Welcome to Cracking Tutorial #27! Ah, finally. Sorry for the delays, but I have no modem at home yet. :-/ As a bonus I'll do 5 versions today (#26, 27, 28, 29 and 30). *HELL!* Like I said earlier, nothing is gonna stop me now! :) Anyway, enjoy it! :) Ok, let's rave!

You'll need the following tools. (I use these tools and I assume you'll use them too, but that doesn't mean you need all of them for every example, so just have them handy!)

    SoftIce 3.25
    W32Dasm 8.93
    Hacker's View 6.10
    SmartCheck 6.03
    TASM 5.00
    Windows Commander 3.53 (I use it because it makes multitasking easier)

Don't ask me where to download all these tools, since you had a chance to get them when you used my older tutorials. Here are a few good cracking sites where you can grab tools from:

    http://surf.to/HarvestR or http://harvestr.cjb.net
    http://atlantez.nl.eu.org/Iczelion
    http://protools.cjb.net

or ask any cracker to get you these tools! Are you ready?! OK! ;)


Cloud strikes again... bringing you a new tut =)

Target game: Anno 1602 (english)

Some things that may come in handy:

    Hiew 6.04
    Soft-Ice 3.2x
    W32Dasm89

No drink this time... I just didn't happen to have any... =) I assume you have the proggies I mentioned... Let's go!

I installed the game with the minimum install (you know my HD space...). After the installation, take the CD out of the drive and start the game. Everything seems fine until you press "New Game" and select a scenario, or "Continue game". An annoying message box tells us something like: "Please insert the original CD...". Memorize this message and load 1602.w32 into W32Dasm (you made those backups, didn't you?). After the disassembly is finished we (of course) try to find that message in the string references. But no matter how hard we try, we just can't find it... what now?

Hmm... How about this? Start the game again and go to the New Game menu. Before you choose any scenario, press Ctrl-D to drop into Soft-Ice and set a breakpoint: "bpx messageboxa". Now F5 back to the game and choose any scenario.
As soon as you click on a scenario, Soft-Ice grabs you. Don't mind this one; just press F11. Now you should be back in the game with an error message box complaining about the CD. Press Retry and *BAM*, you're back in Soft-Ice. The only thing you have to do is note the address where we landed (in my case it's 015F:4961BB); in fact we only need 4961BB. Clear the breakpoint in Soft-Ice (bc *) and exit Soft-Ice. Now load 1602.w32 back into W32Dasm89 (in case you exited it earlier). Press the "Goto Code Location" button and enter 4961BB. This is how it should look:

    :00496194 E817CEFFFF   call 00492FB0        <--- The message box
    :00496199 85C0         test eax, eax
    :0049619B 7530         jne 004961CD

    * Reference To: USER32.MessageBoxA, Ord:0195h
    |
    :0049619D 8B3570E24900 mov esi, dword ptr [0049E270]

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:004961CB(C)
    |
    :004961A3 8B1538AC4A00 mov edx, dword ptr [004AAC38]
    :004961A9 A134AC4A00   mov eax, dword ptr [004AAC34]
    :004961AE 8B0D30565600 mov ecx, dword ptr [00565630]
    :004961B4 6A05         push 00000005
    :004961B6 52           push edx
    :004961B7 50           push eax
    :004961B8 51           push ecx
    :004961B9 FFD6         call esi
    :004961BB 83F804       cmp eax, 00000004
    :004961BE 0F85A1060000 jne 00496865
    :004961C4 E8E7CDFFFF   call 00492FB0        <--- The check
    :004961C9 85C0         test eax, eax
    :004961CB 74D6         je 004961A3

Notice the shape of the loop: MessageBoxA is called with type 5 (MB_RETRYCANCEL) and the result is compared with 4 (IDRETRY), so Retry re-runs the check at 492FB0 and loops back to the box for as long as it returns zero; anything other than Retry goes to 496865. Both calls target the same routine at 492FB0, so it should be quite clear what we can do with them: just nop them. Write down the @Offset values W32Dasm shows in its status bar for the two call addresses. Then exit W32Dasm89 and load 1602.exe into Hiew. Use F4 (Decode mode) and F5 (goto), and enter 955C4, the file offset of the call at 4961C4 (in this executable the file offset is the virtual address minus 400C00; 496194 therefore maps to 95594). Nop the call by pressing F3 (edit) and typing 9090909090 (five times 90):

    E8E7CDFFFF -> 9090909090

Do the same to the other call at file offset 95594 (E817CEFFFF). Note! There are two more of these calls. We nopped the calls at 4961C4 & 496194; the other two are at 49607E & 496052. Just nop them out too. Easy, huh? Yes... when finished, exit Hiew and start the game.
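Cloud converts the virtual addresses from W32Dasm into Hiew file offsets by hand. The Python script below is an added example (not part of Cloud's tutorial) that does the same arithmetic from the PE section table, confirms where an E8 CALL points, and nops it only after checking that the bytes on disk match. The PE image it builds is constructed here purely for the demonstration; its .text section is laid out so that the VA-to-offset delta is 400C00, the same as in the Anno executable, so the tutorial's numbers (4961C4 -> 955C4, 496194 -> 95594, both calls landing on 492FB0) fall out of it. All function names are my own.

```python
import struct

# Added example, not from the tutorial: map a virtual address seen in
# Soft-Ice/W32Dasm to a file offset for Hiew by walking the PE section
# table, then nop a 5-byte CALL there.  The PE image is constructed
# inline; the addresses used below are the ones from the Anno listing.


def pe_sections(data: bytes):
    """Return (image_base, [(name, va, vsize, raw_ptr, raw_size), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:          # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    secs = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        secs.append((name, va, vsize, raw_ptr, raw_size))
    return image_base, secs


def va_to_file_offset(data: bytes, va: int) -> int:
    """File offset backing a virtual address; ValueError if it has no raw bytes."""
    image_base, secs = pe_sections(data)
    rva = va - image_base
    for name, sva, vsize, raw_ptr, raw_size in secs:
        if sva <= rva < sva + max(vsize, raw_size):
            delta = rva - sva
            if delta >= raw_size:
                raise ValueError("%#x lies in the zero-filled tail of %s" % (va, name))
            return raw_ptr + delta
    raise ValueError("%#x is not inside any section" % va)


def call_target(call_va: int, insn: bytes) -> int:
    """Destination of an E8 rel32 CALL located at call_va (what W32Dasm prints)."""
    if len(insn) != 5 or insn[0] != 0xE8:
        raise ValueError("not a 5-byte near CALL")
    rel = struct.unpack("<i", insn[1:])[0]
    return (call_va + 5 + rel) & 0xFFFFFFFF


def nop_call(image: bytearray, call_va: int, expected: bytes) -> int:
    """Overwrite the CALL at call_va with five NOPs after checking the bytes match."""
    if len(expected) != 5 or expected[0] != 0xE8:
        raise ValueError("expected bytes must be a 5-byte near CALL")
    off = va_to_file_offset(image, call_va)
    found = bytes(image[off:off + 5])
    if found != expected:
        raise ValueError("bytes at %#x are %s, expected %s" % (off, found.hex(), expected.hex()))
    image[off:off + 5] = b"\x90" * 5
    return off


def build_toy_pe(image_base=0x400000, text_va=0x1000, text_raw=0x400, text_size=0x1000):
    """Constructed PE32 image with one .text section, used only for the demo."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    sec = bytearray(40)
    sec[:5] = b".text"
    struct.pack_into("<IIII", sec, 8, text_size, text_va, text_size, text_raw)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sec)
    return bytearray(hdr) + bytearray(text_raw + text_size - len(hdr))


if __name__ == "__main__":
    # .text at RVA 1000 backed by file offset 400 gives the same VA-to-offset
    # delta (400C00) as 1602's executable, so the tutorial's numbers apply.
    img = build_toy_pe(text_size=0x96000)
    check = bytes.fromhex("E8E7CDFFFF")
    img[0x955C4:0x955C9] = check                                # plant the CALL
    print(hex(call_target(0x4961C4, check)))                    # 0x492fb0
    print(hex(nop_call(img, 0x4961C4, check)))                  # 0x955c4
```

The byte check before writing is the part worth keeping: if W32Dasm and Hiew disagree on an offset (a different build of the game, or a section that is not mapped 1:1), the script refuses rather than nopping five bytes of something else.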
Select any scenario in the New Game menu, or try Continue Game: no error messages, and the game goes on! Yes, we did it! Enjoy this fine game!

-Cloud [StarGazer]

Greetz to: the same persons as last time (too lazy to write their names) and tKC

If you have any questions or comments, contact me via e-mail at zakeman@hotmail.com, or find me in Kiss' chat (www.kiss.fi/chatropol/town/playstation). If you happen to have any problems with my crack, please let me know.

Written 26th of May 1999


How to crack 3D Studio Max R2.5 *DONGLE* using SoftIce and HIEW
by Killer_3K/Harlem

OK, in this tut I'll show you ONE of the methods to remove a pesky dongle from a program. I used DOD's release of 3dsmax r2.5. Install it using the serials (this is a dongle-only tut, remember? :)), and once you've finished, DON'T use their patch; we want to crack it ourselves, don't we? :) Just remember, this is the easy way, and it doesn't work on all dongle-protected programs, since some of them have encrypted jumps that only get decrypted with data read from the dongle. This method only works on lame dongle protections like this one. :) (BTW, in case anyone wonders, it uses a Sentinel dongle.)

(BTW, before you run it I recommend turning the faults trap off in SoftIce (SET FAULTS OFF), since for some strange reason it crashes (at least on my machine) right after you click OK on the message box and when you quit. No, it's not because of the crack; I even tried DOD's and Siege's cracks for it and it still happened.)

Run 3dsmax. As you can see, it starts loading and then says: "Hardware lock is not attached, bla bla bla bla". Alright, no problem, let's disassemble 3dsmax.exe with our favourite disassembler, W32Dasm... WTF?! Just as we opened 3dsmax.exe, 3dsmax ran and W32Dasm did nothing! Argh! Hmm, probably some anti-W32Dasm thing in it. Although we could fix that, we don't care much about it right now; we'll just use SoftIce.

1) Put a bpx on MessageBoxA and then press F5 to go back to Windows.
Now make a copy of 3dsmax.exe and run the copy, since although 3dsmax seems to have "closed", it's still running, so we wouldn't be able to patch the original. Let it load, and then SoftIce is in your face. Press F11 and you see the message box. Press OK and you're back in SoftIce, and you should be here:

    0177:00450F23 85DB           TEST EBX,EBX
    0177:00450F25 750C           JNZ 00450F33
    0177:00450F27 E87424FBFF     CALL 004033A0
    0177:00450F2C 53             PUSH EBX
    0177:00450F2D FF15B8365700   CALL [KERNEL32!ExitProcess]
    0177:00450F33 5F             POP EDI
    0177:00450F34 5E             POP ESI
    0177:00450F35 5D             POP EBP

2) OK, so the message box appears and then 3dsmax quits. So what do we do? Start scrolling up; we're looking for a jump that takes us away from that ugly place. :) So let's go up and up and see what we've got:

    0177:00450E70 50             PUSH EAX
    0177:00450E71 E8DA1B1000     CALL 00552A50        <--- call dongle check
    0177:00450E76 6685C0         TEST AX,AX
    0177:00450E79 0F84A4000000   JZ 00450F23          <--- far far far! :)
    0177:00450E7F 8B0D44125600   MOV ECX,[00561244]
    0177:00450E85 81F1AD730000   XOR ECX,000073AD
    0177:00450E8B 51             PUSH ECX
    0177:00450E8C 8D942414020000 LEA EDX,[ESP+00000214]
    0177:00450E93 52             PUSH EDX
    0177:00450E94 E8B71B1000     CALL 00552A50
    0177:00450E99 6685C0         TEST AX,AX
    0177:00450E9C 7528           JNZ 00450EC6         <-- won't bring us far: only skips a bit, still shows the msgbox and dies
    0177:00450E9E A140125600     MOV EAX,[00561240]
    0177:00450EA3 35AD730000     XOR EAX,000073AD
    0177:00450EA8 50             PUSH EAX
    0177:00450EA9 8D8C2414020000 LEA ECX,[ESP+00000214]
    0177:00450EB0 51             PUSH ECX
    0177:00450EB1 E89A1B1000     CALL 00552A50
    0177:00450EB6 6685C0         TEST AX,AX
    0177:00450EB9 7468           JZ 00450F23          <-- same: only skips a bit, still shows the msgbox and dies
    0177:00450EBB A170925600     MOV EAX,[00569270]
    0177:00450EC0 85C0           TEST EAX,EAX
    0177:00450EC2 741C           JZ 00450EE0          <-- same
    0177:00450EC4 EB09           JMP 00450ECF
    0177:00450EC6 A170925600     MOV EAX,[00569270]
    0177:00450ECB 85C0           TEST EAX,EAX
    0177:00450ECD 7411           JZ 00450EE0          <-- same
    0177:00450ECF 6825100000     PUSH 00001025
    0177:00450ED4 E887F0FBFF     CALL 0040FF60
    0177:00450ED9 50             PUSH EAX
    0177:00450EDA FF15B83A5700   CALL [USER32!KillTimer]
    0177:00450EE0 68FF000000     PUSH 000000FF
    0177:00450EE5 8D942414010000 LEA EDX,[ESP+00000114]   <---- a bit below come the msgbox and the ExitProcess

OK, goodie, we found it. :) Now what do we do? You can simply patch

    0177:00450E79 0F84A4000000   JZ 00450F23
to
    0177:00450E79 90E9A4000000   JMP 00450F23

(the NOP plus a 5-byte JMP occupies exactly the 6 bytes of the JZ, and the rel32 stays A4 because the JMP ends at the same address the JZ did). BUT!

3) What about other dongle checks later (during runtime etc.)? If we patch that JZ we only pass the first dongle check; the program will run, but we might have problems later on. So what do we do? We patch the dongle check itself! :) There are a couple of ways of doing it; I'll choose the fastest one, so we'll go into the call at 00450E71. But wait, how do we make SoftIce break there? We would usually put a bpx on it and run the exe from the symbol loader, but in this case, if we try to run it through the symbol loader, it just runs and SoftIce never pops up. OK, no problem, we'll use the almighty CC. :) We'll place a CC (INT 3) at 00450E70, the PUSH EAX. Write down the hex bytes 50E8DA1B10006685C0 (taken from 450E70-450E76), search for them in Hiew, replace the 50 with CC and save the file. Now type "bpint 3" in SoftIce, so it breaks when execution reaches the CC.
4) Run 3dsmax (your CC-patched exe) and wait for SoftIce to break. When it breaks, you'll have to change the CC back to its original 50 in SoftIce, or else it will crash. If you don't know how, here's how: make sure you have the little hex (data) window in SoftIce (type E if you don't). Once you see it, type D EIP, click on the CC in the hex window, type 50 and press Enter to apply the change. Now you'll see:

    0177:00450E70 50             PUSH EAX
    0177:00450E71 E8DA1B1000     CALL 00552A50        <--- call dongle check
    0177:00450E76 6685C0         TEST AX,AX

5) If you step over the call (F10), when you reach TEST AX,AX you'll see that the hex value of EAX is 3, which means it failed. :) We want EAX to be 0, because then it will jump. OK, go back to the call (re-run 3dsmax and redo part 4), and when you reach the call press F8 to step into it. You'll see the following:

    0177:00552A50 53             PUSH EBX
    0177:00552A51 56             PUSH ESI
    0177:00552A52 8B44240C       MOV EAX,[ESP+0C]
    0177:00552A56 0BC0           OR EAX,EAX
    0177:00552A58 7509           JNZ 00552A63         <-- the program jumps here
    0177:00552A5A 66B80200       MOV AX,0002
    0177:00552A5E 5E             POP ESI
    0177:00552A5F 5B             POP EBX
    0177:00552A60 C20800         RET 0008             <-- return from the call

6) OK, after a couple of F10s you'll reach this part:

    0177:00552AD7 7509           JNZ 00552AE2         <-- not taken (when it jumps, it redoes the dongle check)
    0177:00552AD9 66B80300       MOV AX,0003          <-- put 3 in AX (meaning it failed)
    0177:00552ADD 5E             POP ESI
    0177:00552ADE 5B             POP EBX
    0177:00552ADF C20800         RET 0008             <-- return from the call

7) OK, as we can see, this part is executed when the dongle is not found or fails. Since we want AX to be 0, we patch the MOV AX,0003 so it becomes MOV AX,0000. So fire up Hiew and search for 750966B803005E5BC20800; once you've found it, patch 66B80300 to 66B80000 and save. (Note the other early exit at 552A5A, which returns 2 when the first argument is zero; that path is untouched by this patch.) Remember that CC we put in the exe earlier? Patch it back to 50 so the program won't crash, then save. Run 3dsmax... voilà!
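Every patch in this tutorial (and the 741A JZ in the Bleem tutorial that follows) is applied by searching Hiew for a byte string and overwriting part of it. The Python below is an added example, not Killer_3K's tool, that scripts that step and refuses to patch unless the signature occurs exactly once, which is exactly why the Bleem tutorial extends a bare 741A with the CALL bytes in front of it. The images it works on are constructed inline from the byte sequences quoted above; the function names are my own.

```python
# Added example, not from the tutorial: the "search for the bytes in Hiew,
# then overwrite" step as a script.  The signature must occur exactly once;
# a short pattern such as 741A is extended with the bytes in front of it
# for that reason.  The sample images are constructed inline.

from typing import List


def find_all(data: bytes, sig: bytes) -> List[int]:
    """Every offset at which sig occurs (overlapping hits included)."""
    hits, pos = [], data.find(sig)
    while pos != -1:
        hits.append(pos)
        pos = data.find(sig, pos + 1)
    return hits


def patch_signature(image: bytearray, sig_hex: str, old_hex: str, new_hex: str,
                    sub_offset: int = 0) -> int:
    """Locate the unique signature, then replace old bytes with new bytes at
    signature offset + sub_offset.  Returns the file offset that was patched.

    old and new must have the same length so no code moves; the old bytes are
    verified against the image first, so a wrong sub_offset fails loudly
    instead of corrupting a neighbouring instruction."""
    sig, old, new = bytes.fromhex(sig_hex), bytes.fromhex(old_hex), bytes.fromhex(new_hex)
    if len(old) != len(new):
        raise ValueError("replacement must keep the same length")
    hits = find_all(image, sig)
    if len(hits) != 1:
        raise ValueError("signature %s found %d times, need exactly one" % (sig_hex, len(hits)))
    off = hits[0] + sub_offset
    if bytes(image[off:off + len(old)]) != old:
        raise ValueError("bytes at %#x are %s, not %s"
                         % (off, image[off:off + len(old)].hex(), old_hex))
    image[off:off + len(new)] = new
    return off


def patch_3dsmax_dongle_check(image: bytearray) -> int:
    """Failure exit of the Sentinel check: MOV AX,0003 -> MOV AX,0000.
    Signature and bytes are the ones quoted in the tutorial above."""
    return patch_signature(image, "750966B803005E5BC20800", "66B80300", "66B80000", sub_offset=2)


def set_int3(image: bytearray, sig_hex: str, old_first_byte_hex: str) -> int:
    """Plant a CC (INT 3) over the first byte of a unique sequence, as done to
    break on the PUSH EAX at 450E70 together with 'bpint 3' in SoftIce."""
    return patch_signature(image, sig_hex, old_first_byte_hex, "CC")


def restore_int3(image: bytearray, off: int, original_hex: str) -> None:
    """Put the original byte back once the breakpoint has served its purpose."""
    if image[off] != 0xCC:
        raise ValueError("no INT 3 at %#x" % off)
    image[off] = bytes.fromhex(original_hex)[0]


if __name__ == "__main__":
    # Constructed image: filler, the dongle-check epilogue, more filler, and
    # the PUSH EAX / CALL / TEST sequence the tutorial breaks on.
    img = bytearray(b"\x00" * 0x100
                    + bytes.fromhex("750966B803005E5BC20800")
                    + b"\x00" * 0x100
                    + bytes.fromhex("50E8DA1B10006685C0")
                    + b"\x00" * 0x100)
    print("MOV AX patched at %#x" % patch_3dsmax_dongle_check(img))
    bp = set_int3(img, "50E8DA1B10006685C0", "50")
    restore_int3(img, bp, "50")
```

Run against a real executable, read the file into a bytearray, apply the patches, and write it to a copy; the uniqueness check is what turns "search for 741A" into something you can trust to hit the right jump.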
It runs. :) Now you can remove the plastic dongle from your computer (if you had one) and still use 3dsmax! :)

- Killer_3K/Harlem


How to crack Bleem! **DEMO**
by Killer_3K/Harlem

PLEASE NOTE THAT THIS TUT WAS MADE TO TEACH ABOUT GOOD PROTECTIONS. *NO* FEATURES (such as D3D, sound etc.) WILL BE ENABLED, SINCE THE CODE WAS REMOVED FROM THE EXE! THIS TUT IS SIMPLY TO SHOW YOU HOW TO DEAL WITH PACKING, NAGS AND DEBUGGER DETECTORS.

ANOTHER NOTE: I will *NOT* write a tut on how to crack the FULL version of Bleem, since Randy (the author of Bleem) did a great job on this program and deserves the money; he worked very hard on it, so he should at least earn the money he worked so hard for. And again: I only made this tut to show you how to deal with advanced protections that are a bit better than the usual crap protections we normally see on other programs. Nice work, Randy. BTW, the final version's protection is a lot nastier than the demo's.

OK, now let's get started, shall we? Download the latest version of the Bleem demo from bleem.com. Since the file is packed, don't even think about trying to disassemble it. BTW, I don't recommend unpacking it either, since it keeps settings for each machine and modifies the exe per machine; this is, BTW, the reason the cracked full version of Bleem is so slow and buggy on many machines. If you try the uncracked Bleem with the key CD you'll notice a huge difference.

OK, now that you have SoftIce loaded, let's see what we have here. Let's run Bleem... WTF?! "This program is not designed to operate with a system debugger! bla bla bla bla". Alright, an anti-SoftIce check. No problem: as we learned from the MeltICE example (by David Eriksson), most anti-SoftIce code detects it by opening SICE.VXD with CreateFileA: if the open succeeds, SoftIce is loaded; if it fails with file-not-found, it isn't. Let's try this method with Bleem.

1) Put a bpx on CreateFileA and run Bleem.
*Bang*, SoftIce pops up in your face. Make sure you're in Bleem and NOT in Explorer. Now press F11, and this is what you see:

    0177:00401077 E8F6130000     CALL KERNEL32!CreateFileA
    0177:0040107C 83F8FF         CMP EAX,-01
    0177:0040107F 746B           JZ 004010EC          <-- jumps if CreateFileA failed (file not found)
    0177:00401081 A328114000     MOV [00401128],EAX
    0177:00401086 6A00           PUSH 00
    0177:00401088 6A00           PUSH 00
    0177:0040108A 6A00           PUSH 00
    0177:0040108C 6A02           PUSH 02
    0177:0040108E 6A00           PUSH 00
    0177:00401090 50             PUSH EAX
    0177:00401091 E8E2130000     CALL KERNEL32!CreateFileMappingA
    0177:00401096 85C0           TEST EAX,EAX
    0177:00401098 7447           JZ 004010E1
    0177:0040109A A32C114000     MOV [0040112C],EAX
    0177:0040109F 6A00           PUSH 00
    0177:004010A1 6A00           PUSH 00
    0177:004010A3 6A00           PUSH 00
    0177:004010A5 6A04           PUSH 04
    0177:004010A7 50             PUSH EAX
    0177:004010A8 E8E3130000     CALL KERNEL32!MapViewOfFile
    0177:004010AD 85C0           TEST EAX,EAX
    0177:004010AF 7425           JZ 004010D6
    0177:004010B1 A330114000     MOV [00401130],EAX
    0177:004010B6 FF0D24114000   DEC DWORD PTR [00401124]
    0177:004010BC 8D90F4CE0400   LEA EDX,[EAX+0004CEF4]
    0177:004010C2 FFD2           CALL EDX
    0177:004010C4 7505           JNZ 004010CB
    0177:004010C6 A324114000     MOV [00401124],EAX
    0177:004010CB FF3530114000   PUSH DWORD PTR [00401130]
    0177:004010D1 E8C0130000     CALL KERNEL32!UnmapViewOfFile
    0177:004010D6 FF352C114000   PUSH DWORD PTR [0040112C]
    0177:004010DC E88B130000     CALL KERNEL32!CloseHandle
    0177:004010E1 FF3528114000   PUSH DWORD PTR [00401128]
    0177:004010E7 E880130000     CALL KERNEL32!CloseHandle
    0177:004010EC F70524114000FFFFFFFF TEST DWORD PTR [00401124],FFFFFFFF
    0177:004010F6 7424           JZ 0040111C
    0177:004010F8 6A10           PUSH 10
    0177:004010FA E89D130000     CALL USER32!MessageBeep
    0177:004010FF 6810100100     PUSH 00011010
    0177:00401104 68E5124000     PUSH 004012E5
    0177:00401109 A124114000     MOV EAX,[00401124]
    0177:0040110E FF3485C4114000 PUSH DWORD PTR [EAX*4+004011C4]
    0177:00401115 6A00           PUSH 00
    0177:00401117 E886130000     CALL USER32!MessageBoxA
    0177:0040111C 6A00           PUSH 00
    0177:0040111E E85B130000     CALL KERNEL32!ExitProcess

2) Hmm...
Alright, this is probably the place where we'll need to patch. Let's check, shall we? Go back to that JZ and type R FL Z to flip the zero flag so it jumps, then press F5 to see what happens... WTF?! "Error loading program!" Hmm, let's go back to that place and see where that JZ leads us. So we flip the zero flag again so it jumps, and we land here:

    0177:004010EC F70524114000FFFFFFFF TEST DWORD PTR [00401124],FFFFFFFF
    0177:004010F6 7424           JZ 0040111C
    0177:004010F8 6A10           PUSH 10
    0177:004010FA E89D130000     CALL USER32!MessageBeep
    0177:004010FF 6810100100     PUSH 00011010
    0177:00401104 68E5124000     PUSH 004012E5
    0177:00401109 A124114000     MOV EAX,[00401124]
    0177:0040110E FF3485C4114000 PUSH DWORD PTR [EAX*4+004011C4]
    0177:00401115 6A00           PUSH 00
    0177:00401117 E886130000     CALL USER32!MessageBoxA
    0177:0040111C 6A00           PUSH 00
    0177:0040111E E85B130000     CALL KERNEL32!ExitProcess

3) WTF?! It brought us to the same place! Hmm, odd. Let's check all the other jumps... WTF?! They all bring us to almost exactly the same place (only a couple of bytes from each other), and that JZ above the MessageBeep leads us to ExitProcess. Damn! What are we missing? Let's take a closer look at our code:

    0177:004010A8 E8E3130000     CALL KERNEL32!MapViewOfFile
    0177:004010AD 85C0           TEST EAX,EAX
    0177:004010AF 7425           JZ 004010D6
    0177:004010B1 A330114000     MOV [00401130],EAX
    0177:004010B6 FF0D24114000   DEC DWORD PTR [00401124]
    0177:004010BC 8D90F4CE0400   LEA EDX,[EAX+0004CEF4]
    0177:004010C2 FFD2           CALL EDX             <--- here!
    0177:004010C4 7505           JNZ 004010CB

4) Hmm, what's this little thing? :) This stub maps its own file into memory and calls into the mapped view; everything interesting happens inside that CALL EDX. Let's go into it: press F8...
We get some INVALID stuff (SoftIce shows INVALID for pages that aren't present yet); ignore it and just keep stepping through the code until you reach here:

    0177:82827EF9 8D9C899A000000 LEA EBX,[ECX*4+ECX+0000009A]
    0177:82827F00 8D149D30000000 LEA EDX,[EBX*4+00000030]
    0177:82827F07 2BE2           SUB ESP,EDX
    0177:82827F09 8BFC           MOV EDI,ESP
    0177:82827F0B AB             STOSD
    0177:82827F0C 8B0414         MOV EAX,[EDX+ESP]
    0177:82827F0F 2DC4104000     SUB EAX,004010C4
    0177:82827F14 AB             STOSD
    0177:82827F15 83C728         ADD EDI,28
    0177:82827F18 33C0           XOR EAX,EAX
    0177:82827F1A 8BD1           MOV EDX,ECX
    0177:82827F1C F3AB           REPZ STOSD
    0177:82827F1E 897C2420       MOV [ESP+20],EDI
    0177:82827F22 8D3C97         LEA EDI,[EDX*4+EDI]
    0177:82827F25 897C2424       MOV [ESP+24],EDI
    0177:82827F29 8D3C97         LEA EDI,[EDX*4+EDI]
    0177:82827F2C 897C2428       MOV [ESP+28],EDI
    0177:82827F30 8D3C97         LEA EDI,[EDX*4+EDI]
    0177:82827F33 897C242C       MOV [ESP+2C],EDI
    0177:82827F37 8D7C97FC       LEA EDI,[EDX*4+EDI-04]
    0177:82827F3B E800000000     CALL 82827F40
    0177:82827F40 897C240C       MOV [ESP+0C],EDI
    0177:82827F44 E8F9010000     CALL 82828142
    0177:82827F49 7521           JNZ 82827F6C
    0177:82827F4B E801050000     CALL 82828451
    0177:82827F50 741A           JZ 82827F6C          <--- hmm, what's this?

5) Hmm, as we can see, the program jumps at that JZ. I wonder what it does. Let's trace and see where it leads (the mapped view lands at a different base on this run, a whole number of pages lower, hence 8266xxxx instead of 8282xxxx):

    0177:82660F6C 8B442420       MOV EAX,[ESP+20]
    0177:82660F70 B905000000     MOV ECX,00000005
    0177:82660F75 8D94899A000000 LEA EDX,[ECX*4+ECX+0000009A]
    0177:82660F7C 8D649434       LEA ESP,[EDX*4+ESP+34]
    0177:82660F80 83F801         CMP EAX,01
    0177:82660F83 1BD2           SBB EDX,EDX
    0177:82660F85 C3             RET                  <-- returns from the CALL EDX

6) As we can see, this part returns from the CALL EDX, leading us to that "debugger is running bla bla" message box, so the JZ must be our jump. Go back to that part, and when you reach the JZ (82827F50) type R FL Z so it won't jump, then press F5... Yes! Bleem works. :) Now open Bleem with Hiew and search for the jump. Write down its bytes together with the bytes of the CALL above it, so you don't hit a different jump, since there's more than one 741A in the file.
So search for E801050000741A and nop the JZ (741A -> 9090), save the file and run Bleem... Yeah! It works! The debugger detector is eliminated. :) Now we can get on with the other things.

7) Let's remove that pesky disclaimer. Put a bpx on DialogBoxParamA and run Bleem. SoftIce breaks; press F11 and you see the disclaimer. Press OK or Cancel and you're back in SoftIce, seeing the following:

    0177:00682A3B E8A1058DBF     CALL USER32!DialogBoxParamA
    0177:00682A40 85C0           TEST EAX,EAX
    0177:00682A42 7408           JZ 00682A4C
    0177:00682A44 83F8FF         CMP EAX,-01
    0177:00682A47 7403           JZ 00682A4C
    0177:00682A49 83F802         CMP EAX,02
    0177:00682A4C C3             RET

8) As you probably noticed, EAX=1 if you pressed OK and EAX=2 if you pressed Cancel, so the CMP EAX,02 just before the RET leaves the zero flag set on Cancel. Now, how do we get rid of this pesky nag? See that RET at the end? It leads us back to the place that calls the nag box. So let's trace until we pass the RET; you land here:

    0177:0066882F B834750000     MOV EAX,00007534
    0177:00668834 E8EBA10100     CALL 00682A24        <-- calls nag
    0177:00668839 746E           JZ 006688A9          <-- checks the answer
    0177:0066883B E804D0FFFF     CALL 00665844
    0177:00668840 7562           JNZ 006688A4

9) As we can see, the JZ checks the answer: it jumps if EAX=2 (Cancel) and doesn't if EAX=1 (OK). So we need to nop both CALL 00682A24 and JZ 006688A9. We'll do the patching a bit later, so write down the bytes and virtual offsets (00668834 E8EBA10100 and 00668839 746E); we'll need them for the patch. And now for the exit nag ("Thanks for trying Bleem!
demo, bla bla"): set the same bpx as before (bpx DialogBoxParamA) and you land here:

    0177:00682A3B E8A1058DBF     CALL USER32!DialogBoxParamA
    0177:00682A40 85C0           TEST EAX,EAX
    0177:00682A42 7408           JZ 00682A4C
    0177:00682A44 83F8FF         CMP EAX,-01
    0177:00682A47 7403           JZ 00682A4C
    0177:00682A49 83F802         CMP EAX,02
    0177:00682A4C C3             RET

This is the same place as before, so we just trace until we pass the RET and land here:

    0177:006688C7 B833750000     MOV EAX,00007533
    0177:006688CC E853A10100     CALL 00682A24        <-- calls nag
    0177:006688D1 33C0           XOR EAX,EAX          <-- EAX xored with itself, so EAX = 0
    0177:006688D3 E8A87FFEFF     CALL 00650880        <-- exit Bleem

So we need to nop that little call too; write down the bytes and virtual offset (006688CC E853A10100).

Patching:

Since the file is packed, we can't simply search the exe for these bytes and patch them, because that part is packed. The reason we could patch the anti-SoftIce check by searching for its bytes is that the loader stub containing it isn't packed. So what do we do? There are two ways:

A) Use a ready-made memory patcher, or make your own.
B) Use the method R!SC uses to patch Shrinker-packed files; it should be in tKC's cracking tutorial #19.

Remember, making a memory patcher is a lot faster, but requires a special launcher for the exe, while patching a packed file doesn't need a separate patcher, but takes time to do and can be really annoying. Since this tut is already long enough, I'll only show you how to use (and fix) the memory patcher.

Alright, I chose R!SC's PROCESS PATCHER v1.2i, since all the others I tried caused a lot of problems. *NOTE*: for some reason this one (the only one that works) has some problems with Bleem (although it works without problems on anything else I tried), so we'll need to patch the launcher a bit.
Don't worry, it takes 2-3 seconds. :) First let's make our script; here's what mine looks like:

    T=60000:
    f=bleem!.exe:                                  ; filename
    o=B!_loader.exe:                               ; loader to create
    p=668834/E8,EB,A1,01,00/90,90,90,90,90:        ; First nag call
    p=668839/74,6E/90,90/90,90:                    ; always think we pressed Ok
    p=6688CC/E8,53,A1,01,00/90,90,90,90,90:        ; Exit nag
    $

2) OK, now compile it, place the exe in the same dir as your Bleem exe and run it... WTF!?! "ReadProcessMemory Error". Sometimes it works, sometimes it doesn't patch the first nag. Let's fix the patcher, shall we? Put a bpx on ReadProcessMemory and run B!_loader.exe. SoftIce pops up; press F11 and you should see this:

    0177:0040108F 85C0           TEST EAX,EAX
    0177:00401091 61             POPAD
    0177:00401092 0F84A6000000   JZ 0040113E          <-- here
    0177:00401098 60             PUSHAD
    0177:00401099 FC             CLD
    0177:0040109A BE08214000     MOV ESI,00402108
    0177:0040109F 8BCB           MOV ECX,EBX
    0177:004010A1 F3A6           REPZ CMPSB
    0177:004010A3 61             POPAD

As you can see, that JZ is taken when the loader shows the ugly error message (ReadProcessMemory returned 0). BTW, if it doesn't jump (which sometimes happens) you just got lucky this time :); re-run the loader and it should jump. So here's what you do: nop the JZ! That's it! :) Open the loader with Hiew, look for its bytes 0F84A6000000 and nop them (909090909090). With the JZ gone, a read that really failed is no longer reported; the REPZ CMPSB right after it still compares what was read against the expected original bytes, so a bad read just means no match that time round. Save, and try using the loader... Yeah! It works perfectly! Try again... still works. :) No nag to be seen. :) That's it! Hope you learned something from this tut. :)

-Killer_3K/Harlem


THE SAINT Man IS BACK AGAIN
14.06.1999

REGISTRATION DEFEATING

Notes: This little tutorial is on how to make a valid registration. I suggest you get my first tutorial, on how to defeat CD protections, because otherwise it could be hard for you to understand my way of writing things. My first tutorial is available at http://surf.to/tools. If you want me to keep making these tutorials on cracking, then please give me feedback and I will keep making more.
(My e-mail address is zaaz12@post.tele.dk.) If you have any suggestions on how to make my tutorials more understandable, or want me to make a tutorial on something like a specific game, you're free to e-mail me.

Difficulty level: as easy as reading this doc. (OK, that's going to be hard. Just kidding.)

Tools needed: W32Dasm 8.9 (or IDA Pro, any one) and any hex editor (in my case Hiew 6.03).

Where to get these tools: http://surf.to/tools. This page is the best page on earth, but remember to click on his sponsor before you can download anything (hi hi).

English: a little bad, but I'm Danish, so if you don't like my tutorial simply don't read it.

Target: any kind of registration protection. (Well, there are some registration protections that are a little harder to crack. If you have a program like that, then e-mail me and tell me that you really want me to make a tutorial on registration with Soft-Ice.)

Well, now it's time to crack that little bastard.

Step 1. Start the program you want to crack. Go to Help and then Registration. Type any name you like and any number in the key box, then press OK. A box pops up and says "invalid registration key" or something like that. Remember this error message. (In some cases there isn't any error message; the program just ignores the invalid key you entered. If you have this problem, e-mail me and tell me to make a tutorial on these stupid protections.) Exit the program and load W32Dasm 8.9.

Step 2. In W32Dasm 8.9 (or a newer version) disassemble the program's exe. This can take a while. When it's finished, click on the Strn.REF button next to Print. A little box pops up; scroll down and look for the error message. Good, you found it. Double-click on the error message and close the little window. As you can see, you're not at the beginning of the disassembly but somewhere in the middle, at the code that uses the string. Double-click on the jumps and calls around it and write down their offsets without the @ and the h. Be careful which ones you nop: nopping a conditional jump makes both paths behave like the fall-through, and nopping a CALL leaves any arguments it pushed on the stack if the callee was meant to clean them up, so if the program misbehaves afterwards, go back and look for the single conditional jump just before the bad-key message instead of nopping everything.
Let's say the offset looks like this: @000458962h. Then you only write down the digits, like this: 000458962. Exit W32Dasm 8.9 and load Hiew.

Step 3. In Hiew 6.03 (or a newer version) use the cursor keys to move around. Find the program's exe and press Enter. Press F4 and choose Decode. Press F5, enter the offset you wrote down and press Enter. I explained something about how to nop in my first tutorial (that's why you should download it), but I'll explain it here too. When you typed the offset in Hiew and pressed Enter, you landed on some bytes. Let's say the bytes were 6821236972. Press F3 to edit, and for every two hex digits (one byte) type 90. Example: 68=90 21=90 23=90 69=90 72=90. PS: every time you type 90 the cursor jumps on, but that doesn't matter (90 simply means "no operation"). When you're done, press F9 to update and F10 to exit.

Step 4. Run the program, go to Registration and type anything as your name and key. Success! The program is fully cracked.

Final notes: any tips, comments or anything else, just write to me at zaaz12@post.tele.dk

THE SAINT Man


Petite 2.1 Patching Tutorial -- by R!SC / May 1999
(almost tut #3 on packed files)

Petite 2.1 (c) 1998-99 Ian Luck
Target file: PETITE.EXE, 46,214 bytes, 13/05/99
http://www.icl.ndirect.co.uk/petite/

Petite, oh Petite, how I love you....

Wow, 4 months on, and a lot of changes, but Petite is still patcher-friendly: the decompression code has been seriously optimized, it packs the import table, the tamper check is still lame, and it has a lovely shell extension now. It's almost a decent packer! (Well, it is, and it's almost unpack-proof.)

Well, I downloaded Petite 2.1 a few days ago, but today I got home from work and thought I'd just have a look at it, see how much it has changed, see if my old tutorial will help people patch this version... heh, damn it!
It won't; there have been a lot of changes, and finding the packer's exit point was quite a challenge (*g* there are only 0x170 bytes of code to trace through!). Tracing for a while, I noticed there's no "jmp we've finished" or "jmp eax" or anything to signify that it's done and is transferring execution to a whole different area of memory. The unpacker code just jumps around inside itself, and calls inside itself... hmm. This is the closest you get to an exit point:

    0137:004DA042 B800A04D00     MOV EAX,004DA000     <-- where the symbol loader breaks
    0137:004DA047 682A1C4100     PUSH 00411C2A
    0137:004DA04C 64FF3500000000 PUSH DWORD PTR FS:[00000000]
    0137:004DA053 64892500000000 MOV FS:[00000000],ESP
    0137:004DA05A 669C           PUSHF
    0137:004DA05C 60             PUSHAD
    0137:004DA05D 50             PUSH EAX
    0137:004DA05E 33DB           XOR EBX,EBX
    0137:004DA060 8D9078010000   LEA EDX,[EAX+00000178]
    0137:004DA066 6800004000     PUSH 00400000
    0137:004DA06B 8B0A           MOV ECX,[EDX]
    0137:004DA06D 0FBAF11F       BTR ECX,1F
    0137:004DA071 7316           JAE 004DA089
    0137:004DA073 8B0424         MOV EAX,[ESP]
    0137:004DA076 FD             STD
    0137:004DA077 8BF0           MOV ESI,EAX
    0137:004DA079 8BF8           MOV EDI,EAX
    0137:004DA07B 037204         ADD ESI,[EDX+04]
    0137:004DA07E 037A08         ADD EDI,[EDX+08]
    0137:004DA081 F3A5           REPZ MOVSD
    0137:004DA083 83C20C         ADD EDX,0C
    0137:004DA086 FC             CLD
    0137:004DA087 EBE2           JMP 004DA06B
    0137:004DA089 83C210         ADD EDX,10
    0137:004DA08C 8B5AF4         MOV EBX,[EDX-0C]
    0137:004DA08F 85DB           TEST EBX,EBX
    0137:004DA091 74D8           JZ 004DA06B
    0137:004DA093 8B0424         MOV EAX,[ESP]
    0137:004DA096 8B7AF8         MOV EDI,[EDX-08]
    0137:004DA099 03F8           ADD EDI,EAX
    0137:004DA09B 52             PUSH EDX
    0137:004DA09C 8D3401         LEA ESI,[EAX+ECX]
    0137:004DA09F EB17           JMP 004DA0B8
    0137:004DA0A1 58             POP EAX              <-- nice
    0137:004DA0A2 58             POP EAX              <-- a few pops
    0137:004DA0A3 58             POP EAX
    0137:004DA0A4 5A             POP EDX
    0137:004DA0A5 74C4           JZ 004DA06B          <-- a jz carry-on
    0137:004DA0A7 E95CFFFFFF     JMP 004DA008         <-- and a jump to a piece of code that hasn't been used yet

Well, I set a BPX 4DA0A7 on the JMP 4DA008, then ran the program (F5), but it didn't break. :( So I reloaded it into the symbol loader and set a BPX 4DA0A5 on the JZ 4DA06B, just before the (hopefully) important jump. F5: it runs / breaks, the JZ gets taken. F5: same again. F5: same thing again. F5: damn! It ran... I decided to trace after the third break, since on the fourth one it runs... this is not looking good. Reloaded it into the symbol loader; I still have my breakpoint set on 4DA0A5. F5 three times, then trace with F10; very soon it runs again... Do you remember where? Oh my god! It's when a MOVSB instruction is executed. How does this work?

    0137:004DA0F0 6A00           PUSH 00
    0137:004DA0F2 32D2           XOR DL,DL
    0137:004DA0F4 4B             DEC EBX
    0137:004DA0F5 A4             MOVSB                <-- this is where the program runs
    0137:004DA0F6 33C9           XOR ECX,ECX
    0137:004DA0F8 83FB00         CMP EBX,00
    0137:004DA0FB 7EA4           JLE 004DA0A1
    0137:004DA0FD E8AAFFFFFF     CALL 004DA0AC
    0137:004DA102 7217           JB 004DA11B
    0137:004DA104 A4             MOVSB
    0137:004DA105 305FFF         XOR [EDI-01],BL
    0137:004DA108 4B             DEC EBX
    0137:004DA109 EBED           JMP 004DA0F8         <-- loops back to 4DA0F8 (just so you know, for later)

Yeah, I reload it again into the symbol loader, clear all previous breakpoints and set one on the MOVSB at address 4DA0F5. MOVSB moves a byte from [ESI] to [EDI] and increments them both, so I run the program with F5 and look at the two important registers on every break. 1, 2, 3, 4, 5th F5: it runs... Reload it: 1, 2, 3, 4, 5th F5, it runs. Reload it, F5 1, 2, 3, 4... ESI=00400000, EDI=00400000. Try tracing into it this time with F8; hmm, the damn thing runs. How does this instruction make the program run? Where does execution go when this instruction has been executed? (One hint is right at the top of the listing: the stub installs a structured exception handler at 00411C2A, inside the unpacked image, with the PUSH 00411C2A / PUSH FS:[0] / MOV FS:[0],ESP sequence. A MOVSB that faults when it touches 00400000 would hand control to that handler, which is consistent with execution "disappearing" on exactly this instruction; the tutorial does not verify this, so treat it as a reading of the listing, not a fact.)
Well, it doesn't matter; maybe one day I'll know. For now I have all I need: I know that when ESI==00400000 the program has been unpacked, and that executing that MOVSB instruction runs the program, so all I need to do is alter the code a bit. :)

So we have the important information for the patch: we replace the code around / just before the MOVSB with a JMP MYCODE; at MYCODE we check ESI for 00400000; if it's equal we patch the unpacked code, then do the MOVSB to run the newly patched program; and if ESI!=00400000 we execute the instructions we replaced with the JMP MYCODE and jump back.

My idea for the patch is the same as for the old version of Petite: just replace the text string '$HAREWARE - see REGISTER.TXT for details',0A,00 with something a little more subtle, like, er, 'Patched by R!SC',0A,00.

Load petite.exe into a hex editor to find a good place for our code. Ah, offset 4F0, just after the imports: enter 'sometext', then leave a bit of space for the code, then at offset 540 enter 'Patched by R!SC',0A,00 (hmm, 0x11 bytes...). We have to put a JMP inside the unpacker code; the file offset for this is 2F2, and since the jump will take up 5 bytes, we'll use half of the XOR ECX,ECX instruction as well, so we have to NOP the other half of it.

Load petite into the symbol loader again. "s 0 l ffffffff 'sometext'" gives the address we want to jump to, 4DA2F0. "s 0 l ffffffff '$HAREWARE'" gives the address we want to patch, 412B1B. "s 0 l ffffffff 'Patched by R!SC'" gives the address of our really important data, 4DA340. ...still in SoftIce...
We have to change these lines:

    0137:004DA0F2 32D2        XOR DL,DL        <-- yah, we recode this bit
    0137:004DA0F4 4B          DEC EBX
    0137:004DA0F5 A4          MOVSB
    0137:004DA0F6 33C9        XOR ECX,ECX
    0137:004DA0F8 83FB00      CMP EBX,00       <-- where the jump below lands, so we
    0137:004DA0FB 7EA4        JLE 004DA0A1       - can't change the code at/after 4DA0F8
    0137:004DA0FD E8AAFFFFFF  CALL 004DA0AC
    0137:004DA102 7217        JB 004DA11B
    0137:004DA104 A4          MOVSB
    0137:004DA105 305FFF      XOR [EDI-01],BL
    0137:004DA108 4B          DEC EBX
    0137:004DA109 EBED        JMP 004DA0F8     <-- loop back up

to:

    0137:004DA0F2 E9F9010000  JMP 4DA2F0       <-- jump to space after the imports
    0137:004DA0F7 90          NOP              <-- make it look neat, can't leave half an
    0137:004DA0F8 83FB00      CMP EBX, 00        - instruction there
    0137:004DA0FB 7EA4        JLE 004DA0A1
    0137:004DA0FD E8AAFFFFFF  CALL 004DA0AC
    0137:004DA102 7217        JB 004DA11B
    0137:004DA104 A4          MOVSB
    0137:004DA105 305FFF      XOR [EDI-01],BL
    0137:004DA108 4B          DEC EBX
    0137:004DA109 EBED        JMP 004DA0F8

So follow what I did here inside softice:

    Break due to Symbol Loader
    :a 4da0f2
    0137:004DA0F2 jmp 4da2f0
    0137:004DA0F7 nop
    0137:004DA0F8
    :a 4da2f0
    0137:004DA2F0 cmp esi, 0400000
    0137:004DA2F6 jz 4da306
    0137:004DA2F8 xor dl,dl
    0137:004DA2FA dec ebx
    0137:004DA2FB movsb
    0137:004DA2FC xor ecx,ecx
    0137:004DA2FE jmp 4da0f8
    0137:004DA303 nop
    0137:004DA304 nop
    0137:004DA305 nop
    0137:004DA306 pushad
    0137:004DA307 mov esi, 4da340
    0137:004DA30C mov edi, 412b1b
    0137:004DA311 mov ecx, 11
    0137:004DA316 rep
    0137:004DA317 movsb
    0137:004DA318 popad
    0137:004DA319 movsb
    0137:004DA31A

See, then dump the memory??? pagein 4da2f0 30 c:\newcode.dat, then copy & paste it over 'sometext' in petite.exe, then replace the code at offset 2F2 with the jump to this new code, then all is well...

The new code, & instruction bytes:

    :u 4da2f0 l 30
    0137:004DA2F0 81FE00004000  CMP ESI,00400000  <-- check to see if it's finished unpacking
    0137:004DA2F6 740E          JZ 004DA306       <-- if yes! jump to patch code
    0137:004DA2F8 32D2          XOR DL,DL         <-- otherwise, do the instructions
    0137:004DA2FA 4B            DEC EBX             - we replaced with the jmp 4da2f0
    0137:004DA2FB A4            MOVSB               -
    0137:004DA2FC 33C9          XOR ECX,ECX         -
    0137:004DA2FE E9F5FDFFFF    JMP 004DA0F8        - and jump back to unpack code
    0137:004DA303 90            NOP
    0137:004DA304 90            NOP
    0137:004DA305 90            NOP
    0137:004DA306 60            PUSHAD            <-- save the registers
    0137:004DA307 BE40A34D00    MOV ESI,004DA340  <-- source ('Patched by R!SC',0a,00)
    0137:004DA30C BF1B2B4100    MOV EDI,00412B1B  <-- destination ('$HAREWARE')
    0137:004DA311 B911000000    MOV ECX,00000011  <-- how many bytes we want to copy
    0137:004DA316 F3A4          REPZ MOVSB        <-- repeat movs byte thingy
    0137:004DA318 61            POPAD             <-- restore the registers
    0137:004DA319 A4            MOVSB             <-- fuck the rest of the code, and
                                                    - run the program

Sooooo, at file offset 0x2F2 we replace 6 bytes with E9F901000090, then at offset 0x4F0 we replace a lot more bytes (42) with 81FE00004000740E32D24BA433C9E9F5FDFFFF90909060BE40A34D00BF1B2B4100B911000000F3A461A4, then at offset 0x540 (which we have already changed, but just to be sure) we replace a few more bytes with 'Patched by R!SC',0A,00

Well, the tutorial started off so good, then it all went? ahem, sorry, but if you understand what's been said so far, you are now able to patch petite 2.1, the weirdest compressor I have come across... Just a couple of file dumps follow, to make sure you know where to patch..

    000002F0 6A 00 E9 F9 01 00 00 90 83 FB 00 7E A4 E8 AA FF  j..........~....  <-- the jump to mycode
    000004D0 32 2E 64 6C 6C 00 75 73 65 72 33 32 2E 64 6C 6C  2.dll.user32.dll  <-- end of imports
    000004E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    000004F0 81 FE 00 00 40 00 74 0E 32 D2 4B A4 33 C9 E9 F5  ....@.t.2.K.3...  <-- mycode
    00000500 FD FF FF 90 90 90 60 BE 40 A3 4D 00 BF 1B 2B 41  ......`.@.M...+A
    00000510 00 B9 11 00 00 00 F3 A4 61 A4 00 00 00 00 00 00  ........a.......
    00000520 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00000530 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00000540 50 61 74 63 68 65 64 20 62 79 20 52 21 53 43 0A  Patched by R!SC.  <-- mydata
    00000550 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

The tamper check is pretty much the same as for petite 1.3a, but harder to locate.. in Petite 2.1 it is at RVA 411D9B (but will change from program to program):

    :u 411d90 l 50
    0137:00411D90 D3C3          ROL EBX,CL
    0137:00411D92 83C604        ADD ESI,04
    0137:00411D95 49            DEC ECX
    0137:00411D96 75F6          JNZ 00411D8E       <-- loop, calculate checksum??
    0137:00411D98 395804        CMP [EAX+04],EBX   <-- check it
    0137:00411D9B 7408          JZ 00411DA5        <-- jump if equal, not tampered with
    0137:00411D9D 83C42A        ADD ESP,2A
    0137:00411DA0 E970820C00    JMP 004DA015       <-- otherwise, jump back to unpack code
    0137:00411DA5 BEA4160100    MOV ESI,000116A4     - and NAG user
    0137:00411DAA 8B8D00010000  MOV ECX,[EBP+00000100]
    0137:00411DB0 03F5          ADD ESI,EBP

I can only trigger the tamper check if I alter the PE header; altering the unpacker code does not alter the calculated checksum, so you don't really have to worry about it..

R!SC, 19th May 1999, risc@notme.com, http://csir.cjb.net
(yah, your packer friendly cracker, wonder what happened to my Neolite tutorial? hmm, it may come along, probably do one for aspack / upx / wwpack as well)

Oops, I missed a bit.... I packed a few programs with petite 2.1 and traced through them, and noticed that without a command line, the unpacker code is slightly different..

    'petite notepad.exe -r* -9'  (compress all resources but icons.. best compression level)  the unpack code was the same as in petite.exe
    'petite notepad.exe -3'      (compression level 3)                                        the unpack code was the same as in petite.exe
    'petite notepad.exe -r*'     (normal compression, with resources)                         the unpack code had changed (fig.1)
    'petite notepad.exe'                                                                      the unpack code had changed (fig.1)

Fig.1: instead of using a 'MOVSB' & ESI & EDI==00400000, it uses 'MOV [EDI],AL' & EAX & EDI==00400000...
    0137:0040C1D3 55            PUSH EBP
    0137:0040C1D4 8BEC          MOV EBP,ESP
    0137:0040C1D6 8807          MOV [EDI],AL
    0137:0040C1D8 81ECD8BA0000  SUB ESP,0000BAD8
    0137:0040C1DE 8D8D887FFFFF  LEA ECX,[EBP+FFFF7F88]

From the PUSH EBP to the end of the MOV [EDI],AL you have 5 bytes where the jump can go, then jump to code a bit like this:

    CMP EAX,00400000
    JZ PATCHIT
    PUSH EBP
    MOV EBP,ESP
    MOV [EDI],AL
    JMP 40C1D8
    PATCHIT:
    MOV WORD PTR [BLAHBLAH],BLAH
    MOV [EDI],AL

Well, that's it for me.. I'm outta here, I think I have about finished.

R!SC - 21st May 1999 - http://csir.cjb.net


varroa - how to crack The Bat! 1.32

"how to crack" written by varroa

Tools used: softice nt 3.24, ultraedit32

Overview:

The Bat! uses a key/code registration procedure, which is NOT the target of this crack. Instead, we are going to bypass the time limitation by patching the program. NOTE: this patch does not make the program think it's registered, but since there's no difference between the registered and unregistered version (apart from the time limit) we don't need to do that. Killing the nag and the time limit is all we need to do.

This objective is not as easy as it looks. First, The Bat! crashes w32dasm, so checking the dead listing doesn't work here. Also, The Bat! is packed with a compressor called UPX, which means it cannot be patched directly. Imagine that a small routine of UPX sits in front of the actual application. Every time The Bat! is loaded, this small routine unpacks the real program and runs it after decompression. Normally the unpacker is very fast, so you won't notice anything at all. This means we need to patch The Bat! AFTER decompression but BEFORE actual execution. In other words: we need to find the jump that starts the real program, redirect it to a small patch routine, and start the real program after patching.

But first, let's find the nag-screen call: start softice, run the symbol loader, load thebat.exe and wait until the nag screen is displayed. Don't close the nag window.
Switch to softice and set a breakpoint on the closing of the window:

    BPX destroywindow

Let softice run and press either the OK or Exit button of our nag screen. Softice will pop up; disable the breakpoint (type BC *) and start a search for the text that is displayed in the nag window:

    s 0 l 90000000 'This program is'

Softice will find a few locations somewhere in memory, but the one we need is located in the TheBat!UPX0 part. Softice should find the text at the address 6936C9. Now set a memory access breakpoint at this address:

    BPMB 6936C9

Let softice go, exit The Bat! and restart it right away (use the symbol loader menu Module/Load). Softice will now stop at the first memory access at our address. Ignore the first one - it's done by the UPX unpacker, which is decompressing our program. Press F5 to ignore this stop. Softice will break once more at this position:

    xxx:004016A3 F3A5 REPZ MOVSD

From now on, press F12 until the nag screen appears (takes 19 keypresses). Again, click OK or Exit and softice will break one last time at this position:

    001B:0054803B 84C0 TEST AL,AL

which is part of this routine:

    1 001B:00548029 8BD8            MOV EBX,EAX
    2 001B:0054802B 803D0C275F0000  CMP BYTE PTR [005F270C],00
    3 001B:00548032 751E            JNZ 00548052   (NO JUMP)
    4 001B:00548034 8BC3            MOV EAX,EBX
    5 001B:00548036 E87575F9FF      CALL 004DF5B0
    6 001B:0054803B 84C0            TEST AL,AL
    7 001B:0054803D 7413            JZ 00548052    (JUMP)

The CALL in line 5 is the window popup. The TEST AL,AL in line 6 determines whether we've pressed OK or Exit. It will take the jump in line 7 if we've pressed the OK button. See line 3? This one also jumps to the place where we would go when pressing OK. But in our case the jump of line 3 did not seem to work. Let's display the byte at the position accessed by line 2 (005F270C) - it contains a 0. If it had been a 1, the jump in line 3 would have been taken, jumping over the nag-popup call.
Disable all breakpoints (BC *), set a breakpoint on memory access at address 005F270C, let softice run, exit The Bat! (ignore all breaks by softice) and start The Bat! once more. Softice will break 3 times because of the decompressor; ignore them (F5), and the fourth stop will be at a line similar to our line 2 from above:

    1 001B:005433A0 803D0C275F0000  CMP BYTE PTR [005F270C],00
    2 001B:005433A7 741D            JZ 005433C6    (JUMP)

This is the first time The Bat! checks this byte, and the 0 isn't what we like to see there - so let's change line 1 using the "a" command of softice to:

    MOV BYTE PTR [005F270C],01

Now the byte is a 1 and every other check coming later will find this 1 and work as if it had always been so. If you execute the line and disable all breakpoints, The Bat! will never show any nag screen anymore. Cool eh? :)

Where does the real program start?

As I said above, we need to find the place where the decompression routine calls the real program, in order to patch our program. We know that the whole program is decompressed in memory, and we even had some breakpoints breaking on memory accesses of the decompressor. This means the code of our line 1 from above is being written into memory - so we try a breakpoint on memory access at this address:

    BPMB 005433A0

Be sure you have only this breakpoint active, exit The Bat! and re-run it. Softice will break at this line:

    001B:006AD10B 83C704 ADD EDI,04

Notice that we are in a completely different part of the code, at address 6AD10B; remember also that our program above was running at address 5xxxxx. If you press F10 now for a while and have your display set to the address 5433A0, you can watch the decompressor generating the real program... Instead, scroll the code window down looking for an address in the 5xxxxx range. You will find these two lines:

    001B:006AD1C6 61          POPAD
    001B:006AD1C7 E93867F3FF  JMP 005E3904

Yes! This is the jump to the real program, after the decompressor has done its job.
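An added example, not from varroa's tutorial, of how an analyst or a generic unpacker finds this hand-off without single-stepping: scan the stub for the POPAD; JMP rel32 pair and resolve the jump to get the original entry point. The stub bytes are constructed around the two instructions quoted above, and the backwards-jump heuristic assumes the usual UPX layout in which the stub sits above the unpacked image.

```python
"""Locate the UPX-style 'POPAD; JMP oep' tail in a decompressor stub.

Added example, not part of varroa's tutorial: the pair shown above
(61 = POPAD, E9 rel32 = JMP) is the classic UPX hand-off to the original
entry point (OEP). Analysts and generic unpackers find the OEP by scanning
the stub for it. The stub bytes below are CONSTRUCTED around the two
instructions quoted in the text; they are not a dump of thebat.exe.
"""
import struct

STUB_VA = 0x006AD1C0                 # constructed address of STUB[0]
STUB = bytes.fromhex(
    "83C704"          # 6AD1C0: ADD EDI,04   (filler, mirrors the 6AD10B line)
    "8B07"            # 6AD1C3: MOV EAX,[EDI] (filler)
    "90"              # 6AD1C5: NOP          (filler)
    "61"              # 6AD1C6: POPAD        <- restore registers saved by PUSHAD
    "E93867F3FF"      # 6AD1C7: JMP 005E3904 <- hand-off to the real program
    "0000000000"      # padding
)


def rel32_target(addr: int, disp_bytes: bytes) -> int:
    """Target of an E9 jmp at `addr` given its 4 displacement bytes."""
    disp = struct.unpack("<i", disp_bytes)[0]        # signed, little-endian
    return (addr + 5 + disp) & 0xFFFFFFFF            # relative to next insn


def find_oep(stub: bytes, base_va: int):
    """Return (jump_va, oep_va) for the first POPAD;JMP rel32 pair, or None."""
    i = stub.find(b"\x61\xe9")
    while i != -1 and i + 6 <= len(stub):
        jmp_va = base_va + i + 1                     # the E9 follows the 61
        oep = rel32_target(jmp_va, stub[i + 2:i + 6])
        # In a UPX layout the unpacked image (UPX0) sits below the stub
        # (UPX1), so the genuine hand-off jumps backwards; skip the rest.
        if oep < jmp_va:
            return jmp_va, oep
        i = stub.find(b"\x61\xe9", i + 1)
    return None


if __name__ == "__main__":
    print(find_oep(STUB, STUB_VA))   # (0x6AD1C7, 0x5E3904)
```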
All we have to do now is: find a free part in thebat.exe, write the code that patches our program into that part, let the jump at line 6AD1C7 jump to this part, and run the real program.

Patching The Bat!...

How do we find a free part in thebat.exe which is part of the decompression routine and NOT part of the (compressed) data? Open thebat.exe in your favourite hex editor and search for the code of the jump from above (E93867F3FF) - you'll find it at position 24007 (decimal). Hmm... doesn't look like there's free space, does it? Scroll to the beginning of the file... hmmm... some strange ASCII art, right? Hmmm.... jump to the beginning of thebat.exe - there it is:

    UPX 0.60 Copyright (C) 1996-1999 Laszlo Molnar & Markus Oberhumer

Why not use the copyright of UPX as space for our patch routine? Okay, let's do it. All we need now is the position of this copyright text in memory. I'll use the 'L' of 'Laszlo' as the first byte of my patch routine. Use softice to locate this copyright text in memory and write down the address (which is 00400296 in the case of the 'L').

We need 2 lines of code to patch the code at address 005433A0, which looks like this:

    1 001B:005433A0 803D0C275F0000  CMP BYTE PTR [005F270C],00
    2 001B:005433A7 741D            JZ 005433C6

but should look like this:

    1 001B:005433A0 C6050C275F0001  MOV BYTE PTR [005F270C],01
    2 001B:005433A7 741D            JZ 005433C6

The 2 lines that do the patch plus the jump to the real program are these:

    1 00400296 C705A0335400C6050C27  MOV DWORD PTR [005433A0],270C05C6
    2 004002A0 C705A43354005F000174  MOV DWORD PTR [005433A4],7401005F
    3 004002AA E955361E00            JMP 005E3904

Are we done? Not yet! We've got to redirect the jump from the decompressor so it runs through our 3 new lines. Simply change the jump at 006AD1C7 to this one:

    006AD1C7 E9CA30D5FF JMP 00400296

Congratulations! You've just patched The Bat! - I hope this little tutorial helps you understand how to patch compressed programs. Even if they crash w32dasm. :)

Have fun!
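As an added example (not part of varroa's tutorial), the two DWORD stores above can be checked byte by byte: this reconstructs what they write and diffs it against the original CMP, which is how an analyst confirms a suspected in-memory patch and sees that the JZ opcode at 005433A7 survives the second, overlapping store. The byte strings and immediates come from the listing above.

```python
"""Check what the two DWORD stores in the patch routine above really change.

Added example, not from varroa's tutorial. The routine overwrites the 7-byte
CMP BYTE PTR [005F270C],00 with a 7-byte MOV BYTE PTR [005F270C],01 using
two 4-byte stores, so 8 bytes are written. This reconstructs those 8 bytes
from the immediates quoted in the listing and diffs them against the
original code, the way you would confirm a suspected in-memory patch.
The original and patched byte strings are copied from the listing.
"""
import struct

PATCH_BASE = 0x005433A0
# (address, 32-bit immediate) as shown in lines 1 and 2 of the patch routine
DWORD_STORES = [(0x005433A0, 0x270C05C6), (0x005433A4, 0x7401005F)]

ORIGINAL = bytes.fromhex("803D0C275F0000" "741D")   # CMP ...,00 ; JZ 005433C6
EXPECTED = bytes.fromhex("C6050C275F0001" "741D")   # MOV ...,01 ; JZ 005433C6


def apply_dword_stores(code: bytes, base: int, stores) -> bytes:
    """Apply little-endian DWORD stores to a copy of `code` mapped at `base`."""
    buf = bytearray(code)
    for addr, imm in stores:
        off = addr - base
        buf[off:off + 4] = struct.pack("<I", imm)    # x86 stores little-endian
    return bytes(buf)


def diff_bytes(before: bytes, after: bytes, base: int):
    """Return [(address, old, new)] for every byte that actually changed."""
    return [(base + i, b, a)
            for i, (b, a) in enumerate(zip(before, after)) if b != a]


if __name__ == "__main__":
    patched = apply_dword_stores(ORIGINAL, PATCH_BASE, DWORD_STORES)
    # Only the CMP opcode bytes (80 3D -> C6 05) and the immediate (00 -> 01)
    # differ; the ModRM/address bytes and the JZ's 74 are rewritten unchanged.
    for addr, old, new in diff_bytes(ORIGINAL, patched, PATCH_BASE):
        print(f"{addr:08X}: {old:02X} -> {new:02X}")
```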
varroa, 5/5/99


We really hope you've enjoyed this tutorial as much as we did! Don't miss Tutor #28 soon! ;)

And as I said last time: Without knowledge, there's no power! ;)

Credits go to:
LagPRO/CiA for Splash Logo.
Killer_3K/Harlem for providing 2 tuts in this version.
Cloud [StarGazer] for providing a tut in this version.
R!SC for providing a tut in this version.
The Saint Man for providing a tut in this version.
Varroa for providing a tut in this version.
tKC/CiA (hey it's me!) for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next tutorials.. see below for my email address!

Greetz go to all my friends!

You can find me on IRC or email me at tkc@reaper.org
Oh btw, please don't expect me to reply to your mails, since I get 50+/- mails every day.. be sure that I really appreciate your mails! :)

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action '99
Compiled on 23 June 1999

Cracking Tutorial #27 is dedicated to Ms_Jessca... who else?