#1
Help-Inline Patching ASPACK 2.12 (System Mechanic 4.0h)
Target: System Mechanic Personal Edition Version 4.0h (as on 30/03/2004)
Download Target: h**p://www.iolo.com/sm/4/download.cfm
Protection: ASPACK 2.12 and Serial.

Here is what you do to beat this proggie. Thanks SatyricOn for your lesson no. 2: find the one place where "IsSystemMech4Registered" & "IsRegistrationKeyValid" are located and patch it. Gee.. I found it the kiddie way.

Quote:
I tried inline patching ASPACK'd System Mechanic but it will not allow me to copy the changes to the executable. Can you guys tell me why? With temporary injection of my own code and running in Olly, the software will run registered, killing all nags. But it will not allow me to make the changes permanent. This is how I inject my code and it works. The app runs registered:

00C704FE 68 E4666900 PUSH SysMech4.006966E4 (Signature bytes)
006966E4 C605 25644D00 >MOV BYTE PTR DS:[4D6425],7C
006966EB 68 C4666900 PUSH 006966C4 (Real OEP)
006966F0 C3 RETN

Now if I try to make the changes permanent it will tell me that the data was not found in the executable and will disable the "Copy" & "Copy All" buttons. I'm using Olly v1.10 Step 2. How can I do it in Olly if I don't want to use Hiew? Someone please explain.

Regards,

Last edited by ferrari; 04-02-2004 at 12:17.
#2
Seems to me like you're trying to patch it after it's already started its unpacking procedure, meaning those addresses don't actually exist in the executable, so OllyDbg is unable to write the changes; my best guess anyway.
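The mechanism behind this answer, as an added example that is not from the thread or from any of its posters: a small parser for the PE section table that maps a virtual address to its file offset and returns None when no bytes on disk back that address. The section layout and the 0x400000 image base are constructed for illustration and are not the real target's; the point is that a packed file's original sections have a large VirtualSize but zero SizeOfRawData, so anything the unpacker writes there has no file offset to patch.

```python
import struct
from typing import List, Optional, Tuple

# Assumed image base for the constructed sample (not read from a real file).
IMAGE_BASE = 0x400000

# Constructed section table, NOT the real target's layout. The packer leaves
# the original code/data sections with a large VirtualSize but zero raw bytes
# on disk; only the packer stub section is actually backed by file data.
SECTIONS = [
    # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    (b".text",   0x2F0000, 0x001000, 0x00000, 0x000),  # unpacked code lands here at run time
    (b".data",   0x010000, 0x2F1000, 0x00000, 0x000),  # same: filled in by the unpacker
    (b".aspack", 0x002000, 0x870000, 0x01A00, 0x400),  # packer stub, present in the file
]

def build_section_table(sections) -> bytes:
    """Serialize sections into consecutive 40-byte IMAGE_SECTION_HEADER records."""
    blob = b""
    for name, vsize, va, rawsize, rawptr in sections:
        blob += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"),
                            vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0)
    return blob

def parse_section_table(blob: bytes) -> List[Tuple[bytes, int, int, int, int]]:
    """Parse IMAGE_SECTION_HEADER records back into (name, vsize, va, rawsize, rawptr)."""
    out = []
    for i in range(0, len(blob), 40):
        name, vsize, va, rawsize, rawptr = struct.unpack("<8sIIII", blob[i:i + 24])
        out.append((name.rstrip(b"\0"), vsize, va, rawsize, rawptr))
    return out

def va_to_file_offset(va: int, sections, image_base: int = IMAGE_BASE) -> Optional[int]:
    """Map a virtual address to its file offset; None means no bytes on disk back it.
    A debugger can only write a patch back to the file when this returns an offset."""
    rva = va - image_base
    for _name, vsize, sec_va, rawsize, rawptr in sections:
        if sec_va <= rva < sec_va + max(vsize, rawsize):
            delta = rva - sec_va
            if delta >= rawsize:          # inside the section's virtual range only
                return None
            return rawptr + delta
    return None                           # not inside any section at all
```

With this layout the unpacked flag byte at 004D6425 maps to nothing, while the stub code at 00C704F4 maps to a real offset, which is exactly the split between "cannot copy to executable" and "can".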
#3
Just change the
00C704F4 75 08 JNZ SHORT SysMech4.00C704FE
to jump to your custom code, then jump back when it's executed.

Edit: Here's my solution.
00C704F4 E9 073E0100 JMP SysMech4.00C84300
00C704F9 90 NOP
00C704FA 90 NOP
00C84300 C605 25644D00 7C MOV BYTE PTR DS:[4D6425],7C
00C84307 ^E9 F2C1FEFF JMP SysMech4.00C704FE

Last edited by SvensK; 04-02-2004 at 16:39.
#4
Thank you both Mr.Anonymous and SvensK for your help.
SvensK, I'll try your solution and hopefully it will work.
Regards,
#5
It's even easier to serial fish this baby. Took a few minutes.
Name: SvensK [pH]
Serial#: 74758-S4565-4654558635
Now you don't have to patch the exe at all. Enjoy.

Last edited by SvensK; 04-02-2004 at 17:14.
#6
Hi,
It seems you use the point-H method. Thanks.
Regards,
#7
Simply put a breakpoint at:
004D6486 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
Press F8 once and the correct serial# is pushed to EAX and is shown at the top row in the Registers window.
#8
I found the serial earlier today too Ferrari; this is how I found it:

Point H & call stack didn't seem to help with this program, so I used a bit of lateral thinking for a solution, and in this case it fucking worked!!! In fact I got a serial when I thought I'd just be finding where to crack the trial. Don't know how well it will work on other targets; with long routines it may pay to press Ctrl & F8 to bring up the evaluation screen sooner.

F8 till the evaluation screen opens; happens at:
006966D4 . E8 B7F3FFFF CALL SysMech4.00695A90

Restart, F8 till above, then F7, then F8 till the evaluation screen opens; happens here:
00695AD6 |. E8 81F0FFFF CALL SysMech4.00694B5C

Restart, trace with F8, then F7, then F8 till above, then F7 into. Code here looks more interesting, some tests, so let's trace into some of these calls and see which ones are worth a breakpoint:

This one looks like it tests for past crackers and serial cracks; let's not bother with this for now:
00694B7E . E8 D919E4FF CALL SysMech4.004D655C

This one just seems to check whether it is a first run; I don't think we will bother with that:
00694B9F . E8 1817E4FF CALL SysMech4.004D62BC

This one looks real promising, has strings mentioning serials:
00694BBA > E8 ED17E4FF CALL SysMech4.004D63AC

This one deals with the trial period and when it expires; let's not worry about this for now:
00694BE2 . E8 6D15E5FF CALL SysMech4.004E6154

The evaluation screen opens in this call, so let us not look any further.

So let us put a breakpoint on 004D63AC, restart the program in Olly, and run until the evaluation screen comes up. Enter your name and fake serial, and the bad cracker message comes up. Oh bugger, it didn't break; you think you are back to the drawing board, but when you hit OK on this message, Olly does break here:
004D63AC /$ 55 PUSH EBP

Now look in the memory dump window: we can see our fake details, and a valid serial for your username is shown at 0012F894; for Pompeyfan it is 71686-S4670-0635881907.

If I hadn't grabbed a serial, I would have investigated the trial and first run calls, to try and kill the trial.
#9
@ SvensK
Your solution worked my friend. Thanks once again.
@Pompeyfan
Regards,
#10
I agree mate, a tut is certainly worth doing, and I for one am looking forward to reading it, as I don't know much about inline patching, so you will be teaching me something new.