Patching Using W32dasm and Hiew

Crackme 2 by Acid Burn

By Krobar / Dec 1999

So did ya check out the string references in W32dasm? Hehe, none there. So what we gonna do??

Well remember making a note of this address in the last tut when we were in softice...

xxxx:004039FC    53             PUSH   EBX
xxxx:004039FD    56             PUSH   ESI
xxxx:004039FE    57             PUSH   EDI
xxxx:004039FF    89C6           MOV    ESI,EAX
xxxx:00403A01    89D7           MOV    EDI,EDX
xxxx:00403A03    39D0           CMP    EAX,EDX
xxxx:00403A05    0F848F000000   JZ     00403A9A<-this one
...we gonna use that coz we can assume that we jump to the good message if the serials are equal. So write down the address (00403A05) and the hex code (0F848F000000), and we ready to make our changes.

Load the crackme into Hiew...making sure you have a BACK UP copy...and, you know what to do!

  • F4 and change to code mode if Hiew doesn't open in this mode. (It should if you changed Hiew.ini from a previous tut).
  • F5, put in the address...(.00403A05) and push enter.
  • We gonna change the JZ so we jump if the serials don't match.
Wow, look at that hex code we gotta change...0F848F000000...what we do here? Well you might have had a look at the Opcode reference earlier, but if you didn't, all we gonna change is 0F84 to 0F85. So...
  • F3...the cursor square will be on 0F, and type in 0F85...(or you can use the right arrow button to move the cursor over the 4, and just push 5). The code will now be 0F858F000000.
  • F9 to make the changes permanent, and F10 (or Esc) to exit Hiew
We ready to see if it worked. Start crackme and...SHIT WHAT THIS???
Exception EAccessViolation blah blah blah
Hmmmm, guess that wasn't the right change to make after all. Lucky we got a copy. If you weren't smart enough to backup you'll have to reload the crackme in hiew and undo the changes.

Well, what we gonna do now? I'm gonna check out softice again, coz we got the correct serial, so we can compare what the code does with the correct serial and an incorrect serial.

So this was the code we found last time:

xxxx:0042FAFE    E8F93EFDFF    CALL   004039FC<-last time
xxxx:0042FB03    751A          JNZ    0042FB1F  

We went into this call remember, and landed here:

xxxx:004039FC    53             PUSH  EBX
xxxx:004039FD    56             PUSH  ESI
xxxx:004039FE    57             PUSH  EDI
xxxx:004039FF    89C6           MOV   ESI,EAX
xxxx:00403A01    89D7           MOV   EDI,EDX
xxxx:00403A03    39D0           CMP   EAX,EDX
xxxx:00403A05    0F848F000000   JZ    00403A9A

...notice the JNZ at address xxxx:0042FB03???? We call something and then jump if it's not equal to zero. I wonder if that jump takes us to the incorrect or the correct message. Well I used the correct serial number, went through softice like before, got to that jump, and didn't jump. So I'm assuming that that jump takes us to the buggar off message. We want to change it to JZ I think... you think about why.

Let's try it. Make a note of the address and, yeah, exit softice (ctrl d) and load up hiew.

  • F4 if you're not in code mode, select code, then push enter (or you can toggle the three modes by just pushing enter).
  • F5 (goto) and enter the address .0042FB03 (lower or uppercase, doesn't seem to matter) and push enter.
  • F3 (edit) and change the 75 to a 74.
  • F9 (update) to make changes permanent.
  • F10 (or Esc) to exit hiew.
  • I'll just mention here that in Hiew you might notice that instead of JZ or JNZ, you might see JE or JNE. These mean the same, so no worries!
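An added example (not from Krobar's tutorial and not a Hiew feature): a small Python script that diffs the BACK UP copy against the patched crackme, lists every changed byte, and flags the ones that flip a conditional jump. It is the check you want after an edit like the ones above, and the kind of change an integrity check on a shipped binary should catch. The byte strings are constructed from the listings on this page, and the opcode tables are an assumed subset of the x86 Jcc table covering only JZ/JNZ.

```python
from typing import Dict, List

# Conditional-jump opcodes this tutorial edits (assumed subset of the full Jcc
# table): short form is one byte, near form is 0F followed by one byte.
SHORT_JCC = {0x74: "JZ", 0x75: "JNZ"}
NEAR_JCC = {0x84: "JZ", 0x85: "JNZ"}


def diff_bytes(original: bytes, patched: bytes) -> List[Dict[str, int]]:
    """One record per changed byte. A Hiew in-place edit never changes the
    file length, so a size difference means something else happened."""
    if len(original) != len(patched):
        raise ValueError("file sizes differ: not an in-place patch")
    return [{"offset": i, "old": original[i], "new": patched[i]}
            for i in range(len(original)) if original[i] != patched[i]]


def classify_jump_flip(original: bytes, patched: bytes, offset: int) -> str:
    """Say whether the changed byte turns one conditional jump into another."""
    old, new = original[offset], patched[offset]
    # near Jcc: the byte after a 0F prefix, e.g. 0F 84 -> 0F 85
    if (offset > 0 and original[offset - 1] == 0x0F
            and old in NEAR_JCC and new in NEAR_JCC):
        return f"near {NEAR_JCC[old]} -> {NEAR_JCC[new]}"
    if old in SHORT_JCC and new in SHORT_JCC:
        return f"short {SHORT_JCC[old]} -> {SHORT_JCC[new]}"
    return "other change"


def report(original: bytes, patched: bytes) -> List[str]:
    """One line per change; offsets are raw file offsets, not the virtual
    addresses Hiew shows after a '.' goto."""
    return [f"offset {d['offset']:#06x}: {d['old']:02X} -> {d['new']:02X}"
            f" ({classify_jump_flip(original, patched, d['offset'])})"
            for d in diff_bytes(original, patched)]


# Constructed sample: the raw bytes of the two listings on this page laid end
# to end (as in the backup copy) and the same bytes after both kinds of Hiew
# edit: the near JZ flip 0F84 -> 0F85 and the short JNZ flip 75 -> 74.
ORIGINAL = bytes.fromhex(
    "535657" "89C6" "89D7" "39D0" "0F848F000000"   # PUSHes, MOVs, CMP, JZ
    "8B45F0" "8B55F4" "E82745FDFF" "751A")        # MOVs, CALL, JNZ
PATCHED = bytes.fromhex(
    "535657" "89C6" "89D7" "39D0" "0F858F000000"
    "8B45F0" "8B55F4" "E82745FDFF" "741A")

if __name__ == "__main__":
    for line in report(ORIGINAL, PATCHED):
        print(line)
```

On real files, read the backup and the patched copy with open(path, "rb").read() and pass them to report().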
Now click on the crackme (shit we gotta get rid of that nag), go to serial/name, and enter anything. Click check it baby, and yeah, good job dude.

We better try the other option too. Go to just the serial option, enter any number, and incorrect....bummer, looks like it's back to softice!

Well this one be easy, we know what to do. Start crackme and go to the serial option. Back into softice and do the same as in tut 5. Now you remember this piece of code, coz we went into this call in tut 5:

xxxx:0042F4CA    8B45F0          MOV    EAX,[EBP-10]
xxxx:0042F4CD    8B55F4          MOV    EDX,[EBP-0C]
xxxx:0042F4D0    E82745FDFF      CALL   004039FC<-here
xxxx:0042F4D5    751A            JNZ    0042F4F1

We gonna change the JNZ at 0042F4D5 to a JZ, same as for serial/name.

Also while you're in softice at this piece of code, have a look down. You will see an unconditional jump at address 0042F4EF. Unconditional jump means we gonna jump whatever, but if we put in the wrong serial, the JNZ that we gonna change in a minute takes us over this and we miss it. We can assume that this unconditional jump takes us to the good guy message, but if we have the wrong serial we don't get there.

Anyway, load up hiew and make the change...you know what to do by now...then check it.

Hey, we done it. Now for both options we can stick in anything we want and we get the cool dude message...(although as Ralph pointed out to me, the name has to be more than 4 characters because of this piece of code where the length of the name is compared:

0042FA57 cmp eax,04
0042FA5A jge...

So, hehe, make sure your name is longer than 4.)

One thing that pisses me off is that nag, but I got to go, so that's next tut.