Exetools  

  #1  
09-15-2004, 15:14
c4p0ne
Modifying resources of self-checking exe

Anyone got a good tutorial for this? I was just trying to experiment with the kav.exe icon (Kaspersky AntiVirus GUI part) and of course I can't because it detects itself as being "modified" once you run it again (KAV Personal v5.0.153)... Is there a simple way to do this? All I really want to do is change some resources like icons and text and stuff, nothing serious.

#2
09-15-2004, 21:05
Cobi
The only way is to Patch the Self-Check, 'cause you can't edit the File without changing the Checksum.

#3
09-15-2004, 21:27
redbull
Yeah you have to either
1. Patch the self checking routine as Cobi says
or
2. Figure out what hashing algorithm is used and find a "Hash Collision" for it using the new resources.

I recommend 1

#4
09-16-2004, 01:21
MaRKuS-DJM
well, if it uses CRC32, you can crack it the normal way and use a CRC32 fixer

#5
09-16-2004, 04:36
c4p0ne

Hehe, I doubt Kaspersky guys would use CRC32 for their software (I wish). Anyway thanks for that info. =)

#6
09-17-2004, 03:44
MaRKuS-DJM
well i don't have kaspersky, so i don't know

did you try breaking on APIs like CreateFileA? i think it's needed for nearly every self-check on HD.

or did you check all used crypto? else if crypto is used... CreateFileA will be also needed

#7
09-17-2004, 12:43
taos
I've cracked the last version of safelock (I'm preparing to upload to ftp) and it uses CRC check in every, but it was very easy, make a BP on CreateFileA and then analyze the parameter that gets the name of the file, if this is the name of your exe then you must change the jump, or NOP, etc... or follow the algorithm and take note of the new CRC and the old and search the EXE for the old, remember that not all soft uses the CRC standard. Normally, the crc generated by the programmer is in the end of the file, normally, in other is in a crypted file, etc...
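
An added example, not part of any post in this thread: it shows why a checksum stored inside the file itself (the CRC-at-end-of-file layout mentioned above) catches accidental corruption but not a deliberate edit, while a digest recorded outside the file catches both. The trailer layout, function names and sample bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct
import zlib


def add_crc_trailer(body: bytes) -> bytes:
    """Append a little-endian CRC32 of the body (assumed build-time step)."""
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def trailer_check(image: bytes) -> bool:
    """In-file self-check: recompute CRC32 and compare with the last 4 bytes."""
    if len(image) < 4:
        return False
    body, (stored,) = image[:-4], struct.unpack("<I", image[-4:])
    return (zlib.crc32(body) & 0xFFFFFFFF) == stored


def external_check(image: bytes, known_good_sha256: str) -> bool:
    """Out-of-band check: compare against a digest recorded at release time
    and kept apart from the file being verified."""
    digest = hashlib.sha256(image).hexdigest()
    return hmac.compare_digest(digest, known_good_sha256)


def audit(image: bytes, known_good_sha256: str) -> dict:
    """Run both checks so their verdicts can be compared side by side."""
    return {"trailer_ok": trailer_check(image),
            "external_ok": external_check(image, known_good_sha256)}


# Constructed sample data, not a real executable.
RELEASED = add_crc_trailer(b"MZ...code...ICON=original")
KNOWN_GOOD = hashlib.sha256(RELEASED).hexdigest()
CORRUPTED = RELEASED[:10] + b"\x00" + RELEASED[11:]      # one damaged byte
EDITED = add_crc_trailer(b"MZ...code...ICON=replaced")   # trailer regenerated

if __name__ == "__main__":
    for name, img in (("released", RELEASED), ("corrupted", CORRUPTED),
                      ("edited", EDITED)):
        print(name, audit(img, KNOWN_GOOD))
```

In practice the reference value is carried by a signature that the operating system or an updater verifies, so a change to the file cannot also rewrite the value it is compared against.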
  #8  
09-17-2004, 16:54
goldenegg
Quote:
Originally Posted by redbull
Yeah you have to either
1. Patch the self checking routine as Cobi says
or
2. Figure out what hashing algorithm is used and find a "Hash Collision" for it using the new resources.

I recommend 1

There is a third way which interests me. I'm not a pure cracker, I do not want to spend much time to do a patch. I'd like to hook the APIs it called and change the return value, this is a programming way.

#9
09-17-2004, 21:32
taos
Quote:
Originally Posted by goldenegg
There is a third way which interests me. I'm not a pure cracker, I do not want to spend much time to do a patch. I'd like to hook the APIs it called and change the return value, this is a programming way.

But you forget something, there's no API func for CRC.
If you mean to hook an internal func, then it's a very hard job, you must debug this internal func to know how it calculates the CRC and what format it uses (decimal, HEX, string) to return the value that you want. It's easier to patch because it must be only a few bytes.