
How to really use s 0 l ffffffff ?


thalos
December 29th, 2003, 07:13
Lol

I need some hints on s 0 l ffffffff 'x'.

Example
What I have done

Break due to BPX KERNEL!HMEMCPY (ET=647.67 milliseconds)+ F12
:BD *
:S 0 L FFFFFFFF '11223344'
Pattern found at 0030:015AC754 (015AC754)
:BPR 15AC754 15AC754+8 RW
:S
Pattern found at 0030:80D18472 (80D18472)
:BPR 80D18472 80D18472+8 RW
:S
Pattern found at 0030:C24BDA25 (C24BDA25)

Break due to BPR #0030:015AC754 #0030:015AC75C RW
At 017F:00405470

+ F5
It breaks a few times and finally the bad boy screen pops up.

But the break has never landed in the right place. I have 13 calls; with the trick s 0 l ffffffff 'x' + bpr I break near the 3rd call, but the solution is in the 13th call (I have found the serial).

Why do I never land in the right call with this process? After the bpx hmemcpy there were only 13 calls to look at and analyse. In another case it could be 50 or 100 calls to analyse. If s 0 l ffffffff '11223344' can't help me find the serial generator more efficiently, how do I find it? Otherwise, I don't really understand how to use s 0 l ffffffff.

naides
December 29th, 2003, 11:04
As above.

What S 0 l ffffffff 'your_fake_serial' does is help you locate where in memory your serial got stored. It may get copied somewhere else, checked for its length, analysed by the serial validation routine, etc., and it is up to you to understand what is going on.
It may happen sooner or later in the program.
Moreover, the memory site you put a BPR on may be recycled and used for other purposes, giving you false breaks.


Point is: S(earch) memory is one, among many, pathways for serial fishing. Depending on the implementation of the protection, it may take you there right away, or it may lose you in the code woods. It is up to you to use it wisely.

thalos
December 29th, 2003, 12:00
What are the other pathways for serial fishing ?

Don't say to work on the buffer parameters of an API such as GetWindowTextA, GetDlgItemTextA, lstrcmpiA. Why? Because most of the time the buffer concerns the title bar and not the edit control of the fake serial.
Don't say to put bmsg handle wm_gettext (the break where I land is not interesting),
and not s 0 l ffffffff 'fake serial' of course.

I need other tricks for serial fishing, particularly with a target that has been written in Visual C++ 6.0.

The problem in cracking is not to understand the serial routine but to find the serial routine.
That's all.

naides
December 29th, 2003, 12:41
The quickest way to a crack is beginning near the end. Always skip to the end.

You have a bad boy message box, right?
Start there and work your way backwards to the place where the decision to show it is made.
Then analyze who makes that decision: the serial validation routine(s).

Again, don't get all flustered at me, and don't challenge me to give you a solution to your problem. I was giving you a general tip: a protection is a problem not meant to be solved, and you have to invent a solution as you go along. There is no ready-made recipe or foolproof technique, just a handful of approaches that you learn by doing and reading.

thalos
December 29th, 2003, 16:43
Thank you for your patience, Naides.

I hope that I haven't irritated you; I know you do good work. Bye.