Cracking Tutorial for Duelist's Crackme #5

Memory Patching

Location: http://members.xoom.com/_XOOM/Ryanosis/due-cm5.zip
Protection: Nag, Packed
Tools Needed: Softice, Hex Editor

THE NAG SCREEN

Start softice and enter the breakpoint:

bpx messageboxa

Exit softice and start the crackme. You will break into Softice; press F11 and you will see the nag screen appear. Click OK on the nag and you will break back into softice. Scroll back a little and you will see the jump reference:

0040105C    JMP 004010C1
....
004010C1    PUSH 00002000
004010C6    PUSH 0040205C<---call unregistered
004010CB    PUSH 00402017
004010D0    PUSH 00
004010D2    CALL USER32!MessageBoxA<---you will land here
004010D7    PUSH 00

To bypass the nag screen, change the jump at 0040105C from

0040105C   EB63     JMP 004010C1
to
0040105C   EB79     JMP 004010D7


REGISTER THE PROGRAM

The second part of this crackme is to change the status box to read Registered. Cancel all breakpoints and enter

bpx senddlgitemmessagea

Exit softice and start the program again. Ignore the NAG screen, and press OK.

00401130    PUSH 0040205C<---call Unregistered
00401135    PUSH 00
00401137    PUSH 0C
00401139    PUSH 03
0040113B    PUSH DWORD PTR [EBP+08]
0040113E    CALL USER32!SendDlgItemMessageA<---you will land here


If you dump what is at 0040205C you will see 'Unregistered'. Notice that just before it (at 00402050) is the word 'Registered'. To have the status box show Registered, change 00401130 from

00401130   685C204000      PUSH 0040205C
to
00401130   6850204000       PUSH 00402050


MEMORY PATCHING

In order to patch this program, we have to find exactly where the decompression routine ends and hands control to the real program. Close the crackme, clear all breakpoints, and open the crackme using softice's symbol loader. Enter softice again and enter a breakpoint for the messagebox:

bpx messageboxa

Exit softice and start the crackme using the symbol loader.  Press F11 once in softice, and OK on the nag screen to break back into softice.  We want to find something from the program, in memory, before it is unpacked. Cancel the breakpoint and search for 'Please obtain a valid' from the nag screen. Enter a breakpoint at that memory location:

BPMB 00402017

Exit softice and immediately start the program again, using the loader. Press F10 until you come to:

00406651   MOV EAX,[EBP+00403405]
00406657   ADD EAX,[EBP+00403419]
0040665D   POP EBP
0040665E   POP EDI
0040665F   POP ESI
00406660   POP EDX
00406661   POP ECX
00406662   POP EBX
00406663   JMP EAX<---jump to real start of the program

Notice that the program is now in memory location 00406xxx, versus the 00401xxx we saw earlier. Make sure that your registers window is open in softice, and watch the memory locations change (especially keep an eye on EAX). Write down the bytes at this location (5D5F5E5A595BFFE0), since we will need to find them in the file with the hex editor (they are at offset 0285Dh).

We have to figure out where to apply our memory patch (a place where the program is not compressed). Open the crackme with your hex editor and search for any text that doesn't appear to be scrambled. I chose .I.n.t.e.r.n.a.l.N.a.m.e, found at 0189Dh. To find this location in memory, start the crackme one last time, using the previous breakpoint. Once back in softice, search for I.n.t.e.r.n.a.l.N.a.m.e (notice the wide format). Write down the memory location 0040569E.

The patch will go as follows:

  1. at 0040665D jump to an unpacked location in the program,
  2. in the unpacked location apply the memory patch,
  3. jump to the start of the real program once the patch is applied.

APPLYING THE PATCH

Open the crackme in your hex editor and go to 0285Dh.  We are going to change

0040665D   POP EBP
to
0040665D   JMP 0040569E<---jump to the unpacked location of our file

at 0285Dh  change

5D5F5E5A595BFFE0
to
E93CF0FFFF

At the unpacked location of the crackme, the patch looks like this:

0040569E    5D                       POP EBP<---restore the registers the stub popped
0040569F    5F                       POP EDI
004056A0    5E                       POP ESI
004056A1    5A                       POP EDX
004056A2    59                       POP ECX
004056A3    5B                       POP EBX
004056A4    C7055C104000EB796A00     MOV DWORD PTR [0040105C],006A79EB<---jump around nag screen
004056AE    C7053011400068502040     MOV DWORD PTR [00401130],40205068<---change to show registered
004056B8    FFE0                     JMP EAX

at 0189Dh change

49006E007400650072006E0061006C004E0061006D00650000006400
to
5D5F5E5A595BC7055C104000EB796A00C7053011400068502040FFE0
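Patch bytes like the ones above are easy to get wrong by hand, so here is an added example (my own, not part of the original tutorial) that encodes the relative jumps and the cave from the addresses in the text and checks that the cave fits in the 28-byte string it overwrites. It assumes only the addresses and bytes quoted above.

```python
import struct

# Values taken from the tutorial above; everything else is this example's own.
NAG_JMP_SITE, NAG_JMP_TARGET = 0x0040105C, 0x004010D7
STATUS_PUSH_SITE, REGISTERED_STR = 0x00401130, 0x00402050
STUB_JMP_SITE, CAVE_ADDR = 0x0040665D, 0x0040569E
# The wide-char "InternalName" bytes at 0189Dh that the cave overwrites (from the hex dump above).
OVERWRITTEN = bytes.fromhex("49006E007400650072006E0061006C004E0061006D00650000006400")


def encode_jmp(src, dst):
    """Relative x86 JMP placed at virtual address src to dst: EB rel8 if it fits, else E9 rel32.
    The displacement is counted from the end of the instruction (src + length)."""
    rel = dst - (src + 2)
    if -128 <= rel <= 127:
        return b"\xEB" + struct.pack("<b", rel)
    return b"\xE9" + struct.pack("<i", dst - (src + 5))


def decode_jmp(src, code):
    """Target of the relative JMP found at src; used to double-check patch bytes."""
    if code[0] == 0xEB:
        return src + 2 + struct.unpack("<b", code[1:2])[0]
    if code[0] == 0xE9:
        return src + 5 + struct.unpack("<i", code[1:5])[0]
    raise ValueError("not a relative JMP")


def mov_dword_abs(addr, value):
    """MOV DWORD PTR [addr], imm32  ->  C7 05 <addr LE> <imm32 LE> (10 bytes)."""
    return b"\xC7\x05" + struct.pack("<II", addr, value)


def build_cave():
    """Assemble the cave: the six POPs the stub would have run, the two in-memory
    patches, then JMP EAX to the unpacked entry point."""
    # EB 79 (JMP 004010D7) followed by the 6A 00 (PUSH 00) the tutorial's patch writes after it.
    nag_dword = encode_jmp(NAG_JMP_SITE, NAG_JMP_TARGET) + b"\x6A\x00"
    # First four bytes of PUSH 00402050 (68 50 20 40); the trailing 00 is already in place.
    status_dword = b"\x68" + struct.pack("<I", REGISTERED_STR)[:3]
    cave = bytes.fromhex("5D5F5E5A595B")  # POP EBP/EDI/ESI/EDX/ECX/EBX
    cave += mov_dword_abs(NAG_JMP_SITE, int.from_bytes(nag_dword, "little"))
    cave += mov_dword_abs(STATUS_PUSH_SITE, int.from_bytes(status_dword, "little"))
    cave += b"\xFF\xE0"  # JMP EAX
    if len(cave) > len(OVERWRITTEN):
        raise ValueError("cave does not fit in the string it overwrites")
    return cave


def stub_patch():
    """The 5-byte JMP that replaces POP EBP at 0040665D and diverts into the cave."""
    return encode_jmp(STUB_JMP_SITE, CAVE_ADDR)
```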


FINAL NOTES

Thanks to all of those coders that make these crackmes, and especially to varroa, whose tutorial helped me immensely.

Sanhedrin
stachi@geocities.com