Some info on how you could modify this to also work for the Full version:

It seems that under the full version the only different thing is a dword which comes after site_code:

```
uint32_t ToBeHashed[2];
ToBeHashed[0] = site_code;   // we need site code for decoding
ToBeHashed[1] = 0xA264D581;  // this should be changed
```

You should grab it from the target program. Here is the first PC Guard check of the serial length:

```
009CA211  83F9 23        CMP ECX,23
009CA214  9C             PUSHFD
009CA215  EB 01          JMP SHORT 009CA218
```

and this will move into eax the dword which should be fixed:

```
009CA74F  8B85 10B74100  MOV EAX,DWORD PTR SS:[EBP+41B710]
009CA755  60             PUSHAD
009CA756  E8 03000000    CALL 009CA75E
009CA75B  83EB 0E        SUB EBX,0E
009CA75E  EB 01          JMP SHORT 009CA761
```

How you should trace PC Guard: if you are after the actual check, you should set a breakpoint before where the current call gets called, then restart Olly (don't bother trying to follow jumps). You will also see some loops: just set a breakpoint on the exit door.

The Following User Gave Reputation+1 to CodeCracker For This Useful Post:
Mahmoudnia (11-14-2019)
The Following 3 Users Say Thank You to CodeCracker For This Useful Post: