CrackMe8
This crackme is for learning how to put hardware breakpoints on memory addresses and then patch the program so that it is registered.
Link: https://crackinglessons.com/crackme-8/
Software
It was a simple program showing UN-REGISTERED.
Detect It Easy (DIE)
Using DIE, I found the entry point.
EntryPoint = ImageBase + AddressOfEntryPoint --> 0x00402254
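The calculation above can be reproduced by reading the PE headers directly. This is an added example, not part of the original write-up. The function names are hypothetical, and the sample header is constructed with an assumed ImageBase of 0x00400000 and AddressOfEntryPoint of 0x2254, chosen only so that the sum matches the value above.

```python
import struct

def entry_point_va(image: bytes) -> int:
    """Return ImageBase + AddressOfEntryPoint read from a PE image's headers."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    # e_lfanew (offset 0x3C of the DOS header) points at the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20          # skip signature and 20-byte COFF file header
    (magic,) = struct.unpack_from("<H", image, opt)
    (entry_rva,) = struct.unpack_from("<I", image, opt + 16)
    if magic == 0x10B:               # PE32: 4-byte ImageBase at offset 28
        (image_base,) = struct.unpack_from("<I", image, opt + 28)
    elif magic == 0x20B:             # PE32+: 8-byte ImageBase at offset 24
        (image_base,) = struct.unpack_from("<Q", image, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return image_base + entry_rva

def build_sample_pe32(image_base: int, entry_rva: int) -> bytes:
    """Constructed header-only PE32 stub for the demo (not the crackme itself)."""
    e_lfanew = 0x80
    buf = bytearray(e_lfanew + 4 + 20 + 96)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    opt = e_lfanew + 24
    struct.pack_into("<H", buf, opt, 0x10B)           # PE32 magic
    struct.pack_into("<I", buf, opt + 16, entry_rva)  # AddressOfEntryPoint
    struct.pack_into("<I", buf, opt + 28, image_base) # ImageBase
    return bytes(buf)

if __name__ == "__main__":
    # Assumed split of the page's value; only the sum appears in the write-up.
    sample = build_sample_pe32(0x00400000, 0x2254)
    print(f"EntryPoint = {entry_point_va(sample):#010x}")
```

To use it on a real file, pass the bytes read from disk to `entry_point_va`. The result is the address the debugger stops at only when the image is loaded at its preferred base.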
x32dbg
I first opened the string reference search.
Then I searched for the UN-REGISTERED string and found an address.
Then, analyzing the logic, I understood that it checks for some value and then jumps.
First Way (JMP Patch)
The JE instruction jumps and the instructions below it are not executed, so we cannot see the REGISTERED status.
I simply changed it to a JMP to the next address, which effectively does nothing, so we become registered.
Second Way (Memory Patching)
We can also set a breakpoint on memory access and update the memory that causes ZF to be 1 and eventually causes the JE instruction to be executed.
Whenever there is a conditional jump, we can be sure there must be a TEST or CMP instruction above it which sets ZF. So at first I found the CMP instruction.
Then I followed the address in the memory dump.
Then I set a hardware breakpoint to analyze whether this is the address that causes ZF to be 1.
After making sure the address is right, I edited the binary to be 1, which causes ZF to be 0, so JE is never executed.
And that is it.