
How to ?


Jo_ti
August 25th, 2009, 00:36
Hi,

I am just trying to crack a piece of software. The program is using strings to get cracked.

While running the application, I got a call where the value of EAX is showing the string "Key Invalid",

and the software is not accepting the fake key. But when I changed the value in memory just for a test in Olly, from "Key Invalid" to "Key Valid", the program started working.


So basically I think I need to make an inline patch regarding the string. But the problem is this: I put the BP on that call, and only after at least 7 runs does it show the value "Key Invalid".

Before that it shows the values:

Program data, C:/, Check, etc.

So the main thing is this: I want to add a compare there, so that when the value of EAX is "KEY INVALID" it should jmp to my inline patch. If it is not equal, then it should proceed as normal.

Any idea what I have to write just before my "Key Valid" patch?

I mean the comparing code.

Thanks, I hope someone will guide me about this.

naides
August 25th, 2009, 14:06
My suggestions are inserted in Blue


Quote:
> [Originally Posted by Jo_ti;82559] Hi,
>
> I am just trying to crack a piece of software. The program is using strings to get cracked.
>
> While running the application, I got a call where the value of EAX is showing the string "Key Invalid",
>
> and the software is not accepting the fake key. But when I changed the value in memory just for a test in Olly, from "Key Invalid" to "Key Valid", the program started working.
>
> So basically I think I need to make an inline patch regarding the string. But the problem is this: I put the BP on that call, and only after at least 7 runs does it show the value "Key Invalid".
>
> Before that it shows the values:
>
> Program data, C:/, Check, etc.

This behavior suggests that the protection is based on an interpreter that reads strings generated by the application and acts accordingly. While you caught the app "red handed" passing information in text flags, you found out the hard way that this is not the best strategy for cracking it.

> So the main thing is this: I want to add a compare there, so that when the value of EAX is "KEY INVALID" it should jmp to my inline patch. If it is not equal, then it should proceed as normal.

Perhaps if you trace back the call stack and think: who generates the "KEY INVALID" string, and why, and modify its behavior to generate "KEY VALID" no matter what; or trace forward to see who reads the "KEY INVALID" string and force it to act as if it read "KEY VALID", you may have better luck.

> Any idea what I have to write just before my "Key Valid" patch?

I think the place you are planning to patch, i.e. the string pointed to by EAX, is used far too repeatedly to be practical, requiring a rather convoluted and inefficient (system-expensive) real-time "watch and patch" approach. Move backwards or forwards to more protection-specific code to apply your crack.

> I mean the comparing code.
>
> Thanks, I hope someone will guide me about this.


Feel free to PM the name and link for your software plus some specific info about what you have found so far and I will take a look. I make no promises...

bunion
August 25th, 2009, 21:13
Quote:
> [Originally Posted by Jo_ti;82559] Hi,
> So the main thing is this: I want to add a compare there, so that when the value of EAX is "KEY INVALID" it should jmp to my inline patch. If it is not equal, then it should proceed as normal.
>
> Any idea what I have to write just before my "Key Valid" patch?


I agree with naides' suggestion on how you should go about it, but at least I can see you are learning on your feet, and that's what it's all about.

...your "Key Valid" patch IS your compare, so as soon as the EAX value contains "Key Invalid", "Program data", "C:/", "Check", etc. you want to jmp to your code cave.

This line will contain the code you needed to change in order to jump here:
    cmp eax, "Key Invalid" ?
    jne back to the code immediately after where I originally jumped from
    mov eax, "Key Valid"
    jmp back to the code immediately after where I originally jumped from

...your code cave can be the 00000000s you normally find at the end of the code listing, or it can be any unused code nearby, i.e. the code that generates the nag, as that would now be redundant.

That's the way I learned at first and it's OK, but then you'll learn little tricks like: instead of EAX checking Key Invalid's address, the address actually points to Key Valid.

How would you go about that? ...most things are located and fetched by pointers, so "Key Invalid" & "Key Valid" will have their own unique pointer address... find them and have both point to "Key Valid"... in the end you might only need to change 1 byte.

bunion

The Beginners Guide to Codecaves
_http://www.codeproject.com/KB/cpp/codecave.aspx?fid=453181&df=90&mpp=25&noise=3&sort=Position&view=Quick&select=2218784
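Since the thread has no binary at hand, here is an added, constructed C model of the flow the three posts describe; it is not code from the thread, from the linked article, or from the program being discussed. It models a shared dispatch call that sees "Program data", "C:/" and "Check" before "Key Invalid" ever shows up, the per-message code-cave compare Jo_ti asked for (with the x86 shape of that compare in a comment), and bunion's alternative of patching the producer's pointer table once so that both slots point at "Key Valid". The string table, the accepted key "1234-ABCD", the function names and the data layout are all assumptions made for the example.

```c
/* Added example: toy model of a "string flag" check and the two ways to
 * defeat it discussed in the thread. All names, strings and the accepted
 * key are assumptions; nothing here comes from a real program. */
#include <stdio.h>
#include <string.h>

/* Constructed string table. In a real binary these are fixed addresses in
 * the data section; here the array names stand in for those addresses. */
static const char STR_PROGRAM_DATA[] = "Program data";
static const char STR_DRIVE[]        = "C:/";
static const char STR_CHECK[]        = "Check";
static const char STR_KEY_INVALID[]  = "Key Invalid";
static const char STR_KEY_VALID[]    = "Key Valid";

/* Result pointer table used by the key checker: slot 0 = bad key,
 * slot 1 = good key. Each string has its own "unique pointer address". */
static const char *g_result[2] = { STR_KEY_INVALID, STR_KEY_VALID };

/* Toy validator; the accepted key "1234-ABCD" is an assumption. */
static const char *check_key(const char *key)
{
    int ok = (strcmp(key, "1234-ABCD") == 0);
    return g_result[ok];
}

/* The shared call the breakpoint sits on: every status string passes
 * through it, so it fires on "Program data", "C:/", "Check", ... before
 * "Key Invalid" appears in EAX. Returns 1 to keep running, 0 to stop. */
static int dispatch(const char *eax)
{
    if (strcmp(eax, "Key Invalid") == 0) return 0;   /* refuse to run */
    return 1;                                        /* unlock or housekeeping */
}

/* Strategy 1 (code cave): the compare Jo_ti asked for. It sits at the
 * start of the cave and runs on EVERY message, which is the cost naides
 * points out. With the strings at fixed addresses the x86 shape is:
 *     cmp  eax, offset STR_KEY_INVALID  ; EAX holding the bad-key pointer?
 *     jne  back                         ; no: fall through to original code
 *     mov  eax, offset STR_KEY_VALID    ; yes: swap in the good-key pointer
 * back:
 *     <instruction(s) displaced by the jmp into the cave>
 *     jmp  return_address
 */
static const char *cave_by_pointer(const char *eax)
{
    return (eax == STR_KEY_INVALID) ? STR_KEY_VALID : eax;
}

/* Same cave comparing contents instead of the address: needed only if the
 * string were built at run time rather than loaded from a fixed address. */
static const char *cave_by_content(const char *eax)
{
    return (strcmp(eax, "Key Invalid") == 0) ? STR_KEY_VALID : eax;
}

/* Strategy 2 (bunion's "change 1 byte"): patch the producer's pointer
 * table once so slot 0 also points at "Key Valid". The shared call site is
 * untouched and no per-message compare is needed. */
static void patch_result_table(void)   { g_result[0] = STR_KEY_VALID; }
static void restore_result_table(void) { g_result[0] = STR_KEY_INVALID; }

/* Startup sequence as seen through the breakpoint. cave: 0 = none,
 * 1 = pointer compare, 2 = content compare. Returns 1 if the app unlocks. */
static int run_program(const char *key, int cave)
{
    const char *msgs[4];
    int running = 1;
    size_t i;

    msgs[0] = STR_PROGRAM_DATA;
    msgs[1] = STR_DRIVE;
    msgs[2] = STR_CHECK;
    msgs[3] = check_key(key);

    for (i = 0; i < 4 && running; i++) {
        const char *eax = msgs[i];
        if (cave == 1) eax = cave_by_pointer(eax);
        if (cave == 2) eax = cave_by_content(eax);
        running = dispatch(eax);
    }
    return running;
}

int main(void)
{
    printf("unpatched, bad key : %d\n", run_program("0000-0000", 0));
    printf("unpatched, good key: %d\n", run_program("1234-ABCD", 0));
    printf("cave (pointer)     : %d\n", run_program("0000-0000", 1));
    printf("cave (content)     : %d\n", run_program("0000-0000", 2));
    patch_result_table();
    printf("table patched      : %d\n", run_program("0000-0000", 0));
    restore_result_table();
    return 0;
}
```

The pointer compare in the cave is what you would write in the binary when "Key Invalid" lives at a fixed address: one `cmp eax, imm32` instead of a string compare on every call. The table patch is the cheaper option once you have traced back to whoever hands out that pointer, which is the direction naides recommends.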