process > dump. Save lại bằng tên mới là unpacked.exe. Để tiện code loader sau này đề nghị del file crackme.exe cũ và rename unpacked.exe thành crackme.exe. 2. Analyze 00401714 . E8 DB110000 CALL unpacked.004028F4 00401719 . 75 07 JNZ SHORT unpacked.00401722 0040171B . C605 00724000 >MOV BYTE PTR DS:[407200],1 00401722 > 31C0 XOR EAX,EAX 00401724 . A0 00724000 MOV AL,BYTE PTR DS:[407200] 00401729 . 85C0 TEST EAX,EAX 0040172B . 75 05 JNZ SHORT unpacked.00401732 0040172D . E8 B2110000 CALL unpacked.004028E4 00401732 > 31C0 XOR EAX,EAX 00401734 . A0 00724000 MOV AL,BYTE PTR DS:[407200] 00401739 . 83F8 01 CMP EAX,1 0040173C . 31C0 XOR EAX,EAX 0040173E . A0 00724000 MOV AL,BYTE PTR DS:[407200] 00401743 . 83F8 02 CMP EAX,2 00401746 . 68 00714000 PUSH unpacked.00407100 0040174B . 68 87614000 PUSH unpacked.00406187 ; ASCII 1E,"LeVuHoang is a smartest boy :D" 00401750 . E8 9F110000 CALL unpacked.004028F4 00401755 . 75 07 JNZ SHORT unpacked.0040175E 00401757 . C605 00724000 >MOV BYTE PTR DS:[407200],2 0040175E > E8 81110000 CALL unpacked.004028E4 00401763 . E8 7C110000 CALL unpacked.004028E4 00401768 . 68 00714000 PUSH unpacked.00407100 ; /Arg2 = 00407100 0040176D . 68 A7614000 PUSH unpacked.004061A7 ; |Arg1 = 004061A7 ASCII 15,"LeVuHoang is a handsome boy :))" 00401772 . E8 0D140000 CALL unpacked.00402B84 ; \unpacked.00402B84 00401777 . 85C0 TEST EAX,EAX 00401779 . 7E 57 JLE SHORT unpacked.004017D2 0040177B . 31C0 XOR EAX,EAX 0040177D . A0 00724000 MOV AL,BYTE PTR DS:[407200] 00401782 . 83F8 01 CMP EAX,1 00401785 . 75 4B JNZ SHORT unpacked.004017D2 00401787 . 8D3D 70744000 LEA EDI,DWORD PTR DS:[407470] 0040178D . 897D FC MOV DWORD PTR SS:[EBP-4],EDI 00401790 . 68 BE614000 PUSH unpacked.004061BE ; ASCII 10,"Ops, good boy :p" 00401795 . 8B7D FC MOV EDI,DWORD PTR SS:[EBP-4] 00401798 . 57 PUSH EDI 00401799 . 31FF XOR EDI,EDI 0040179B . 57 PUSH EDI 0040179C . E8 A3100000 CALL unpacked.00402844 004017A1 . 8B7D FC MOV EDI,DWORD PTR SS:[EBP-4] 004017A4 . 
57 PUSH EDI ; /Arg1 004017A5 . E8 EA0F0000 CALL unpacked.00402794 ; \unpacked.00402794 004017AA . 68 87174000 PUSH unpacked.00401787 004017AF . E8 50100000 CALL unpacked.00402804 004017B4 . 8D3D C0764000 LEA EDI,DWORD PTR DS:[4076C0] 004017BA . 897D FC MOV DWORD PTR SS:[EBP-4],EDI 004017BD . 57 PUSH EDI 004017BE . E8 51140000 CALL unpacked.00402C14 004017C3 . 68 B4174000 PUSH unpacked.004017B4 004017C8 . 68 31184000 PUSH unpacked.00401831 004017CD . E9 32100000 JMP unpacked.00402804 004017D2 > 8D3D 70744000 LEA EDI,DWORD PTR DS:[407470] 004017D8 . 897D FC MOV DWORD PTR SS:[EBP-4],EDI 004017DB . 68 D0614000 PUSH unpacked.004061D0 ; ASCII 0F,"Ops, bad boy :p" 004017E0 . 8B7D FC MOV EDI,DWORD PTR SS:[EBP-4] 004017E3 . 57 PUSH EDI 004017E4 . 31FF XOR EDI,EDI 004017E6 . 57 PUSH EDI 004017E7 . E8 58100000 CALL unpacked.00402844 004017EC . 8B7D FC MOV EDI,DWORD PTR SS:[EBP-4] 004017EF . 57 PUSH EDI ; /Arg1 004017F0 . E8 9F0F0000 CALL unpacked.00402794 ; \unpacked.00402794 004017F5 . 68 D2174000 PUSH unpacked.004017D2 004017FA . E8 05100000 CALL unpacked.00402804 004017FF . 8D3D 70744000 LEA EDI,DWORD PTR DS:[407470] 00401805 . 897D FC MOV DWORD PTR SS:[EBP-4],EDI 00401808 . 68 E1614000 PUSH unpacked.004061E1 ; ASCII 0C,"Try again " 0040180D . 8B7D FC MOV EDI,DWORD PTR SS:[EBP-4] 00401810 . 57 PUSH EDI 00401811 . 31FF XOR EDI,EDI 00401813 . 57 PUSH EDI 00401814 . E8 2B100000 CALL unpacked.00402844 00401819 . 8B7D FC MOV EDI,DWORD PTR SS:[EBP-4] 0040181C . 57 PUSH EDI ; /Arg1 0040181D . E8 720F0000 CALL unpacked.00402794 ; \unpacked.00402794 00401822 . 68 FF174000 PUSH unpacked.004017FF 00401827 . E8 D80F0000 CALL unpacked.00402804 0040182C . E8 D3030000 CALL unpacked.00401C04 00401831 . E8 DE140000 CALL unpacked.00402D14 00401836 . C9 LEAVE 00401837 . C3 RETN Điều chúng ta mong muốn là cho nó nhảy tới Good boy khi ta nhập sai. Quá đơn giản chỉ cần patch hai chỗ 00401779 . 7E 57 JLE SHORT unpacked.004017D2 00401785 . 
75 4B JNZ SHORT unpacked.004017D2 Đổi 7E57 thành 7F57 (JLE → JG) và 754B thành 744B (JNZ → JZ) tại hai địa chỉ 401779 và 401785; cả hai lệnh nhảy này đều dẫn tới nhánh "bad boy" ở 004017D2, nên đảo điều kiện là chương trình sẽ đi vào nhánh "good boy" kể cả khi nhập sai. 3. Tạo loader Nếu bạn chỉ cần patch mem thôi thì tới đây chỉ cần dùng DZA Patcher nhập vào 2 địa chỉ 401779, 401785 để nó tạo loader cho bạn (lưu ý đây là địa chỉ ảo tuyệt đối đúng như hiển thị trong OllyDbg, không phải RVA). Nhưng mục đích chúng ta là tự tạo loader. OK, bây giờ mở Delphi ra! Chọn New > New Console Application > Lưu lại với tên hvaloader.dpr > Nhập đoạn code sau đây! Vài lưu ý khi đọc code: hai lệnh ReadProcessMemory đọc 4 byte vào OldData1/OldData2 trong khi mỗi mảng chỉ có 2 byte, nên truyền sizeof(OldData1)/sizeof(OldData2) thay cho số 4 để khỏi ghi tràn sang biến kế bên; nên gán si.cb := SizeOf(si) trước khi gọi CreateProcess; và khi byte gốc không khớp (file đã bị patch hoặc khác bản) thì cần nhánh else gọi TerminateProcess rồi đóng hai handle, nếu không tiến trình con sẽ bị treo mãi ở trạng thái suspended. Địa chỉ cố định kiểu này chỉ đúng khi file được nạp tại ImageBase như lúc xem trong OllyDbg. // program Loader_for_LVHcrackme; uses Windows, Messages; var si : Startupinfo; pi : Process_Information; NewData1 : array[0..1] of byte = ($7F,$57); NewData2 : array[0..1] of byte = ($74,$4B); NewDataSize1 : DWORD; NewDataSize2 : DWORD; Bytesread : DWORD; OldData1 : array[0..1] of byte; OldData2 : array[0..1] of byte; begin NewDataSize1 := sizeof(newdata1); NewDataSize2 := sizeof(newdata2); If CreateProcess(nil,'crackme.exe',nil,nil,FALSE, Create_Suspended,nil,nil,si,pi) = true then begin ReadProcessMemory(pi.hprocess,Pointer($401779),@OldData1,4,bytesread); ReadProcessMemory(pi.hprocess,Pointer($401785),@OldData2,4,bytesread); if (olddata1[0] = $7E) and (OldData1[1] = $57)and(OldData2[0] = $75) and (OldData2[1] = $4B) then begin WriteProcessMemory(pi.hProcess, Pointer($401779), @NewData1, NewDataSize1, bytesread); WriteProcessMemory(pi.hProcess, Pointer($401785), @NewData2, NewDataSize2, bytesread); ResumeThread(pi.hThread); CloseHandle(pi.hProcess); CloseHandle(PI.hThread); . SS:[EBP-4],EDI 00 4 01 7 BD . 57 PUSH EDI 00 4 01 7 BE . E8 511 400 00 CALL unpacked .00 402 C14 00 4 01 7 C3 . 68 B 417 400 0 PUSH unpacked .00 4 01 7 B4 00 4 01 7 C8 . 68 311 8 400 0 PUSH unpacked .00 4 01 8 31 00 4 01 7 CD . E9 3 2 10 000 0 JMP. 00 4 01 7 14 . E8 DB 1 10 000 CALL unpacked .00 402 8F4 00 4 01 7 19 . 75 07 JNZ SHORT unpacked .00 4 01 7 22 00 4 01 7 1B . C 605 00 72 400 0 >MOV BYTE PTR DS:[ 407 200 ] ,1 00 4 01 7 22 > 31C0 XOR EAX,EAX 00 4 01 7 24. 00 4 01 7 EF . 57 PUSH EDI ; /Arg1 00 4 01 7 F0 . E8 9F0F 000 0 CALL unpacked .00 402 794 ; unpacked .00 402 794 00 4 01 7 F5 . 
68 D 217 400 0 PUSH unpacked .00 4 01 7 D2 00 4 01 7 FA . E8 0 5 10 000 0 CALL unpacked .00 402 804