dAKuRioUSCHiLD [ PC_'99 ]

Tut Part    Attack Angle    Tools Needed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Part 2.     Jump Patch      WinDasm and Hiew.

Here we go! First we need to run startclean, cuz we need to get a feel for it and see how we can approach it. It gives us 2 options..."OK" or "Register...". We click "OK" just so we can see it run and stuff ( :) vague enough? ). Ok...now there is no "about" button that tells us whether we're registered or not, but there is a spot that says "Shareware Version". Ok... so if we register it won't say that. Let's close it, re-run it and this time click on "Register...". Now we have a little registration box...it wants our name and our code. So let's see how it works...don't enter anything and click "OK". It pops up a box titled "Error" and it says "Incorrect code!". Let's try it again with the name "KuRioUS" ( of course without the quotes ) and the code "00998877" ( again without the quotes ) ( I use 00998877 because it's rarely in memory, it's unique, if I see it I know it's from this program, and it's also easy to remember ). Again it says "Incorrect code!". Just like before. Ok, now we know enough to start working...

First we need to make a back-up of our target! Just click on startcln.exe, press "ctrl+c" and then hit "ctrl+v". This copies it. Rename the copy to startcln.w32. Make another copy and name it startcln.bak. Fire up WinDasm...make sure the font is set to "Courier New" "Regular" Size "8" and save this as the default font ( this is configured from the "Disassembler Menu" near the top left: go to "Font", click "Select Font", set it as above ). Again open the Disassembler Menu and click on "Open File to Disassemble...". Guide it to startcln.w32...it'll take a small while, just wait. Then !PooF! all this shit pops up! This is what we call a dead listing. You are looking at the program code as it is on your hard-drive.
Now you are seeing it all in Asm ( assembly language ); asm uses mnemonics ( words that look or sound like what they do! ). Now we need to find the code that nagged us! Remember it...Incorrect code!? So we can either click on the Search Menu or the Refs Menu. I'm gonna use the Refs menu. Go to the String Data References. We scroll through looking for Incorrect code!. FOUND IT!! Double click on it and you'll notice in the background your windasm scrolled. It's now at the location where it bitches. Double click Incorrect code! again while watching the addresses ( the numbers in the left column ). Notice that when you double-clicked the second time, the addresses didn't change; that means it only says Incorrect code! in one spot. So we KNOW this is the right bitch! So we close the SDR window and we're back in windasm. We see that the bitch is highlighted. We scroll up just a bit and we see where it says that it was referenced by a jump from 004027A3; the (C) next to it means that the jump was conditional ( basically something set it off...there is another option ).

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004027A3(C)
|
:004027C1 6A00                    push 00000000
:004027C3 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"Incorrect code!"
                                  |
:004027C5 68AC634000              push 004063AC
:004027CA 56                      push esi
Now let's go up to 004027A3 and see what we can see...

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402787(C)
|
:00402794 8B742408                mov esi, dword ptr [esp+08]
:00402798 56                      push esi
:00402799 E8B2E9FFFF              call 00401150
:0040279E 83C404                  add esp, 00000004
:004027A1 85C0                    test eax, eax
:004027A3 741C                    je 004027C1
:004027A5 C7054C72400001000000    mov dword ptr [0040724C], 00000001
:004027AF 6A01                    push 00000001
:004027B1 56                      push esi
The "je" means jump if equal; see the test right above it, and the call above that is where it checks out your correct code and stuff. So if eax is equal to eax, then it jumps and we're not registered. The first eax is set before the call and the second eax is returned from the call. We can simply change the je to jne ( jump if not equal ), which would reverse the situation.

So we put hiew in the startclean folder and drag startcln.exe onto hiew. Make sure in windasm that the line we're gonna change is highlighted; if it's not, just double-click on the line. In hiew press F4 and use your arrow keys and enter key to select "DECODE". Now press F5 and enter 00001ba3. This is the offset we are going to change. We found it in windasm by looking at the status bar at the bottom of the window. See, it says "Line:3225...Code Data@:004027A3 @Offset 00001BA3 in File:startcln.w32". Ok, we're doin' good now cuz the code in hiew looks like the code in windasm. 74 should be highlighted; press F3, this is edit mode. Type over the 74 with 75 and you'll notice that the je 00001BC1 changed to jne 00001BC1. Now we press F9 to update, and F10 to exit hiew.

Let's run startcln.exe and see what happens...well, it still asks us to register, so let's do that... :D it took our reg. code!! Hm..it says Registered to...but not our name. Close startcln.exe and run it again... damn! It still wants us to register. My example is named jne.exe. Well, from the fact that it said registered to and no name, we can guess that it didn't properly enter our name in the registry, and it also checks the registration info more than once...when you enter it and on start-up ( hence the nag ), so let's try another attack...let's kill the nag screen. Please don't feel like your time was wasted...this simple jump change will work on some programs...but we need another approach for this program. That's the point of this tut...I'm gonna teach you different approaches. Only some methods work on some programs...but there is ALWAYS a way!
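To make the two numbers in this part concrete ( why 004027A3 in WinDasm becomes offset 00001BA3 in Hiew, and why 74 1C lands on 004027C1 ), here is a small added example; it is not from the tut or from startclean. It assumes a typical PE layout ( ImageBase 00400000, .text at RVA 1000 starting at raw offset 400 ), which is consistent with the address/offset pair the status bar showed, and it finishes with the kind of self-integrity check a program author would add to notice that one-byte edit.

```python
# Added example, not part of the tutorial or of startclean.
# Section layout is ASSUMED (typical small 1990s PE); it matches the
# tutorial's pair: VA 004027A3 <-> file offset 00001BA3.
IMAGE_BASE = 0x400000
TEXT_VA = 0x1000     # .text VirtualAddress (RVA)
TEXT_RAW = 0x400     # .text PointerToRawData

# Short (rel8) jumps: one opcode byte plus one signed displacement byte.
# 0x74 = je/jz (taken when ZF=1), 0x75 = jne/jnz (taken when ZF=0).
SHORT_JUMPS = {0x74: "je", 0x75: "jne", 0x7C: "jl", 0x7D: "jge",
               0x7E: "jle", 0x7F: "jg", 0xEB: "jmp"}


def va_to_file_offset(va):
    """What WinDasm's status bar does: VA -> RVA -> raw offset in .text."""
    rva = va - IMAGE_BASE
    return rva - TEXT_VA + TEXT_RAW


def decode_short_jump(code, va):
    """Decode a 2-byte short jump located at virtual address `va`.

    The target is relative to the *next* instruction (va + 2), and the
    displacement is signed, so 0x80..0xFF jump backwards.
    """
    opcode, disp = code[0], code[1]
    if opcode not in SHORT_JUMPS:
        raise ValueError("not a short jump: %02X" % opcode)
    if disp >= 0x80:
        disp -= 0x100
    return SHORT_JUMPS[opcode], va + 2 + disp


# Constructed bytes taken from the dead listing above:
#   004027A1  85C0  test eax, eax   (sets ZF when eax == 0)
#   004027A3  741C  je   004027C1
CHECK_BYTES = bytes.fromhex("85C0741C")
CHECK_VA = 0x4027A1


def build_image(tampered=False):
    """Constructed stand-in for the file: zeros with the check placed at
    its real offset; `tampered` flips the je to jne like the tut does."""
    image = bytearray(0x2000)
    off = va_to_file_offset(CHECK_VA)
    image[off:off + len(CHECK_BYTES)] = CHECK_BYTES
    if tampered:
        image[off + 2] = 0x75
    return bytes(image)


def integrity_ok(image):
    """Defender-side check: are the registration-check bytes unmodified?"""
    off = va_to_file_offset(CHECK_VA)
    return image[off:off + len(CHECK_BYTES)] == CHECK_BYTES
```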
ONTO Part 3!!