So as you can see, for the SoftICE check the "je 00442772" decides whether we are the Good Boy or the Bad Boy ;)
So we need to make it Jump, and so remember the "Virtual Address" 00442759 for our Inline Patching :)
For now, when you're on the "je 00442772" type "r fl z"; this will set the Z flag and so we jump.
But...
Have you seen where it jumps to?
To our lovely NAG screen :)
Heh, we need to make it jump a little further, and I suggest letting it jump to just behind the next Call.
Why?
Notice that behind the string "SoftICE is DETECTED" there is a Call, the same as with the string "Kill me !! My name is NAG SCREEN!", so it's probably the Message Box
(You can check it out with SoftICE if you want :).
So we need to change the length of the Jump as well.
Now just let it jump until you get the NAG, press "Ok", and we're back in SoftICE (remember the Protection "Enable Button"? ;).
Now trace and go into "call [ecx+60]" and you'll see this:
Hmm.. you see that Compare with DL and [eax+48]? :)
If equal we jump to the ret and nothing changes, else it puts DL in [eax+48] and does all kinds of other stuff :)
This is probably the "Enable Button" check ;P How are we going to find out? Simple...
Just let the "je 00423CEA" jump and we'll see :)
So when you're on the "je 00423CEA" type "r fl z" to let it jump and press (CTRL+D) to exit SoftICE.
Now the main program pops up and I see no disabled Button or anything :)
Now quit the CrackMe and do the same, but without letting the last "je" (the Enable Button check) jump, and now you'll see in the main window that the "Register" Button is disabled ;)
Hehe, right we got it :)
But now we need to let this program patch itself.
(Ok, one other thing, I don't want to explain this too much ;) but like I mentioned above, in the File there's also a W32Dasm check.
It uses FindWindowA to locate W32Dasm (if running); you can easily defeat this by changing the next line in W32Dasm or in the CrackMe itself :)
"URSoft W32Dasm Ver 8.93 Program Disassembler/Debugger" <--- In CrackMe
"URSoft W32Dasm Ver %s Program Disassembler/Debugger" <--- In W32Dasm
Anyway, have you noticed something in the Code above (the second one above ;) where those 2 Message Boxes are?
It checks for "//./SICE"; if equal we get a Message Box and then quit, else we get the NAG and the "Enable Button" check, and then followed by a:
:00442789 5B pop ebx
:0044278A C3 ret
So why not change the "je 00442772" to "pop ebx, ret" :)
Then we don't need to patch so much and it's easier than the other thing we had in mind.
(Well, we could still patch the "je" to a jump and skip all of it, but whatever, I'm gonna do it this way ;)
So what we're actually going to do is, at the Address "00442759", patch the bytes "7417" with "5BC3" :)
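A small sanity check for the inline patch above, added here as an example (it is not part of the tutorial and not the CrackMe's code). The two opcode facts it relies on are general x86: "74 xx" is a short JE whose 8-bit displacement is relative to the end of the 2-byte instruction, and "5B C3" is POP EBX followed by RET. The `SAMPLE_CODE` byte string is constructed for the example; the addresses and the byte values come from the text.

```python
# Added example: verify the short-jump target and the length of the inline patch.

ORIGINAL = bytes.fromhex("7417")   # je rel8 (+0x17), found at VA 00442759 per the text
PATCH = bytes.fromhex("5BC3")      # pop ebx ; ret
PATCH_VA = 0x00442759              # virtual address of the je (from the text)

# Constructed image (not from the CrackMe): the je at offset 0, 0x17 filler bytes,
# then the "pop ebx / ret" that the je lands on.
SAMPLE_CODE = ORIGINAL + b"\x90" * 0x17 + bytes.fromhex("5BC3")


def rel8_target(va: int, insn: bytes) -> int:
    """Destination of a 2-byte short conditional jump (70h..7Fh) located at `va`."""
    if len(insn) != 2 or not (0x70 <= insn[0] <= 0x7F):
        raise ValueError("not a short Jcc")
    disp = int.from_bytes(insn[1:2], "little", signed=True)
    return (va + 2 + disp) & 0xFFFFFFFF


def patch_is_same_length(original: bytes, patch: bytes) -> bool:
    """An inline patch must not change the length, or every following instruction shifts."""
    return len(original) == len(patch)


def apply_patch(image: bytes, offset: int, original: bytes, patch: bytes) -> bytes:
    """Replace `original` with `patch` at `offset`; refuse if the bytes there differ
    (wrong file or wrong offset) or if the patch would change the length."""
    if image[offset:offset + len(original)] != original:
        raise ValueError("expected bytes not found at offset")
    if not patch_is_same_length(original, patch):
        raise ValueError("patch length differs from original")
    return image[:offset] + patch + image[offset + len(patch):]


if __name__ == "__main__":
    print(f"je at {PATCH_VA:08X} jumps to {rel8_target(PATCH_VA, ORIGINAL):08X}")
    patched = apply_patch(SAMPLE_CODE, 0, ORIGINAL, PATCH)
    print("patched bytes:", patched[:2].hex().upper(), "length unchanged:", len(patched) == len(SAMPLE_CODE))
```

The target check confirms that "74 17" at 00442759 really is the "je 00442772" SoftICE showed, and the length check is the reason "pop ebx; ret" is such a convenient replacement: two bytes in, two bytes out, nothing after it moves.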
Ok, if you want you can delete the Unpacked CrackMe now ;)
Now we need to find some space in the Packed CrackMe for our Code.
So open the Packed CrackMe in your HexEditor, go to the OEP (not the real OEP, that's not there now ;) and press "Page-Down" 1 time.
You see some little space below the Code, excellent :)
I suggest putting our Code at "Raw Address" 00020BE0, and my Code looks like this (put your Code there in whatever language you want ;) :
Then it Multiplies EBX with 00000063 and puts the result in EAX (result in EAX is now = 000019E9)
Move EAX in EBX
Then it XOR's EBX with 00000006 (EBX = 000019EF)
Move EBX in EDX
Move DL into some place in the Memory
Increase EDI (Point to our next Char)
Decrease ESI (are we at the end of our Name?)
If not, we jump back and repeat this loop, else we're finished :)
So, very simple: when you're on the instruction "call 00403B44" type "d eax" and you'll see your "Real" Serial :)
In my case they weren't readable Characters, so I got this for my Name:
Name: CoDe_InSiDe
Serial: hex = EFEB4A09BB3D8C1F9D4A09
Ok, that's All...
You can patch this CrackMe by simply NOP the "jne 00442925" but i'll leave that up to you :)
*** NOTE ***
Remember where i said above "If equal we jump and fail (well almost fail ;), else continue with the loop" ? ;)
It was the check if we entered a Name, now the funny thing is if we haven't entered a Name we still go to the Compare stuff.
So then it Compares nothing (00, our Name) with the created Serial (which is also 00, because it hasn't created any Serial from our Name), and so we continue and get the Good Boy Message :P
Just try it: enter nothing as your Name and Serial and you're Registered.
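The serial loop described above and the empty-Name failure mode in this NOTE, carried through as an added example (not the tutorial's code and not the CrackMe's). `serial_for` follows the steps listed earlier: each Name character is multiplied by 00000063, XORed with 00000006, and the low byte (DL) is stored. `crackme_accepts` mirrors the described check, simplified to a byte-string comparison, so it shows why an empty Name passes; `hardened_accepts` is the obvious fix of rejecting empty input before comparing.

```python
# Added example: reproduce the per-character serial derivation and the empty-name bypass.

def serial_for(name: str) -> bytes:
    """One serial byte per Name character: low byte of (char * 0x63) ^ 0x06."""
    out = bytearray()
    for ch in name.encode("latin-1"):
        value = (ch * 0x63) ^ 0x06   # "Multiplies EBX with 00000063", then "XOR's EBX with 00000006"
        out.append(value & 0xFF)     # "Move DL into some place in the Memory"
    return bytes(out)


def crackme_accepts(name: str, serial: bytes) -> bool:
    """Mirror of the flawed check in the NOTE (simplified): the Name-length test only
    decides whether the loop runs; an empty Name yields an empty Serial, which still
    compares equal to an empty Serial input."""
    return serial_for(name) == serial


def hardened_accepts(name: str, serial: bytes) -> bool:
    """Same comparison, but empty input is refused before anything is compared."""
    if not name or not serial:
        return False
    return crackme_accepts(name, serial)


if __name__ == "__main__":
    # Name/Serial pair taken from the text, used here to check the derivation.
    print("CoDe_InSiDe ->", serial_for("CoDe_InSiDe").hex().upper())
    print("empty name, flawed check:", crackme_accepts("", b""))
    print("empty name, hardened check:", hardened_accepts("", b""))
```

Running it reproduces the hex Serial shown for the Name "CoDe_InSiDe" byte for byte, which is a good way to confirm you traced the loop correctly before writing anything into the file; the second and third lines show the bypass and the one-line check that closes it.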
Well, a weird thing about this one is that in the Title bar it says "CrackMe 7 by Fr1c - UNREGISTERED", and after we've Registered it, that isn't changed ;)
But who cares...
---> Outro...
And another big Tutorial ;)
You may also be thinking now "Hmmm... why have we Unpacked this program? It wasn't necessary", and you're right, it wasn't :P
But hey, I like to Unpack stuff ;) I hope you learned something from this Tutorial...
(Btw, this CrackMe checks for W32Dasm if it's running, with the Inline Patch you can easily fix that ;)
---> Greetings...
To be honest I'm getting a bit sick of these greetings every time ;P
So i'll just say:
Greetings to everyone i know, and to everyone who knows me, and You... ;P