Again, cool challenge!
I try to write an easy to follow solution, so that everyone, even beginners, can benefit from these .
What's the first step? Yep, run the program! You'll see it's not that easy this time... Our debugger just tells us that the process has terminated:
Is this termination program-related? Test it out, just run the exe as you would normally do outside of your debugger; you'll see it works like a charm... Also you'll see this annoying nag in front of you which just makes you keen on cracking it...
So, what could that be? Probably the program doesn't like to be run in a debugger! There has to be a check somewhere in the code which checks whether it runs in a debugger. The approach to find it is pretty straightforward: Begin at the program's entry point and go through the code step-by-step (F8); when the program terminates the last call was probably a bad one . When you find a terminating call, rerun the program and dig in the call, continuing our previous strategy.
You'll get here:
If you run this little loop the program terminates; dig into them, you'll see the highlighted call is responsible for exiting. Interestingly, it is harmless the first time we call it, but the second time it kills us; sweet...
Open it - hold in mind that the second run is required to get to the right part of the code! - and have a look at it:
You see the call to "IsDebuggerPresent"? As the name suggests this call checks whether the program is run in a debugger or not. If EAX is 1 it terminates -> call to "ExitProcess".
So we have multiple ways to fix this:
- change the call to MOV EAX, 0 (or XOR EAX, EAX; uses less space )
- change JE to JMP
- NOP out the PUSH 0 and the call to ExitProcess
Feel free to take the way you prefer... I recommend patching the jump, because it takes only one byte. Anyway, now you can start the real reversing!
I won't cover the process of cracking the program; same as last time .
Instead of stepping through the binary we could have searched for a call to IsDebuggerPresent; it's the easiest way of identifying a debugger, so it was guessable that it's used here. But there are many other ways which don't rely on this call (Probably @dtm - sorry, edgyS0ft - is already on it...), so you shouldn't rely on it, too!