Reverse Engineering

Started by
6 comments, last by _Sigma 19 years, 3 months ago
I'm not sure if I just made a mistake last time I posted this, or if it was deleted by the mods (whom I PMed, but no reply). So I apologize if this was deleted...

****** DISCLAIMER **********
I AM NOT DOING THIS TO PIRATE SOFTWARE. I DO NOT BELIEVE IN PIRATING SOFTWARE. I AM DOING THIS FOR MY OWN INTEREST.
***************************

OK, so I'm learning how to disassemble and modify code (cracking code) out of a personal interest, as a way to help me learn assembly, learn how programs work at a low level, how to protect programs, etc. NOTE: I'm practicing with programs *I* write. So I have a decompiler, IDA Pro, which I decompile a program with. One of my test programs just checks for a serial number, and when I decompile it, I find two conditional jumps that I want to get rid of. These two jumps go to the "This is an invalid code" part. I.e. I want to change the jz to a nop so it's just passed over. I'm not sure if this would work, but time will tell :P

Now, any of the essays I've found on the subject say to modify the data using a hex editor. Well, I have 2 of them, and I can never find the area I'm looking for. So how do I go about modifying my program? I've tried [google], but that isn't helping. :P So what do I do now that I've found what I want to modify?

Cheers
Sigma
If you know the hex for the instructions you are looking for - or know the offset - it should mean you can just type your NOP hex codes over the ones there. With HHD Hex Editor that certainly applies - I had some jpeg images once that had the header corrupted by one hex digit that had to be corrected (dodgy 3rd party jpeg converter). I also had to alter some bluetooth drivers to work with a specific model of dongle - followed some instructions on a forum and was there.

If you ever need to get at parts of a program to extend it or get at unexposed functionality, investigate dll injection. There are several good articles on that in codeproject.

I'm a little concerned about the example you are using in your post though. Things about hacking serial numbers may directly affect the livelihood of people who post and read here - so if a mod did delete the post it was probably because they thought it was a bit insensitive.
Anything posted is personal opinion which does not in anyway reflect or represent my employer. Any code and opinion is expressed “as is” and used at your own risk – it does not constitute a legal relationship of any kind.
Fishing pole:
#asm has some excellent links.

The Newbiez Project used to have lots of good tutorials, but sadly they've closed up shop. You can take up the search (go "Zur Seite", then tutorials, then choose a topic in the top bar).

Fish:
if you've found the offending instruction at address <a>, file offset can be calculated as follows: section_offset = a - code_section_virtual_RVA - module_load_address (0x400000 for EXE); offset = code_section_raw_data_offset + section_offset.

Addendum:
regrettably, a lot of interesting and legitimate programming knowledge is tarred by the "hacker" brush. As to someone's livelihood depending on people not knowing how to crack a simple serial protection scheme: given an opportunity, even non-kleptomaniacs can be driven to "steal". When parking a bike unattended in a rough part of town without a lock, it can be written off. Just as you want to invest in a decent bike lock to secure it, coders should know how to protect themselves. If you do not, you are better served learning how, rather than trying to prevent the inevitable spread of knowledge.

*sigh* It's a shame that morals come up every time reverse engineering is mentioned. It's not like we're providing a step-by-step instruction booklet on how to steal (or build a nuke), which would be bad - this information has valid uses.

/* fixed links */

[Edited by - Jan Wassenberg on January 18, 2005 9:14:59 AM]
E8 17 00 42 CE DC D2 DC E4 EA C4 40 CA DA C2 D8 CC 40 CA D0 E8 40E0 CA CA 96 5B B0 16 50 D7 D4 02 B2 02 86 E2 CD 21 58 48 79 F2 C3
There is a program called "Hacker's View" - Hiew. You can use that to modify that test application thing you are talking about. You will need to know the offset of the instructions you are wanting to modify. I never used SoftIce because it failed to work for me when I had WinMe - same for XP, so I do not know how you will obtain the address. However, I did use W32DASM to find the address of instructions before. You simply go to the line and at the bottom it tells you the address you need - such as:

@Offset: 00001DBA

When you open a file in HIEW you can hit F4 and choose 'decode' mode to see the assembly listing. Next you hit F5 to go to the offset. Finally you hit F3 to edit the code at that location - where you would add in the hex of the instructions - such as 90 for no-op.

I hope this helps some! Good luck in learning assembly.

- Drew

[edit] Yeah _Sigma, I had replied to that post but when I submitted it the post was AWOL [lol]... it's still in my profile under recent replies [/edit]
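The address-to-file-offset formula Jan gives above, and the "find the offset, then type 90 over the instruction" procedure Drew describes for Hiew, as an added Python example (this is not code from the original thread). It reads the PE headers itself (e_lfanew, ImageBase, the section table) to map a virtual address from the disassembler to a file offset, then overwrites the conditional jump there with NOPs. The sample image is a constructed, non-runnable PE32 stub whose layout (image base 0x400000, .text at RVA 0x1000 backed by file offset 0x400, a jz planted at 0x401010 and a near jz at 0x401020) is an assumption made for the demo, not taken from any real program.

```python
"""Map a virtual address from a disassembler back to a PE file offset and
NOP out the conditional jump found there (added example, not from the thread)."""
import struct

SHORT_JCC = range(0x70, 0x80)  # 1-byte opcode + rel8: jo, jno, ..., jz = 0x74, jnz = 0x75, ...
NEAR_JCC = range(0x80, 0x90)   # 0F 8x + rel32 form of the same jumps


def parse_pe(data: bytes):
    """Return (image_base, sections) for a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                    # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                  # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    table = opt + size_opt                                # IMAGE_SECTION_HEADER[]
    for i in range(num_sections):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "vsize": vsize, "raw_size": rsize, "raw_ptr": rptr})
    return image_base, sections


def va_to_file_offset(data: bytes, va: int) -> int:
    """offset = PointerToRawData + (VA - ImageBase - section VirtualAddress)."""
    image_base, sections = parse_pe(data)
    rva = va - image_base
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            delta = rva - s["va"]
            if delta >= s["raw_size"]:   # e.g. .bss-like tail with no bytes in the file
                raise ValueError("RVA 0x%x of %s is not backed by file data" % (rva, s["name"]))
            return s["raw_ptr"] + delta
    raise ValueError("VA 0x%x is not inside any section" % va)


def nop_out_jump(data: bytes, va: int) -> bytes:
    """Return a copy of data with the Jcc at va replaced by NOPs of the same length."""
    off = va_to_file_offset(data, va)
    if data[off] in SHORT_JCC:
        length = 2                                        # e.g. 74 xx  -> 90 90
    elif data[off] == 0x0F and off + 1 < len(data) and data[off + 1] in NEAR_JCC:
        length = 6                                        # e.g. 0F 84 rel32 -> 90 x6
    else:
        raise ValueError("no conditional jump at VA 0x%x (byte 0x%02x)" % (va, data[off]))
    patched = bytearray(data)
    patched[off:off + length] = b"\x90" * length
    return bytes(patched)


def build_fake_pe() -> bytes:
    """Constructed minimal PE32 stub for the demo: one .text section at RVA 0x1000,
    file offset 0x400, ImageBase 0x400000. Headers only; it will not run."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * 0x3A) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)    # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)      # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)       # FileAlignment
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x400,
                       0, 0, 0, 0, 0x60000020)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    header += b"\0" * (0x400 - len(header))
    code = bytearray(b"\xCC" * 0x200)            # int3 filler so patches are visible
    code[0x10:0x12] = b"\x74\x0A"                # jz short +10  at VA 0x401010
    code[0x20:0x26] = b"\x0F\x84\x00\x01\x00\x00"  # jz near +0x100 at VA 0x401020
    return header + bytes(code)


if __name__ == "__main__":
    pe = build_fake_pe()
    for va in (0x401010, 0x401020):
        print("VA 0x%x -> file offset 0x%x" % (va, va_to_file_offset(pe, va)))
    patched = nop_out_jump(nop_out_jump(pe, 0x401010), 0x401020)
    print(patched[0x410:0x412].hex(), patched[0x420:0x426].hex())
```

Two things worth noticing when doing this by hand in a hex editor: a short `jz` is two bytes (`74 xx`), so it takes two `90`s, and the near form (`0F 84 rel32`) takes six; overwriting only the opcode byte leaves the displacement behind as a stray instruction. The offset you get from the formula is a file offset, which is the number Hiew's "go to" expects, not the virtual address IDA shows.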
I can understand the need to learn what you're wanting to do, purely for the purposes of ensuring that your own code is not easily hacked by others. (I work in the security industry)
I myself have often checked that say, database connection passwords are not visible in plain text in the compiled executable, but are instead put together from bits and pieces.
I'd still prefer not to help though sorry, not that I have a lot to offer here anyway.
"In order to understand recursion, you must first understand recursion."
My website dedicated to sorting algorithms
Olly debugger. Important tool for static executables.

You could learn a lot from a disassembly about software behaviour at runtime, and about the CPU. If nothing else it would improve your assembly programming.


Re iMalc "I can understand the need to learn what you're wanting to do, purely for the purposes of ensuring that your own code is not easily hacked by others. (I work in the security industry)"
That's a bit silly. If you work in the security industry, you know that whatever needs to be disassembled will be disassembled. Security by obscurity? That doesn't work too well. There would also be a harder problem. What would happen if you lost the right to sue a violator, just because you didn't "obscure" your code?
Ok, well maybe I shouldn't have used the serial example. Sorry about that :P

Thanks for the info, I'll look into that. :P
>Fish:
if you've found the offending instruction at address <a>, file offset can be calculated as follows: section_offset = a - code_section_virtual_RVA - module_load_address (0x400000 for EXE); offset = code_section_raw_data_offset + section_offset.

Whats the chance you could elaborate a bit? [grin] I have no idea what you just said.


>Next you hit F5 to goto the offset. Finally you hit F3 to edit the code at that location - where you would add in the HEX of the instructions - such as 90 for no-op.


When I try F3, it says "read only mode". eh?
