Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   the big call >> mov eax,01 ret (https://forum.exetools.com/showthread.php?t=12086)

crkelbery 03-03-2009 23:07

the big call >> mov eax,01 ret
 
Hi!
Most people know that a lot of apps have an important call that the program uses at start-up and during the registration routine. A simple mov eax,1 / ret solves it... nothing new.
Recently I've had fun (and got beaten, too) with an app called word2picture. It's protected by ExeCryptor, and its classic big call hides its code with tons of loops, decrypts, bla, bla... which made me give up. I know the piece of cake is there... but you get absolutely tired looking for the two lines of code that really matter. I was wondering if there is a magical way to find it.

PS: I'm not interested at all in getting a crack for this app. When I want an image from a .doc file, I "save as... web page" and take the JPG file directly.

pp2 03-04-2009 07:33

It seems that you need to patch (inline) and/or emulate the ExeCryptor API that is used to check registration, if the program author has no further checks in their own code. Sometimes it is not just "mov eax, 1 / retn" to bypass. What will you do if some useful code is ciphered? It is impossible to reconstruct it without having the key, and even bypassing the validation check will execute the ciphered code and end with an unhandled exception.

Sure, all these tons of checks, loops, cipherings and virtual machines are intended to impede your work in finding this magic code! But how will you be sure that a program will get registered by patching some jne/je to jmp (or setting some variable to 0 or 1)?

emery 03-04-2009 14:39

The simple compares only exist if the author wrote their code in this fashion.

poor, but basic example:

#include <stdbool.h>

static bool registered = false; /* referenced throughout the code */

void doSerialCheck(void)
{
    /* ... the individual checks ... */
    if (all_checks_passed)
        registered = true;
}

If, for instance, a hash is always compared, or some other method is used, then this simple move-and-compare-boolean check no longer really exists. Granted, you can typically always reduce a patch to something very small or similar in nature, but I think you see my point.

Cheers
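
The two check styles that pp2 and emery describe, side by side, as an added example in C that is not code from the thread or from any of the posters. The hash (FNV-1a), the reference serial "EXE-2009-ABCD", the 16-byte payload and the XOR stream cipher are all constructed for the example; only the structure matters. `feature_boolean` gates on the result of the check alone, so a `patched_check` that does what mov eax,1 / ret does unlocks it with any serial. `feature_ciphered` derives the key for a ciphered blob from the serial actually entered, so the same patch gets past the check but the blob decrypts to garbage and the stored integrity value does not match.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy 32-bit FNV-1a. It stands in for whatever the real check derives from
 * the serial; the point is the program structure around it, not the hash. */
static uint32_t fnv1a32_bytes(const uint8_t *p, size_t n)
{
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x01000193u;
    }
    return h;
}

static uint32_t fnv1a32(const char *s)
{
    return fnv1a32_bytes((const uint8_t *)s, strlen(s));
}

/* Constructed reference serial (assumption). A shipped binary stores only the
 * hash constant; this example keeps the serial so that it runs stand-alone. */
static const char *const REF_SERIAL = "EXE-2009-ABCD";

/* Style 1: the "big call". Returns 1 when the serial is valid. */
int check_serial(const char *serial)
{
    return fnv1a32(serial) == fnv1a32(REF_SERIAL);
}

/* What the classic patch turns that call into: body replaced by mov eax,1 / ret. */
int patched_check(const char *serial)
{
    (void)serial;
    return 1;
}

/* Style 1 consumer: the feature is gated on the boolean alone, so the patch
 * above unlocks it for any serial. */
int feature_boolean(int (*check)(const char *), const char *serial)
{
    return check(serial) ? 1 : 0;
}

/* Style 2: a block of code/data ships ciphered under a key derived from the
 * serial. Constructed 16-byte payload (15 characters plus the terminating NUL). */
#define PAYLOAD_LEN 16
static const uint8_t PLAINTEXT[PAYLOAD_LEN] = "OK:routine-body";

/* Toy XOR stream: each byte is XORed with one byte of the 32-bit key. */
static void xor_stream(uint8_t *out, const uint8_t *in, uint32_t key)
{
    for (size_t i = 0; i < PAYLOAD_LEN; i++)
        out[i] = in[i] ^ (uint8_t)(key >> (8 * (i % 4)));
}

/* Build-time step (constructed): cipher the payload under the real key. */
static void build_payload(uint8_t *enc)
{
    xor_stream(enc, PLAINTEXT, fnv1a32(REF_SERIAL));
}

/* Style 2 consumer: even when check() says yes, the blob is deciphered with the
 * key derived from the serial actually typed in. With a wrong serial the result
 * is garbage and the integrity value does not match, so the feature stays off
 * (a real program would run the garbage and die with an exception, as pp2 says). */
int feature_ciphered(int (*check)(const char *), const char *serial)
{
    uint8_t enc[PAYLOAD_LEN], dec[PAYLOAD_LEN];
    /* A real program stores this constant; it is computed from the plaintext
     * here only so the example stays self-contained. */
    uint32_t expected = fnv1a32_bytes(PLAINTEXT, PAYLOAD_LEN);

    if (!check(serial))
        return 0;
    build_payload(enc);
    xor_stream(dec, enc, fnv1a32(serial));
    return fnv1a32_bytes(dec, PAYLOAD_LEN) == expected;
}

int main(void)
{
    printf("boolean style, patched check, bad serial:  %d\n", feature_boolean(patched_check, "bogus"));
    printf("ciphered style, patched check, bad serial: %d\n", feature_ciphered(patched_check, "bogus"));
    printf("ciphered style, real check, real serial:   %d\n", feature_ciphered(check_serial, REF_SERIAL));
    return 0;
}
```

The function pointer is only a stand-in for the byte patch: in the real binary the first bytes of the check become `B8 01 00 00 00 C3` (mov eax,1 / ret). Against the second style that patch still flips the check, but the missing key material cannot be patched in, which is the reason protectors cipher real code under the serial instead of setting a flag.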

leosmi05 03-21-2009 06:40

Just another idea
 
Maybe you could try to patch the file and let it do all the decrypting and CRC checking on a backup of the original file. This way it would bypass some tricky decompression routines that use the calculated CRC to generate the decompressed code.
