Exetools  

  #16  
Old 03-04-2020, 03:25
evlncrn8
VIP
Join Date: Sep 2005
Posts: 179
And what's the value of the byte @ ebp-1? That seems somewhat critical.
  #17  
Old 03-04-2020, 03:37
h4sh3m
Friend
Join Date: Aug 2016
Location: RCE
Posts: 56
Can you share your target (max 50 MB)?
  #18  
Old 03-04-2020, 03:50
0xall0c
Friend
Join Date: Mar 2018
Posts: 67
https://www78.zippyshare.com/v/CHp4KO0m/file.html

Here.
  #19  
Old 03-04-2020, 03:56
0xall0c
Friend
Join Date: Mar 2018
Posts: 67
Quote:
Originally Posted by evlncrn8
And what's the value of the byte @ ebp-1? That seems somewhat critical.
I tried changing it to zero; still the same direct exit!

Also, that value is written by the above function: edx is treated as a pointer to that location, and a value is copied there from another location.
  #20  
Old 03-04-2020, 04:18
h4sh3m
Friend
Join Date: Aug 2016
Location: RCE
Posts: 56
Quote:
Originally Posted by 0xall0c
Needs password.
  #21  
Old 03-04-2020, 04:21
0xall0c
Friend
Join Date: Mar 2018
Posts: 67
Quote:
Originally Posted by h4sh3m
Needs password.
12345 is the password.
  #22  
Old 03-04-2020, 04:47
h4sh3m
Friend
Join Date: Aug 2016
Location: RCE
Posts: 56
Did you try to run your debugger as admin?
  #23  
Old 03-04-2020, 04:51
0xall0c
Friend
Join Date: Mar 2018
Posts: 67
Nope, I don't have a reason to do so, do I?
  #24  
Old 03-04-2020, 06:05
h4sh3m
Friend
Join Date: Aug 2016
Location: RCE
Posts: 56
Quote:
0100A060 | E8 3F 66 FC FF | call <wartrc2.RegCreateKeyExW> |
returns non-zero and it will exit silently :|
You just need to debug the file carefully to find out the solution; you need to look at the decryption function for the next step (you have all the needed info to reach the OEP).
  #25  
Old 03-04-2020, 06:39
0xall0c
Friend
Join Date: Mar 2018
Posts: 67
I am not running inside a VM, and I don't know the key if it has already been created; this API is not being called (can you tell me the key path so I can delete it?). Also, do I have to return 0 in eax and ebp-1?

Also, I am getting an access violation if I return all 0 from the pattern function... strange!

Last edited by 0xall0c; 03-04-2020 at 06:53.
  #26  
Old 03-04-2020, 15:42
0xall0c
Friend
Join Date: Mar 2018
Posts: 67
So I think this is doing something like XORing the first byte at the address where the exception is occurring, and because registration is bypassed by XORing but our licence is still invalid, I get an exception?

Also, this is wrapped in a loop, and later one more loop decrypts another function!!
Don't know how I can validate the licence keys!

here:

Code:
; eax = source block, edx = second (mask/key) block, ecx = destination
; four dword XORs, i.e. one 16-byte block per call; ebx is preserved, eax is clobbered
push ebx
mov ebx,dword ptr ds:[eax]          ; dst[0..3] = src[0..3] ^ key[0..3]
xor ebx,dword ptr ds:[edx]
mov dword ptr ds:[ecx],ebx
mov ebx,dword ptr ds:[eax+4]        ; dst[4..7] = src[4..7] ^ key[4..7]
xor ebx,dword ptr ds:[edx+4]
mov dword ptr ds:[ecx+4],ebx
mov ebx,dword ptr ds:[eax+8]        ; dst[8..B] = src[8..B] ^ key[8..B]
xor ebx,dword ptr ds:[edx+8]
mov dword ptr ds:[ecx+8],ebx
mov eax,dword ptr ds:[eax+C]        ; dst[C..F] = src[C..F] ^ key[C..F]
xor eax,dword ptr ds:[edx+C]
mov dword ptr ds:[ecx+C],eax
pop ebx
ret

Last edited by 0xall0c; 03-04-2020 at 15:51. Reason: added more info
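The routine in the post above is a plain 16-byte XOR: four dword loads from eax, XORed with the dwords at edx, stored at ecx. The following is an added example, not code from the thread or from the target: a Python model of that block routine plus the outer loop the poster describes, so a dumped buffer can be decrypted offline with a candidate key and the output checked for plausibility. The register roles come from the posted disassembly; the sample key, the sample "function" bytes, the shape of the outer loop and the prologue heuristic are assumptions made here for illustration.

```python
"""Pure-Python model of the 16-byte XOR routine in the post above.

Added example, not code from the thread. The register roles (eax = source
block, edx = mask/key block, ecx = destination) are read from the posted
disassembly; the outer loop, the sample data and the prologue heuristic are
assumptions made here for illustration, not facts about the target.
"""
import struct

BLOCK = 16  # the routine touches [reg], [reg+4], [reg+8], [reg+0xC]


def xor_block16(src: bytes, key: bytes) -> bytes:
    """Same work as the asm: four 32-bit XORs of src against key.

    Done on little-endian dwords exactly as the x86 code does it; because
    XOR is bytewise, the result equals a byte-by-byte XOR of the block.
    """
    if len(src) != BLOCK or len(key) != BLOCK:
        raise ValueError("routine handles exactly one 16-byte block")
    out = bytearray(BLOCK)
    for off in range(0, BLOCK, 4):
        (a,) = struct.unpack_from("<I", src, off)   # mov ebx, [eax+off]
        (k,) = struct.unpack_from("<I", key, off)   # xor ebx, [edx+off]
        struct.pack_into("<I", out, off, a ^ k)     # mov [ecx+off], ebx
    return bytes(out)


def xor_buffer(buf: bytes, key: bytes) -> bytes:
    """Assumed shape of the loop the poster says wraps the routine: walk the
    buffer one 16-byte block at a time, XORing every block with the same key.
    XOR is an involution, so the same call encrypts and decrypts."""
    if len(buf) % BLOCK:
        raise ValueError("buffer is not a whole number of 16-byte blocks")
    return b"".join(xor_block16(buf[i:i + BLOCK], key)
                    for i in range(0, len(buf), BLOCK))


def looks_like_x86_prologue(code: bytes) -> bool:
    """Cheap plausibility check for a decrypted 32-bit function: most
    compiler-generated functions open with push ebp / mov ebp,esp
    (55 8B EC or 55 89 E5). Output produced with a wrong key fails this."""
    return code[:3] in (b"\x55\x8b\xec", b"\x55\x89\xe5")


# Constructed sample: a two-block "function" (push ebp; mov ebp,esp; sub esp,10h;
# mov dword [ebp-4],0; leave; ret; nop; then int3 padding) encrypted under a
# made-up 16-byte key. Real key material would have to come from the target.
KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
PLAIN = bytes.fromhex("5589e583ec10c745fc00000000c9c390"
                      "cccccccccccccccccccccccccccccccc")
ENCRYPTED = xor_buffer(PLAIN, KEY)


def decrypt_and_check(enc: bytes, key: bytes):
    """Decrypt with a candidate key and report whether the output looks like
    code; returns (plaintext, plausible)."""
    plain = xor_buffer(enc, key)
    return plain, looks_like_x86_prologue(plain)
```

If the routine is being fed the wrong second block (for example because a licence check was patched rather than satisfied), `decrypt_and_check` returns `plausible == False`, which is the quickest way to tell "decryption ran but produced garbage" from "decryption never ran" before execution faults at the decrypted address.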
  #27  
Old 03-04-2020, 20:38
0xall0c
Friend
Join Date: Mar 2018
Posts: 67
Is 0x4c00000 the OEP?
  #28  
Old 03-05-2020, 19:12
0xall0c
Friend
Join Date: Mar 2018
Posts: 67
My progress till now in Python for x64dbg:


Code:
# x64dbgpy script (the plugin exposes a Python 2 API)
from x64dbgpy import pluginsdk
from x64dbgpy.pluginsdk._scriptapi import module
from x64dbgpy.pluginsdk._scriptapi import memory
from x64dbgpy.pluginsdk._scriptapi import pattern
from x64dbgpy.pluginsdk._scriptapi import register

# Byte pattern of the routine whose result lands in eax:
#   B? ?? ?? ?? ??   mov r32, imm32
#   E8 ?? ?? 00 00   call rel32
#   0F B6 ?? ??      movzx (offset +10 from the start of the match)
#   5? 5?            pop / pop
#   C2 10 00         ret 10h
PEP_425_REG = "B? ?? ?? ?? ?? E8 ?? ?? 00 00 0F B6 ?? ?? 5? 5? C2 10 00"

# Run past the start-up breakpoints, then stop once at CompareStringW
addr = pluginsdk.RemoteGetProcAddress('kernel32.dll', 'CompareStringW')
pluginsdk.Run()
pluginsdk.Run()
pluginsdk.SetBreakpoint(addr)
pluginsdk.Run()
pluginsdk.DeleteBreakpoint(addr)

# Locate the routine in the main module (FindMem returns 0 on a miss)
pattern_location = pattern.FindMem(module.GetMainModuleBase(),
                                   module.GetMainModuleSize(), PEP_425_REG)
if not pattern_location:
    raise RuntimeError("PEP_425_REG pattern not found in main module")

# +10 = the movzx (0F B6) that sets eax
setEaxAddress = pattern_location + 10

pluginsdk.SetHardwareBreakpoint(setEaxAddress, pluginsdk.HardwareType.HardwareExecute)
pluginsdk.Run()  # first hit

# called 14 times, if ebp-1 set to 0
# (the first hit was consumed by the Run() above; zero the byte at ebp-1
# on each of the following hits and let the target continue)
for i in range(13):
    memory.WriteByte(register.GetEBP() - 1, 0)
    pluginsdk.Run()

pluginsdk.DeleteHardwareBreakpoint(setEaxAddress)

# now it will jump to oep 0x4c0000
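The script above relies on an x64dbg wildcard pattern and then trusts that `pattern_location + 10` is the movzx. As an added example (not part of the poster's script, and not x64dbg's own code), here is a stand-alone Python model of the matching rules that `pattern.FindMem` applies, with both full-byte `??` and nibble `5?`/`?5` wildcards, run against a constructed byte string shaped like the routine the pattern targets. The sample bytes, the `movzx eax, byte ptr [ebp-1]` encoding chosen for them, and the `breakpoint_target` helper are assumptions made here for illustration; only the pattern string comes from the post.

```python
"""Stand-alone model of the x64dbg wildcard pattern used in the script above.

Added example, not part of the poster's script and not x64dbg's own code.
It reproduces the matching rules of x64dbg byte patterns (full-byte '??'
and nibble '5?'/'?5' wildcards) on an in-memory byte string, so the +10
offset and the hardware-breakpoint target can be checked offline.
The sample bytes below are constructed here, not dumped from the target.
"""

PEP_425_REG = "B? ?? ?? ?? ?? E8 ?? ?? 00 00 0F B6 ?? ?? 5? 5? C2 10 00"


def parse_pattern(pattern: str):
    """Turn 'B? ?? 0F' into a list of (value, mask) byte pairs.

    Set mask bits mark nibbles that must match; a '?' nibble gets mask 0.
    """
    out = []
    for tok in pattern.split():
        if len(tok) != 2:
            raise ValueError("bad pattern token %r" % tok)
        value = mask = 0
        for shift, ch in ((4, tok[0]), (0, tok[1])):
            if ch != "?":
                value |= int(ch, 16) << shift
                mask |= 0xF << shift
        out.append((value, mask))
    return out


def find_pattern(buf: bytes, pattern: str, start: int = 0) -> int:
    """Offset of the first match in buf, or -1 (x64dbg's FindMem reports a
    miss as 0, which is why the script's result must be checked before use)."""
    pat = parse_pattern(pattern)
    n = len(pat)
    for i in range(start, len(buf) - n + 1):
        if all((buf[i + j] & m) == v for j, (v, m) in enumerate(pat)):
            return i
    return -1


# Constructed bytes shaped like the tail the pattern describes. The movzx is
# encoded as `movzx eax, byte ptr [ebp-1]` (0F B6 45 FF) purely as an
# assumption for this sample; the real operand is hidden by the '?? ??'.
SAMPLE = bytes.fromhex(
    "90 90"                 # padding before the match
    "BE 00 10 40 00"        # B? ?? ?? ?? ??   mov esi, 0x401000
    "E8 12 34 00 00"        # E8 ?? ?? 00 00   call rel32
    "0F B6 45 FF"           # 0F B6 ?? ??      movzx eax, byte ptr [ebp-1]
    "5E 5D"                 # 5? 5?            pop esi / pop ebp
    "C2 10 00"              # C2 10 00         ret 0x10
    "CC"                    # trailing int3
)

MOVZX_OFFSET = 10  # the script's `pattern_location + 10`


def breakpoint_target(buf: bytes):
    """Where the script would place its execute breakpoint, plus the two
    opcode bytes found there, so the +10 assumption can be verified.
    Returns None when the pattern is absent instead of computing 0 + 10."""
    hit = find_pattern(buf, PEP_425_REG)
    if hit < 0:
        return None
    at = hit + MOVZX_OFFSET
    return at, buf[at:at + 2]
```

Running `breakpoint_target` on a dump of the main module before touching the debugger is a cheap way to confirm that the two bytes at `+10` really are `0F B6`; if the pattern is absent, the original script would silently set a hardware breakpoint at address 10.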
  #29  
Old 03-06-2020, 02:22
0xall0c
Friend
Join Date: Mar 2018
Posts: 67
Quote:
Originally Posted by evlncrn8
And what's the value of the byte @ ebp-1? That seems somewhat critical.
Yes, it was. Can you give some more hints?
  #30  
Old 03-06-2020, 02:35
0xall0c
Friend
Join Date: Mar 2018
Posts: 67
The previous OEP is wrong; I am very sure it is 0x004BF9C0, but it still contains all 0s. It's hard!
All times are GMT +8.