
Bypassing registration in all versions of Enigma (higher versions via PATCH HWID)

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com) 06/03

The software opens the interface:

Versions below V2.0 seem to just skip the registration box without decoding. (The following is from my original upk, not plagiarism.)

The following PATCH HWID takes V3.7 as an example:

First, find the address where the HWID is generated:

1. First set a memory write breakpoint on the section (0101B000) between .rsrc and .data, which is actually a DLL (DLL_Loader.dll) that Enigma itself uses for verification.

2. The REP-like instruction at line 1428B2C is the decoding part. After decoding:

3. Save as a DLL file: double-click the 0101B000 section, save the data to a file, and select the dll file type. At this point, Enigma's own DLL_Loader.dll has been saved. If the export table doesn't open, the RAW address needs to be modified. (In version 3.7 it can be opened directly after saving, without correction.)

4. You can see the RVA of EP_RegHardwareID in DLL_Loader.dll.

Below V3.7:

0C80F4 + 0101B000 (IMAGE BASE) is the address in the program. Set a breakpoint there, after which you can slowly trace to the location of the machine code.

You can also search for all MOV EAX,DWORD PTR DS:[EDI] commands, set breakpoints on all of them, run, and get the machine code location when execution breaks.

Version 3.7: the actual offset address of EP_RegHardwareID is 0x0C253C, not the offset value seen in the dll.

By setting a breakpoint at IMAGEBASE + 0xC253C, you can break on the actual EP_RegHardwareID function.

In this example, the breakpoint should actually be: HE 0C253C + 0101B000

After the breakpoint hits, you can break where the machine code is generated by searching for the MOV EAX,DWORD PTR DS:[EDI] command.

The above is just a quick way to reach it by tracking it step by step.
