Winzip Tut #2
Adding Code To Replace Bad Serial With Good Serial In Memory
by ?ferret
Skill Level: Newbie
Attack Plan: Patching
Target: Winzip 8.0
Tools Needed: Softice, Hiew, W32Dasm
Hola Compadres!
In this tutorial, I'll be showing you how to add code to a program to make it behave the way we'd like it to. This is a very simple, introductory example of how to do this.
Set a breakpoint on GetDlgItemTextA and try to register the program. Hit CTRL-D once and Softice will break again (once for the name, once for the serial). Hit F11 to return to Winzip code. Disable the breakpoint, as you won't need it for a while.
Next, we want to search memory for our bogus registration number. Type `s 0 l ffffffff 'your_serial'` in Softice. You should find it at address DS:48CDA4. Set a BPM on DS:48CDA4 and Softice will break whenever this address is written to or read from. Hit CTRL-D a few times until you come to this code:
MOV AL, [ESI]
INC ESI
MOV AH, [EDI]
INC EDI
CMP AH, AL
JZ 4692EC
This is the part of the protection that compares our serial to the real serial, one byte at a time.
If you type D ESI, you'll see your fake serial in the data window. Type D EDI or D ECX+128 and you'll see your real code.
Write down the addresses of ESI, EDI and the conditional jump after the compare (JZ 4692EC).
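As an added illustration (not part of the original tutorial), here is a Python model of the byte-by-byte check described above, placed next to a form that never holds the cleartext serial in memory; the serial and salt values are constructed for this example only.

```python
import hashlib
import hmac

# Constructed sample values for this example only (not WinZip's serial).
REAL_SERIAL = b"ABCD1234"
SALT = b"example-salt"


def check_bytewise(user_serial: bytes, real_serial: bytes = REAL_SERIAL) -> bool:
    """The pattern the tutorial fishes: the valid serial sits in cleartext
    next to the user's input and is compared one byte at a time, bailing
    out at the first mismatch (MOV AL,[ESI] / MOV AH,[EDI] / CMP AH,AL / JZ)."""
    if len(user_serial) != len(real_serial):
        return False
    for a, b in zip(user_serial, real_serial):
        if a != b:
            return False  # early exit: the outcome hinges on one byte at a time
    return True


def serial_digest(serial: bytes, salt: bytes = SALT) -> bytes:
    """Digest computed once at build time; only this value ships in the binary."""
    return hashlib.sha256(salt + serial).digest()


def check_hashed(user_serial: bytes, stored_digest: bytes, salt: bytes = SALT) -> bool:
    """Hardened form: the cleartext serial never exists in the process, so
    there is nothing to read out of [EDI], and compare_digest replaces the
    early-exit loop. A patched final branch still bypasses this check, so
    hashing is a hardening step, not a complete defence."""
    return hmac.compare_digest(serial_digest(user_serial, salt), stored_digest)


if __name__ == "__main__":
    stored = serial_digest(REAL_SERIAL)
    print(check_bytewise(b"ABCD1234"), check_bytewise(b"00000000"))
    print(check_hashed(b"ABCD1234", stored), check_hashed(b"00000000", stored))
```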
This is where we depart from standard serial fishing and decide to do something a bit different. When I started this crack, I had just wanted to pop the good serial into the bad-guy message box. Since our code redirection will bypass the actual check, it will pop up the good-guy box (showing whatever number is at address DS:48CDA4). So, we'll replace our number with the real number at that address. One thing to remember is that it's possible for other parts of the program to use these lines of code, so we will make it so that we enter zeros for our registration number. If the number is not zeros going into our inserted code, the program will jump back to the normal flow of execution.
Disable all breakpoints and set a new one on MessageBoxIndirectA. Try to register again. When Softice breaks, hit F11 to return to Winzip code again. Write down the address of the push above the call to MessageBoxIndirectA. (In previous versions you would want to write down the address of the first value pushed for MessageBoxA)
Now we need to find room to insert our new code. Disassemble the program in W32Dasm. Scroll to the bottom. See all those 0's? That's empty space... Use it ;-) Write down the address of the second line of 0's (just so that we can easily see where our code starts).
Open the program in Hiew. Change the image base setting to 400000 if you have to. Goto (F5) 4692F8. Edit (F3). ASM (F2). Change this line to JMP 47674A. Then add a NOP to straighten out the rest of the code again. Hit ESC to get out of edit mode. Goto (F5) 47674A. Go into edit mode again. Now we add our new code:
JZ 4692EC //The Jump we replaced to redirect our code (goodguy)
CMP Byte [ESI], 30 //Is the first char in ESI 0?
JE 47675E //If it is Jump
SUB AL, 41 //The bytes we wrote over when we
CMP AL, 1A //changed the jump at 4692F8
JMP 469300 //Jump back to normal flow of execution
MOV EDI, 48CDA4 //Place this address in EDI
PUSH [ECX+12C] //Push the last four chars of good serial
PUSH [ECX+128] //Push the first four chars of good serial
POP [EDI] //Place first four chars in address at EDI
POP [EDI+4] //Place last four chars after 1st four
JMP 430143 //Jump to the MessageBoxIndirectA code
Esc out of edit mode again, hit F9 to update and save the changes. All done!
Hope you learned a few new tricks today, I did ;-)
Next stop.....Keygen!
GREETZ & THANX to all of the people who've helped me @ the Newbies Forum. (I'm too damn lazy to type all the names ;-))