
Two compiled binary files with exactly the same assembly code behave differently while cracking a binary file? Or maybe I am missing something? #1998

Closed
NavpreetDevpuri opened this issue Jun 18, 2020 · 13 comments

Comments

NavpreetDevpuri commented Jun 18, 2020

I have two exe files: one is the original file and the other is a cracked exe file of the software Vector Magic; the cracked file is vmbe.zip.
Both files have exactly the same size.

I am using Ghidra to decompile those binary files.
Then I just export those files to the C/C++ program format by using the option File->Export Program (O).

Then I open those files in Visual Studio and apply the Diff extension to find differences between those files, and I can navigate to the differences by just pressing ALT+F5.

Then I observed that some functions just failed to decompile, showing the following error, but I just searched for those functions in Ghidra using Window->Functions, decompiled those functions one by one again, and then put those functions into the overall .c file at the appropriate positions.

    /*
    Unable to decompile 'FUN_004475d0'
    Cause: Exception while decompiling 004475d0: process: timeout
    */

Now I have two .c files: one is the decompiled version of the original exe file and the other is of the cracked exe file,
and after fixing a few variable names we can easily find that there is only one difference between those two files, at the end of function FUN_0043a620.

Original exe's decompiled .c file

    _bVar2 = uVar3 & 0xffffff00 | (uint)bVar2;
  }
  *in_FS_OFFSET = local_c;
  return _bVar2;
}

Cracked exe's decompiled .c file

    _bVar2 = uVar3 & 0xffffff00 | 1;
  }
  *in_FS_OFFSET = local_c;
  return _bVar2;
}

And in Ghidra we can see that just one assembly instruction is changed, at memory location `0043a687`.

Original file

        0043a687 b3  01           MOV        BL,AL

Cracked file

        0043a687 b3  01           MOV        BL,0x1

Now I changed that instruction in the original exe file and just exported the binary file from the option File->Export Program (O).

Then I tried my version of the cracked binary file by just replacing the original file with my cracked file, and it just doesn't work, but when I try the cracked file it works like a charm.

And this patch just looks like the correct solution, because this is the function that decides whether the software is registered or not by just observing the returned value, and we just make it always return 1. We can search for uses of that function FUN_0043a620 in the decompiled .c file.

For example

 if (local_65 != 0) {
    uVar5 = FUN_0043a620();
    if ((char)uVar5 != '\0') {
      pQVar7 = (QString *)FUN_0043a580((char *)&local_54,"Thank you for activating!");
      local_4._0_1_ = 5;
      pQVar8 = (QString *)FUN_0043a580((char *)&param_1,"Activation succeeded");

And

  uVar4 = FUN_0043a620();
  if ((char)uVar4 == '\0') {
    pQVar5 = (QString *)
             FUN_0044b910((char *)&local_14,
                          "Not activated. Click the \'Activate\' button on the first page to enable saving."
                         );

That is exactly what I had discovered even before looking at the cracked binary, and I tried it, but it did not work; then I found this cracked file and tried to understand the differences between the working cracked binary and the original binary.

I want to know why my cracked version is not working even though I copied the exact changed assembly instruction from the working cracked file?

@saruman9 (Contributor) commented Jun 18, 2020

Dup of #19. You can use PR #1505 by @astrelsky.

@NavpreetDevpuri (Author)

> Dup of #19. You can use PR #1505 by @astrelsky.

Can you please help me with that?
I don't know how to insert those changed files into Ghidra.
I downloaded the released zip.

@saruman9 (Contributor)

You don't have to merge the changes from the PR; you can use the script.

  1. Download FixedBinaryExporter.java.txt.
  2. Save it as FixedBinaryExporter.java in the ${HOME}/ghidra_scripts directory (in fact you can save it anywhere).
  3. Open the Script Manager (in the menu bar: Window > Script Manager) in the Tool with the target file opened.
  4. Find the script and run it. If you saved the script in another directory, then first you must add that directory (right click in the Script Manager, Script Directories, and add the directory).

@NavpreetDevpuri (Author)

Thank you for that, but it is still not working as expected. I think I am missing something; maybe there is something that is not visible in the C/C++ decompiled .c files.

I used that FixedBinaryExporter.java for my cracked file and it exported a binary file.

@NavpreetDevpuri (Author)

Is my way of detecting the patch correct?

@saruman9 (Contributor)

Reimport the patched file again and find the correct patched bytes. If the changes are very small, then you can use binary diff utilities: diff, radiff2, binwalk, for example.
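
The reimport-and-diff approach suggested above, in working form. This is an added example and not code from the issue, from Ghidra or from the FixedBinaryExporter script; it assumes a PE32 target like the one discussed. It byte-diffs two same-sized binaries to locate the changed runs, and maps a listing address (the role 0043a687 plays in the issue) to its file offset by walking the PE section table, so the patched bytes can be written straight into a copy of the original file instead of going through File->Export Program. The sample PE is constructed in memory; the bytes 88 c3 (MOV BL,AL) and b3 01 (MOV BL,0x1) are the standard x86 encodings of the two instructions quoted in the listing, not bytes taken from Vector Magic, and the VA 0x401010 is chosen for the sample only.

```python
import struct


def byte_diff(a: bytes, b: bytes):
    """Return [(file_offset, old_bytes, new_bytes), ...] for every run of
    differing bytes, much like `cmp -l` or `radiff2` on two images.
    A length mismatch is reported as one trailing run."""
    n = min(len(a), len(b))
    runs, i = [], 0
    while i < n:
        if a[i] == b[i]:
            i += 1
            continue
        j = i
        while j < n and a[j] != b[j]:
            j += 1
        runs.append((i, a[i:j], b[i:j]))
        i = j
    if len(a) != len(b):
        runs.append((n, a[n:], b[n:]))
    return runs


def va_to_file_offset(pe: bytes, va: int) -> int:
    """Map a virtual address (what the Ghidra listing shows) to the offset of
    the same byte in the PE file on disk, using the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:            # PE32: 32-bit ImageBase at offset 28
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == 0x20B:          # PE32+: 64-bit ImageBase at offset 24
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    size_of_headers = struct.unpack_from("<I", pe, opt + 64)[0]
    rva = va - image_base
    if rva < 0:
        raise ValueError(f"{va:#x} is below the image base {image_base:#x}")
    if rva < size_of_headers:     # headers are mapped 1:1 from the file
        return rva
    sections = opt + opt_size
    for i in range(nsections):
        _name, _vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, sections + 40 * i)
        # Only bytes inside SizeOfRawData exist on disk; the tail of a section
        # whose VirtualSize exceeds its raw size is zero-filled by the loader.
        if vaddr <= rva < vaddr + raw_size:
            return raw_ptr + (rva - vaddr)
    raise ValueError(f"{va:#x} is not backed by file data (e.g. .bss)")


def apply_patch(pe: bytes, va: int, new_bytes: bytes) -> bytes:
    """Write new_bytes at the file offset backing va, refusing a patch whose
    last byte would fall outside the section's on-disk data."""
    off = va_to_file_offset(pe, va)
    end = va_to_file_offset(pe, va + len(new_bytes) - 1)
    if end != off + len(new_bytes) - 1:
        raise ValueError("patch crosses a section boundary")
    out = bytearray(pe)
    out[off:off + len(new_bytes)] = new_bytes
    return bytes(out)


def build_sample_pe(code: bytes, image_base=0x400000, text_rva=0x1000,
                    text_raw=0x400) -> bytes:
    """Constructed minimal PE32 (DOS stub, COFF header, optional header and
    one .text section) for the demo; the values are assumptions, not taken
    from any real binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 64, text_raw)                 # SizeOfHeaders
    raw = (len(code) + 0x1FF) & ~0x1FF                         # 0x200 alignment
    sect = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", len(code), text_rva,
                       raw, text_raw, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(text_raw, b"\0")
    return headers + code.ljust(raw, b"\xcc")


# Constructed sample: NOPs around a two-byte MOV BL,AL at RVA 0x1010 (VA 0x401010),
# standing in for the instruction at 0043a687 in the issue.
SAMPLE_CODE = b"\x90" * 0x10 + b"\x88\xc3" + b"\x90" * 0x0E   # 88 c3 = MOV BL,AL
ORIGINAL = build_sample_pe(SAMPLE_CODE)
PATCH_VA = 0x401010
PATCHED = apply_patch(ORIGINAL, PATCH_VA, b"\xb3\x01")         # b3 01 = MOV BL,0x1


def find_patches(original: bytes = ORIGINAL, patched: bytes = PATCHED):
    """What reimporting both files and diffing them reveals: one two-byte run."""
    return byte_diff(original, patched)


if __name__ == "__main__":
    for off, old, new in find_patches():
        print(f"file offset {off:#06x}: {old.hex()} -> {new.hex()}")
```

On a real target, read both files with `open(path, "rb").read()`, run `byte_diff` on them to confirm the cracked file differs only where expected, and then use `apply_patch` on the original with the address from the listing; because it writes into a copy of the original file, the headers, overlay and section layout stay exactly as they were, which is what a raw exporter that cannot reproduce the file layout loses.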

@NavpreetDevpuri (Author)

I am curious to learn cracking and reverse engineering! But I don't find any really useful tutorials or guidance!
So, I decided to learn it by comparing cracked and uncracked files.

@saruman9 (Contributor)

I suggest you "Reverse Engineering for Beginners" book.

@NavpreetDevpuri (Author)

> I suggest you "Reverse Engineering for Beginners" book.

Thank you! That's GREAT!

@emteere (Contributor) commented Jun 18, 2020

You can also compare the two files with the version tracking included with Ghidra. It is meant to compare two closely related binary versions.

@NavpreetDevpuri (Author) commented Jun 18, 2020

> You can also compare the two files with the version tracking included with Ghidra. It is meant to compare two closely related binary versions.

I am trying, but it takes too much time at "Adding 1241255 match objects..." and I noticed that it is only using 20% of the CPU.
But when I am decompiling, it uses up to 100% CPU and takes much less time.
Is this normal? Why is it not using the full capability of the CPU?

@NavpreetDevpuri (Author)

I tried version tracking, but I observe that there is only one function, FUN_00433070, that shows code changes in assembly (Listing view). But when I look at the decompile view, both functions are exactly the same.

I even tried this, but it shows no difference at all.

@NavpreetDevpuri (Author) commented Jun 23, 2020

resolved
