Old 11-14-2019, 02:19
CodeCracker
Some info on how you could modify this to also work for the Full version:
it seems that under the full version the only different thing is a dword which comes after site_code:

uint32_t ToBeHashed[2];
ToBeHashed[0] = site_code; // we need site code for decoding
ToBeHashed[1] = 0xA264D581; // this should be changed

You should grab it from the target program.
Here is the first PC Guard check of the serial length:
009CA211 83F9 23 CMP ECX,23
009CA214 9C PUSHFD
009CA215 EB 01 JMP SHORT 009CA218

and this will move into eax the dword which should be fixed:
009CA74F 8B85 10B74100 MOV EAX,DWORD PTR SS:[EBP+41B710]
009CA755 60 PUSHAD
009CA756 E8 03000000 CALL 009CA75E
009CA75B 83EB 0E SUB EBX,0E
009CA75E EB 01 JMP SHORT 009CA761
How you should trace PC Guard: if you are after the actual check, you should set a breakpoint before where the current call gets called; restart Olly (don't bother trying to follow jumps). You will also see some loop: just set a breakpoint on the exit door.