5. Code substitution II
--------------------------------------------------------------------------------
This is a new feature, but it is also easy to fix using OllyScript. Check this in our CRACKME3.EXE:
0040100C . 50 PUSH EAX
0040100D . 53 PUSH EBX
0040100E . FF15 0000D800 CALL DWORD PTR DS:[D80000]
00401014 . 5B POP EBX
00401015 . 58 POP EAX
The code from 40100C to 401015 is injected in place of the original line below (I saw it in the original exe before packing):
0040100C C705 F9204000 00000000 MOV DWORD PTR DS:[4020F9],0
But this line is executed within that D8???? block. Check the comments below. First we enter the call, then:
00D80004 PUSH EBP
00D80005 PUSH EAX
00D80006 PUSH EBX
00D80007 PUSHFD
00D80008 CALL 00D8000D
00D8000D POP EBP
00D8000E SUB EBP,41B79A <----------------------- Calculating the reference (delta) value.
00D80014 LEA EAX,DWORD PTR SS:[EBP+41B7CD] <- That value plus a constant gives a pointer to the correct entry in the internal table.
00D8001A MOV EBX,DWORD PTR DS:[EAX] <-------- The encrypted value is loaded.
00D8001C MOV EAX,DWORD PTR DS:[EAX+4] <------ The second value (the key) is loaded.
00D8001F XOR EBX,EAX <-------------------------- Decrypts the first one with it, and that gives 4020F9.
00D80021 ADD EAX,EBX <-------------------------- And EAX becomes 0.
00D80023 MOV DWORD PTR DS:[EBX],EAX <-------- So we have MOV DWORD[4020F9],0 here! The rest is not important for us.
00D80025 AND EAX,FFFF0000
00D8002A LEA EBX,DWORD PTR SS:[EBP+41B7C9]
00D80030 MOV EBX,DWORD PTR DS:[EBX]
00D80032 SHR EAX,18
00D80035 CMP EBX,EAX
00D80037 POPFD
00D80038 POP EBX
00D80039 POP EAX
00D8003A POP EBP
00D8003B RETN
Knowing this, I made a new script, "Krypton 0.5 - code pattern II", that just emulates this and fixes our substituted opcodes. You need to edit this script too.
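As an added example (not from the tutorial and not the Krypton script itself): a Python emulation of the stub's XOR/ADD decryption that rebuilds the 10-byte MOV DWORD PTR [addr],imm32 and patches it over the substituted PUSH/PUSH/CALL/POP/POP sequence. The table entries SAMPLE_ENC and SAMPLE_KEY are constructed, since the tutorial does not quote the real ones from [EBP+41B7CD]; they are chosen so the stub yields the instruction seen above.

```python
import struct

MASK32 = 0xFFFFFFFF

def emulate_stub(enc, key):
    """Replay the arithmetic of the D8xxxx stub on two table entries.
    EBX = [tab]   (enc)     EAX = [tab+4] (key)
    XOR EBX,EAX -> EBX = enc ^ key      (target address)
    ADD EAX,EBX -> EAX = key + EBX      (immediate stored there)
    Returns (address, immediate) as 32-bit values."""
    addr = (enc ^ key) & MASK32
    imm = (key + addr) & MASK32
    return addr, imm

def rebuild_mov(enc, key):
    """Encode MOV DWORD PTR DS:[addr],imm32 as C7 05 disp32 imm32 (10 bytes)."""
    addr, imm = emulate_stub(enc, key)
    return b"\xC7\x05" + struct.pack("<II", addr, imm)

def patch_substituted_code(code, offset, enc, key):
    """Overwrite the injected 50 53 FF15 xxxxxxxx 5B 58 sequence at `offset`
    with the recovered MOV. Both are exactly 10 bytes, so the original
    instruction fits back in place without relocating anything."""
    stub = code[offset:offset + 10]
    if not (stub[0:2] == b"\x50\x53" and stub[2:4] == b"\xFF\x15"
            and stub[8:10] == b"\x5B\x58"):
        raise ValueError("no code-substitution stub at offset 0x%X" % offset)
    fixed = bytearray(code)
    fixed[offset:offset + 10] = rebuild_mov(enc, key)
    return bytes(fixed)

# Constructed table entries (the real ones live at [EBP+41B7CD] inside the
# stub's data block and are not quoted in the tutorial). They are chosen so
# that emulate_stub() returns (0x4020F9, 0), i.e. MOV DWORD PTR [4020F9],0.
SAMPLE_ENC = 0xFFFFFFFE
SAMPLE_KEY = 0xFFBFDF07

# Constructed copy of the packed bytes at 0040100C:
# PUSH EAX / PUSH EBX / CALL DWORD PTR DS:[D80000] / POP EBX / POP EAX
SAMPLE_CODE = bytes.fromhex("5053FF150000D8005B58")

if __name__ == "__main__":
    addr, imm = emulate_stub(SAMPLE_ENC, SAMPLE_KEY)
    print("MOV DWORD PTR DS:[%08X],%X" % (addr, imm))
    print(patch_substituted_code(SAMPLE_CODE, 0, SAMPLE_ENC, SAMPLE_KEY).hex().upper())
```

In the real unpacking the two table dwords are read from the stub's data block at the address computed in EBP+41B7CD, and the result is written back over the ten bytes at 40100C.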