This is the tutorial which helped me learn reverse engineering. Thank you Merlin
Note: wwdisp.exe is packed with the UPX packer. You can download the UPX packer by doing a Google search, because I can't post the URL here since it would violate forum rules. Then use the "upx -d wwdisp.exe" command from the DOS prompt to instantly unpack it without doing the manual unpacking explained below. But I still recommend that you get the idea of manual unpacking. Also, there is no need to use Hiew to do the binary editing, as it can be done in Olly; it's explained in the Perfect Keylogger tutorial. But since Hiew is a powerful and favourite hex editor, you had better know how to use it. Enjoy!
============================================================================
TITLE:
Patching Windows Washer v5.0
============================================================================
BEST VIEWED:
Notepad with word wrap enabled, and in restored window mode
============================================================================
TOOLS USED:
OllyDbg v1.09d(step 4)
Hiew v6.85
PEiD v0.91
Resource Tuner v1.93
Ollydump_v2.21b
LPE-DLX
imprec_v1.6_final
Brain (Preferably version human or above)
============================================================================
TARGET:
wwDisp.exe
============================================================================
LOCATION OF TOOLS AND PROGRAM:
-http://www.grinders.withernsea.com/tools/odbg109d.rar
-http://www.grinders.withernsea.com/tools/hiew685.rar
-http://www.grinders.withernsea.com/tools/ResTuner_v1.93.rar
-http://www.grinders.withernsea.com/tools/PEiD_v0.91.rar
-http://www.grinders.withernsea.com/tools/Windows_Washer_v5.0.rar
-http://www.grinders.withernsea.com/tools/Ollydump_v2.21b.rar
-http://www.grinders.withernsea.com/tools/LPE-DLX.rar
-http://www.grinders.withernsea.com/tools/imprec_v1.6_final.rar
============================================================================
v1.0 Written 4th of January 2004
============================================================================
AUTHOR AND OTHER ALIASES:
Merlin
============================================================================
LESSON 1: UNPACKING WEBWASHER MANUALLY AND PATCHING IT.
Unpack the OllyDbg plugin called OllyDump and put it in your OllyDbg plugin folder.
Load wwDisp.exe into Olly; we get an informative message telling us that our program may be compressed etc. Click OK and you will land here:
004A4230 > $ 60 PUSHAD
Right click and choose 'Appearance->Highlighting->Jumps'n'calls' to make things a tad clearer for us. Now press 'Alt+M' (Memory Map) and maximize the window (my preference). We are looking for a PE header, which will be shown in the 'Contains' column. Under the first PE header:
Memory map, item 15
Address=00400000
Size=00001000 (4096.)
Owner=wwDisp 00400000 (itself)
Section=
Contains=PE header
Type=Imag 01001002
Access=R
Initial access=RWE
You will see what the packer of this program is (UPX); you should see this if you are looking in the right place:
Memory map, item 16
Address=00401000
Size=0006E000 (450560.)
Owner=wwDisp 00400000
Section=UPX0
Type=Imag 01001002
Access=R
Initial access=RWE
Now we are looking for UPX1 (basically the end of the protection); it is directly underneath UPX0 and looks like this:
Memory map, item 17
Address=0046F000
Size=00036000 (221184.)
Owner=wwDisp 00400000
Section=UPX1
Contains=code
Type=Imag 01001002
Access=R
Initial access=RWE
So now we have the starting address of the UPX protection as well as the ending address: the starting address is 00401000 and the ending address is 0046F000. So what now? Well, we need to find a jump whose target is between 00401000 and 0046F000, so close the memory window. Now keep scrolling down until you find it; you should land here:
004A439C .-E9 D3EEFBFF JMP wwDisp.00463274
Set a breakpoint on it (F2) and hit F9 and you will land there; now press F8 and you will find yourself at the OEP (Original Entry Point). OEPs are recognizable by:
PUSH EBP
MOV EBP,ESP
Now what we do when we land here is dump this process. So click the Plugins menu and select 'OllyDump->Dump debugged process'. Take special notice of the 'Entry Point:' field of OllyDump: it should be A4230, and we want to change this to what is in the Modify box, which is 63274. Uncheck the box that says 'Rebuild Import'; we will rebuild the imports with ImpREC (Import REConstructor). Now click Dump and save the file as wwDisp_manually_unpacked.exe
Now we will rebuild the import table. To do this, load up ImpREC, then select wwDisp.exe from the drop-down menu of active processes. In the OEP box change 000A4230 to 00063274, click the 'IAT AutoSearch' button, then click the 'Get Imports' button, followed by the 'Fix Dump' button, and choose our dumped executable, which (if you followed the tutorial to a tee) is wwDisp_manually_unpacked.exe. If successful you will have an unpacked version of wwDisp.exe, named wwDisp_manually_unpacked.exe_,
and if so, well done.
Now, to round things off, we need to fix the base of our new unpacked executable, and to do this we will use a program called LordPE (LPE-DLX in the tools list). So launch LordPE, click the 'Rebuild PE' button, choose wwDisp_manually_unpacked.exe_ and voila! 8-D
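Below is an added Python example (not from Merlin's tutorial or from any of the tools listed) of the check that PEiD and the memory map walk above do by hand: it reads the PE section table, flags the UPX0/UPX1 pair, reports whether the entry point sits inside the UPX1 stub and gives the UPX0 range that a real OEP has to fall in. The header bytes are constructed to match the addresses in the memory map above, and the helper names are my own.

```python
import struct
def parse_pe_headers(data):
    """Return (image_base, entry_rva, [(name, vaddr, vsize), ...]) from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off, = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec, = struct.unpack_from("<H", data, pe_off + 6)       # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)  # SizeOfOptionalHeader
    opt_off = pe_off + 24                                    # optional header follows the COFF header
    entry_rva, = struct.unpack_from("<I", data, opt_off + 16)
    image_base, = struct.unpack_from("<I", data, opt_off + 28)
    sections = []
    for i in range(nsec):                                    # 40-byte section headers
        off = opt_off + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", data, off + 8)
        sections.append((name, vaddr, vsize))
    return image_base, entry_rva, sections
def upx_verdict(data):
    """None without a UPX0/UPX1 pair; otherwise where the stub and the unpacked code live."""
    base, entry_rva, sections = parse_pe_headers(data)
    by_name = {n: (va, vs) for n, va, vs in sections}
    if "UPX0" not in by_name or "UPX1" not in by_name:
        return None
    stub_va, stub_vs = by_name["UPX1"]
    code_va, code_vs = by_name["UPX0"]
    return {
        "packer": "UPX",
        "entry_va": base + entry_rva,
        # an entry point inside UPX1 is the decompression stub, not the program's own code
        "entry_in_stub": stub_va <= entry_rva < stub_va + stub_vs,
        # after the stub's final JMP the real OEP must land inside UPX0
        "code_range": (base + code_va, base + code_va + code_vs),
    }
def build_sample(entry_rva, sections, image_base=0x400000):
    """Constructed minimal PE32 headers for testing (hypothetical helper, not a real binary)."""
    pe_off, opt_size = 0x80, 224
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off)).ljust(pe_off, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0, 0, image_base).ljust(opt_size, b"\0")
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, 0, 0, 0, 0, 0, 0, 0xE0000000)
                    for n, va, vs in sections)
    return dos + b"PE\0\0" + coff + opt + hdrs
# Constructed from the tutorial's memory map: UPX0 at 00401000, UPX1 at 0046F000, entry 004A4230
WWDISP_LIKE = build_sample(0xA4230, [("UPX0", 0x1000, 0x6E000), ("UPX1", 0x6F000, 0x36000)])
PLAIN = build_sample(0x1000, [(".text", 0x1000, 0x5000), (".data", 0x6000, 0x1000)])
```

Run upx_verdict(WWDISP_LIKE) and the OEP the tutorial reaches, 00463274, falls inside the reported code_range while the packed entry 004A4230 is flagged as sitting in the stub.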
Ok, let's get straight down to business: open up wwdisp.exe (rename wwDisp_manually_unpacked.exe to wwdisp.exe, copy it into the Webwasher folder and select overwrite) and you'll see that we can only use this program for 30 days. Close down Web Washer, put your clock forward one year, re-launch the program, and a dialog window will pop up telling us that our trial has expired; click Close. Before we open wwdisp.exe in our debugger (Olly), let's just think for a second: what are our main ways of attacking this program? Well, it's a time trial, so the program must be getting some form of date/time and comparing it against something; the main ways a program does this are via these API calls:
GetTimeZoneInformation
GetSystemTime
GetFileTime
GetLocalTime
However, I know in advance that this is a much more complicated route than the one we are going to take. So what other methods do we have? Well, we'll know if we put our clock back to what it was, so move your clock back 1 year and relaunch wwdisp.exe; it now informs us that our program's protection system has been tampered with, or something along those lines. But how did the program know this? Simple really: it takes a file (usually created when the program was last used) and compares the date of that file with the current date. This goes through the API call 'FileTimeToLocalFileTime'.
Right, time to debug. Launch OllyDbg and, before we do anything else, to make things easier on ourselves, right click in Olly and select 'Appearance->Highlighting->Jumps'n'calls'. Now open up wwdisp.exe in Olly, and you will receive a message telling you that the program is packed etc. Choose No when asked if you want to debug (leaving Olly open but wwdisp closed in Olly). Open up PEiD (this program is great, it identifies what protection the program is using); once in PEiD, open wwdisp.exe from PEiD, and it tells us that UPX was used to pack the program. What now? Well, the trial version of Resource Tuner actually comes with a UPX unpacker DLL. So load up Resource Tuner and from within Resource Tuner open wwdisp.exe; once it has opened it will be unpacked, so save the file as "wwdisp_unpacked.exe". Go back to Olly and open the newly unpacked executable (wwdisp_unpacked). Right click and choose 'Search for->Name (label) in current module'; once there (my preference) right click and select 'Sort by->Name', scroll down to 'FileTimeToLocalFileTime', select it, then right click and choose 'Set breakpoint on every reference'. Now go back to the main Olly window and press F9 (to begin the debug process). You should find yourself here:
00408C4B |. E8 A0DFFFFF CALL <JMP.&KERNEL32.FileTimeToLocalFileT>; \FileTimeToLocalFileTime
Now, this method may not work every time for every time-trial program similar to Web Washer, but it's always worth a try. What we will do is keep pressing F8 (to step through the code) until we summon the error message. The line you eventually land on should be this one:
0046333F FF92 D8000000 CALL DWORD PTR DS:[EDX+D8] ; wwDisp_u.0044333C
Go back to Olly and let's have a look at the code where we are. Now let's get our bearings: we are currently at the address '0046333F'. Let's have a look at some nearby conditional jumps; the first one we see is, for some odd reason, not highlighted (remember we chose to highlight jumps'n'calls). The nearest conditional jump to where we landed is:
00463315 75 5A JNZ SHORT wwDisp_u.00463371
Take a closer look: we see that it is a JNZ, which means 'Jump if Not Equal', and we also see that it jumps to the address '00463371' in 'wwDisp'. On closer examination we realise that where it is jumping to, '00463371', is actually past where we landed, '0046333F'. So if we change this jump so that it always jumps (EB is an unconditional jump), then hopefully this will allow us to use Windows Washer as long as we would like.
Right, click the Close button on the Windows Washer dialog that appeared. Write down or remember (this is good practice) the address we want to change. Press 'Ctrl+F2' to restart the program in Olly. Press 'Ctrl+G' (Goto command), type 00463315, and we should land at the conditional jump we want to change. Now right click this line and choose 'Binary->Edit'; we want to change the 75 (JNZ) to EB (unconditional jump), so change 75 5A to EB 5A and hit 'OK'. Now keep pressing F9 until Windows Washer loads. Congratulations, it's now cracked.
Olly only makes changes to the program in memory, temporarily. Close down Olly. Before we make the changes permanent, back up wwdisp.exe. Once you have done that, launch Hiew (our hex editor) and work your way to wwdisp.exe. Ahhh! Look at all that gobbledygook! Press 'F4' (Mode) and choose Decode; ahh, much better. Press 'F5' (Goto) and type .00463315; you need the "." before the address because that is the syntax (in Hiew) for going to a virtual address rather than a file offset. Now press F3 (Edit), type EB, then press 'F9' and 'F10' to update and close.
LESSON 2: INLINE PATCHING A PACKED EXE:
Firstly, to understand this tutorial you need to have read my other two Windows Washer tutorials (Unpacking and Patching), which are located in the 'LOCATION OF TOOLS AND PROGRAM' section.
Secondly, what is inline patching? Basically, inline patching is patching the packed executable itself. What is this useful for? Well, let's say you patched the unpacked version; that's all very well, but if you wanted to release your crack it is going to be a lot bigger than if you had patched the packed version (inline patching), in which case you could create a small patch (say a couple of KB) that cracks the packed version.
Right then, let's get down to business. Open up wwDisp.exe in Olly and (if it's packed; make sure it is) you'll land at:
004A4230 > $ 60 PUSHAD
Now, to actually do inline patching (without damaging the program), we have to look for free space. To do this, go to the JMP that is under POPAD, which is:
004A439C -E9 D3EEFBFF JMP wwDisp.00463274
Directly underneath that is some free space (a bunch of zeros). Unfortunately there is some code underneath that, just 3 lines down, but below that again is the free space we will tamper with:
004A43B0 0000 ADD BYTE PTR DS:[EAX],AL
Now we are going to edit this line so that it makes (the conditional jump we changed in the patching tutorial):
00463315 75 5A JNZ SHORT wwDisp_u.00463371
become
EB 5A. To do this we simply left click 004A43B0, then right click and select 'Assemble'. This brings up a dialog box with the assembly code at the address we just right clicked. Delete it and type, without quotation marks, "MOV BYTE PTR DS:[463315],0EB" and click the 'Assemble' button. All that did was move (MOV) the byte (BYTE) EB (written 0EB; you put a 0 in front because it starts with a letter, and without it the assembler would read a name, not a number) into the address 00463315 ([463315]). Now the dialog box is still up, but for the address just below; delete what is in it and type, without the quotation marks, "JMP 463274", click the 'Assemble' button and then the 'Cancel' button. If you are wondering why we made that line JMP 463274: that is where 004A439C jumps to, and now we are going to change where 004A439C jumps to so that it goes to our newly edited code. So select and right click the address 004A439C, bring up the Assemble dialog and replace what's there with "JMP 4A43B0". That jumps to the start of our code change, which patches the program and then jumps on to the real program code.
To make these changes permanent, right click and choose 'Copy to executable->All modifications->Copy all', then right click in the new window that popped up, select 'Save file' and save it as whatever you like. Well done!! 8-)
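As an added Python example (not from the tutorial), here is the jump arithmetic Olly does for the addresses above, used the other way round: decoding the stub's final JMP and checking that it still lands in UPX0, which is how an inline-patched UPX stub shows up when a defender triages a binary. It handles only the E9/EB/7x encodings that appear on this page; the UPX0 bounds are the tutorial's memory-map values and the function names are my own.

```python
import struct
def jump_target(addr, code):
    """Decode the JMP/Jcc at `addr` for the encodings used on this page: E9 rel32,
    EB rel8 and the 7x rel8 conditional family. Returns (mnemonic, target)."""
    op = code[0]
    if op == 0xE9:                                # JMP rel32: target = next instruction + rel32
        rel, = struct.unpack_from("<i", code, 1)
        return "JMP", (addr + 5 + rel) & 0xFFFFFFFF
    if op == 0xEB or 0x70 <= op <= 0x7F:          # JMP SHORT / Jcc SHORT: 2-byte instruction + rel8
        rel, = struct.unpack_from("<b", code, 1)
        name = "JMP SHORT" if op == 0xEB else {0x74: "JE SHORT", 0x75: "JNZ SHORT"}.get(op, "Jcc SHORT")
        return name, (addr + 2 + rel) & 0xFFFFFFFF
    raise ValueError("not a jump opcode: %02X" % op)
UPX0 = (0x401000, 0x46F000)   # UPX0 section bounds from the tutorial's memory map
def stub_tail_ok(jmp_addr, code, code_range=UPX0):
    """True when the JMP following POPAD hands control to UPX0 as UPX built it;
    False when it has been redirected, e.g. into the zero padding after the stub."""
    name, target = jump_target(jmp_addr, code)
    return name == "JMP" and code_range[0] <= target < code_range[1]
```

The constructed tampered case in the test is the redirected tail the tutorial ends with, JMP 4A43B0 at 004A439C, which the check rejects because 004A43B0 lies in UPX1, not UPX0.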
Remember if you use the program buy it!
============================================================================
SHOUTZ AND GREETZ:
To Kyrstie, we've been nearly going out for a year now! 8-)
============================================================================