Bypassing almost all protection of the type: Call - Test - Jump
#1
Posted By: TripleIntegrale 20-10-2007, 01:47 PM

Peace be upon you, and the mercy of God the Exalted and His blessings.
Hello everybody!
This is my first essay in English, so you have to forgive my bad English.
In this tut I'll teach you how to break this kind of protection: Call//Test//Jmp, but not by reversing jumps (JE becomes JNE...).
In general, the program tests if it is registered or not and, depending on the result, it puts a static value in a register after the call; this register is usually EAX. So in the test (or cmp...) after the last call, the program checks the result in AL (NB: EAX (32 bits) = AX (16 bits) = AL (8 bits) + AH (8 bits)), then we find either a JE or a JNE. Of course those jumps are directly influenced by the Zero Flag, which is modified by EAX!
So the tip is to locate this call, to force the register EAX or AL to have the correct value (0 or 1)!
NB: You have to know that a "Call" is ALWAYS ended by a "RET".
e.g.:

:00408740 E87B5B0000 Call 0040E2C0 ; works the name/sn..
:00408748 85C0 test eax, eax ; checks if sn is good
:0040874B 7527 Jne 00408774 ; jump if ZF = 1
:0040874C --->"Invalid Registration code!!"
*********Cut***Cut***Cut***Cut**********
:00408774 ---> "Thank you for Support!!"
So if we put an invalid code, the "Call" begins its work from 40E2C0; arriving at the "RET", it sends a result to EAX. If EAX contains the correct value, JNE --> show good boy, else... that's it!

As beginners, the first idea you have is to change JNE to JE or JMP, but on closing the program, you have to put the name/sn another time... Now you know that everything is playing on the EAX register, so we have to force it to have either 1 or 0 at the beginning of the "CALL" (in this example at address 40E2C0).
For this, a magic command is here: MOV. So to force EAX to have 0 we put only "Mov eax,0" (idem for AL), so all that the "call" must do is a mov eax,0 or mov eax,1!! That's all, as if it checked the sn, found it correct and sent the correct value to EAX! And to stop the "call" exactly after the mov, we put a "RET" =)
In our example:
:0040E2C0 81EC340400 sub esp, 434
:0040E2xx 8B0D605F4500 Mov ecx, dword ptr ds:[455F60]
...
***********Cut***Cut***Cut***Cut***************
...
:0040Exxx C3 RET
In this situation we must change "sub esp, 434" & "Mov ecx, dword ptr ds:[455F60]" to "Mov eax, 1" & "Ret".

=>
:0040E2C0 B801000000 mov eax,1
:0040E2xx C3 RET
:0040E2xx 0D ?
:0040E2xx 60 ?
:0040E2xx 5F ?
:0040E2xx 45 ?
:0040E2xx 00 ?

NB1: You can fill with NOPs, but it's not necessary because they will not be executed!
NB2: Mov AL,X = B00X and RET = C3
Have a nice day!!
There is no god but You; glory be to You; indeed I was among the wrongdoers.

Narrated from Abu Hurayrah (may God be pleased with him) that the Messenger of God (peace be upon him) used to say in his prostration: "O God, forgive me all my sins: the small and the great, the first and the last, the open and the secret."
(Sahih - narrated by Muslim).
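Added example (not from the original post or its author): a defender-side integrity check that detects when a validation routine's entry bytes have been replaced by the constant-return stub the post describes (mov eax, imm32 ; ret, or mov al, imm8 ; ret), by comparing each protected function against a known-good hash and then classifying the change. The function name, offsets, and image layout below are constructed for illustration; the routine bytes follow the post's listing.

```python
import hashlib

# x86 encodings referenced in the post:
#   B8 imm32 = mov eax, imm32  (5 bytes)
#   B0 imm8  = mov al, imm8    (2 bytes)
#   C3       = ret
MOV_EAX_IMM32 = 0xB8
MOV_AL_IMM8 = 0xB0
RET = 0xC3


def is_constant_return_stub(code: bytes):
    """Return the constant a 'mov eax/al, imm ; ret' stub would place in
    EAX/AL, or None if the bytes at the function entry are not such a stub."""
    if len(code) >= 6 and code[0] == MOV_EAX_IMM32 and code[5] == RET:
        return int.from_bytes(code[1:5], "little")
    if len(code) >= 3 and code[0] == MOV_AL_IMM8 and code[2] == RET:
        return code[1]
    return None


def check_functions(image: bytes, functions: dict):
    """functions maps name -> (offset, length, sha256 hex of known-good bytes).
    Returns (name, kind, constant) for every function whose bytes no longer
    match; kind is 'constant-return stub' when the entry was turned into
    a mov/ret stub, otherwise 'modified'."""
    findings = []
    for name, (off, length, good_hash) in functions.items():
        body = image[off:off + length]
        if hashlib.sha256(body).hexdigest() != good_hash:
            stub = is_constant_return_stub(body)
            kind = "constant-return stub" if stub is not None else "modified"
            findings.append((name, kind, stub))
    return findings


# Constructed sample: the validation routine from the post's listing
# (sub esp,434h ; mov ecx,[455F60h] ; ... ; ret). sub esp,434h encodes as
# 81 EC 34 04 00 00 (six bytes); the body in between is padded with NOPs.
ORIGINAL_FUNC = (bytes.fromhex("81EC34040000") + bytes.fromhex("8B0D605F4500")
                 + b"\x90" * 10 + b"\xC3")
# The patch from the post: the first six bytes become mov eax,1 ; ret.
PATCHED_FUNC = bytes.fromhex("B801000000C3") + ORIGINAL_FUNC[6:]

FUNC_OFFSET = 0x100  # hypothetical location of the routine in the image


def build_image(func: bytes) -> bytes:
    """Place the routine inside a zero-filled constructed image."""
    return b"\x00" * FUNC_OFFSET + func + b"\x00" * 16


KNOWN_GOOD = {
    "check_serial": (FUNC_OFFSET, len(ORIGINAL_FUNC),
                     hashlib.sha256(ORIGINAL_FUNC).hexdigest()),
}


def scan_original():
    return check_functions(build_image(ORIGINAL_FUNC), KNOWN_GOOD)


def scan_patched():
    return check_functions(build_image(PATCHED_FUNC), KNOWN_GOOD)


if __name__ == "__main__":
    print("original image:", scan_original())
    print("patched image: ", scan_patched())
```

The hash comparison is what actually catches tampering; the stub classifier only explains the most common shape of it. A real self-check would need the known-good hashes stored somewhere the patcher cannot also rewrite, which is why such checks are usually paired with code signing rather than relied on alone.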