AOB Scan and Inject | A Simple Illustration.

     A small collection of images (click to open gallery) illustrating the functionality on a simple dummy program.

One of my initial exercises into byte patching with assembly and shellcode and not just direct pointers. The most useful I got out of this was how jump to dynamically allocated memory to create a small "code cave" and return to the instruction address right after, so the execution continues as normal. I used CE to monitor and illustrate changes in memory done via C and C++. I'm using it mostly as a foundation for other things, and this is just to illustrate what happens in memory during an AOB/shellcode injection.





While I used an online disassembler to quickly figure out bytes, I also tried my own way. With the exception of padding (int3/0xCC) being added sometimes from the compiler to optimize alignment, this program worked pretty well for __asm functions and getting the bytes needed for shellcode. But I recompile it for every use as I'm always in VS anyways when/if using it, and often just use an online assembler instead.

Visual illustrations of patching real software

Below are some visual illustrations of what I achieved when educating myself further by practicing on real software, by simply backtracing and patching a few bytes in memory. I could lead full registrations without touching actual files. Other software I've touched on are WinRAR and WS_FTP, with full unlocked success, but not without patching their executables.

All software has after educational purposes been removed with Revo Uninstaller (the free version) - I encourage everyone to buy software they like, and their support developers! I highly recommend this software to anyone who wants a clean Windows computer. (As a hefty example, the game Elder Scrolls Online leaves over 60+ GB data left when uninstalling.)

The goal here is not to steal or destroy. Real software simply offers the best challenge and experience to learn from. Any software I've noticed obfuscation or encryption in, I've left alone, both due to difficulty level and respect for their efforts.

Revo Uninstaller Pro 4.0.5

HD Sentinel Pro 5.40

I've also checked off making a real keygen off my bucket list

(much later, with more experience)
This was my first keygen. I made it for Drive Snapshot 1.48, a rather random choice. It took me about 3 days to figure out.

The developer packs the file(s) and does pretty solid validation that I had to debug and reverse. It has the format of 0000-0000-0000-0000 where the first part is a result of the license info over the key, the second part is more of a unique identifier, the last two parts are based on everything else, and the license number above the key is sscanf read into 3 parts, where the 2 first %2d parts are critical to set correctly within hardcoded constraints. Making the keygen largely involved identifying validation functions within the program. Then adapting the functions involved, into my own program, using the resulting values as new valid license information, based on my custom input.

I had never made a real keygen before, as most software is is online activated today and takes cracking. This software offered a fun challenge.