Text File | 2000-05-25 | 3KB | 98 lines
Flu[X]'s cracking tutor #6 - Dealing with a packed EXE
Getting past Disassembler Protection
Tools
-Softice 3.2+
-Live Image v1.29D Build 52
-Hackersview 5.65+
-Brain
Ok ... recently programmers are using techniques or programs to "pack"
their EXEcutables or DLLs in an attempt to add additional copyright
protection. A popular one is Shrinker. If you're a cracker.. believe me you
know about it :) Ok enough, let's get started..
Ok let's examine our target, Live Image v1.29D Build 52. It asks for a name/serial,
so we begin tracing (hmemcpy). Eventually we come to these lines of code:
mov eax,[ebp-20]
mov ecx,[ebp-0C]
mov esp, ebp
Ret
----- After return is executed -----
cmp eax,0
je BAD_Cracker
OK, what it does is move a value into EAX, and if that value is 0
it means you failed the serial check... Now.. if we could make it
always pass the test... we would have a full regged copy (because
the programmer always uses the above routine to check his serials).
OK, I also notice that [ebp-20] is 0 unless it is the right serial..
but wait.. EBP is always non-zero.. so if we moved ebp into eax
it would always pass the test.
so the above code would become:
mov eax,[ebp] ; line changed...
mov ecx,[ebp-0C]
mov esp, ebp
Ret
Ok we think this is going to be some simple patch... So we open up
W32Dasm to find the file offset (we did write down the address
from SoftIce, didn't we?). Ok we disassemble the file.. and what?!?!
What is this crap? I can't find that code anywhere!
This EXE is packed..ARGHHH...So after a bit of analyzing we notice
that it is packed by Shrinker.. so we must de-pack it. I used
Unshrinker v1.2 (on my web page http://tuts98.cjb.net).
Ok we now have an unshrinked EXE file :) Things should be good, right?
No, wrong. Let's disassemble the unpacked EXE with W32Dasm.. what, it won't
work? It seems as if the author not only used Shrinker, but also added
a bit of his own protection! Ok.. now what do we do here? Wait a sec,
remember what the code we are looking for is? Maybe if we used our
heads a bit (a very little bit) we would recall that Hiew allows
for hex searches :)
mov eax,[ebp-20]
mov ecx,[ebp-0C]
mov esp, ebp
This translates to: 8B45E08B4DF48BE5
So if we open the file in Hiew we can do a search for 8B45E08B4DF48BE5.
Hit the F7 key in Hiew and type it in the hex string area.. and find it.
Hey.. it worked.. we found our code..
so change it from:
8B45E0
8B4DF4
8BE5
to:
8B4500 ;note the 00.
8B4DF4
8BE5
save the file and run.. Hey look its registered.. crack done!
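To check that 8B45E08B4DF48BE5 really is the encoding of those three instructions, and to see exactly what the single changed byte (E0 to 00) does, here is a small Python decoder added as an example; it is not part of the tutorial or of any tool named above, and it handles only the opcode-8B mov forms that appear on this page.

```python
# Added example, not from the original tutorial: decodes the x86
# "mov r32, r/m32" (opcode 8B) forms used on the page, so the hex string
# can be checked against the listed instructions and the patched byte read off.
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_mov(code, pos=0):
    """Decode one 8B-form mov at code[pos]; returns (Hiew-style text, length).

    Handled: register-direct (mod=11) and [reg+disp8] without SIB (mod=01).
    Anything else raises, since this only covers the bytes on the page.
    """
    if code[pos] != 0x8B:
        raise ValueError(f"unsupported opcode {code[pos]:02X} at {pos}")
    modrm = code[pos + 1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    dst = REG32[reg]
    if mod == 0b11:                      # 8B E5 -> mov esp,ebp
        return f"mov {dst},{REG32[rm]}", 2
    if mod == 0b01 and rm != 0b100:      # 8B 45 E0 -> mov eax,[ebp-20]
        disp = code[pos + 2]
        if disp >= 0x80:                 # disp8 is sign-extended
            disp -= 0x100
        if disp == 0:                    # 8B 45 00 -> mov eax,[ebp]
            return f"mov {dst},[{REG32[rm]}]", 3
        return f"mov {dst},[{REG32[rm]}{'-' if disp < 0 else '+'}{abs(disp):02X}]", 3
    raise ValueError(f"unsupported ModRM {modrm:02X} at {pos}")


def disassemble(hexstr):
    """Decode a hex string of consecutive 8B-form movs into instruction text."""
    code = bytes.fromhex(hexstr)
    out, pos = [], 0
    while pos < len(code):
        text, length = decode_mov(code, pos)
        out.append(text)
        pos += length
    return out


def instruction_diff(orig_hex, patched_hex):
    """Return (index, before, after) for each instruction a byte change altered."""
    before, after = disassemble(orig_hex), disassemble(patched_hex)
    return [(i, b, a) for i, (b, a) in enumerate(zip(before, after)) if b != a]


if __name__ == "__main__":
    ORIGINAL = "8B45E08B4DF48BE5"   # the three instructions from the tutorial
    PATCHED = "8B45008B4DF48BE5"    # the same bytes after the E0 -> 00 change
    print("\n".join(disassemble(ORIGINAL)))
    print(instruction_diff(ORIGINAL, PATCHED))
```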
Also about a patch.. a patch for this program would be virtually impossible,
seeing as it is improbable to modify a packed file.
I hope to see you again in Flu[X] tutor #7
As always if you like a program buy it! This essay is for
educational purposes ONLY! Software authors deserve your support!
Flu[X]/PC98
http://tuts98.cjb.net