
Altered dll's


Deep Undercover
October 29th, 2007, 19:06
Hi,
I apologise if this is in the wrong section.

Below are two different altered dlls, each compared to the original it replaces within an application.

Could someone please give me a pointer as to what each (single) change to the original dll makes to the running of the application, and how this alteration is made to the original dll.

Thank you for ANY help anyone can give me.

dll compare original and cracked N01
Quote:
http://img139.imageshack.us/img139/6681/comparedonewm3.png


dll compare original and cracked N02
Quote:
http://img136.imageshack.us/img136/7308/compatetwoiu1.png



Deep Undercover

naides
October 29th, 2007, 19:20
Suggestion #1:

Start the story about two chapters behind.

Suggestion #2:

You are comparing .dll with Microsoft Word??
That is not the right tool to do the job; you need to study the code at hex/assembly level.

Issue # 3

The only thing I can glimpse from the images you show is that a COMMENT in the form ; ASCII "zw" has been added to a disassembly. Comments have no effect on the code flow, they are for humans to read and understand.

So Again: Explain as if I were 5 years old, what is the situation, what you have done, where are those dis-assembly listings coming from, who or what added those comments to the disassembly??

Woodmann
October 29th, 2007, 20:02
Howdy,

Actually, I am a bit surprised you can use word to see such things.

Let me make naides' instructions a bit easier to understand.

Name the .dll's and tell us what you are trying to do with them.
Try using a better tool like Olly to show the "flow" of the code
and where the changes are being made.

Woodmann

rendari
October 29th, 2007, 20:16
I have always found Ultraedit useful when comparing two binary files, since it will nicely list out the changes between the two files. Once you have the offsets of the changes, look at them in Olly and figure out what is being changed and why.

Oh, and if the two files are of different size, chances are that Manual Unpacking is involved. You'll have to read up on that.

Aimless
October 29th, 2007, 21:01
Or better,

get IDA + BinDiff2 and work it out...

Have Phun

Deep Undercover
October 29th, 2007, 21:29
Guys, I am so dumb... sorry. I have now opened the dlls in HDasm and tracked the changes from the original dll to the cracked dll. I have then successfully reproduced the cracked dll by mimicking the alterations within the cracked dll, using HIEW to crack the original dll. What I need to know now is how the changes to the dll allow the main exe application, when run, to install ANY serial applied. Thanks for ANY help you can give me... below are the 3 screenshot changes..

http://img98.imageshack.us/img98/4792/change1dg0.png
http://img165.imageshack.us/img165/5669/change2iz9.png
http://img148.imageshack.us/img148/2463/change3fo3.png

Woodmann
October 29th, 2007, 22:01
Show us something here.
I am too lazy to cut and paste a new http.

Woodmann

Deep Undercover
October 29th, 2007, 22:09
I can't find the image tags LOL


sorry

Woodmann
October 29th, 2007, 22:51
That's because we don't allow them.

You have a good project/problem. We want to help you but you need to bring it down to our forum level.

Use Olly or IDA and do your own cut and paste and then post it here.

Woodmann

Kayaker
October 30th, 2007, 00:22
OMG that hurts to look at! Still, MS Word has a disassembler??

Yes, you would be better to cut and paste from OllyDbg or IDA, you might as well get used to the main reversing tools.
IDA can be downloaded here:
http://www.datarescue.be/idafreeware/freeida43.exe

If you do, please paste code between CODE tags (that's the 2nd last icon from the right that looks like the # sign). Also try to include only pertinent code, commented if you wish, and not reams of unrelated code.

That said, it looks like in at least one instance an entire function is bypassed. Inserted at the start of the function is a simple return:

Code:
mov eax, 0
ret
nop (just a byte filler)


The problem with this is that you don't really know *what* the patch has done - it's simply *not* calling a particular routine. While this may work sometimes, it's not really an "elegant" patch. By not calling a complete function you're just as likely to break something further on down the line.

If you really want to understand this your best bet would be to set a breakpoint in the *unpatched* dll at the same address the patch is made and trace through the missing code, checking contents of variables, strings etc., to try to understand what the code does. Then you'll probably realize why the patch was done at that particular place.

Kayaker

LLXX
October 31st, 2007, 17:57
Hahahahah oh wow... you certainly have the right motivation and mindset, but perhaps you should read the articles on reversing to see the proper way to do it? There's the excellent "Fravia's Pages of Reverse Engineering" -- link at the bottom of every page -- the material is somewhat dated, but is of incomparable quality and considered essential reads for the beginner, especially classic works such as +ORC's original series.

Also, look up the fc command next time you want to do a file comparison.
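
The byte-level comparison rendari and LLXX describe (Ultraedit's binary compare, or `fc /b` on Windows), together with Kayaker's observation that the patch in one place is just a `mov eax, 0` / `ret` / `nop` stub dropped at the start of a function, can be reproduced in a few lines. The following is an added example written for this thread, not code from any poster or tool mentioned here. It assumes both files are the same size (if they are not, the unpacking step rendari mentions comes first) and uses a small constructed pair of byte strings in place of the real dlls; the stub signature is the standard x86 encoding of the instructions Kayaker quotes.

```python
"""Binary diff of two same-sized files plus a check for stubbed-out functions.

Added example for the thread above; not the code of any tool named there.
Assumptions: equal file sizes, and the "return stub" signature is the x86
encoding of `mov eax, 0` (B8 00 00 00 00) followed by `ret` (C3).  A trailing
`nop` (90) is a filler and is not required to match.
"""
from typing import Dict, List, Tuple

# `mov eax, 0` + `ret` -- the stub Kayaker describes, minus the optional nop.
RETURN_STUB = bytes.fromhex("b800000000c3")

# Constructed sample "original": push ebp; mov ebp,esp; sub esp,0x10; push esi;
# mov eax,[ebp+0xc]; test eax,eax; jz +0x1a; mov eax,1; pop esi; leave; ret
ORIGINAL = bytes.fromhex("558bec83ec1056" "8b450c" "85c0741a" "b801000000" "5ec9c3")

# Constructed sample "patched": the first seven bytes replaced by the return
# stub (with nop filler), plus one unrelated byte changed in `mov eax,1`.
PATCHED = bytes.fromhex("b800000000c390" "8b450c" "85c0741a" "b802000000" "5ec9c3")


def diff_bytes(original: bytes, modified: bytes) -> List[Tuple[int, bytes, bytes]]:
    """Return contiguous runs of differing bytes as (offset, old_bytes, new_bytes).

    Same information as `fc /b`, but adjacent differences are grouped so that a
    multi-byte patch shows up as a single entry.
    """
    if len(original) != len(modified):
        raise ValueError("sizes differ: unpack/compare at the same layout first")
    runs: List[Tuple[int, bytes, bytes]] = []
    i, n = 0, len(original)
    while i < n:
        if original[i] == modified[i]:
            i += 1
            continue
        start = i
        while i < n and original[i] != modified[i]:
            i += 1
        runs.append((start, original[start:i], modified[start:i]))
    return runs


def fc_lines(runs: List[Tuple[int, bytes, bytes]]) -> List[str]:
    """Render the runs one byte per line in the `OFFSET: OLD NEW` style of fc /b."""
    lines = []
    for offset, old, new in runs:
        for k, (o, m) in enumerate(zip(old, new)):
            lines.append(f"{offset + k:08X}: {o:02X} {m:02X}")
    return lines


def analyze(original: bytes, modified: bytes) -> List[Dict[str, object]]:
    """Classify each changed run: a return stub written over a function entry,
    or a generic byte patch that needs a look in a disassembler."""
    findings = []
    for offset, old, new in diff_bytes(original, modified):
        # Look at the bytes now present at the patch site, not only the changed
        # ones, so a stub whose nop happens to equal the old byte still matches.
        window = modified[offset:offset + len(RETURN_STUB)]
        kind = "return-stub" if window == RETURN_STUB else "byte-patch"
        findings.append({"offset": offset, "old": old.hex(), "new": new.hex(), "kind": kind})
    return findings


if __name__ == "__main__":
    for line in fc_lines(diff_bytes(ORIGINAL, PATCHED)):
        print(line)
    for f in analyze(ORIGINAL, PATCHED):
        print(f"{f['offset']:08X}  {f['kind']:12}  {f['old']} -> {f['new']}")
```

Run against two real files, read them with `open(path, "rb").read()` in place of the constructed byte strings; the offsets printed are file offsets, which is what you then look up in Olly or IDA, as rendari says, to see the function that was stubbed and trace the unpatched version as Kayaker suggests.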

SiGiNT
October 31st, 2007, 23:22
Answering your question - simply paraphrased "how did the cracker know what to change in the .dll and how did he know to change it" - a simple answer is he studied, observed, studied, researched, and studied, experimented, failed and studied some more - it requires at least a fundamental knowledge of assembly language, basic programming techniques, some math, and a whole lot of curiosity - finding the answer to your question is your responsibility, we are here to help you over the rough spots. Another good place to find info in addition to the archives here is http://www.tuts4you.com. Good luck - looking forward to helping you when you are ready.

SiGiNT

LLXX
November 1st, 2007, 00:18
Quote:
Originally Posted by sigint33: Another good place to find info in addition to the archives here is http://www.tuts4you.com.
That's certainly one of the larger repositories, but quality and accuracy tend to be rather varied. You'll just have to look through a lot before you find something comprehensible.

blurcode
November 1st, 2007, 06:11
Quote:
Originally Posted by LLXX: That's certainly one of the larger repositories, but quality and accuracy tend to be rather varied. You'll just have to look through a lot before you find something comprehensible.


If you only look and don't read through a lot, you may miss some jokes inside the tutorials, videos, etc.