Themida HWID mismatch: this works if you have a license for a different HWID.
Under Windows 7 there is no API emulation!

1. VirtualAlloc API emulation (Windows XP): search for the kernel32.VirtualAlloc bytes in memory:

```
558BECFF7514FF7510FF750CFF75086AFFE8????????5DC21000
```

VirtualAlloc is shadowed; actually the whole kernel32 is copied to a memory block. Those patterns are also found under kernel32.VirtualProtect:

```asm
00C18EF1 8BFF           MOV EDI,EDI
00C18EF3 55             PUSH EBP
00C18EF4 8BEC           MOV EBP,ESP
00C18EF6 FF75 14        PUSH DWORD PTR SS:[EBP+14]
00C18EF9 FF75 10        PUSH DWORD PTR SS:[EBP+10]
00C18EFC FF75 0C        PUSH DWORD PTR SS:[EBP+C]
00C18EFF FF75 08        PUSH DWORD PTR SS:[EBP+8]
00C18F02 6A FF          PUSH -1
00C18F04 E8 09000000    CALL 00C18F12
00C18F09 5D             POP EBP
00C18F0A C2 1000        RETN 10
```

Set a breakpoint on the VirtualAlloc emulation; into the allocated memory it should write the next pattern (see 2.).

2. When 00C18F0A is reached, note the allocated address; in that block you should search for the next pattern. Do `bp kernel32.LoadLibraryA` and search for:

```
B8010000008985????????C785
```

You could also run the program, search memory for the previous pattern, then set a breakpoint on execute and restart OllyDbg. You should see something like this:

```asm
005EB812 B8 01000000              MOV EAX,1
005EB817 8985 7D217C0C            MOV DWORD PTR SS:[EBP+C7C217D],EAX
005EB81D C785 35107C0C 01000000   MOV DWORD PTR SS:[EBP+C7C1035],1
```

The address at 005EB81D holds the HWID mismatch; break on write to that. This should be patched to 02; the 01 value means HWID mismatch!

or:

```asm
6730E9D0 B8 01000000              MOV EAX, 0x1
6730E9D5 8985 F8299517            MOV DWORD PTR SS:[EBP+0x179529F8], EAX
6730E9DB C785 E451AD17 54DAF501   MOV DWORD PTR SS:[EBP+0x17AD51E4], 0x1F5DA54 // this holds HWID mismatch
6730E9E5 C785 4D209517 FFFFFFFF   MOV DWORD PTR SS:[EBP+0x1795204D], -0x1
6730E9EF C785 74E3AF17 FFFFFFFF   MOV DWORD PTR SS:[EBP+0x17AFE374], -0x1
6730E9F9 C785 87219517 FFFFFFFF   MOV DWORD PTR SS:[EBP+0x17952187], -0x1
6730EA03 C785 D8379517 FFFFFFFF   MOV DWORD PTR SS:[EBP+0x179537D8], -0x1
6730EA0D C785 5093AD17 FFFFFFFF   MOV DWORD PTR SS:[EBP+0x17AD9350], -0x1
6730EA17 C785 3C189517 FFFFFFFF   MOV DWORD PTR SS:[EBP+0x1795183C], -0x1
6730EA21 C785 6FD6B617 FFFFFFFF   MOV DWORD PTR SS:[EBP+0x17B6D66F], -0x1
6730EA2B C785 EF179517 FFFFFFFF   MOV DWORD PTR SS:[EBP+0x179517EF], -0x1
6730EA35 C785 A60DAF17 FFFFFFFF   MOV DWORD PTR SS:[EBP+0x17AF0DA6], -0x1
6730EA3F 83BD 982A9517 00         CMP DWORD PTR SS:[EBP+0x17952A98], 0x0
6730EA46 0F85 27000000            JNZ 6730EA73
6730EA4C 83BD 202C9517 00         CMP DWORD PTR SS:[EBP+0x17952C20], 0x0
6730EA53 0F85 1A000000            JNZ 6730EA73
```

We set a breakpoint on write to memory from 6730E9D5. We start with the bad value (0x1F5DA54); it writes the good value `[68D241F8] = 53DDC72F`, then writes the bad value (0x1F5DA54). This writes the bad value; anyway, this writes more values.

Original instructions:

```asm
69D7B22F 8B36   MOV ESI,DWORD PTR DS:[ESI]
69D7B231 893E   MOV DWORD PTR DS:[ESI],EDI
69D7B233 09F7   OR EDI,ESI
```

Free spot at:

```asm
10707001 0000   ADD BYTE PTR DS:[EAX],AL
```

Change at 1036B22F to:

```asm
1036B22F /E9 CDBD3900   JMP 10707001
1036B234 |90            NOP
```

At the free spot change to:

```asm
10707001 81FF 54DAF501   CMP EDI,0x1F5DA54
10707007 75 05           JNZ SHORT 1070700E
10707009 BF 2FC7DD53     MOV EDI,0x53DDC72F
1070700E 8B36            MOV ESI,DWORD PTR DS:[ESI]
10707010 893E            MOV DWORD PTR DS:[ESI],EDI
10707012 09F7            OR EDI,ESI
10707014 ^ E9 1B42C6FF   JMP 1036B234
10707019 90              NOP
```

10707001 to:

```
81 FF 54 DA F5 01 75 05 BF 2F C7 DD 53 8B 36 89 3E 09 F7 E9 1B 42 C6 FF 90
```