Safengine Licensor change HWID
Posted by CodeRipper, 12-02-2019, 02:40 PM

Safengine Licensor change HWID:

Target:
https://forum.tuts4you.com/topic/38372-safengine-licensor-2370/


Search for the "RegQueryValueExA" ASCII string.
Ignore the first find; you should find something like this:
0048EA54 E8 11000000 CALL 0048EA6A
0048EA59 52 65 67 51 7>ASCII "RegQueryValueExA"
0048EA69 00 ASCII 0
RegQueryValueExA ASCII string followed by:
0048EA6A ^\EB B8 JMP SHORT 0048EA24
Follow that jump! Set a breakpoint at 0048EA24 (not a hardware breakpoint, since those are checked!)
0048EA24 50 PUSH EAX
0048EA25 E8 4E4DFEFF CALL 00473778
0048EA2A ^ E9 11F7FFFF JMP 0048E140
0048EA2F 9D POPFD
0048EA30 C3 RETN

Decode HWID: base64 to hex string:
https://cryptii.com/pipes/base64-to-hex
Valid HWID:
yK/BrQAICAAgD2AA2MyMnr+9Bgdm51d1JTiyJQ==
=>
c8 af c1 ad 00 08 08 00 20 0f 60 00 d8 cc 8c 9e bf bd 06 07 66 e7 57 75 25 38 b2 25
c8afc1ad00080800200f6000d8cc8c9ebfbd060766e757752538b225

My own HWID:
yK/BrQAIAgBiDxAAnKYN5LcQBgc4mIr0fxNT1A==
=>
c8 af c1 ad 00 08 02 00 62 0f 10 00 9c a6 0d e4 b7 10 06 07 38 98 8a f4 7f 13 53 d4
c8afc1ad00080200620f10009ca60de4b710060738988af47f1353d4

When the 0048EA24 breakpoint is reached, do "Execute till return" (Ctrl+F9)
twice until you reach this:
00525509 E8 F0000000 CALL 005255FE
0052550E AC LODS BYTE PTR DS:[ESI]
0052550F BF 8631503B MOV EDI, 0x3B503186
00525514 F3: PREFIX REP:
Set a breakpoint at 00525509:
The second time 00525509 is executed it will write the c8afc1ad0008 value!

Search:
c8afc1ad0008
found in two places:

0012E488 C8 AF C1 AD 00 08 02 00 62 0F 10 00 00 01 02 03
0012E498 04 05 06 07 38 98 8A F4 7F 13 53 D4
D4 is the last byte

0012E50C C8 AF C1 AD 00 08 02 00 62 0F 10 00 00 01 02 03
0012E51C 04 05 06 07 38 98 8A F4 7F 13 53 D4
D4 is the last byte

Those two values are stored on the stack.

I've created an Olly script which checks the bytes at 12E4A3 and 12E527 for the D4 value;
it is called SL_OllyScript_BreakWhenFound.txt
1. First, set a breakpoint at 0048EA24 50 PUSH EAX
2. You have to set a breakpoint on write (byte) on the 12E4A3 and 12E527 bytes
3. Run the SL_OllyScript_BreakWhenFound.txt script
4. When it breaks, you should change the second location 0012E50C with your own HWID.
Attached Files
File Type: txt SL_OllyScript_BreakWhenFound.txt (177 Bytes, 6 views)
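
The decode-and-compare step from the post, as an added example that is not part of the original post or its attached script: it decodes the two HWID strings and the stack dump quoted above and reports which byte offsets differ. The function names are illustrative, and the 28-byte length check is an assumption drawn only from these two samples.

```python
import base64

# HWID strings copied from the post above.
VALID_HWID = "yK/BrQAICAAgD2AA2MyMnr+9Bgdm51d1JTiyJQ=="
OWN_HWID = "yK/BrQAIAgBiDxAAnKYN5LcQBgc4mIr0fxNT1A=="
# Stack buffer at 0012E50C as dumped in the post (28 bytes).
STACK_DUMP = bytes.fromhex(
    "C8AFC1AD00080200620F100000010203"
    "0405060738988AF47F1353D4"
)

def decode_hwid(text):
    """Strictly base64-decode a HWID string; reject malformed input."""
    raw = base64.b64decode(text, validate=True)
    if len(raw) != 28:  # assumption: both samples on the page are 28 bytes
        raise ValueError(f"unexpected HWID length {len(raw)}")
    return raw

def common_prefix(a, b):
    """Bytes shared by both blobs starting at offset 0."""
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return a[:n]

def diff_runs(a, b):
    """Return inclusive (start, end) offset ranges where a and b differ."""
    runs, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            runs.append((start, i - 1))
            start = None
    if start is not None:
        runs.append((start, min(len(a), len(b)) - 1))
    return runs

if __name__ == "__main__":
    valid, own = decode_hwid(VALID_HWID), decode_hwid(OWN_HWID)
    print("valid :", valid.hex(" "))
    print("own   :", own.hex(" "))
    print("shared prefix       :", common_prefix(valid, own).hex())
    print("valid vs own differ :", diff_runs(valid, own))
    print("stack vs own differ :", diff_runs(STACK_DUMP, own))
```

Both samples share the 6-byte prefix c8afc1ad0008, the pattern the post searches memory for, and the stack copy differs from the final HWID only at offsets 12 to 17.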