Code insertion
[Advanced lesson]

Subject: Cracking
Target: Code insertion
Author: BlackB
Date: 2000-04-03
Tools used: none
Difficulty (scale 1-5): 3

Before starting!
This essay is for knowledge purposes only!!
Software developers spend much time in making their programs. They live from the money we give them!
Please buy good software!!
I. What is it?
The title of this essay stands for itself: inserting code into a program. It consists of: finding a suitable place, inserting the code, calling the inserting code, returning to the orginal program.
II. What is it used for?
Most of the time it's used to add functionality to a program or to crack a packed program without unpacking it. You may wonder: "Why doing difficult code insertion when you can unpack the program and then crack it?". Well, because most packed .exe files become quite big and it would take too much time (on slow connections) to upload/download the whole program, in comparison to a < 5 KB crack.
III. How does it work?

Imagine we have this packed program called packed.exe. You have found out that at offset 415000 there's a registered-or-not-jump that has to be NOP-ed out. As the program is packed, it 's impossible to do that in a hex editor as you will just NOP out important, compressed data. Anyway, first of all we have to find empty space in the .exe file which we can use to add our own code. Just scroll around in a hex-editor and search for "00" or "90" as hex values. Please be warned that you don't use empty space that is used to write unpacked code to. You may have to give it a few tries before you 've found a suitable place to add your code. Okay, now before we let the program jump to our own inserted routine, the program gotta be fully unpacked. Therefore we have to find the end of the unpacking routine. (if you can't find this, or you don't know what i'm talking about, read Volatility's essay on manually unpacking!). When you've found the end of the unpacking routine, you have to insert a jump to your inserted code. At the end of your inserted code: jump back. You can also put a call at the end of the unpacking routine and put a 'ret' at the end of your inserted code. Hmmmm, I can imagine that if you're a beginner cracker this all can sound pretty confusing.
Try to follow this scheme:

[original code]
...end of unpacking routine...
push 401000
pop esi
ret

[modified code]
...end of unpacking routine...
jmp 42000 ;jump to an empty location you've found (note that 42000 is a bogus value!)
pop esi
ret
....
....
42000: push 401000 ;we used this instruction for our jump, so don't forget to insert it here!
push eax ;push ALL registers you will use in your inserted code!!
mov al, 90 ;put the hex value for NOP in al
mov byte ptr [00415000], al ;clear out the registered-or-not-jump
mov byte ptr [00415001], al ;same here, for the second byte of the jump
pop eax
jmp back ;with 'back'= the offset of the 'pop esi' instruction


That's it!

IV. In the end

Voilą, this was the easy part. More difficult is finding the protection of the program! Because (don't forget) you can't use a disassembler. That way you'll have to do everything with SoftICE. The best example I can give is my tutorial on ACDSee 3.0. Go and read it!

Greets

BlackB

Endnote:
Essay written by The Blackbird © 1999-2000
This essay can be freely distributed/ published/ printed etc... as long as no modifications are made.