dunno
November 28th, 2001, 12:08
Hi to you all,
I'm working on a smart program which is not packed but which (I suspect) has a CRC check. I call it smart because when you patch the "registered-or-not" flag the program starts without the nag screen and does not display the "UNREGISTERED" string either on its caption or on the About box; however, it does not work at all. You just see the GUI and that's all. It does not perform its intended functions when you click on them, and it eventually terminates itself in a completely random fashion in 5 minutes' or 2 days' time. I made a loader which appropriately patches the required bytes and it works perfectly.
The problem is: I know exactly where to patch, but I don't want to use a loader. Instead, I'd like to inject a piece of code at the end of its original code which would jump to the exact location, change the required bytes and let the program run smoothly as if it were registered.
To exemplify:
.
.
.
Referenced by a call at ....
00402600: mov eax, dword ptr [004B5BA4]
00402605: xor ecx, ecx
00402607: and eax, 112000C2
0040260C: cmp eax, 112000C2
00402611: sete cl ; changing this to "setne" lets the program run as if it is registered.
00402614: mov eax, ecx
00402616: ret
.
.
.
Now, where do I put my jump-to-the-end instruction? At 00401000, right before RVA 00402600, or right after the last significant byte towards the end where the 00's begin?
Here is the code snippet which I try to inject:
.
.
... Zeros begin here...>
0049137A: push 00xxxxxx (the original instruction which I should replace in order to jump here)
0049137F: push eax
00491380: mov al, 95
00491382: mov byte ptr [00402612], al
00491387: pop eax
00491388: jmp 00xxxxxx (back to the RVA of the following instruction where I jumped)
The program crashes W32Dasm. I got all the above info from another disassembler. It works well with SoftICE. The reg routine is crypted and it's too hard for me to decrypt. So, no chance of serial fishing.
What should I do to defeat this CRC check? I have no idea where this check is implemented.
Module entry point: 0045B9A0
Any comment well appreciated. Thanks.
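For readers who want to see what kind of check the post is describing, here is an added example (written for this page; it is not code from the original post or from the program under discussion) of a CRC-32 integrity self-check over a code image. The routine bytes are reconstructed from the listing above: the encodings chosen for xor ecx,ecx and mov eax,ecx are an assumption, while sete cl as 0F 94 C1 puts the condition byte at 00402612, matching the listing. The example shows that a single-byte change to the covered region no longer matches the recorded checksum.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Standard CRC-32 (IEEE 802.3, reflected, polynomial 0xEDB88320), computed bitwise. */
uint32_t crc32_buf(const uint8_t *data, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int bit = 0; bit < 8; bit++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Constructed byte image of the routine at 00402600 from the listing.
   The xor/mov encodings are one valid choice (assumption); the sete at
   offset 0x11 is 0F 94 C1, so its condition byte sits at offset 0x12 (00402612). */
#define ROUTINE_BASE 0x00402600u
static const uint8_t ORIGINAL_ROUTINE[] = {
    0xA1, 0xA4, 0x5B, 0x4B, 0x00,       /* 00402600: mov eax, [004B5BA4] */
    0x33, 0xC9,                         /* 00402605: xor ecx, ecx        */
    0x25, 0xC2, 0x00, 0x20, 0x11,       /* 00402607: and eax, 112000C2   */
    0x3D, 0xC2, 0x00, 0x20, 0x11,       /* 0040260C: cmp eax, 112000C2   */
    0x0F, 0x94, 0xC1,                   /* 00402611: sete cl             */
    0x8B, 0xC1,                         /* 00402614: mov eax, ecx        */
    0xC3                                /* 00402616: ret                 */
};
#define ROUTINE_LEN (sizeof ORIGINAL_ROUTINE)

/* Returns 1 when the code image still hashes to the checksum recorded at build time. */
int integrity_ok(const uint8_t *code, size_t len, uint32_t expected_crc) {
    return crc32_buf(code, len) == expected_crc;
}

/* Copies the routine and overwrites one byte at an absolute address.
   Returns 1 on success, 0 if the address lies outside the routine. */
int patched_copy(uint8_t *out, uint32_t addr, uint8_t value) {
    if (addr < ROUTINE_BASE || addr >= ROUTINE_BASE + ROUTINE_LEN) return 0;
    memcpy(out, ORIGINAL_ROUTINE, ROUTINE_LEN);
    out[addr - ROUTINE_BASE] = value;
    return 1;
}

/* Demonstration: 1 if the recorded CRC accepts the original image and
   rejects a copy whose byte at 00402612 was changed from 94 to 95. */
int demo_detects_patch(void) {
    uint32_t expected = crc32_buf(ORIGINAL_ROUTINE, ROUTINE_LEN); /* stored at build time */
    uint8_t copy[ROUTINE_LEN];
    if (!patched_copy(copy, 0x00402612u, 0x95)) return 0;
    return integrity_ok(ORIGINAL_ROUTINE, ROUTINE_LEN, expected)
        && !integrity_ok(copy, ROUTINE_LEN, expected);
}

int main(void) {
    printf("one-byte change detected: %s\n", demo_detects_patch() ? "yes" : "no");
    return 0;
}
```

A self-check of this kind flags any single-byte change to the region it covers, which is why the behaviour described in the post (GUI appears, functions silently fail) is consistent with a checksum mismatch being noticed somewhere other than at the patched comparison itself. What such a check actually protects depends on which bytes it hashes and when it runs.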