In this tut we use W32dasm to check out the code location that we want to change, and in the next tut we use Hiew to make the changes. You can of course use other hex editors, but in that tut we're using Hiew.
Here are a couple of tuts about W32dasm that you might want to check out if you've never used it before: So, open W32dasm (double click the W32dasm.exe in the folder you placed it in...or if you're smart you'll make a shortcut on your desktop) and go to the 'Disassembler' menu (top left) and click 'Open file to disassemble'. Find Crackme1 and double click it, or click it once then click on Open in the dialog box, and Crackme1 will load and start to disassemble.
Once it's done (make sure you're on full screen), you'll see a 'dead listing' of the program code.
Well, what do we do now, you say!
How are we gonna find the place to patch?
If you read the earlier mini tuts about W32dasm, you know that we're gonna look at the String References. If you didn't, I'll say it one more time. Look at the top right of W32dasm, beneath the menu item Refs, and you'll see some buttons. The second button in is 'Strn Ref'.
Click it (or hit the menu item Refs and select 'String Data References') and a box opens with bits of text in it...string references, actually.
Well, what we're looking for is the message that tells us we entered a wrong serial, coz we want to change the program so we don't see that message.
And what do we see?? "Incorrect try again!!"
Now double click on that string and we get taken to the place in the program where it is used. You'll see this:
So we land at address 004015B4 push 00403074...this line will be highlighted!!!!
We know we don't want to end up here, because this means we've put in an incorrect number. But if you look up a few lines, you'll see:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
Hmmm, it seems that we got to the incorrect message because we jumped from address :00401595....let's go there!
Remember from the W32Dasm mini tut how we go to a code location...no? Didn't read it? Bummer for ya, you'll have to read it now.
This is what we see:
* Reference To: KERNEL32.lstrcmpA, Ord:02FCh
:0040158D       FF1500204000        Call dword ptr [00402000]
What we gotta do is change this jump so we don't jump.
If you read any of the assembly tuts, you'll know that 'jne' means jump if not equal, and you'll also notice that this jump comes just after the call to KERNEL32.lstrcmpA, which, if you remember from the last tut, is a string compare. Look at both of these for a refresher: the API mini ref and the Op codes ref.
So what's happening is that our serial is getting compared to the correct serial, and if they aren't equal, you jump to piss off. We don't want this, so we're gonna change the jump. We could nop it out (nop means 'no operation') so the program ignores that line, but +ORC has said that this isn't the best way. Or we could change the jump to 'je', which means 'jump if equal'. Then if the serials don't match, we won't jump. Of course if they do match, we will jump, so once we've patched it, don't put in the serial we found in SoftICE.
Ok, we're nearly finished with this tut...you'll have to read the next one to learn how to patch it...but we'll just discuss how we would nop the jump if we were going to do it that way. You'll notice that this line:
:00401595        7516                      jne 004015AD
has four hex digits (7516) before the jne. This is the hex code that is equivalent to the instruction jne 004015AD. Each pair of hex digits is one byte, so the four digits equal two bytes. The hex for nop is 90, so if we were to nop out the jump we'd have to use two of them....that's 9090...two bytes. Simple!!
One more thing to do before we exit W32dasm and spark up Hiew is to take a note of the address of the instruction that we're going to change. We already know it....00401595.....so remember it. We'll also get the offset (if you read the mini Hiew tut you'll know we can use either in Hiew). Make sure the jne line is highlighted, then look at the bottom of the W32dasm screen. You'll see 'Line blah blah..Pg blah blah, Code Data @ blah blah, and Offset 00001595h'. Forget the zeros at the beginning, and the h at the end means hex. Take note of the remaining digits...1595...that's the offset.
That's it. We'll carry on in the next tut.
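Before touching a byte in Hiew it's worth checking the listing's numbers for yourself: that 7516 really does land at 004015AD, that the offset 1595h matches address 00401595, and that the byte you're about to overwrite is actually the 75 of the jne. The following is an added example (not part of this tut, and not from W32dasm or Hiew) that does those checks on a constructed copy of the bytes; it assumes the file offset and the address differ by a 00400000 image base, and the two bytes between the call and the jne are padding because the tut doesn't show them.

```python
# Added example (not from the tut): sanity-check the jne at 00401595 and build
# the two patches the tut discusses, on a constructed copy of the bytes.
IMAGE_BASE = 0x400000          # assumption: offset 1595h and VA 00401595 differ by the image base
CODE_START_OFFSET = 0x158D     # file offset of the 'call dword ptr [00402000]' line

# Constructed sample of the code region. The call and the jne bytes are the
# ones W32dasm shows; the two bytes between them are not in the listing, so
# they are filled with 0x90 padding here purely so the offsets line up.
CODE = bytearray(
    b"\xFF\x15\x00\x20\x40\x00"   # :0040158D call dword ptr [00402000]
    b"\x90\x90"                   # 00401593: two bytes not shown in the tut (padding)
    b"\x75\x16"                   # :00401595 jne 004015AD
)

SHORT_JUMPS = {0x74: "je", 0x75: "jne"}   # the two opcodes the tut talks about

def va_to_offset(va):
    """Virtual address -> file offset, under the image-base assumption above."""
    return va - IMAGE_BASE

def decode_short_jump(code, offset, offset_va):
    """Decode a 2-byte short je/jne at `offset` in `code`, where `offset_va` is
    the virtual address of that byte. Returns (mnemonic, target_va)."""
    opcode = code[offset]
    if opcode not in SHORT_JUMPS:
        raise ValueError("no short je/jne at offset %#x (byte is %#04x)" % (offset, opcode))
    rel8 = int.from_bytes(code[offset + 1:offset + 2], "little", signed=True)
    # the displacement is relative to the *next* instruction, 2 bytes further on
    return SHORT_JUMPS[opcode], offset_va + 2 + rel8

def patch_jump(code, offset, mode):
    """Return a patched copy: mode 'je' flips 75 -> 74, mode 'nop' writes 90 90.
    Refuses to touch anything that is not the expected jne (the classic wrong-offset mistake)."""
    if code[offset] != 0x75:
        raise ValueError("expected jne (75) at offset %#x, found %#04x" % (offset, code[offset]))
    patched = bytearray(code)
    if mode == "je":
        patched[offset] = 0x74                     # same rel8, so it still targets 004015AD
    elif mode == "nop":
        patched[offset:offset + 2] = b"\x90\x90"   # two bytes, so two nops
    else:
        raise ValueError("mode must be 'je' or 'nop'")
    return patched

if __name__ == "__main__":
    off = va_to_offset(0x401595) - CODE_START_OFFSET        # index of the jne inside CODE
    name, target = decode_short_jump(CODE, off, 0x401595)
    print(name, hex(target))                                 # jne 0x4015ad
    name, target = decode_short_jump(patch_jump(CODE, off, "je"), off, 0x401595)
    print(name, hex(target))                                 # je 0x4015ad
    print(patch_jump(CODE, off, "nop")[off:off + 2].hex())   # 9090
```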
