So, did you check out the string references in W32Dasm? Hehe, there were none there... so what are we gonna do?
Well, remember making a note of this address in the last tut when we were in SoftICE...
xxxx:004039FC 53 PUSH EBX
xxxx:004039FD 56 PUSH ESI
xxxx:004039FE 57 PUSH EDI
xxxx:004039FF 89C6 MOV ESI,EAX
xxxx:00403A01 89D7 MOV EDI,EDX
xxxx:00403A03 39D0 CMP EAX,EDX
xxxx:00403A05 0F848F000000 JZ 00403A9A <- this one

We're gonna use that, because we can assume we jump to the good message if the serials are equal: it compares EAX and EDX (the two values just copied into ESI and EDI) and jumps if they match. So write down the address (00403A05) and the hex bytes (0F848F000000), and we're ready to make our changes.
Load the crackme into Hiew, making sure you have a BACKUP copy first (and remember the address you wrote down is what SoftICE showed, not a raw file offset, so don't just seek to it in the file), and... you know what to do!
Exception EAccessViolation blah blah blah... Hmmmm, guess that wasn't the right change to make after all. Lucky we've got a copy. If you weren't smart enough to back up, you'll have to reload the crackme in Hiew and undo the changes.
Well, what are we gonna do now? I'm gonna check out SoftICE again, because we've got the correct serial, so we can compare what the code does with the correct serial and with an incorrect one.
So this was the code we found last time:

xxxx:0042FAFE E8F93EFDFF CALL 004039FC <- last time
xxxx:0042FB03 751A JNZ 0042FB1F

We went into this call, remember, and landed here:

xxxx:004039FC 53 PUSH EBX
xxxx:004039FD 56 PUSH ESI
xxxx:004039FE 57 PUSH EDI
xxxx:004039FF 89C6 MOV ESI,EAX
xxxx:00403A01 89D7 MOV EDI,EDX
xxxx:00403A03 39D0 CMP EAX,EDX
xxxx:00403A05 0F848F000000 JZ 00403A9A

...notice the JNZ at address xxxx:0042FB03? We call something and then jump if the zero flag isn't set, i.e. if whatever that call compared didn't come out equal. I wonder if that jump takes us to the incorrect or the correct message. Well, I used the correct serial number, went through SoftICE like before, got to that jump, and it didn't jump. So I'm assuming that jump takes us to the buggar-off message. We want to change it to JZ, I think... you think about why. (Hint: flipping the condition means a wrong serial now falls through to the path the right serial took, and the only serial that stops working is the real one.)
We'll try it. Make a note of the address and, yeah, exit SoftICE (Ctrl-D) and load up Hiew.
We'd better try the other option too. Go to the serial-only option, enter any number, and... incorrect. Bummer, looks like it's back to SoftICE!
Well, this one'll be easy, we know what to do. Start the crackme and go to the serial option. Back into SoftICE and do the same as in tut 5. Now, you remember this piece of code, because we went into this call in tut 5:

xxxx:0042F4CA 8B45F0 MOV EAX,[EBP-10]
xxxx:0042F4CD 8B55F4 MOV EDX,[EBP-0C]
xxxx:0042F4D0 E82745FDFF CALL 004039FC <- here
xxxx:0042F4D5 751A JNZ 0042F4F1

...so we're gonna change the JNZ at 0042F4D5 to a JZ, same as for serial/name. Notice that both CALLs land on 004039FC: it's the same routine for both options, which is a good reason to leave its insides alone (remember the access violation) and patch the JNZ right after each call instead.
Also, while you're in SoftICE at this piece of code, have a look further down. You'll see an unconditional jump at address 0042F4EF, right before 0042F4F1 where the JNZ lands. Unconditional means we jump whatever happens, but if we put in the wrong serial, the JNZ we're about to change takes us over it and we miss it. We can assume this unconditional jump takes us to the good-guy message, but with the wrong serial we never get there.
Anyway, load up Hiew and make the change... you know what to do by now... then check it.
Hey, it works... cool, we've done it. Now for both options we can stick in anything we want and we get the cool-dude message (although, as Ralph pointed out to me, the name has to be more than 4 characters because of this piece of code, where the length of the name is checked):

0042FA57 cmp eax,04

So, hehe, make sure your name is longer than 4 characters.
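Here's a little Python script that does on paper what we just did in SoftICE and Hiew for both JNZs. It's added by the editor, not part of the original tut and not anything the crackme ships with. It decodes the CALL/JZ/JNZ bytes from the listings above into their targets (so you can check the addresses you wrote down really line up), flips the condition bit to turn 751A into 741A, and refuses to patch unless the bytes sitting at the address are exactly the ones you noted down. The section numbers (image base 0x400000, code section at RVA 0x1000 starting at file offset 0x400) and the zero-filled stand-in file are made up purely to show the virtual-address-to-file-offset step; the crackme's real PE headers aren't on this page, so let Hiew do that mapping on the real thing.

```python
"""Added worked example: decode the listed jumps and apply the JNZ->JZ patches.

Not the tutorial's own code.  The PE section numbers below are assumptions
made up to illustrate the VA -> file-offset step.
"""

# Instruction bytes exactly as the tutorial lists them (VA -> bytes).
LISTING = {
    0x0042FAFE: bytes.fromhex("E8F93EFDFF"),    # CALL 004039FC  (serial/name)
    0x0042FB03: bytes.fromhex("751A"),          # JNZ 0042FB1F
    0x0042F4D0: bytes.fromhex("E82745FDFF"),    # CALL 004039FC  (serial only)
    0x0042F4D5: bytes.fromhex("751A"),          # JNZ 0042F4F1
    0x00403A05: bytes.fromhex("0F848F000000"),  # JZ  00403A9A  (inside the call)
}


def branch_target(va, code):
    """Destination of a relative CALL/Jcc whose first byte sits at VA `va`.

    Covers the three encodings on the page: E8 rel32, 74/75 rel8 (short JZ/JNZ)
    and 0F 84/0F 85 rel32 (near JZ/JNZ).  The displacement is counted from the
    *next* instruction, which is why the instruction length is added first.
    """
    if code[0] == 0xE8:                                  # CALL rel32
        disp = int.from_bytes(code[1:5], "little", signed=True)
        return (va + 5 + disp) & 0xFFFFFFFF
    if code[0] in (0x74, 0x75):                          # JZ/JNZ rel8
        disp = int.from_bytes(code[1:2], "little", signed=True)
        return (va + 2 + disp) & 0xFFFFFFFF
    if code[0] == 0x0F and code[1] in (0x84, 0x85):      # JZ/JNZ rel32
        disp = int.from_bytes(code[2:6], "little", signed=True)
        return (va + 6 + disp) & 0xFFFFFFFF
    raise ValueError("not a CALL/JZ/JNZ encoding: " + code.hex())


def invert_jcc(code):
    """Flip JZ <-> JNZ.  Only the condition bit of the opcode changes; the
    displacement stays, so the patched jump still lands where it did before."""
    b = bytearray(code)
    if b[0] in (0x74, 0x75):
        b[0] ^= 1
    elif b[0] == 0x0F and b[1] in (0x84, 0x85):
        b[1] ^= 1
    else:
        raise ValueError("not a JZ/JNZ: " + code.hex())
    return bytes(b)


# ASSUMED section layout (not from the page): image base 0x400000, code section
# at RVA 0x1000, stored at file offset 0x400.  Real values come from the PE headers.
IMAGE_BASE, SECT_VA, SECT_RAW = 0x400000, 0x1000, 0x400


def va_to_file_offset(va):
    """The address SoftICE shows is a VA; Hiew edits file offsets."""
    return va - IMAGE_BASE - SECT_VA + SECT_RAW


def make_fake_crackme():
    """Constructed stand-in for the crackme file: zero-filled, with the listed
    bytes placed where the assumed section mapping puts them."""
    img = bytearray(va_to_file_offset(0x00430000))
    for va, code in LISTING.items():
        off = va_to_file_offset(va)
        img[off:off + len(code)] = code
    return img


def patch_jcc(img, va, expect):
    """Hiew-style patch with the check a careful cracker makes first: refuse to
    write unless the bytes at the address are exactly the ones noted down."""
    off = va_to_file_offset(va)
    found = bytes(img[off:off + len(expect)])
    if found != expect:
        raise RuntimeError("bytes at %08X are %s, expected %s: wrong offset or wrong file?"
                           % (va, found.hex().upper(), expect.hex().upper()))
    new = invert_jcc(expect)
    img[off:off + len(new)] = new
    return new


def crack(img):
    """Apply both patches from the tutorial; returns the bytes written per VA."""
    return {va: patch_jcc(img, va, LISTING[va]) for va in (0x0042FB03, 0x0042F4D5)}


if __name__ == "__main__":
    for va, code in sorted(LISTING.items()):
        print("%08X %-14s -> %08X" % (va, code.hex().upper(), branch_target(va, code)))
    original = make_fake_crackme()
    backup = bytes(original)          # the BACKUP copy the tutorial keeps nagging about
    patched = bytearray(original)
    for va, new in crack(patched).items():
        print("patched %08X: %s -> %s" % (va, LISTING[va].hex().upper(), new.hex().upper()))
    assert bytes(patched) != backup
```

Running it lists every CALL/Jcc with its computed target (both CALLs resolve to 004039FC, the JNZs to 0042FB1F and 0042F4F1, the JZ to 00403A9A), then writes 741A over both 751As. Run `crack()` a second time on the same buffer and it bails out, because the bytes no longer match what you noted down; that is the same sanity check you should do by eye in Hiew before typing over anything.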
One thing that pisses me off is that nag...it got to go, so thats next tut.