In this tutorial we will be cracking a registration scheme from a "real" program: a serial check. It is a 30-day trial and has a corresponding nag. In this program we will have to go a little deeper into the code to make a working crack, but it is not that hard. I assume that you know x64dbg and how to change the flags, edit the asm code, search for constants and so on; just some basic knowledge. Do I have to say "This is only for learning, so please: if you like it, pay for it!"

Remember, the best way to learn is to try to patch the program yourself first. If you do not succeed (or if you would like to see another approach), then read this tutorial. Have fun!

Tools
x64dbg (and Fiddler, if you want it)

Protection
30-day trial, nag, serial check

Investigate the Target
Nowadays I always fire up Fiddler and disconnect from the internet when investigating a target, but this time you do not have to. Run the target and you will see the splash screen. Already the program has shown the text "Evaluation Version" in two different places. Go to the "Help" menu and select "About": that is three places. Press the "Register" button and finally, in the registration form, it is shown again, so that is four places. Let us hope this is just one check that writes the text in all four places, but I doubt it. We could input some dummy info and press "Check License", but I have decided to attack the text "Evaluation Version" rather than the bad-boy message, so we don't need to.

We now know the target, so let us fire up x64dbg. I assume that you have disabled "Break on System Breakpoint" in the "Options" -> "Preferences" menu. Just run the program and it should break at the "Entry Breakpoint". Now make a string search for "Evaluation" (press the "Aa" button and enter "Evaluation"). It gives six different addresses, so let us "Set breakpoint on all commands" (by right-clicking) and run the program until it breaks at one of them.

Normally we would start by looking at the code right before this breakpoint, but look at the command just above this one: execution cannot have fallen through from it. So we did not come from the code just above, but from where then? We need to search for all references to this address. Do that by pressing Ctrl+R; after the search is completed you get the list of references. Go to that address by pressing Enter.

So is this the right place to patch? No, because if you look a little further down you see that if we do not take this jump we just get down to the line with the comment "Evaluation Version". We need to scroll up in the code. As you scroll, you see all the good things in the comments: "Single user license", "Site license" and so on. Don't let that stop you, just keep scrolling up until you reach the compare on edi. If you put a breakpoint there you will see that edi is 71 (or another number in your case) and not DB (x64dbg shows register values in hex), so the jump is taken past "Licensed to:".

Now you may think YES! We just patch it here and all is good. But no: if you patch anything here, the splash text and some of the other texts change, but not the one in the "Registration" form. That means the program still stops working after 30 days (how do I know? I tried it). We need to find where edi was changed to 71. As you can see in the screenshot, edi is not set in this routine, so we need to go to the code that called this routine. To do that, set a breakpoint here and restart the program. When it breaks, look at the return address on the stack (it always holds the address the program should return to after completing this routine) and follow it by pressing Enter. As you can see, we are now right after the call.

Now take a look at the code: where is something loaded into edi? Yes, by the command mov edi, r9d. OK, then where was r9d changed? Once again, as you can see, it is not in this routine. That is no surprise: on 64-bit Windows, r9 is the fourth integer argument register, so a value that arrives in r9d was placed there by a caller and may be passed straight through several routines. So let us once again go to the code that calls this function.
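The backward walk just described (find the instruction that writes edi, switch to tracking r9d, climb to the caller through the return address on the stack, and repeat) is what the following script automates. It is an added example written for this page, not code from the tutorial or from x64dbg. It runs over a constructed x64dbg-style listing with made-up addresses, routine names and a hypothetical GetLicenseState function, and the return addresses are supplied by hand exactly as you would read them off the stack window. It generalizes a little beyond the text: register copies are followed through any number of routines, a call is recognized as the origin of a value in rax, and a Ctrl+R-style cross-reference lookup is included.

```python
"""Backward register trace over an x64dbg-style listing (added example).

The listing, addresses and routine layout below are constructed for this
example and are not taken from the tutorial's target program.
"""

# A write to any part of a register (edi, di, dil) counts as a write to it.
ALIASES = {
    "rax": {"rax", "eax", "ax", "al"}, "rcx": {"rcx", "ecx", "cx", "cl"},
    "rdx": {"rdx", "edx", "dx", "dl"}, "rdi": {"rdi", "edi", "di", "dil"},
    "rsi": {"rsi", "esi", "si", "sil"}, "r8": {"r8", "r8d", "r8w", "r8b"},
    "r9": {"r9", "r9d", "r9w", "r9b"}, "r10": {"r10", "r10d"}, "r11": {"r11", "r11d"},
}
CALL_CLOBBERS = {"rax", "rcx", "rdx", "r8", "r9", "r10", "r11"}  # Win64 volatile regs
COPY_OPS = {"mov", "movzx", "movsx", "movsxd"}                    # dest := src unchanged
OTHER_WRITERS = {"lea", "xor", "add", "sub", "and", "or", "imul", "pop",
                 "inc", "dec", "neg", "not", "shl", "shr", "sar"}


def canon(reg):
    """edi -> rdi, r9d -> r9; None for anything that is not a tracked register."""
    return next((full for full, parts in ALIASES.items() if reg in parts), None)


def parse(text):
    """'mov edi, r9d' -> ('mov', ['edi', 'r9d']), everything lower-cased."""
    mnem, _, rest = text.strip().partition(" ")
    return mnem.lower(), ([o.strip().lower() for o in rest.split(",")] if rest else [])


def routine_of(entries, addr):
    """Entry address of the routine containing addr (largest entry <= addr)."""
    return max(e for e in entries if e <= addr)


def xrefs_to(listing, target):
    """Ctrl+R equivalent: addresses of every call/jump whose operand is target."""
    hits = []
    for addr, text in listing.items():
        mnem, ops = parse(text)
        if (mnem == "call" or mnem.startswith("j")) and ops and ops[0] == f"{target:x}":
            hits.append(addr)
    return sorted(hits)


def trace_register(listing, entries, start, reg, return_stack):
    """Find the instructions that produced reg's value at `start`.

    return_stack: return addresses read from the stack window, innermost first.
    Returns ([(addr, instr), ...], explanation).
    """
    addrs, reg, stack = sorted(listing), canon(reg), list(return_stack)
    current, idx, steps = routine_of(entries, start), addrs.index(start) - 1, []
    while True:
        if idx < 0 or routine_of(entries, addrs[idx]) != current:
            # Top of the routine reached without a writer: the value came from the caller.
            if not stack:
                return steps, f"{reg} enters {current:X} from an unknown caller"
            ret_addr = stack.pop(0)
            call_idx = addrs.index(ret_addr) - 1          # instruction just before it
            if parse(listing[addrs[call_idx]])[0] != "call":
                raise ValueError(f"{ret_addr:X} is not preceded by a call")
            current, idx = routine_of(entries, ret_addr), call_idx - 1  # skip the call itself
            continue
        addr, text = addrs[idx], listing[addrs[idx]]
        mnem, ops = parse(text)
        if mnem == "call" and reg in CALL_CLOBBERS:
            steps.append((addr, text))
            what = "the return value of" if reg == "rax" else "volatile across"
            return steps, f"{reg} is {what} {text}"
        if mnem in COPY_OPS | OTHER_WRITERS and ops and canon(ops[0]) == reg:
            steps.append((addr, text))
            src = canon(ops[1]) if len(ops) > 1 else None
            if mnem in COPY_OPS and src:
                reg = src                                 # keep following the copy chain
            elif mnem == "xor" and src == reg:
                return steps, f"{reg} is zeroed at {addr:X}"
            else:
                return steps, f"{reg} is computed at {addr:X}: {text}"
        idx -= 1


# Constructed listing in the shape the tutorial walks through: the leaf routine
# compares edi with DB, edi comes from r9d, r9d passes untouched through one
# caller and is set from a hypothetical GetLicenseState return value two levels up.
ENTRIES = {0x140001000, 0x140002000, 0x140003000}
LISTING = {
    0x140001000: "sub rsp, 28",            # top routine (constructed)
    0x140001004: "call 140004000",         # hypothetical GetLicenseState
    0x140001009: "mov r9d, eax",           # license state -> 4th argument
    0x14000100C: "mov rdx, rbx",
    0x14000100F: "mov rcx, rsi",
    0x140001012: "call 140002000",
    0x140001017: "add rsp, 28",
    0x14000101B: "ret",
    0x140002000: "sub rsp, 28",            # middle routine: r9d untouched
    0x140002004: "mov rcx, rdx",
    0x140002007: "call 140003000",
    0x14000200C: "add rsp, 28",
    0x140002010: "ret",
    0x140003000: "push rdi",               # leaf routine: where we first break
    0x140003001: "mov edi, r9d",
    0x140003004: "cmp edi, DB",
    0x140003007: "jne 140003020",          # not DB -> skip "Licensed to:"
    0x140003009: "lea rcx, [rip+6100]",    # "Licensed to:"
    0x140003020: "lea rcx, [rip+6120]",    # "Evaluation Version"
    0x140003027: "pop rdi",
    0x140003028: "ret",
}
STACK = [0x14000200C, 0x140001017]         # return addresses seen at the cmp

if __name__ == "__main__":
    steps, why = trace_register(LISTING, ENTRIES, 0x140003004, "edi", STACK)
    for addr, text in steps:
        print(f"{addr:X}  {text}")
    print(why)
    print("callers of the leaf:", [f"{a:X}" for a in xrefs_to(LISTING, 0x140003000)])
```

On this constructed listing the script reports mov edi, r9d, then mov r9d, eax, then call 140004000: the value being compared is the return value of a function two levels above the routine that picks the text, which is the situation where patching the jne in the leaf only changes some of the four places. Note that it does not see through memory (a load from [rbp-14] or a global stops the trace), which is where you go back to the debugger and set a hardware breakpoint on that address.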