Sync Modular - Inside a Stripped ELF - by PIrgE

Tools: reveng by zadig, hex editor, db the console debugger

The Sync Modular (sm) demo needs a registration number to enable the full functionality of the application. The demo restrictions are quite comprehensive and complex, so the approach I took was to reverse the registration process. It is apparent that the demo contains all the code for full functionality, as a reg number can be entered when the app starts. If we enter any old reg code we get an alert telling us it is invalid.

Back up the executable, run sm through reveng and search for the "invalid" alert box string. Just before the invalid reg string is pushed onto the stack for the alert function call there are a couple of obvious jumps that take us past the alert, so patch the jumps to force the validity of the reg and name entered. Run sm and enter a name and reg code - oh oh, segment violation! But this is good, as it leads us straight to the protection code.

Run db with sm as an argument. When db first starts, put a break on the second patched jump, enter the reg code and when it breaks step over the code line by line; this way you will discover which call is responsible for the segment violation. When you know the function address that is responsible, study the reveng output of that function for a call that uses a variable as the address (the address is calculated at runtime from some or all of the reg code): you will find call *%eax. Zen feeling that this is just for the reg check and nothing else, so nop this call, run sm, enter reg code and name and hey presto, registered! But not only that: registered with a proper reg number!

Replace the patched sm with your backup, and if you use Sync Modular BUY it! I leave it to the reader to discover how/where the reg is stored.
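The key-derived indirect call described above, as a constructed C illustration added here (it is not Sync Modular's code or the author's); the slot table, the byte-sum derivation and the demo key "SM-2000" are assumptions, since the write-up only says the address is computed at runtime from the reg code:

```c
#include <stdio.h>
#include <stdint.h>

/* Constructed illustration (not Sync Modular's code) of a registration
 * check that turns the entered code into the address of the next
 * indirect call (the write-up's "call *%eax"). With the right code the
 * call lands on a real function; with a wrong one it lands on garbage
 * and the program faults, which is what the write-up observed. */

typedef int (*check_fn)(void);

static int unlock_ok(void) { return 1; }   /* the only legitimate target */

#define SLOTS 32
#define UNLOCK_SLOT 15                      /* assumed value, chosen to match the demo key */

/* Every entry is NULL except the one a valid code selects. */
static check_fn slots[SLOTS] = { [UNLOCK_SLOT] = unlock_ok };

/* Assumed derivation: byte sum of the code, reduced to a slot index.
 * The real scheme is unknown; this stands in for "some or all of the reg code". */
uint32_t key_to_slot(const char *key) {
    uint32_t h = 0;
    for (; *key; key++) h += (unsigned char)*key;
    return h % SLOTS;
}

/* As in the write-up: nothing validates the derived pointer, so a wrong
 * key calls through NULL and the process dies with a segment violation. */
int check_unguarded(const char *key) {
    return slots[key_to_slot(key)]();
}

/* Hardened form: confirm the derived pointer is the known-good target
 * before calling through it, and fail closed instead of faulting. */
int check_guarded(const char *key) {
    check_fn fn = slots[key_to_slot(key)];
    if (fn != unlock_ok) return 0;
    return fn();
}

int main(void) {
    /* "SM-2000" (constructed) sums to 399, and 399 % 32 == 15 == UNLOCK_SLOT */
    printf("SM-2000: %d\n", check_guarded("SM-2000"));   /* 1 */
    printf("BAD-KEY: %d\n", check_guarded("BAD-KEY"));   /* 0 */
    return 0;
}
```

The guard only removes the crash and the single chokepoint it advertises; it does not address the author's closing point that one check in one place is easy to find.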
The disassembly:

xxxxxxxx: 85c0           test %eax,%eax        //bad/good jump here
xxxxxxxx: 741b           je xxxxxxxx
xxxxxxxx: 6805800000     push $0x8005
xxxxxxxx: 6a2e           push $0x2e
xxxxxxxx: 8b9538ffffff   mov 0xffffff38(%ebp),%edx
xxxxxxxx: 52             push %edx
xxxxxxxx: e8b832f0ff     call 0x19d5ec
xxxxxxxx: 83c40c         add $0xc,%esp
xxxxxxxx: 6685c0         test %ax,%ax          //bad/good jump here
xxxxxxxx: 7439           je xxxxxxxx           //bad guys go here

Referenced by (conditionnal) jump(s) at Address(es): xxxxxxxx xxxxxxxx
xxxxxxxx: 6a01           push $0x1
xxxxxxxx: 89d8           mov %ebx,%eax
xxxxxxxx: 058768faff     add $0xfffa6887,%eax
Possible reference to string "SynC Modular"
xxxxxxxx: 50             push %eax
xxxxxxxx: 8b4d08         mov 0x8(%ebp),%ecx
xxxxxxxx: 89d8           mov %ebx,%eax
xxxxxxxx: 059468faff     add $0xfffa6894,%eax
Possible reference to string "The name or registration code is not valid. Make sure you "
xxxxxxxx: 50             push %eax
xxxxxxxx: 833900         cmpl $0x0,(%ecx)
xxxxxxxx: 750f           jne xxxxxxxx
xxxxxxxx: 68af020000     push $0x2af
xxxxxxxx: 6a16           push $0x16
xxxxxxxx: e88ec9e8ff     call xxxxxxxx
xxxxxxxx: 83c408         add $0x8,%esp

Referenced by (conditionnal) jump(s) at Address(es): xxxxxxxx
xxxxxxxx: 8b5508         mov 0x8(%ebp),%edx
xxxxxxxx: 8b02           mov (%edx),%eax
xxxxxxxx: 50             push %eax
xxxxxxxx: e86c8af1ff     call xxxxxxxx
xxxxxxxx: e96b010000     jmp xxxxxxxx

Referenced by (conditionnal) jump(s) at Address(es): xxxxxxxx
xxxxxxxx: 8b8d44ffffff   mov 0xffffff44(%ebp),%ecx
xxxxxxxx: 51             push %ecx
//this call goes to the function that causes the segment violation
xxxxxxxx: e87f25f0ff     call xxxxxxxx
xxxxxxxx: 8b8544ffffff   mov 0xffffff44(%ebp),%eax

/////////////////////////////////////////////////////////////////////////
//function that causes the segment violation
xxxxxxxx: 8d84027e012853 lea 0x5328017e(%edx,%eax,1),%eax
xxxxxxxx: 8b4d08         mov 0x8(%ebp),%ecx
xxxxxxxx: 51             push %ecx
//segment violation occurs next as the call attempts to reach an invalid address for this app
//this is just a check so nop it.
xxxxxxxx: ffd0           call *%eax
xxxxxxxx: 31d2           xor %edx,%edx
xxxxxxxx: 31ff           xor %edi,%edi

This is better protection than usual but not taken far enough: more checks like this, scattered within lots of functions and not identical to one another (otherwise it is just find and replace), would be more effective.

PIrgE 12/2000