unix:osx:office_crack [2010/02/22 08:37] ben created
unix:osx:office_crack [2010/02/22 08:57] ben
Line 1: | Line 1: | ||
+ | **These are really difficult to read, they were sort of on the fly notes while working to avoid the date expiration of some beta software, maybe.** | ||
+ | |||
So, check the stack at break of McpDoBetaCheck, calling funcion is McpFInitMcp. Break on that function (break McpFInitMcp, then step (s) forward), disas the address, and start looking for the call to McpDoBetaCheck, can just look for the previous break point address or something, can't remember. | So, check the stack at break of McpDoBetaCheck, calling funcion is McpFInitMcp. Break on that function (break McpFInitMcp, then step (s) forward), disas the address, and start looking for the call to McpDoBetaCheck, can just look for the previous break point address or something, can't remember. | ||
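Review bot: the new disclaimer says only "some beta software, maybe", while everything below depends on one specific binary (the one exporting McpDoBetaCheck and McpFInitMcp, with the 1190C0 / 400CAD hexedit offsets given later); name the product, version and architecture slice here, because those offsets are meaningless against any other build. The step "can just look for the previous break point address or something, can't remember" can be made concrete with stock gdb: `break McpDoBetaCheck`, `run`, then `finish` returns into McpFInitMcp and prints the return address, and `disassemble` around that address lands on the call / test / jne sequence the later hunks grep for. Also "funcion" should be "function".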
Line 8: | Line 10: | ||
jump *0x01044cb2 | jump *0x01044cb2 | ||
- | that works. | + | that works. (eureka moment!) |
NOTE: on finding the code in the decompiled text version- the last 3 characters in gdb's address correspond to the hex offset- | NOTE: on finding the code in the decompiled text version- the last 3 characters in gdb's address correspond to the hex offset- | ||
to find the code quickly, grep -B1 "cad:" decomp.txt|grep "jne" or grep -B1 "cad:" mcpdecomp.out|grep -B1 call | grep -A1 jne ... | to find the code quickly, grep -B1 "cad:" decomp.txt|grep "jne" or grep -B1 "cad:" mcpdecomp.out|grep -B1 call | grep -A1 jne ... | ||
- | SO simple, so fast. | + | SO simple, so fast. (this was used to find the correct section of code by the order of commands made) |
hexedit offsets for the nop's are 1190C0 for power pc and 400CAD for intel. | hexedit offsets for the nop's are 1190C0 for power pc and 400CAD for intel. | ||
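Review bot: the parenthetical added to "SO simple, so fast" does not say what "order of commands" means; it should say that the grep pipeline matches the call / test / jne instruction sequence described just above, and that this sequence is what picks the right hit among every address ending in cad. That matters because the three-character rule only holds for the low 12 bits (runtime address and file offset share them since segments are page-aligned), so "cad:" matches once per 4 KiB of code and the jne/call filters are what make the match unique. For the hexedit step, say how many bytes are nopped: on Intel the 0x90 bytes must cover the whole instruction (a jne is 2 or 6 bytes, a call 5) or the disassembly after it desyncs, while on PowerPC every instruction is 4 bytes and the nop is a single 60 00 00 00 (ori r0,r0,0).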
Line 23: | Line 25: | ||
and the output looks like: | and the output looks like: | ||
- | -- | + | |
106ca4: e8 b1 71 02 00 call 12de5a <LC_SEGMENT.__TEXT.__text+0x12ca86> | 106ca4: e8 b1 71 02 00 call 12de5a <LC_SEGMENT.__TEXT.__text+0x12ca86> | ||
106ca9: 85 c0 test %eax,%eax | 106ca9: 85 c0 test %eax,%eax | ||
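Review bot: dropping the `--` here is right, it is grep's context-group separator rather than disassembly, but the same separators are still at the end of the PowerPC listing and should go too. The excerpt stops at the `test %eax,%eax` at 106ca9, so the reader never sees the jne that follows or the instruction at ...cad that the 400CAD offset patches; extend the quote by two or three lines so the bytes being replaced are on the page. It would also help to state the base this listing was taken at, since 106ca9 here and 0x01044cb2 in the gdb `jump` agree only in their low 12 bits.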
Line 43: | Line 45: | ||
For powerpc, we're looking for the code of: | For powerpc, we're looking for the code of: | ||
- | -- | + | |
grep -A2 'cmpwi cr7,r3,0' power4decomp.txt|grep -B5 -A4 'bne' | grep -A2 'cmpwi cr7,r3,0' power4decomp.txt|grep -B5 -A4 'bne' | ||
grep -A2 'cmpwi cr7,r3,0' power4decomp.txt|grep -B1 -A1 'bne cr7,' | grep -A2 'cmpwi cr7,r3,0' power4decomp.txt|grep -B1 -A1 'bne cr7,' | ||
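Review bot: two different grep pipelines are given with no word on which one produced the listing below; keep the second (`grep -B1 -A1 'bne cr7,'`), which anchors on the conditional branch itself, and drop or label the first, whose `-B5` window runs across the `--` group separators into unrelated matches. A one-line gloss would help too: `cmpwi cr7,r3,0` is the PowerPC counterpart of the Intel `test %eax,%eax`, since r3 carries the return value, and `bne cr7,` is the branch on it.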
Line 65: | Line 67: | ||
1180c0: 4b ff fa 31 bl 117af0 <LC_SEGMENT.__TEXT+0x117af0> | 1180c0: 4b ff fa 31 bl 117af0 <LC_SEGMENT.__TEXT+0x117af0> | ||
1180c4: 38 21 00 50 addi r1,r1,80 | 1180c4: 38 21 00 50 addi r1,r1,80 | ||
- | -- | + | -- |
-- | -- | ||
-- | -- |
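Review bot: the `--` lines left at the end are grep group separators that the Intel listing had removed in an earlier hunk; remove them here as well. Note that the listing gives the `bl 117af0` at 1180c0 while the PowerPC hexedit offset is 1190C0: the low 12 bits (0c0) agree, as the page's own last-three-characters rule requires, so the `bl` is the instruction being nopped and one 4-byte nop replaces it, but the 0x1000 difference between the two numbers should be confirmed as the offset of the PowerPC slice inside the universal binary rather than a typo.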