#16
And what's the value of the byte at ebp-1? That seems somewhat critical.

#17
Can you share your target (max 50 MB)?

#18
#19
Also, that value is written by the above function, as edx is treated as a pointer to that location; a value is being copied from another location.

#20
#22
Did you try to run your debugger as admin?

#23
Nope, I don't have a reason to do so, do I?

#24
You just need to debug the file carefully to find out the solution; you need to look after the decryption function for the next step (you have all the needed info to reach the OEP).

#25
I am not running inside a VM, and I don't know the key if it has already been created; this API is not being called (can you tell me the key path so I can delete it?). Also, do I have to return 0 in eax and ebp-1?
Also, I am getting an access violation if I return all 0s from the pattern function... strange!
Last edited by 0xall0c; 03-04-2020 at 06:53.

#26
So I think this is doing something like XORing the first byte at that address where the exception is occurring, and because registration is bypassed by XORing but our licence is still invalid, I get the exception?
Also, this is wrapped by a loop, and later one more loop decrypts another function!! I don't know how I can validate the licence keys! Here:
Code:
; 16-byte block XOR: eax -> source, edx -> key, ecx -> destination
; for each dword at offsets 0, 4, 8, C: [ecx+off] = [eax+off] ^ [edx+off]
push ebx
mov ebx,dword ptr ds:[eax]        ; dword 0
xor ebx,dword ptr ds:[edx]
mov dword ptr ds:[ecx],ebx
mov ebx,dword ptr ds:[eax+4]      ; dword 1
xor ebx,dword ptr ds:[edx+4]
mov dword ptr ds:[ecx+4],ebx
mov ebx,dword ptr ds:[eax+8]      ; dword 2
xor ebx,dword ptr ds:[edx+8]
mov dword ptr ds:[ecx+8],ebx
mov eax,dword ptr ds:[eax+C]      ; dword 3 (eax is reused as scratch)
xor eax,dword ptr ds:[edx+C]
mov dword ptr ds:[ecx+C],eax
pop ebx
ret
Last edited by 0xall0c; 03-04-2020 at 15:51. Reason: added more info

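As an added example (not code from the thread), a Python model of the posted 16-byte XOR block and of the loop that wraps it. That the loop reuses the same 16-byte key for every block is an assumption; the thread does not show how edx advances between iterations.

```python
import struct


def xor_block16(src: bytes, key: bytes) -> bytes:
    """Model of the posted routine: eax -> src, edx -> key, ecx -> out.

    Four dwords at offsets 0, 4, 8 and 0xC are loaded, XORed and stored,
    so out[i] = src[i] ^ key[i] for all 16 bytes of the block.
    """
    if len(src) != 16 or len(key) != 16:
        raise ValueError("the routine always handles exactly 16 bytes")
    out = bytearray(16)
    for off in (0, 4, 8, 0xC):
        (s,) = struct.unpack_from("<I", src, off)
        (k,) = struct.unpack_from("<I", key, off)
        struct.pack_into("<I", out, off, s ^ k)
    return bytes(out)


def xor_region(data: bytes, key: bytes) -> bytes:
    """Model of the loop around the block routine (assumed: same key per block).

    Walks the region in 16-byte steps. Because XOR is its own inverse,
    running this twice with the same key restores the input, and running
    it with the wrong key silently yields garbage rather than an error,
    which is why an invalid licence shows up as a fault later, not here.
    """
    if len(data) % 16:
        raise ValueError("region length must be a multiple of 16")
    return b"".join(
        xor_block16(data[i : i + 16], key) for i in range(0, len(data), 16)
    )


# constructed sample: 32 bytes of "code" and a 16-byte key
SAMPLE_CODE = bytes(range(0x50, 0x70))
SAMPLE_KEY = b"\x5a\xa5" * 8

if __name__ == "__main__":
    enc = xor_region(SAMPLE_CODE, SAMPLE_KEY)
    print(enc.hex())
    print(xor_region(enc, SAMPLE_KEY) == SAMPLE_CODE)  # True
```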
#27
Is 0x4c00000 the OEP?

#28
My progress till now in Python (x64dbg):
Code:
from x64dbgpy import pluginsdk
from x64dbgpy.pluginsdk._scriptapi import module
from x64dbgpy.pluginsdk._scriptapi import memory
from x64dbgpy.pluginsdk._scriptapi import pattern
from x64dbgpy.pluginsdk._scriptapi import register

# byte pattern of the check routine whose result ends up in eax / ebp-1
PEP_425_REG = "B? ?? ?? ?? ?? E8 ?? ?? 00 00 0F B6 ?? ?? 5? 5? C2 10 00"

# run until the packer calls CompareStringW, then drop that breakpoint
addr = pluginsdk.RemoteGetProcAddress('kernel32.dll', 'CompareStringW')
pluginsdk.Run()
pluginsdk.Run()
pluginsdk.SetBreakpoint(addr)
pluginsdk.Run()
pluginsdk.DeleteBreakpoint(addr)

# find the pattern in the main module and break on the instruction that sets eax
pattern_location = pattern.FindMem(module.GetMainModuleBase(), module.GetMainModuleSize(), PEP_425_REG)
setEaxAddress = pattern_location + 10
pluginsdk.SetHardwareBreakpoint(setEaxAddress, pluginsdk.HardwareType.HardwareExecute)
pluginsdk.Run()

# called 14 times, if ebp-1 set to 0
for i in range(13):
    memory.WriteByte(register.GetEBP() - 1, 0)
    pluginsdk.Run()
pluginsdk.DeleteHardwareBreakpoint(setEaxAddress)
# now it will jump to oep 0x4c0000

#29
Yes, it was. Can you give some more hints?

#30
The previous OEP is wrong; I am very sure it is 0x004BF9C0, but it still contains all 0s. It's hard!