unix:osx:office_crack

These are rough notes, jotted on the fly while working around the date expiration of some beta software, so they are hard to read.

So: check the stack at a breakpoint on McpDoBetaCheck; the calling function is McpFInitMcp. Break on that function (break McpFInitMcp, run, then step forward with s), disassemble at the current address (disas), and look for the call to McpDoBetaCheck. You can also just look for the address of the earlier breakpoint, or something like that; I can't remember exactly.

In gdb an address (as opposed to a symbol name) needs a * in front, for both break and jump. Break on McpFInitMcp and disassemble from there to see which address you need to jump from, and where to land.

gdb "./Microsoft Entourage"
(gdb) break *0x01044cab
(gdb) run
(gdb) jump *0x01044cb2

The breakpoint is on the jne at 0x01044cab; jumping from there to 0x01044cb2 skips the call to McpDoBetaCheck at 0x01044cad. That works (eureka moment!).

NOTE: on finding the code in the disassembled text version: the last 3 hex digits of gdb's address match the last 3 digits of the objdump address (gdb shows 0x01044cad for the call, objdump shows 106cad; the two bases differ by a multiple of 0x1000), so to find the code quickly, grep -B1 "cad:" decomp.txt | grep "jne", or grep -B1 "cad:" mcpdecomp.out | grep -B1 call | grep -A1 jne … So simple, so fast. (This was used to find the right section of code by the order of the instructions.)

Hex-editor offsets for the NOPs are 1190C0 for PowerPC and 400CAD for Intel. The NOP opcode is 90 on Intel (one byte; use as many as the instruction you are replacing is long). On PowerPC it is 60 00 00 00 (ori r0,r0,0), one per 4-byte instruction.

Using objdump, disassemble the file: objdump -D binaryfile > disassembly.txt. An example command to find the necessary lines looks like:

grep -A5 -B4 'mov    $0x1,%eax' mcpdecomp.out |grep -B5 -A4 'add    $0x4,%esp'

and the output looks like:

106ca4:	e8 b1 71 02 00       	call   12de5a <LC_SEGMENT.__TEXT.__text+0x12ca86>
106ca9:	85 c0                	test   %eax,%eax
106cab:	75 05                	jne    106cb2 <LC_SEGMENT.__TEXT.__text+0x1058de>
106cad:	e8 1c f8 ff ff       	call   1064ce <LC_SEGMENT.__TEXT.__text+0x1050fa>
106cb2:	b8 01 00 00 00       	mov    $0x1,%eax
106cb7:	83 c4 04             	add    $0x4,%esp
106cba:	5b                   	pop    %ebx
106cbb:	5d                   	pop    %ebp
106cbc:	c3                   	ret    
106cbd:	00 00                	add    %al,(%eax)

Open a hex editor and search for the byte string that matches the opcodes in question, e8b171020085c07505… The pattern begins at 106ca4 in the disassembly; the offset in the hex editor is different (400CAD for the Intel slice) because the binary is universal and disassembly addresses are not file offsets, which is why searching for the bytes is easier than computing the offset. Be careful which instruction gets the NOPs: the gdb jump that worked went from the jne at …cab to …cb2, i.e. it skipped the five-byte call e8 1c f8 ff ff at …cad, and the hex-editor offset recorded above (400CAD) is that call. So overwrite the call with five 90 bytes (or turn the jne 75 05 into an unconditional jmp, eb 05). Replacing the two-byte jne itself with 90 90 would do the opposite and run the check every time.

Now run objdump over the file again, this time selecting the PowerPC power4 instruction set (the output below is power4decomp.txt)…

For PowerPC the pattern to look for is cmpwi cr7,r3,0 / bne cr7,… / bl …, narrowing the grep step by step (the count of 81 shows how many candidates the first cut still leaves):

grep -A2 'cmpwi   cr7,r3,0' power4decomp.txt|grep -B5 -A4 'bne'
grep -A2 'cmpwi   cr7,r3,0' power4decomp.txt|grep -B1 -A1 'bne     cr7,'
grep -A2 'cmpwi   cr7,r3,0' power4decomp.txt|grep -B1 -A1 'bne     cr7,' |grep bl |wc -l
    81
grep -A3 'cmpwi   cr7,r3,0' power4decomp.txt|grep -B1 -A2 'bne     cr7,' |grep -A1 bl

And finally we find it….

frieda:Desktop ben$ grep -A3 'cmpwi   cr7,r3,0' power4decomp.txt|grep -B1 -A2 'bne     cr7,' |grep -A1 bl|grep 'addi   r1,r1,80'
frieda:Desktop ben$ grep -A3 'cmpwi   cr7,r3,0' power4decomp.txt|grep -B1 -A2 'bne     cr7,' |grep -A1 bl|grep 'addi    r1,r1,80'
(The first grep finds nothing: objdump pads the mnemonic to a fixed column, so addi is followed by four spaces, not three.)
1180c4:	38 21 00 50 	addi    r1,r1,80
1180c4:	38 21 00 50 	addi    r1,r1,80
frieda:Desktop ben$ grep -A3 'cmpwi   cr7,r3,0' power4decomp.txt|grep -B1 -A2 'bne     cr7,' |grep -B4 -A2 bl|grep 'addi    r1,r1,80'
1180c4:	38 21 00 50 	addi    r1,r1,80
1180c4:	38 21 00 50 	addi    r1,r1,80
frieda:Desktop ben$ grep -A3 'cmpwi   cr7,r3,0' power4decomp.txt|grep -B1 -A2 'bne     cr7,' |grep -B4 -A2 bl|grep -A4 -B4 'addi    r1,r1,80'
--
1180b8:	2f 83 00 00 	cmpwi   cr7,r3,0
1180bc:	40 9e 00 08 	bne     cr7,1180c4 <LC_SEGMENT.__TEXT+0x1180c4>
1180c0:	4b ff fa 31 	bl      117af0 <LC_SEGMENT.__TEXT+0x117af0>
1180c4:	38 21 00 50 	addi    r1,r1,80
--  
--
--
1187e8:	2f 83 00 00 	cmpwi   cr7,r3,0
--
--
1180b8:	2f 83 00 00 	cmpwi   cr7,r3,0
1180bc:	40 9e 00 08 	bne     cr7,1180c4 <LC_SEGMENT.__TEXT.__text+0x115e84>
1180c0:	4b ff fa 31 	bl      117af0 <LC_SEGMENT.__TEXT.__text+0x1158b0>
1180c4:	38 21 00 50 	addi    r1,r1,80
--
--
--
1187e8:	2f 83 00 00 	cmpwi   cr7,r3,0
For reference, gdb's own disassembly of the same spot in McpFInitMcp (these are the addresses used for the break and jump above):

0x01044ca9 <McpFInitMcp+57>:	test   %eax,%eax
0x01044cab <McpFInitMcp+59>:	jne    0x1044cb2 <McpFInitMcp+66>
0x01044cad <McpFInitMcp+61>:	call   0x10444ce <McpDoBetaCheck>
0x01044cb2 <McpFInitMcp+66>:	mov    $0x1,%eax
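As an added worked example (my code, not part of the original notes and not tooling from the page's author or from Microsoft), the Python script below automates the Intel and PowerPC steps above in one go: it parses objdump lines of the shape quoted on this page (compare, conditional branch over a call, the call), turns them into the hex string to search for in a hex editor, then finds those bytes in the file and overwrites only the call (five 90 bytes on Intel, 60 00 00 00 on PowerPC). It refuses to patch unless the byte pattern occurs exactly once, because the disassembly address is not the file offset (106cad versus 400CAD above) and a non-unique pattern would be patched in the wrong place. The "binaries" it patches are constructed stand-ins (the quoted instruction bytes wrapped in 0xcc filler), not the real Entourage file; the function names, the ARCH table and the following= filter are my own assumptions.

```python
"""Locate a guarded call (compare, branch over it, call) in objdump output,
find those bytes in the binary, and overwrite the call with NOPs.
Assumes the pattern occurs exactly once; the returned offset is a file offset."""
import re
from dataclasses import dataclass


@dataclass
class Insn:
    addr: int     # address as printed by objdump (not a file offset)
    raw: bytes    # instruction bytes
    mnem: str
    ops: str


# "106cab:  75 05   jne  106cb2 <...>" -> address, hex bytes, mnemonic, operands
LINE_RE = re.compile(r"^\s*([0-9a-f]+):\s+((?:[0-9a-f]{2}\s)+)\s*([a-z0-9.]+)\s*(.*)$", re.I)
# Branch target: the bare hex number before "<sym+off>" in "106cb2 <...>",
# "cr7,1180c4 <...>" or gdb's "0x1044cb2 <...>".
TARGET_RE = re.compile(r"(?:^|,)\s*(?:0x)?([0-9a-f]+)\s*(?:<|$)", re.I)
# compare mnemonics, branch-over mnemonics, call mnemonics, one NOP.
# x86 NOP is 0x90; PowerPC NOP is "ori r0,r0,0" = 0x60000000.
ARCH = {
    "x86": (("test", "cmp"), ("jne", "jnz"), ("call",), b"\x90"),
    "ppc": (("cmpwi",), ("bne",), ("bl",), b"\x60\x00\x00\x00"),
}

# Disassembly quoted on the page (tabs collapsed to spaces).
INTEL_ASM = """
106ca4: e8 b1 71 02 00    call   12de5a <LC_SEGMENT.__TEXT.__text+0x12ca86>
106ca9: 85 c0             test   %eax,%eax
106cab: 75 05             jne    106cb2 <LC_SEGMENT.__TEXT.__text+0x1058de>
106cad: e8 1c f8 ff ff    call   1064ce <LC_SEGMENT.__TEXT.__text+0x1050fa>
106cb2: b8 01 00 00 00    mov    $0x1,%eax
106cb7: 83 c4 04          add    $0x4,%esp
106cbc: c3                ret
"""
PPC_ASM = """
1180b8: 2f 83 00 00       cmpwi   cr7,r3,0
1180bc: 40 9e 00 08       bne     cr7,1180c4 <LC_SEGMENT.__TEXT+0x1180c4>
1180c0: 4b ff fa 31       bl      117af0 <LC_SEGMENT.__TEXT+0x117af0>
1180c4: 38 21 00 50       addi    r1,r1,80
"""


def parse_objdump(text):
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skips blank lines, "--" separators and section headers
            addr, hexbytes, mnem, ops = m.groups()
            insns.append(Insn(int(addr, 16), bytes.fromhex(hexbytes), mnem.lower(), ops.strip()))
    return insns


def branch_target(ops):
    m = TARGET_RE.search(ops)
    if not m:
        raise ValueError(f"no branch target in {ops!r}")
    return int(m.group(1), 16)


def find_guarded_call(insns, arch, following=None):
    """Return (pattern bytes, offset of the call inside the pattern, call length).
    The four instructions must be contiguous and the branch must land right after
    the call. `following` narrows candidates by the instruction after the call (the
    page's grep for 'addi r1,r1,80'); whitespace is normalised, so objdump's padding
    does not matter."""
    compares, branches, calls, _ = ARCH[arch]
    hits = []
    for i in range(len(insns) - 3):
        cmp_, br, call, after = insns[i:i + 4]
        contiguous = (br.addr == cmp_.addr + len(cmp_.raw)
                      and call.addr == br.addr + len(br.raw)
                      and after.addr == call.addr + len(call.raw))
        if (contiguous and cmp_.mnem in compares and br.mnem in branches
                and call.mnem in calls and branch_target(br.ops) == after.addr
                and (following is None or following in f"{after.mnem} {after.ops}")):
            hits.append(i)
    if len(hits) != 1:
        raise ValueError(f"expected exactly one guarded call, found {len(hits)}")
    i = hits[0]
    pattern = b"".join(x.raw for x in insns[i:i + 4])
    return pattern, len(insns[i].raw) + len(insns[i + 1].raw), len(insns[i + 2].raw)


def hex_search_string(objdump_text, arch, following=None):
    """The hex string to type into the hex editor's search box."""
    return find_guarded_call(parse_objdump(objdump_text), arch, following)[0].hex()


def nop_out_guarded_call(binary, objdump_text, arch, following=None):
    """Return (patched copy of binary, file offset of the NOPped call)."""
    pattern, call_off, call_len = find_guarded_call(parse_objdump(objdump_text), arch, following)
    nop = ARCH[arch][3]
    if call_len % len(nop):
        raise ValueError("call length is not a multiple of the NOP length")
    offs, pos = [], binary.find(pattern)
    while pos != -1:  # collect every occurrence; refuse unless the match is unique
        offs.append(pos)
        pos = binary.find(pattern, pos + 1)
    if len(offs) != 1:
        raise ValueError(f"pattern found {len(offs)} times, need exactly 1")
    file_off = offs[0] + call_off
    patched = bytearray(binary)
    patched[file_off:file_off + call_len] = nop * (call_len // len(nop))
    return bytes(patched), file_off


def build_sample(objdump_text, filler=b"\xcc" * 64):
    """Constructed stand-in binary: the quoted instruction bytes wrapped in filler."""
    return filler + b"".join(x.raw for x in parse_objdump(objdump_text)) + filler


if __name__ == "__main__":
    for arch, asm, follow in (("x86", INTEL_ASM, "mov $0x1,%eax"), ("ppc", PPC_ASM, "addi r1,r1,80")):
        patched, off = nop_out_guarded_call(build_sample(asm), asm, arch, follow)
        print(arch, "search for", hex_search_string(asm, arch, follow), "patched at", hex(off))
```

Run it as a script to print the search strings and the offsets in the constructed samples. For a real file, read it with open(path, "rb").read(), pass the objdump output for the matching slice, and write the returned bytes to a copy; the offset it reports is the one you would otherwise have to find by searching in the hex editor.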
unix/osx/office_crack.txt · Last modified: 2010/02/22 08:57 by ben