ActiveMARK 6.xx (Inline Patching)

ActiveMARK 6.xx (Inline Patching) Part 1

Quote

Basic idea of inline patching AM6 is this:

At certain point of executable file we insert the unconditional jump command (JMP) which leads to an empty space in our executable file, called "code cave" where we will write our own code (inline patch) in order to force execution in desired direction (i.e. bypassing nag screen, time trial etc.etc.)

Advantage of inline patching method I will show in this tutorial is that it is highly reproducible. It means that you can make an inline template and then simply change some parameters which differs from application to application.

Disadvantage (heh, there must be some) of this method is that it is not applicable to Flash games and applications with encrypted resources.

ActiveMARK 6.xx (Inline Patching) Part 2

Quote

In order to inline patch browser, timer/timeout, expiration function (BT/TE) of AM6 we need to find following parameters:

1. We must check raw size of application PE header *
2. Last address of layer 2 (JMP to layer 3) **
3. DWORD pointer in IAT to kernal32.GetFullPathNameA API ***
4. Call to expiration function and its corresponding TEST AL,AL check
6. DWORD pointer in IAT to user32.SetTimer API and RVA or returning point from call to SetTimer function
7. DWORD pointer in IAT to kernal32.CreateProcessA API

*)**)***) NOTE: First three issues wont be shown in this tutorial because we assume that you are familiar on how to find these values from our previous [ARTUT] AM6 Inline Patching Magic Call.

ActiveMARK 6.2 (Inline Patching)

Quote

This tutorial is not meant to be a "crack" tutorial. It is to provide general information that can be used to successfully find main features necessary for building inline patch for ActiveMARK version 6.2 protected targets. Many of its features from previous 6.1 version are gone (like active memory scanning), and many new are introduced, but I won't bother describing them here, because all of them are well documented in "Dumping & Analysing ActiveMark v6.2x" paper tutorial by Condzero.

Manual dumping of AM6.2 protected targets is "tough" job, but luckily no need for that, again thanks to Condzero's AM6.2x Dumper Tool (version 1.3). This tool will dump target clean, and you'll only need to assemble one line of code 'extra' in order to stabilize dump (will be shown in this tutorial).