Reverse Engineering and Memory Patching
FOREWORDS
Hello all mates,
My internet connection has been lost for a couple of weeks, so I can't surf the web, play online games, or chat
with my friends (also my lovely girlfriend, haha). In these boring days, I spent most of my time playing with
.NET reversing. Well, no big success so far, because my skill is poor. But I thought it would be more
fun to write a tutorial, so I created this one. Maybe it's not new, but I hope it will be
useful for someone. And also sorry about my bad English, too.
In this tutorial, I will show you the way to create a loader for a .NET crackme (which I created myself).
About the "loader", I'm sure you guys know about it. In the native application world, the loader is very
popular. In .NET, people know about it, but (I think) no one uses it. With a native app (non-.NET), we
have many tools that can be used to create a loader, e.g. dUP, uPPP, and many more. All of them are
very easy to use, so they're suitable for everyone, from rookies to experts. In .NET, the structure of the executable
file is different, and we also don't have a cool utility like dUP, so we have to make a loader by hand (I
mean by programming it). In .NET, coding a loader is not hard, because we have the power of the .NET
Framework. It just needs a bit of time and we will get the right result.
Things we need:
When I entered my name in the textbox and clicked the "Register me" button, the label at the bottom
showed a badboy message. Because we're discussing making a loader, this crackme is not
packed/obfuscated, so we can easily browse the code. Load this crackme into IDA:
Wait a bit; when IDA has fully loaded the file, look at the left side of IDA's main window. You will see this
panel:
There is a method named "RegbtnClick". This method is executed when we click the "Register me"
button in the crackme. We will analyze the code of this method to find out where the patch can be applied.
You can see in the picture that the badboy string is here, and with Graph View mode in IDA the
code is displayed very clearly. Navigate to the right and you will see something like this:
The goodboy message is here, and at the top there is a conditional branch that takes the value of a
variable named MyRegStatus (type Boolean); if MyRegStatus is true (brtrue.s), the program
shows the goodboy message.
At the bottom of this picture, you can see that I've marked a number (0x00000B31) with a red
rectangle. This is the file offset of the brtrue.s instruction. Now we can patch this crackme by going to this
offset and modifying the bytecode. There are many hex editors out there; in this tutorial I will use XVI to do
the patching. Open our crackme in XVI and go to the offset address we have (0x00000B31).
Choose it from the menu or simply press Ctrl+G. A new window appears; choose like this:
"Hexadecimal", then enter the offset address (don't delete the "$" symbol), and press OK. We will land
here:
Exactly what we're looking for: the opcode of "brtrue.s" is 0x2D, and "brfalse.s" is 0x2C, so I will
change 0x2D to 0x2C:
OK, patching done! Now save to a new file and test whether our patching method works.
Open SharpDevelop (or your IDE) and create a C# console project, like this:
File Program.cs
using System;
using System.IO;
using System.Reflection;
namespace loader_ex
{
    class Program
    {
        static void Main(string[] args)
        {
            try
            {
                byte[] image = File.ReadAllBytes("crackme.exe"); //file name is an assumption: use the name of your crackme
                image[0xB31] = 0x2C; //in-memory patch: brtrue.s (0x2D) -> brfalse.s (0x2C) at the offset found in IDA
                Assembly patched = Assembly.Load(image); //load the patched image; the file on disk is untouched
                object[] param = patched.EntryPoint.GetParameters().Length == 0 ? null : new object[] { new string[0] };
                patched.EntryPoint.Invoke(null, param); //invoke the main() method of the assembly
                Console.WriteLine("Process Ended..."); //print output to the screen
            }
            catch (Exception ex) //exception handler
            {
                Console.WriteLine(ex.Message);
            }
        }
    }
}
I have commented on every important line of code. You can find the source code in the archive of this tutorial.
After building successfully, you have to copy the crackme into the folder where you built the loader:
In my case, it's the /bin/Release folder under the project folder.
This method can also be applied to patch multiple bytes in a target. I haven't tested it with a packed/obfuscated
target yet, but you can give it a try. Very simple and fun, isn't it?
OK, it's time to end this journal and say goodbye to you...
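The loader above changes a single opcode in the in-memory copy only, so a self-check that hashes the executable on disk never notices it. As an added example (not part of the original tutorial and not the author's loader code), here is a small C# tool written from the verification side: it hashes two assembly images, compares them byte by byte, reports every changed offset, and names the opcode when the byte is one of the short branch opcodes discussed in the tutorial. With no arguments it runs on a constructed sample image; the file names, the helper names (CompareImages, OpcodeName, Sha256Hex) and the image size are my own assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;

namespace image_diff
{
    // One reported difference between the original and the patched image.
    struct Patch
    {
        public int Offset;
        public byte Before;
        public byte After;

        public override string ToString()
        {
            return string.Format("0x{0:X8}: 0x{1:X2} ({2}) -> 0x{3:X2} ({4})",
                Offset, Before, OpcodeName(Before), After, OpcodeName(After));
        }

        // Names for the short branch opcodes discussed in the tutorial; anything else is "?".
        static string OpcodeName(byte op)
        {
            switch (op)
            {
                case 0x2B: return "br.s";
                case 0x2C: return "brfalse.s";
                case 0x2D: return "brtrue.s";
                default:   return "?";
            }
        }
    }

    class Program
    {
        // Returns every offset (within the common length) at which the two images differ.
        // This reports multi-byte patches as well, one entry per changed byte.
        static List<Patch> CompareImages(byte[] original, byte[] patched)
        {
            var result = new List<Patch>();
            int common = Math.Min(original.Length, patched.Length);
            for (int i = 0; i < common; i++)
            {
                if (original[i] != patched[i])
                    result.Add(new Patch { Offset = i, Before = original[i], After = patched[i] });
            }
            return result;
        }

        // SHA-256 of an image as an uppercase hex string; two images match only if these match.
        static string Sha256Hex(byte[] data)
        {
            using (var sha = SHA256.Create())
                return BitConverter.ToString(sha.ComputeHash(data)).Replace("-", "");
        }

        static void Main(string[] args)
        {
            byte[] original, patched;
            if (args.Length == 2)
            {
                original = File.ReadAllBytes(args[0]);
                patched = File.ReadAllBytes(args[1]);
            }
            else
            {
                // Constructed sample (assumption, not a real assembly): a 0x1000-byte image with a
                // brtrue.s at offset 0xB31, and a copy where that byte was flipped to brfalse.s.
                original = new byte[0x1000];
                original[0xB31] = 0x2D;
                patched = (byte[])original.Clone();
                patched[0xB31] = 0x2C;
            }

            Console.WriteLine("original SHA-256: " + Sha256Hex(original));
            Console.WriteLine("patched  SHA-256: " + Sha256Hex(patched));
            if (original.Length != patched.Length)
                Console.WriteLine("length differs: " + original.Length + " vs " + patched.Length);
            foreach (Patch p in CompareImages(original, patched))
                Console.WriteLine(p);
        }
    }
}
```

Run it with the original and the patched file as arguments, or with no arguments for the constructed sample, where it reports the single byte at offset 0xB31 changing from 0x2D (brtrue.s) to 0x2C (brfalse.s) together with two different hashes. The practical point for a defender is where the hash is taken: checking the file on disk does not catch a loader that patches the bytes it hands to Assembly.Load, whereas checking the bytes the running code was actually loaded from does.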
LASTWORDS
I want to say "Thank you" to all REPT members – they're my brothers – for their hard work. I'm so
proud to be a part of the REPT family. Good job, brothers, and keep rocking the world!
I also want to send greetings to all REPT friends, and to all other cracking crews: Cin1, B@S, ARTeam, AT4RE,
REA, SnD, ... They're working hard and I highly appreciate it.
Also I wanna say "thanks and f*ck you" to all the guys who cut off my internet connection. If they hadn't
done that, this tutorial would not have been written. But I'm so bored without Internet, lol.
To my lovely girl, Michelle: "I love you more than I can say. Stay strong and I will come back to you
soon. I promise"
To my favorite girl band. Today is Kwon Yuri's birthday (she is a member of Girls' Generation):
"Happy birthday, BlackPearl. Wish you and your sisters in Girls' Generation all the best. Keep moving
forward and I will always be looking for your steps"
And finally, thank you for reading my tutorial. See you next time in a new one.
Dec 05 2013
Levis/Team REPT