I’m practicing a bit of reverse engineering right now, and I came across a problem. If I copy an address from Cheat Engine and then want to jump to the same place in Ghidra, I end up in a different place. For example, 0x00429D1F is sub [ebx+4],edi in Cheat Engine and jge LAB_00429d2b in Ghidra. I have already heard that you can reset the base address in the Memory Map window and have tried it, but unfortunately it did not work. Besides, pattern scanning in Ghidra does not work for me. When I search for a certain pattern of bytes from Cheat Engine in Ghidra, Ghidra doesn't find the pattern even though it exists. Thanks in advance for any help.
Maybe you are talking about several modules, like this? CE disassembler -> View -> Enumerate DLLs and symbols
If so, then you need to import the specific module (.dll, .exe, etc.) into your project and set the base address for it.
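The mismatch in the question is what you get when the address comes from a relocated live process while Ghidra shows the file's preferred ImageBase, or when the address belongs to a different module altogether. The following is an added example (not code from the thread, Cheat Engine or Ghidra) that reads ImageBase and the section table from a PE header, maps a live address to the static address Ghidra uses by locating it in a module list of the kind "Enumerate DLLs and symbols" produces, translates the RVA to a file offset, and scans for a byte pattern with wildcards so that relocated absolute addresses embedded in the pattern do not defeat the search. The PE image, the module list and the runtime base 0xA10000 are all constructed for the example.

```python
import struct

# Constructed minimal PE32 image used as sample input (not a real binary and not
# the asker's game): DOS header with e_lfanew, "PE\0\0", COFF header, an optional
# header carrying ImageBase, and one .text section.
def build_sample_pe(image_base=0x00400000):
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew: PE header at 0x40
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)           # ImageBase (preferred load address)
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x30000, 0x1000, 0x30000, 0x400,
                       0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text


def parse_pe_headers(data):
    """Return (ImageBase, sections) read from the PE headers."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                    # PE32: 4-byte ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                  # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections, off = [], opt + opt_size
    for _ in range(num_sections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "size": max(vsize, rawsize), "raw": rawptr})
        off += 40
    return image_base, sections


def runtime_to_static(addr, modules, static_base_of):
    """Map a live address (as Cheat Engine shows it) to the address Ghidra uses.

    modules: [(name, runtime_base, size)] as listed by "Enumerate DLLs and symbols".
    static_base_of: {name: ImageBase} of the file Ghidra imported for each module.
    """
    for name, base, size in modules:
        if base <= addr < base + size:
            return name, addr - base + static_base_of[name]
    raise LookupError("0x%08x is not inside any listed module" % addr)


def rva_to_file_offset(rva, sections):
    """Translate an RVA to the offset of the same bytes in the file on disk."""
    for s in sections:
        if s["va"] <= rva < s["va"] + s["size"]:
            return s["raw"] + (rva - s["va"])
    raise LookupError("RVA 0x%x is not backed by any section" % rva)


def find_pattern(haystack, pattern):
    """Search for a byte pattern such as "8B 45 ?? ?? 83 C4"; "??" is a wildcard.
    Bytes holding relocated absolute addresses differ between the live process and
    the file on disk, so wildcard them when a pattern copied from one side is
    searched on the other. Returns the offset of the first match or -1."""
    toks = pattern.split()
    fixed = [(i, int(t, 16)) for i, t in enumerate(toks) if t != "??"]
    for pos in range(len(haystack) - len(toks) + 1):
        if all(haystack[pos + i] == b for i, b in fixed):
            return pos
    return -1


# Constructed module list in the style of Cheat Engine's enumeration: the game was
# relocated to 0xA10000 at run time, so live addresses differ from the file's
# ImageBase of 0x400000 that Ghidra shows.
SAMPLE_MODULES = [("game.exe", 0x00A10000, 0x31000), ("helper.dll", 0x10000000, 0x20000)]

if __name__ == "__main__":
    image_base, sections = parse_pe_headers(build_sample_pe())
    mod, static = runtime_to_static(0x00A39D1F, SAMPLE_MODULES, {"game.exe": image_base})
    print("%s live 0x00A39D1F -> Ghidra 0x%08X, file offset 0x%X"
          % (mod, static, rva_to_file_offset(static - image_base, sections)))
```

If the live address turns out to lie in a module other than the one imported into Ghidra, no amount of rebasing the main executable will line the two views up; import that module and set its base instead. Setting Ghidra's image base (Memory Map) to the runtime base reported for the same module makes the subtraction unnecessary, and the wildcarded scan is the reason a pattern copied out of a running process can fail against the on-disk bytes even when the code is identical.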
Background
I have used MS editors and applications for years, including Visual Studio and Office products, and got used to CTRL+Y being redo. In fact, I am so used to it doing that that I use undo (CTRL+Z) multiple times to look back on what I had just done, then CTRL+Y until I get to my last point, which has become second nature... that was until I came to Access 2007's VBA editor, which has CTRL+Y being cut line.
Now I understand that this has always been this way (and I'm sure it is useful if you're used to it) but I'm not, and apparently I am unable to correct my brain just for Access 2007 and keep losing my whole redo list by clicking it when I want to redo. :(
I have looked for a solution in help files, Google (other search engines are available, I'm sure! ;)) and even on SO, but alas I have only found other souls like me who keep wiping their redo chain and others shouting at them for not being able to just learn that's what it does. LOL I'm stuck in my ways and don't use VBA's editor often enough to adapt!
So my Question
Is it possible to either:
* Remap the CTRL+Y shortcut key in Access 2007's VBA Code editor to Redo
* Disable the CTRL+Y shortcut key in Access 2007's VBA Code editor
Both of these would solve my problem of wiping the redo chain and losing any work I had done.
From comments:
It is a while since I used MZ Tools, but they were very popular and may still be. I do not know if it will provide an answer, but it may help:
I am practicing reversing skills using OllyDbg under Windows.
There is an interactive window asking for your input, let's say a "serial number". My question is, when the user operates on the window, it is hard to locate the related data flow within the debugger window. For example, if I press "F9", we can view the instruction flow; but when inputting in the window, I can't know which instructions have been executed.
My target is to find some jump instruction and change it, so that I can bypass the correct input requirement. I think the instruction should be quite close to the instruction related to arg#, and related to the TEST command.
Looking for a hint or trick. Thanks.
One thing you could do is type something in the text field and then use an application such as Cheat Engine to find out where in memory these characters are stored. Then you can put a memory (on access) breakpoint on the address of the first character in OllyDbg. Then press the button that verifies the serial. When an instruction accesses this part of the memory it will break. You're inside a part of the code that verifies your string. Now from here you have to try to understand what the code is doing to find the instruction you want to alter.
Depending on how secure the application is, this will work. With a more secure application this most likely won't work. When you're just starting reverse engineering I suggest you find some easy applications made for cracking and work your way up to the more secure applications. A site where you can find many of these "crackmes" is crackmes.de. Also I can suggest lena151's tutorials here. Some of the best tutorials I've seen on reverse engineering.
(The story is relevant...mostly)
So I'm over at my buddy's house playing some RE5 Gold Edition, beat the game, unlock a bunch of stuff, and then I copy the save file to my memory stick so I can take it home with me.
Of course, the save is locked to his profile so I can't play it on my PS3, even though I was there beating everything with him. Lame.
So, I've got this save file sitting on my memory stick, I want to see if I can hack it to work with my profile.
I figure if I just create 2 new saves on different profiles and do nothing else, they should be identical except for the profile information. Then I just have to replace my friend's profile info with mine, and it should work, right?
So I need a tool for diff-ing these 2 binary files so I can quickly locate the parts of the file that are different. I know there are plenty of tools for text, but what about for binary?
(Actually, there are 3 files, DATA0.DAT, PARAM.PFD, and PARAM.SFO... not sure if anyone knows anything about PS3 save files, specifically for Resident Evil 5 Gold)
Don't think it's going to be possible. Apparently the save file is "protected". All it would take to prevent me from tampering with it is if they hash the contents of the data using some unknown algorithm, and then verify the hash matches up upon load. Not sure if they're doing that, but... guess it would be kind of dumb if they weren't doing something similar.
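A byte-level compare of the two saves is a few lines of code, and writing it yourself makes the "locate the differing parts" step explicit. The following is an added example, not code from the thread or from any of the tools named in the answers: it reports every run of differing bytes between two blobs as an offset plus old and new bytes, merging runs that are only a few equal bytes apart so that one changed field appears as one block, and flags a length difference. The two "save files" are constructed in the example (a profile-name field followed by identical data and a trailing 4-byte field) and are not real PS3 save data.

```python
def diff_ranges(a, b, merge_gap=4):
    """Return [(offset, old_bytes, new_bytes)] for every run of differing bytes.

    Runs separated by fewer than merge_gap equal bytes are merged so a changed
    field shows up as one block rather than as scattered single bytes. If the
    inputs differ in length, the tail is reported as a final range starting at
    the shorter input's end.
    """
    n = min(len(a), len(b))
    ranges = []
    i = 0
    while i < n:
        if a[i] == b[i]:
            i += 1
            continue
        start = i
        while i < n and a[i] != b[i]:
            i += 1
        if ranges and start - (ranges[-1][0] + len(ranges[-1][1])) < merge_gap:
            s = ranges[-1][0]                     # extend the previous block
            ranges[-1] = (s, a[s:i], b[s:i])
        else:
            ranges.append((start, a[start:i], b[start:i]))
    if len(a) != len(b):
        ranges.append((n, a[n:], b[n:]))
    return ranges


def hexdump(data):
    return " ".join("%02X" % x for x in data)


def report(a, b):
    """Human-readable lines in the style of a hex editor's compare view."""
    return ["%08X: %s -> %s" % (off, hexdump(old), hexdump(new))
            for off, old, new in diff_ranges(a, b)]


# Constructed sample layout (not the real RE5 format): 8-byte magic, 16-byte
# profile name, 32 bytes of identical game data, 4-byte trailing field.
def make_save(profile, data, trailer):
    return b"RE5SAVE\0" + profile.ljust(16, b"\0") + data + trailer

SAVE_FRIEND = make_save(b"friend", b"\x00" * 32, b"\x11\x22\x33\x44")
SAVE_MINE = make_save(b"me", b"\x00" * 32, b"\x99\x88\x77\x66")

if __name__ == "__main__":
    for line in report(SAVE_FRIEND, SAVE_MINE):
        print(line)
```

Run against two saves created the way the question describes, the output is a short list of offsets. A block near the end that changes whenever anything else in the file changes, even when only the profile field was touched, is the kind of hash or checksum the question worries about; a diff shows you that it exists but not how it is computed.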
Hex Workshop is one of the premier hex manipulation applications and it has a file compare function.
But be aware that the game may not use a straightforward data saving mechanism; you may be dealing with a custom database structure, or the data may be encrypted. Game developers typically don't make it easy to hack save files, for obvious reasons...
I thought most compare tools can do that (like Beyond Compare, which I love). For example, there is FC.exe in Windows 7 in the System folder. It compares ASCII and binaries. See http://support.microsoft.com/kb/159214 for some details.
Check out Hex Workshop. Most other hex editors out there should have this feature as well.
So I've spent the last few days looking for a way to create a simple image drawing app with wxPython, and I think the key to doing just that is understanding how to use Device Contexts. The problem is that the wxPython demo program doesn't demonstrate DCs, and the docs for both wxPython and wxWidgets don't explain as much as I'd like to know, so I've decided to try and 'reverse engineer' an existing app to see how it's done.
The first problem I have is that I don't know of any drawing apps written in wxPython (or any written in Python for that matter o.o), and the second is I don't know how I'd go about doing it. Am I right in saying that I'm going to need a copy of an application's Python source and something like Winpdb? What do professional programmers do when they find themselves in a situation like mine, needing answers that the docs don't provide?
If you need to understand the concepts, but the docs don't cut it, it's worth it to look at docs for similar APIs. In the case of drawing contexts, there are a lot of similar APIs in other languages. Java has Swing for instance.
Reverse engineering is easier in tools that aren't big event-driven GUI things. The converse is that event-driven GUI things tend to copy each other, so you only need to figure them out once or twice before they all make sense.
In the .NET world, I have Reflector as an indispensable tool.
In my company, we program SharePoint websites. There are many "gotchas" we just figure out by reverse engineering that product's assemblies, exactly because the documentation is plain wrong, just missing or simply doesn't exist.
I mean, I always wondered how the hell somebody can develop algorithms to break/cheat the constraints of legal use in many shareware programs out there.
Just for curiosity.
Apart from being illegal, it's a very complex task.
Speaking just at a theoretical level, the common way is to disassemble the program to crack and try to find where the key or the serial code is checked.
Easier said than done, since any serious protection scheme will check values in multiple places and also will derive critical information from the serial key for later use, so that when you think you guessed it, the program will crash.
To create a crack you have to identify all the points where a check is done and modify the assembly code appropriately (often inverting a conditional jump or storing constants into memory locations).
To create a keygen you have to understand the algorithm and write a program to re-do the exact same calculation (I remember an old version of MS Office whose serial had a very simple rule, the sum of the digits should have been a multiple of 7, so writing the keygen was rather trivial).
Both activities require you to follow the execution of the application in a debugger and try to figure out what's happening. And you need to know the low-level API of your operating system.
Some heavily protected applications have the code encrypted so that the file can't be disassembled. It is decrypted when loaded into memory, but then they refuse to start if they detect that an in-memory debugger has started.
In essence it's something that requires very deep knowledge, ingenuity and a lot of time! Oh, did I mention that it is illegal in most countries?
If you want to know more, Google for the +ORC Cracking Tutorials; they are very old and probably useless nowadays, but will give you a good idea of what it means.
Anyway, a very good reason to know all this is if you want to write your own protection scheme.
The bad guys search for the key-check code using a disassembler. This is relatively easy if you know how to do this.
Afterwards you translate the key-checking code to C or another language (this step is optional). Reversing the process of key-checking gives you a key-generator.
If you know assembler it takes roughly a weekend to learn how to do this. I did it just some years ago (never released anything though. It was just research for my game-development job. To write a hard-to-crack key you have to understand how people approach cracking).
Nils's post deals with key generators. For cracks, usually you find a branch point and invert (or remove the condition) the logic. For example, you'll test to see if the software is registered, and the test may return zero if so, and then jump accordingly. You can change the "jump if equals zero (je)" to "jump if not-equals zero (jne)" by modifying a single byte. Or you can write no-operations over various portions of the code that do things that you don't want to do.
Compiled programs can be disassembled and with enough time, determined people can develop binary patches. A crack is simply a binary patch to get the program to behave differently.
First, most copy-protection schemes aren't terribly well advanced, which is why you don't see a lot of people rolling their own these days.
There are a few methods used to do this. You can step through the code in a debugger, which does generally require a decent knowledge of assembly. Using that you can get an idea of where in the program copy protection/keygen methods are called. With that, you can use a disassembler like IDA Pro to analyze the code more closely and try to understand what is going on, and how you can bypass it. I've cracked time-limited Betas before by inserting NOOP instructions over the date-check.
It really just comes down to a good understanding of software and a basic understanding of assembly. Hak5 did a two-part series on the first two episodes this season on kind of the basics of reverse engineering and cracking. It's really basic, but it's probably exactly what you're looking for.
A would-be cracker disassembles the program and looks for the "copy protection" bits, specifically for the algorithm that determines if a serial number is valid. From that code, you can often see what pattern of bits is required to unlock the functionality, and then write a generator to create numbers with those patterns.
Another alternative is to look for functions that return "true" if the serial number is valid and "false" if it's not, then develop a binary patch so that the function always returns "true".
Everything else is largely a variant on those two ideas. Copy protection is always breakable by definition - at some point you have to end up with executable code or the processor couldn't run it.
For the serial number, you can just extract the algorithm and start throwing "guesses" at it and look for a positive response. Computers are powerful; usually it only takes a little while before it starts spitting out hits.
As for hacking, I used to be able to step through programs at a high level and look for a point where it stopped working. Then you go back to the last "Call" that succeeded and step into it, then repeat. Back then, the copy protection was usually writing to the disk and seeing if a subsequent read succeeded (If so, the copy protection failed because they used to burn part of the floppy with a laser so it couldn't be written to).
Then it was just a matter of finding the right call and hardcoding the correct return value from that call.
I'm sure it's still similar, but they go through a lot of effort to hide the location of the call. Last one I tried I gave up because it kept loading code over the code I was single-stepping through, and I'm sure it's gotten lots more complicated since then.
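Two points in this thread are worth seeing side by side in code: the "sum of the digits must be a multiple of 7" rule recalled above, which any guess-throwing loop of the kind described a few answers up satisfies quickly, and the advice that a check should derive material from the serial rather than reduce to one boolean. The following is an added example from the protection-author's side (the reason the first answer gives for learning this), not code from the thread or from any product it mentions. It implements the weak rule, a keyed alternative that binds a serial to a customer name with an HMAC, a key-derivation step so that a short-circuited check leads to the wrong key rather than to a working program, and a measurement of how many random guesses each validator accepts. The vendor secret, the customer names and the guess formats are constructed for the example; shipping an HMAC key inside the binary still leaves it extractable, so a real product would verify a public-key signature with the same issue/verify layout.

```python
import hashlib
import hmac
import random
import string

# Constructed vendor secret for the keyed variant. In a shipped product the
# binary must not hold the issuing secret; a signature scheme whose verifier
# only carries the public key has the same shape as issue_serial/keyed_is_valid.
VENDOR_SECRET = b"constructed-vendor-secret-do-not-reuse"


def weak_is_valid(serial):
    """Rule of the kind the thread recalls: ten digits whose sum is a multiple
    of 7. Everything needed to pass is visible in this function, and one in
    seven random ten-digit strings passes without reading it at all."""
    return len(serial) == 10 and serial.isdigit() and sum(map(int, serial)) % 7 == 0


def issue_serial(customer):
    """Vendor side: bind a serial to a customer name with a keyed MAC."""
    tag = hmac.new(VENDOR_SECRET, customer.encode(), hashlib.sha256).hexdigest()[:16]
    return "%s-%s" % (customer, tag)


def keyed_is_valid(serial):
    """Product side: recompute the tag and compare in constant time."""
    customer, sep, tag = serial.rpartition("-")
    if not sep or not customer:
        return False
    expected = hmac.new(VENDOR_SECRET, customer.encode(), hashlib.sha256).hexdigest()[:16]
    return hmac.compare_digest(tag, expected)


def feature_key(serial):
    """Derive key material from the serial itself instead of from the boolean
    result of the check: if the check is short-circuited, later decryption of
    feature data runs with the wrong key instead of quietly succeeding."""
    return hashlib.sha256(b"feature|" + serial.encode()).digest()


def random_weak_guess(rng):
    return "".join(rng.choice(string.digits) for _ in range(10))


def random_keyed_guess(rng):
    name = "".join(rng.choice(string.ascii_lowercase) for _ in range(6))
    tag = "".join(rng.choice("0123456789abcdef") for _ in range(16))
    return name + "-" + tag


def acceptance_rate(validator, guess, trials, seed=1):
    """Fraction of random guesses a validator accepts: the guess-throwing
    approach from the thread, measured against our own validators."""
    rng = random.Random(seed)
    hits = sum(1 for _ in range(trials) if validator(guess(rng)))
    return hits / trials


if __name__ == "__main__":
    print("weak rule accepts  %.3f of random guesses"
          % acceptance_rate(weak_is_valid, random_weak_guess, 7000))
    print("keyed check accepts %.3f of random guesses"
          % acceptance_rate(keyed_is_valid, random_keyed_guess, 7000))
    s = issue_serial("alice")
    print("issued %s -> valid=%s, feature key %s..." % (s, keyed_is_valid(s), feature_key(s).hex()[:16]))
```

The weak validator accepts roughly 14% of random ten-digit strings, which is why a guess loop against it "starts spitting out hits" almost immediately; the keyed validator accepts none of the same number of guesses, because passing requires the secret rather than a pattern that the check's own code reveals. The derivation in feature_key is the code form of the "derive critical information from the serial key" advice: a patched conditional jump changes the boolean, not the bytes the feature key is computed from.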
I wonder why they don't just distribute personalized binaries, where the name of the owner is stored somewhere (encrypted and obfuscated) in the binary, or better, distributed over the whole binary. AFAIK Apple is doing this with the music files from the iTunes store; however, there it's far too easy to remove the name from the files.
I assume each crack is different, but I would guess in most cases somebody spends a lot of time in the debugger tracing the application in question.
The serial generator takes that one step further by analyzing the algorithm that checks the serial number for validity and reverse engineers it.