Hook DLL for Main.exe eX ++ without unpacking.

Hi, I saw that some people want a cracked Main.exe eX ++ but don't know how to unpack it, so I wrote a small guide that makes patching Main.exe easy without unpacking it: the packer stub is left alone and we make the restored entry point load our own DLL instead.

1. Load Main.exe eX ++ in OllyDbg. The entry point (Olly's <ModuleEntryPoint>) looks like this:

Code:
00CDDBE5 >  60              pushad
00CDDBE6    9C              pushfd
00CDDBE7    FC              cld
00CDDBE8    B8 01000000     mov     eax, 1
Set a hardware breakpoint on execution at the entry point (right-click > Breakpoint > Hardware, on execution) and press Shift+F9. When it fires again, the packer stub has already written the original code back over the entry point, so you see:

1.1
Code:
00CDDBE5 >  E8 C9C09BFF     call    00699CB3
00CDDBEA  ^ E9 78FEFFFF     jmp     00CDDA67
The jmp at 00CDDBEA is the instruction I redirect to the hook.

How to do it:

2. Restart Olly and load Main.exe again. This time read the packer stub at the entry point:
Code:
00CDDBE5 >  60              pushad
00CDDBE6    9C              pushfd
00CDDBE7    FC              cld
00CDDBE8    B8 01000000     mov     eax, 1
00CDDBED    B9 FFFF0000     mov     ecx, 0FFFF
00CDDBF2  - E0 FE           loopdne short 00CDDBF2
00CDDBF4    48              dec     eax
00CDDBF5    83F8 00         cmp     eax, 0
00CDDBF8  ^ 75 F3           jnz     short 00CDDBED
00CDDBFA    68 D180DC0A     push    0ADC80D1                         ; ASCII "kernel32.dll"
00CDDBFF    FF15 64ACC609   call    dword ptr [<&KERNEL32.LoadLibrar>; kernel32.LoadLibraryA
00CDDC05    68 DE80DC0A     push    0ADC80DE                         ; ASCII "VirtualProtect"
00CDDC0A    50              push    eax
00CDDC0B    FF15 60ACC609   call    dword ptr [<&KERNEL32.GetProcAdd>; kernel32.GetProcAddress
00CDDC11    8BD8            mov     ebx, eax
00CDDC13    50              push    eax
00CDDC14    8BCC            mov     ecx, esp
00CDDC16    51              push    ecx
00CDDC17    6A 40           push    40
00CDDC19    68 5B000000     push    5B
00CDDC1E    68 E5DBCD00     push    <ModuleEntryPoint>
00CDDC23    FFD0            call    eax
00CDDC25    8BCC            mov     ecx, esp
00CDDC27    51              push    ecx
00CDDC28    6A 40           push    40
00CDDC2A    68 19000000     push    19
00CDDC2F    68 B880DC0A     push    0ADC80B8
00CDDC34    8BC3            mov     eax, ebx
00CDDC36    FFD0            call    eax
00CDDC38    83C4 04         add     esp, 4
00CDDC3B  - E9 78A40E0A     jmp     0ADC80B8

The stub resolves VirtualProtect through LoadLibraryA/GetProcAddress and calls it twice with push 40 (PAGE_EXECUTE_READWRITE): first on the entry point (0x5B bytes), then on its own copy routine at 0ADC80B8 (0x19 bytes). At 00CDDC3B follow the jmp to 0ADC80B8:

Code:
0ADC80B8    90              nop
0ADC80B9    BE ED80DC0A     mov     esi, 0ADC80ED
0ADC80BE    BF E5DBCD00     mov     edi, <ModuleEntryPoint>
0ADC80C3    B9 5B000000     mov     ecx, 5B
0ADC80C8    F3:A4           rep     movs byte ptr es:[edi], byte ptr>
0ADC80CA    9D              popfd
0ADC80CB    61              popad
0ADC80CC  - E9 145BF1F5     jmp     <ModuleEntryPoint>
The copy routine moves 0x5B bytes from 0ADC80ED over the entry point, restores the registers (popfd/popad) and jumps to the restored code. So the original entry code is stored at 0ADC80ED; look at it in the hex dump (size 0x5B):

Code:
0ADC80ED  E8 C9 C0 9B FF E9 78 FE FF FF 8B FF 55 8B EC 53  èÉÀ›ÿéxþÿÿ‹ÿU‹ìS
Compare with 1.1 above: the bytes E9 78 FE FF FF at +5 are the `jmp 00CDDA67`.

That jmp is what we change: point it at a free offset (a code cave inside Main.exe) and write the hook code there. Because the stub copies these stored bytes over the entry point on every start, the patched jmp is what actually runs.

Example: I did it on Main zteam EX802 1.4.42.

At 0ADC80ED :
Original : E8 C9 C0 9B FF E9 78 FE FF FF 8B FF 55 8B EC 53
Hook: E8 C9 C0 9B FF E9 39 4F 4E 00 8B FF 55 8B EC 53

E9 39 4F 4E 00 is jmp 011C2B28 (the displacement is relative to the end of the 5-byte instruction at 00CDDBEA: 011C2B28 - 00CDDBEF = 0x004E4F39).

So we write the hook code at 011C2B28, with the "zClient.dll" string a little further on at 011C2B58, like this:

Code:
011C2B28    68 582B1C01     push    011C2B58                         ; ASCII "zClient.dll"
011C2B2D    FF15 64ACC609   call    dword ptr [<&KERNEL32.LoadLibrar>; kernel32.LoadLibraryA
011C2B33  - E9 2FAFB1FF     jmp     00CDDA67                         ; Offset original JMP

Done, save it (in Olly: right-click > Copy to executable > All modifications, then save the file). From the DLL we can patch any offset and crack Main.exe. Doing it on another main.exe is the same and works fine :)

Two things to check before saving: the cave (011C2B28 here, with the string at 011C2B58) must lie in a file-backed, executable section so the bytes survive in the file and are allowed to run, and the hook uses absolute addresses (the string pointer and the IAT slot 09C6AC64), so it assumes Main.exe loads at the same base as it did in the debugger.
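Added worked example (my code, not from the post): it checks the displacement arithmetic behind the bytes above and assembles the LoadLibraryA hook stub for any cave and string address, so the same procedure can be repeated on another build where the addresses differ. The addresses and the 16 hex-dump bytes are taken from the listings above; the `preserve_regs` option is my own suggestion and is not part of the post's stub.

```python
"""
Rel32 branch arithmetic and hook-stub assembly for the Main.exe eX ++ hook.
Addresses from the post's Main zteam EX802 1.4.42 listings:
  entry point             00CDDBE5  (restored code: call 00699CB3 ; jmp 00CDDA67)
  stored original bytes   0ADC80ED  (0x5B bytes the stub copies over the EP)
  code cave for the hook  011C2B28  (assumed free, file-backed, executable)
  "zClient.dll" string    011C2B58
  IAT slot of LoadLibraryA 09C6AC64 (from `call dword ptr [09C6AC64]`)
"""
import struct

ENTRY_VA = 0x00CDDBE5
CAVE_VA = 0x011C2B28
STRING_VA = 0x011C2B58
LOADLIB_IAT = 0x09C6AC64
ORIG_JMP_DST = 0x00CDDA67

# First 16 of the 0x5B stored bytes at 0ADC80ED, copied from the post's hex dump.
STORED_HEAD = bytes.fromhex("E8C9C09BFFE978FEFFFF8BFF558BEC53")


def rel32(insn_va: int, target_va: int, insn_len: int = 5) -> int:
    """Displacement of an E8/E9 instruction: relative to the *next* instruction."""
    return (target_va - (insn_va + insn_len)) & 0xFFFFFFFF


def encode_jmp(insn_va: int, target_va: int) -> bytes:
    """E9 rel32 located at insn_va, landing on target_va."""
    return b"\xE9" + struct.pack("<I", rel32(insn_va, target_va))


def branch_target(insn_va: int, code: bytes) -> int:
    """Decode a 5-byte E8/E9 rel32 branch located at insn_va; return its target."""
    if len(code) < 5 or code[0] not in (0xE8, 0xE9):
        raise ValueError("not a rel32 call/jmp")
    disp = struct.unpack("<i", code[1:5])[0]
    return (insn_va + 5 + disp) & 0xFFFFFFFF


def patch_stored_entry(stored: bytes, entry_va: int, hook_va: int) -> bytes:
    """Redirect the jmp at entry_va+5 inside the packer's stored copy of the
    original entry code, so that once the stub copies it back execution goes
    to the hook instead of the original jmp target. Refuses to patch when the
    byte at +5 is not E9, so a build with a different layout is not corrupted."""
    if stored[5] != 0xE9:
        raise ValueError("expected E9 at +5; layout differs from the post")
    return stored[:5] + encode_jmp(entry_va + 5, hook_va) + stored[10:]


def build_hook_stub(cave_va: int, string_va: int, iat_va: int, resume_va: int,
                    dll_name: str, preserve_regs: bool = False) -> bytes:
    """Assemble: push string_va ; call dword ptr [iat_va] ; jmp resume_va ;
    zero padding up to string_va ; "dll_name\\0".
    preserve_regs (assumption/suggestion, not in the post) wraps the call in
    pushad/pushfd ... popfd/popad so the hook cannot clobber eax/ecx/edx/flags
    that code at resume_va might still expect from the preceding call."""
    code = b""
    if preserve_regs:
        code += b"\x60\x9C"                             # pushad ; pushfd
    code += b"\x68" + struct.pack("<I", string_va)      # push string_va
    code += b"\xFF\x15" + struct.pack("<I", iat_va)     # call dword ptr [iat_va]
    if preserve_regs:
        code += b"\x9D\x61"                             # popfd ; popad
    code += encode_jmp(cave_va + len(code), resume_va)  # jmp resume_va
    pad = string_va - (cave_va + len(code))
    if pad < 0:
        raise ValueError("string_va overlaps the stub code")
    return code + b"\x00" * pad + dll_name.encode("ascii") + b"\x00"


def hook_patch_set(cave_va=CAVE_VA, string_va=STRING_VA, iat_va=LOADLIB_IAT,
                   stored=STORED_HEAD, entry_va=ENTRY_VA, resume_va=ORIG_JMP_DST):
    """Return {va: bytes} for everything that has to be written into Main.exe.
    resume_va is read from the stored bytes so a wrong constant cannot slip in."""
    decoded_resume = branch_target(entry_va + 5, stored[5:10])
    if decoded_resume != resume_va:
        raise ValueError(f"stored jmp goes to {decoded_resume:08X}, not {resume_va:08X}")
    return {
        0x0ADC80ED: patch_stored_entry(stored, entry_va, cave_va),
        cave_va: build_hook_stub(cave_va, string_va, iat_va, resume_va, "zClient.dll"),
    }


if __name__ == "__main__":
    for va, data in hook_patch_set().items():
        print(f"{va:08X}: {data.hex(' ').upper()}")
```

The two byte strings the script emits are exactly the "Hook" line and the three instructions at 011C2B28 from the post; feed them to OllyDbg's binary edit (or write them at the matching file offsets) and save with Copy to executable. Note that LoadLibraryA returns in eax and, being stdcall, may also change ecx and edx; the original code jumps straight to 00CDDA67 after `call 00699CB3`, so if anything there relied on those registers, build the stub with `preserve_regs=True` (the stub grows by four bytes and the jmp displacement is recomputed accordingly).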