I am new to cracking but I understand the basics of assembly language, and
know how to use "w32dasm disaasembler" and the hex editor "hiew"




In the examples of the "w32dasm" disasseembles below, I show to examples of
the "jmp" instructions. Some of them I am able to enterpret like:

:0040117F 7504 jne 00401185 --- I can change this jmp by
changing the "75" in Hiew
:00401183 EB03 jmp 00401188 --- I can change this jmp
by changing the "EB" in Hiew

If i change the 75 to a 74 in the "jne" instruction it will change it to a
"je". And with the "jmp" I can change the "EB" to another jump instruction
if needed.




There are however some jump instructions that do not look familar to me and
I have be unable to change them. They appear as a regular "jmp" instruction,
but the hex is not familar to me and I do not know how to change it. Here is
an example of what I am talking about:

:00401C95 E99C6F0000 Jmp 00408C36 --- I do not know how to change these jmp's
:00401CA5 E916000000 jmp 00401CC0 --- I do not know how to change these jmp's

As you can see it interprets E99C6F0000 and E916000000 as "jmp" instructions, but the hex doesn't appear as a "jmp" instruction which should be "EB" like in the other example.

Are these special "jmp" instructions or are they misinterpreted by w32dasm?
Can anyone tell me how to change these? Everytime I try to change them I end up screwing the exe up.


Here is a more complete view of coding examples that I have used above:
----------------------------------------------------------------------------
--------------------------------------------------------------------
:00401178 8B442414 mov eax, dword ptr [esp+14]
:0040117C 85C0 test eax, eax
:0040117E 57 push edi
:0040117F 7504 jne 00401185 --- I can change this jmp by changing the "75" in Hiew
:00401181 33FF xor edi, edi
:00401183 EB03 jmp 00401188 --- I can change this jmp by changing the "EB" in Hiew

----------------------------------------------------------------------------
--------------------------------------------------------------------

:00401C95 E99C6F0000 Jmp 00408C36 --- I do not know how to change these jmp's
:00401C9A 90 nop
:00401C9B 90 nop
:00401C9C 90 nop
:00401C9D 90 nop
:00401C9E 90 nop
:00401C9F 90 nop
:00401CA0 E80B000000 call 00401CB0
:00401CA5 E916000000 jmp 00401CC0 --- I do not know how to change these jmp's
----------------------------------------------------------------------------
--------------------------------------------------------------------

Hello trojan !

There are 'short' and 'near' jumps (JMP) and jump-if-condition (JIC). The 7xh (JIC) and EBh (JMP) are 'short' ones. They can jump from the end of the current instruction (EIP+2) from -128 to +127 bytes further.

The 'near' JMPs have the opcode E9h. They jump from EIP+5 from -(2^32) to +(2^32-1) bytes further. For this we need the form E9h, xxh, xxh, xxh, xxh.

The 'near' JICs have no one-byte-equivalent, but they have a two byte opcode. It is 0Fh, 8xh, xxh, xxh, xxh, xxh. You must replace the 7xh with the 8xh opcode to get the same kind of JIC.

When you try to change a 'near' JIC to a 'near' JMP, you'll need only five bytes instead of six for the instruction, so the last byte of the JIC will be added to the next instruction. You can change the last byte of a JIC to 90h (NOP) when patching it to a JMP.

Changing 'near' JMP to 'near' JIC is not possible, since a JMP is five bytes long and a JIC needs six bytes.

Finally --- Thanks for clearing that up.

I can now move on --- whew

Hello trojan!

I don't know if you want to get this far into the code at this point, but there is one other thing that might be helpful in looking at assembly code that provides both additional information and an alternative method of changing certain jump instructions without nopping them out or changing the op code. I'll try to explain using two of the examples from your original question.

Looking at :00401C95 E99C6F0000 Jmp 00408C36 you will know that because of the E9 it is a "near" jump as DaikenDX stated in his reply. But you also know from the bytes which follow the E9 how far the jump will be. The way this is calculated is as follows:

:00401C95 to the end of the instruction is 5 bytes, so

:00401C95 + 5 = :00401C9A

To this address you add the next four bytes to find the next instruction, but you add the bytes in "reverse" order. 6F9C, not 9C6F

:00401C9A + 6F9C = :00408C36

Like wise,

:00401CA5 E916000000 Jmp 00401CC0 can be understood as

:00401CA5 + 5 (length of instructions bytes) = :00401CAA

:00401CAA + 0016 (not 1600) = :00401CC0

What this gives you is another possibility of "moving" the result of the instruction without changing the E9 operand. You might simply add (in reverse order) more to the Jmp instruction to have it jump to a different instruction, say for example skipping a subroutine you don't want called. Just a possibility.

Understanding this method of calculating where the jumps go, and why, will help you to understand the concept of the call relocation table and how you can determine it from the dead listing produced by the disassembler. There was a good article on this method of viewing the dead listing for cracking without a debugger, which I'll find and list in a following reply for those who might find it useful.

If you already knew this, no offense intended and it might be helpful for others.

p.s.
The article is entitled The "call relocation table and its importance" by reverser+. It's in the essay database and can be found at http://www.woodmann.net/fravia/frarul1.htm.

I had no prior knowledge of that.....Very interesting information and very helpful. Thanks for your reply.

I once had a sniplett of code that was supposed to mean somthing to me, but at the time I did not know what it did. From time to time I would look at it and try to comprehend its functionality. After gathering much more knowledge of programming I decided to try it again, and was finally able to do something with it.

Every little bit helps...even if it doesn't help you in the beginning.

Thanks