Reversing : The Hacker's Guide to Reverse Engineering
This transformation can be improved upon in several different ways, depending on how much performance and code size you’re willi ...
004010C2 cmp ebp,3
004010C5 ja 004010E8
004010C7 add ecx,14h
004010CA jmp 004010A3
004010CC mov ebx,edi
004010CE sub ecx,14h
004 ...
because the analyzer must determine how memory modifications performed through one pointer would affect the data accessed using ...
Interleaving Code Code interleaving is a reasonably effective obfuscation technique that is highly potent, yet can be quite cost ...
Notice how each function segment is followed by an opaque predicate that jumps to the next segment. You could theoretically use ...
meanings of variable values will not be immediately clear. Changing the encoding of a variable can mean all kinds of different ...
Cracking is the “dark art” of defeating, bypassing, or eliminating any kind of copy protection scheme. In its original form, ...
but you won’t be cracking real copy protections. That would not only be illegal, but also immoral. Instead, I will be demonstr ...
Figure 11.2 KeygenMe-3’s invalid serial number message. Unfortunately for crackers, sophisticated protection schemes typically a ...
This view immediately tells you the Key4.exe is a “lone gunner,” apparently with no extra DLLs other than the system DLLs. You ...
Figure 11.5 Imports and exports for Key4 (from OllyDbg). At the moment, you’re interested in the Import entry titled USER32. Mes ...
The first entry brings you to the About message box (from looking at the message text in OllyDbg). The second brings you to a pa ...
this case, you’re not interested in ever getting to the error message at Key4.00401358, so you completely eliminate the jump fro ...
Figure 11.8 KeygenMe-3’s success message box. Keygenning You may or may not have noticed it, but KeygenMe-3’s success message wa ...
challenge, where the protected program takes the volume serial number and the username and generates a challenge, which is just ...
004012D3 CALL <JMP.&USER32.GetDlgItemTextA> ; GetDlgItemTextA
004012D8 CMP EAX,0
004012DB JE SHORT Key4.004012DF
00401 ...
0040138E CALL <JMP.&KERNEL32.lstrlenA> ; lstrlenA
00401393 PUSH EBX
00401394 XOR EBX,EBX
00401396 MOV ECX,EAX
00401398 ...
Notice that the line that accesses this address is only using a single byte, and not whole DWORDs, so in reality the program is ...
SUB EBX, EDX
IMUL EBX, EDX
MOV ESI, EBX
SUB EBX, EAX
ADD EBX, 0x4353543
ADD ESI, EBX
XOR ESI, EDX
MOV EAX, 4
mov edx, 0x65
DEC E ...
The resulting serial number appears to be 580695444. You can run KeygenMe-3 (the original, unpatched version), and type “John ...