include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
ShowMessage proto
ReplaceMent proto
.data
szMsg1 db "这是未执行SMC之前的代码!", 0
.code
start:
invoke MessageBox,0,addr szMsg1,0,0
invoke ExitProcess,0
end start
支持你这种说法,不过我地另外一个地方看到一破文,但是照猫画虎也不成功。
看下面:
s Tutorial: How to do Inline Patch in Aspack'ed applications!
Ok, as you know, I haven't written a tutor by myself for long time, so since
I'm on holiday now, I decided to write one. This time, we'll do an Inline
Patching in Aspack'ed application. Very easy, no fear! Ok, I've coded a small
crackme for the education, and it's packed with Aspack v2.12. So on this
crackme, we must remove the messagebox. Still as I said, the main goal is to
do Inline Patching on this Crackme, not to remove the messagebox only! ;)
Ok, let's go..
What we'll need:
OllyDbg - to find Program Entry Point (OEP) in the Crackme
HIEW v6.83 - to edit the Crackme
W32Dasm v8.93 - to disassemble the Crackme
LordPE Deluxe - to unpack the Crackme and edit PE headers
PEiD v0.80 - to identify the PE in Crackme
Pen and paper, and your brain!!
Step 1. Let's run PEiDentifier on this Crackme to confirm it's packed with
Aspack! Or you can use any similiar file scanner. (They can be
found at Protools sites!). While we're at it, run Crackme and see what
happens. Ok, the messagebox appears, so it has to be removed. I'm not
teaching you how to remove the box, just how to do Inline Patch.
Step 2. Ok, coz it's packed with Aspack, we all know that Aspack'ed
applications first goto its own decryption procedures, to check CRC
etc, then if it's OK then it goes to Main procedure of applications
or else gives you errors. So we gotta find the jump to OEP in Crackme
in decryption codes. When run, we all know Aspack'ed applications
contain the "known" instructions near the end of decryption part:
xxxxxxxx 61 popad
xxxxxxxx 7508 jne cccccccc
xxxxxxxx B801000000 mov eax,00000001
xxxxxxxx C20C00 retn 000C
cccccccc 68aaaaaaaa push aaaaaaaa <--- aaaaaaaa is our OEP value
xxxxxxxx C3 ret
We gotta find the OEP value in this unpacking code, remember we will NOT find
the OEP value in Aspack'ed files, only when you run 'em, you'll find it in
memory. Of course, it's hardcoded in Aspack'ed files, but hard to find it.
So the known bytes we always can find in Aspack'ed files looks like:
61
7508
B801000000
C20C00
6800000000 <--- always 00000000, so that's why we don't know the OEP yet!
C3
Step 3. Ok, now we can open HIEW on Crackme and search for bytes: 6800000000C3.
We found it at:
.0040D3AF: 61 popad
.0040D3B0: 7508 jne 00040D3BA
.0040D3B2: B801000000 mov eax,000000001
.0040D3B7: C20C00 retn 0000C
.0040D3BA: 6800000000 push 000000000
.0040D3BF: C3 retn
Ok cool, we know it's Aspack'ed and we have the address "40D3BA", so write
down this address on paper.
Step 4. Next thing we gotta do, is to load the debugger to find the real OEP.
Load OllyDbg, open Crackme.exe. (If you're unfamiliar with OllyDbg,
find some tutors on how to use it.) Anyway, back to OllyDbg, at CPU,
main thread window at first line, you'll see like this:
0040D000 90 NOP
0040D001 60 PUSHAD
0040D002 E8 03000000 CALL ASPCrack.0040D00A
0040D007 E9 EB045D45 JMP 459DD4F7
0040D00C 55 PUSH EBP
Step 5. Ok, now scroll down to 40D3BA where it looks like this:
0040D3BA 68 00000000 PUSH 0
Ok, on that line, press F2 to set breakpoint on this line. Then finally press
F9 to run Crackme in OllyDbg. Awesome, what do we find? Here's what I found:
0040D3BA 68 345A4000 PUSH ASPCrack.00405A34
See? 405A34 is our real OEP! Write down this OEP. We're done with OllyDbg for now.
Step 6. What now? We gotta unpack the Crackme, not to remove the messagebox
only, but to get/write down the Address that needs to be patched. Ok,
run Crackme again, don't close it yet! Now run LordPE, scroll down till
you see like this:
Path PID ImageBase ImageSize
c:\Crkme\ASPCrackme.exe 000007D8 00400000 00010000
^^^^^^^^^^^^^^^^^^^^^^^
This path might be different where you stored the Crackme!
Ok good, now RightClick on that line and select "dump full...", then save
the dumped to wherever you want. You'll see we got dumped.exe with 65,536
bytes in size. Now close Crackme, don't close LordPE yet!
Step 7. Now we need to rebuild the PE headers since the dumped.exe won't run
good. In LordPE, click "Rebuild PE" and select dumped.exe file. You'll
see Rebuild Status, and it has been finished rebuilding. Now try run
dumped.exe, good it runs fine now. Close it now. Again, don't close
LordPE yet.
Step 8. Now run W32Dasm and open dumped.exe. WTF? It's not disassembled...
Oh yes, PE sections in dumped.exe aren't fixed yet. Go back to LordPE,
click "PE Editor", select dumped.exe. Click "Sections". Ok, wtf are we
doing? On the first line you'll see like this:
Name VOffset VSize ROffset RSize Flags
CODE 00001000 00005000 00000400 00004A68 C0000040
You see "C0000040"? That flags means it's readable, writeable, and no
executable code. Normally I use HIEW to change the flags from:
11000000 00000000 00000000 01000000 | C0000040
to
11100000 00000000 00000000 00100000 | E0000020
But within LordPE, it's easier for you. Ok, back at LordPE. RightClick and
select "edit section header..." Change C0000040 to E0000020, or simply click
"..." button, you'll see checkboxes. Just check the following boxes:
1. Executable as code
2. Readable
3. Writeable
4. Contains executable code
Uncheck other boxes, you'll see flags changed at "Current Value". Ok, save and
close LordPE.
Step 9. Again run W32Dasm and open dumped.exe. Great, it's disassembled now.
Now our task is to remove the messagebox, as I said, I'm not
teaching you how to crack it, so we skip the "how/why" part. Now click
Str.Refs button, scroll down to: "C'mon...you gotta remove this" and
DoubleClick on it. Now we're at like this:
* Referenced by a CALL at Address:
|:004057F9 <--- we gotta goto this address...
|
* Possible StringData Ref from Code Obj ->"C'mon...you gotta remove this "
->"NAG!!"
|
:00405904 B818594000 mov eax, 00405918
:00405909 E8B2E1FFFF call 00403AC0
:0040590E C3 ret
Now press Shift-F12 and type 4057F9. And we land here:
:004057F9 E806010000 call 00405904
This is the address we gotta nop the call, the offset is 4BF9. Write down this
address: 4057F9 on paper.
Step 10. Now run HIEW and open dumped.exe, press F5, type 4BF9. Then press F3
to edit, type 9090909090, F9 to save. Close HIEW and run dumped.exe.
Great, the messagebox is gone. We got OEP address, we got the address
where we removed the messagebox, we used 5 bytes (90 90 90 90 90).
Now our next task is to do Inline Patch finally.
Step 11. Ok, go back to HIEW and open Crackme.exe. First we need space where
we can insert the patch instructions in Crackme. We look around and
found lots space at 40E100 (Offset: 4D00). Ok good, we have this
address too. Now you remember the address where it tells ASPack the
real OEP? It's at 40D3BA (Offset: 3FBA) right? Let's goto 40D3BA
(press F5 and type 3FBA), we are at:
.0040D3AF: 61 popad
.0040D3B0: 7508 jne 00040D3BA <--- we gotta change this to JUMP to
.0040D3B2: B801000000 mov eax,000000001 40E100, to do Inline Patch
.0040D3B7: C20C00 retn 0000C instructions, when done patching
.0040D3BA: 6800000000 push 000000000 then it goes back here at the
.0040D3BF: C3 retn 40D3B7 address.
Scroll up to 40D3B0, press F3, press TAB, then type: jmp 4D00, then nop 2
bytes (90 90), then F9 to save. We get like this:
.0040D3AF: 61 popad
.0040D3B0: E94B0D0000 jmp .00040E100
.0040D3B5: 90 nop
.0040D3B6: 90 nop
.0040D3B7: C20C00 retn 0000C
.0040D3BA: 6800000000 push 000000000
.0040D3BF: C3 retn
Step 12. Ok, good so far. Let's goto 40E100 (press F5, type 4D00), let's
insert Patch Instructions. Press F3, then TAB, then type the following:
mov d, [004057F9], 090909090
mov b, [004057FD], 090
push 00405A34
ret
After saved with F9, we get like this:
.0040E100: C705F957400090909090 mov d,[004057F9],090909090
.0040E10A: C605FD57400090 mov b,[004057FD],090
.0040E111: 68345A4000 push 000405A34
.0040E116: C3 retn
Ok, lemme explain what the fuck is what:
You remember we did 5 bytes to remove the messagebox? So we can only move a
maximum of 4 bytes at a time, so that's why we first move 4 bytes, then
finally the last 1 byte.
mov d, [location], 0xxxxxxxx : d = double word = 4 bytes
mov w, [location], 0xxxx : w = word = 2 bytes
mov b, [location], 0xx : b = byte = 1 byte
See? Good, also remember if you want to store 2 bytes into a certain
location example: EB 10, you type: mov w, [location], 010EB
Notice that the order of bytes is reversed, as the last byte will be stored
first. Let's say for example in 7 bytes: C6 05 95 76 40 00 01, we do then:
mov d, [location], 0769505C6 <--- It's better to insert 0 in front,
mov w, [location], 00040 otherwise it'll be refused.
mov b, [location], 001
Ok, we typed in Crackme above as we did:
mov d, [004057F9], 090909090 <--- first 4 bytes
mov b, [004057FD], 090 <--- last 1 byte
push 00405A34 <--- we push the real OEP (remember we found OEP?)
retn <--- we go back to 40D3B7.
Step 13. Now close HIEW and try run Crackme....see? It runs good, we did it!!
Note: I know there are few tutors on Inline Patch out there, but as you know
me, I try my best to teach in easy way to learners ;) Of course the credits
goto all the crackers that did in their tutorials. So I really hope this
tutorial helps a lot to you learners! Also watch out for next tutorial how to
do Inline Patch on ASProtect. You can sleep now, don't worry and fear! ;)
Enjoy it, tKC....................tkc@reaper.org
