*******************************************************************************
                              Win32Asm CrackMe 1
*******************************************************************************

Author:     Acid_Cool_178
Protection: NAG
URL:        http://www.mesa-sys.com/~eternal/a-d/ac178-cm1.zip
Tools:      W32Dasm v8.93
            Hex-Editor
            ProcDump v1.6.2

---> Intro...

Welcome to my next Tutorial !!!
A very simple CrackMe, just remove 1 NAG ;)

---> Let's Begin...

Ok, first we're just going to run the CrackMe to see what's going on :)
So open it, and you'll see a Message Box saying:

   "Acid_Cool_178's"
   "Win32Asm CrackMe 1"

Press "Ok" and we see another Message Box saying:

   "Greetings goes too all my friends.."
   "Hellforge, tCA, FHCF, DQF, and the rest..."

Press "Ok" again and we get another Message Box saying:

   "Remove Me!"
   "NAG NAG"

Ah, that looks nice ;) So now we know that the 3rd Message Box is the one we
need to remove. Click "Ok" 1 more time and the CrackMe exits.

Now open the CrackMe in W32Dasm and click on "Strn Ref" (String Data References).
There isn't much text in here, but you'll notice the "Remove Me!" ;)
Double click on it and you'll see this:

-------------------------------------------------------------------------------
:0040101F 6A00                    push 00000000

* Reference To: USER32.MessageBoxA, Ord:01BBh
                                  |
:00401021 E81A000000              Call 00401040
:00401026 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"Remove Me!"     <--- Here's the text :)
                                  |
:00401028 6871304000              push 00403071

* Possible StringData Ref from Data Obj ->"NAG NAG"
                                  |
:0040102D 687C304000              push 0040307C
:00401032 6A00                    push 00000000

* Reference To: USER32.MessageBoxA, Ord:01BBh
                                  |
:00401034 E807000000              Call 00401040
:00401039 6A00                    push 00000000

* Reference To: KERNEL32.ExitProcess, Ord:0075h
                                  |
:0040103B E806000000              Call 00401046
-------------------------------------------------------------------------------

Ok, how can we solve this? :) There are several ways:

1. Look at the "push 00000000" at offset "00401026": we can turn it into a jump
   straight to the "ExitProcess" part, and then the CrackMe just quits :)
2. We can NOP the call at offset "00401034".
3. We can make the call at offset "00401034" go to "ExitProcess" instead of
   "MessageBoxA".
4. We can Inline Patch this (with patch 1, 2 or 3) at the beginning of the CrackMe.

You know what?, i'm gonna try them all ;) So first we're gonna do Method 1.

*** Method 1 ***

Ok, we need the "push 00000000" at offset "00401026". Double click on that
instruction to see the "Raw Address" (the offset in the file): it's "00000426".
Now close W32Dasm (otherwise we can't save the File ;), open the CrackMe in your
Hex-Editor and go to location "00000426". There you'll see this:

-------------------------------------------------------------------------------
                                          Call MessageBoxA     Call ExitProcess
                                          |                    |
6A 00 68 71 30 40 00 68 7C 30 40 00 6A 00 E8 07 00 00 00 6A 00 E8 06 00 00 00
-------------------------------------------------------------------------------

We're going to replace the first "6A 00" with a short Jump "EB xx", but first we
need to count how many bytes we have to Jump :) So how are we going to do this?
To count from one place to another, always start counting right after the
instruction you are replacing (the byte following the jump's own 2 bytes) until
you reach the beginning of the instruction you want to jump to :) That is exactly
what the CPU does: a short jump "EB xx" adds xx to the address of the NEXT
instruction. And don't forget to count in "Hexadecimal" format, that is:
0 1 2 3 4 5 6 7 8 9 A B C D E F 10 11 12 13 14 ...

Let me show you (I hope you'll understand ;) :

-------------------------------------------------------------------------------
      Count from here                                   To here (start of the
      |                                                 push 0 / Call ExitProcess)
      |                                                 |
6A 00 68 71 30 40 00 68 7C 30 40 00 6A 00 E8 07 00 00 00 6A 00 E8 06 00 00 00
      0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  10 11
EB 00 68 71 30 40 00 68 7C 30 40 00 6A 00 E8 07 00 00 00 6A 00 E8 06 00 00 00
|                                                        |
Our replaced Jump                    We reach this place at "11", so "11" is our value
-------------------------------------------------------------------------------

Well, it looks harder than it is :) So our final line, to make it Jump from the
beginning of the last Message Box to the ExitProcess, looks like this:

-------------------------------------------------------------------------------
EB 11 68 71 30 40 00 68 7C 30 40 00 6A 00 E8 07 00 00 00 6A 00 E8 06 00 00 00
-------------------------------------------------------------------------------

Ok, so replace the "6A00" with "EB11" at offset "00000426" (that's "00401026" in
W32Dasm), save the File and run it. It works ;)
Now method 2.

*** Method 2 ***

We're going to replace the "call 00401040" with "NOP"s :) In W32Dasm double click
on the "call 00401040" at offset "00401034" to get the "Raw Address": it's
"00000434". So close W32Dasm and open the CrackMe in your HexEditor, then go to
that Address "00000434" and you'll see this:

-------------------------------------------------------------------------------
E8 07 00 00 00   <--- This is the Call to the Message Box.
-------------------------------------------------------------------------------

So just replace the "E807000000" with "9090909090" and that's it :) Save the
File and run it, it works ;)
Note that the four arguments pushed for MessageBoxA (the two "push 00000000" and
the two string pushes) are now left on the stack. That's harmless here, because
the very next thing the CrackMe does is call ExitProcess, but in a function that
has to return you would have to NOP the pushes too (or add an "add esp, 10h") to
keep the stack balanced.
On to Method 3.

*** Method 3 ***

Ok, look just above to see how to get to the correct place for the Call, and now
i'll show you a bigger line ;) :

-------------------------------------------------------------------------------
Call MessageBoxA     Call ExitProcess
|                    |
E8 07 00 00 00 6A 00 E8 06 00 00 00 FF 25 08 20 40 00 FF 25 00 20 40 00
                                    |                 |
                                    jmp MessageBoxA   jmp ExitProcess
-------------------------------------------------------------------------------

The two "FF 25" instructions are the import thunks: "jmp [00402008]" goes to
MessageBoxA and "jmp [00402000]" goes to ExitProcess. We need to make the
"E807000000" go to ExitProcess instead of MessageBoxA. (You can make it call
either the first ExitProcess, the "push 0 / call" at 00401039, or the second one,
the thunk at 00401046. Either way ExitProcess takes the value on top of the
pushed arguments, the last "push 00000000", as its exit code, so the CrackMe
exits with code 0. We'll take the second ;)
So we're going to do this the same as with Method 1 :) A near call "E8 xx xx xx xx"
also counts from the byte after its own 5 bytes, only the displacement is 4 bytes
long and stored little-endian, so "0D" becomes "0D 00 00 00":

-------------------------------------------------------------------------------
               Count from here                       To here (jmp ExitProcess)
               |                                     |
E8 07 00 00 00 6A 00 E8 06 00 00 00 FF 25 08 20 40 00 FF 25 00 20 40 00
               0  1  2  3  4  5  6  7  8  9  A  B  C  D
E8 0D 00 00 00 6A 00 E8 06 00 00 00 FF 25 08 20 40 00 FF 25 00 20 40 00
|                                                    |
The Call                       Till this place, so we need value "0D"
-------------------------------------------------------------------------------

Ok, so replace the "E807000000" with "E80D000000" at offset "00000434" and save
the File. Run it, it works ;P
On to Method 4.

*** Method 4 ***

Ok, now we're going to Inline Patch :) That is, we make the Entry Point jump to
our own code, our code patches the program in memory (we use Method 1) and then
jumps back to the Real Entry Point :)

Fire up ProcDump and check out the Entry Point (I assume you know how to do
this). The Entry Point is "00001000" (an RVA, so "00401000" once the image is
loaded at ImageBase "00400000"). Now open the CrackMe in your HexEditor and look
in the Code Section, because we need some empty space ;) Well, there's plenty of
it at offset "00000500", so that's where our code goes.

Ok, you're still in ProcDump? good ;) Because now replace the Entry Point
"00001000" with "00001100". Why "00001100" ??? Because if you look at the
Section table you'll see that "00001000" is the "Virtual Address" of the section
whose "Raw Address" (file offset) is "00000400". So raw offset "00000500" is
0x100 bytes into the section, and its Virtual Address is 0x1000 + 0x100 =
"00001100" :) Ok, change it, close ProcDump, and now we need to Code our own
stuff ;) (do it in the way you want).
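Since the inline patch is going to lay down the same "EB 11" that Method 1 counted by hand, here is the displacement arithmetic of Methods 1 and 3 (and the NOP patch of Method 2) done in code, so you can check a count before touching the file. This is an added example and not part of the original tutorial: the byte string is the listing from above (raw 0x426 to 0x44B), and the raw 0x400 <-> VA 0x401000 mapping is the one ProcDump reports for this CrackMe. The function and constant names are my own.

```python
"""Short-jump / near-call displacement arithmetic from Methods 1 and 3, plus the
NOP patch of Method 2, applied to the CrackMe's bytes.

Added example, not part of the original tutorial.  CODE below is the code the
tutorial lists at raw offset 0x426 (VA 0x401026); the section mapping
raw 0x400 <-> VA 0x401000 is the one the tutorial reports from ProcDump.
"""
import struct

RAW_BASE = 0x400        # PointerToRawData of the code section (from the tutorial)
VA_BASE = 0x401000      # ImageBase 0x400000 + section VirtualAddress 0x1000

# Bytes at raw 0x426 .. 0x44B as listed by W32Dasm / the hex editor
CODE = bytes.fromhex(
    "6A00"              # 401026  push 0              (hWnd)
    "6871304000"        # 401028  push 00403071       ("Remove Me!")
    "687C304000"        # 40102D  push 0040307C       ("NAG NAG")
    "6A00"              # 401032  push 0              (uType)
    "E807000000"        # 401034  call 00401040       (MessageBoxA thunk)
    "6A00"              # 401039  push 0              (exit code)
    "E806000000"        # 40103B  call 00401046       (ExitProcess thunk)
    "FF2508204000"      # 401040  jmp [00402008]      (-> MessageBoxA)
    "FF2500204000"      # 401046  jmp [00402000]      (-> ExitProcess)
)
CODE_RAW = 0x426        # raw file offset of CODE[0]


def raw_to_va(raw):
    return VA_BASE + (raw - RAW_BASE)


def va_to_raw(va):
    return RAW_BASE + (va - VA_BASE)


def short_jmp(at_va, target_va):
    """EB rel8: the displacement is counted from the end of the 2-byte instruction."""
    rel = target_va - (at_va + 2)
    if not -128 <= rel <= 127:
        raise ValueError(f"target {target_va:#x} out of rel8 range from {at_va:#x}")
    return b"\xEB" + struct.pack("<b", rel)


def near_call(at_va, target_va):
    """E8 rel32: counted from the end of the 5-byte instruction, 4 bytes little-endian."""
    rel = target_va - (at_va + 5)
    return b"\xE8" + struct.pack("<i", rel)


def patch(buf, raw, new):
    """Overwrite bytes at file offset `raw` inside a buffer that starts at CODE_RAW."""
    i = raw - CODE_RAW
    out = bytearray(buf)
    out[i:i + len(new)] = new
    return bytes(out)


def method1(buf=CODE):
    # push 0 at 401026 -> short jump to the push 0 / call ExitProcess at 401039
    return patch(buf, 0x426, short_jmp(0x401026, 0x401039))


def method2(buf=CODE):
    # NOP the 5-byte call MessageBoxA at 401034 (its args stay on the stack; ExitProcess follows)
    return patch(buf, 0x434, b"\x90" * 5)


def method3(buf=CODE):
    # the call at 401034 now targets the ExitProcess thunk at 401046
    return patch(buf, 0x434, near_call(0x401034, 0x401046))


if __name__ == "__main__":
    for name, fn in (("Method 1", method1), ("Method 2", method2), ("Method 3", method3)):
        print(name, fn().hex(" ").upper())
```

`near_call` also reproduces the displacements W32Dasm shows for the original calls (07 for 401034 -> 401040, 1A for 401021 -> 401040), which is a quick way to confirm the counting rule before writing a patch.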
We need to replace "6A00" with "EB11" at offset "00401026" :) So i coded this at
offset "00401100" (raw offset "00000500"):

-------------------------------------------------------------------------------
mov word ptr [00401026], 11EB   ; 66 C7 05 26 10 40 00 EB 11
push 00401000                   ; 68 00 10 40 00
ret                             ; C3
-------------------------------------------------------------------------------

Watch the immediate: x86 stores it little-endian, so the word "11EB" is what lays
down the bytes "EB 11" in memory (an immediate of "EB11" would write "11 EB" and
you'd still get the NAG). The push/ret pair is just a jump back to the Real Entry
Point "00401000".

Ok, now the Code is there, save the File and run it.... aarghhh !!! error ;)
Hehe, i think i already know what this is ;) the Size of the Section isn't large
enough =) So open the CrackMe again in ProcDump and look at the first Section:
the "Raw Size" is "0000004C". That's too short: the loader only copies "Raw Size"
bytes starting at "Raw Address", so our code at raw offset 0x500 (0xB4 bytes past
the end at 0x44C) is never loaded, and the new Entry Point lands on zero-filled
memory instead of our code. Change it to "00000200" (that covers our code 0x100
bytes into the section and is one file-alignment unit). And change the
Characteristics to "E0000040" as well: this is not just "in case", because the
"mov word ptr [00401026]" writes into the code section, and the loader only maps
a section writable if its Characteristics include IMAGE_SCN_MEM_WRITE
("80000000"). "E0000040" is Execute + Read + Write ("E0000000") plus Initialized
Data ("00000040"). That's it, close ProcDump and run the File, now it works ;P

That's All...

---> Greetings...

To be honest i'm getting a bit sick of these greetings every time ;P So i'll
just say: Greetings to everyone i know, and to everyone who knows me, and You... ;P

Don't trust the Outside, trust the InSiDe !!!

Cya...
CoDe_InSiDe

Email:    code.inside@home.nl
Homepage: http://codeinside.cjb.net
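The three header edits of Method 4 (Entry Point, Raw Size, Characteristics) plus the stub itself, as a script that works on the PE headers rather than by hand in ProcDump. This is an added example and not the tutorial's code. It builds a small constructed PE32 file with the layout the tutorial reports for this CrackMe (one code section at Virtual Address 0x1000 / Raw Address 0x400 / Raw Size 0x4C, Entry Point 0x1000, ImageBase 0x400000) so that it runs offline; the e_lfanew of 0x80, the NOP filler for the first two Message Boxes (whose bytes the tutorial doesn't list) and the function names are my own assumptions. The last function applies on disk what the stub's "mov" would do in memory, so you can see the "EB 11" land at raw 0x426 before running anything.

```python
"""Method 4 (inline patch) as a script against the PE headers.

Added example, not the tutorial's own code.  build_sample_pe() constructs a
minimal PE32 with the layout the tutorial reports (one code section,
VirtualAddress 0x1000, PointerToRawData 0x400, SizeOfRawData 0x4C, entry point
0x1000, ImageBase 0x400000); e_lfanew 0x80 and the NOP filler before 0x41F are
assumptions.  Header offsets are the standard PE32 layout.
"""
import struct

IMAGE_BASE = 0x400000
PE_SIG_OFF = 0x80                       # e_lfanew chosen for the constructed file
OPT_HDR_OFF = PE_SIG_OFF + 4 + 20       # optional header follows the 20-byte COFF header
SECT_HDR_OFF = OPT_HDR_OFF + 0xE0       # first section header after the 224-byte PE32 optional header

# The Method 4 stub, placed at RVA 0x1100 / raw 0x500:
#   mov word ptr [00401026], 11EB   -> bytes EB 11 land at 401026 (little-endian immediate)
#   push 00401000 ; ret             -> jump back to the real entry point
STUB = bytes.fromhex("66C705" "26104000" "EB11" "68" "00104000" "C3")


def build_sample_pe():
    """Constructed minimal PE32 with one .text section; the code bytes are the tutorial's."""
    img = bytearray(0x600)                                  # room up to the next file-alignment boundary
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, PE_SIG_OFF)            # e_lfanew
    img[PE_SIG_OFF:PE_SIG_OFF + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, PE_SIG_OFF + 4,
                     0x14C, 1, 0, 0, 0, 0xE0, 0x010F)        # i386, 1 section, PE32 opt hdr, EXE
    struct.pack_into("<H", img, OPT_HDR_OFF, 0x10B)           # PE32 magic
    struct.pack_into("<I", img, OPT_HDR_OFF + 16, 0x1000)     # AddressOfEntryPoint
    struct.pack_into("<I", img, OPT_HDR_OFF + 28, IMAGE_BASE)
    struct.pack_into("<II", img, OPT_HDR_OFF + 32, 0x1000, 0x200)   # SectionAlignment, FileAlignment
    struct.pack_into("<II", img, OPT_HDR_OFF + 56, 0x3000, 0x400)   # SizeOfImage, SizeOfHeaders
    # .text header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<8sIIII", img, SECT_HDR_OFF, b".text\0\0\0", 0x4C, 0x1000, 0x4C, 0x400)
    struct.pack_into("<I", img, SECT_HDR_OFF + 36, 0x60000020)      # code | execute | read, no write
    img[0x400:0x41F] = b"\x90" * 0x1F                               # constructed filler (first two boxes)
    img[0x41F:0x44C] = bytes.fromhex(                                # listing from the tutorial
        "6A00E81A000000" "6A006871304000687C3040006A00E807000000" "6A00E806000000"
        "FF2508204000FF2500204000")
    return bytes(img)


def section(img):
    """(VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics) of the first section."""
    va, raw_size, raw_ptr = struct.unpack_from("<III", img, SECT_HDR_OFF + 12)
    chars, = struct.unpack_from("<I", img, SECT_HDR_OFF + 36)
    return va, raw_size, raw_ptr, chars


def entry_point(img):
    return struct.unpack_from("<I", img, OPT_HDR_OFF + 16)[0]


def rva_to_raw(img, rva):
    va, _, raw_ptr, _ = section(img)
    return raw_ptr + (rva - va)


def apply_inline_patch(img, stub_rva=0x1100):
    out = bytearray(img)
    raw = rva_to_raw(out, stub_rva)
    out[raw:raw + len(STUB)] = STUB
    struct.pack_into("<I", out, OPT_HDR_OFF + 16, stub_rva)          # Entry Point -> our code
    _, raw_size, raw_ptr, _ = section(out)
    if raw_size < raw + len(STUB) - raw_ptr:                        # the tutorial's error: 0x4C never loads 0x500
        struct.pack_into("<I", out, SECT_HDR_OFF + 16, 0x200)        # Raw Size: one file-alignment unit
    struct.pack_into("<I", out, SECT_HDR_OFF + 36, 0xE0000040)       # + IMAGE_SCN_MEM_WRITE so the mov may write
    return bytes(out)


def preview_stub_effect(img):
    """Apply on disk what the stub's 'mov word ptr [addr], imm16' does in memory."""
    raw = rva_to_raw(img, entry_point(img))
    assert img[raw:raw + 3] == b"\x66\xC7\x05"                      # mov word ptr [disp32], imm16
    addr, imm = struct.unpack_from("<IH", img, raw + 3)
    out = bytearray(img)
    struct.pack_into("<H", out, rva_to_raw(img, addr - IMAGE_BASE), imm)
    return bytes(out)


if __name__ == "__main__":
    patched = apply_inline_patch(build_sample_pe())
    print(f"entry {entry_point(patched):#x}, section {tuple(hex(x) for x in section(patched))}")
    print("bytes at 0x426 once the stub has run:", preview_stub_effect(patched)[0x426:0x428].hex().upper())
```

The file bytes at 0x426 stay "6A 00" after the patch; only the stub's write in memory turns them into "EB 11", which is why the Characteristics change is part of the patch and not optional.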