TARGET 		: abexcrackme1.exe
GOAL		: Patch the program so it thinks the Harddisk is a CD-ROM.
TOOLS USED 	: W32DASM, Hexworkshop
LEVEL		: Absolute Newbies

Before we start patching this proggy, look at the following theory:

------------------------------------------------------------------------------------
UINT GetDriveType(

    LPCTSTR lpRootPathName 	// address of root path 
   );	
 

Return Values

The return value specifies the type of drive. It can be one of the following values: 

Value			Meaning
0			The drive type cannot be determined.
1			The root directory does not exist.
2	DRIVE_REMOVABLE	The disk can be removed from the drive.
3	DRIVE_FIXED	The disk cannot be removed from the drive.
4	DRIVE_REMOTE	The drive is a remote (network) drive.
5	DRIVE_CDROM	The drive is a CD-ROM drive.
6	DRIVE_RAMDISK	The drive is a RAM disk.
-------------------------------------------------------------------------------------

How did I find this information? Download win32.hlp (link on this site).
Now, what use is this information? The return value will be placed in eax.
So what we want is a return value of 5, but Windows will return 3.
We will have to patch this... :)
This can be done in 2 ways: patch the check after GetDriveType (**), or patch the parameter (***) to your CD-ROM drive letter.

Fire up w32dasm, and search the import table for GetDriveTypeA. Found it? It brings you here:


:00401000 6A00                    push 00000000
:00401002 6800204000              push 00402000

* Possible StringData Ref from Data Obj ->"Make me think your HD is a CD-Rom."
                                  |
:00401007 6812204000              push 00402012
:0040100C 6A00                    push 00000000

* Reference To: USER32.MessageBoxA, Ord:0000h
                                  |
:0040100E E84E000000              Call 00401061

* Possible StringData Ref from Data Obj ->"c:\"
                                  |
:00401013 6894204000   	(***)     push 00402094 ; parameter for GetDriveTypeA

* Reference To: KERNEL32.GetDriveTypeA, Ord:0000h 
                                  |
:00401018 E838000000              Call 00401055	; return value in eax
:0040101D 46                      inc esi	; move pointer
:0040101E 48                      dec eax	; decrement eax 
:0040101F EB00                    jmp 00401021

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040101F(U)
|
:00401021 46                      inc esi	; move pointer
:00401022 46                      inc esi	; move pointer
:00401023 48                      dec eax	; decrement eax
:00401024 3BC6    	(**)      cmp eax, esi	; compare (return value-2) with a pointer address 
:00401026 7415                    je 0040103D	; if equal, jump to CDROM-Msgbox

; HARDDISK-MessageBox

:00401028 6A00                    push 00000000  

* Possible StringData Ref from Data Obj ->"Error"
                                  |
:0040102A 6835204000              push 00402035

* Possible StringData Ref from Data Obj ->"Nah... This is not a CD-ROM Drive!"
                                  |
:0040102F 683B204000              push 0040203B
:00401034 6A00                    push 00000000

* Reference To: USER32.MessageBoxA, Ord:0000h
                                  |
:00401036 E826000000              Call 00401061
:0040103B EB13                    jmp 00401050

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401026(C)

; CDROM-MessageBox

:0040103D 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"YEAH!"
                                  |
:0040103F 685E204000              push 0040205E

* Possible StringData Ref from Data Obj ->"Ok, I really think that your HD "
                                        ->"is a CD-ROM! :p"
                                  |
:00401044 6864204000              push 00402064
:00401049 6A00                    push 00000000

* Reference To: USER32.MessageBoxA, Ord:0000h
                                  |
:0040104B E811000000              Call 00401061

Ok, what have we seen in the code?

The crackme calls GetDriveTypeA, subtracts 2 from the return value, and compares it with a pointer address (esi). That means we will never get the CDROM-MessageBox without patching the check itself.
So solution (***) is useless...




SOLUTION :

Let's patch the jump after the check. Find it in W32Dasm (address = 401026) and look at the bottom bar: the FileOffset is shown there (626h).
Now fire up Hexworkshop and go to that offset (edit->goto).
As you can see in W32Dasm, the corresponding bytes for 'je 40103D' are 74 15.
What do these digits mean?

	74 = jump if equal
	15 = number of bytes to jump forward

We don't want a jump if equal, but an unconditional jump. Therefore we have to change the 74 to EB. How? Just type 'EB' over the '74'. Save the file, and run the crackme...did it work? It did here :))
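As an added illustration (not part of the original tutorial and not the crackme's own code), here is a small Python script that does the same thing the hex editor does, but with the bookkeeping spelled out: it maps the virtual address 401026 to the file offset 626h, decodes the short jump there, and checks that the two bytes really are 74 15 before overwriting the opcode with EB. The section values (code section at RVA 1000h, raw file offset 600h) are assumptions chosen to be consistent with the 401026 -> 626h mapping the tutorial shows, and the byte buffer is a constructed stand-in for the real file, so the script runs without abexcrackme1.exe present.

```python
import struct

# Assumed PE layout, consistent with the tutorial's 401026 -> 626h mapping.
IMAGE_BASE = 0x400000
SECTION_VA = 0x1000     # assumed RVA of the code section
SECTION_RAW = 0x600     # assumed raw file offset of that section
JE_VA = 0x401026        # address of 'je 0040103D' in the W32Dasm listing

# Short (8-bit displacement) jump opcodes we know how to decode.
SHORT_JUMPS = {0x74: "je", 0x75: "jne", 0xEB: "jmp"}


def va_to_file_offset(va, image_base=IMAGE_BASE,
                      section_va=SECTION_VA, section_raw=SECTION_RAW):
    """Map a virtual address to a file offset through one PE section."""
    return va - image_base - section_va + section_raw


def make_sample():
    """Constructed stand-in for the executable: NOP padding plus the
    bytes 74 15 at the offset where the real file has its 'je'."""
    buf = bytearray(b"\x90" * 0x700)
    off = va_to_file_offset(JE_VA)
    buf[off:off + 2] = b"\x74\x15"
    return bytes(buf)


def decode_short_jump(code, offset, va):
    """Decode a two-byte short jump at file offset `offset`, whose
    virtual address is `va`. Returns (mnemonic, target_va)."""
    opcode = code[offset]
    if opcode not in SHORT_JUMPS:
        raise ValueError(f"unexpected opcode {opcode:02X} at offset {offset:X}")
    # The displacement is a signed byte, counted from the end of the
    # 2-byte instruction, i.e. from the *next* instruction's address.
    rel = struct.unpack("b", code[offset + 1:offset + 2])[0]
    return SHORT_JUMPS[opcode], va + 2 + rel


def patch_je_to_jmp(code, offset):
    """Return a copy of `code` with the 'je' at `offset` turned into an
    unconditional 'jmp'. Only the opcode changes; the displacement byte
    (15h) stays, so the jump still lands on 0040103D."""
    if code[offset] != 0x74:
        raise ValueError("byte at offset is not 74 (je); refusing to patch")
    patched = bytearray(code)
    patched[offset] = 0xEB
    return bytes(patched)


if __name__ == "__main__":
    sample = make_sample()
    off = va_to_file_offset(JE_VA)
    print(f"file offset {off:X}:", decode_short_jump(sample, off, JE_VA))
    patched = patch_je_to_jmp(sample, off)
    print(f"after patch  :", decode_short_jump(patched, off, JE_VA))
```

The same `va + 2 + rel` rule explains the other short jumps in the listing: EB 13 at 0040103B lands on 00401050, and EB 00 at 0040101F falls through to 00401021. To apply the patch to the real file you would read it into `bytes`, run `patch_je_to_jmp` on it, and write the result back, keeping the original as a backup.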

I hope this tutorial was clear; if you have any questions, mail me.
If you find this tutorial too easy, try a harder one :)

Greetings,

Detten
Detn@hotmail.com
