Bypassing almost all protection of the type: Call - Test - Jump
Printable version of a thread from the Arab Team for Reverse Engineering forum (https://www.at4re.net/f), section ENGLISH FORUM (https://www.at4re.net/f/forum-6.html) > General Discussion (https://www.at4re.net/f/forum-13.html), thread: Bypassing almost all protection of the type: Call - Test - Jump (/thread-336.html)
Reposted by M!X0R, 04-11-2018. Originally posted by TripleIntegrale, 20-10-2007, 01:47 PM
Peace, and the mercy and blessings of God Almighty, be upon you.
Hello everybody!
This is my first essay in English, so you have to forgive my bad English.
In this tut I'll teach you how to break this kind of protection: Call // Test // Jmp, but not by reversing jumps (JE becomes JNE...).
In general, the program tests whether it is registered or not and, depending on the result, puts a static value in a register after the call. This register is usually EAX, so in the test (or cmp...) after the last call, the program checks the result of AL (NB: EAX (32 bits) = AX (16 bits) = AL (8 bits) + AH (8 bits)); then we find either a JE or a JNE. Of course those jumps are directly influenced by the Zero Flag, which is modified by EAX!
So the tip is to localize this call and force the register EAX or AL to have the correct value (0 or 1)!
NB: You have to know that a "Call" is ALWAYS ended by a "RET".
eg:
So if we put an invalid code, the "Call" begins its work from 40E2C0; arriving at the "RET", it sends a result to EAX. If EAX contains the correct value, JNE --> show good boy, else... that's it!

As beginners, the first idea you have is to change JNE to JE or JMP, but on closing the program you have to put in the name/sn another time...

Now you know that everything is playing on the EAX register, so we have to force this last one to have either 1 or 0 at the beginning of the "CALL" (in this example at address 40E2C0). For this, a magic command is here: MOV; so to force EAX to have 0 we put only "Mov eax,0" (idem for AL). So all that the "call" must do is a mov eax,0 or mov eax,1!! That's all, as if it checked the sn, found it correct and sent the correct value to eax! And to stop the "call" exactly after the mov, we put a "RET" =)

In our example: in this situation we must change "sub esp, 434" & "Mov ecx, dword ptr ds:[455F60]" to "Mov eax, 1" & "Ret" =>

NB1: You can fill with NOPs, but it's not necessary because they will not be executed!
NB2: Mov AL,X = B00X and RET = C3.
Have a nice day!!
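The patch the post describes leaves a recognizable fingerprint: the entry of the check routine becomes a constant-return stub, "mov al, X ; ret" (B0 XX C3) or "mov eax, X ; ret" (B8 XX XX XX XX C3), possibly followed by NOP padding. The following Python is an added example, not code from the post or from the forum, showing the kind of integrity check a developer can run over their own binary to notice this. It assumes the developer has recorded a SHA-256 of the routine's original bytes at build time; the sample byte strings are constructed here from the two instructions the post quotes (sub esp, 434 and mov ecx, dword ptr ds:[455F60]) and their "mov eax, 1 ; ret" replacement.

```python
# Added example (not the post's own code): detect a registration-check routine
# whose entry has been replaced by a "mov al/eax, imm ; ret" stub, and compare
# the routine's bytes against a hash recorded at build time.
import hashlib

# x86 opcodes used below: B0 = mov al, imm8 ; B8 = mov eax, imm32 ; C3 = ret ; 90 = nop
MOV_AL_IMM8 = 0xB0
MOV_EAX_IMM32 = 0xB8
RET = 0xC3
NOP = 0x90


def is_constant_return_stub(code: bytes) -> bool:
    """True if the bytes at a function entry are 'mov al, imm8 ; ret' or
    'mov eax, imm32 ; ret', optionally followed only by NOP padding
    (the post notes such NOPs are never executed)."""
    if not code:
        return False
    if code[0] == MOV_AL_IMM8 and len(code) >= 3:
        ret_at = 2          # B0 XX C3
    elif code[0] == MOV_EAX_IMM32 and len(code) >= 6:
        ret_at = 5          # B8 XX XX XX XX C3
    else:
        return False
    if code[ret_at] != RET:
        return False
    # Anything after the RET must be padding, otherwise this is a real prologue
    return all(b == NOP for b in code[ret_at + 1:])


def check_function_integrity(code: bytes, expected_sha256: str) -> dict:
    """Report whether the routine still hashes to its build-time value and,
    independently, whether its entry now looks like a constant-return stub."""
    actual = hashlib.sha256(code).hexdigest()
    return {
        "hash_matches": actual == expected_sha256,
        "constant_return_stub": is_constant_return_stub(code),
    }


# Constructed sample (assumption: these are the first 12 bytes of the routine):
#   81 EC 34 04 00 00   sub esp, 434
#   8B 0D 60 5F 45 00   mov ecx, dword ptr ds:[455F60]
ORIGINAL_PROLOGUE = bytes.fromhex("81EC340400008B0D605F4500")
# Hash the developer would store at build time (computed here from the sample)
EXPECTED_SHA256 = hashlib.sha256(ORIGINAL_PROLOGUE).hexdigest()

# Constructed sample of the patched routine from the post:
#   B8 01 00 00 00      mov eax, 1
#   C3                  ret
#   90 x6               NOP filler for the remaining bytes
PATCHED_PROLOGUE = bytes.fromhex("B801000000C3909090909090")

if __name__ == "__main__":
    print("original:", check_function_integrity(ORIGINAL_PROLOGUE, EXPECTED_SHA256))
    print("patched: ", check_function_integrity(PATCHED_PROLOGUE, EXPECTED_SHA256))
```

The hash comparison is the stronger signal, since it catches any byte change; the stub pattern match is cheaper and explains what kind of change was made. Either check is itself just more code in the same binary and can be patched out in turn, so it raises the effort required rather than preventing the patch outright.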