Cracking 2

home *** CD-ROM | disk | FTP | other *** search

/ Cracking 2 / Cracking II..iso / Texty / crackme / risc-cm5-tut.txt < prev next >

Wrap

Text File | 1999-05-22 | 3.7 KB | 84 lines

------------ Duelist's Crackme #5 --------------- Minitutorial by R!SC -- risc@notme.com -- http://csir.cjb.net load due-cm5.exe into softice's symbol loader... after tracing a few lines with F10, we get to this code... 0137:00406651 8B8505344000 MOV EAX,[EBP+00403405] <--erm, entrypoint (1000) 0137:00406657 038519344000 ADD EAX,[EBP+00403419] <--the address it loaded into 0137:0040665D 5D POP EBP - (400000), which makes 0137:0040665E 5F POP EDI - 401000, the original entry point 0137:0040665F 5E POP ESI 0137:00406660 5A POP EDX 0137:00406661 59 POP ECX 0137:00406662 5B POP EBX 0137:00406663 FFE0 JMP EAX <-- yah, run the unpacked program 0137:00406665 8D857A344000 LEA EAX,[EBP+0040347A] 0137:0040666B 50 PUSH EAX 0137:0040666C FF95EC344000 CALL [EBP+004034EC] trace for a bit longer, you get to here 0137:004010C1 6800200000 PUSH 00002000 0137:004010C6 685C204000 PUSH 0040205C 0137:004010CB 6817204000 PUSH 00402017 0137:004010D0 6A00 PUSH 00 0137:004010D2 E894010000 CALL USER32!MessageBoxA <--the nag... 0137:004010D7 6A00 PUSH 00 0137:004010D9 68B8104000 PUSH 004010B8 0137:004010DE 6A00 PUSH 00 0137:004010E0 6A01 PUSH 01 to make the dialog box state 'Registered', the easiest way is just to overwrite ' Unregistered', with ' Registered', three spaces, and a capital R... to kill the first nag, just kill the call to the messagebox, overwrite the first byte 'e8' with 'b8' changes the call blah to a mov eax, blah, the pushes before it dont matter in this case.. but it is more professional to patch the first push with a 'jump over nag' okay, were gonna patch a packed file, so choose a space inside of the program to put our patch.. ah, after the version info, file offset 0x1a60 should do..enter 'sometext' here... reload the program with the symbol loader.. search for our text, s 0 l ffffffff 'sometext', :), we find it at 00405860...cool...trace through the unpacker code, until you get to the line where it puts the entrypoint into eax... we change this line from 0137:00406651 8B8505344000 MOV EAX,[EBP+00403405] to 0137:00406651 B860580000 MOV EAX,00005860 <--OUR NEW ENTRYPOINT (-IMAGEBASE) 0137:00406656 90 NOP it then adds the 00400000 to it, and when the JMP EAX happend, it jumps to our code.. now for our code... trace with F8 until you have executed the JMP EAX.. hmmm, eip=00405860? good.. type in 'a eip' to create our code.. sub ax, 4860 (make eax point to the right place) mov byte ptr [eax+d2],b8 (eax=401000+d2=the call nag, b8=killit) mov dword ptr [eax+105b],52202020 (eax+105b=40205b=start of string ' Unregistered') jmp eax <esc> then either copy down all the bytes to the code you just created, and write them into the 'exe at offset 0x1a60, or dump the memory, and use a hex editor to copy&paste it... with the hexeditor, search for '8B8505344000'--(yah, the entrypoint-imagebase) which will be the 'MOV EAX,[EBP+00403405]', and replace this with the new code aswell.. save the file, and bingo!! you cracked a packed program, without using a loader.. :) overwrite this to offset 0x1a60 66 2D 60 48 C6 80 D2 00 00 00 B8 C7 80 5B 10 00 00 20 20 20 52 FF E0 overwrite this to offset 0x2851 B8 60 58 00 00 90 R!SC -- risc@notme.com -- http://csir.cjb.net 22nd May 1999