Inline patching UPX
 
Theory

In the previous tutorial we learned about unpacking a UPX packed program. In this tutorial, I'm going to show you how to make an inline patch.

First of all, what is an inline patch?
An inline patch patches the code at runtime. To be exact: we let the packer's loader completely unpack the program, and at the point where it is about to jump to the OEP we redirect that jump to our own code, which patches the necessary bytes. Then we jump to the OEP ourselves. Now the patched program can run happily :) The patch has to go in at that point and not earlier, because before the loader has finished, the bytes we want to change are still compressed and don't exist in memory yet.

Why would we make an inline patch if we can unpack it?
Well, if we unpack the target, the file size will be much larger, and you can't write a small patch for it: if you want to spread your crack, you have to spread the entire executable...:( With an inline patch you change only a handful of bytes in the packed file, so you can make a very small standalone patch. As more and more software is packed, this is the way of patching for the future!


To show you how to make an inline patch, I packed the editor with the nagscreen from the 'How to remove nagscreens' tutorial with UPX and scrambled it, so it can't simply be unpacked with UPX's own -d switch. Get it here[inlinebins.zip - MISSING].
Finding the info we need

TOOLS : SoftIce, Hexeditor

Ok, if you read the 'Kill nagscreens' tut, you know how to patch the nagscreen.

I showed you 3 ways of doing this. I'll use the second way, because it only requires a 1 byte patch:

00401258 EB2D jmp 00401287

We have to change the EB2D to EB1D, so the short jump lands at 00401277 instead of 00401287.
So, only one byte has to change: the 2D at address 00401259 becomes 1D.

I always use SoftIce for inline patching.
Before we start tracing for the OEP, we need to find a little free space for our code: a run of unused (zero) bytes inside a section. Fire up your hexeditor and load the executable. I always try to use free space at the end of a section. I do this for 2 reasons:

- There is less chance that the space is going to be used by the packer
- If we need more space than is available, we can easily create more (by making the section larger)

One caveat: the bytes you use must lie inside the section's raw data (its SizeOfRawData), otherwise they are never loaded into memory and your code will not be there at runtime.

Ok, I found some space after the ImportTable (VA : 4171D6, file offset : 67D6)


Let's patch this baby ;)

Tracing the code and adding our own code

Trace the code until you find the jump to the OEP. (If you don't know how, check the previous tutorial about UPX unpacking.)



0041606D 09C0         or eax, eax
0041606F 7407         je 00416078
00416071 8903         mov dword ptr [ebx], eax
00416073 83C304       add ebx, 00000004
00416076 EBE1         jmp 00416059
* Referenced by a (U)nconditional or (C)onditional Jump at Address:0041606F(C)


00416078 FF9620610100 call dword ptr [esi+00016120]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:00416040(C)


0041607E 61           popad
0041607F E97CAFFEFF   jmp 00401000 ; Jump to OEP

Instead of jumping to the OEP, we are going to redirect that jump to our free space.
Step until you are at address 41607F, press 'a' and type 'jmp 4171D6' (our free space). SoftIce assembles this to E9 52 11 00 00, the same 5 bytes as the original jump, so nothing after it is disturbed.
Press enter twice (the empty line ends the assembler), and F10 once to take the jump.


Ok, now we are at the free space, press 'a' again, now we can enter our patching commands :

mov byte ptr [401259], 1D ; Change the byte
jmp 401000 ; jump to OEP

This code changes the byte at address 401259 from 2D to 1D (check the nagscreen tut if you don't know why we change this byte), so after this line is executed, the program is patched. Next we jump to the OEP and execute the patched program. Note that writing into the code section with a plain mov only works because UPX leaves its sections writable; on a packer that restores read-only page protection before jumping to the OEP, you would have to call VirtualProtect from your stub first.

Write down or dump the bytes you changed (the new jmp at 41607F and the mov/jmp stub at 4171D6), convert the addresses to file offsets (4171D6 is at file offset 67D6), and change them in your hexeditor.

Load the target...yup, it worked, the nag is gone!
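The steps above, as an added example that is not part of the original tutorial: a small Python patcher that assembles the two pieces of code (the redirected jump at 41607F and the mov/jmp stub in the free space) from the tutorial's addresses, checks the file before touching it, and writes the bytes, so you don't have to copy them out of SoftIce by hand. The addresses, the OEP and the file offset 67D6 come from the tutorial; the image buffer is constructed here for testing, and the VA-to-file-offset mapping assumes the hook at 41607F lies in the same section as the free space (if it doesn't, take its offset from the PE section table instead).

```python
"""Build and apply the inline patch from the tutorial.

Added example, not the tutorial's own code.  Addresses come from the
tutorial's listing; the dummy image and the same-section assumption for
the VA -> file offset mapping are ours.
"""
import struct

OEP = 0x401000          # 'jmp 00401000' after the popad
HOOK_VA = 0x41607F      # address of that jump
FREE_VA = 0x4171D6      # free space after the import table
FREE_OFFSET = 0x67D6    # its file offset, from the tutorial
PATCH_VA = 0x401259     # the 2D in 'EB2D jmp 00401287'
PATCH_BYTE = 0x1D       # turns it into 'EB1D'

# Tutorial gives VA 4171D6 <-> file offset 67D6.  Assumption: the hook at
# 41607F lies in the same section, so the same delta applies.
VA_TO_OFFSET_DELTA = FREE_VA - FREE_OFFSET


def va_to_offset(va):
    """File offset of a VA, under the same-section assumption above."""
    return va - VA_TO_OFFSET_DELTA


def encode_jmp(src_va, dst_va):
    """E9 rel32: displacement is relative to the end of the 5-byte jmp."""
    rel = dst_va - (src_va + 5)
    return b"\xE9" + struct.pack("<i", rel)


def encode_mov_byte_abs(addr, imm8):
    """C6 05 disp32 imm8: 'mov byte ptr [addr], imm8' in 32-bit code."""
    return b"\xC6\x05" + struct.pack("<I", addr) + bytes([imm8])


def build_stub(free_va):
    """Code for the free space: patch the byte, then jump to the OEP."""
    mov = encode_mov_byte_abs(PATCH_VA, PATCH_BYTE)
    jmp = encode_jmp(free_va + len(mov), OEP)
    return mov + jmp


def apply_inline_patch(image):
    """Return a patched copy of the packed file's bytes.

    Refuses to patch unless the hook still holds the original jump to the
    OEP and the free space really is empty (all zero bytes).
    """
    img = bytearray(image)
    hook_off = va_to_offset(HOOK_VA)
    free_off = va_to_offset(FREE_VA)
    expected = encode_jmp(HOOK_VA, OEP)          # E9 7C AF FE FF
    if img[hook_off:hook_off + 5] != expected:
        raise ValueError("hook site does not contain the original 'jmp OEP'")
    stub = build_stub(FREE_VA)
    if any(img[free_off:free_off + len(stub)]):
        raise ValueError("free space is not empty")
    img[hook_off:hook_off + 5] = encode_jmp(HOOK_VA, FREE_VA)
    img[free_off:free_off + len(stub)] = stub
    return bytes(img)


def constructed_image():
    """Constructed stand-in for the packed file: filler everywhere, the
    original 'jmp OEP' at the hook offset, zero padding at the free space."""
    img = bytearray(b"\xCC" * 0x7000)
    hook_off = va_to_offset(HOOK_VA)
    img[hook_off:hook_off + 5] = encode_jmp(HOOK_VA, OEP)
    img[FREE_OFFSET:FREE_OFFSET + 16] = bytes(16)
    return bytes(img)


if __name__ == "__main__":
    patched = apply_inline_patch(constructed_image())
    print("hook :", encode_jmp(HOOK_VA, FREE_VA).hex())
    print("stub :", build_stub(FREE_VA).hex())
    print("patched at 0x%X and 0x%X" % (va_to_offset(HOOK_VA), FREE_OFFSET))
```

To use it on the real target, pass `open(path, "rb").read()` to `apply_inline_patch` instead of the constructed image and write the result back out. The 2D at 401259 cannot be checked in the file, because in the packed file that byte is still compressed; that check belongs in the debugger after the unpack, which is exactly why the stub runs at the jump to the OEP and not earlier.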

If you have questions or remarks about this tutorial, feel free to mail me.

Detten
Detn@hotmail.com

Greetz to

Miele, Denoader, Figugegl, woody, and to all crackers out there!
