===================================================================================
=============================== patching Shrinker =================================
===================================================================================
Knowledge is Power!
===================================================================================
================================= introduction! ===================================
===================================================================================
I am going to try to teach you how to patch a file packed with Shrinker 3.x. How many times have you come across a program that you NEEDED to patch, only to find out it has been packed with 'Shrinker'? It's not nice asking people to 'Unpack the target with DeShrink, and then run our patch...'. Why bother, when we can use Shrinker's own unpacking code: take the jump to the start of the original code and point it at our patch instead, patch the code in memory, then return execution to the original program.
tHE IDEA OF THIS TUTORIAL IS NOT TO TEACH CRACKING, BUT PATCHING A PACKED FILE
Xceed Absolute Packager 1.1 (Target Program, Packed with Shrinker 3.4?)
(Free trial version)
Get it at: http://www.xceedsoft.com/absolute
Right then, I assume knowledge of SoftICE, and with this comes knowledge of asm and knowledge of cracking.
Absolute Packager has a NAG screen every time it is loaded, stating 'X Days left for evaluation, I understand that I may use the program for evaluation purposes only', with Agree/Help/Quit buttons. Every package you create has a Nag as well, stating it was 'Created with the Free Trial Version, and all packages created with the Free Trial Version will display this Nag', and there are several text reminders that it's a 'Free Trial Version'. The 30 day trial doesn't work, i.e. it still works after the trial has ended, but we're gonna kill this Nag & the Nag in the packages we create anyway.
Before we do begin, get your pen & paper ready and let's write down some variables. We need two file offsets, one for the DEP (Depacker Exit Point) & the other for our iMP (Inline Memory Patch). Do it like this (this is VERY important if you want to follow along).
We want to find the exit point of the unpacker code, which will give us the original entry point of the program, before it was compressed with Shrinker. Loading absolute.exe into SoftICE's symbol loader doesn't work: instead of SoftICE breaking on the first instruction, the damn thing just runs.
Heh, get ProcDump loaded, select the PE-Editor function, load absolute.exe. We can see that the Entry Point is '0015654B'. Select sections, and lOOk for the section whose Virtual Offset is nearest below the Entry Point; you will find it to be the '.load' section, starting at RVA '00155000'. '.load' + 154B = Entry Point! The file Offset of this section is '00002800'; add 154B = 3D4B, the file offset of the Program Entry Point. (did you follow that??)
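The RVA-to-file-offset walk above is what ProcDump does for you behind the PE-Editor. As an added example (not part of the original tutorial, and not ProcDump's code), here is the same section-table arithmetic in Python, run against a constructed PE32 header that carries the page's numbers, plus the "entry point sits in the last section" check analysts use as a first packer tell. The section layout, the extra '.text' section and ImageBase 0x400000 (consistent with the 0055665E break address later in the text) are assumptions.

```python
import struct

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe() -> bytes:
    """Constructed sample: a minimal PE32 header with the numbers the tutorial
    reads off ProcDump (entry 0x15654B, '.load' at RVA 0x155000 / raw 0x2800).
    Not a real binary; only the header fields the walk below needs are set."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    sections = [
        # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        (b".text", 0x1000, 0x1000, 0x1000, 0x400),       # assumed
        (b".load", 0x2000, 0x155000, 0x2000, 0x2800),    # from the page
    ]
    opt_size = 224                                       # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, 0x15654B)            # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)            # ImageBase (assumed)
    hdrs = b"".join(
        struct.pack(SECTION_HDR, n.ljust(8, b"\0"), vs, va, rs, raw, 0, 0, 0, 0, 0)
        for n, vs, va, rs, raw in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


def parse_pe(data: bytes):
    """Return (entry_rva, image_base, sections) from a PE32 image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    base = struct.unpack_from("<I", data, opt + 28)[0]   # PE32 layout only
    sections = []
    for i in range(nsect):
        name, vsize, va, rsize, raw = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw": raw, "rsize": rsize})
    return entry, base, sections


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset via the section table, as done by hand in
    the tutorial. None if the RVA is not backed by bytes on disk."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
            delta = rva - s["va"]
            return s["raw"] + delta if delta < s["rsize"] else None
    return None


def offset_to_rva(sections, offset):
    """Inverse mapping: which RVA a file offset is loaded at."""
    for s in sections:
        if s["raw"] <= offset < s["raw"] + s["rsize"]:
            return s["va"] + (offset - s["raw"])
    return None


def entry_point_section(sections, entry_rva):
    """(name, is_last_section) for the section holding the entry point.
    An entry point in the last section rather than the first code section
    is the classic packer tell; here it lands in '.load'."""
    for i, s in enumerate(sections):
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rsize"]):
            return s["name"], i == len(sections) - 1
    return None, False


if __name__ == "__main__":
    entry, base, secs = parse_pe(build_sample_pe())
    print(f"entry RVA {entry:08X} -> file offset {rva_to_offset(secs, entry):X}")
    print(f"file offset 3E5E -> VA {base + offset_to_rva(secs, 0x3E5E):X}")
    print("entry point section:", entry_point_section(secs, entry))
```

The same function gives the VA that SoftICE later reports: file offset 3E5E maps to RVA 15665E, which with the assumed base is 0055665E, the address where the int 03 placed at OFFSET#1 fires.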
Hex Edit absolute.exe, goto offset 3D4B, and change the '83' to a 'CC' (int 03).
Enter softice, type in 'bpint 03', hit F5
Run Absolute.exe
Softice will break here
type in 'e eip 83' to replace the 'int 03' with the proper instruction code
Start tracing the code with F10, trying to remember what calls do what :) (you'll see).
When you execute this call, the programs runs...
So run the program again, replace the 'CC' with '83', start tracing again, F10 until you get to the call where the program ran, then step into it with F8.
Carry on tracing with F10.
After tracing for a while, the program runs again, after trying to step over a call [ebp-24]:-
So there you go, a lesson in tracing through decompressor code, to find the Depacker Exit Point 'DEP' and the Program Entry Point 'PEP'. With these addresses, we're set to patch this mother!
Hex Edit Absolute.exe again, goto offset 3D4B, and change the 'CC' back to the original '83'. Search for the 'push [ebp+08], call [ebp-24]' pair, 'FF7508FF55DC'; it turns up at Offset 3E5E (write this down, OFFSET#1). Change the first 'FF' to a 'CC'. We need to change this code to jump to our own code, instead of running the program. A jump takes up 5 bytes, so we have to overwrite both these instructions; don't worry though, because after patching the memory with our inline code, we can execute the two instructions we replaced.
Whilst you have absolute.exe loaded in your hex editor, just look through the file for some space around the unpacker code, to place our own patch code. There are plenty of places.. I chose offset 26C0 (write this down, OFFSET#2), just after the imports. Enter 'some text' here that we can search for in SoftICE, after it has unpacked the program. Save the file, and run it again..
0055665E CC int 03
OK, now search for the text you entered into the exe: type in s 0 l ffffffff 'some text', you should get 'Pattern found at 01xx:005548C0' and the text displayed in the data window. Type in 'a eip', to assemble instructions at the current Eip, type in 'jmp 5548C0', then hit escape. Copy down the instruction codes for the jump you just wrote, 'E95DE2FFFF'. Hit F5; Shrinker traps an exception. Well, we haven't written the rest of our code yet, have we? We still have to crack the program, then we can finish off our patch..
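SoftICE assembled 'E95DE2FFFF' for that jmp, and the earlier paragraph explains why both the 3-byte push and the 3-byte call under it must be relocated. As an added example (not part of the original tutorial), here is the arithmetic behind both points in Python: the rel32 encoding of an E9 jmp, its decoder (the direction an analyst works in when triaging a patched or hooked binary), and a check that a patch ends on an instruction boundary. The addresses 55665E and 5548C0 and the 3/3 instruction lengths come from the page; the function names are mine.

```python
import struct

JMP_REL32 = 0xE9   # x86 'jmp rel32' opcode; the instruction is always 5 bytes
JMP_LEN = 5


def encode_jmp_rel32(src_va: int, dst_va: int) -> bytes:
    """Bytes of a 'jmp dst' placed at src_va. The displacement is relative to
    the end of the 5-byte instruction and stored little-endian two's
    complement, which is why a short backwards jump ends in FF FF."""
    rel = dst_va - (src_va + JMP_LEN)
    if not -2**31 <= rel < 2**31:
        raise ValueError("target out of rel32 range")
    return bytes([JMP_REL32]) + struct.pack("<i", rel)


def decode_jmp_rel32(code: bytes, va: int) -> int:
    """Inverse: the target of an E9 jmp whose first byte sits at va."""
    if len(code) < JMP_LEN or code[0] != JMP_REL32:
        raise ValueError("not a jmp rel32")
    rel = struct.unpack_from("<i", code, 1)[0]
    return (va + JMP_LEN + rel) & 0xFFFFFFFF


def displaced_instructions(insn_lengths, patch_len=JMP_LEN):
    """(count, bytes) of whole instructions a patch_len-byte overwrite
    clobbers, starting at the first instruction. Anything the patch only
    partly covers must be relocated whole: push [ebp+08] and call [ebp-24]
    are 3 bytes each, so a 5-byte jmp displaces both (6 bytes, 1 byte of
    slack after the jmp that is never executed)."""
    covered, count = 0, 0
    for n in insn_lengths:
        if covered >= patch_len:
            break
        covered += n
        count += 1
    if covered < patch_len:
        raise ValueError("patch runs past the listed instructions")
    return count, covered


if __name__ == "__main__":
    jmp = encode_jmp_rel32(0x55665E, 0x5548C0)
    print(jmp.hex().upper())                      # E95DE2FFFF
    print(hex(decode_jmp_rel32(jmp, 0x55665E)))   # 0x5548c0
    print(displaced_instructions([3, 3]))         # (2, 6)
```

The same check explains the asm comment further down: the inline patch bytes 'C605FBC34600B8FF7508FF55DC' are 7 bytes for the mov plus the 6 relocated bytes, 13 in total.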
================================ data we have so far ==============================
===================================================================================
My way might be wrong, but it worked, so I'll tell you anyway... Basically, I keep tracing through the code with F10 until the Nag's popped up, remember the caller, run the prog again, then kill that call and test it to see if it still runs. If it doesn't, trace into it and try again; I find the right place eventually..
It's here:-
0046C3FB E8B09BFFFF call 00465FB0 (call Nag)
Well, this calls the Nag, then after clicking Agree returns you to SoftICE, so put a breakpoint on the call, and run the program again..
SoftICE breaks on the call; type in 'e eip b8', which will change it to a 'mov eax,xxxxxxxx', hit F5 to run the program. GodDamn!, it works! heh, too easy.
Our patch only has to change the byte at RVA 46C3FB to a 'b8', so lets do it..
Run the proggie again, this time putting in the jmp at the DEP, and stepping into it with F8.
when softice breaks, type in 'a eip', to assemble code at the current Eip.
type in 'jmp 5548C0', then hit escape.
Hit F8, were at location 5548C0 now?
type in 'a eip'
type in 'mov byte ptr [46C3FB], B8' (our iMP, Inline Memory Patch)
then replace the Packer Exit Point.
type in 'push dword ptr [ebp+08]'
type in 'call [ebp-24]', then hit escape..
dump the memory, by typing in 'pagein 5548C0 10 c:\imp.dat'
or write down all the instruction codes you just created..
'C605FBC34600B8FF7508FF55DC'
Hexedit absolute.exe again, then either copy & paste imp.dat into absolute.exe at OFFSET#2 26C0, or write in all the codes by hand.
goto OFFSET#1 3E5E, and write in the jump instruction codes, save it and run!
Cool, it works... now for killing the Nag in the Packages we create with it..
OK, now for a bit of ZEN cracking, as this tutorial is really to teach patching packed files, and not cracking as such...
well, upon disassembly of this dll, you can soon find this part of code...
:1000B1AF A1B08E0210    mov eax, dword ptr [10028EB0]   <-- some version flag
:1000B1B4 85C0          test eax, eax                   <-- check for zero
:1000B1B6 741C          je 1000B1D4                     <-- JumpifEqual to 'no NAG'
:1000B1B8 83F802        cmp eax, 00000002               <-- check for two
:1000B1BB 7417          je 1000B1D4                     <-- JumpifEqual to 'no NAG'
:1000B1BD 83F803        cmp eax, 00000003               <-- check if three
:1000B1C0 7417          je 1000B1D9                     <-- JumpifEqual to NAG #2

* Possible StringData Ref from Data Obj ->"This self-extracting zip file "
                                        ->"was created with the free trial "
                                        ->"version of the Xceed Zip Self-Extractor. "
                                        ->" It will only unzip itself on "
                                        ->"the same machine that it was created "
                                        ->"on. Registering your Xceed Zip "
                                        ->"Self-Extractor will remove this "
                                        ->"limitation."
                                        |
:1000B1C2 BE10480110    mov esi, 10014810               <-- NAG #1 (not ours)
:1000B1C7 8BFB          mov edi, ebx
:1000B1C9 B93D000000    mov ecx, 0000003D
:1000B1CE F3            repz
:1000B1CF A5            movsd
:1000B1D0 66A5          movsw
:1000B1D2 EB13          jmp 1000B1E7

* Possible StringData Ref from Data Obj ->"This self-extracting zip file "
                                        ->"was created with the free trial "
                                        ->"version of the Xceed Absolute "
                                        ->"Packager - the software that makes "
                                        ->"it easy to create powerful, fully "
                                        ->"customizable self-extracting zip "
                                        ->"files."
                                        |
:1000B1D9 BE08490110    mov esi, 10014908               <-- NAG #2 (the one we got :)

Change the test at 1000B1B4 to this:

:1000B1B4 33C0          xor eax, eax                    <-- zero eax (to force the jump)
:1000B1B6 741C          je 1000B1D4                     <-- JumpifEqual to 'no NAG'
comments, suggestions, questions welcome, write in the subject 'i love you :)'
risc_1@hotmail.com
risc@notme.com
;---------------------start of risc_abs.asm---------------------
; to build risc_abs.com
;
; tasm risc_abs
; tlink /t risc_abs
;
; (the listing as reproduced here is only a fragment: the file open and
;  read/write routine and the intro/error2/fileerror definitions are missing)

        .MODEL TINY
        .CODE
        .286
        ORG 100h
;_______________________________________________________________
filename  db "absolute.exe",0
filename2 db "xcdzip32.dll",0
PATCH1    db 0E9h,05Dh,0E2h,0FFh,0FFh   ; jmp 5548c0
; 13 bytes of code to apply to the file + another 5 for the jump to our code...
; then 1 more for the dll.
;_______________________________________________________________
main:
        mov  ah, 9              ; DOS print string: title
        lea  dx, intro          ; dx = offset of text
        int  21h
        mov  bx, ax             ; bx = file handle (returned by the open call)
        mov  ax, 4202h          ; DOS lseek, origin = end of file
        xor  cx, cx             ; cx:dx = 0, so dx:ax comes back as the file size
        xor  dx, dx
        int  21h
        ; int 03 : aw! our friend (cc)
        cmp  ax, 04643h         ; expect size 000A4643h: low word
        jne  badsize
        cmp  dx, 0ah            ; high word
        jne  badsize
sizepassed:
        jmp  fileerror
stillOk:
badsize:
        mov  ah, 9              ; print to screen
        lea  dx, error2         ; message
        int  21h
        mov  ax, 4C01h          ; exit with errorlevel 1
        int  21h
        end  main
;-----------------------end of risc_abs.asm---------------------
Some packers restrict patching memory directly somehow, probably by making the process read only (I'm not really very clued up on Win95 memory handling), so you can trace through the (un)packer code to find the exit point, but if you try patching the memory like I showed you here, you can get a fatal exception (one of those horrible blue screens, or a regular GPF). These packers need handling in a different way: you have to import some of your own functions, then open the process with read & write access, then use WriteProcessMemory to apply your patch. It's not as hard as it sounds.. lOOk oUT for my next tutorial on packed files, "Patching Neolite", as this is one of those packers that annoys me, and has a hidden catch for the cracker, but, as said somewhere before, "We always get what we want!"
Get my fULL cRACK for Xceed Absolute Packager, use astalavista to search for it..
http://astalavista.box.sk
p.s.
Take a look at the ProcDump script if you want to learn about Shrinker 3.2 or 3.3 exit points; I think they're right (you really should trace through them yourself though, it's good experience for you..)
===================================================================================
================================= (c) R!SC 1999 ===================================
===================================================================================