Good evening ladies and gentlemen. Today we'll patch a crackme. Our task is to make it always work no matter what serial key we enter into it. So at first download this Crackme . You should be able to run the process in debugger by this time. So open this crackme in your olly debugger and look for a string that states that serial is wrong. Select Search For -> All referenced text strings... Ups. Looks like we don't have any strings here, only some elven runes which meaning was lost in time. Than we need something else. Most of windows applications use Windows API for its purposes. For example kernel32.dll, user32.dll are often called within the application to perform certain actions. Olly allows us to search for places in code that triggers other modules (libraries). There is a function called GetDialogItemTextA in WinAPI. It is used for retrieving string value from the process. Very likely, our crackme uses this function to get the value of the entered Serial Key. Lets search for it: Search for -> All intermodular calls... You'll get something like this: Address=00401264 Disassembly=CALL <JMP.&user32.GetDlgItemTextA> Destination=user32.GetDlgItemTextA Select this function and set a breakpoint to it (press F2). Double click this line to go to this code in debugger window. Before running this application lets take a look a little bit more on a code below current breakpoint We have 4 calls of the SetWindowTextA functions and 4 jumps JB, JNZ, JNZ, JMP. The first operation after our breakpoint is CMP EAX, 0B. What could that be? Lets run this app now. Press F9 to execute app until the breakpoint. Enter some Serial Key, remember it and confirm this key. Ok, now I am at the breakpoint 00401264. I used this key: "test123". Press F8 to make one step further. Now I am at the CMP EAX, 0B. Now application checks that EAX register contains 0B value. I have 7 in EAX at this step according to registers window. Out of everything I've entered the only logical way to get 7 is to calculate the length of the string that I've entered. "test123" is 7 chars length. So, at this point application checks that enter serial key length is 11 symbols (0x0B == 11). Well, bad news for the application, the length is not 11. So next operation JB should bring me to a peace of code that will result "Correct Serial" flow only in case when entered serial is 11 chars length. But I want it to be any length. JB is conditional jump that uses result of comparison after CMP operation. So if I change JB to JMP the code flow would go to "good" flow in any case, because JMP is non conditional jump that happens in any case. In order to change JB to JMP we'll need to fix binary code a bit. Pay attention to the 2-nd collumn in the debugger window: JB - 72 10. 0x72 is a JB operation. 0x10 is how much bytes ahead application will jump. Take a look at any JMP jump in the debugger window below or above. For example: 004012BE EB 10 JMP SHORT Crackme6.004012D0 We see that JMP is equal to 0xEB in hex code. So, we need to change 0x72 to 0xEB. Select JB jump. Press Ctrl + E and instead of 72 enter EB. Save it. Now JB should be changed to JMP. Lets continue to execute the code step by step until we are on this jump JNZ (00401280). In the flags window see that Z flag is equal to 0 at the moment. JNZ is also a conditional jump which goes to the "desired" place only if Z flag is not 0. And Z flag would be not 0 only when our serial match the correct one, I guess. Again, this is not what I want. I want successful result with any serial code. So we can change JNZ jump to JMP again to make sure that it always happens. But this time I'll teach you to change it in another way. Select JNZ and press Space. Instead of JNZ enter JMP and press Assemble. This way is easier, right? First time I just wanted to show you what binary code means and that it is possible to edit any application even without a debugger, just in any binary or hex editor. Ok, run step by step until next JNZ jump. This jump wants to make us jump over the good peace of code which leads us to successful flow. So this time we don't want to jump and updating it to JMP will not work. We could change it to JZ jump, but there is also another way. I think it is even better. We can remove this JNZ by filling it with NOP operator. When you changing binary code you should remember that the size of the application should be preserved. So we cannot just remove bytes from it. We should change it for something instead. Operator NOP is what suits best for it. This operator does nothing. Literally. What it does is do nothing. It used for Sleep, Pause operations. And we can use it just to feel the space that is used by JNZ. So right click on JNZ and select Binary -> Fill with NOPs. Looks like that is all. Press F9 and see that ACCESS IS GRANTED. Close the application. Restart it by pressing Ctrl + F2. If you'll take a look at the restarted code, you see that your changes are gone. What!!! Curse on you Olly! I did that so long! Oh, wait, sorry. My biggest apologizes to Olly and its developer. There is a combination Ctrl + P. Patches window that thing is called young jedi! Pay attention to the State column. It shows enabled or disabled this patch.Select each patch and press Space to activate those. Now all your changes are back in place. Lets save our patched binary into a new file. Right click in the debugger window and select Copy to executable -> All modifications... Select Copy All in the appeared window. Now you have a smaller window with patched code. Right click in it and select Save File. Save this as separate file as we want to keep the original just in case. Now navigate to this file in your explorer and run it as you do with every application with a double left click. You even can enter nothing (thanks to patch #1) and click Check at once. How's that?
ACCESS_GRANTED, my friend. Soon there will be next tutorial. As always, if you like it, you write comments below and share your feelings, click on banner below so advertiser show me your appreciation. If you like it a lot, you buy me a coffee because it is my fuel for next article. If you don't like it... Well, this case is obvious. For guys like me there is no undesired flows ;) Thanks for reading until this lines.
0 Comments
Leave a Reply. |
NoticeI have removed Russian content from my website and now will post articles in English only. This is not because of some politics, Russian speaking people you are great, but just it is very hard to support bilingual web site in Weebly. For those who read my articles as usual I ask to click on a single advertisement banner on my web site. This gives me some credits and is free of charge for you. Archives
August 2016
Categories
All
|