Themida HWID mismatch patch part2
Themida HWID mismatch patch (part1): http://www.reteam.org/board/showthread.php?t=7459

This time we let the "locked to different machine" message run; we set a breakpoint at the end of MessageBoxExW:

    76DA29DA C2 1400 RETN 0x14

We click OK on the message, it breaks, we return from it and we see the return address from Section=.winlice.

We click that address and we choose Search for -> Sequence of commands (Ctrl+S); we enter this:

    mov r32,[r32]
    cmp [r32],r32
    PUSHFD

We set a breakpoint on all found addresses at cmp [r32],r32. We found something like:

    0133B1BF 8B09 MOV ECX,DWORD PTR DS:[ECX]
    0133B1C1 3901 CMP DWORD PTR DS:[ECX],EAX
    0133B1C3 9C PUSHFD
    0133B1C4 81E2 24000000 AND EDX,0x24

On the first breakpoint we notice the value of the EAX register as 7AC7A65D; we execute the cmp instruction and we set ZF to 1 by double click. As this time we won't change anything until a new message is shown; after we click OK once again on the message we notice the value of the EAX register as 7AC7A65D, we execute the cmp instruction and we set ZF to 1 by double click.

And the program runs; we set a breakpoint on memory on the code section for finding the OEP.