Screen Posted May 14, 2020 Share Posted May 14, 2020 Hi, I'm trying to learn about the premise and would love to follow up on the footsteps of experts and to get my hands dirty and patch a piece of software I have. If any one can send in some help this way.. would be appreciated. Thank you! ^^ Link to comment Share on other sites More sharing options...
Dodel Posted May 14, 2020 Share Posted May 14, 2020 A guide on starting out reverse engineering. https://0x00sec.org/t/re-guide-for-beginners-methodology-and-tools/2242 Link to comment Share on other sites More sharing options...
Sponpa Posted May 14, 2020 Share Posted May 14, 2020 Please do not message me. Personally I reverse things out of pure entertainment/interest/boredom. Watch some videos and read tutorials. Also watch some Malware analysis videos, like from OALab also very good content. I can give some tips about simple instructions you will likely use. Keep in mind there is not one single way to patch applications, sometimes lots of digging required (or far to complex), sometimes really easy and you will wonder why nobody has done it before you. You can enable mnemonics to help you explain what the instructions do in the disassembly view (CTRL+Shift+F1) if you don't understand what it does. Lots of patching involves these instructions inside a call, or right after a call, it's often actually that simple. Even for programs no public 'key-less' patches exist. "mov eax. 0x1" or 0x0 "mov eax, some specific value" "mov al. 0x1" or 0x0 Somewhere "xor al, al" "inc al" Top of function sometimes useful to just do that instead of patching after return of function. "xor eax, eax" "inc eax" "ret" (whatever end of call should actually return, obviously don't increase eax (inc eax) when it should actually be 0, xor eax, eax sets eax to 0) JE/JNE (and all other jumping instructions) usually replaced with whatever makes it jump (or not jump.. in which case you can also nop it out) or just "jmp". Sometimes use a jump, move a call from a nested function out, and jump directly to that call to bypass the entire nested verification stuff. You will also often encounter things like this, at the right place will unlock the doors with the right value fed "mov qword ptr ds:[register], al" "mov dword ptr ds:[register], value" Breakpoints, lots of breakpoints. Search for strings in current module, look for 'key' 'serial' 'auth' 'license' stuff like that, or warning msgs (serial is invalid etc), netapi32 (internet auth, or license re-check etc), have a website popup? look for url and bp, Intermodular calls and bp on ShellExecuteA. If something is protected really good (not same as the packing) (only garbage strings, clearly obfuscated code flow), don't bother. That requires some really good understanding if it's still doable or just a true waste of time. Free Tools you probably want: HxD (simple, free hex editor) or really any good hex editor x64dbg which you already have (GET THE PLUGINS! Like autopatchexporter) Cutter Ida Pro .-. (not very free) dnSpy for .Net applications Maybe this post was more confusing rather than useful, i don't know. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.