First RE and patching with OllyDbg

Posted on July 5, 2007. Filed under: Debugging, Reverse Engineering

For the first time, I have tried and successfully patched the Sify broadband client I’m using. I have a broadband connection with SIFY. The client, which connects to the server and authenticates, is pathetically written. There are two annoying issues with it.

1. When I log in as a non-admin user (I usually connect to the net and work as non-admin), the BBImpSec.exe module shows a message box with just “catch” as the message. Pathetic.

2. After connecting, every five minutes SIFY sends an advertisement message which causes the IE browser to open and show their advertisement. Bad!

It is time to resolve these two issues. So I analyzed the programs BBImpSec.exe and BBClient.exe with OllyDbg and patched them. I’m thinking of writing a tutorial on how I did it, which would be helpful for newbies like me, but I’m too lazy at the moment.

In the first case, I simply found the call to the MessageBox API and NOP’d all the PUSH arguments plus the CALL. I double-checked that ESP is not corrupted by this NOPing. Done!

In the second case, after debugging I found that SIFY is sending XML data along with the authorization reply information. I fired up Ethereal and captured packets. XML revealed a tag . This clearly indicates that every 5 minutes it tries to show a custom message. Actually, BBClient uses a particular URL to get XML, which in turn points to the advertisement site. Following the code where this custommsg interval is read, I found that BBClient sets up a timer with this value. So either I could remove the call to the settimer or simply set the value to some large number. I chose the second, since it simply involves patching one byte.


> SHL EDX, 5

After this call, EDX has the value 300000 [300,000 ms timeout interval]. I simply changed this to


Changing this way will not affect the whole program and no fixups are required since no extra bytes are added.

Patched, Saved and Happy. OM!
