
Thread: Need help please to exec a function

  1. #1
    Rose
    Guest

    Need help please to exec a function

    Hello,
    I know there are a lot of genius people here and I'm praying that
    one of them will have time to help me on this bad road.

    - I have plugins to patch (64-bit) where licensing is integrated inside each file (plugin).
    - The protection is a watermark ("blue bar on the screen").
    - File sizes range from 240 KB to 500 KB max.
    So shame on me for not being able to patch such a ridiculous file.

    I thought the code that needs to be patched was here:
    .text:000000000000DF0D loc_DF0D: ; CODE XREF: licence_d(char *,CPlugin *)+B70 j
    .text:000000000000DF0D xorps xmm0, xmm0
    .text:000000000000DF10 mov rax, cs:_ZZN7CSlideraSEiE6Slider_ptr
    .text:000000000000DF17 cvtsi2ss xmm0, ebx
    .text:000000000000DF1B movss [rsp+5D8h+var_5CC], xmm0
    .text:000000000000DF21 mov ebx, [rsp+5D8h+var_5CC]
    .text:000000000000DF25 mov rdi, [rbp+80h]
    .text:000000000000DF2C mov [rax+34h], ebx
    .text:000000000000DF2F mov rax, [rdi]
    .text:000000000000DF32 call qword ptr [rax+50h]
    .text:000000000000DF35 mov rdi, rax
    .text:000000000000DF38 mov rax, [rbp+80h]
    .text:000000000000DF3F mov rdx, [rbp+10h]
    .text:000000000000DF43 mov rsi, [rax+8]
    .text:000000000000DF47 mov [rsp+5D8h+var_5CC], ebx
    .text:000000000000DF4B movss xmm0, [rsp+5D8h+var_5CC]
    .text:000000000000DF51 mov rax, cs:FuncTBL_ptr
    .text:000000000000DF58 call qword ptr [rax+20h]
    .text:000000000000DF5B mov rax, cs:cmpt_ptr
    .text:000000000000DF62 lea rsi, aLictChecklicOk ; "LicT CheckLic: ok\n"
    .text:000000000000DF69 mov dword ptr [rax], 1
    .text:000000000000DF6F mov rax, cs:iRunTestLicence_ptr
    .text:000000000000DF76 mov dword ptr [rax], 2

    The code at DF6F and DF76 must be executed to validate the license.
    So I replaced
    48 89 5C 24 E8 48 89 6C 24 F0 48 89 FB 4C 89 64
    with:
    B8 01 00 00 00 C3

    Of course it doesn't work, and that is why I'm asking the bros here to have a look. Please, it takes 2 minutes to disassemble a file.
    Here is one of these plugin files (200 KB only):
    http://www.megaupload.com/?d=7ZV2ADTT

    I will be thankful forever if someone could help me, because I need it to solve a big problem.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Take this for what it's worth. I haven't attacked anything 64-bit yet, but just looking at what the code does, it appears to store values at [rax] a lot. Your code just returns a 1. If the code checks for those stored values vs. a 1 in eax, then it won't work. On the other hand, if your code is correct, you have the issue of your code fragment being 32-bit:

    mov eax, 1

    vs. this code being in 64-bit mode, where you'd need:

    mov rax, 1

    So, as I said, I have yet to tackle a 64-bit app, so I don't know if the mov opcode is still the same. If it IS, then you need to extend your opcode to 64 bits. Something like: B8 01 00 00 00 00 00 00 00 C3, because of the registers being 64-bit.

    If nothing else, this gives you something to check.

    Have you applied your patch, and then disassembled the code again to make sure it looks OK?
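An added worked example to go with the patch bytes quoted in the first post and the encoding question raised in the reply above. It is mine, not code from the thread or from the plugin being patched, and it assumes the 9-byte "64-bit mov" suggested above is meant literally as those bytes. The decoder handles only the opcodes that occur in the quoted bytes (REX prefix, `mov r/m64, r64`, `mov r32, imm32`, `mov r64, imm32/imm64`, `add r/m8, r8`, `ret`, `int3`) and is exact for them: in 64-bit mode `B8 01 00 00 00` is still `mov eax, 1`, and a write to eax zero-extends into rax, so the 6-byte patch is valid 64-bit code as it stands; a `mov rax, 1` with the REX.W prefix is `48 C7 C0 01 00 00 00`; and the padded 9-byte form decodes as `mov eax, 1` followed by two `add byte ptr [rax], al`, which stores through whatever rax happens to point at. The 16 original bytes as quoted stop in the middle of an instruction (`4C 89 64` still needs its SIB byte and displacement), so the decoder reports that rather than guessing. `build_patch` is the other check a patcher wants: a shorter replacement padded with `int3` so the span keeps its length and no half-instruction is left after the `ret`.

```python
"""Tiny x86-64 decoder for just the opcodes quoted in this thread, plus a patch padder.
Added example for this page; not code from the thread or from the plugin being patched."""

REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
          "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi",
          "r8d", "r9d", "r10d", "r11d", "r12d", "r13d", "r14d", "r15d"]
REGS8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]


def _imm(code, i, n, signed=False):
    """n-byte little-endian immediate at i; IndexError if the buffer ends early."""
    chunk = code[i:i + n]
    if len(chunk) < n:
        raise IndexError("immediate runs past the end of the buffer")
    return int.from_bytes(chunk, "little", signed=signed), i + n


def _mem_operand(code, i, mod, rm_low, rex_b):
    """[base] or [base+disp8]; the only SIB form handled is 'no index' (e.g. [rsp-0x18])."""
    if rm_low == 4:                                   # SIB byte follows
        sib, i = code[i], i + 1
        if (sib >> 3) & 7 != 4:
            raise ValueError("SIB with an index register is not supported")
        base = REGS64[(sib & 7) | (rex_b << 3)]
    elif mod == 0 and rm_low == 5:
        raise ValueError("RIP-relative addressing is not supported")
    else:
        base = REGS64[rm_low | (rex_b << 3)]
    if mod == 1:
        disp, i = _imm(code, i, 1, signed=True)
        return f"[{base}{disp:+#x}]", i
    return f"[{base}]", i


def decode(code: bytes):
    """[(offset, length, text), ...]; a trailing partial instruction becomes '<truncated>'."""
    out, i = [], 0
    while i < len(code):
        start = i
        try:
            rex_w = rex_r = rex_b = 0
            if 0x40 <= code[i] <= 0x4F:               # REX prefix 0100WRXB
                rex_w, rex_r, rex_b = (code[i] >> 3) & 1, (code[i] >> 2) & 1, code[i] & 1
                i += 1
            op, i = code[i], i + 1
            if op == 0xC3:
                text = "ret"
            elif op == 0xCC:
                text = "int3"
            elif 0xB8 <= op <= 0xBF:                  # B8+r imm32 zero-extends to 64 bits; REX.W: imm64
                reg = (op - 0xB8) | (rex_b << 3)
                if rex_w:
                    imm, i = _imm(code, i, 8)
                    text = f"movabs {REGS64[reg]}, {imm:#x}"
                else:
                    imm, i = _imm(code, i, 4)
                    text = f"mov {REGS32[reg]}, {imm:#x}"
            elif op == 0xC7 and rex_w:                # REX.W C7 /0: mov r64, sign-extended imm32
                modrm, i = code[i], i + 1
                if modrm >> 6 != 3 or (modrm >> 3) & 7 != 0:
                    raise ValueError("only the register form of C7 /0 is supported")
                imm, i = _imm(code, i, 4, signed=True)
                text = f"mov {REGS64[(modrm & 7) | (rex_b << 3)]}, {imm:#x}"
            elif op in (0x00, 0x89):                  # 00 /r: add r/m8, r8   89 /r: mov r/m64, r64
                modrm, i = code[i], i + 1
                mod, reg, rm_low = modrm >> 6, ((modrm >> 3) & 7) | (rex_r << 3), modrm & 7
                if op == 0x00:
                    mnem, src, regs, width = "add", REGS8[reg & 7], REGS8, "byte ptr "
                elif rex_w:
                    mnem, src, regs, width = "mov", REGS64[reg], REGS64, "qword ptr "
                else:
                    raise ValueError("32-bit 'mov r/m32, r32' is not supported")
                if mod == 3:
                    dst = regs[rm_low] if op == 0x00 else regs[rm_low | (rex_b << 3)]
                else:
                    mem, i = _mem_operand(code, i, mod, rm_low, rex_b)
                    dst = width + mem
                text = f"{mnem} {dst}, {src}"
            else:
                raise ValueError(f"opcode {op:#04x} at offset {start} is not supported")
        except IndexError:
            out.append((start, len(code) - start, "<truncated>"))
            break
        out.append((start, i - start, text))
    return out


def listing(code: bytes):
    return [text for _, _, text in decode(code)]


def build_patch(original: bytes, replacement: bytes, pad: bytes = b"\xcc") -> bytes:
    """Overwrite the start of the span with the replacement and fill the rest with int3."""
    if len(replacement) > len(original):
        raise ValueError("replacement does not fit in the patched span")
    return replacement + pad * (len(original) - len(replacement))


# Bytes quoted in the thread.  The 16 'original' bytes stop mid-instruction in the post:
# '4C 89 64' still needs its SIB byte and displacement.
ORIGINAL_16 = bytes.fromhex("48895C24E848896C24F04889FB4C8964")
ROSE_PATCH = bytes.fromhex("B801000000C3")             # what Rose wrote over them
SUGGESTED_9 = bytes.fromhex("B80100000000000000C3")    # the 9-byte "64-bit mov" plus ret
MOV_RAX_1 = bytes.fromhex("48C7C001000000")            # how mov rax, 1 is actually encoded
MOVABS_RAX_1 = bytes.fromhex("48B80100000000000000")   # movabs rax, 1 (REX.W B8 imm64)
```

Run `listing(blob)` on each of the constants to see the instruction text, or `decode(blob)` for offsets and lengths; `listing(build_patch(ORIGINAL_16, ROSE_PATCH))` shows the 16-byte span with the 6-byte patch followed by ten `int3`. Anything outside the handled opcode set raises `ValueError` instead of producing a plausible-looking wrong answer, which is the property you want from a tool used to check a patch.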

  3. #3
    Rose
    Guest
    Thanks Frank for your reply ;-)
    As I said in the description, yes, it is x64 code: "i have plugins to patch (64bit)"
    Yes, I've also disassembled my patch, which gave me the bad result at the end.

  4. #4
    Rose
    Guest
    Well, as I can see, the gentlemen have left this forum, or maybe my request is too hard.
    Thanks anyway.

  5. #5
    Howdy,

    As far as I can tell, Frank said he has not played with 64-bit stuff yet.
    So I don't think he can offer any more help.

    Woodmann
    Learn Or Die.

  6. #6
    Rose
    Guest
    Yes, I've understood it; it was just a simple answer to his question.
    Just praying that my request could interest someone else, but after
    2 days with nothing, I guess "not".

  7. #7
    BanMe (joined Oct 2008, Farmington NH)
    I haven't hit my 7 64-bit system yet, but I like to hack something I know nothing about.. :x So let's make a few 'guestions' into what these code pieces 'do', shall we... :S
    Code:
    .text:000000000000DF0D loc_DF0D: ; CODE XREF: licence_d(char *,CPlugin *)+B70 j
    .text:000000000000DF0D xorps xmm0, xmm0
    .text:000000000000DF10 mov rax, cs:_ZZN7CSlideraSEiE6Slider_ptr...HWND?
    .text:000000000000DF17 cvtsi2ss xmm0, ebx
    .text:000000000000DF1B movss [rsp+5D8h+var_5CC], xmm0
    .text:000000000000DF21 mov ebx, [rsp+5D8h+var_5CC]
    .text:000000000000DF25 mov rdi, [rbp+80h];what is this?
    .text:000000000000DF2C mov [rax+34h], ebx;this writes something..?
    .text:000000000000DF2F mov rax, [rdi];a table of some sort..
    .text:000000000000DF32 call qword ptr [rax+50h]o0
    .text:000000000000DF35 mov rdi, rax;save something
    .text:000000000000DF38 mov rax, [rbp+80h]table pointer
    .text:000000000000DF3F mov rdx, [rbp+10h]..no idea..
    .text:000000000000DF43 mov rsi, [rax+8]
    .text:000000000000DF47 mov [rsp+5D8h+var_5CC], ebx
    .text:000000000000DF4B movss xmm0, [rsp+5D8h+var_5CC]
    .text:000000000000DF51 mov rax, cs:FuncTBL_ptr;fux omg :D
    .text:000000000000DF58 call qword ptr [rax+20h]
    .text:000000000000DF5B mov rax, cs:cmpt_ptr
    .text:000000000000DF62 lea rsi, aLictChecklicOk ; "LicT CheckLic: ok\n"
    .text:000000000000DF69 mov dword ptr [rax], 1
    .text:000000000000DF6F mov rax, cs:iRunTestLicence_ptr;o0!!!!WoRDS!..
    .text:000000000000DF76 mov dword ptr [rax], 2
    In future posts, try to include what the registers are at the time of execution.. that will definitely 'help' us in 'hitting it'..

    My 'answers' are contingent upon the information you can provide me.. take that as 'issue of truth' #1 and you will get 'more answers' and more questions that can 'decipher your thinking'. lol: oh noes.. !! run!!
    Last edited by BanMe; April 7th, 2011 at 11:43.
    No hate for the lost children;
    more love for the paths we walk,
    'words' shatter the truth we seek.
    from the heart and mind of Me
    me, to you.. down and across

    No more words from me, to you...
    Hate and love shatter the heart and Mind of Me.
    For the Lost Children;For the paths we walk; the real truth we seek!

  8. #8
    Rose
    Guest
    Yes, BanMe, I think you got it, and your first analysis is going the same way as mine.

    BTW, I also think that there are many different places to patch to break the security and get a successful result at the end, like:
    - patching the whole licensing
    or
    - patching the watermark itself
    - patching the encrypted key, which then allows you to set whatever you want inside a fake license
    ...I've tested and tried all those ways ): but !!! why is it impossible?

  9. #9
    BanMe
    1. You ask a question that is a stumbling block in itself (nothing is impossible).. that shouldn't be..
    2. You're impatient (I like that).

    I want more information from you..('see' above post by me)..

    regards BanMe

    1. You said 'Why is it impossible'?
    2. You said '2 days without nothing, i guess "not"'
    Last edited by BanMe; April 8th, 2011 at 10:08.

  10. #10
    Rose
    Guest
    I'm not sure I understand you, BanMe. Do you want me to send some proofs? I'm a little bit
    lost with your words/humor and strange English.
    As you can see, I can write like you LOL.
    BTW, I'm not sure this is a chat box here, and are the comments you made on the hex code questions for you or for me?
    Once again, I don't understand where you want to go or what you want me to add.
    Excuse me in advance if this post is mad.

  11. #11
    BanMe
    'Use your anger as a motivational tool to divide and conquer'.

    1. The 'chatter' here never ceases..
    2. The questions are 'from me to you'..
    3. The humor was a tool I used to make you talk further.. :d seeing what you got out of 'it'.
    4. If this isn't a 'chat-based' environment, 'why' do they include the 'edit' ability..0:

    A byte that is lost in 'words' and not in 'finding' the information to the proper 'execution' path is not lost.. It just 'needs' guidance.. :0 (I'm 'shifty'..o0)

    I NEED MORE debug information to help you 'further'..xD (i.e. I need the CODE of the calls and maybe a pastebin copy/paste of registers and debug information, and maybe a 64-bit reference... lol..


    Code:
    .text:000000000000DF0D loc_DF0D: ; CODE XREF: licence_d(char *,CPlugin *)+B70
    .text:000000000000DF0D xorps xmm0, xmm0 0?
    .text:000000000000DF10 mov rax, cs:_ZZN7CSlideraSEiE6Slider_ptr;...HWND?
    .text:000000000000DF17 cvtsi2ss xmm0, ebx;what is ebx?
    ;Convert one signed doubleword integer from r/m32 to one single-precision floating-point value in xmm.
    .text:000000000000DF1B movss [rsp+5D8h+var_5CC], xmm0;hmm...
    .text:000000000000DF21 mov ebx, [rsp+5D8h+var_5CC];float to dword?
    .text:000000000000DF25 mov rdi, [rbp+80h];what is this?
    .text:000000000000DF2C mov [rax+34h], ebx;this writes something..?
    .text:000000000000DF2F mov rax, [rdi];a table of some sort..
    .text:000000000000DF32 call qword ptr [rax+50h]; a call to 'somewhere' I need this call's code..
    .text:000000000000DF35 mov rdi, rax;save something
    .text:000000000000DF38 mov rax, [rbp+80h];table pointer
    .text:000000000000DF3F mov rdx, [rbp+10h];..no idea..;hmm
    .text:000000000000DF43 mov rsi, [rax+8];??(more information here
    .text:000000000000DF47 mov [rsp+5D8h+var_5CC], ebx;ebx changed?
    .text:000000000000DF4B movss xmm0, [rsp+5D8h+var_5CC];float to float..
    .text:000000000000DF51 mov rax, cs:FuncTBL_ptr;fux omg
    .text:000000000000DF58 call qword ptr [rax+20h];'I need this code too'. I think it compares 'something'...
    .text:000000000000DF5B mov rax, cs:cmpt_ptr;xD
    .text:000000000000DF62 lea rsi, aLictChecklicOk ; "LicT CheckLic: ok\n"
    .text:000000000000DF69 mov dword ptr [rax], 1;a 64 bit 1?
    .text:000000000000DF6F mov rax, cs:iRunTestLicence_ptr;o0!!!!WoRDS!..
    .text:000000000000DF76 mov dword ptr [rax], 2;...


    maybe a 'laundry list' would help you..

    #1 I want to help you..
    #2 I want you to help yourself..
    #3 I like you for your fire..lol
    #4 (take as much time as you need..) :S
    Last edited by BanMe; April 9th, 2011 at 20:25.
