
Reverse Engineering

This topic is 4711 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

If you intended to correct an error in the post then please contact us.


I'm not sure if I just made a mistake last time I posted this, or if it was deleted by the mods (whom I PMed, but no reply). So I apologize if this was deleted...

****** DISCLAIMER ********** I AM NOT DOING THIS TO PIRATE SOFTWARE. I DO NOT BELIEVE IN PIRATING SOFTWARE. I AM DOING THIS FOR MY OWN INTEREST. ***************************

OK, so I'm learning how to disassemble and modify code (cracking code) out of a personal interest, a way to help me learn assembly, learning how programs work at a low level, how to protect programs, etc. NOTE: I'm practicing with programs *I* write.

So I have a decompiler, IDA Pro, which I decompile a program with. One of my test programs just checks for a serial number, and when I decompile it, I find two conditional jumps that I want to get rid of. These two jumps go to the "This is an invalid code" part. I.e., I want to change the jz to a nop so it's just passed over. I'm not sure if this would work, but time will tell :P

Now, any of the essays I've found on the subject say to modify the data using a hex editor. Well, I have 2 of them, and I can never find the area I'm looking for. So how do I go about modifying my program? I've tried [google], but that isn't helping. :P So what do I do now that I've found what I want to modify?

Cheers
Sigma

If you know the hex for the instructions you are looking for - or know the offset - it should mean you can just type your NOP hex codes over the ones there. HHD Hex Editor certainly applies there - I had some JPEG images once that had the header corrupted by one hex digit that had to be corrected (dodgy 3rd party JPEG converter). Also had to alter some Bluetooth drivers to work with a specific model of dongle - followed some instructions on a forum and was there.

If you ever need to get at parts of a program to extend it or get at unexposed functionality, investigate DLL injection. There are several good articles on that on CodeProject.

I'm a little concerned about the example you are using in your post though. Things about hacking serial numbers may directly affect the livelihood of people who post and read here - so if a mod did delete the post it was probably because they thought it was a bit insensitive.

Fishing pole:
#asm has some excellent links.

The Newbiez Project used to have lots of good tutorials, but sadly they've closed up shop. You can take up the search (go "Zur Seite", then tutorials, then choose a topic in the top bar).

Fish:
if you've found the offending instruction at address <a>, file offset can be calculated as follows: section_offset = a - code_section_virtual_RVA - module_load_address (0x400000 for EXE); offset = code_section_raw_data_offset + section_offset.

Addendum:
regrettably, a lot of interesting and legitimate programming knowledge is tarred by the "hacker" brush. As to someone's livelihood depending on people not knowing how to crack a simple serial protection scheme: given an opportunity, even non-kleptomaniacs can be driven to "steal". When parking a bike unattended in a rough part of town without a lock, it can be written off. Just as you want to invest in a decent bike lock to secure it, coders should know how to protect themselves. If you do not, you are better served learning how, rather than trying to prevent the inevitable spread of knowledge.

*sigh* It's a shame that morals come up every time reverse engineering is mentioned. It's not like we're providing a step-by-step instruction booklet on how to steal (or build a nuke), which would be bad - this information has valid use.

/* fixed links */

[Edited by - Jan Wassenberg on January 18, 2005 9:14:59 AM]

There is a program called "Hacker's View" - Hiew. You can use that to modify that test application thing you are talking about. You will need to know the offset of the instructions you are wanting to modify. I never used SoftIce because it failed to work for me when I had WinMe - as for XP, I do not know how you will obtain the address. However, I did use W32DASM to find the address of instructions before. You simply go to the line and at the bottom it tells you the address you need - such as:

@Offset: 00001DBA

When you open a file in Hiew you can hit F4 and choose 'decode' mode to see the assembly listing. Next you hit F5 to go to the offset. Finally you hit F3 to edit the code at that location - where you would add in the hex of the instructions - such as 90 for no-op.

I hope this helps some! Good luck in learning assembly.

- Drew

[edit] Yea _Sigma, I had replied to that post but when I submitted it the post was AWOL [lol]... it's still in my profile under recent replies [/edit]

I can understand the need to learn what you're wanting to do, purely for the purposes of ensuring that your own code is not easily hacked by others. (I work in the security industry.)
I myself have often checked that, say, database connection passwords are not visible in plain text in the compiled executable, but are instead put together from bits and pieces.
I'd still prefer not to help though, sorry, not that I have a lot to offer here anyway.

Olly debugger. Important tool for static executables.

You could learn a lot from a disassembly about software behaviour at runtime, and about the CPU. If nothing else, it would improve your assembly programming.

Re iMalc: "I can understand the need to learn what you're wanting to do, purely for the purposes of ensuring that your own code is not easily hacked by others. (I work in the security industry)"
That's a bit silly. If you work in the security industry, you know that what needs to be disassembled will be disassembled. Security by obscurity? This doesn't work too well. Also there would be a harder problem. What would happen if you lost the right to sue a violator, just because you didn't "obscure" your code?

>Fish:
if you've found the offending instruction at address <a>, file offset can be calculated as follows: section_offset = a - code_section_virtual_RVA - module_load_address (0x400000 for EXE); offset = code_section_raw_data_offset + section_offset.

What's the chance you could elaborate a bit? [grin] I have no idea what you just said.

>Next you hit F5 to goto the offset. Finally you hit F3 to edit the code at that location - where you would add in the HEX of the instructions - such as 90 for no-op.

When I try F3, it says "read only mode". Eh?
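Jan's offset formula, quoted above, carried out in code as an added example that is not from any poster in this thread: the ImageBase, section RVA and PointerToRawData it needs are read from the PE headers rather than guessed. The function names `parse_pe`, `va_to_file_offset` and `sample_pe` are hypothetical, and the header bytes in `sample_pe` are constructed for illustration, not taken from a real program.

```python
import struct
from typing import NamedTuple, Optional

class Section(NamedTuple):
    name: str
    virtual_address: int  # RVA at which the loader maps the section
    virtual_size: int
    raw_pointer: int      # PointerToRawData: where its bytes sit in the file
    raw_size: int         # SizeOfRawData

def parse_pe(pe: bytes) -> tuple[int, list[Section]]:
    """Return (ImageBase, section table) from the headers of a PE32 or PE32+ file."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    num_sections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24                      # optional header follows the COFF header
    magic, = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:                       # PE32: 4-byte ImageBase at +28
        image_base, = struct.unpack_from("<I", pe, opt + 28)
    elif magic == 0x20B:                     # PE32+: 8-byte ImageBase at +24
        image_base, = struct.unpack_from("<Q", pe, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections, off = [], opt + opt_size
    for _ in range(num_sections):            # each IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", pe, off)
        sections.append(Section(name.rstrip(b"\0").decode(), va, vsize, rptr, rsize))
        off += 40
    return image_base, sections

def va_to_file_offset(va: int, image_base: int, sections) -> Optional[int]:
    """Jan's formula: offset = PointerToRawData + (va - ImageBase - section RVA)."""
    rva = va - image_base
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + max(s.virtual_size, s.raw_size):
            delta = rva - s.virtual_address
            # bytes beyond SizeOfRawData are zero-filled at load time: nothing to edit on disk
            return s.raw_pointer + delta if delta < s.raw_size else None
    return None                              # header, inter-section gap, or unmapped address

def sample_pe() -> bytes:
    """Constructed minimal PE32 header with one .text section (not a real program)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + bytes(26) + struct.pack("<I", 0x400000) + bytes(0xE0 - 32)
    # .text: VirtualSize 0x1200, RVA 0x1000, SizeOfRawData 0x1000, PointerToRawData 0x400
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x1200, 0x1000, 0x1000, 0x400, 0, 0, 0, 0, 0x60000020)
    return dos + coff + opt + sec
```

With the constructed header, an instruction seen at 0x401DBA in the disassembler maps to file offset 0x11BA; an address in the zero-filled tail of .text or in the headers yields None, which is the case where typing over bytes in a hex editor would change nothing (or the wrong thing).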
