Considering you just c&p this from another site you might want to give credits to Shad0w_ for doing all the work.
Also from Shad0w, who deserves all credit.
Wanted to modify some assembly; it gave me the old security module error, so I bypassed it.
Blowfish decryption and emulation isn't really my thing so I'm looking at doing standard patches.
The func, which I've named SecMod_:
Code:
seg000:00854CE0 SecMod_854CE0 proc near
seg000:00854CE0 push esi
seg000:00854CE1 mov esi, ecx
seg000:00854CE3 cmp dword ptr [esi+4], 0
seg000:00854CE7 jnz short loc_854CF7
seg000:00854CE9 push offset aSecurityModule
seg000:00854CEE call sub_854B70
seg000:00854CF3 xor eax, eax
seg000:00854CF5 pop esi
seg000:00854CF6 retn
seg000:00854CF7 ; ---------------------------------------------------------------------------
seg000:00854CF7
seg000:00854CF7 loc_854CF7: ; CODE XREF: SecMod_854CE0+7j
seg000:00854CF7 mov ecx, [esi+4]
seg000:00854CFA mov eax, [ecx]
seg000:00854CFC mov edx, [eax+8]
seg000:00854CFF call edx
seg000:00854D01 test eax, eax
seg000:00854D03 jnz short loc_854D15
seg000:00854D05 push offset aSecurityModu_0
seg000:00854D0A mov ecx, esi
seg000:00854D0C call sub_854B70
seg000:00854D11 xor eax, eax
seg000:00854D13 pop esi
seg000:00854D14 retn
seg000:00854D15 ; ---------------------------------------------------------------------------
seg000:00854D15
seg000:00854D15 loc_854D15:
seg000:00854D15 cmp dword ptr [esi+8], 0
seg000:00854D19 jz short loc_854D2B
seg000:00854D1B push offset aSecurityModu_1
seg000:00854D20 mov ecx, esi
seg000:00854D22 call sub_854B70
seg000:00854D27 xor eax, eax
seg000:00854D29 pop esi
seg000:00854D2A retn
seg000:00854D2B ; ---------------------------------------------------------------------------
seg000:00854D2B
seg000:00854D2B loc_854D2B:
seg000:00854D2B mov eax, 1
seg000:00854D30 pop esi
seg000:00854D31 retn
seg000:00854D31 SecMod_854CE0 endp
At first I figured OK, I can just hook it and ret 1 like they do at:
Code:
seg000:00854D2B mov eax, 1
seg000:00854D30 pop esi
seg000:00854D31 retn
An example of how I did this was like so:
(Thanks to fatboy88 & Zenma for the EDX trick for the hook)
Code:
//typedef int (__thiscall* tSecMod)(void *ptr);
//tSecMod oSecMod;
// __fastcall takes its first argument in ecx, so 'ptr' receives the this-pointer
// the __thiscall original expects; 'Unknown' only soaks up edx.
int __fastcall SecModHook(void *ptr, void *Unknown)
{
    return 1;   // returns 1 straight away; the vtable routine at [[ptr+4]+8] is never called
}
However, if you follow EIP, you will see almost infinite recursion happening (it will crash eventually).
That, I found, was due to this function not being called:
Code:
(*(int (**)(void))(**(_DWORD **)(ptr + 4) + 8))()
Rather than emulating the function, my way was to just patch over the conditions.
The conditions are roughly 10-byte conditional jumps, so simply forcing the conditional jumps with an 8-bit relative jump of my own in place can do the job.
Corrected Function:
Code:
seg000:00854CF7 loc_854CF7: ; CODE XREF: SecMod_854CE0+7j
seg000:00854CF7 mov ecx, [esi+4]
seg000:00854CFA mov eax, [ecx]
seg000:00854CFC mov edx, [eax+8]
seg000:00854CFF call edx
seg000:00854D01 test eax, eax
seg000:00854D03 jmp short loc_854D15
seg000:00854D05 push offset aSecurityModu_0 ; "Security Module Error - 2"
seg000:00854D0A mov ecx, esi
seg000:00854D0C call sub_854B70
seg000:00854D11 xor eax, eax
seg000:00854D13 pop esi
seg000:00854D14 retn
seg000:00854D15 ; ---------------------------------------------------------------------------
seg000:00854D15
seg000:00854D15 loc_854D15: ; CODE XREF: SecMod_854CE0+23j
seg000:00854D15 cmp dword ptr [esi+8], 0
seg000:00854D19 jmp short loc_854D2B
seg000:00854D1B push offset aSecurityModu_1 ; "Security Module Error - 3"
seg000:00854D20 mov ecx, esi
seg000:00854D22 call sub_854B70
seg000:00854D27 xor eax, eax
seg000:00854D29 pop esi
seg000:00854D2A retn
seg000:00854D2B ; ---------------------------------------------------------------------------
seg000:00854D2B
seg000:00854D2B loc_854D2B: ; CODE XREF: SecMod_854CE0+39j
seg000:00854D2B mov eax, 1
seg000:00854D30 pop esi
seg000:00854D31 retn
seg000:00854D31 SecMod_854CE0 endp
The hooking method is valid; just make sure that you call the function before returning.
SecMod calls Module Error - 1? I never got that one myself, but [protip:] that will only happen when *(PDWORD)ptr + 4 is NULL.
Lots of other functions to look at and patch in my free time, I'll try to share as much information as I can be bothered to write out.
Enjoy and Discuss.
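Added example (editor's code, not from the post or from Shad0w_) covering both halves of the post: the hook that returns 1 without the vtable call versus the one that makes the call first, and the byte patch over the two conditional jumps. The listing's `jnz short` / `jz short` are 2-byte instructions (opcode 0x75 / 0x74 followed by an 8-bit displacement), so rewriting just the opcode byte to 0xEB gives the `jmp short` with the same target shown in the corrected listing; from 0x854D03 and 0x854D19 the displacement is 0x10 in both cases. The struct layout, field names, the `inner_slot2` routine, the `sub_854B70` stand-in and the 0x90-filled byte image are assumptions built from the listing; portable C is used instead of `__thiscall`/`__fastcall` so it builds on any host.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the post or from Shad0w_. Models the object layout
 * implied by the SecMod_854CE0 listing in portable C, compares the two hook
 * variants, and applies the jcc->jmp byte patch to a constructed copy of the
 * relevant code bytes. Type/field names, inner_slot2 and the image are assumptions. */

typedef int (*SlotFn)(void *self);

/* [ecx] in the listing: first dword is the vtable; slot index 2 is offset 8 on x86-32. */
typedef struct { SlotFn *vtable; } SecInner;

typedef struct {
    uint32_t  unused;   /* [esi+0], not touched by this check */
    SecInner *inner;    /* [esi+4]: NULL -> "Security Module Error - 1" */
    uint32_t  flag;     /* [esi+8]: non-zero -> "Security Module Error - 3" */
} SecModObj;

static int g_slot2_calls;             /* how many times the vtable slot actually ran */
static const char *g_last_error = ""; /* last string handed to the sub_854B70 stand-in */

/* Stand-in for sub_854B70, the error reporter: just record the message. */
static void sub_854B70(SecModObj *self, const char *msg) { (void)self; g_last_error = msg; }

/* Constructed slot-2 routine: succeed and count the call. */
static int inner_slot2(void *self) { (void)self; g_slot2_calls++; return 1; }

/* C transcription of SecMod_854CE0 exactly as listed, before any patching. */
static int SecMod_854CE0(SecModObj *self) {
    if (self->inner == NULL) { sub_854B70(self, "Security Module Error - 1"); return 0; }
    if (self->inner->vtable[2](self->inner) == 0) {            /* mov edx,[eax+8] / call edx */
        sub_854B70(self, "Security Module Error - 2"); return 0;
    }
    if (self->flag != 0) { sub_854B70(self, "Security Module Error - 3"); return 0; }
    return 1;
}

/* The post's first hook: ret 1 and never make the vtable call. */
static int SecModHook_naive(SecModObj *self) { (void)self; return 1; }

/* The hook the post ends up recommending: make the call, then ret 1. */
static int SecModHook_fixed(SecModObj *self) {
    if (self->inner != NULL)
        (void)self->inner->vtable[2](self->inner);   /* the 'call edx' the naive hook skips */
    return 1;
}

/* Run `hook` on a fresh object and return how many times slot 2 was exercised. */
static int hook_calls_slot2(int (*hook)(SecModObj *)) {
    SlotFn vt[3] = { NULL, NULL, inner_slot2 };
    SecInner in = { vt };
    SecModObj obj = { 0, &in, 0 };
    int before = g_slot2_calls;
    (void)hook(&obj);
    return g_slot2_calls - before;
}

/* "Module Error - 1" path: [esi+4] == 0. Returns the string passed to sub_854B70. */
static const char *error_when_inner_null(void) {
    SecModObj obj = { 0, NULL, 0 };
    g_last_error = "";
    (void)SecMod_854CE0(&obj);
    return g_last_error;
}

/* Byte patch: 2-byte short Jcc (opcode 0x70..0x7F + rel8) -> jmp short (0xEB + same rel8). */
static int patch_short_jcc_to_jmp(uint8_t *code, size_t off) {
    if ((code[off] & 0xF0) != 0x70) return 0;   /* not a short conditional jump: refuse to patch */
    code[off] = 0xEB;                            /* displacement byte is left untouched */
    return 1;
}

/* Target of a 2-byte short jump at `addr`: next instruction + sign-extended rel8. */
static uint32_t short_jmp_target(uint32_t addr, uint8_t rel8) {
    return addr + 2 + (uint32_t)(int32_t)(int8_t)rel8;
}

/* Constructed image of 0x854D03..0x854D1A: the listing's two jumps at their real offsets
 * (75 10 = jnz short +0x10, 74 10 = jz short +0x10); the push/mov/call/xor/pop/retn
 * bytes in between are not reproduced and are filled with 0x90. */
#define IMAGE_BASE 0x854D03u
static uint8_t g_image[0x18] = {
    0x75, 0x10, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x74, 0x10 };

/* Apply the post's two patches (at 0x854D03 and 0x854D19); returns how many succeeded. */
static int apply_secmod_patches(uint8_t *image, uint32_t base) {
    return patch_short_jcc_to_jmp(image, 0x854D03u - base)
         + patch_short_jcc_to_jmp(image, 0x854D19u - base);
}

int main(void) {
    printf("naive hook slot-2 calls: %d\n", hook_calls_slot2(SecModHook_naive));
    printf("fixed hook slot-2 calls: %d\n", hook_calls_slot2(SecModHook_fixed));
    printf("inner==NULL -> %s\n", error_when_inner_null());
    printf("jnz at 854D03 targets %08X\n", short_jmp_target(0x854D03u, 0x10));
    printf("patched %d jumps; byte@854D03=%02X byte@854D19=%02X\n",
           apply_secmod_patches(g_image, IMAGE_BASE), g_image[0], g_image[0x16]);
    return 0;
}
```

The naive hook never increments the slot-2 counter, which is the missing call the post traces the recursion to; the fixed hook and the unpatched original both make it exactly once. The patcher checks the opcode nibble before writing so that a second run, or a wrong address, patches nothing instead of corrupting a different instruction. The `test eax, eax` left in front of the new `jmp short` is dead but harmless, which is why the two-byte swap is enough.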