Wednesday 2 November 2016

CrackMe Challenge I

Required Basics : Basics of Reverse Engineering

CrackMe Name : QHQCrker's QPatchmi No2

Source : http://crackmes.de/users/qhqcrker/qpatchmi_no2/

Let's get started!







Pretty basic goals. Easy, right? :P



Load this in OllyDbg:
As soon as you open the file in Olly, you will see the call to IsDebuggerPresent right below the code of the first nag window (titled "Hi" in the first image).

There is also a CALL at 0040101C to a procedure at 00401519. This procedure copies a single byte. The source byte has the value 0x58 and is the first character of the string "XQHQ Patch me No1"; the target is inside the code section, in this instruction:

004013E7 |. C707 00000058 MOV DWORD PTR DS:[EDI],58000000

The immediate 58000000 is stored little-endian, so its highest byte (0x58) is the last byte of the opcode, at 004013E7+5, and that is exactly the byte the copy overwrites: it restores this instruction at run time, so we will have to deal with that too. To skip the nag message, change the CALL at 0040101C to JMP 00401034, or simply NOP out the nag message.

For the IsDebuggerPresent check, there is a conditional jump right below the call that depends on its return value. Change that jump from JE (jump if equal) to JNE (jump if not equal), as shown in this image. (Inverting the condition only swaps the two outcomes, so the patched file then takes the "detected" path when no debugger is attached; if the patch should also work outside Olly, make the jump unconditional towards the clean path instead.)



Now scroll down a little and you will find the string "--> Patch this message to good message <--", and also "CONGRATULATION, YOU'RE GOOD BOY" at 40310E.

0x2B is the size of that caption in ANSI (42 characters plus the terminating NUL = 43 = 0x2B), and 0x56 is double that, the size of the same caption once it has been converted to Unicode (shown in the image below). The converted string is written to EDI, so three things have to change here:
- the pushed offset
 point it at "CONGRATULATION, YOU'RE GOOD BOY" at 40310E
- the pushed size
 change it to 0x20 (31 characters plus NUL = 32)
- the double size added to EDI
 change it to 0x40




After the change:



The crackme's main dialog is created by the API function
DialogBoxIndirectParamA, called at 004014A6. If you are unfamiliar with this
function (like I was), look up its description, e.g. on Microsoft's website.
Before this function can be called, a fairly complex structure has to be set up
that describes the controls (e.g. buttons) the dialog uses. Each control is
described by a DLGITEMTEMPLATE structure, and its first doubleword (style)
defines, among other things, whether the control in question is enabled or
disabled. So the state of the Exit button is defined by its DLGITEMTEMPLATE.
Exit's DLGITEMTEMPLATE structure is set up starting at 004013E7, and its first
doubleword is 58000000. Now we have to determine what the first doubleword
should be if the Exit button is to be enabled. The button's style is a
combination of window style values that you can look up on Microsoft's website;
several window style values are combined into one style value using inclusive OR.
The WS_DISABLED window style has the value 08000000, so we have to determine
what the button's style was before 08000000 was OR'ed into it. Since that bit
is known to be set, this is most easily done with exclusive OR (XOR), which
clears it: 58000000 XOR 08000000.

The resulting value is 50000000 (hex), which is just WS_CHILD | WS_VISIBLE with
WS_DISABLED removed. This is the value we have to patch in instead of 58000000,
but we won't do it directly at 004013E7. Why not? Because the crackme writes
58000000 back automatically right after program start. It's done by the function
at 00401519, called at 0040101C: it loads a byte from 004030EE (58 by default)
and writes it to 004013E7+5, the highest byte of the immediate, regardless of
what was there before. (By the way, the "debugger detected" execution path does
the same at 0040118E, but that does not matter because we have already switched
off the debugger check.) The best way to patch the style of the Exit button is
therefore to change the byte at 004030EE from 58 to 50. Done!:
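To check the numbers in this write-up end to end, here is an added example (my own script, not the author's and not part of the crackme). It encodes the JMP at 0040101C, recomputes the caption size/double-size pair, clears WS_DISABLED from the Exit button's style, and then simulates the start-up copy done by 00401519 to show why patching the source byte at 004030EE survives while patching the instruction at 004013E7 directly does not. The section table, the image base and the byte image are constructed assumptions so that it runs offline; for the real file, the offsets must be taken from the target's PE section headers (e.g. with pefile).

```python
"""Worked patch plan for QPatchmi No2 as described in the write-up above.
Added example, not the author's or the crackme's code. Addresses, instructions
and values come from the text; the section table and the byte image are
CONSTRUCTED so the script runs offline."""
import struct

IMAGE_BASE = 0x00400000          # assumed image base for the constructed image
WS_CHILD = 0x40000000
WS_VISIBLE = 0x10000000
WS_DISABLED = 0x08000000

# Constructed section table: (name, VirtualAddress, PointerToRawData, SizeOfRawData)
SECTIONS = [
    (".text", 0x1000, 0x0400, 0x1000),
    (".data", 0x3000, 0x1400, 0x0200),
]


def va_to_offset(va: int) -> int:
    """Translate an address shown in OllyDbg into a file offset via the section table."""
    rva = va - IMAGE_BASE
    for _, vaddr, raw_ptr, raw_size in SECTIONS:
        if vaddr <= rva < vaddr + raw_size:
            return raw_ptr + (rva - vaddr)
    raise ValueError(f"VA {va:#010x} is not backed by file data")


def jmp_rel32(src_va: int, dst_va: int) -> bytes:
    """Encode E9 rel32; the displacement is relative to the end of the 5-byte instruction."""
    return b"\xe9" + struct.pack("<i", dst_va - (src_va + 5))


def caption_sizes(text: str) -> tuple[int, int]:
    """Size pushed for the ANSI caption (characters plus NUL) and the byte count the
    dialog template consumes once the caption is widened to UTF-16 (the EDI advance)."""
    ansi = len(text.encode("ascii")) + 1
    return ansi, ansi * 2


def enabled_style(style: int) -> int:
    """Undo the OR of WS_DISABLED. XOR only clears the bit if it is set, so check first."""
    if not style & WS_DISABLED:
        raise ValueError("WS_DISABLED is not set; XOR would turn it on")
    return style ^ WS_DISABLED


def put(img: bytearray, va: int, data: bytes) -> None:
    off = va_to_offset(va)
    img[off:off + len(data)] = data


def make_image() -> bytearray:
    """Constructed stand-in for the file: only the spots the write-up touches are populated."""
    img = bytearray(0x1600)
    put(img, 0x40101C, b"\xe8" + struct.pack("<i", 0x401519 - (0x40101C + 5)))  # CALL 00401519
    put(img, 0x4013E7, b"\xc7\x07" + struct.pack("<I", 0x58000000))  # MOV DWORD PTR [EDI],58000000
    put(img, 0x4030EE, b"\x58")  # source byte that 00401519 copies at start-up
    return img


def runtime_restore(img: bytearray) -> None:
    """What 00401519 does at start-up: copy the byte at 004030EE over 004013E7+5,
    the top byte of the little-endian immediate 58000000. (If the CALL at 0040101C
    is turned into the JMP, this copy is never reached from there.)"""
    img[va_to_offset(0x4013E7) + 5] = img[va_to_offset(0x4030EE)]


def exit_style(img: bytearray) -> int:
    """Read the immediate of the MOV at 004013E7, i.e. the Exit button's style dword."""
    off = va_to_offset(0x4013E7)
    return struct.unpack("<I", img[off + 2:off + 6])[0]


def compare_patches() -> tuple[int, int]:
    """Patch the instruction directly versus patch the source byte, then let the
    start-up copy run. Only the second patch survives."""
    naive = make_image()
    put(naive, 0x4013E7 + 5, b"\x50")
    runtime_restore(naive)
    good = make_image()
    put(good, 0x4030EE, b"\x50")
    runtime_restore(good)
    return exit_style(naive), exit_style(good)


if __name__ == "__main__":
    print("JMP 00401034 at 0040101C:", jmp_rel32(0x40101C, 0x401034).hex(" "))
    for s in ("--> Patch this message to good message <--", "CONGRATULATION, YOU'RE GOOD BOY"):
        size, wide = caption_sizes(s)
        print(f"{s!r}: pushed size {size:#x}, EDI advance {wide:#x}")
    print(f"Exit style: {enabled_style(0x58000000):#010x} (WS_CHILD | WS_VISIBLE)")
    print("naive vs source-byte patch after restore:", [f"{v:#010x}" for v in compare_patches()])
```

The caption sizes come out as 0x2B/0x56 and 0x20/0x40 only when the terminating NUL is counted, which is why the pushed size is one more than the visible string length.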


Now just run it:




DONE! All the goals listed in the nag message are completed. Next, we will deal with another, harder crackme. If you have any doubts, just comment here. Thanks!

Greets : Crackmes.de
