cm5_tut.txt (Reverse Code Engineering RCE CD +sandman 2000, ReverseCodeEngineeringRceCdsandman2000.iso, RCE/E_bliss), text file, 2000-05-25, 3KB, 95 lines
Tutorial for Crackme Stx_cm2 (tC...)
by Sanhedrin
Tools
Wdasm
Softice
This crackme asks for a name, a company and a keycode. Enter a name, company and keycode, for example:
Sanhedrin
DND
12344321
Go into SoftICE and set the breakpoint
bpx hmemcpy
then press Register. Once you have broken into SoftICE, disable the breakpoints (bd *). After a few F12's (return to the caller each time) you should end up here:
:004416CF 8945F8 mov dword ptr [ebp-08], eax
:004416D2 33C0 xor eax, eax
:004416D4 8945F4 mov dword ptr [ebp-0C], eax
:004416D7 8D558C lea edx, dword ptr [ebp-74]
:004416DA 8B86C4020000 mov eax, dword ptr [esi+000002C4]
:004416E0 E87305FEFF call 00421C58
:004416E5 837D8C00 cmp dword ptr [ebp-74], 00000000 <--- you will land here.
:004416E9 750A jne 004416F5
:004416EB E878FDFFFF call 00441468
:004416F0 E96F030000 jmp 00441A64
Keep stepping until you reach:
:0044195C E84322FCFF call 00403BA4
:00441961 8D558C lea edx, dword ptr [ebp-74]
:00441964 8B86CC020000 mov eax, dword ptr [esi+000002CC]
:0044196A E8E902FEFF call 00421C58
:0044196F 8B458C mov eax, dword ptr [ebp-74]
:00441972 E86D21FCFF call 00403AE4
:00441977 83F809 cmp eax, 00000009 <--- compare the length of our serial to 9
:0044197A 740A je 00441986 <--- jump if the length is 9
Set a breakpoint on that compare with
bpx 00441977
and exit SoftICE. So we know that our serial must be nine characters long. Re-enter the serial as
123443211
and press Register. Once back in SoftICE, continue until
:00441A02 FF75D0 push [ebp-30]
:00441A05 B834384400 mov eax, 00443834
:00441A0A BA05000000 mov edx, 00000005
:00441A0F E89021FCFF call 00403BA4
:00441A14 E8DB0DFCFF call 004027F4
:00441A19 B8F8EE0900 mov eax, 0009EEF8
:00441A1E E8790FFCFF call 0040299C
:00441A23 8B45E4 mov eax, dword ptr [ebp-1C]
:00441A26 8B55D8 mov edx, dword ptr [ebp-28]
:00441A29 E8C621FCFF call 00403BF4 <--- stop here
:00441A2E 752F jne 00441A5F <--- jump if our serials are not the same
:00441A30 8B45E0 mov eax, dword ptr [ebp-20]
At 00441A29, press F8 to trace into the call, and stop at:
:00403BF4 53 push ebx
:00403BF5 56 push esi
:00403BF6 57 push edi
:00403BF7 89C6 mov esi, eax
:00403BF9 89D7 mov edi, edx
:00403BFB 39D0 cmp eax, edx <--- stop here
At 00403BFB, type
D EAX <--- the real keycode, broken into its three sections
D EDX <--- our number, broken into its three sections
Thus the real keycode, for the name and company entered above, is:
99-295-89
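What the tutorial just used is the structure of the check itself: a length test, then the real keycode is built in memory and handed to a string compare, so a breakpoint on that compare reads it straight out of a register. The C program below is an added example, not the crackme's code, that reproduces this pattern (check_key_plain) beside a check that only hashes what the user typed (check_key_hashed), so there is no real key to dump at the compare. The derivation in derive_key(), the NN-NNN-NN key shape, FNV-1a and the 16-bit target in the hashed variant are all assumptions made for the example; the tutorial does not show the crackme's own algorithm.

```c
/* Added example (not the crackme's code): the check pattern the tutorial
 * breaks, a length test followed by a plain strcmp against a key the
 * program has just computed, next to a check that only hashes the input.
 * derive_key() is a made-up derivation; the tutorial does not show the
 * crackme's own algorithm. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 9   /* the cmp eax, 00000009 at 00441977 */

/* Hypothetical derivation producing an NN-NNN-NN key such as 99-295-89. */
void derive_key(const char *name, const char *company, char out[KEY_LEN + 1])
{
    unsigned a = 0, b = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        a += *p;
    for (const unsigned char *p = (const unsigned char *)company; *p; p++)
        b = b * 3 + *p;
    snprintf(out, KEY_LEN + 1, "%02u-%03u-%02u", a % 100, b % 1000, (a ^ b) % 100);
}

/* Weak check, as in the crackme: the real key is materialised in memory and
 * compared with strcmp, so "d eax" / "d edx" at the compare reveal both.
 * Returns 1 for a good key, 0 otherwise. */
int check_key_plain(const char *name, const char *company, const char *key)
{
    char real[KEY_LEN + 1];
    if (strlen(key) != KEY_LEN)        /* the length test, je 00441986 */
        return 0;
    derive_key(name, company, real);   /* real key now sits in memory */
    return strcmp(real, key) == 0;     /* the call 00403BF4 / jne step */
}

/* 32-bit FNV-1a over a NUL-terminated string, continuing from h. */
static uint32_t fnv1a(uint32_t h, const char *s)
{
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        h ^= *p;
        h *= 16777619u;
    }
    return h;
}

/* Digest of name, company and the typed key, with separators so that
 * ("ab","c") and ("a","bc") do not collide. */
static uint32_t key_digest(const char *name, const char *company, const char *key)
{
    uint32_t h = 2166136261u;
    h = fnv1a(h, name);    h = fnv1a(h, "|");
    h = fnv1a(h, company); h = fnv1a(h, "|");
    return fnv1a(h, key);
}

/* Hashed check: a key is valid when the digest's low 16 bits are zero.
 * Nothing but the typed key and a digest ever exists in memory, so a
 * breakpoint on the compare yields no key. */
int check_key_hashed(const char *name, const char *company, const char *key)
{
    if (strlen(key) != KEY_LEN)
        return 0;
    return (key_digest(name, company, key) & 0xffffu) == 0;
}

/* Keygen for the hashed check: a brute-force search over the 10^7 keys of
 * shape NN-NNN-NN (about 65536 tries on average). Returns 1 when found. */
int make_key_hashed(const char *name, const char *company, char out[KEY_LEN + 1])
{
    for (unsigned i = 0; i < 10000000u; i++) {
        snprintf(out, KEY_LEN + 1, "%02u-%03u-%02u",
                 i / 100000u % 100u, i / 100u % 1000u, i % 100u);
        if (check_key_hashed(name, company, out))
            return 1;
    }
    out[0] = '\0';
    return 0;
}

int main(void)
{
    char plain[KEY_LEN + 1], hashed[KEY_LEN + 1];
    const char *name = "Sanhedrin", *company = "DND";   /* inputs from the tutorial */

    derive_key(name, company, plain);
    printf("plain  check: key %s -> %d, key 12344321 -> %d\n", plain,
           check_key_plain(name, company, plain),
           check_key_plain(name, company, "12344321"));
    if (make_key_hashed(name, company, hashed))
        printf("hashed check: key %s -> %d\n", hashed,
               check_key_hashed(name, company, hashed));
    return 0;
}
```

Compile with -g, break on strcmp inside check_key_plain, and the key falls out the same way it does at 00403BFB in the tutorial; the same breakpoint inside check_key_hashed only ever shows a digest. That defeats the dump-at-compare trick but not patching the conditional jump after it, and a keygen is still possible as a brute-force search (make_key_hashed is exactly that); a signature-based check, where the program holds only a public key, is what it takes to resist keygenning as well.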
Thanks to all of those coders that make these crackmes, and of course to Eternal Bliss.
Sanhedrin
stachi@geocities.com