Flu[X]'s cracking tutor #6 - Dealing with a packed EXE
                             Getting past Disassembler Protection

Tools
-Softice 3.2+
-Live Image v1.29D Build 52
-Hackersview 5.65+
-Brain


Ok... recently programmers have been using techniques or programs to "pack"
their EXEcutables or DLLs in an attempt to add additional copyright
protection. A popular one is Shrinker. If you're a cracker, believe me, you
know about it :)  Ok, enough, let's get started.

Ok, let's examine our target, Live Image v1.29D Build 52. It asks for a name/serial,
so we begin tracing from hmemcpy. Eventually we come to these lines of code:



mov eax,[ebp-20]
mov ecx,[ebp-0C]
mov esp, ebp
Ret

----- After return is executed -----

cmp eax,0
je BAD_Cracker



OK, what it does is move a value into EAX, and if that value is 0
it means you failed the serial check. Now, if we could make it
always pass the test, we would have a fully regged copy (because
the programmer always uses the above routine to check his serials).
I also notice that [ebp-20] is 0 unless it is the right serial,
but wait, EBP is always non-zero, so if we moved ebp into eax
it would always pass the test.

So the above code would become:

mov eax,[ebp]      ; line changed...
mov ecx,[ebp-0C]
mov esp, ebp
Ret


Ok, we think this is going to be some simple patch, so we open up
W32Dasm to find the file offset (we did write down the address
from SoftIce, didn't we?). Ok, we disassemble the file, and what?!?!
What is this crap? I can't find that code anywhere!

This EXE is packed... ARGHHH. So after a bit of analyzing we notice
that it is packed by Shrinker, so we must de-pack it. I used
Unshrinker v1.2 (on my web page http://tuts98.cjb.net).

Ok, we now have an unshrinked EXE file :) Things should be good, right?
No, wrong. Let's disassemble the unpacked EXE with W32Dasm. What, it won't
work? It seems as if the author not only used Shrinker, but also added
a bit of his own protection! Ok, now what do we do here? Wait a sec,
remember what the code we are looking for is? Maybe if we used our
heads a bit (a very little bit) we would recall that Hiew allows
for hex searches :)

mov eax,[ebp-20]
mov ecx,[ebp-0C]
mov esp, ebp

This translates to:  8B45E08B4DF48BE5

So if we open the file in Hiew we can do a search for 8B45E08B4DF48BE5.
Hit the F7 key in Hiew, type it in the hex string area, and find it.
Hey, it worked, we found our code.

So change it from:
 8B45E0
 8B4DF4
 8BE5

to:
 8B4500        ;note the 00.
 8B4DF4
 8BE5
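
Added example, not part of the original tutorial: a small Python encoder showing how the Hiew search string and the patched bytes above follow from the x86 ModRM layout, and why mov eax,[ebp] has to carry an explicit 00 displacement byte (8B 45 00) rather than a shorter two-byte form. Register numbers follow the standard Intel encoding; the function names are my own.

```python
# Added example (not the tutorial's code): encode the three instructions the
# tutorial searches for, and the patched first instruction, from mnemonics.

# Standard Intel 32-bit register numbering used in the ModRM reg/rm fields.
REG32 = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3,
         "esp": 4, "ebp": 5, "esi": 6, "edi": 7}


def mov_reg_from_ebp_disp8(reg: str, disp: int) -> bytes:
    """Encode `mov reg, [ebp+disp]` with a signed 8-bit displacement.

    Opcode 8B = MOV r32, r/m32.  ModRM: mod=01 (disp8 follows), reg=dest,
    rm=101 (ebp).  Note the x86 quirk: mod=00 with rm=101 does NOT mean
    [ebp], it means a bare [disp32] with no base register.  So even a zero
    displacement to [ebp] must use mod=01 plus an explicit 00 byte, which is
    exactly the 8B 45 00 the tutorial writes into the file.
    """
    if not -128 <= disp <= 127:
        raise ValueError("displacement does not fit in disp8")
    modrm = (0b01 << 6) | (REG32[reg] << 3) | 0b101
    return bytes([0x8B, modrm, disp & 0xFF])


def mov_reg_reg(dst: str, src: str) -> bytes:
    """Encode `mov dst, src` between two 32-bit registers (8B /r, mod=11)."""
    modrm = (0b11 << 6) | (REG32[dst] << 3) | REG32[src]
    return bytes([0x8B, modrm])


def original_sequence() -> bytes:
    """mov eax,[ebp-20] / mov ecx,[ebp-0C] / mov esp,ebp -> 8B45E08B4DF48BE5."""
    return (mov_reg_from_ebp_disp8("eax", -0x20)
            + mov_reg_from_ebp_disp8("ecx", -0x0C)
            + mov_reg_reg("esp", "ebp"))


def patched_sequence() -> bytes:
    """Same sequence with the first load changed to mov eax,[ebp] (8B 45 00)."""
    return (mov_reg_from_ebp_disp8("eax", 0)
            + mov_reg_from_ebp_disp8("ecx", -0x0C)
            + mov_reg_reg("esp", "ebp"))


if __name__ == "__main__":
    print("search string:", original_sequence().hex().upper())
    print("patched bytes: ", patched_sequence().hex().upper())
```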

Save the file and run. Hey look, it's registered. Crack done!

Also, about a patch: a patch for this program would be virtually impossible,
seeing as it is improbable to modify a packed file.



I hope to see you again in Flu[X] tutor #7
As always, if you like a program, buy it!  This essay is for
educational purposes ONLY! Software authors deserve your support!

Flu[X]/PC98
http://tuts98.cjb.net