Analyzing and Modding the Shareware Zalgo Image Creator v2.0
Ok dudes & dudettes, I will now show you the process of turning this unregistered app into a registered app.
Go get Odbg110.zip at ollydbg.de and open up the ZalgoImageCreator.exe.
Ok. We will be placed at the entry point 0051C796.
What we know from running the app outside the debugger is that the main window caption contains the string "Unregistered".
So let's see if that string is referenced somewhere: right-click the CPU window and select "Search for" > "All referenced text strings".
A new window opens. Scroll to the top and select the first line. Right-click and select "Search for text". Type "Unregistered" and double-click the first occurrence:
00413465 |. 68 98105400 PUSH ZalgoIma.00541098 ; UNICODE "Zalgo-Image Creator v2.0 Unregistered"
0041346A |. FFD0 CALL EAX
0041346C |. 85C0 TEST EAX,EAX
0041346E |. 75 05 JNZ SHORT ZalgoIma.00413475
00413470 |. B8 98725300 MOV EAX,ZalgoIma.00537298
00413475 |> 8B0D 04D05500 MOV ECX,DWORD PTR DS:[55D004]
0041347B |. 51 PUSH ECX
0041347C |. 6A 00 PUSH 0
0041347E |. 50 PUSH EAX
0041347F |. 8D4C24 30 LEA ECX,DWORD PTR SS:[ESP+30]
00413483 |. E8 188B0800 CALL ZalgoIma.0049BFA0
00413488 |. 8B8C24 E8010000 MOV ECX,DWORD PTR SS:[ESP+1E8]
0041348F |. 8D5424 58 LEA EDX,DWORD PTR SS:[ESP+58]
00413493 |. 52 PUSH EDX ; /Arg7
00413494 |. 68 401E4120 PUSH 20411E40 ; |Arg6 = 20411E40
00413499 |. 68 1CEB5A00 PUSH ZalgoIma.005AEB1C ; |Arg5 = 005AEB1C
0041349E |. 68 24EB5A00 PUSH ZalgoIma.005AEB24 ; |Arg4 = 005AEB24
004134A3 |. 8D4424 34 LEA EAX,DWORD PTR SS:[ESP+34] ; |
004134A7 |. 50 PUSH EAX ; |Arg3
004134A8 |. 6A FF PUSH -1 ; |Arg2 = FFFFFFFF
004134AA |. 51 PUSH ECX ; |Arg1
004134AB |. 8BCE MOV ECX,ESI ; |
004134AD |. C68424 FC010000 11 MOV BYTE PTR SS:[ESP+1FC],11 ; |
004134B5 |. E8 86960200 CALL ZalgoIma.0043CB40 ; \ZalgoIma.0043CB40
004134BA |. 8B4424 24 MOV EAX,DWORD PTR SS:[ESP+24]
004134BE |. 8B48 F4 MOV ECX,DWORD PTR DS:[EAX-C]
004134C1 |. 83C0 F4 ADD EAX,-0C
004134C4 |. 83F9 FF CMP ECX,-1 ; Switch (cases 1..1)
004134C7 |. 74 0D JE SHORT ZalgoIma.004134D6
Sooo ... this is the code path that is not supposed to be executed. Let's take a look around.
Ah, I can see something. Look above:
00413356 |. 68 F8105400 PUSH ZalgoIma.005410F8 ; UNICODE "Zalgo-Image Creator v2.0 Registered to: "
We could have shortened this by searching the referenced text strings for "Registered" in the first place. Anyway, start analyzing around that spot:
A few pages above, the code deals with some license file, and there is a small loop above our "[...] Registered to:" string. Now that's interesting.
004130B5 |. 68 58115400 PUSH ZalgoIma.00541158 ; UNICODE "ZalgoImageCreator.lic"
Basically all we need to do now is make every jump lead to our good code. Below the attempt to open the license file we can see a JumpIfEqual (JE):
004130DF |. E8 3C730900 CALL ZalgoIma.004AA420
004130E4 |. 83C4 10 ADD ESP,10
004130E7 |. 84C0 TEST AL,AL
004130E9 |. 0F84 D4040000 JE ZalgoIma.004135C3
This baby takes us to Unregistered. Let's get rid of it. Select the jump, press space and type the new command "nop".
Trace further and let's see if there are more of these bad guys. No, the rest of the processing is not interesting, except for this one:
0041333F |> 8B4C24 18 MOV ECX,DWORD PTR SS:[ESP+18]
00413343 |. 8379 F8 04 CMP DWORD PTR DS:[ECX-8],4
00413347 |. 0F86 AD000000 JBE ZalgoIma.004133FA
That's a compare of the length against 4, and no, we do not want this JumpIfBelowOrEqual to jump past our good code, so let's get rid of that one too. You know what to do, right? Same procedure as above.
So. Let's see if this works out. Open some hex editor, I'll just use XVI32 for now, and let's apply those two changes to the exe.
e.g. Modification 1/2:
004130E9 90 NOP
004130EA 90 NOP
004130EB 90 NOP
004130EC 90 NOP
004130ED 90 NOP
004130EE 90 NOP
Back up ZalgoImageCreator.exe first, in case you destroy something.
Okay, we see the standard MZ/PE signature. Our exe's addresses started at 00401000 when loaded into memory.
Now go to the location of our modification, e.g. 004130E9 minus 00401000 is 000120E9, and enter the 6 NOPs by writing 909090909090 at that place.
Another way to do this is to search for the original hex bytes (here for Modification 2/2) in the exe:
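Where the post subtracts 00401000 from the VA, it assumes that file offset 0 maps to that address; in a PE, file offset 0 is the MZ header at ImageBase, and each section's raw file offset comes from the section table, so the reliable mapping is the one computed below. This is an added example with constructed section tables, not code or numbers from the post; the two layouts (raw pointer equal to RVA, and a smaller file alignment) are assumptions chosen to show how the result shifts.

```python
# Added example: map a virtual address seen in OllyDbg to the file offset a hex
# editor needs by walking the PE section table (the general rule, not a shortcut).
from dataclasses import dataclass


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int       # RVA where the section is mapped in memory
    virtual_size: int
    pointer_to_raw_data: int   # offset of the section's bytes inside the file
    size_of_raw_data: int


def va_to_file_offset(va: int, image_base: int, sections) -> int:
    """Return the file offset backing VA, or raise if no section's raw data covers it."""
    rva = va - image_base
    for s in sections:
        span = max(s.virtual_size, s.size_of_raw_data)
        if s.virtual_address <= rva < s.virtual_address + span:
            delta = rva - s.virtual_address
            if delta >= s.size_of_raw_data:
                raise ValueError(f"{va:#010x} lies in {s.name} but is not backed by file data")
            return s.pointer_to_raw_data + delta
    raise ValueError(f"{va:#010x} is not inside any section")


def naive_offset(va: int, load_address: int = 0x401000) -> int:
    """The post's shortcut: treat file offset 0 as the first code address."""
    return va - load_address


# Constructed section tables (assumptions, not read from the real binary).
# Layout 1: FileAlignment 0x1000, so .text sits at raw offset 0x1000 = its RVA.
ALIGNED_SECTIONS = [
    Section(".text", 0x1000, 0x15F000, 0x1000, 0x15F000),
    Section(".rdata", 0x160000, 0x40000, 0x160000, 0x40000),
]
# Layout 2: FileAlignment 0x200, so .text starts right after the headers at 0x400.
UNALIGNED_SECTIONS = [
    Section(".text", 0x1000, 0x15F000, 0x400, 0x15F000),
]

if __name__ == "__main__":
    for va in (0x4130E9, 0x413347):   # the two patched jumps from the post
        for label, table in (("aligned", ALIGNED_SECTIONS), ("unaligned", UNALIGNED_SECTIONS)):
            off = va_to_file_offset(va, 0x400000, table)
            print(f"{label:9} VA {va:#010x} -> file offset {off:#x} (shortcut {naive_offset(va):#x})")
```

Because the shortcut and the section-table result differ for both layouts, the byte-pattern search the post describes next is the safer way to locate the instruction in the file.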
00413347 0F86 AD000000 JBE ZalgoIma.004133FA
Search for the hex bytes "0F 86 AD 00 00 00" and replace them with the NOP bytes.
Now let's analyze what it does with the license file. We know the content is compared by length somehow, remember?
Ah! I got it. Create that .lic file next to the exe and fill it with "00Z00Z00Z00Z00Z00Z"!
Now run the modified exe and voila,
You did it!
Remember, don't use these techniques in an evil way. Come back in a few weeks for malware analysis & disinfection fun.