╔═══════════════════════════════════╗
║        PatchMe-1 by cRyPt         ║
╚═══════════════════════════════════╝

This Tutorial is best viewed in Terminal font :)

Tools: SoftICE v4.05
       Hex Editor (Or at least something to change its code)

Hi, me here ;)
Been a long time since I've done a CrackMe hehe. Hmm... "PatchMe-1 by cRyPt", and at the CrackMe Website the name was "Gulhadore" :) Ah well, who cares :P

I don't think I'm going to explain this CrackMe too much since it's not difficult, but maybe a little bit confusing for the Newbie ;) (Or maybe I'm still going to explain it more than I actually want, damn, why does that always happen to me? ;) I think it's because I like to write about simple things :P Take for example that CrackMe from Acid_Cool_178. That was also a CrackMe where you needed to Patch away a NAG, and I wrote a pretty big Tutorial for just Patching a NAG away ;) Anyway, let's continue...

As the ReadMe (And the Title of this CrackMe) says, we need to Patch it. Our only goal is to remove the NAG. Well, how hard can it be? Right? ;)

I'm going to break on the EP (Entry Point) and show you a deadlisting made with IceDump. But first, let's just run the CrackMe. Open it and we'll be presented with a Message Box saying:

    Hello-World-Demo
    PatchMe by cRypt

Hey, now it's made by cRypt, hmm... (cRyPt, Gulhadore, cRypt <- Typo, I'm sure ;)
Click on "Ok" and we'll get another Message Box:

    Hello-World-Demo
    Send solutions to: kamikaze2@edsamail.com.ph

Ok, his Email for sending solutions to ;) Click "Ok" again and we get another Message Box:

    -ReMOVe Me-
    --Please Register Now--

Aha, this is probably the NAG we're looking for ;) Press "Ok" again and the CrackMe quits. So we need to be on the lookout for the third Message Box.

Now here's the deadlisting made with IceDump from the CrackMe's EP (Entry Point).
(Btw, you can also just use W32Dasm but I'll use SoftICE :P)

-------------------------------------------------------------------------------------------------
00401000  jmp 0040100E                   <- EP, jump to 0040100E
00401005  nop
00401006  nop
00401007  nop
00401008  jmp [USER32!MessageBoxA]
0040100E  mov ecx, 00000000              ECX = 00000000
00401013  push ecx                       Save ECX (Style of the Message Box)
00401014  push 00403000                  "Hello-World-Demo"
00401019  push 00403011                  "PatchMe by cRypt"
0040101E  push 00000000                  Save 00000000 (No owner window)
00401023  call USER32!MessageBoxA        Call Message Box 1
00401028  push 00403000                  "Hello-World-Demo"
0040102D  push 00403022                  "Send solutions to: kamikaze2@edsamail.com.ph"
00401032  push 00000000                  Save 00000000 (No owner window)
00401037  call USER32!MessageBoxA        Call Message Box 2
0040103C  push 0040304F                  "-ReMOVe Me-"
00401041  push 0040305B                  "--Please Register Now--"
00401046  push 00000000                  Save 00000000 (No owner window)
0040104B  call USER32!MessageBoxA        Call Message Box 3
00401050  pop ecx                        Restore ECX
00401051  push 00000000                  Save 00000000
00401056  push 00401061                  Save 00401061 (Useless Offset ;)
0040105B  jmp [KERNEL32!ExitProcess]     And exit the process
-------------------------------------------------------------------------------------------------

This is all there is :)

First thing you need to know is the structure of the MessageBoxA API, here it is:

    int MessageBox(
        HWND hWnd,          // handle of owner window
        LPCTSTR lpText,     // address of text in message box
        LPCTSTR lpCaption,  // address of title of message box
        UINT uType          // style of message box
    );

Now take a look at the Deadlisting... Notice something weird? :) The first Message Box is just normal (4 pushes) but the next Message Box has only 3 pushes, and the third one also just 3 pushes. He's just playing with the Stackdump ;) Of course you can just use 3 pushes for a Message Box, but the problem is that the Stackdump will be "corrupted" (MessageBoxA is stdcall, so it always removes 4 arguments from the stack, whether you pushed 4 or only 3).
BUT because he's using the API ExitProcess it's not a problem :) If he had used the "ret" instruction instead then he would first need to fix the Stackdump ;)

So, how are we going to Patch the NAG away?

One option could be to simply NOP away the third call to the MessageBoxA API (Like I said before, because of ExitProcess right after it the pushes aren't a problem).
Another option could be to jump to the ExitProcess after the call to the second MessageBoxA (So that it simply doesn't call the third Message Box ;).
And another option could be to fix the Stackdump after the second MessageBoxA call, and then call ExitProcess (Or just use ExitProcess straight away after it, without fixing the Stackdump).

I'm going to do the third option, I'll leave any other kind of options to you ;)

So after the second call to the MessageBoxA API, we're going to insert a call to ExitProcess. First here's the structure of the ExitProcess API:

    VOID ExitProcess(
        UINT uExitCode      // exit code for all threads
    );

Let's just say:

    push 00000000
    jmp ExitProcess

is enough to know ;))

The Offset we're going to patch is at 0040103C. (This is in memory/Virtual, not in the file itself/Raw). I'm not going to explain now how to convert it, you can also use W32Dasm, then go to this Virtual Offset, and look at the bottom of W32Dasm ;) Anyway, the Raw Offset is 0000043C.

But wait a second, what's the Hex for "push 00, jmp ExitProcess"? ;) I haven't shown the Hex in the Deadlisting above because otherwise the comments would go too far to the right :) But if you're in SoftICE you can see the Hex for it, in the last instructions.

    push 00000000   = 6A 00               (Ok, in the CrackMe it's 68 00 00 00 00 but 6A 00 is shorter ;)
    jmp ExitProcess = FF 25 08 20 40 00   (00402008 is the place in the IAT for ExitProcess)

Now open your Hex Editor or whatever and go to Offset 0000043C.
Change this:

    68 4F 30 40 00 68 5B 30 40 00

into:

    6A 00 FF 25 08 20 40 00 xx xx

(xx can be anything because that won't be executed anymore :)

Now save the file (Or make a backup...?) and run it. It works, right? After the second Message Box the CrackMe quits? If so that's good and it was supposed to do that ;)

Ok, I'm going to quit now...

---

Comments

Hmm... the Tutorial hasn't become too big ;) I hope you learned something from this Tutorial, and I also hope that I explained it well enough for you :)

Now in this CrackMe we could use ExitProcess with no problems, but if you would do that in a program then that whole program would quit (Or in the worst case crash (?) hehe ;P). Then you could use the NOP's and fix the Stack, or just simply a "ret" if the Message Box routine has been called with a "call", but keep track of return values... You figure it out, you go wild, I'm going to quit...

Btw, has the CrackMe now been made by "cRyPt" or "Gulhadore" ......... (?) :P

---

Greetings

"Everyone I know and everyone who knows me !!!"

Don't trust the Outside, Trust the InSiDe !!!

Cya...

CoDe_InSiDe

Homepage:       http://members.home.nl/code.inside
Unpacking page: http://www.lunarpages.com/codeinside
Email:          code.inside@home.nl
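Added example, not part of CoDe_InSiDe's tutorial: the two steps the text skips over or does by hand, namely converting the Virtual Offset 0040103C to the Raw Offset 0000043C from the PE section table, and applying the 8-byte patch only after checking that the original bytes (68 4F 30 40 00 68 5B 30 40 00) are really there. The section layout in build_sample_pe is an assumption (a constructed stand-in with image base 00400000 and a .text section at RVA 1000 / raw 400, which is what the tutorial's numbers imply), not the real CrackMe file; the PE header field offsets are the standard ones. The byte values are the tutorial's own.

```python
import struct

# Bytes from the tutorial: the two "push" instructions at raw offset 0x43C
# (virtual address 0040103C) and the "push 0 / jmp [ExitProcess]" that replaces them.
ORIGINAL_BYTES = bytes.fromhex("68 4F 30 40 00 68 5B 30 40 00")
PATCH_BYTES = bytes.fromhex("6A 00 FF 25 08 20 40 00")
NAG_VA = 0x0040103C
IMAGE_BASE_FIELD = 28   # ImageBase sits 28 bytes into a PE32 optional header


def read_pe_layout(pe):
    """Parse the PE32 headers and return (image_base, sections), where each
    section is (virtual_address, virtual_size, pointer_to_raw_data, size_of_raw_data)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    image_base = struct.unpack_from("<I", pe, opt + IMAGE_BASE_FIELD)[0]
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + i * 40        # IMAGE_SECTION_HEADER entries follow the optional header
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_raw(va, image_base, sections):
    """Map a virtual address to its file offset: (VA - ImageBase - SectionVA) + PointerToRawData."""
    rva = va - image_base
    for sec_va, sec_vsize, raw_ptr, raw_size in sections:
        if sec_va <= rva < sec_va + max(sec_vsize, raw_size):
            delta = rva - sec_va
            if delta >= raw_size:
                raise ValueError("address is in the uninitialised part of the section (no file bytes)")
            return raw_ptr + delta
    raise ValueError("address does not fall inside any section")


def apply_patch(pe, raw_offset, expected, replacement):
    """Overwrite bytes at raw_offset only if the file still holds the expected bytes there,
    so a wrong offset, a different build, or an already patched file is refused."""
    if len(replacement) > len(expected):
        raise ValueError("replacement would run past the instructions being replaced")
    found = pe[raw_offset:raw_offset + len(expected)]
    if found != expected:
        raise ValueError("original bytes not found at 0x%X: %s" % (raw_offset, found.hex()))
    out = bytearray(pe)
    out[raw_offset:raw_offset + len(replacement)] = replacement
    return bytes(out)


def patch_nag(pe):
    """Locate the NAG's pushes through the PE headers and replace them with push 0 / jmp [ExitProcess]."""
    image_base, sections = read_pe_layout(pe)
    return apply_patch(pe, va_to_raw(NAG_VA, image_base, sections), ORIGINAL_BYTES, PATCH_BYTES)


def build_sample_pe():
    """Constructed stand-in for the CrackMe (an assumption, not the real file): a PE32 header with
    image base 00400000 and .text/.rdata/.data sections laid out so that 0040103C maps to 0x43C."""
    secs = [(b".text", 0x1000, 0x1000, 0x200, 0x400),     # (name, VA, VirtualSize, SizeOfRawData, PointerToRawData)
            (b".rdata", 0x2000, 0x1000, 0x200, 0x600),
            (b".data", 0x3000, 0x1000, 0x200, 0x800)]
    img = bytearray(0xA00)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)              # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    coff = 0x44
    struct.pack_into("<HHIIIHH", img, coff, 0x14C, len(secs), 0, 0, 0, 0xE0, 0x102)
    opt = coff + 20
    struct.pack_into("<H", img, opt, 0x10B)              # PE32 magic
    struct.pack_into("<I", img, opt + IMAGE_BASE_FIELD, 0x00400000)
    for i, (name, va, vsize, raw_size, raw_ptr) in enumerate(secs):
        hdr = opt + 0xE0 + i * 40
        img[hdr:hdr + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", img, hdr + 8, vsize, va, raw_size, raw_ptr)
    img[0x43C:0x43C + len(ORIGINAL_BYTES)] = ORIGINAL_BYTES
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_pe()
    patched = patch_nag(sample)
    print("0x43C: %s -> %s" % (sample[0x43C:0x446].hex(" "), patched[0x43C:0x446].hex(" ")))
```

Running it prints the ten bytes before and after the patch; the last two bytes (the "xx xx" of the tutorial) are simply left as they were, since they are never executed. To use the functions on a real file, read it with open(path, "rb"), pass the bytes to patch_nag, and write the result to a new file so the original stays as the backup.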