Need help please to exec a function


Rose
April 4th, 2011, 03:31
Hello,
I know there are a lot of genius people here and I'm praying that
one of them will have time to help me on this bad road.

- I have plugins to patch (64-bit) where licensing is integrated inside each file (plugin).
- Protection is a watermark ("blue bar on the screen").
- File size ranges from 240kb to 500kb max.
So shame on me for not being able to patch such a ridiculous file.

I thought the code that needs to be patched was here:
.text:000000000000DF0D loc_DF0D: ; CODE XREF: licence_d(char *,CPlugin *)+B70 j
.text:000000000000DF0D xorps xmm0, xmm0
.text:000000000000DF10 mov rax, cs:_ZZN7CSlideraSEiE6Slider_ptr
.text:000000000000DF17 cvtsi2ss xmm0, ebx
.text:000000000000DF1B movss [rsp+5D8h+var_5CC], xmm0
.text:000000000000DF21 mov ebx, [rsp+5D8h+var_5CC]
.text:000000000000DF25 mov rdi, [rbp+80h]
.text:000000000000DF2C mov [rax+34h], ebx
.text:000000000000DF2F mov rax, [rdi]
.text:000000000000DF32 call qword ptr [rax+50h]
.text:000000000000DF35 mov rdi, rax
.text:000000000000DF38 mov rax, [rbp+80h]
.text:000000000000DF3F mov rdx, [rbp+10h]
.text:000000000000DF43 mov rsi, [rax+8]
.text:000000000000DF47 mov [rsp+5D8h+var_5CC], ebx
.text:000000000000DF4B movss xmm0, [rsp+5D8h+var_5CC]
.text:000000000000DF51 mov rax, cs:FuncTBL_ptr
.text:000000000000DF58 call qword ptr [rax+20h]
.text:000000000000DF5B mov rax, cs:cmpt_ptr
.text:000000000000DF62 lea rsi, aLictChecklicOk ; "LicT CheckLic: ok\n"
.text:000000000000DF69 mov dword ptr [rax], 1
.text:000000000000DF6F mov rax, cs:iRunTestLicence_ptr
.text:000000000000DF76 mov dword ptr [rax], 2

The code at DF6F and DF76 must be executed to validate the license.
So I changed
48 89 5C 24 E8 48 89 6C 24 F0 48 89 FB 4C 89 64
with:
B8 01 00 00 00 C3

Of course it doesn't work, and that is why I'm asking you bros here to have a look. Please, it takes 2 minutes to disassemble a file.
Here is one of these plugin files (200kb only):
http://www.megaupload.com/?d=7ZV2ADTT

I will be thankful forever if someone could help me, because I need it to solve a big problem.

FrankRizzo
April 4th, 2011, 08:53
Take this for what it's worth. I haven't attacked anything 64-bit yet, but just looking at what the code does, it appears to store values at [rax] a lot. Your code just returns a 1. If the code checks for those stored values vs. a 1 in eax, then it won't work. On the other hand, if your code is correct, you have the issue of your code fragment being 32-bit:

mov eax, 1

vs. this code being in 64-bit mode, where you'd need:

mov rax, 1

So, as I said, I have yet to tackle a 64-bit app, so I don't know if the mov opcode is still the same. If it IS, then you need to extend your opcode to 64 bits. Something like: B8 01 00 00 00 00 00 00 00 C3, because of the registers being 64-bit.

If nothing else, this gives you something to check.

Have you applied your patch, and then disassembled the code again to make sure it looks OK?

Rose
April 4th, 2011, 09:58
Thanks Frank for your reply ;-)
As I said in the description, yes, it is x64 code ("I have plugins to patch (64bit)").
Yes, I've also disassembled my patch, which gave me the bad result at the end.

Rose
April 5th, 2011, 02:55
Well, as I can see, the gentlemen have left this forum, or maybe my request is too hard.
Thanks anyway.

Woodmann
April 5th, 2011, 19:18
Howdy,

As far as I can tell, Frank said he has not played with 64-bit stuff yet.
So I don't think he can offer any more help.

Woodmann

Rose
April 6th, 2011, 04:33
Yes, I've understood it; it was just a simple answer to his question.
Just praying that my request could interest someone else, but after
2 days with nothing, I guess "not".

BanMe
April 6th, 2011, 14:32
I haven't hit my 7 64-bit system yet, but I like to hack something I know nothing about.. :x So let's make a few 'guestions' into what these code pieces 'do', shall we... :S
Code:

.text:000000000000DF0D loc_DF0D: ; CODE XREF: licence_d(char *,CPlugin *)+B70 j
.text:000000000000DF0D xorps xmm0, xmm0
.text:000000000000DF10 mov rax, cs:_ZZN7CSlideraSEiE6Slider_ptr ;...HWND?
.text:000000000000DF17 cvtsi2ss xmm0, ebx
.text:000000000000DF1B movss [rsp+5D8h+var_5CC], xmm0
.text:000000000000DF21 mov ebx, [rsp+5D8h+var_5CC]
.text:000000000000DF25 mov rdi, [rbp+80h] ;what is this?
.text:000000000000DF2C mov [rax+34h], ebx ;this writes something..?
.text:000000000000DF2F mov rax, [rdi] ;a table of some sort..
.text:000000000000DF32 call qword ptr [rax+50h] ;o0
.text:000000000000DF35 mov rdi, rax ;save something
.text:000000000000DF38 mov rax, [rbp+80h] ;table pointer
.text:000000000000DF3F mov rdx, [rbp+10h] ;..no idea..
.text:000000000000DF43 mov rsi, [rax+8]
.text:000000000000DF47 mov [rsp+5D8h+var_5CC], ebx
.text:000000000000DF4B movss xmm0, [rsp+5D8h+var_5CC]
.text:000000000000DF51 mov rax, cs:FuncTBL_ptr;fux omg
.text:000000000000DF58 call qword ptr [rax+20h]
.text:000000000000DF5B mov rax, cs:cmpt_ptr
.text:000000000000DF62 lea rsi, aLictChecklicOk ; "LicT CheckLic: ok\n"
.text:000000000000DF69 mov dword ptr [rax], 1
.text:000000000000DF6F mov rax, cs:iRunTestLicence_ptr;o0!!!!WoRDS!..
.text:000000000000DF76 mov dword ptr [rax], 2
In future posts try to include what the registers are at the time of execution..that will definitely 'help' us in 'hitting it'..

My 'answers' are contingent upon the information you can provide me.. take that as 'issue of truth' #1 and you will get 'more answers' and more questions that can 'decipher your thinking'. lol : oh noes.. !! run!!

Rose
April 7th, 2011, 10:41
Yes, "BanMe", I think you got it, and your first analysis is going the same way as mine.

BTW, I also think that we have many different places to patch to break the security and get a successful outcome at the end, like:
- patching the whole licensing
or
- patching the watermark itself
- patching the encrypted key, which then allows you to set whatever you want inside a fake license
... I've tested and tried all those ways ): but !!! why is it impossible?

BanMe
April 7th, 2011, 20:34
1. You ask a question that is a stumbling block in itself (nothing is impossible).. that shouldn't be..
2. You're impatient (I like that).

I want more information from you.. :smug ('see' above post by me)..

regards BanMe

1. You said 'Why is it impossible'?
2. You said '2 days without nothing, i guess "not"'

Rose
April 8th, 2011, 07:56
I'm not sure I understand you, BanMe; do you want me to send some proofs? I'm a little bit
lost with your words/humor and strange English.
As you can see, I can write like you LOL.
BTW, I'm not sure this is a chat box here, and are the comments you made on the hex codes questions for you or for me?
Once again, I don't understand where you want to go or what you want me to add.
Excuse me in advance if this post is mad.

BanMe
April 8th, 2011, 10:00
'Use your anger as a motivational tool to divide and conquer'.

1. The 'chatter here' never ceases..
2. The questions are 'from me to you'..
3. The humor was a tool I used to make you talk further.. :d seeing what you got out of 'it'.
4. If this isn't a 'chat based environment', 'why' do they include the 'edit' ability..0:

A byte that is lost in 'words' and not in 'finding' the information to the proper 'execution' path, is not lost.. It just 'needs' guidance.. :0 (I'm 'shifty'..o0)

I NEED MORE debug information to help you 'further'..xD (i.e. I need the CODE of the calls and maybe a pastebin copy/paste of registers.. and debug information.. and maybe a 64-bit reference... lol..

.text:000000000000DF0D loc_DF0D: ; CODE XREF: licence_d(char *,CPlugin *)+B70
.text:000000000000DF0D xorps xmm0, xmm0 ;0?
.text:000000000000DF10 mov rax, cs:_ZZN7CSlideraSEiE6Slider_ptr;...HWND?
.text:000000000000DF17 cvtsi2ss xmm0, ebx;what is ebx?
;Convert one signed doubleword integer from r/m32 to one single-precision floating-point value in xmm.
.text:000000000000DF1B movss [rsp+5D8h+var_5CC], xmm0;hmm...
.text:000000000000DF21 mov ebx, [rsp+5D8h+var_5CC];float to dword?
.text:000000000000DF25 mov rdi, [rbp+80h];what is this?
.text:000000000000DF2C mov [rax+34h], ebx;this writes something..?
.text:000000000000DF2F mov rax, [rdi];a table of some sort..
.text:000000000000DF32 call qword ptr [rax+50h]; a call to 'somewhere' I need this calls code..
.text:000000000000DF35 mov rdi, rax;save something
.text:000000000000DF38 mov rax, [rbp+80h];table pointer
.text:000000000000DF3F mov rdx, [rbp+10h];..no idea..;hmm
.text:000000000000DF43 mov rsi, [rax+8];??(more information here
.text:000000000000DF47 mov [rsp+5D8h+var_5CC], ebx;ebx changed?
.text:000000000000DF4B movss xmm0, [rsp+5D8h+var_5CC];float to float..
.text:000000000000DF51 mov rax, cs:FuncTBL_ptr;fux omg
.text:000000000000DF58 call qword ptr [rax+20h];'I need this code to'.I think it compares 'something'...
.text:000000000000DF5B mov rax, cs:cmpt_ptr;xD
.text:000000000000DF62 lea rsi, aLictChecklicOk ; "LicT CheckLic: ok\n"
.text:000000000000DF69 mov dword ptr [rax], 1;a 64 bit 1?
.text:000000000000DF6F mov rax, cs:iRunTestLicence_ptr;o0!!!!WoRDS!..
.text:000000000000DF76 mov dword ptr [rax], 2;...

Maybe a 'laundry list' would help you..

#1 I want to help you..
#2 I want you to help yourself..
#3 I like you for your fire..lol
#4 (take as much time as you need..) :S