| Found password at R10 register while debugging with x64dbg |
==> |
| My patches:
Address Length Original bytes Patched bytes
0049CD13 0x6 84 C0 0F 84 76 01 90 90 E9 51 02 00
0049CD1A 0x1 00 90
0049CF6D 0x8 84 C0 0F 84 0F FE FF FF 90 90 90 90 90 90 90 90 |
==> |
| 1. Unpacked UPX
2. Patched .text:0040150C:00401557 to nop's (0x90) - You can skip this step. I just wanted to cut out the verification call on the CD.
3. Patched .text:00401558 je to jmp |
==> |
| Just found "Fj42AxbLKak4F" at RDX register while debugging in x64dbg |
==> |
| The RNGCryptoServiceProvider.getBytes(array) call fills the array with a cryptographically strong random set of bytes. You can "get the code", for example, by patching the Retrieve_Key() method, but it seems to me that the task is incorrect. |
==> |
| Password can be founded and patched by finding "whatchu" string in file .rdata section |
==> |
| Just patched jnz instruction at 0x00001215 to "jmp loc_1376" (90 E9 5C 01 00 00) |
==> |