Finding Where To Patch Using W32dasm.

Crackme 1 by Brad Soblesky.

By Krobar / Nov 1999

Well, it's good we found the correct serial using SoftICE in the last tut, but there's another way we can register it, using W32dasm and Hiew. We can make it so we can enter any serial and it will be accepted. That is, we can patch it.
Hehehe, you might wonder what the point of this is, if we've already got the correct serial. Well, there's no point, but we're gonna do it anyway, coz we wanna know how to do it!

In this tut we use W32dasm to find the code location that we want to change, and in the next tut we use Hiew to make the changes. You can of course use other hex editors, but in that tut we're using Hiew.

So, open W32dasm (double click W32dasm.exe in the folder you placed it in... or if you're smart you'll make a shortcut on your desktop), go to the 'Disassembler' menu (top left) and click 'Open File to Disassemble'. Find Crackme1 and double click it, or click it once then click Open in the dialog box, and Crackme1 will load and start to disassemble.

Once it's done (make sure you're on full screen), you'll see a 'dead listing' of the program code.

Well, what do we do now, you say!

How we gonna find the place to patch?

If you read the earlier mini tut about W32dasm, you know that we're gonna look at the String References. If you didn't, I'll say it one more time. Look at the top right of W32dasm, beneath the menu item Refs, you'll see some buttons. The second button in is 'Strn Ref'.

Click it (or hit the menu item Refs and select 'String Data References') and a box opens with bits of text in it... string references actually.

Well, what we're looking for is the message that tells us we entered a wrong serial, coz we want to change the program so we don't see that message.

And what do we see?? "Incorrect try again!!"

Now double click on that string and we get taken to the place in the program where it is used. You'll see this:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:004015AD    6A40           push 00000040

* Possible StringData Ref from Data Obj ->"CrackMe"
:004015AF    686C304000     push 0040306C

* Possible StringData Ref from Data Obj ->"Incorrect try again!!"
:004015B4    6874304000     push 00403074        <-- we land here
:004015B9    8B4DE0         mov ecx, dword ptr [ebp-20]

So we land at address 004015B4, push 00403074... this line will be highlighted!!!!

We know we don't want to end up here, because this means we've put in an incorrect number. But if you look up a few lines, you'll see:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:

Hmmm, it seems that we got to the incorrect message because we jumped from address :00401595.... let's go there!

Remember from the W32dasm mini tut how we go to a code location? Didn't read it? Bummer for ya, you'll have to read it now.

This is what we see:

* Reference To: KERNEL32.lstrcmpA, Ord:02FCh

:0040158D    FF1500204000   call dword ptr [00402000]
:00401593    85C0           test eax, eax
:00401595    7516           jne 004015AD         <-- bad jump
:00401597    6A40           push 00000040

What we gotta do is change this jump so we don't jump.

If you read any of the assembly tuts, you'll know that 'jne' means jump if not equal, and you'll also notice that this jump comes just after the call to KERNEL32.lstrcmpA, which, if you remember from the last tut, is a string compare. Look at both of these for a refresher: the API mini ref and the Op codes tut.

So what's happening is that our serial is getting compared to the correct serial, and if they aren't equal, you jump to piss off. We don't want this, so we're gonna change the jump. We could nop it out (nop means 'no operation') so the program ignores that line, but +ORC has said that this isn't the best way. Or we could change the jump to 'je', which means 'jump if equal'. So if the serials don't match, we won't jump. Of course if they do match, we will jump, so once we've patched it, don't put in the serial we found in SoftICE.

Ok, we've nearly finished this tut. You'll have to read the next one to learn how to patch it... but we'll just discuss how we would nop the jump if we were going to do it that way. You'll notice that this line:

:00401595    7516           jne 004015AD

has four hex digits (7516) before the jne. This is the machine code that is equivalent to the instruction jne 004015AD. Each pair of hex digits is one byte, so the four digits equal two bytes. The hex for nop is 90, so if we were to nop out the jump, we'd have to use two of them.... that's 9090... two bytes. Simple!!
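If you want to check that arithmetic yourself (and see why 7516 at :00401595 lands on :004015AD), here's a little Python decoder. It's an added example, not part of the tut and not anything W32dasm does; it only knows the short jump and nop opcodes we've talked about, and the byte strings in it are the ones from the listing above.

```python
# Added example (not from the tutorial): decode the two-byte short jump the
# tut patches and show what the bytes look like after each patch style.
import struct

# x86 one-byte opcodes for the short (rel8) jumps and nop discussed in the tut
SHORT_JUMPS = {0x74: "je", 0x75: "jne", 0xEB: "jmp"}
NOP = 0x90

def decode(addr, code):
    """Decode the instruction at `addr` from bytes `code`.
    Handles only the short-jump and nop forms relevant here; returns
    (mnemonic, length, target) where target is None for nop."""
    op = code[0]
    if op == NOP:
        return ("nop", 1, None)
    if op in SHORT_JUMPS:
        # rel8 is a signed byte counted from the *next* instruction,
        # so jne at 00401595 with rel 16h goes to 00401597 + 16h = 004015AD
        rel = struct.unpack("b", code[1:2])[0]
        return (SHORT_JUMPS[op], 2, addr + 2 + rel)
    raise ValueError(f"opcode {op:02x} not handled by this toy decoder")

def listing(addr, code):
    """Produce W32dasm-style text lines for a byte string starting at addr."""
    lines = []
    while code:
        mnem, size, target = decode(addr, code)
        hexbytes = code[:size].hex().upper()
        text = f"{mnem} {target:08X}" if target is not None else mnem
        lines.append(f":{addr:08X} {hexbytes:<6} {text}")
        addr += size
        code = code[size:]
    return lines

ORIGINAL = bytes.fromhex("7516")   # jne 004015AD, as in the dead listing
JE_PATCH = bytes.fromhex("7416")   # only the opcode changes: 75 -> 74
NOP_PATCH = bytes.fromhex("9090")  # two one-byte nops keep the length at 2

if __name__ == "__main__":
    for name, code in [("original", ORIGINAL), ("je patch", JE_PATCH),
                       ("nop patch", NOP_PATCH)]:
        print(name)
        for line in listing(0x401595, code):
            print("   ", line)
```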

One more thing to do before we exit W32dasm and spark up Hiew is to take a note of the address of the instruction that we're going to change. We already know it, remember: 00401595. We'll also get the offset (if you read the mini Hiew tut you'll know we can use either in Hiew). Make sure the jne line is highlighted, then look at the bottom of the W32dasm screen. You'll see 'Line blah blah.. Pg blah blah, Code Data @ blah blah, and Offset 00001595h'. Forget the zeros at the beginning, and the h at the end means hex. Take note of the remaining digits... 1595... that's the offset.

That's it. We'll carry on in the next tut.