Archive for the ‘Reverse Engineering’ Category

Final Uninstaller – Patched

November 29, 2010 Leave a comment

Recently, my Google Chrome keep crashing on me, I tried to uninstall it, but still crash, my assumptions is something not wrong with my browsing data, so I tried to remove all chrome related data from temporaries, registries, etc.

Looking around for a good uninstaller, I found Final Uninstaller, but the thing is a shareware.

First, I was going to alter the registration process, but then everytime I fired up Final Uninstaller, I always have UnRegistered version coming up, even after I patched the Registration process. Then I changed my trace into the application start, and look for some string reference of “UnRegistered Version”, if I can’t find it, I will look intermodular calls and reverse engineer some assembly codes to perhaps make a Keygen, based on the Registration process, but I found this string, and everything become simpler, I can then crack it for just a couple minutes.

Fired up OllyDbg, search for strings reference of “UnRegistered Version”, trace up and search for the caller of the unregistered function, got one, changed jnz into jz, and voila, I have a patch address, fired up hex editor, change patch it, save it as a patch binary. Overwrite my trial one with my patched one, then it’s full version now.

This app is bare naked, it doesn’t have protection whatsoever that makes it easier to crack in just a couple minutes.

One more thing, this app created either using Delphi or C++ builder, I saw it uses fastcall calling convention in all of its function call and TXXX class naming everywhere.

Categories: Reverse Engineering

Assembly 101 – Memory

March 23, 2010 Leave a comment

It seems that this blog got abandoned by me due to busy schedule, but anyway, since this blog is a little storage from the corner of my mind, I think it is no problem if I don’t have time to write on this blog all the time. Time is essentials, a little time is so much worth if we can appreciate it. It happens that I have a little free time today, so I guess I am going to dig some old memories in the dark corner of my long gone memory of my mind.

I used to start learning Assembly since I was in High School 1st grade, and it’s actually pretty exciting to discover new things of my own, for the notice, I learn assembly in the hard way, I didn’t read books a lot, just facing in DOS era and learn from there, even crack how the AND, OR, XOR operator working of my own, since nobody will tell me back then, and lack of book resources lead me to self education which is the hard way.

Well enough with the blabbering…

I think I’ll start again writing on this blog on the matter of assembly.

If you ask me, what is assembly, well my answer is: type Assembly in google. You’ll be much better understand it that way rather than explained by me.

Okay, let start with computer memory.
In the old days of DOS (miss those days), we only know that Intel uses the concept of Real Mode in its memory. Meaning that, if you have an operating system in some chunk of address space in memory, then you have an application in other chunk of memory, then that application of yours can easily write and modify your operating system code on its chunk of memory, meaning that any application can overwrite the OS code in the OS memory, which lead us to where? crash. Just see the old MS DOS for example, if you a program then that program is hang, what can you do to go back to the DOS Prompt? Well the options is not much, you just have to hit the reset button or press Ctrl + Alt + Delete. In today’s Operating System if a application crash, you close it without having to reset the whole computer system, bla.. bla.. bla..

Why is that happen? because Real Mode provides us with no protection at all in accessing memory. Anybody from anywhere can access memory in every where. That’s the big picture of real mode.

But, hey, since now is another era of computing, what happen with the real mode now? is it still there in our computer or not? The answer is YES, it is still there. Can I overwrite the OS memory now, since it still there? the answer is NO if you are using Windows, or any modern OS that uses the latest memory model from Intel.

Question is, what kind of memory model that prevent us from overwriting the memory area of the OS aka Kernel? The answer is Protected Mode. I first learned Protected Mode in Hight School too. So I am saying this is my long gone of memory.

So, now we know 2 kind of memory mode in Intel processor, which is Real Mode and Protected Mode. And actually there’s another memory mode that Intel use, it was called System Management Mode (SMM), but I am not going to discuss that now.

In Protected Mode, the memory is protected by some kind of protection mechanism that prevent unauthorized application to overwrite the kernel memory.

There are a couple protection mechanism, there’s a segment protection and paging protection.
Yeah, you heard me, Segment Protection and Paging Protection.

What the h**l is that you’re asking again?
OK, the answer you must wait for the next post… For now I got work to do reversing some codes…

Categories: Reverse Engineering

Debugging a Plugin

June 5, 2009 Leave a comment

I used to wonder, how am I suppose to debug a plugin? I can’t just debug the binary just like a ELF, or EXE file and use the disassembled offset right out of the box for me to breakpoint.

Let’s take a good example:
Suppose we have EarthDesk.prefPane (I got it from

The I dump the binary into class header like this:

* Generated by class-dump 3.1.2.
* class-dump is Copyright (C) 1997-1998, 2000-2001, 2004-2007 by Steve Nygard.

struct __CFString;

* File: EarthDesk
* Arch: Intel 80x86 (i386)

.... Cut on purpose

@interface ComXericDesignEarthDeskLicenseController : NSWindowController
ComXericDesignEarthDeskPrefPane *bridge;
NSTextField *userField;
NSTextField *orgField;
NSTextField *keyField;
NSButton *okButton;
int fieldKeyCount;

- (id)initWithObject:(id)fp8;
- (BOOL)licenseBlocked:(unsigned short)fp8 hVal:(unsigned long)fp12;
- (BOOL)licenseAdded:(unsigned short)fp8 hVal:(unsigned long)fp12;
- (void)setLicenseFields;
- (void)controlTextDidChange:(id)fp8;
- (void)keyCountAlert;
- (void)showLicenseSheet:(id)fp8;
- (void)okButtonAction:(id)fp8;
- (void)cancelButtonAction:(id)fp8;
- (void)sheetDidEnd:(id)fp8 returnCode:(int)fp12 contextInfo:(void *)fp16;


@interface NSMutableData (Compression)
- (BOOL)compress;
- (BOOL)uncompress;

@interface NSData (Compression)
- (id)compressedData;
- (id)compressedDataWithLevel:(int)fp8;
- (id)uncompressedData;

..... Cut on purpose

I fired up the application using System Preferences, and see the Enter License Sheet (Find sheet at:

And then I look for some interesting method, and I found -controlTextDidChange:, I am guessing this is a documented callback or something, and find out in Xcode documentation about this method, and I found out that this is a notification received from NSNotificationCenter, and the I disassemble the binary into this:

-(void)[ComXericDesignEarthDeskLicenseController controlTextDidChange:]
+0 000068e0 55 pushl %ebp
+1 000068e1 89e5 movl %esp,%ebp
+3 000068e3 83ec48 subl $0x48,%esp
+6 000068e6 895df4 movl %ebx,0xf4(%ebp)
+9 000068e9 8b4508 movl 0x08(%ebp),%eax
+12 000068ec e800000000 calll 0x000068f1
+17 000068f1 5b popl %ebx
+18 000068f2 8975f8 movl %esi,0xf8(%ebp)
+21 000068f5 897dfc movl %edi,0xfc(%ebp)
+24 000068f8 8945e4 movl %eax,0xe4(%ebp)
+27 000068fb 8b8303890000 movl 0x00008903(%ebx),%eax
+33 00006901 89442404 movl %eax,0x04(%esp)
+37 00006905 8b4510 movl 0x10(%ebp),%eax
+40 00006908 890424 movl %eax,(%esp)
+43 0000690b e8c0980000 calll 0x000101d0 -[(%esp,1) object]
+48 00006910 89c7 movl %eax,%edi
+50 00006912 8b45e4 movl 0xe4(%ebp),%eax
+53 00006915 8b5034 movl 0x34(%eax),%edx
+56 00006918 8b837f880000 movl 0x0000887f(%ebx),%eax
+62 0000691e 891424 movl %edx,(%esp)

..... Cut on purpose

And then I want to set a breakpoint at address: 0x000068e0 which is the beginning of the method.
OK, now where am I suppose to breakpoint it? I can’t run the EarthDesk.prefPane just like a normal app! Why? because only System Preferences can call this program.

Now, I start thinking, if System Preferences is the one who load this program, it means that System Preferences will load it somewhere in the memory.
Now I want GDB to attach the process of System Preferences, and next thing I know, I type this:

$ps -ax | grep Preference
1519 ?? 0:00.54 /Applications/System Preferences -psn_0_372827
1538 ttys000 0:00.00 grep Preference

I look for System Preferences PID which is 1519, from looking at the result I know that System Preferences is a Carbon application, you can know this from the -psn id it has.

Now I fire up GDB and attach 1519 to my gdb.

$gdb -q
gdb$ attach 1519
Attaching to process 1519.
Reading symbols for shared libraries . done
Reading symbols for shared libraries ............... done
0x91b56286 in mach_msg_trap ()
EAX: 10004005 EBX: 92C21967 ECX: BFFFEC7C EDX: 91B56286 o d I t s z a P c
ESI: 00000000 EDI: 00000000 EBP: BFFFECB8 ESP: BFFFEC7C EIP: 91B56286
CS: 0007 DS: 001F ES: 001F FS: 0000 GS: 0037 SS: 001F
BFFFECCC : 50 04 00 00 03 0F 00 00 - 00 00 00 00 00 00 00 00 P...............
BFFFECBC : 4E 20 C2 92 A0 ED FF BF - 06 00 00 03 00 00 00 00 N ..............
BFFFECAC : 06 00 00 03 E8 87 10 00 - A0 ED FF BF 78 F2 FF BF ............x...
BFFFEC9C : 01 00 00 00 03 37 00 00 - 93 58 C7 49 7B 07 C2 92 .....7...X.I{...
BFFFEC8C : 50 04 00 00 03 0F 00 00 - 00 00 00 00 00 00 00 00 P...............
BFFFEC7C : 7C DA B5 91 A0 ED FF BF - 06 00 00 03 00 00 00 00 |...............
0x91b56286 : ret
0x91b56287 : nop
0x91b56288 : mov eax,0xffffffe0
0x91b5628d : call 0x91b56ad4
0x91b56292 : ret
0x91b56293 : nop
0x91b56294 : mov eax,0xffffffdf
0x91b56299 : call 0x91b56ad4
gdb$ continue
Reading symbols for shared libraries . done

And now I open the EarthDesk preference in the System Preference so it will be loaded to the memory. Then I back to terminal hit Ctrl + C to break.

Back to my disassembled source list, I want to set a breakpoint at 0x000068e0. No, I can't just type:
b *000068e0 to the gdb right? why? because this offset is not correct, why is that? because this is a loaded plugin which mean that it must be put somewhere in the memory as the base address, so we must find out where in memory System Preference put EarthDesk?
Then I get back again to GDB:

gdb$ info shared

.... Cut on purpose

104 EarthDesk - 0x152d0000 dyld Y Y /Users/Syuaibi/Library/PreferencePanes/EarthDesk.prefPane/Contents/MacOS/EarthDesk at 0x152d0000 (offset 0x152d0000)


Now I got the base address of EarthDesk, take a look at the bold address: 0x152d0000. This is my base address, now I must add all our breakpoint address with this base address.
I then add 0x000068e0 with 0x152d0000, I got 0x152D68E0

put it back in my GDB console, and voila I breakpoint in the correct address...

Now, everything is easier after this one, you can figure it out yourself.

Have fun!

Categories: Reverse Engineering

Hello Debugger

June 3, 2009 Leave a comment


Debugging is one of the most important thing either for a Programmer or a Reverser. In this post, I’d like to mentions some of the best tools we can use for Reversing or debugging.

There are several kind of debuggers, there is a user mode debugger that lies in the user space of Operating System (Application Level), also there is kernel debugger that we can use to debug kernel via network.

The following is some of the tools I used and know for Windows, Linux, or perhaps MacOSX. If you guys knows something that I don’t know about some great tool, you can post me a comment and I’ll add that to my list.

  • OllyDbg, this debugger is a user mode debugger made by Oleh Yuschuk, one of the coolest free debugger for Windows
  • WinDbg, this is a kernel mode and user mode debugger by far is surpasses OllyDbg in the integration with Windows Operating System, we can look up any data structure inside windows module, like ntdll.dll (using DT command, we can list the data structure inside a module (.DLL), like TEB (accessed via fs register), but you must load the symbols from Microsoft Server in order to cache the symbol to your WinDbg, so far I know 2 symbol servers that we can use:
      _NT_SYMBOL_PATH=srv*c:\mss* (For Microsoft Symbol Server
      _NT_SYMBOL_PATH=srv*c:\css* (For Citrix Symbol Server)
  • IDA Pro, this is one of the best disassembler and also a user mode debugger, but it cost us a lot of money. But as far as I know, this is one of the powerfull disassembler, if you ever try this tool, i bet you will like this one
  • PEBrowse Professional Interactive, this tool is good since this tool can also debug IL (Intermediate Language) codes of .NET framework
  • SoftIce, now this is the coolest thing ever to debug Kernel mode locally.
  • GNU Debugger, is the debugger mostly used for Linux and MacOSX, in my previous reversing tutorial, I use this tool, pretty powerfull debugger if you like command lines like me
  • Have fun!

    Categories: Reverse Engineering

    Cracking DiscoApp

    May 31, 2009 1 comment

    Beberapa hari terakhir aku sedang mencari-cari program burning yang bagus buat di Mac, searching-searching dapat di situs

    Nama aplikasinya DiscoApp, nyari cracknya dimana-mana gak ketemu, akhirnya coba ngecrack, ternyata berhasil, buat sarana belajar aku mau share tutorialnya, maaf kalau salah-salah… Enjoy..

    Program ini pake nag screen, tapi gak menampilkan pesan kesalahan sama sekali, effort buat ngecrack program ini lebih lama daripada program yang menampilkan pesan kesalahan registrasi, tapi cukup mudah untuk di crack menggunakan GDB.

    Download tutorialnya:

    Categories: Reverse Engineering

    Hello Mac Reversing

    May 30, 2009 Leave a comment


    This is the space for my extra times for coding and reversing, I love reversing, but recently due to my daily job, I can’t spend much time on it.

    Last time I was reversing was 3 years ago, so bear with me, I am now starting again with the new platform I have now: Mac.

    I love coding in Mac, I own a MacBook Black, but sometimes I needed some softwares which is not free, so I dedicate this blog space as my corner of reversing.


    Categories: Reverse Engineering