DAYO Accounting, Windows v7.03

http://www.dayo.com - Webpage (12.7Mb).

Greetings fellow reverse engineers and welcome to a slightly different tutorial. I'm going to use DAYO as a target to show how we can overcome a very easy protection with an in-memory patcher. The individual stages are shown below; I urge you to follow them and then experiment by making patchers for other programs, and by all means send them to me.

DAYO's protection is of the "insert serial number" variety which we've seen all too often, and it's pretty easy to crack generically: the file dayo.dat could probably be distributed to any loser who cares to stumble upon it, and the program could also be very easily patched. Logging in to DAYO you'll be confronted with the nag box, a serial number is required, and you might just take time to note the presence of the clock and date. I didn't verify this theory, but I'd guess it's a fairly safe assumption that the serial number is determined using at least the current date, as the idea is that you unlock this application via telephone.

Finding your own good code is very easy: just a bpx Hmemcpy and 12 or so F12's will put you at this code.

:004CC7DF MOV EDX, [EBP-01F0] <-- Code entered.
:004CC7E5 MOV EAX, [EBP-14] <-- Good_code.
:004CC7E8 CALL 00403E80 <-- Compare.
:004CC7ED JNZ 004CC860 <-- Jump_bad_guy.

I won't explain this; needless to say, NOP-ing or reversing the JNZ is good enough to work permanently. As I remarked earlier, we could probably distribute a cracked dayo.dat or a crack of the JNZ to lamers everywhere, but let's use a more elegant and somehow less intrusive approach, the in-memory patcher. The idea is simple: our patcher will first request an appropriate time from the user to apply the patch (i.e. at the "please insert serial" dialog), then modify DAYO's code in memory with our own.

For this task I must credit and thank Stone (via Matt Pietrek's book) for the following template source code; I'm currently working on GUI-ifying a version of this because I am so taken with the subject matter. All you need to do is calibrate the following ASM source code to your own specific target's behaviour. So with DAYO I set the following parameters.

Nameofwin - "Registration Code Entry" <-- Name of the target window.
From_Here - "db 90h, 90h,0" <-- This is obviously 2 NOP's to patch away the JNZ.
HowManyToPatch - "db 2" <-- 2 bytes.
PatchThisOff - "dd 004CC7EDh" <-- Address of the evil JNZ.

I also inserted a debug int 3 into the code so that you can assemble it and then watch how the program works inside SoftICE. The source code is compiled using TASM5; the makefile looks as follows.

C:\full_path_to_tasmdir\tasm32 /ml /m3 /z /q filename (asm extension not required).
C:\full_path_to_tasmdir\tlink32 -x /Tpe /ap /c filename,filename,, import32.lib

Thus we now have a working in-memory patcher (sadly only guaranteed to be compatible with Windows 95), but nevertheless very effective. The obvious advantage of this approach is that any changes we make are not permanent (they are only applied as and when we need them); in this example the benefits/differences are non-existent, but with other more sensitive applications an in-memory approach (say a complex key generator) might be the way to go.
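Seen from the other side, the weakness the patcher relies on is that DAYO never checks whether its own code is still the code that was loaded from disk. The following is an added example, not part of the original tutorial and not Stone's template, showing the kind of runtime self-integrity check a protected program can run over a critical code region to notice a two-byte NOP overwrite like the one described above. The byte encoding of the four instructions was assembled by hand from the listing's mnemonics and addresses (short JNZ 75 71, CALL rel32) and is an assumption, not a dump of the real dayo binary; the names REGION_BASE, ORIGINAL_REGION, verify_region, find_patches and simulate_in_memory_patch are all invented for this example.

```python
# Added example: runtime self-check of a code region against a build-time
# digest, detecting an in-memory patch. Not code from the original tutorial.
import hashlib

# Address the region is assumed to start at (first line of the listing).
REGION_BASE = 0x004CC7DF

# Constructed stand-in for the code region as it exists on disk. Encoding is
# derived by hand from the listing's mnemonics; assumed, not dumped from DAYO.
ORIGINAL_REGION = bytes.fromhex(
    "8B9510FEFFFF"   # 004CC7DF  MOV EDX, [EBP-01F0]
    "8B45EC"         # 004CC7E5  MOV EAX, [EBP-14]
    "E89376F3FF"     # 004CC7E8  CALL 00403E80 (rel32 from 004CC7ED)
    "7571"           # 004CC7ED  JNZ 004CC860  (rel8 from 004CC7EF)
)


def region_digest(region: bytes) -> str:
    """SHA-256 of the region; the expected value would be computed at build time."""
    return hashlib.sha256(region).hexdigest()


EXPECTED_DIGEST = region_digest(ORIGINAL_REGION)


def verify_region(observed: bytes, expected_digest: str = EXPECTED_DIGEST) -> bool:
    """True if the region currently in memory still matches the build-time digest."""
    return region_digest(observed) == expected_digest


def find_patches(expected: bytes, observed: bytes, base: int):
    """Locate each contiguous run of differing bytes.

    Returns a list of (address, original_bytes, observed_bytes) tuples so a
    mismatch can be reported with the exact address that was overwritten.
    """
    patches = []
    n = min(len(expected), len(observed))
    i = 0
    while i < n:
        if expected[i] == observed[i]:
            i += 1
            continue
        start = i
        while i < n and expected[i] != observed[i]:
            i += 1
        patches.append((base + start, expected[start:i], observed[start:i]))
    return patches


def simulate_in_memory_patch(region: bytes, offset: int, new_bytes: bytes) -> bytes:
    """Constructed stand-in for the effect of an in-memory overwrite on a copy of the region."""
    return region[:offset] + new_bytes + region[offset + len(new_bytes):]


if __name__ == "__main__":
    # Two NOPs written over the JNZ at 004CC7ED, as the tutorial's parameters describe.
    patched = simulate_in_memory_patch(ORIGINAL_REGION, 0x004CC7ED - REGION_BASE, b"\x90\x90")
    print("clean image ok:", verify_region(ORIGINAL_REGION))   # True
    print("patched image ok:", verify_region(patched))         # False
    for addr, old, new in find_patches(ORIGINAL_REGION, patched, REGION_BASE):
        print(f"modified at {addr:08X}: {old.hex()} -> {new.hex()}")
```

Two caveats a practitioner should keep in mind. First, the check only catches a patch that is already applied when it runs; the patcher above deliberately waits for the registration dialog before writing, so a single check at start-up would pass and the verification has to cover the moment the comparison at 004CC7E8 is actually made. Second, the check is itself code in the same process, so a patcher can overwrite the check as easily as the JNZ; a digest comparison raises the cost of tampering but does not remove the possibility.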


© 1998 CrackZ. 4th November 1998.