Tuesday, 21 April 2009

How to hack your own single-instance application, for dummies

This material is intended for educational purposes ONLY. I donnot assume any responsability for wanted or unwanted damages done by the reader with the gained knowledge from this article.

Today I'm going to show you how to solve the most basic programming problem[1]: hacking a single-instance application. But what is a single-instance application? Well, it's an application which you can only start once.

And since it would be illegal to hack Yahoo! Messenger (R), I'll create my own single-instance app which I'll hack afterwards :)

First, the code of the app:

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

int main(void) {
HANDLE hmutex = CreateMutex(NULL,FALSE,"some unique id");
if (hmutex && GetLastError () == ERROR_ALREADY_EXISTS) {
ReleaseMutex (hmutex);
printf("the program is already running");
printf("program's first instance");

According to the MSDN, CreateMutex returns NULL if the mutex already exists.

So basically, all we need to do is locate the call to CreateMutex and replace it with mov eax,0, since the return value of a function is always stored in EAX.

Follow these steps in ollydbg:

1. Load the executable
2. Select the binary code responsible for the call and fill it with NOPs (the no-operation operation available for any x86 CPU):

3. Double click the first NOP and replace it with the code that will make the following code think that CreateMutex was successfully called and returned 0 in EAX, then click assemble. The remaining NOPs are ok, they'll keep the eventual following pointers in place:

4. At this point, you could run your patched process. Please note, I said process. Exactly, the changes you've made are now in RAM, but you want the changes to be permanent in the program. So, right click and copy all modifications to executable, then choose "copy all" when prompted:

5. A new window will appear. This is the binary code of the patched executable. Simply save the binary to the permanent storage:

6. VoilĂ ! Now you may start as many instances of the patched executable as you like:

I hope you've enjoyed it


[1] According to myself, it's not the "Hello, World!" program any more :-))

No comments:

Post a Comment