Analyzing and Modding the Shareware Zalgo Image Creator v2.0


Ok dudes & dudettes, I will now show you the process of turning this unregistered app into a registered app.
Go get Odbg110.zip at ollydbg.de and open up the ZalgoImageCreator.exe.
Ok. We will be placed at the entry point 0051C796.
What we know from running the app outside the debugger is that the main window caption contains the string "Unregistered".
So let's see whether that string is referenced anywhere: right-click the CPU window, select "Search for" and then "All referenced text strings".
A new window opens. Scroll to the top and select the first line. Right-click and select "Search for text". Type "Unregistered" and double-click the first occurrence:
 
00413465  |. 68 98105400           PUSH ZalgoIma.00541098                   ;  UNICODE "Zalgo-Image Creator v2.0 Unregistered"
0041346A  |. FFD0                  CALL EAX
0041346C  |. 85C0                  TEST EAX,EAX
0041346E  |. 75 05                 JNZ SHORT ZalgoIma.00413475
00413470  |. B8 98725300           MOV EAX,ZalgoIma.00537298
00413475  |> 8B0D 04D05500         MOV ECX,DWORD PTR DS:[55D004]
0041347B  |. 51                    PUSH ECX
0041347C  |. 6A 00                 PUSH 0
0041347E  |. 50                    PUSH EAX
0041347F  |. 8D4C24 30             LEA ECX,DWORD PTR SS:[ESP+30]
00413483  |. E8 188B0800           CALL ZalgoIma.0049BFA0
00413488  |. 8B8C24 E8010000       MOV ECX,DWORD PTR SS:[ESP+1E8]
0041348F  |. 8D5424 58             LEA EDX,DWORD PTR SS:[ESP+58]
00413493  |. 52                    PUSH EDX                                 ; /Arg7
00413494  |. 68 401E4120           PUSH 20411E40                            ; |Arg6 = 20411E40
00413499  |. 68 1CEB5A00           PUSH ZalgoIma.005AEB1C                   ; |Arg5 = 005AEB1C
0041349E  |. 68 24EB5A00           PUSH ZalgoIma.005AEB24                   ; |Arg4 = 005AEB24
004134A3  |. 8D4424 34             LEA EAX,DWORD PTR SS:[ESP+34]            ; |
004134A7  |. 50                    PUSH EAX                                 ; |Arg3
004134A8  |. 6A FF                 PUSH -1                                  ; |Arg2 = FFFFFFFF
004134AA  |. 51                    PUSH ECX                                 ; |Arg1
004134AB  |. 8BCE                  MOV ECX,ESI                              ; |
004134AD  |. C68424 FC010000 11    MOV BYTE PTR SS:[ESP+1FC],11             ; |
004134B5  |. E8 86960200           CALL ZalgoIma.0043CB40                   ; \ZalgoIma.0043CB40
004134BA  |. 8B4424 24             MOV EAX,DWORD PTR SS:[ESP+24]
004134BE  |. 8B48 F4               MOV ECX,DWORD PTR DS:[EAX-C]
004134C1  |. 83C0 F4               ADD EAX,-0C
004134C4  |. 83F9 FF               CMP ECX,-1                               ;  Switch (cases 1..1)
004134C7  |. 74 0D                 JE SHORT ZalgoIma.004134D6

Sooo ... this is the place that's not supposed to be executed. Let's take a look around.
Ah, I can see something. Look above:
00413356  |. 68 F8105400           PUSH ZalgoIma.005410F8                   ;  UNICODE "Zalgo-Image Creator v2.0 Registered to: "

We could have just searched the referenced text strings for "Registered" to shorten this process, anyway. Start analyzing around that place:

A few pages above, the code deals with some license file, and there is a small loop above our "[...] Registered to:". Now that's interesting.
004130B5  |. 68 58115400           PUSH ZalgoIma.00541158         ;  UNICODE "ZalgoImageCreator.lic"

Basically, all we need to do now is force all the jumps to reach our good code. Below that attempt at opening the license file we can see a JumpIfEqual (JE):
004130DF  |. E8 3C730900    CALL ZalgoIma.004AA420
004130E4  |. 83C4 10        ADD ESP,10
004130E7  |. 84C0           TEST AL,AL
004130E9  |. 0F84 D4040000  JE ZalgoIma.004135C3

This baby takes us to Unregistered. Let's get rid of it. Select the jump, press space and type the new command "nop".
Trace further ... let's see if there are any more of these bad guys. No, the rest of what the process does is not interesting, except this one:
0041333F  |> 8B4C24 18      MOV ECX,DWORD PTR SS:[ESP+18]
00413343  |. 8379 F8 04     CMP DWORD PTR DS:[ECX-8],4
00413347  |. 0F86 AD000000  JBE ZalgoIma.004133FA

That's a comparison of the length against 4, and no, we do not want to jump past our good code via this JumpIfBelowOrEqual, so let's get rid of that one too. You know what to do, right? It's the same procedure as above.

So. Let's see if this works out. Open some hex editor, I'll just use XVI32 for now, and let's apply those two changes to the exe.

Modification 1/2:
004130E9     90             NOP
004130EA     90             NOP
004130EB     90             NOP
004130EC     90             NOP
004130ED     90             NOP
004130EE     90             NOP

Back up the ZalgoImageCreator.exe in case you destroy something.
Okay, we see the standard MZ PE signature. Our exe addys started at 00401000 when loaded into memory.
Now go to the location of our modifications, e.g. 004130E9 minus 00401000 is 000120E9, and type in the 6 nop commands by writing 909090909090 at those places.

Another way to do this is to search for the original hex values (in this case Modification 2/2) in the exe:
00413347     0F86 AD000000       JBE ZalgoIma.004133FA

Search for hex values "0F 86 AD 00 00 00" and replace them by the nop commands.
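From the defender's side, the same two jump sites are what a vendor or analyst would check to tell whether a shipped build (or a suspicious copy) still has its registration checks in place. The added Python example below is not part of the original post or the Zalgo tool: it maps each VA to a file offset through the PE section table rather than subtracting a fixed base, then classifies the bytes found there; IMAGE_BASE 0x400000 is assumed from the listing's addresses, and build_sample_pe constructs a hypothetical stand-in image for testing.

```python
import struct
# The two conditional jumps the walkthrough identifies as registration checks (VA -> original bytes).
IMAGE_BASE = 0x00400000
CHECK_SITES = {
    0x004130E9: bytes.fromhex("0F84D4040000"),  # JE  ZalgoIma.004135C3
    0x00413347: bytes.fromhex("0F86AD000000"),  # JBE ZalgoIma.004133FA
}

def parse_sections(pe):
    """Return (virtual_size, virtual_address, raw_size, raw_pointer) for every section."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size                     # section table follows the optional header
    return [struct.unpack_from("<IIII", pe, table + 40 * i + 8) for i in range(nsec)]

def va_to_file_offset(va, sections, image_base=IMAGE_BASE):
    """Map a VA to its file offset through the section that contains it."""
    rva = va - image_base
    for vsize, sva, rsize, rptr in sections:
        if sva <= rva < sva + max(vsize, rsize):
            return rva - sva + rptr
    raise ValueError(f"VA {va:#x} is not backed by any section")

def check_patch_sites(pe, sites=CHECK_SITES):
    """Return {va: 'intact' | 'nopped' | 'modified'} for each known check site."""
    sections = parse_sections(pe)
    verdict = {}
    for va, original in sites.items():
        off = va_to_file_offset(va, sections)
        found = pe[off:off + len(original)]
        verdict[va] = "intact" if found == original else "nopped" if found == b"\x90" * len(original) else "modified"
    return verdict

def build_sample_pe(nop_site=None):
    """Constructed stand-in for the exe: one .text section, RVA 0x1000 -> file offset 0x200."""
    img = bytearray(0x200 + 0x14000)                     # zero-filled, so SizeOfOptionalHeader = 0
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)              # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x44, 0x14C, 1)         # Machine = i386, NumberOfSections = 1
    img[0x58:0x60] = b".text\0\0\0"
    struct.pack_into("<IIII", img, 0x60, 0x14000, 0x1000, 0x14000, 0x200)
    for va, original in CHECK_SITES.items():             # plant the original jumps, NOP one if asked
        off = va_to_file_offset(va, parse_sections(img))
        img[off:off + 6] = b"\x90" * 6 if va == nop_site else original
    return bytes(img)
```

A check like this only gives tamper evidence after the fact; compiled into the product it is just another branch that can be patched, so it complements rather than replaces signing and server-side validation.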

Now let's analyze what it's doing with the license file. We know that the content is somehow compared by length, remember?

Ah! I got it. Create that .lic file next to the exe and fill it with "00Z00Z00Z00Z00Z00Z"!
Now run the modified exe and voila,

You did it!



Remember, don't use these techniques in an evil way. Come back in a few weeks for malware analysis & disinfection fun.