View Full Version : I've cracked a program but I don't know how...!!!!


Gento
April 1st, 2004, 10:05
Hello, I was trying to patch a program. I want to patch the internet connection of a DLL using odbg109d.

Import: wininet.dll, I'm trying with

* Reference To: WININET.InternetGetConnectedState, Ord:0066h
|
FF1518620210 Call dword ptr [10026218]
8B4C2408 mov ecx, dword ptr [esp+08]
8901 mov dword ptr [ecx], eax
33C0 xor eax, eax
C3 ret

90 nop
....
....
....
90 nop

I've changed this

* Reference To: WININET.InternetGetConnectedState, Ord:0066h
|
FF1518620210 Call dword ptr [10026218]
8B4C2408 mov ecx, dword ptr [esp+08]
33C0 xor eax, eax
8901 mov dword ptr [ecx], eax
C3 ret

90 nop
....
....
....
90 nop

Is this correct? Before that I've cracked this soft with a crack found on the internet

... at this moment I am trying to do the same with another version,

thanks all !!!!

(sorry for my bad English, I am Spanish)

ZaiRoN
April 1st, 2004, 11:04
Hi Gento.
hmmm, from your message I am not able to understand which part of the code you have patched. You patch the call to InternetGetConnectedState, am I right? Don't know if it's the right way, you should tell us more about the protection...

Best regards,
ZaiRoN

Gento
April 1st, 2004, 11:10
Hi ZaiRoN

No protection

I've changed this

8901 mov dword ptr [ecx], eax
33C0 xor eax, eax

into this

33C0 xor eax, eax
8901 mov dword ptr [ecx], eax

I think it was very easy and I am very happy !!!!

Things are easier than we think.....uoouuuuu !!!!

Will
April 1st, 2004, 12:17
;Call InternetGetConnectedState to check for an internet connection
FF1518620210 Call dword ptr [10026218]
;put the offset of the buffer (esp+8) into ecx
8B4C2408 mov ecx, dword ptr [esp+08]
;move return value (eax) of the InternetGetConnectedState call into your buffer
8901 mov dword ptr [ecx], eax
;Clear eax
33C0 xor eax, eax
;return
C3 ret


By switching those two lines, you're faking the return of the InternetGetConnectedState call, by zero-ing it out. If eax =='s true, then there is an internet connection. If eax =='s false, then there isn't. You're just making it always false. Interesting approach.

cheers,
will
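
Will's explanation above, as an added example that is not part of the thread: a small Python interpreter for just the instructions in the two listings, showing which value reaches the caller's buffer before and after the swap, and why an integrity check over this code has to be order-sensitive (a byte sum is identical for both listings, a SHA-256 digest is not). The `api_result` argument and all function names are assumptions made for illustration; no real API is called.

```python
import hashlib

# Byte sequences copied from the two listings in the thread.
ORIGINAL = bytes.fromhex("FF1518620210 8B4C2408 8901 33C0 C3")
PATCHED = bytes.fromhex("FF1518620210 8B4C2408 33C0 8901 C3")


def run(code, api_result):
    """Interpret only the instructions that appear in the listings.

    api_result is a constructed stand-in for the value the call leaves in
    eax. Returns (value stored through ecx, eax at ret).
    """
    eax, stored, i = 0, None, 0
    while i < len(code):
        if code[i:i + 2] == b"\xff\x15":            # call dword ptr [imm32]
            eax, i = api_result, i + 6
        elif code[i:i + 4] == b"\x8b\x4c\x24\x08":  # mov ecx, [esp+08]
            i += 4                                  # ecx = caller's out pointer
        elif code[i:i + 2] == b"\x89\x01":          # mov [ecx], eax
            stored, i = eax, i + 2
        elif code[i:i + 2] == b"\x33\xc0":          # xor eax, eax
            eax, i = 0, i + 2
        elif code[i] == 0xC3:                       # ret
            return stored, eax
        else:
            raise ValueError(f"unhandled byte at offset {i}")
    raise ValueError("no ret found")


def additive_checksum(code):
    """Order-insensitive byte sum (a weak integrity check)."""
    return sum(code) & 0xFFFFFFFF


def digest(code):
    """Order-sensitive SHA-256 digest of the same bytes."""
    return hashlib.sha256(code).hexdigest()


def first_difference(a, b):
    """Offset of the first differing byte, or None if identical."""
    return next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), None)


if __name__ == "__main__":
    for name, code in (("original", ORIGINAL), ("patched", PATCHED)):
        print(name, run(code, 1), additive_checksum(code), digest(code)[:16])
    print("first differing offset:", first_difference(ORIGINAL, PATCHED))
```
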

Will
April 1st, 2004, 13:52
Just out of curiosity, how did you manage to change that code accidentally?

Gento
April 2nd, 2004, 14:42
Hello Will, first I was thinking to change the result of the function InternetGetConnectedState (eax) but I did not know the correct number of eax. So first I changed these bytes and the soft works.

Gento
April 2nd, 2004, 14:48
Quote:
[Originally Posted by Gento]Hello Will, first I was thinking to change the result of the function InternetGetConnectedState (eax) but I did not know the correct number of eax. So first I changed these bytes and the soft works.


Now I am trying to kill a nag that is shown when I close the soft. This nag has two buttons (ok and cancel).

Any suggestion about this?

Will
April 2nd, 2004, 17:11
Well it depends on what you're trying to do. Do you just want to stop the displaying of the nag? There are a number of nag-killing tutorials on krobar's site.

Without knowing more, about the only thing that I would suggest is to check whether it's a window or a dialog and then look up either the CreateWindow/Ex or DialogBoxParam/DialogBoxIndirectParam API functions in the help file or on MSDN. If there's no call to the Dialog or Window then it can't nag you anymore.


cheers,
will

Gento
April 2nd, 2004, 18:15
Ok Will (so sorry for my bad English)

I want not to display the nag. I don't know if I must 'simulate' the ok button.

Thanks, I'll look for the tutorials

ZaiRoN
April 3rd, 2004, 03:12
Hi Gento,
removing the nag (as suggested by Will) is the best choice. If you want you can 'simulate' the hit of the ok button, you can write an external program that sends a wm_command with wparam=BN_CLICKED to the nag. To send the message you have two options: postmessage or sendmessage; the first one posts the message into the program's message queue and returns to your external program immediately while the other does not return (to your external program) until the message has been processed.

Zai

dev_zero
April 17th, 2004, 11:55
Just wondering which prog did you use to change the code?? hview??

Gento
April 19th, 2004, 08:37
Hello

Wdasm, ollydbg and to change the code hex workshop v4.23

http://www.woodmann.com/forum/showthread.php?t=5775 (this is the loader code to find the nag with error of course)