Tags: diff, reverse-engineering, patch, cracking, ghidra

Two compiled binary files with exactly the same assembly code behave differently when cracking a binary file? Or maybe I am missing something?


I have two exe files: one is the original file and the other is a cracked exe of the software Vector Magic, and the cracked file is vmbe.zip. Both files have exactly the same size.

I am using Ghidra to decompile those binary files. Then I just export those files to C/C++ program format using the option File->Export Program (O).

Then I open those files in Visual Studio and apply the Diff extension to find the differences between them; I can navigate to the differences by just pressing ALT+F5.

Then I observed that some functions just failed to decompile, showing the following error, but I just searched for those functions in Ghidra using Windows->Functions, decompiled them again one by one, and put those functions into the overall .c file at the appropriate positions.

/*
Unable to decompile 'FUN_004475d0'
Cause: Exception while decompiling 004475d0: process: timeout
*/

Now I have two .c files, one the decompiled version of the original exe file and the other that of the cracked exe file, and after fixing a few variable names we can easily find that there is only one difference between those two files, at the end of function FUN_0043a620.

Original exe's decompiled .c file

    _bVar2 = uVar3 & 0xffffff00 | (uint)bVar2;
  }
  *in_FS_OFFSET = local_c;
  return _bVar2;
}

Cracked exe's decompiled .c file

    _bVar2 = uVar3 & 0xffffff00 | 1;
  }
  *in_FS_OFFSET = local_c;
  return _bVar2;
}


And in Ghidra we can see that just one assembly instruction is changed, at memory location 0043a687.

Original file

        0043a687 b3  01           MOV        BL,AL

Cracked file

        0043a687 b3  01           MOV        BL,0x1

Now I changed that instruction in the original exe file and just exported the binary file from the option File->Export Program (O).

Then I tried my version of the cracked binary file by just replacing the original file with my cracked file, and it just doesn't work, but when I try the cracked file it works like a charm.

And this patch just looks like the correct solution, because this is the function that decides whether the software is registered or not by just observing the returned value, and we just make it always return 1. We can search for uses of that function FUN_0043a620 in the decompiled .c file.
For example

 if (local_65 != 0) {
    uVar5 = FUN_0043a620();
    if ((char)uVar5 != '\0') {
      pQVar7 = (QString *)FUN_0043a580((char *)&local_54,"Thank you for activating!");
      local_4._0_1_ = 5;
      pQVar8 = (QString *)FUN_0043a580((char *)&param_1,"Activation succeeded");

And

 uVar4 = FUN_0043a620();
  if ((char)uVar4 == '\0') {
    pQVar5 = (QString *)
             FUN_0044b910((char *)&local_14,
                          "Not activated. Click the \'Activate\' button on the first page to enable saving."
                         );

That is exactly what I had discovered even before looking at the cracked binary, and I tried it, but it did not work. Then I found this cracked file and tried to understand the differences between the working cracked binary and the original binary.

I want to know why my cracked version is not working even though I copied the exact changed assembly instruction from the working cracked file?


Solution

  • Use hex editors (FlexHex, BeyondCompare, ...) and look for differences between the two files; maybe there are other differences that are not code differences, for example some changes in global data.

    In order to understand what those other bytes are, you can analyze the binary either

    1. statically: open it in Ghidra or IDA and look for x-refs to this data and where it is used. There is a good chance it is somehow related to the other change that you saw in the code.

    2. dynamically: try to set a hardware breakpoint on access to this location.
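A worked example of the hex-level comparison suggested in the answer, added here and not part of the question or the answer. It byte-diffs two same-layout PE files, maps every differing run through the PE section table to a virtual address, and flags whether the run lies in an executable section (a code patch, which a decompiler diff would show) or not (a data patch in the headers or a data section, which a decompiler diff can easily miss). The two images it compares are built by build_sample_pe, a constructed toy PE32 with one .text and one .data section; the byte pairs 8a d8 (MOV BL,AL) and b3 01 (MOV BL,1) and the flipped byte in .data are my sample input, not bytes taken from the Vector Magic binaries. Point compare_files at the real original and cracked exe to run the same check on them.

```python
"""Byte-diff two same-layout PE files and attribute each differing run to a
section and virtual address, so code patches and data patches can be told
apart.  Added example; the sample PE images are constructed, not real."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000


def diff_runs(a: bytes, b: bytes):
    """Return [(offset, length)] for every run of differing bytes.
    A length mismatch is reported as one final run covering the tail."""
    runs, n, i = [], min(len(a), len(b)), 0
    while i < n:
        if a[i] != b[i]:
            start = i
            while i < n and a[i] != b[i]:
                i += 1
            runs.append((start, i - start))
        else:
            i += 1
    if len(a) != len(b):
        runs.append((n, abs(len(a) - len(b))))
    return runs


def parse_pe_sections(data: bytes):
    """Minimal PE header walk: returns (image_base, [section dicts])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:    # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    sections, shdr = [], opt + size_opt
    for k in range(num_sections):
        off = shdr + 40 * k
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rsize, raw = struct.unpack_from("<IIII", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append(dict(name=name, va=va, vsize=vsize, raw=raw, rsize=rsize,
                             exec=bool(chars & IMAGE_SCN_MEM_EXECUTE)))
    return image_base, sections


def locate(offset: int, image_base: int, sections):
    """Map a raw file offset to (section name, VA, is_code); None if outside any section."""
    for s in sections:
        if s["raw"] <= offset < s["raw"] + s["rsize"]:
            return s["name"], image_base + s["va"] + (offset - s["raw"]), s["exec"]
    return None


def classify_diffs(orig: bytes, patched: bytes):
    """Every differing run, tagged with section, VA and whether it is code."""
    image_base, sections = parse_pe_sections(orig)   # layout taken from the original
    out = []
    for off, ln in diff_runs(orig, patched):
        loc = locate(off, image_base, sections)
        out.append(dict(offset=off, length=ln,
                        section=loc[0] if loc else "<header/padding>",
                        va=loc[1] if loc else None, code=bool(loc and loc[2]),
                        before=orig[off:off + ln].hex(), after=patched[off:off + ln].hex()))
    return out


def compare_files(path_orig: str, path_patched: str):
    """Same check on two files on disk (e.g. the original and cracked exe)."""
    with open(path_orig, "rb") as f1, open(path_patched, "rb") as f2:
        return classify_diffs(f1.read(), f2.read())


def build_sample_pe(text: bytes, data: bytes, image_base: int = 0x400000) -> bytes:
    """Constructed toy PE32 (headers + .text at 0x200 + .data at 0x400).
    Correct enough for the parser above; it is not a loadable program."""
    assert len(text) <= 0x200 and len(data) <= 0x200
    e_lfanew, size_opt = 0x40, 0xE0
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    struct.pack_into("<HHIIIHH", img, coff, 0x14C, 2, 0, 0, 0, size_opt, 0x0102)
    opt = coff + 20
    struct.pack_into("<H", img, opt, 0x10B)
    struct.pack_into("<I", img, opt + 28, image_base)
    shdr = opt + size_opt
    for k, (name, va, raw, ln, chars) in enumerate([
            (b".text", 0x1000, 0x200, len(text), 0x60000020),   # CODE|EXECUTE|READ
            (b".data", 0x2000, 0x400, len(data), 0xC0000040)]):  # IDATA|READ|WRITE
        off = shdr + 40 * k
        img[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", img, off + 8, ln, va, ln, raw)
        struct.pack_into("<I", img, off + 36, chars)
    img[0x200:0x200 + len(text)] = text
    img[0x400:0x400 + len(data)] = data
    return bytes(img)


def demo():
    """Constructed sample: one code patch (mov bl,al -> mov bl,1) plus one data patch."""
    orig_text = bytes.fromhex("558bec8ad85dc3")    # push ebp; mov ebp,esp; mov bl,al; pop ebp; ret
    crack_text = bytes.fromhex("558becb3015dc3")   # same, but mov bl,1
    orig_data = b"\x00\x00\x00\x00licensed\0"
    crack_data = b"\x01\x00\x00\x00licensed\0"     # a global flag flipped as well
    return classify_diffs(build_sample_pe(orig_text, orig_data),
                          build_sample_pe(crack_text, crack_data))


if __name__ == "__main__":
    for d in demo():
        va = "%08x" % d["va"] if d["va"] is not None else "n/a"
        print("+%#x %-8s VA %s [%s] %s -> %s" % (d["offset"], d["section"], va,
              "code" if d["code"] else "data", d["before"], d["after"]))
```

The value of the section mapping is the second line of output: a run in .data (or in the headers, reported as `<header/padding>`) is exactly the kind of change that an instruction-level or decompiler diff will not show, and its VA is what you feed to the x-ref search or hardware breakpoint the answer describes.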