
c4p0ne 09-15-2004 15:14

Modifying resources of self-checking exe
 
Anyone got a good tutorial for this? I was just trying to experiment with the kav.exe icon (Kaspersky AntiVirus GUI part) and of course I can't because it detects itself as being "modified" once you run it again (KAV Personal v5.0.153)... Is there a simple way to do this? All I really want to do is change some resources like icons and text and stuff, nothing serious.

Cobi 09-15-2004 21:05

The only way is to patch the self-check, because you can't edit the file without changing the checksum.

redbull 09-15-2004 21:27

Yeah you have to either
1. Patch the self checking routine as Cobi says
or
2. Figure out what hashing algorithm is used and find a "Hash Collision" for it using the new resources.

I recommend 1 :)

MaRKuS-DJM 09-16-2004 01:21

Well, if it uses CRC32, you can crack it the normal way and use a CRC32 fixer.

c4p0ne 09-16-2004 04:36

Hehe, I doubt Kaspersky guys would use CRC32 for their software (I wish). Anyway thanks for that info. =)

MaRKuS-DJM 09-17-2004 03:44

Well, I don't have Kaspersky, so I don't know :)

Did you try breaking on APIs like CreateFileA? I think it's needed for nearly every self-check on HD.

Or did you check all used crypto? Else if crypto is used... CreateFileA will also be needed ;)

taos 09-17-2004 12:43

I've cracked the last version of safelock (I'm preparing to upload to ftp) and it uses CRC check in every, but it was very easy: make a BP on CreateFileA and then analyze the parameter that gets the name of the file. If this is the name of your exe then you must change the jump, or NOP, etc... or follow the algorithm and take note of the new CRC and the old and search the EXE for the old. Remember that not all soft uses the CRC standard. Normally, the CRC generated by the programmer is at the end of the file; in others it is in a crypted file, etc...

goldenegg 09-17-2004 16:54

Quote:

Originally Posted by redbull
Yeah you have to either
1. Patch the self checking routine as Cobi says
or
2. Figure out what hashing algorithm is used and find a "Hash Collision" for it using the new resources.

I recommend 1 :)

There is a third way which interests me. I'm not a pure cracker, I do not want to spend much time to do a patch. I'd like to hook the APIs it calls and change the return value; this is a programming way.

taos 09-17-2004 21:32

Quote:

Originally Posted by goldenegg
There is a third way which interests me. I'm not a pure cracker, I do not want to spend much time to do a patch. I'd like to hook the APIs it calls and change the return value; this is a programming way.


But you forget something: there's no API func for CRC.
If you mean to hook an internal func, then it's a very hard job; you must debug this internal func to know how it calculates the CRC and what format it uses (decimal, HEX, string) to return the value that you want. It's easier to patch because it must be only a few bytes.

