x64dbg guides / Expertise required.

[Screen]

Hi,

I'm trying to learn about the premise and would love to follow up on the footsteps of experts and to get my hands dirty and patch a piece of software I have.

If any one can send in some help this way.. would be appreciated.

Thank you! ^^

[Dodel]

A guide on starting out reverse engineering.

 

https://0x00sec.org/t/re-guide-for-beginners-methodology-and-tools/2242

 

[Sponpa]

Please do not message me.

Personally I reverse things out of pure entertainment/interest/boredom.

 

Watch some videos and read tutorials. Also watch some Malware analysis videos, like from OALab also very good content.

I can give some tips about simple instructions you will likely use.

Keep in mind there is not one single way to patch applications, sometimes lots of digging required (or far to complex), sometimes really easy and you will wonder why nobody has done it before you.

You can enable mnemonics to help you explain what the instructions do in the disassembly view (CTRL+Shift+F1) if you don't understand what it does.

Lots of patching involves these instructions inside a call, or right after a call, it's often actually that simple. Even for programs no public 'key-less' patches exist.

 

"mov eax. 0x1" or 0x0

"mov eax, some specific value"

"mov al. 0x1" or 0x0

 

Somewhere

"xor al, al"
"inc al"

 

Top of function sometimes useful to just do that instead of patching after return of function.
"xor eax, eax"
"inc eax"
"ret"

(whatever end of call should actually return, obviously don't increase eax  (inc eax) when it should actually be 0, xor eax, eax sets eax to 0)

JE/JNE (and all other jumping instructions) usually replaced with whatever makes it jump (or not jump.. in which case you can also nop it out) or just "jmp".

Sometimes use a jump, move a call from a nested function out, and jump directly to that call to bypass the entire nested verification stuff.

You will also often encounter things like this, at the right place will unlock the doors with the right value fed
"mov qword ptr ds:[register], al"

"mov dword ptr ds:[register], value"

Breakpoints, lots of breakpoints.
Search for strings in current module, look for 'key' 'serial' 'auth' 'license' stuff like that, or warning msgs (serial is invalid etc), netapi32 (internet auth, or license re-check etc), have a website popup? look for url and bp, Intermodular calls and bp on ShellExecuteA.

If something is protected really good (not same as the packing) (only garbage strings, clearly obfuscated code flow), don't bother. That requires some really good understanding if it's still doable or just a true waste of time.

 

Free Tools you probably want:
HxD (simple, free hex editor) or really any good hex editor
x64dbg which you already have (GET THE PLUGINS! Like autopatchexporter)

Cutter
Ida Pro .-. (not very free)
dnSpy for .Net applications

Maybe this post was more confusing rather than useful, i don't know.