Patching a Program Without Source Code: How to be like the Skype Hacker for Newbies

Category: Hacking

Recently I saw how this person was tired of how this 3rd party Skype plugin was crashing and decided to fix it without the source code.

I thought to myself, “it’s not really that hard or newsworthy, I’ve done it myself before.” Although mine was for some obscure Korean MMO, it received a flurry of online response ranging from “I love you” to “I don’t trust this patch, and if I crash, everyone else should crash too”.

So here I will try to show you how to become a “leet hacker” who can patch unencrypted programs without the source code like the Skype guy, so that commercial software companies can benefit from your work without paying you, and your screen name is forever sung in ballads by traveling troubadours.

The problem resides at SkypeMate.dll+0x4525 where the program de-references a pointer returned by SkypeMate.dll+0x4450 (aka “GetAudioNameByID”) which is passed an invalid ID, -1. The function then returns a null pointer which crashes the program. By inserting a null reference check before the pointer is de-referenced, the program now runs great. – Nick Whaley

Armed with this knowledge, let’s make our own faulty program so we don’t get sued for hacking a commercial one!

#include <stdio.h>
#include <stdlib.h>

/* Index 0 is deliberately a null pointer so that an ID of -1 maps to it */
char* AudioList[] = {0, "Metallica", "Cher"};

char* GetAudioNameByID(int id) {
    /* No validity check on id: -1 selects AudioList[0], which is NULL */
    return AudioList[id+1];
}

int SomeFunction() {
    char* output = GetAudioNameByID(-1);

    /* here we dereference a null pointer: this is the line that crashes */
    char firstLetter = *output;

    printf("The first letter of %s is %c\n", output, firstLetter);

    return firstLetter;
}

int main()
{
    SomeFunction();
    return 0;
}

This program will crash: GetAudioNameByID(-1) returns the null pointer stored at index 0, and SomeFunction reads through it. Just trust me, or you can try it yourself. If you don’t have a C compiler, download it here.

Now to fix this, we will open it up with OllyDbg, which is a free Windows debugger (of course you can probably use another debugger).

[Screenshot: ollystart]

Open the program with OllyDbg, and then click start to run the program.

[Screenshot: ollycrash]

It will eventually crash, and OllyDbg will show you the exact instruction where it happens and the error: “Access violation when reading [00000000]”. This means the program tried to read the data at address 0, which is an illegal operation on almost every modern computer.

The important part here is to notice the command “MOVSX EAX, BYTE PTR DS:[EDX]”. This looks like a mess, but it simply means “load the byte at the address held in EDX into EAX, sign-extending it to 32 bits”. It is the compiled form of the line char firstLetter = *output; with EDX holding the output pointer, so when that pointer is 0 this is the read that faults.

Solution

So how can we solve this? The Skype guy said he simply checked whether this pointer is 0 before using it. Let’s do that (obviously there are other ways to fix this).

[Screenshot: ollycodecave]

The first thing to do is to find a code cave, because we need some space for our checker. You can find these in copious amounts right after the end of a function (RETN); they will usually be filled with “NOP” or “DB 00” padding. The short answer as to why your compiler does this is that it pads each function so the next one starts on an aligned address, and aligned code is faster to fetch.

[Screenshot: ollypatch]

Here we fill in the code. Click on the line you want to enter code at and press spacebar.

  • 40138D: JMP SHORT 004013A6 – We jump to our code cave. The 3-byte MOVSX is overwritten by this 2-byte jump plus the 1-byte POP ECX below, so nothing else in the function has to move.
  • 4013A6: PUSH ECX – We save this register on the stack so we can use it for the comparison; later we pop the original value back in case it is important. We use ECX because JECXZ tests it directly without touching the flags, whereas the usual CMP instructions would clobber them. If you are not afraid of that, go ahead and use CMP.
  • 4013A7: MOV ECX, EDX – We copy the register that might be 0 (the pointer) into ECX.
  • 4013A9: JECXZ SHORT 0040138F – If ECX is 0, we don’t dereference it; we jump straight back to the original path.
  • 4013AB: MOVSX EAX, BYTE [EDX] – If it isn’t 0, we execute the original instruction we displaced.
  • 4013AE: JMP SHORT 0040138F – Then we jump back to our original function.
  • 40138F: POP ECX – We put the old ECX back now that we are done using it.
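As an added example (not code from the original post or from OllyDbg), here is the same patch expressed as raw bytes and applied by a script that first checks that the faulting MOVSX and the empty cave are really where the post says, and computes the short-jump displacements instead of typing them from the debugger. The addresses are the post’s; IMAGE_BASE, the buffer contents and the function names are assumptions made for this demo.

```python
# Added example, not from the original post: the code-cave patch as bytes.
# Addresses are the post's; IMAGE_BASE and the image buffer are constructed.

IMAGE_BASE = 0x401000         # assumed load address of the constructed .text bytes

ORIG_MOVSX = bytes.fromhex("0FBE02")   # MOVSX EAX, BYTE PTR DS:[EDX], 3 bytes
FAULT_ADDR = 0x40138D                  # where the faulting MOVSX sits
RESUME_ADDR = 0x40138F                 # where the cave returns to (POP ECX)
CAVE_ADDR = 0x4013A6                   # start of the padding after RETN

def rel8(src, dst, insn_len=2):
    """Displacement byte for a 2-byte short JMP/JECXZ at src reaching dst."""
    disp = dst - (src + insn_len)
    if not -128 <= disp <= 127:
        raise ValueError("%#x -> %#x is out of short-jump range" % (src, dst))
    return disp & 0xFF

def build_cave():
    """The five instructions written into the cave, in the post's order."""
    code = bytearray(b"\x51")                                # PUSH ECX
    code += b"\x8B\xCA"                                      # MOV ECX, EDX
    code += bytes([0xE3, rel8(CAVE_ADDR + 3, RESUME_ADDR)])  # JECXZ SHORT resume
    code += ORIG_MOVSX                                       # original MOVSX
    code += bytes([0xEB, rel8(CAVE_ADDR + 8, RESUME_ADDR)])  # JMP SHORT resume
    return bytes(code)

def apply_patch(image, base=IMAGE_BASE):
    """Return a patched copy of image, refusing if the bytes are not as expected."""
    img = bytearray(image)
    off = FAULT_ADDR - base
    if img[off:off + 3] != ORIG_MOVSX:
        raise ValueError("MOVSX not found at %#x (already patched?)" % FAULT_ADDR)
    cave = build_cave()
    coff = CAVE_ADDR - base
    if any(b not in (0x00, 0x90) for b in img[coff:coff + len(cave)]):
        raise ValueError("cave at %#x is not NOP/DB 00 padding" % CAVE_ADDR)
    # 3-byte MOVSX -> JMP SHORT cave (2 bytes) + POP ECX (1 byte): same length
    img[off:off + 3] = bytes([0xEB, rel8(FAULT_ADDR, CAVE_ADDR)]) + b"\x59"
    img[coff:coff + len(cave)] = cave
    return bytes(img)

def make_sample_image():
    """Constructed stand-in for the .text bytes: MOVSX at the fault site, RETN, zeros."""
    img = bytearray(0x400)
    img[FAULT_ADDR - IMAGE_BASE:FAULT_ADDR - IMAGE_BASE + 3] = ORIG_MOVSX
    img[CAVE_ADDR - 1 - IMAGE_BASE] = 0xC3                   # RETN just before the cave
    return bytes(img)
```

Running apply_patch a second time on its own output is refused, because the MOVSX bytes are no longer at 40138D; that is the cheap way to keep a patch script from double-applying.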

Now push play to see if it works.

[Screenshot: ollyworks]

Hooray, it worked! Now before you close it, let’s save the “cracked” executable. Go back to the changes by pressing Ctrl+G and typing in 0x40138D. Now right click and click save all modifications.

[Screenshot: ollysavepatch]

A box should pop up, click on save all. Another box should pop up saying “File”. Right click in it and click “Save File”.

You are now a l33t h4xs0r3. See you on the front page of (insert your favorite social website here).


27 Comments

  1. admin says:

    Comments should be working again. You may have to clear your cookies.

  2. eve says:

    Write one that covers an application you don’t have access to the source code of with thousands of lines, threads and is event driven and written in Delphi, Python or Visual Basic and I’ll be more impressed.

  3. eve says:

    This article is actually awful. You put effort into explaining the obvious stuff and hardly explain the assembly. You also use a font that makes 0 look like o.

  4. admin says:

    eve, this is an introductory article.

    I have patched big name multithreaded programs, including ones protected with kernel level rootkits. But there would probably be only 100 people who would be able to enjoy it.

    The way I patched the program doesn’t require knowledge of the source code, and is probably similar to the way the Skype guy did which was all over the internet.

    I agree with you on the font. But I just used someone’s theme and I am in the process of tweaking it. Any suggestions for the font?

  5. Viren says:

    Great article, thanks for the tip.

  6. Sinister says:

    Great post, ignore the poster, “Eve”, above me.

    I would look forward to see more reverse engineering posts from you! Perhaps you can make a post to show how to reliably find certain memory offsets in a game.

  7. Turbo says:

    No, Eve is right. The difficult part of this patching process is the assembler but that’s what was least explained here.

    • admin says:

      What questions do you have?

      I will try to explain if I can, but it’s kind of hard to stuff an entire Assembly tutorial in one post.

  8. Girish says:

    Good article.

    eve, many people just want to know the ‘idea’ behind how it is done, as opposed to the actual nitty gritty.

  9. Jamon says:

    Eve is right here, the hard part isn’t explained. Which is understandable, because like has been said, it’s tough to put an assembly tutorial in one post. Of course that makes the title of the post, “Patching a Program Without Source Code: How to be like the Skype Hacker for Newbies”, inaccurate, as no newbie is going to be able to do this after they read your tutorial. A better title would have been, “Patching a Program Without Source Code” but I guess that wouldn’t have been sensational enough :-)

    • admin says:

      You could probably copy and paste the code and just modify the jmp locations to get it to work in another situation.

      • Douchebag says:

        Shut up, noob. You clearly don’t know what you’re talking about.

  10. JohnnyJimJams says:

    I liked the article. It shows the process and the tools involved in examining others’ compiled code.

    I didn’t expect an assembly tutorial at all. But I already know assembly so maybe this was just less of an issue for me.

    Nice article, interesting read. :)

  11. Alex says:

    I don’t understand the complaints, this was interesting to me. If people want to learn more about asm or whatever there is tons of material available elsewhere.

    Thanks

  12. JC says:

    We already knew the Skype guy used Assembler to do his work. What we did not know is the kind of tools he used, and the kind of process he went through, and that is exactly what you have shown here. Great post, thanks for taking the trouble to write it.

  13. jake says:

    I’ve been programming for several years. Love the post I learned a lot!

  14. drr says:

    I don’t get the criticism, the article is clear and to the point. Just about anyone can replicate the example and it serves as a fine introduction to more difficult problems.

    After a little more looking around, I’ve bookmarked your blog. Good stuff.

  15. Sam says:

    Thanks for the post; it’s informative.

  16. Phil says:

    Thanks for this article – that was insightful. For everyone commenting that the assembly is the hardest part – it’s really not that hard once you are able to look at a reference manual with a description of each command. Beyond that, he already posted a description of what each line is doing. Could the author post a link to the proper manual?

  17. z0ltan says:

    @all,

    I am amused as to how all you missed the whole point that eve was trying to make. It’s just the pissed attitude of the post that probably rankled her (pardon my assumption about the gender). Sure this is no big deal for anyone with an iota of technical bent of mind but the author clearly is irked by the attention the so called ‘Skype Guy’ is getting for his post. Bejasus, grow up!

    • admin says:

      I admit I was surprised and baffled at the attention the “Skype Guy” received. But eve’s comments make no sense.

      First of all, I examined the Skype dll, and found that there was no encryption, and it was likely written in C. Therefore, her arguments about it being threaded, event driven, and being Delphi or Python (which is trivially decompiled) are moot.

      Second, the way I showed how to patch it required zero knowledge of the source code, even though I put the source code out there.

      Thirdly, 20,000 people have already seen this post.

      • Aaron says:

        How did you examine the DLL? Seems like a critical step missing from your post. Is that how you were able to match function names to their addresses?

        • admin says:

          Aaron: you do not need to match function names to their addresses in order to do the patch as I detailed here.

          The Skype DLL file is a shared library, which means you can find the addresses of all public functions with common programs.

  18. awolf says:

    Great post. I’m pretty rusty in assembly so I would have liked if you could have been a little more explicit about the JECXZ instruction (as this instruction is the key).

    Something like:

    JECXZ (jump if condition is zero) checks ECX (the “count register”) and will jump if ECX is zero. This is exactly what we want because we moved the (potentially null) pointer value into ECX on the previous line.

    Please keep this blog going, I like what I see.

  19. great article! and yes ignore the morons whinging about there being no explanation of “Assembler” (note: it’s called AssemBLY!).

    post more articles on this theme!

  20. Chester says:

    I second the kudos and the requests to ignore people who are unable to see what the article illustrates. Entertaining one.

    (and I’m also grateful for not being the only one annoyed by people who mistake the Assembly language with assembler tools :-) )

  21. If you are in a not good position and have no money to move out from that, you would have to receive the home loans. Just because it should help you unquestionably. I take credit loan every single year and feel great just because of this.
