Keygening Malwarebytes .pdf



Nom original: Keygening Malwarebytes.pdfAuteur: t4pz

Ce document au format PDF 1.4 a été généré par Writer / OpenOffice.org 3.2, et a été envoyé sur fichier-pdf.fr le 23/02/2013 à 19:20, depuis l'adresse IP 77.195.x.x. La présente page de téléchargement du fichier a été vue 1872 fois.
Taille du document: 752 Ko (28 pages).
Confidentialité: fichier public


Aperçu du document


Keygenning Malwarebytes' Anti-Malware
Program Name
Program version
Website
Compiler
Protection
Tutorial author
Date
Level

Malwarebytes' Anti-Malware
1.50b
www.malwarebytes.org
Visual Basic 6.0
MD5+Custom
Xylitol
31/12/2010
Beginner

Introduction
Hi there at first: sorry for my bad English. I’m not a native English speaker.
In this tutorial we will see how to defeat Malwarebytes’ Anti-Malware who use a really basic
protection scheme.
So.. I hope you will like it, if not I’m sorry.

Tools used
• OllyDbg (http://ollydbg.de/)
• PEiD (http://peid.has.it/)

Summary
Summary................................................................................................................................................ 1
Start........................................................................................................................................................ 2
Finding the bad boy message................................................................................................................. 3
How it’s work.......................................................................................................................................... 5
ASM Keygen source code...................................................................................................................... 11
Patching................................................................................................................................................ 13
Greetings.............................................................................................................................................. 13

Start
So let’s start, the first thing to do is to scan the main executable (mbam.exe) in pied for see if
the binary was packed with something.

Seem not packed, now let’s see with the Krypto ANALyzer plugin if he can detect something
interesting.

Ok that will be fun.

Finding the bad boy message
Ok, now load the target in Ollydbg and click run (F9) for launch the app, click the register
button in malwarebytes’ and enter anything, then press Register.

Once you have this dialog message:

Return in Ollydbg and click on the pause button (F12)

Then go to the debug menu and click on ‘execute till user code’ (Alt+F9)

Return on the error message and press ok

After you will break again.

By going up the code you will see a JMP, click on the line just under this JMP and olly will says
you we come here by a jump in 00477C84

Make a right clicks and Go to JE from 0x477C84

We are here:

Scroll up the code and add a breakpoint (F2) on the Push EBP.

We can also go to the jump who call us but that become useless now:

How it’s work

Add your breakpoint (F2) in 0x477AC0, and click run (F9)
Then, press again register and we will break on the line.
Follow the lines by pressing F8 (Step over)
Until we reach again our bad boy jump we will see nothing really interesting.
Only this

Who make your ‘Product ID’ in capital letter.
So let’s see what’s is done on the call before

Press F7 (Step into) for enter in the call, then keep up with Step over (F8)
The first thing we will see

The serial dash check.
Here the registration routine check if the serial is correctly formatted, using the InStr
Function (VBA only)
The InStr function returns the position of the first occurrence of a string in another string.
The syntax for the InStr function is:
InStr( [start], string_being_searched, string2, [compare] )
Here it search for the dash (‘2D’ in hex)
How do you know that ?



My entered serial is 1337 so that not good.
And like you can see on the picture, he did that three times
so a good serial will be something like: XXXX-XXXX-XXXX-XXXX
We redid that with 1337-1337-1337-1337 and…
We don’t take the jump..

Next!
Continue to F8 with your new fake serial, now it will check if the ‘Product ID’ is also correctly
formatted.

Always the same jump who make you quit the routine if wrong.  (0x47775D)
Here we have the API “__vbaStrLike” exported by msvbvm60.dll
it check if you first product ID chars is a numeric (1-9)
If not you quit the routine
so the first character must be a numeric between 1-9 included (and no ‘0’ of course)

He did that many time, let’s see before re-testing:

2 chars check:

Must be a character between A-Z included.
3 chars check:

Must be a character between A-Z included
4 chars check:

Must be a character between A-Z included
5 chars check (and the last):

For example a correct product ID can be: 1AB23

Now we can retry with
Product ID: 1AB23
Serial: 1337-1337-1337-1337
Super, jumps are not taken, let’s continue…

On the picture, after checking the correct format of the entered product ID
we see again two jump we will make us quit the routine if we take it ( easy to recognize, it jump
always in the same line if something is wrong)

So let’s enter in the first call (F7) for see what’s he want this time,

And it’s a keygen check!

The program check if during the validation you have used a keygen.
It look on the process if he can detect something like ‘keygen.exe’
or some stuff from CRUDE

So if you made a keygen dont name it ‘keygen.exe’ or it will not accept your keys.

Now, let’s see what’s happen in the CALL 00412BE8.
Before entering you can see your serial in EAX and EDX.

F7.

ProductID blacklist routine!

Blacklisted ID are stored on ‘mbamcore.dll’ you will jump on it when reached ‘JMP eax’
Office Jesus from iNF have made a short paper about finding blacklisted serial so let's pass
this part.

Continuing, we will reach the crypto part

Here the MD5 call:

After we will enter in a loop:

The move eax 1 initialize the number of loop.
After: move ecx 10 (mean 16 in hex)
And then comparison between the number of loop done and the max number of loop
the JG (Jump if Greater) will decide if we continue or if it’s terminated. (16 loops reached)

The end of this loop is on 0x4776F2

Our MD5 hash will be each loop, decomposed.

Mov edx, dword take the MD5
imul eax eax 2: eax will contain the number of loop we have done, then multiply eax by 2
mov ecx,2: The number of chars to grab (always two)
the sub eax,1 is for determine where we will start to grab our two chars.
1x2 = 2, 2-1 = 1 so we start to grab from the 1st chars (first loop)
And finally, call ebx will call the api for grab our two chars (rtcMidCharBstr)

After grabbing our two chars, it will call StrMove and StrCat for create the strings
&H2e
After it does a hex to int in the call
Then you will get 2E in eax, who will be stored later in edi
It perform a logical And, with 2E (edi) and 8000001F
here is a screenshot for promote a tool of someone registered in my forum. 

Well, after doing this you will get “0E” in edi
Continue with F8 (step over), it will add to edi +1 (add edi,1)
EDI = “0F”
Then, it pass in the strings: 0123456789ABCDEFGHJKLMNPQRTUVWXY
And will call ebx for grab the chars who is in position 15 from the strings (0F = 15 in hex)
So the grabbed character will be: “E”
You can find the character by checking the hex dump for eax value

And then it increment eax (+1 loop done) take the end jump (JMP) and retry to make a loop.
When all is done (16 loops done), it will take the JG (Jump if Greater) we have talked at the
beginning (after the MD5 hashing call)
Something can be see:

It’s just all our chars done by the calculation.
1AB23: 2e69ae201966977628d24d08fceb5b5f
MD5
RESULT

2e
E

69
9

ae
E

20
0

19
R

66
6

97
P

76
N

28
8

d2
J

4d
D

08
8

fc
V

eb
B

5b
U

5f
Y

On this listing, the obtained strings “E9E0R6PN8JD8VBUY” will be translated to small letters
with the api rtcLowerCaseBstr.
Then our fake serial (1337-1337-1337-1337) appear and all dash will disappear (remember
the push 414C28)
Why? It will call the api rtcReplace for remove it, our fake serial will become
“1337133713371337”
Then the API rtcLowerCaseBstr is call again this time for the fake serial (but the fake serial is
full numeric so…)
And after the fake serial and the calculated string are compared with vbaStrCmp.
And badboy…
Because the final serial and our fake serial are not the same
End, finally this algorithm is not really complicated.

ASM Keygen source code
(ChOoKi have made something in Delphi, so time to use another language)

kg.asm:
.386
.model flat, stdcall
option casemap :none
include
include

keygen.inc
md5.asm

.code
start:
invoke GetModuleHandle, NULL
mov hInstance, eax
invoke DialogBoxParam, hInstance, IDD_MAIN, 0, offset DlgProc, 0
invoke ExitProcess, eax
invoke InitCommonControls
DlgProc proc uses esi edi hWnd:DWORD,uMsg:DWORD,wParam:DWORD,lParam:DWORD
mov eax,uMsg
.if eax == WM_INITDIALOG
invoke LoadIcon,hInstance,200
invoke SendMessage, hWnd, WM_SETICON, 1, eax
mov Rndm,'RED'
invoke GetTickCount
add Rndm,eax
.elseif eax == WM_LBUTTONDOWN
invoke SendMessage,hWnd,WM_NCLBUTTONDOWN,HTCAPTION,NULL
.elseif eax == WM_COMMAND
mov eax,wParam
.if eax == IDB_EXIT
invoke SendMessage, hWnd, WM_CLOSE, 0, 0
.elseif eax == IDB_GENERATE
mov eax,Rndm
mov esi,offset Base10
mov edi,offset ID
mov ecx,10
xor edx,edx
idiv ecx
mov al,byte ptr [esi+edx]
stosb
invoke GetTickCount
add Rndm,eax
mov eax,Rndm
mov esi,offset Base26
mov ecx,26
xor edx,edx
idiv ecx
mov al,byte ptr [esi+edx]
stosb
invoke GetTickCount
add Rndm,eax
mov eax,Rndm
mov esi,offset Base26
mov ecx,26
xor edx,edx
idiv ecx
mov al,byte ptr [esi+edx]
stosb
invoke GetTickCount
add Rndm,eax
mov eax,Rndm
mov esi,offset Base10
mov ecx,10
xor edx,edx
idiv ecx
mov al,byte ptr [esi+edx]
stosb
invoke GetTickCount
add Rndm,eax

mov eax,Rndm
mov esi,offset Base10
mov ecx,10
xor edx,edx
idiv ecx
mov al,byte ptr [esi+edx]
stosb
invoke GetTickCount
add Rndm,eax
invoke MD5Init
invoke MD5Update,addr ID,5
invoke MD5Final
mov esi,offset MD5Digest
mov edi,offset Serial
mov ecx,4
xor eax,eax
.repeat
lodsb
and eax,8000001Fh
mov al,byte ptr [eax+Base32]
stosb
dec ecx
.until ecx == 0
invoke lstrcat,addr Serial,addr Tab
mov esi,offset MD5Digest+4
mov edi,offset Serial+4+1
mov ecx,4
xor eax,eax
.repeat
lodsb
and eax,8000001Fh
mov al,byte ptr [eax+Base32]
stosb
dec ecx
.until ecx == 0
invoke lstrcat,addr Serial,addr Tab
mov esi,offset MD5Digest+4+4
mov edi,offset Serial+4+4+1+1
mov ecx,4
xor eax,eax
.repeat
lodsb
and eax,8000001Fh
mov al,byte ptr [eax+Base32]
stosb
dec ecx
.until ecx == 0
invoke lstrcat,addr Serial,addr Tab
mov esi,offset MD5Digest+4+4+4
mov edi,offset Serial+4+4+4+1+1+1
mov ecx,4
xor eax,eax
.repeat
lodsb
and eax,8000001Fh
mov al,byte ptr [eax+Base32]
stosb
dec ecx
.until ecx == 0
invoke SetDlgItemText,hWnd,IDC_NAME,addr ID
invoke SetDlgItemText,hWnd,IDC_SERIAL,addr Serial
invoke RtlZeroMemory,addr ID,sizeof ID
invoke RtlZeroMemory,addr Serial,sizeof Serial
.endif
.elseif eax == WM_CLOSE
invoke EndDialog, hWnd, 0
.endif
xor eax,eax
ret
DlgProc endp
end start

Keygen.inc:
include
include
include
include
include
include
include

windows.inc
user32.inc
kernel32.inc
comctl32.inc
shlwapi.inc
winmm.inc
\masm32\macros\macros.asm

includelib
includelib
includelib
includelib
includelib

user32.lib
kernel32.lib
comctl32.lib
shlwapi.lib
winmm.lib

DlgProc

PROTO :DWORD,:DWORD,:DWORD,:DWORD

.code
HexToChar Proc HexValue:DWORD,CharValue:DWORD,HexLength:DWORD
mov esi,[ebp+8]
mov edi,[ebp+0Ch]
mov ecx,[ebp+10h]
@HexToChar:
lodsb
mov ah, al
and ah, 0fh
shr al, 4
add al, '0'
add ah, '0'
.if al > '9'
add al, 'A'-'9'-1
.endif
.if ah > '9'
add ah, 'A'-'9'-1
.endif
stosw
loopd @HexToChar
Ret
HexToChar endp
.const
IDD_MAIN equ 1000
IDC_NAME equ 1012
IDC_SERIAL equ 1013
IDB_GENERATE equ 1016
IDB_EXIT equ 1017
.data
Base32 db "0123456789ABCDEFGHJKLMNPQRTUVWXY",0
Base10 db "0123456789",0
Base26 db "ABCDEFGHIJKLMNOPQRSTUVWXYZ",0
Tab
db "-",0
Rndm
dd 0,0
.data?
hInstance dd ?
pData
dd ?
SizeRes
dd ?
hResource dd ?
ID
db 10h dup(?)
Serial
db 20h dup(?)

Md5.asm:
.data?
MD5HashBuf db 64 dup(?)
MD5Digest dd 4 dup(?)
MD5Len dd ?
MD5Index dd ?
.code
MD5FF macro dwA, dwB, dwC, dwD, locX, rolS, constAC
mov edi,dwC
xor edi,dwD
and edi,dwB
xor edi,dwD
add dwA,[locX]
lea dwA,[edi+dwA+constAC]
rol dwA,rolS
add dwA,dwB
endm
MD5GG macro dwA, dwB, dwC, dwD, locX, rolS, constAC
mov edi,dwC
xor edi,dwB
and edi,dwD
xor edi,dwC
add dwA,[locX]
lea dwA,[edi+dwA+constAC]
rol dwA,rolS
add dwA,dwB
endm
MD5HH macro dwA, dwB, dwC, dwD, locX, rolS, constAC
mov edi,dwC
xor edi,dwD
xor edi,dwB
add dwA,[locX]
lea dwA,[dwA+edi+constAC]
rol dwA,rolS
add dwA,dwB
endm
MD5II macro dwA, dwB, dwC, dwD, locX, rolS, constAC
mov edi,dwD
xor edi,-1
or edi,dwB
xor edi,dwC
add dwA,[locX]
lea dwA,[edi+dwA+constAC]
rol dwA,rolS
add dwA,dwB
endm
align dword
MD5Transform proc
pushad
mov esi,offset MD5Digest
mov edi,offset MD5HashBuf
mov eax,[esi+0*4]
mov ebx,[esi+1*4]
mov ecx,[esi+2*4]
mov ebp,edi
mov edx,[esi+3*4]
;==============================================================
MD5FF eax, ebx, ecx, edx, dword ptr [ebp+ 0*4], 7, 0D76AA478H
MD5FF edx, eax, ebx, ecx, dword ptr [ebp+ 1*4], 12, 0E8C7B756H
MD5FF ecx, edx, eax, ebx, dword ptr [ebp+ 2*4], 17, 0242070DBH
MD5FF ebx, ecx, edx, eax, dword ptr [ebp+ 3*4], 22, 0C1BDCEEEH
MD5FF eax, ebx, ecx, edx, dword ptr [ebp+ 4*4], 7, 0F57C0FAFH
MD5FF edx, eax, ebx, ecx, dword ptr [ebp+ 5*4], 12, 04787C62AH
MD5FF ecx, edx, eax, ebx, dword ptr [ebp+ 6*4], 17, 0A8304613H
MD5FF ebx, ecx, edx, eax, dword ptr [ebp+ 7*4], 22, 0FD469501H
MD5FF eax, ebx, ecx, edx, dword ptr [ebp+ 8*4], 7, 0698098D8H
MD5FF edx, eax, ebx, ecx, dword ptr [ebp+ 9*4], 12, 08B44F7AFH
MD5FF ecx, edx, eax, ebx, dword ptr [ebp+10*4], 17, 0FFFF5BB1H
MD5FF ebx, ecx, edx, eax, dword ptr [ebp+11*4], 22, 0895CD7BEH

MD5FF eax, ebx, ecx, edx, dword ptr [ebp+12*4], 7, 06B901122H
MD5FF edx, eax, ebx, ecx, dword ptr [ebp+13*4], 12, 0FD987193H
MD5FF ecx, edx, eax, ebx, dword ptr [ebp+14*4], 17, 0A679438EH
MD5FF ebx, ecx, edx, eax, dword ptr [ebp+15*4], 22, 049B40821H
;==============================================================
MD5GG eax, ebx, ecx, edx, dword ptr [ebp+ 1*4], 5, 0F61E2562H
MD5GG edx, eax, ebx, ecx, dword ptr [ebp+ 6*4], 9, 0C040B340H
MD5GG ecx, edx, eax, ebx, dword ptr [ebp+11*4], 14, 0265E5A51H
MD5GG ebx, ecx, edx, eax, dword ptr [ebp+ 0*4], 20, 0E9B6C7AAH
MD5GG eax, ebx, ecx, edx, dword ptr [ebp+ 5*4], 5, 0D62F105DH
MD5GG edx, eax, ebx, ecx, dword ptr [ebp+10*4], 9, 002441453H
MD5GG ecx, edx, eax, ebx, dword ptr [ebp+15*4], 14, 0D8A1E681H
MD5GG ebx, ecx, edx, eax, dword ptr [ebp+ 4*4], 20, 0E7D3FBC8H
MD5GG eax, ebx, ecx, edx, dword ptr [ebp+ 9*4], 5, 021E1CDE6H
MD5GG edx, eax, ebx, ecx, dword ptr [ebp+14*4], 9, 0C33707D6H
MD5GG ecx, edx, eax, ebx, dword ptr [ebp+ 3*4], 14, 0F4D50D87H
MD5GG ebx, ecx, edx, eax, dword ptr [ebp+ 8*4], 20, 0455A14EDH
MD5GG eax, ebx, ecx, edx, dword ptr [ebp+13*4], 5, 0A9E3E905H
MD5GG edx, eax, ebx, ecx, dword ptr [ebp+ 2*4], 9, 0FCEFA3F8H
MD5GG ecx, edx, eax, ebx, dword ptr [ebp+ 7*4], 14, 0676F02D9H
MD5GG ebx, ecx, edx, eax, dword ptr [ebp+12*4], 20, 08D2A4C8AH
;==============================================================
MD5HH eax, ebx, ecx, edx, dword ptr [ebp+ 5*4], 4, 0FFFA3942H
MD5HH edx, eax, ebx, ecx, dword ptr [ebp+ 8*4], 11, 08771F681H
MD5HH ecx, edx, eax, ebx, dword ptr [ebp+11*4], 16, 06D9D6122H
MD5HH ebx, ecx, edx, eax, dword ptr [ebp+14*4], 23, 0FDE5380CH
MD5HH eax, ebx, ecx, edx, dword ptr [ebp+ 1*4], 4, 0A4BEEA44H
MD5HH edx, eax, ebx, ecx, dword ptr [ebp+ 4*4], 11, 04BDECFA9H
MD5HH ecx, edx, eax, ebx, dword ptr [ebp+ 7*4], 16, 0F6BB4B60H
MD5HH ebx, ecx, edx, eax, dword ptr [ebp+10*4], 23, 0BEBFBC70H
MD5HH eax, ebx, ecx, edx, dword ptr [ebp+13*4], 4, 0289B7EC6H
MD5HH edx, eax, ebx, ecx, dword ptr [ebp+ 0*4], 11, 0EAA127FAH
MD5HH ecx, edx, eax, ebx, dword ptr [ebp+ 3*4], 16, 0D4EF3085H
MD5HH ebx, ecx, edx, eax, dword ptr [ebp+ 6*4], 23, 004881D05H
MD5HH eax, ebx, ecx, edx, dword ptr [ebp+ 9*4], 4, 0D9D4D039H
MD5HH edx, eax, ebx, ecx, dword ptr [ebp+12*4], 11, 0E6DB99E5H
MD5HH ecx, edx, eax, ebx, dword ptr [ebp+15*4], 16, 01FA27CF8H
MD5HH ebx, ecx, edx, eax, dword ptr [ebp+ 2*4], 23, 0C4AC5665H
;==============================================================
MD5II eax, ebx, ecx, edx, dword ptr [ebp+ 0*4], 6, 0F4292244H
MD5II edx, eax, ebx, ecx, dword ptr [ebp+ 7*4], 10, 0432AFF97H
MD5II ecx, edx, eax, ebx, dword ptr [ebp+14*4], 15, 0AB9423A7H
MD5II ebx, ecx, edx, eax, dword ptr [ebp+ 5*4], 21, 0FC93A039H
MD5II eax, ebx, ecx, edx, dword ptr [ebp+12*4], 6, 0655B59C3H
MD5II edx, eax, ebx, ecx, dword ptr [ebp+ 3*4], 10, 08F0CCC92H
MD5II ecx, edx, eax, ebx, dword ptr [ebp+10*4], 15, 0FFEFF47DH
MD5II ebx, ecx, edx, eax, dword ptr [ebp+ 1*4], 21, 085845DD1H
MD5II eax, ebx, ecx, edx, dword ptr [ebp+ 8*4], 6, 06FA87E4FH
MD5II edx, eax, ebx, ecx, dword ptr [ebp+15*4], 10, 0FE2CE6E0H
MD5II ecx, edx, eax, ebx, dword ptr [ebp+ 6*4], 15, 0A3014314H
MD5II ebx, ecx, edx, eax, dword ptr [ebp+13*4], 21, 04E0811A1H
MD5II eax, ebx, ecx, edx, dword ptr [ebp+ 4*4], 6, 0F7537E82H
MD5II edx, eax, ebx, ecx, dword ptr [ebp+11*4], 10, 0BD3AF235H
MD5II ecx, edx, eax, ebx, dword ptr [ebp+ 2*4], 15, 02AD7D2BBH
MD5II ebx, ecx, edx, eax, dword ptr [ebp+ 9*4], 21, 0EB86D391H
;==============================================================
add [esi+0*4],eax ; update digest
add [esi+1*4],ebx
add [esi+2*4],ecx
add [esi+3*4],edx
popad
retn
MD5Transform endp
MD5BURN macro
xor eax,eax
mov MD5Index,eax
mov edi,Offset MD5HashBuf
mov ecx,(sizeof MD5HashBuf)/4
rep stosd
endm
align dword
MD5Init proc uses edi
xor eax, eax
mov MD5Len,eax

MD5BURN
mov eax,offset MD5Digest
mov dword ptr [eax+0*4],067452301h
mov dword ptr [eax+1*4],0EFCDAB89h
mov dword ptr [eax+2*4],098BADCFEh
mov dword ptr [eax+3*4],010325476h
ret
MD5Init endp
align dword
MD5Update proc uses esi edi ebx lpBuffer:dword, dwBufLen:dword
mov ebx,dwBufLen
mov esi,lpBuffer
add MD5Len,ebx
.while ebx
mov eax,MD5Index
mov ecx,64
sub ecx,eax
lea edi,[MD5HashBuf+eax]
.if ecx <= ebx
sub ebx,ecx
rep movsb
call MD5Transform
MD5BURN
.else
mov ecx,ebx
rep movsb
add MD5Index,ebx
.break
.endif
.endw
ret
MD5Update endp
align dword
MD5Final proc uses esi edi
mov ecx, MD5Index
mov byte ptr [MD5HashBuf+ecx],80h
.if ecx >= 56
call MD5Transform
MD5BURN
.endif
mov eax,MD5Len
xor edx,edx
shld edx,eax,3
shl eax,3
mov dword ptr [MD5HashBuf+56],eax
mov dword ptr [MD5HashBuf+60],edx
call MD5Transform
mov eax,offset MD5Digest
ret
MD5Final endp

whatever.rc:
;This Resource Script was generated by WinAsm Studio.
#define IDD_MAIN 1000
#define IDB_EXIT 1017
#define IDC_NAME 1012
#define IDB_GENERATE 1016
#define IDC_LIC 1013
#define IDC_STATIC1009 1009
#define IDC_STATIC1010 1010
IDD_MAIN DIALOGEX 10,10,171,57
CAPTION "MBAM 1.50b kg"
FONT 8,"Tahoma"
STYLE 0x90c80804
EXSTYLE 0x00000000
BEGIN
CONTROL "ID:",IDC_STATIC1009,"Static",0x50000000,7,6,14,10,0x00000000
CONTROL "Serial:",IDC_STATIC1010,"Static",0x50000000,7,22,23,10,0x00000000
CONTROL "",IDC_NAME,"Edit",0x50010080,33,3,127,13,0x00020000
CONTROL "",IDC_LIC,"Edit",0x50010000,33,18,127,13,0x00020000
CONTROL "Generate",IDB_GENERATE,"Button",0x50010001,7,37,47,13,0x00000000
CONTROL "Exit",IDB_EXIT,"Button",0x50010000,123,37,37,13,0x00000000
END

Compiled:

Patching
Call this a bonus or what’s you want but it’s also easy to patch malwarebytes’ Anti-Malware.
V1,50b
dUP2:
RAW Offset |Old Byte|New Byte
-----------------+----------+---------00077340
55
66
00077341
8B
B8
00077342
EC
01
00077343
83
00
00077344
EC
C3
Adding a regfile:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes' Anti-Malware]
"ID"="$Registered to ?$"
"Key"="RED CReW 2K10"

When registered MBAM will create you a registry key of your name and serial,
Add some breakpoints in all api about registry and reload mbam for search the good,
The patch do that:

Dont forget to make a regfile like:

[HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes' Anti-Malware]
"ID"="Patched"
"Key"="Fake-Fake-Whatever"

Greetings
qpt^J for is nice stuff 


Aperçu du document Keygening Malwarebytes.pdf - page 1/28

 
Keygening Malwarebytes.pdf - page 3/28
Keygening Malwarebytes.pdf - page 4/28
Keygening Malwarebytes.pdf - page 5/28
Keygening Malwarebytes.pdf - page 6/28
 




Télécharger le fichier (PDF)


Télécharger
Formats alternatifs: ZIP Texte



Documents similaires


warez nedir
2p95yvv
getpdfattachment
magic
spellduel
wizard

Sur le même sujet..




🚀  Page générée en 0.013s