#1 byvs, 10-23-2016 21:50
How to identify the address where the test is done?

Hello guys,
I need help, please.
When you change a string, the process ends.
How do I identify the address where the test is done?
The string is "uLme" at address 007B3AD8 in the ulme.exe file.

FILE: http://www113.zippyshare.com/v/oenVyf9Q/file.html

Thank you for your help.

PS: sorry, I could not post the REQUESTS
#2 t3xc0d3, 10-24-2016 00:41
You can set a read/write hardware breakpoint to obtain the location that reads/writes the string.

Another possibility is a pure static approach: searching for xrefs in the code. Doing that, you will see that 0x7B31B6 loads the data location into eax and then calls 0x40A748.
#3 byvs, 10-24-2016 02:57
And how do I stop this test and change the string?
#4 bongos_man, 10-24-2016 04:59
Assuming the program is otherwise unprotected and will not try to prevent or detect it, write a loader which injects a DLL into the target process's memory and patches bytes in the appropriate place to call a function in your DLL that changes the string however you wish. There are lots of tutorials on code injection; here are some good ones:

Three Ways to Inject Your Code into Another Process
A More Complete DLL Injection Solution Using CreateRemoteThread
Code Injection - A Generic Approach for 32bit and 64bit Versions
InjLib - A library that implements remote code injection for all Windows versions
#5 byvs, 10-24-2016 05:37
Quote:
Originally Posted by bongos_man
Assuming the program is otherwise unprotected and will not try to prevent or detect it, write a loader which injects a DLL into the target process's memory and patches bytes in the appropriate place to call a function in your DLL that changes the string however you wish. There are lots of tutorials on code injection; here are some good ones:

Three Ways to Inject Your Code into Another Process
A More Complete DLL Injection Solution Using CreateRemoteThread
Code Injection - A Generic Approach for 32bit and 64bit Versions
InjLib - A library that implements remote code injection for all Windows versions
But in practice how do I stop this test and change the string?
#6 bongos_man, 10-24-2016 06:14
I didn't have a chance to look at your exe, but say a target calls strcmp and then does something based on its result. Your loader (which injects a DLL with your code) can use WriteProcessMemory to patch the call to strcmp (in your target) to instead call the function in your DLL. Your function can then modify the string and return strcmp(s1, s2). The tutorials show you how you can calculate the address of the DLL function so that you can patch the call with the right address.
#7 byvs, 10-24-2016 06:30
Quote:
Originally Posted by bongos_man
I didn't have a chance to look at your exe, but say a target calls strcmp and then does something based on its result. Your loader (which injects a DLL with your code) can use WriteProcessMemory to patch the call to strcmp (in your target) to instead call the function in your DLL. Your function can then modify the string and return strcmp(s1, s2). The tutorials show you how you can calculate the address of the DLL function so that you can patch the call with the right address.
For those who know, it is easy, but for a layman it is complicated.
#8 bongos_man, 10-24-2016 08:00
Here is sample loader and DLL code for you; I tried to put it in the thread, but the exetools forum kept giving errors.

https://gist.github.com/anonymous/0f8bdbcc6e0bc2bb835ebe55713b41de
#9 byvs, 10-24-2016 08:13
Quote:
Originally Posted by bongos_man
Here is sample loader and DLL code for you; I tried to put it in the thread, but the exetools forum kept giving errors.

https://gist.github.com/anonymous/0f8bdbcc6e0bc2bb835ebe55713b41de

What to do with it?
#10 mcp, 10-24-2016 15:12
HW breakpoints won't help you if the program performs self-checksums in memory. What you really want to do is diff runtime traces:
1) Record a trace of running the unmodified binary
2) Record a trace of running the modified binary
3) See where they differ. This yields one (or possibly many) program location(s) that perform "the check(s)".

As for collecting traces, use your favourite debugger (x64dbg, ollydbg, IDA) or dynamic binary instrumentation tool (DynamoRIO, PIN).
#11 byvs, 10-24-2016 22:11
Quote:
Originally Posted by bongos_man
At 0x7B31BB, the function is called with the address of your string in eax. You want to patch this call to instead call a function in your DLL. Add a function to your DLL like this:

Code:
void __declspec(naked) patchstring() {
  __asm {
    ; modify string here somehow
    ; but be careful to preserve registers
    ; because your target looks like it uses fastcall

    ; now call old func at 0x7B31BB
    jmp 0xBB31BB ; 0x400000 + 0x7B31BB
  }
}
And in the DllMain, replace the bytes from 0x7B31BC to 0x7B31BF with the address of that function (read the tuts for more info). Don't replace the 0xE8 at 0x7B31BB, because that is the beginning of the call opcode ;]
@bongos_man
Thank you, my friend.
I will replace the FF byte value with 88. It worked, but not 100%:
0xE88875C5FF to 0xE88875C588
Is that it?
#12 bongos_man, 10-25-2016 02:37
Sorry, I was very, very drunk. Ignore everything I said.

try this: https://gist.github.com/anonymous/9068570079dd3550015caeb19026d5f8
#13 byvs, 10-25-2016 04:16
Quote:
Originally Posted by bongos_man
Sorry, I was very, very drunk. Ignore everything I said.

try this: https://gist.github.com/anonymous/9068570079dd3550015caeb19026d5f8
Sorry, I do not know what to do with it!
#14 bongos_man, 10-25-2016 08:40
Compile main.c as an exe and loader.c as a DLL/shared library, then run:
Code:
main yourprogram loader.dll
If you don't know very much C or assembly, you will need to learn them better in order to become a good reverse engineer.