process -> dump. Save lại bằng tên mới là unpacked.exe. Để tiện code loader sau này, đề nghị del file crackme.exe cũ và rename unpacked.exe thành crackme.exe.
2 Analyze
; Serial-check routine of the crackme (OllyDbg listing). The arguments for this
; first CALL are pushed above 00401714, outside this excerpt.
; [407200] is a one-byte state flag written at 0040171B and 00401757.
00401714 E8 DB110000 CALL unpacked.004028F4          ; callee leaves the flags that the next JNZ tests
00401719 75 07 JNZ SHORT unpacked.00401722           ; "not equal" -> skip the store below
0040171B C605 00724000 >MOV BYTE PTR DS:[407200],1   ; state := 1 when the first check passed
00401722 > 31C0 XOR EAX,EAX
00401724 A0 00724000 MOV AL,BYTE PTR DS:[407200]     ; EAX := state byte (zero-extended via the XOR above)
00401729 85C0 TEST EAX,EAX
0040172B 75 05 JNZ SHORT unpacked.00401732           ; state != 0 -> skip the call
0040172D E8 B2110000 CALL unpacked.004028E4          ; reached only when state == 0
00401732 > 31C0 XOR EAX,EAX
00401734 A0 00724000 MOV AL,BYTE PTR DS:[407200]
00401739 83F8 01 CMP EAX,1                           ; result unused: no conditional jump follows
0040173C 31C0 XOR EAX,EAX
0040173E A0 00724000 MOV AL,BYTE PTR DS:[407200]
00401743 83F8 02 CMP EAX,2                           ; result unused as well
00401746 68 00714000 PUSH unpacked.00407100          ; buffer at 407100 (presumably the user's input; not shown here - verify)
0040174B 68 87614000 PUSH unpacked.00406187 ; ASCII 1E,"LeVuHoang is a smartest boy :D" -- leading byte 1E = 30 = string length, i.e. a length-prefixed (ShortString-style) constant
00401750 E8 9F110000 CALL unpacked.004028F4          ; same routine as at 00401714; given the two pushed strings it presumably compares them and sets ZF - confirm
00401755 75 07 JNZ SHORT unpacked.0040175E           ; "not equal" -> keep the current state
00401757 C605 00724000 >MOV BYTE PTR DS:[407200],2   ; state := 2 (overwrites the 1 stored at 0040171B)
0040175E > E8 81110000 CALL unpacked.004028E4
00401763 E8 7C110000 CALL unpacked.004028E4
00401768 68 00714000 PUSH unpacked.00407100 ; /Arg2 = 00407100
0040176D 68 A7614000 PUSH unpacked.004061A7 ; |Arg1 = 004061A7 ASCII 15,"LeVuHoang is a handsome boy :))"
00401772 E8 0D140000 CALL unpacked.00402B84 ; \unpacked.00402B84 -- returns a value in EAX
00401777 85C0 TEST EAX,EAX                           ; sets SF/ZF for the signed JLE that follows at 00401779
00401779 7E 57 JLE SHORT unpacked.004017D2
; Final gate: state byte must be exactly 1. Note that a match at 00401757 sets
; it to 2, so the path below is taken only when the first check passed and the
; second did not (and EAX > 0 after 00402B84).
0040177B 31C0 XOR EAX,EAX
0040177D A0 00724000 MOV AL,BYTE PTR DS:[407200]     ; EAX := state byte
00401782 83F8 01 CMP EAX,1
00401785 75 4B JNZ SHORT unpacked.004017D2           ; state != 1 -> "bad boy" block at 004017D2
; fall-through: "good boy" block
00401787 8D3D 70744000 LEA EDI,DWORD PTR DS:[407470]
0040178D 897D FC MOV DWORD PTR SS:[EBP-4],EDI        ; [EBP-4] := 407470 (reloaded several times below)
00401790 68 BE614000 PUSH unpacked.004061BE ; ASCII 10,"Ops, good boy :p"
00401795 8B7D FC MOV EDI,DWORD PTR SS:[EBP-4]
00401798 57 PUSH EDI                                 ; 407470
00401799 31FF XOR EDI,EDI
0040179B 57 PUSH EDI                                 ; 0
0040179C E8 A3100000 CALL unpacked.00402844          ; (string, 407470, 0) - the same three-argument pattern precedes every message in this routine
004017A1 8B7D FC MOV EDI,DWORD PTR SS:[EBP-4]
004017A4 57 PUSH EDI ; /Arg1
004017A5 E8 EA0F0000 CALL unpacked.00402794 ; \unpacked.00402794
004017AA 68 87174000 PUSH unpacked.00401787
; 00402804 is called with a code address pushed as its argument each time
; (here the address of the good-boy block); its purpose is not visible in this
; excerpt.
004017AF E8 50100000 CALL unpacked.00402804
004017B4 8D3D C0764000 LEA EDI,DWORD PTR DS:[4076C0]
004017BA 897D FC MOV DWORD PTR SS:[EBP-4],EDI
004017BD 57 PUSH EDI                                 ; 4076C0
004017BE E8 51140000 CALL unpacked.00402C14
004017C3 68 B4174000 PUSH unpacked.004017B4
004017C8 68 31184000 PUSH unpacked.00401831          ; pushed last, so it is what 00402804's RETN will pop
004017CD E9 32100000 JMP unpacked.00402804           ; tail jump: execution resumes at 00401831, skipping the bad-boy block below
004017D2 > 8D3D 70744000 LEA EDI,DWORD PTR DS:[407470]  ; "bad boy" block: target of the JLE at 00401779 and the JNZ at 00401785
004017D8 897D FC MOV DWORD PTR SS:[EBP-4],EDI
004017DB 68 D0614000 PUSH unpacked.004061D0 ; ASCII 0F,"Ops, bad boy :p"
004017E0 8B7D FC MOV EDI,DWORD PTR SS:[EBP-4]
004017E3 57 PUSH EDI                                 ; 407470
004017E4 31FF XOR EDI,EDI
004017E6 57 PUSH EDI                                 ; 0
004017E7 E8 58100000 CALL unpacked.00402844          ; same (string, 407470, 0) call as on the good-boy path
004017EC 8B7D FC MOV EDI,DWORD PTR SS:[EBP-4]
004017EF 57 PUSH EDI ; /Arg1
004017F0 E8 9F0F0000 CALL unpacked.00402794 ; \unpacked.00402794
004017F5 68 D2174000 PUSH unpacked.004017D2
004017FA E8 05100000 CALL unpacked.00402804          ; called with the bad-boy block address pushed before it; purpose not visible here
004017FF 8D3D 70744000 LEA EDI,DWORD PTR DS:[407470]  ; start of the "Try again" message block
00401805 897D FC MOV DWORD PTR SS:[EBP-4],EDI
00401808 68 E1614000 PUSH unpacked.004061E1 ; ASCII 0C,"Try again "
0040180D 8B7D FC MOV EDI,DWORD PTR SS:[EBP-4]
00401810 57 PUSH EDI                                 ; 407470
00401811 31FF XOR EDI,EDI
00401813 57 PUSH EDI                                 ; 0
00401814 E8 2B100000 CALL unpacked.00402844          ; same (string, 407470, 0) call as for the other messages
00401819 8B7D FC MOV EDI,DWORD PTR SS:[EBP-4]
0040181C 57 PUSH EDI ; /Arg1
0040181D E8 720F0000 CALL unpacked.00402794 ; \unpacked.00402794
00401822 68 FF174000 PUSH unpacked.004017FF          ; address of the "Try again" block, as for the earlier 00402804 calls
00401827 E8 D80F0000 CALL unpacked.00402804
0040182C E8 D3030000 CALL unpacked.00401C04          ; bad-boy path only; the good-boy path re-enters at 00401831
00401831 E8 DE140000 CALL unpacked.00402D14          ; common exit (return target pushed at 004017C8)
00401836 C9 LEAVE
00401837 C3 RETN
Điều chúng ta mong muốn là cho nó nhảy tới Good boy khi ta nhập sai. Quá đơn giản, chỉ cần patch hai chỗ:
00401779 7E 57 JLE SHORT unpacked.004017D2
00401785 75 4B JNZ SHORT unpacked.004017D2
Đổi 7E57 thành 7F57 và 754B thành 744B tại hai địa chỉ 401779 và 401785.
3 Tạo loader
Nếu bạn chỉ cần patch mem thôi thì tới đây chỉ cần dùng DZA Patcher, nhập vào 2 RVA là 401779, 401785 để nó tạo loader cho bạn. Nhưng mục đích của chúng ta là tự tạo loader.
Okie, bây giờ mở Delphi ra! Chọn New -> New Console Application -> Lưu lại với tên hvaloader.dpr -> Nhập đoạn code sau đây!
// -
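// Loader for the crackme: starts crackme.exe suspended, checks that the two
// patch sites still hold the original opcode bytes, writes the replacement
// bytes, then resumes the main thread.
// The patch sites are absolute virtual addresses taken from the disassembly
// (image base 00400000); the loader only works while the image is actually
// loaded at that base, i.e. not relocated.
program Loader_for_LVHcrackme;
uses
Windows, Messages;
var
si : Startupinfo;              // NOTE(review): the body passes si to CreateProcess without setting si.cb;
                               // Win32 documents cb = sizeof(si) as required - set it before the call
pi : Process_Information;
NewData1 : array[0..1] of byte = ($7F,$57);   // 401779: 7E 57 (JLE) -> 7F 57 (JG)
NewData2 : array[0..1] of byte = ($74,$4B);   // 401785: 75 4B (JNZ) -> 74 4B (JZ)
NewDataSize1 : DWORD;          // set to sizeof(NewData1) in the body
NewDataSize2 : DWORD;          // set to sizeof(NewData2) in the body
Bytesread : DWORD;             // out-parameter of Read/WriteProcessMemory; its value is not checked by the body
OldData1 : array[0..1] of byte;   // 2 bytes. NOTE(review): the ReadProcessMemory call requests 4 bytes into
                                  // this buffer, which overruns it - pass sizeof(OldData1) instead
OldData2 : array[0..1] of byte;   // 2 bytes; same 4-byte read issue as OldData1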
begin
NewDataSize1 := sizeof(newdata1);
NewDataSize2 := sizeof(newdata2);
If CreateProcess(nil,'crackme.exe',nil,nil,FALSE,
Create_Suspended,nil,nil,si,pi) = true then
begin
ReadProcessMemory(pi.hprocess,Pointer($401779),@OldData1,4,bytesread);
ReadProcessMemory(pi.hprocess,Pointer($401785),@OldData2,4,bytesread);
if (olddata1[0] = $7E) and (OldData1[1] = $57)and(OldData2[0] = $75) and (OldData2[1] = $4B) then
begin
WriteProcessMemory(pi.hProcess, Pointer($401779), @NewData1,
NewDataSize1, bytesread);
WriteProcessMemory(pi.hProcess, Pointer($401785), @NewData2,
NewDataSize2, bytesread);
ResumeThread(pi.hThread);
CloseHandle(pi.hProcess);
CloseHandle(PI.hThread);