los parches se deben hacer de forma dinámica, por otro lado muchas veces se relaciona con apis de integridad, quizas no es themida este tutorial pero te ayudará a quitarte la duda
Patching the Winlicense 2.0.5.0 Checksum.
by quosego/snd
------------------------------------------
Intro;
In this tut I'll try to explain how Winlicense checks if the app has been
tampered with and how to patch it.
The checking;
Winlicense his anti patching procedure only holds an simple checksum check, it
uses imagehlp.CheckSumMappedFile to compute this checksum and then compares it
to the one stored by Winlicense and if it isn't the same it fails.
To be exactly it does the following,
-Alloc an memorybuffer to store itself from disk.
-Store the PE in this memorybuffer.
-Use GetProcaddress to obtain CheckSumMappedFile.
-Use CheckSumMappedFile to compute a checksum.
-Use some logical instructions to modify the checksum.
-Compare the checksum to the one stored at the end of the file.
-If it passes proceed, if it fails give an error.
Analysis;
If you'd breakpoint GetProcaddress and wait for quite some while sooner or later
WL will obtain the CheckSumMappedFile location. If you'd then bp this api and
return to WL code you'll end up somwhere similar to here;
(If the app is using cisc VM, risc VM has a different VM entry.)
0112A5AF 68 2C31AA09 PUSH 9AA312C
0112A5B4 ^ E9 3B7BF9FF JMP 010C20F4
This'll of course leads you to nowhere since it's VM and studying it obfuud is
greatly annoying. However if you look at the stack and scroll up four dwords
you'll see the following;
(these are simply the arguments pushed into CheckSumMappedFile)
(
http://msdn.microsoft.com/en-us/library/ms679281(VS.85).aspx)
0007FF6C 012A0000
0007FF70 000B41FC
0007FF74 0112A4D0 cisc_+_f.0112A4D0
0007FF78 0112A4D4 cisc_+_f.0112A4D4
and their meaning;
PIMAGE_NT_HEADERS CheckSumMappedFile(
__in PVOID BaseAddress,
__in DWORD FileLength,
__out PDWORD HeaderSum,
__out PDWORD CheckSum
);
The checksum is the most important (located at 0112A4D4). If you'd check out
that dword you'll find the checksum. You can, if you've patched WL, feed it here
the correct checksum. But that would include hooking the WL decrypting routines
or GetProcAddress or similar. There are easier methods.
WL does not directly compare the CheckSumMappedFile generated checksum with a
checksum it has stored, instead it does some computations before comparing the
checksum.
In my case it did the following computations, extracted from the Cisc Virtual
Machine.
ROL {checksum}, {last byte checksum}
;ROL 000B6D92,92 = B648002D
XOR B648002D,2AC8914C = 9C809161
ADD 9C809161,87C05B78 = 2440ECD9
XOR 2440ECD9,6D10B8E2 = 4950543B
In this case 4950543B is considered the final calculated checksum. If you now set
a memory breakpoint on access on the BaseAddress of the mapped PE (see the
CheckSumMappedFile structure) in the memory map. You'll see the VM accessing the
very last dword in the mapped file. This will if the executable is unmodified be
the same as the calculated checksum. WL will next do a compare and fail or proceed.
Patching the checksum;
So if you've modified your WL protected app you must update the checksum located in
a dword at the end of the file, however as I stated all calculations of this
checksum are done within the VM and it would be tedious to extract them everytime.
However WL stores the calculated checksum in the VM registers before comparing it
with the stored one. So to find it easily you can do the following;
- When you've returned from CheckSumMappedFile API memory bp the BaseAddress on
access in the memory map. Press shift-f9. (It now has obtained the last dword of
the mapped PE.)
- Follow edi in dump and look for the first dword that appears two times, this is
the calculated checksum. In cisc VM's it should be [edi+4] and [edi+8], in risc
VM's it should be further down with some empty dwords between it.
- Copy the calculated checksum to the end of the file (search for the old one or
just scroll down). It'll now run again with it's new checksum.
Have fun,
q.
------------------------------------------