#41
@Git

Nice insight. Thank you for your effort!

regards,
#42
@Git

Sorry Git, the code to put into the registry file is (0x14 cell) 0x4F01E29F --> after setting the MSb --> 0xCF01E29F. Not?

How can I find out where the descriptor array is? In my version it is something like this:

Code:
CALL lic.?ProfileId@CAtollKeyProfile@@QAEKXZ    <-- CALL 00404B10
AND EAX,3
LEA EAX,DWORD PTR DS:[EAX+EAX*8]
LEA EAX,DWORD PTR DS:[EAX*4+411198]

Thanks in advance
BR

Last edited by mantovano : 04-22-2010 at 04:20 PM. Reason: Added another question
#43
I can't tell you what value to put in cell 0x14 because I don't know what your PID is. Correct about setting the MSbit; I mentioned it in the first post and then forgot it in the next. Now corrected.

> AND EAX,3
val = PID & 3;

> LEA EAX,DWORD PTR DS:[EAX+EAX*8]
// val + val*8 = val*9
val *= 9;    // LEA is often used just to do a sum, nothing to do with pointers

> LEA EAX,DWORD PTR DS:[EAX*4+411198]
val*4 because the table has an entry every 4 bytes. Looks to me very much like it starts at 0x411198, don't you think? That is the address where the data is loaded when run. If for any reason you want to find out where it is in the file, go to that address in IDA and hover the mouse pointer over the address. The lower status bar will show the address and the file offset.

Git
#44
@Git

Am I near somewhere?

Code:
00402A68  |. 68 34944600    PUSH lic.00469434    ; |Key = "65C99B26-9A43-44B8-8B9B-4E7334F28FF7"
00402A6D  |. 68 28944600    PUSH lic.00469428    ; |Section = "AtollKey"
#45
You're near somewhere but <insert deity> knows what. What is it you are looking for exactly? I've already posted every last scrap of information you need. Try 470120. I just found that in 2 minutes by doing this:

Code:
1) Load the new lic.exe into IDA.
2) We know the first table entry is 0xE29F4F01, so do a "Search for sequence of bytes" and look for "01 4F 9F E2".
3) IDA finds one entry at 0x00470120. Jump to that address and keep hitting 'd' until the data at that address shows as dword 0E29F4F01h.
4) Hit keypad '*' to make an array. Set up as follows:
     number of elements = 36
     Items on a line    = 1
     Element width      = -1
     Use "dup" construct : NO
     Signed elements     : NO
     Display indexes     : your choice
     Create as array     : YES

While the cursor is on the address 470120, hit 'n' and give it the new name 'descriptorArray'. With the cursor on the label 'descriptorArray', now hit 'x' to find cross references to that address. IDA will find just one at 40A420. Double click the xref it found to go to that address. You should recognise that line and the two lines above it as the code to look up descriptorArray[(pid & 3)*9].

Code:
.text:0040A41A    and    eax, 3
.text:0040A41D    lea    ecx, [eax+eax*8]
.text:0040A420    mov    ebx, descriptorArray[ecx*4]

Git

Last edited by Git : 04-23-2010 at 07:21 AM.
#46
Hello Git

I did choose a PID

Code:
92b987ee

Code:
67FFC3F0

Code:
C3F067FF

so C3F067FF is the PID which should be hardcoded into the reg file. The WP, I got it when I first PVA the dng file (brute WP), and it's 5191. Anyway it's in here as well: 00407BCF. Dates will be starting 23/4/2010 and ending 31/12/2030.

Question: How to deactivate the time bomb in the reg :'(

Last edited by bassem_16 : 04-23-2010 at 12:08 PM.
#47
At word 0x0E of your reg you will find the timebomb expiration .) Change the date in your reg and restart the emul.

Do your homework again, changing the reg and giving the right algos .)
#48
@sparpacillon

I know that. I'm not talking about changing the date for the time bomb. If you go back to the images posted by Git, you will find him deactivating the check box for the time bomb (as if no time bomb exists). This should be reflected in the reg file somehow. Setting 0x0E to 00 00 won't do the trick. Any idea?
#49
@bassem16

hey!! The index starts at "0". If you set/unset the time bomb, the PID changes.

@Git

Is it sufficient if I unset the time bomb and use this PID?

Thank you Git, it is a real pleasure to find out another dimension of this stuff when illuminated by you.

Last edited by mantovano : 04-23-2010 at 01:34 PM.
#50
I absolutely know that if the time bomb is unset then the PID changes.

I want to unset it (which means unchecking the time bomb box), reflect that in the registry, and then work with the new PID.