I have an application that calls a subroutine before sending the data over socket and in that subroutine the packet is being encrypted. Is there any way to make application skip that subroutine and send the packet as non-encrypted ?
19.2k 29 29 gold badges 87 87 silver badges 150 150 bronze badges asked Sep 14, 2015 at 8:38 301 1 1 gold badge 3 3 silver badges 11 11 bronze badgesReplace the call by a NOP if the encryption is in-place, or modify the function to just copy the input if it's not. Without more information about how the program & the call work, it's hard to help you further.
Commented Sep 14, 2015 at 8:42 Here's a screenshot from IDA: i.imgur.com/zurZc9f.png Commented Sep 14, 2015 at 8:48 There are two calls in you screenshot. edit : I guess it's encoder_func Commented Sep 14, 2015 at 8:58 Yeah that's the subroutine i want to skip. Commented Sep 14, 2015 at 9:03As Dillinur wrote, you need to NOP out this call. To do that you may need a hex editor, like WinHex. To NOP out the subroutine, you have to determine from which address it is called. To see that address, in IDA go to Options -> General and mark Line Prefixes.
It's also nice to see which Opcodes you would like to NOP out. Go to Options -> General and write 6 in the field Number of opcode bytes. Then your IDA graph mode will look like that:
In my example, if I want to skip the foo-subroutine while execution, I need to set the opcode bytes E8 DF E6 FF FF to 90 90 90 90 90 (E8 is the call mnemonic and the rest are the offset bytes). 0x90 is the NOP opcode.
To NOP out these bytes I open the executable in WinHex and search the offset 0x31CC (not 0x4031CC, because 0x400000 is the load address of my executable in IDA). Finally, when I've found the offset 0x31CC I look for the sequence of bytes E8 DF E6 FF FF and then edit them to 90 90 90 90 90. Save it.
Also you may think about NOPing out of the PUSH-instruction(s) preceding your subroutine in order to avoid errors in the succeeding code.
