------------ Duelist's Crackme #5 ---------------
Minitutorial by R!SC -- risc@notme.com -- http://csir.cjb.net

Load due-cm5.exe into SoftICE's Symbol Loader...

After tracing a few lines with F10 we get to this code, the tail of the unpacker stub...

0137:00406651  8B8505344000        MOV     EAX,[EBP+00403405] <-- the original entry point RVA (1000)
0137:00406657  038519344000        ADD     EAX,[EBP+00403419] <-- plus the image base it loaded at
0137:0040665D  5D                  POP     EBP                 -   (400000), which makes
0137:0040665E  5F                  POP     EDI                 -   401000, the original entry point (OEP)
0137:0040665F  5E                  POP     ESI
0137:00406660  5A                  POP     EDX
0137:00406661  59                  POP     ECX
0137:00406662  5B                  POP     EBX
0137:00406663  FFE0                JMP     EAX                 <-- yah, run the unpacked program
0137:00406665  8D857A344000        LEA     EAX,[EBP+0040347A]
0137:0040666B  50                  PUSH    EAX
0137:0040666C  FF95EC344000        CALL    [EBP+004034EC]

Trace a bit longer (we are in the unpacked code now) and you get to here:

0137:004010C1  6800200000          PUSH    00002000
0137:004010C6  685C204000          PUSH    0040205C
0137:004010CB  6817204000          PUSH    00402017
0137:004010D0  6A00                PUSH    00
0137:004010D2  E894010000          CALL    USER32!MessageBoxA <--the nag...
0137:004010D7  6A00                PUSH    00
0137:004010D9  68B8104000          PUSH    004010B8
0137:004010DE  6A00                PUSH    00
0137:004010E0  6A01                PUSH    01

To make the dialog box say 'Registered', the easiest way is to overwrite ' Unregistered'
with '   Registered': three spaces and a capital R. Only the first four bytes change
(' Unr' becomes '   R'), the string stays 13 characters long, so nothing else moves.

To kill the first nag, just kill the call to the MessageBox: overwrite its first byte
'E8' with 'B8', which turns the 5-byte CALL into a 5-byte MOV EAX,imm32 (the old rel32
becomes a harmless immediate). The four PUSHes before it still execute, so 16 bytes of
arguments are left on the stack, but that doesn't matter in this case. It is more
professional to patch the first PUSH (at 4010C1) into a short jump over the whole nag,
EB 14 jumps straight to 4010D7, so the stack stays balanced.

Okay, we're gonna patch a packed file, so we need some free space inside the program to
put our patch in. The padding after the version info at file offset 0x1a60 should do.
Write the marker 'sometext' there with a hex editor, so we can find out where that slack
lands in memory (it has to be inside a mapped section, and the unpacker must not write
over it; the marker is how we check both).

Reload the program with the Symbol Loader and search for our text: s 0 l ffffffff 'sometext'
:) We find it at 00405860... cool. So file offset 0x1a60 maps to VA 00405860, and the
memory-to-file delta for this section is 0x3e00 (remember that for later). Trace through
the unpacker code until you get to the line where it loads the entry point into EAX, and
change it from
0137:00406651  8B8505344000        MOV     EAX,[EBP+00403405]
to
0137:00406651  B860580000          MOV     EAX,00005860     <-- OUR NEW ENTRY POINT (VA - IMAGEBASE)
0137:00406656  90                  NOP

The value is an RVA, not a VA, because the ADD right after it still adds the image base.
MOV EAX,imm32 is only 5 bytes and the original was 6, hence the NOP to keep the next
instruction in place.

It then adds the 00400000 to it, and when the JMP EAX happens, it jumps to our code.

Now for our code...

Trace with F8 until you have executed the JMP EAX... hmmm, EIP=00405860? Good.

Type 'a eip' to assemble our code in place:
sub ax, 4860                      (405860-4860=401000: make eax point at the OEP. a 16-bit sub
                                   is enough (and 2 bytes shorter) because only the low word
                                   differs; it would break if the stub sat in another 64K block)
mov byte ptr [eax+d2],b8          (401000+d2=4010d2, the E8 of CALL MessageBoxA, b8 kills it)
mov dword ptr [eax+105b],52202020 (401000+105b=40205b, start of ' Unregistered'; little-endian
                                   52202020 writes the bytes 20 20 20 52 = '   R' over ' Unr')
jmp eax                           (carry on at the real OEP as if nothing happened)
<esc>

The two stores go into the freshly unpacked image, which works because the unpacker had to
write there itself; if an unpacker re-protects its pages afterwards you would need a
VirtualProtect first. EAX is scratch here anyway, the original code was about to jump
through it.

Then either copy down all the bytes of the code you just created and write them into the
exe at file offset 0x1a60, or dump the memory and use a hex editor to copy & paste it...

With the hex editor, search for '8B8505344000' (the bytes of MOV EAX,[EBP+00403405], the
instruction that loads the entry point RVA; it should be at 0x2851, and make sure the
pattern only matches once) and replace it with the new MOV EAX,00005860 plus the NOP as well.

Save the file, and bingo!! You cracked a packed program without using a loader.. :)

Write these 23 bytes at file offset 0x1a60 (the stub, over 'sometext'):
66 2D 60 48 C6 80 D2 00 00 00 B8 C7 80 5B 10 00 00 20 20 20 52 FF E0

Write these 6 bytes at file offset 0x2851 (over 8B 85 05 34 40 00):
B8 60 58 00 00 90
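As an added example (my own script, not part of R!SC's tutorial), the whole patch done from Python instead of by hand: it assembles the 23-byte stub and the 6-byte MOV/NOP from the addresses above, converts VAs to file offsets, and refuses to write unless the original bytes are where they should be. It assumes the two VA/offset pairs in the text (405860 <-> 1a60, 406651 <-> 2851) lie in one section with a fixed delta of 0x3e00, and it ships with a constructed stand-in buffer so it runs without the real due-cm5.exe; pass the real file as an argument to patch it.

```python
import struct

# Addresses from the tutorial (Duelist's Crackme #5 loaded at 400000).
IMAGE_BASE = 0x400000
OEP_VA = 0x401000            # original entry point, RVA 1000
STUB_VA = 0x405860           # where 'sometext' at file offset 1a60 shows up in memory
LOADER_MOV_VA = 0x406651     # MOV EAX,[EBP+00403405] in the unpacker
LOADER_MOV_ORIG = bytes.fromhex("8B8505344000")
NAG_CALL_VA = 0x4010D2       # the E8 of CALL USER32!MessageBoxA
UNREG_STR_VA = 0x40205B      # start of ' Unregistered'
STUB_MARKER = b"sometext"

# Assumption: both VA/file-offset pairs in the tutorial differ by 3e00,
# so the patcher treats them as one section with that raw/virtual delta.
SECTION_DELTA = 0x3E00


def va_to_file_offset(va):
    """VA -> raw file offset under the single-section assumption above."""
    return va - IMAGE_BASE - SECTION_DELTA


def build_stub(stub_va=STUB_VA, oep_va=OEP_VA, nag_call_va=NAG_CALL_VA, str_va=UNREG_STR_VA):
    """Hand-assemble the stub: fix EAX up to the OEP, patch the nag and the string, jump."""
    # 'sub ax, imm16' only touches the low word: stub and OEP must share the
    # high word and the subtraction must not borrow, or EAX misses the OEP.
    if (stub_va >> 16) != (oep_va >> 16) or (stub_va & 0xFFFF) < (oep_va & 0xFFFF):
        raise ValueError("stub and OEP must be in the same 64K block for 'sub ax'")
    delta = stub_va - oep_va
    code = b"\x66\x2D" + struct.pack("<H", delta)                             # sub ax, delta
    code += b"\xC6\x80" + struct.pack("<I", nag_call_va - oep_va) + b"\xB8"   # mov byte [eax+disp32], 0B8h (CALL -> MOV EAX)
    code += b"\xC7\x80" + struct.pack("<I", str_va - oep_va) + b"   R"        # mov dword [eax+disp32], '   R' (' Unr' -> '   R')
    code += b"\xFF\xE0"                                                       # jmp eax
    return code


def build_loader_patch(stub_va=STUB_VA):
    """MOV EAX,imm32 with the stub RVA plus a NOP, so the 6-byte slot keeps its size."""
    return b"\xB8" + struct.pack("<I", stub_va - IMAGE_BASE) + b"\x90"


def apply_patches(image):
    """Return a patched copy of the file bytes, refusing to overwrite anything unexpected."""
    buf = bytearray(image)
    mov_off = va_to_file_offset(LOADER_MOV_VA)
    if buf[mov_off:mov_off + 6] != LOADER_MOV_ORIG:
        raise ValueError("unpacker MOV not at %#x; wrong file or wrong section delta" % mov_off)
    if buf.count(LOADER_MOV_ORIG) != 1:
        raise ValueError("MOV byte pattern is not unique; refusing to guess")
    stub = build_stub()
    stub_off = va_to_file_offset(STUB_VA)
    slack = buf[stub_off:stub_off + len(stub)]
    # The slack must hold our marker (or be zero padding) so we know it is really free.
    if not (slack.startswith(STUB_MARKER) or set(slack) <= {0}):
        raise ValueError("no free space at file offset %#x" % stub_off)
    buf[stub_off:stub_off + len(stub)] = stub
    buf[mov_off:mov_off + 6] = build_loader_patch()
    return bytes(buf)


def make_sample_image():
    """Constructed stand-in for due-cm5.exe: zeros with the marker and the MOV at the right offsets."""
    buf = bytearray(0x3000)
    buf[0x1A60:0x1A60 + len(STUB_MARKER)] = STUB_MARKER
    buf[0x2851:0x2857] = LOADER_MOV_ORIG
    return bytes(buf)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_image()
    patched = apply_patches(data)
    print("stub @1a60:", build_stub().hex())
    print("mov  @2851:", build_loader_patch().hex())
    if len(sys.argv) > 1:
        open(sys.argv[1] + ".patched", "wb").write(patched)
```

The original-bytes check is the part worth copying into any binary patcher: a packed file that differs by one build, or a wrong section delta, would otherwise be silently corrupted at the same offsets.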

R!SC -- risc@notme.com -- http://csir.cjb.net

22nd May 1999
