dead listening / Patching Tutorial
==================================
-----------------------------------------------------
| Writer: Bengaly        | date: 23/6/01 | Author: cW_ |
| Protection: serial/name                              |
| URL: http://www.mesa-sys.com/~eternal/a-d/cycle.zip  |
| Tools: Hex-Editor (Hiew), W32DASM                    |
-----------------------------------------------------

Hello! Welcome to my 24th tutorial; today we will talk about patching.

The author says:
----------------
-> no brute force, since there are a lot of keys for your name
-> no patching

* But who listens to them ;D ... naaa, sometimes rules are rules, but hey, nothing is perfect!

Let's get started:
-----------------
Run the crackme; it asks you to enter a name/serial. Enter any name and serial and click the "Check" button. You will see that nothing happens... hmm, that's weird. So open up W32DASM and disassemble the crackme. You will notice that the "Strn-Ref" button is enabled ;P heh, so we have some text in the crackme. Click "Strn-Ref" and you will see the text used in the crackme:

"hmm no!"
"congratulations"
"please enter valid serial"

OK, we will explore this. When we enter a name/serial and click the "Check" button nothing happens, but from the text above we must somehow be able to get "please enter valid serial". So open the crackme again, enter any name, and enter exactly 16 chars or more for the serial.

* How did I know I need 16 chars? Well, I kept entering chars in the serial box until I got this message! =)

So now we get the nice message box, eh? ;D OK, that's what I wanted to get from the crackme. Now I am going to patch the crackme, but not in the way we all know (jne<->je): nope!
I will change the "please enter valid serial" message box into the "congratulations" message box. It gives the same result as the jne<->je approach, but sometimes I want to try different approaches ;P

===================================[ Patching ]===============================================

Click the "Strn-Ref" button and double click on "please enter valid serial". We will be here:

=============================================================================
* Referenced by a CALL at Address:
|:0040111A                              <- caller
|
:00401166 6A00                  push 00000000
* Possible StringData Ref from Data Obj ->"Ahm. No!"
|
:00401168 68DE204000            push 004020DE
* Possible StringData Ref from Data Obj ->"Please enter a valid serial for "
                                        ->"your name!"
|
:0040116D 68E7204000            push 004020E7
:00401172 FF7508                push [ebp+08]
* Reference To: USER32.MessageBoxA, Ord:0000h
|
:00401175 E843010000            Call 004012BD
:0040117A C3                    ret
=============================================================================

Good, so we see that the call to this place was at 0040111A. So what's at 0040111A? Just do Search->Find Text (in W32DASM) and enter 0040111A. *Search in the up direction and press FIND TEXT 2 times (the first hit is the "0040111A" caller line). You will see this:

===========================================
:0040111A E847000000            call 00401166
===========================================

So we see that 40111A calls some location ;P... what is that location? Let's check: again do a search for 401166... yes, it takes us to the same place I pasted above!! ;D That's good for me, so now I know which place I can patch. So our patching target is:

0040111A E847000000 -> [call 00401166]

Now click the "Strn-Ref" button again and choose "Congratulations!". We will be here:

================================================================
* Referenced by a CALL at Address:
|:0040114B
|
:0040117B 6A00                  push 00000000
* Possible StringData Ref from Data Obj ->"Wow!"
|
:0040117D 6812214000            push 00402112
* Possible StringData Ref from Data Obj ->"Congratulations!"
|
:00401182 6817214000            push 00402117
:00401187 FF7508                push [ebp+08]
* Reference To: USER32.MessageBoxA, Ord:0000h
|
:0040118A E82E010000            Call 004012BD
:0040118F C3                    ret
================================================================

So you see, this is the place the good jump goes to if you enter the good serial! This is a MessageBoxA routine, and it starts at 0040117B 6A00 push 00000000. Write 40117B down (we will patch to this location).

So the only thing we have to do now is to patch

0040111A E847000000 -> [call 00401166]

so that it calls the good MessageBoxA above. How do we do it? OK, go back to the :0040111A location and look at the @Offset: it's 71A(h). Write it down.

Open Hiew and load the crackme. Press F4 and choose "decode", then press F5, fill in 71A, and we will be at the right asm instruction:

:0040111A E847000000            call 00401166 <= that instruction

We already know that we need to change that call to the good message box, so call 00401166 will become call 0040117B. Press F3 (edit); you will notice that the location address (at the left side) changes to hex offsets ;P... so address :0040117B will be 0000077B ;D (F9 to return to normal mode).

Now back to location :0040111A: move onto this location, press F3 (now in hex edit mode), and press F2 (asm edit line). You will see this:

====Assembler============
| Call 000000776         |
=========================

Now we need to change the call to :0040117B (the good message box), but you need to type it as the hex offset. We know the hex value is 0000077B ;D so just edit it and change it to:

====Assembler============
| Call 00000077B         |
=========================

Confirm it, then press Esc, then F9 to save the file, and F10 to exit the hex editor!

Now load the crackme again, enter any name (no matter the length) and 16+ chars (any) for the serial... you will get the "Wow! Congratulations!..." message. CrackMe patched.
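The two things the tutorial does by hand in W32DASM and Hiew (confirming that the E8 at 0040111A really lands on 00401166, and converting the VA of the good message box into the file offset Hiew wants) are plain arithmetic on the x86 near-relative call encoding. The script below is an added example and is not part of the tutorial or the crackme; it works from the addresses and bytes quoted in the listings above. The VA-to-offset delta is derived from the one pair the tutorial gives (0040111A <-> 71Ah), which is an assumption that holds within that section only, and the "image" it patches is a constructed buffer with the original call bytes at their offset, not the real cycle.zip. With the same delta the original target 00401166 comes out as 766h, which is a useful sanity check of the offset arithmetic before writing anything; the patch function refuses to write unless the bytes it is about to overwrite decode to the call you expect, a check a hand edit in Hiew does not do for you.

```python
import struct

# Values taken from the tutorial's W32DASM/Hiew listings (dead listening crackme).
CALL_VA = 0x0040111A                      # the call we retarget
CALL_BYTES = bytes.fromhex("E847000000")  # call 00401166
BAD_BOX_VA = 0x00401166                   # "Please enter a valid serial" routine
GOOD_BOX_VA = 0x0040117B                  # "Congratulations!" routine
CALL_FILE_OFFSET = 0x71A                  # @Offset that W32DASM reports for 0040111A


def decode_rel32_call(va, code):
    """Target of a 5-byte E8 rel32 call located at virtual address `va`.

    The displacement is signed and counted from the end of the instruction,
    so E8 47 00 00 00 at 0040111A means 0040111F + 47h = 00401166.
    """
    if len(code) != 5 or code[0] != 0xE8:
        raise ValueError("expected a 5-byte E8 rel32 call")
    disp = struct.unpack("<i", code[1:5])[0]
    return (va + 5 + disp) & 0xFFFFFFFF


def encode_rel32_call(va, target):
    """Bytes of an E8 rel32 call at `va` that lands on `target`."""
    disp = target - (va + 5)
    if not -0x80000000 <= disp <= 0x7FFFFFFF:
        raise ValueError("target out of rel32 range")
    return b"\xE8" + struct.pack("<i", disp)


def va_to_offset_delta(va, file_offset):
    """Constant that turns a VA into the file offset Hiew displays.

    Assumption: derived from one known pair (0040111A <-> 71Ah) and only
    valid for addresses inside that same section.
    """
    return va - file_offset


def hiew_offset(target_va, delta):
    """Offset Hiew shows for a VA in hex edit mode (the 77Bh in the tutorial)."""
    return target_va - delta


def retarget_call(image, file_offset, va, expected_target, new_target):
    """Copy of `image` with the call at `file_offset` pointing at `new_target`.

    Refuses to write if the bytes there are not a call to `expected_target`,
    so a wrong offset cannot silently corrupt some other instruction.
    """
    old = image[file_offset:file_offset + 5]
    if decode_rel32_call(va, old) != expected_target:
        raise ValueError("bytes at offset do not call the expected routine")
    patched = bytearray(image)
    patched[file_offset:file_offset + 5] = encode_rel32_call(va, new_target)
    return bytes(patched)


# Constructed stand-in for the crackme file: zero padding with the original
# call bytes placed at their file offset (the real cycle.zip is not embedded).
SAMPLE_IMAGE = bytes(CALL_FILE_OFFSET) + CALL_BYTES + bytes(16)


def demo():
    """Walk through the tutorial's numbers and return them for inspection."""
    delta = va_to_offset_delta(CALL_VA, CALL_FILE_OFFSET)
    patched = retarget_call(SAMPLE_IMAGE, CALL_FILE_OFFSET, CALL_VA,
                            BAD_BOX_VA, GOOD_BOX_VA)
    new_bytes = patched[CALL_FILE_OFFSET:CALL_FILE_OFFSET + 5]
    return {
        "original_target": decode_rel32_call(CALL_VA, CALL_BYTES),
        "delta": delta,
        "hiew_shows_good_box_as": hiew_offset(GOOD_BOX_VA, delta),
        "new_call_bytes": new_bytes.hex().upper(),
        "new_target": decode_rel32_call(CALL_VA, new_bytes),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, hex(value) if isinstance(value, int) else value)
```

Running it prints the same numbers the tutorial arrives at interactively: the original call decodes to 00401166, the delta is 400A00h, the good message box shows up in Hiew as 77Bh, and the rewritten instruction is E8 5C 00 00 00, which decodes back to 0040117B.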
Have fun ;D

My thanks and gratitude go to:
--------------------------------
----CoDe_InSide-----  ;for helping in cracking
-----BLAcKgH0sT------ ;for being a good friend :)
-------FusS------     ;asm / keygenning helper