Wednesday, December 14, 2016

Disable message box on start in RDG Packer Detector

Disable the message box "Do you want to Register RDG Packer Detector on Contextual Menu?" that is shown when RDG Packer Detector starts.

  1. Run: RDG Packer Detector.exe
  2. Copy the message box text to the clipboard (Ctrl+C) and keep the substring "Do you want to Register"
  3. Open RDG Packer Detector.exe in IDA.
  4. Options | General | Strings | String type: Unicode | OK
  5. View | Open subviews | Strings | Find (Ctrl+F) "Do you want to Register"
  6. Double-click to jump to the "Assembler View" ("IDA View")
  7. Double-click the comment DATA XREF: RDGMax:012787E3
  8. Find the conditional jump instruction above it
  9. Patch it and apply the change to the exe file
    • IDA: Edit | Patch program | …
    • Note the real file offset shown in IDA and use your hex editor

Patch for RDG Packer Detector v0.7.5.exe (the file offset below is valid only for the build with this size and CRC; verify both before patching):

  • SIZE 5124096
  • CRC 62DD4FA2
  • 00178749 90 90
;-----------------------------------------------------------------------
; IDA disassembly excerpt (32-bit x86, Intel syntax as IDA prints it).
; The __vba* imports indicate the Visual Basic 6 runtime: this code builds
; the Variant/BSTR arguments for the "Do you want to Register ..." prompt.
; Only the start of the prompt path is shown; the MsgBox call itself and the
; enclosing function's prologue/epilogue lie outside this excerpt.
; Register use: eax = flag / string result, ecx/edx = runtime call args.
;-----------------------------------------------------------------------
RDGMax:01278740   movsx   eax, word ptr [ebp-0BACh]  ; eax = sign-extended 16-bit local; what it records is not visible here -- presumably a "registered" setting, confirm
RDGMax:01278747   test    eax, eax
RDGMax:01278749
RDGMax:01278749   ; Patch here, set 'nop' to disable 'Add menu..' on start.  
RDGMax:01278749   jz      short MSGBOX_ADD_MENU  ; flag == 0 -> show the prompt; 2-byte short jump, this is the instruction the patch overwrites
RDGMax:0127874B   jmp     loc_12788DC            ; flag != 0 -> skip the prompt entirely
RDGMax:01278750 
RDGMax:01278750 MSGBOX_ADD_MENU:
RDGMax:01278750   mov     dword ptr [ebp-4], 0Ch             ; meaning of this local is not visible in the excerpt
; Two Variants at [ebp-10Ch] and [ebp-0FCh] are filled with type 0Ah and value 80020004h --
; presumably VT_ERROR / DISP_E_PARAMNOTFOUND, the VB6 "optional argument omitted" marker; confirm.
RDGMax:01278757   mov     dword ptr [ebp-104h], 80020004h
RDGMax:01278761   mov     dword ptr [ebp-10Ch], 0Ah
RDGMax:0127876B   mov     dword ptr [ebp-0F4h], 80020004h
RDGMax:01278775   mov     dword ptr [ebp-0FCh], 0Ah
; Variant at [ebp-0B4Ch]: type 8 (presumably VT_BSTR) with "Info" as its value -- likely the prompt title; confirm.
RDGMax:0127877F   mov     dword ptr [ebp-0B44h], offset aInfo ; "Info"
RDGMax:01278789   mov     dword ptr [ebp-0B4Ch], 8
RDGMax:01278793   lea     edx, [ebp-0B4Ch]                   ; edx = source Variant
RDGMax:01278799   lea     ecx, [ebp-0ECh]                    ; ecx = destination Variant
RDGMax:0127879F   call    __vbaVarDup                        ; copy the "Info" Variant into [ebp-0ECh]
; Message text is assembled by repeated __vbaStrCat calls: the Spanish string,
; "\r\n" separators, then the English "Do you want to Register ..." string.
; Each intermediate result is stored through __vbaStrMove into a temporary BSTR.
RDGMax:012787A5   push    offset unk_1145FA4                 ; stays on the stack for a call outside this excerpt -- cannot tell which from here
RDGMax:012787AA   push    offset aDeseasRegistra ; "Deseas Registrar RDG Pa"...
RDGMax:012787AF   push    offset asc_11483B0 ; "\r\n"
RDGMax:012787B4   call    __vbaStrCat
RDGMax:012787BA   mov     edx, eax                           ; edx = concatenation result
RDGMax:012787BC   lea     ecx, [ebp-0ACh]                    ; ecx = temporary BSTR slot
RDGMax:012787C2   call    __vbaStrMove
RDGMax:012787C8   push    eax
RDGMax:012787C9   push    offset asc_11483B0 ; "\r\n"
RDGMax:012787CE   call    __vbaStrCat
RDGMax:012787D4   mov     edx, eax
RDGMax:012787D6   lea     ecx, [ebp-0B0h]                    ; second temporary BSTR slot
RDGMax:012787DC   call    __vbaStrMove
RDGMax:012787E2   push    eax
RDGMax:012787E3   push    offset aDoYouWantToReg ; "Do you want to Register"... ; the DATA XREF used to locate this code
RDGMax:012787E8   call    __vbaStrCat                        ; excerpt ends here; the MsgBox call follows outside this listing

; Result:
; After the patch (the 90 90 at file offset 00178749 listed above) the two
; bytes of the 'jz short' are nops, so execution always falls through to the
; unconditional jmp and the prompt path at MSGBOX_ADD_MENU is never entered,
; whatever the 16-bit local at [ebp-0BACh] holds.
RDGMax:01278749   nop                     ; was: jz short MSGBOX_ADD_MENU (2 bytes)
RDGMax:0127874A   nop
RDGMax:0127874B   jmp     loc_12788DC     ; unchanged; now taken unconditionally
