Reverse Engineering RET Homepage RET Members Reverse Engineering Projects Reverse Engineering Papers Reversing Challenges Reverser Tools RET Re-Search Engine Reverse Engineering Forum Reverse Engineering Links

Go Back   Reverse Engineering Team Board > Reverse Engineering Board > Reverse Code Engineering
FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply
 
Thread Tools Display Modes
  #1  
Old 03-26-2012, 12:32 PM
.net .net is offline
Member
 
Join Date: Oct 2011
Posts: 35
Default New Api Srm

Hello all,

Alladin Release New API & Many function already obfuscate.
i can reverse with old api & application works smoothly.

anybody know how to get TABLE API BASE on new API ?


thanks
Reply With Quote
  #2  
Old 03-26-2012, 04:59 PM
Git Git is offline
Super Moderator
 
Join Date: Oct 2007
Location: Torino
Posts: 1,797
Default

What kind of obfuscation?. Is it the old
jz label
jnz label
...
label+1:

If so, I have an IDA script that removes mst of it.

Git
Reply With Quote
  #3  
Old 03-27-2012, 12:09 AM
.net .net is offline
Member
 
Join Date: Oct 2011
Posts: 35
Default

Looks this table from old api
Quote:
100B9C21 . 3D XXXXXX00 CMP EAX, xxxxxx ---- Serial key
100B9C26 . 74 1B JE SHORT App1.100B9C43
100B9C28 . 3D 00000000 CMP EAX, 0
100B9C2D . 74 32 JE SHORT App1.100B9C61
100B9C2F . 3D 00000000 CMP EAX, 0
100B9C34 . 74 49 JE SHORT App1.100B9C7F
100B9C36 . 3D 00000000 CMP EAX, 0
100B9C3B . 74 60 JE SHORT App1.100B9C9D
100B9C3D . 5F POP EDI
100B9C3E . E9 FB1C0000 JMP App1.100BB93E
Start of table
100B9C43 > B8 A60955CF MOV EAX, xxxxxxx
100B9C48 . AB STOS DWORD PTR ES:[EDI]
100B9C49 . B8 1E6FDE24 MOV EAX, xxxxxxx
100B9C4E . AB STOS DWORD PTR ES:[EDI]
100B9C4F . B8 2A5CBBC0 MOV EAX, xxxxxxx
100B9C54 . AB STOS DWORD PTR ES:[EDI]
100B9C55 . B8 F033A55E MOV EAX, xxxxxxx
100B9C5A . AB STOS DWORD PTR ES:[EDI]
100B9C5B . 5F POP EDI
i am difficult to get this part ?
@Git
if you have script to remove
can you send on PM.
Reply With Quote
  #4  
Old 03-27-2012, 05:53 AM
nodongle nodongle is offline
Senior Member
 
Join Date: Oct 2007
Posts: 299
Default

The tables useless for new API, even if you found them.
Reply With Quote
  #5  
Old 03-27-2012, 07:03 AM
Git Git is offline
Super Moderator
 
Join Date: Oct 2007
Location: Torino
Posts: 1,797
Default

.net - I repeat :
What kind of obfuscation?. Is it the old
jz label
jnz label

Perhaps you can show an example?

Git
Reply With Quote
  #6  
Old 03-27-2012, 09:24 AM
.net .net is offline
Member
 
Join Date: Oct 2011
Posts: 35
Default

@ Git
HASP LOGIN SCOPE
old api likes below
Quote:
sub esp, 400h
push esi
mov esi, [esp+404h+arg_4]
push esi
call sub_2009670
add esp, 4
cmp eax, 8000h
jbe short loc_2001D6D
New API
Quote:
sub esp, 400h
jz short near ptr loc_20B313D+1
but they add
jz....
JNZ...
JMP...
for new api.

so just made confuse for RE
but how find key on new API ?
Reply With Quote
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump





Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.