*************************************************************************************************
                                  Muad'Dib's ReverseMe #1
*************************************************************************************************

Author:      Muad'Dib
Protection:  Make the Exit Button work as an Exit Button
URL:         http://www.immortaldescendants.org/users/santmat/reversemes/rm_muaddib.zip
Tools:       W32Dasm V8.93
             Hex-Editor

---> Intro...

Welcome to my next Tutorial !!! This time it's a ReverseMe from Muad'Dib :)
The only thing we need to do is make the Exit Button work as an Exit Button, very simple :)

---> Let's Begin...

Ok, open up the ReverseMe and you'll see a window with just one button: the Exit Button :)
Click on it and you'll see a Message Box saying:

"Your job is to make me work as an exit button!"

Ok, this explains it all :) Now close the ReverseMe and open the file in W32Dasm.
Then click on "Strn Ref" (String Data References) and you'll see just two strings:

"GOAL:"
"Your job is to make me work as "

Double click on the first one and you'll see this:

-------------------------------------------------------------------------------------------------
:00401035 8B4510                  mov eax, dword ptr [ebp+10]
:00401038 6683F864                cmp ax, 0064
:0040103C 752A                    jne 00401068                   <--- Interesting Jump ;)
:0040103E 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"GOAL:"
                                  |
:00401040 682F304000              push 0040302F

* Possible StringData Ref from Data Obj ->"Your job is to make me work as "
                                        ->"an exit button!"
                                  |
:00401045 6800304000              push 00403000
:0040104A FF7508                  push [ebp+08]

* Reference To: USER32.MessageBoxA, Ord:01BBh
                                  |
:0040104D E832000000              Call 00401084
:00401052 EB14                    jmp 00401068
-------------------------------------------------------------------------------------------------

Now look at that "Interesting Jump" :) Let's see where it leads to:

-------------------------------------------------------------------------------------------------
:00401068 C9                      leave                          <--- It jumps to this place
:00401069 C21000                  ret 0010

* Referenced by a CALL at Address:
|:00401024
|

* Reference To: KERNEL32.ExitProcess, Ord:0075h
                                  |
:0040106C FF2504204000            Jmp dword ptr [00402004]       <--- Hmm... ExitProcess API ;)
-------------------------------------------------------------------------------------------------

As you can see, the jump lands on the instructions "leave, ret 0010", so the Message Box just disappears and nothing more happens. But do you see the nice ExitProcess API just below? ;)
We're going to let it jump to that API instead of to "leave, ret 0010". So change:

jne 00401068

into:

jmp 0040106C

And now the program exits correctly :) I think I don't need to tell you how to change this in your Hex-Editor, but I'll do it anyway ;)
Go to offset 0000043C and you'll see:

752A

Change it into this:

EB2E

That's all :) Now when you press the Exit Button the program quits. Job done...

---> Greetings...

Everybody from TrickSoft (www.TrickSoft.net)
Everybody from Cracking4Newbies (www.Cracking4Newbies.com)
Everybody from Keygenning4Newbies (Keygenning4Newbies.cjb.net)
Everybody from ReverseMes (ReverseMes.cjb.net)
And You...

Don't trust the Outside, trust the InSiDe !!!

Cya...

CoDe_InSiDe

Email: code.inside@home.nl
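Added worked example (mine, not part of the original tutorial and not the ReverseMe's own code): it shows where the two byte pairs in the patch above come from and how to apply such a patch safely. Both instructions are 2-byte short jumps, so the second byte is a signed rel8 displacement computed as target minus the address of the following instruction; that is why "jne 00401068" at 0040103C encodes as 75 2A and "jmp 0040106C" at the same address encodes as EB 2E. The addresses, bytes and file offset 0000043C are taken from the listing above; the byte buffer in demo() is a constructed stand-in for the executable, so the script runs without the file. The patch helper refuses to write unless the expected original bytes are at the offset, which is the check a practitioner wants before touching any binary.

```python
"""Short-jump displacement and verify-before-write patching.

Worked example added to the tutorial above; the ReverseMe itself is not
included. Addresses and bytes come from the W32Dasm listing, the byte
buffer used in demo() is constructed here for illustration only.
"""

JNE_REL8 = 0x75  # opcode of the 2-byte 'jne rel8'
JMP_REL8 = 0xEB  # opcode of the 2-byte 'jmp rel8'


def rel8_displacement(insn_addr: int, target: int) -> int:
    """Displacement byte of a 2-byte short jump at insn_addr that lands on target.

    The CPU adds the displacement to the address of the *next* instruction,
    so disp = target - (insn_addr + 2). It must fit in a signed byte.
    """
    disp = target - (insn_addr + 2)
    if not -128 <= disp <= 127:
        raise ValueError(
            f"target {target:#x} is not reachable with a short jump from {insn_addr:#x}"
        )
    return disp & 0xFF  # two's-complement byte


def encode_short_jump(opcode: int, insn_addr: int, target: int) -> bytes:
    """Encode 'jxx target' as a 2-byte short jump placed at insn_addr."""
    return bytes([opcode, rel8_displacement(insn_addr, target)])


def patch_bytes(image: bytearray, offset: int, expected: bytes, replacement: bytes) -> bytearray:
    """Return a copy of image with replacement written at offset.

    Refuses to write when the bytes at offset are not the expected ones
    (wrong file, wrong version, or wrong offset) or when the patch would
    change the instruction length and shift everything after it.
    """
    if len(expected) != len(replacement):
        raise ValueError("patch must keep the instruction length")
    found = bytes(image[offset:offset + len(expected)])
    if found != expected:
        raise ValueError(
            f"unexpected bytes at {offset:#x}: {found.hex()} (wanted {expected.hex()})"
        )
    patched = bytearray(image)
    patched[offset:offset + len(replacement)] = replacement
    return patched


def demo() -> dict:
    """Reproduce the tutorial's patch on a constructed stand-in buffer."""
    jne_addr = 0x40103C  # address of the 'Interesting Jump' in the listing
    original = encode_short_jump(JNE_REL8, jne_addr, 0x401068)     # 75 2A
    replacement = encode_short_jump(JMP_REL8, jne_addr, 0x40106C)  # EB 2E

    file_offset = 0x43C  # file offset given in the tutorial for 0040103C
    # Constructed stand-in for the executable: zero-filled, with the
    # original jne placed at the tutorial's file offset.
    image = bytearray(0x800)
    image[file_offset:file_offset + 2] = original

    patched = patch_bytes(image, file_offset, original, replacement)
    return {
        "original": original.hex(),
        "replacement": replacement.hex(),
        "patched": bytes(patched[file_offset:file_offset + 2]).hex(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same formula checks the other short jump in the listing: "jmp 00401068" at 00401052 gives 0x401068 - 0x401054 = 0x14, matching the EB14 shown by W32Dasm. If a target were too far for rel8, the encoder raises instead of silently producing a 2-byte jump that would need a 5-byte near form and overwrite the next instruction.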