Title: Crack 1stOpt v1.5 Demo
Easily tracing Keygen 1stOpt v1.0
[Author]: winndy
[Contact information]:
You can type the path into the text box from the keyboard; after the run, the result file and the parameter file are saved under that path. But if you click the file button next to the box, the path cannot be set in either text box. This is also true for the official registered version, so it appears to be a bug.
Since 1stOpt v1.5 behaves like this, why not fix the bug ourselves.
0068F47A mov edx, [ebp-38]
0068F47D pop eax
0068F47E call 00404910; D7.System.@LStrCmp
0068F483 jnz short 0068F4D6
0068F485 push 0
0068F487 push 0068F5E8; "file"
0068F48C lea edx, [ebp-44]
0068F48F mov eax, ebx
0068F491 call 0046CC0C
0068F496 push dword ptr [ebp-44]
0068F499 push 0068F62C; "it has been used to save the result file. Please try another file name!"
0068F49E lea eax, [ebp-40]
0068F4A1 mov edx, 3
0068F4A6 call 004048C0
0068F4AB mov eax, [ebp-40]; |
0068F4AE mov cx, [68F620]; |
0068F4B5 xor edx, edx; |
0068F4B7 call 0046E8C0; 1stOpt_u.0046E8C0
0068F4BC jmp short 0068F4D6
0068F4BE lea edx, [ebp-48]
0068F4C1 mov eax, ebx
0068F4C3 call 0046CC0C
0068F4C8 mov edx, [ebp-48]
0068F4CB mov eax, [esi + 5C8]
0068F4D1 call 0044540C; D7.Controls.TControl.SetText(TControl;TCaption);
0068F4D6 xor eax, eax
The key is here: 0068F483 jnz short 0068F4D6
It jumps to 0068F4D6, skipping the TControl.SetText call above.
The comparison at 0068F47E checks whether the result file name is the same as the parameter file name.
The modification is to make the jump go to 0068F4BE instead:
0068F483 jnz short 0068F4BE
Save, run, OK!
The machine code of jnz short 0068F4D6 is 75 51.
The machine code of jnz short 0068F4BE is 75 39.
Changing a single byte is enough.
In 1stOpt v1.0:
006849C2 call 00404910; D7.System.@LStrCmp
006849C7 jnz short 00684A1A; change to jump to 00684A02
[Omitted…]
00684A02 lea edx, [ebp-48]
00684A05 mov eax, ebx
[Omitted…]
00684A15 call 0044540C
00684A1A xor eax, eax
The machine code at 006849C7 is changed from 75 51 to 75 39.
It's easy, just one byte. Next we will learn how to apply an inline patch to v1.0; the simpler the case, the better it is for getting started.
The entry point of v1.0 after unpacking is
006C0608> $55 push ebp
Base Address: 00400000.
006C0608-00400000 = 002C0608
Use UltraEdit to open 1stopt.exe and search for 08 06 2C 00; there is only one match.
0010c4d2h: 08 06 2C 00 ;..,.
Change it to 0077114B (where the patch code will be placed) - 00400000 = 0037114B:
0010c4d2h: 4B 11 37 00 ;..,.
Three bytes change. After the program is decompressed, it will first jump to the patch location 0077114B.
Then, change the machine code at 006849C7 from 75 51 to 75 39.
Then jump to the original entrance 006C0608.
Write the following assembly in the unpacked v1.0 file and read off the machine code:
0077114B C605 C8496800 39 mov byte ptr [6849C8], 39
00771152 68 08066C00 push 006C0608
00771157 C3 retn
Write the above machine code at the raw offset corresponding to RVA = 0077114B - 00400000 (ImageBase) = 0037114B.
Open 1stopt.exe with LordPE and you can see that 002C06D0 is in the .aspack section.
The .aspack section has VOffset 00371000, VSize 00002000, ROffset 0010C400, and RSize is
Roffset = (0037114B-00371000) + 0010C400 = 0010C54B
It can be verified using LordPE FLC.
Use UltraEdit to jump to offset 0010C54B and write the machine code above:
C6 05 C8 49 68 00 39 68 08 06 6C 00 C3
Save it. The inline patch is done.
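To show how the FLC step above is computed, here is an added Python example (not from the original post and not LordPE's code) that parses PE section headers and maps an RVA to its raw file offset; the .aspack VOffset, VSize and ROffset are the values the post gives, while the .aspack RSize and the first section are constructed assumptions.

```python
# RVA -> raw file offset from PE section headers (added example).
import struct
from dataclasses import dataclass

SECTION_HEADER_LEN = 40  # sizeof(IMAGE_SECTION_HEADER)

@dataclass(frozen=True)
class Section:
    name: str
    vaddr: int   # VOffset: RVA where the section is mapped
    vsize: int   # VSize: size in memory
    raw: int     # ROffset: file offset of the section's data
    rsize: int   # RSize: bytes actually stored in the file

def parse_section_headers(blob, count):
    """Decode `count` IMAGE_SECTION_HEADER records from `blob`."""
    out = []
    for i in range(count):
        rec = blob[i * SECTION_HEADER_LEN:(i + 1) * SECTION_HEADER_LEN]
        name = rec[:8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, raw = struct.unpack_from("<IIII", rec, 8)
        out.append(Section(name, vaddr, vsize, raw, rsize))
    return out

def section_for_rva(rva, sections):
    """Section whose virtual range covers `rva`, or None."""
    for s in sections:
        if s.vaddr <= rva < s.vaddr + max(s.vsize, s.rsize):
            return s
    return None

def rva_to_raw(rva, sections):
    """The FLC calculation: raw = (rva - VOffset) + ROffset.
    Returns None when the RVA is outside every section or in the part of
    a section that exists only in memory (e.g. code a packer unpacks)."""
    s = section_for_rva(rva, sections)
    if s is None or rva - s.vaddr >= s.rsize:
        return None
    return s.raw + (rva - s.vaddr)

def make_header(name, vsize, vaddr, rsize, raw):
    """Build one raw 40-byte section-header record for the sample table."""
    return struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                       rsize, raw, 0, 0, 0, 0, 0)

# Constructed table: CODE values are invented; .aspack VOffset/VSize/ROffset
# are from the post, its RSize of 0x2000 is an assumption (the post omits it).
SAMPLE_TABLE = (make_header(b"CODE", 0x2C1000, 0x1000, 0x10C000, 0x400)
                + make_header(b".aspack", 0x2000, 0x371000, 0x2000, 0x10C400))
SECTIONS = parse_section_headers(SAMPLE_TABLE, 2)
```

With this table, the OEP RVA 002C0608 resolves to the CODE section but has no file bytes behind it, which is exactly why the post puts the patch into .aspack rather than at 006849C7 directly.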
Reference: http://www.pediy.com/bbshtml/BBS2/FORUM260.HTM
Next we will use DUP to make a patcher.
DUP is easy to use. You can also use aPE to apply an inline patch.
[Experience Summary]:
1. Although 1stOpt v1.5 is a demo, the code for these basic functions should not differ between v1.0 and v1.5, so the code from v1.0 can be ported directly to v1.5. Fortunately, when fixing the calls, every function used by 1.5 could be found in 1.0, mainly by matching the function's signature bytes. Otherwise I would have had to modify the import table and import other functions; that would have been exhausting and might still not be finished.
2. By tracing back to the source, find the core of the file encryption, which turned out to be HKStreams. That way the effort goes into analyzing the registration mechanism of Auto2Fit v3.0 instead of reversing HKStreams, which is an open-source component. Had I instead tried to analyze the Blowfish and LHA algorithms inside HKStreams, I would not have got anywhere. This is also an idea that starts from the overall picture and reflects code reuse. In addition, programming experience helps reverse engineering a lot. As "I want" of DFCG said, forward and reverse are never opposites.
[Thanks]: Friends of Pediy, Unpack.cn, FCG, DFCG, PYG, FST, Exetools, ARTeam, Tuts4you, and 0wei
[Fixing time]: 2006.09.21