Reverse Code Engineering RCE CD +sandman 2000 / RCE / E_bliss / cm6_tut.txt
Text File | 2000-05-25 | 4KB | 102 lines
Tutorial for Crackme Stx_cm3 (tC...)
by Sanhedrin
Tools: Wdasm, SoftICE, HIEW
--INTRODUCTION--
This crackme requires that you kill the nag screen without changing more than 2 bytes. So let's
start the program. The first thing that happens is an annoying nag screen asking for $500.
Sounds about right. In the program itself there doesn't appear to be anything disabled,
but when we exit the program, the nag screen appears again.
--TRACING THE CODE--
Disassemble this crackme, then start up SoftICE and set the breakpoint:
bpx messageboxa
Start the program and immediately we are back in SoftICE. Press F11 to see the nag, then
press OK on the nag to break back into SoftICE. You should be here:
* Reference To: user32.MessageBoxA, Ord:0000h
|
:0043EFDE E87572FCFF Call 00406258
:0043EFE3 33D2 xor edx, edx <--- you will land here
:0043EFE5 8B83C8020000 mov eax, dword ptr [ebx+000002C8]
:0043EFEB E8A82EFEFF call 00421E98
:0043EFF0 5B pop ebx
:0043EFF1 C3 ret
Press F10 to see where this was called from, and stop at 0043973F.
:00439721 8D4000 lea eax, dword ptr [eax+00]
:00439724 53 push ebx
:00439725 6683B86602000000 cmp word ptr [eax+00000266], 0000
:0043972D 7410 je 0043973F
:0043972F 8BD8 mov ebx, eax
:00439731 8BD0 mov edx, eax
:00439733 8B8368020000 mov eax, dword ptr [ebx+00000268]
:00439739 FF9364020000 call dword ptr [ebx+00000264]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043972D(C)
|
:0043973F 5B pop ebx <--- you will land here
:00439740 C3 ret
Notice the jump reference at 0043972D. Write this down and we will search for it in Wdasm.
Let's continue gathering data for our crack first. Press F5 to exit SoftICE, then close the
crackme (make sure that you have not disabled the breakpoint first). Once again you will
break into SoftICE; press F11 to see the nag screen, and click OK to break back into
SoftICE. You should be at the same spot as for the first nag: 0043EFE3 (see above). Press
F10 and stop right after the return from the call:
:0043709B 8945FC mov dword ptr [ebp-04], eax
:0043709E 8B45FC mov eax, dword ptr [ebp-04]
:004370A1 6683B8B602000000 cmp word ptr [eax+000002B6], 0000
:004370A9 7441 je 004370EC
:004370AB 33C0 xor eax, eax
:004370AD 55 push ebp
:004370AE 68D5704300 push 004370D5
:004370B3 64FF30 push dword ptr fs:[eax]
:004370B6 648920 mov dword ptr fs:[eax], esp
:004370B9 8B5DFC mov ebx, dword ptr [ebp-04]
:004370BC 8B55FC mov edx, dword ptr [ebp-04]
:004370BF 8B83B8020000 mov eax, dword ptr [ebx+000002B8]
:004370C5 FF93B4020000 call dword ptr [ebx+000002B4]
:004370CB 33C0 xor eax, eax <--- you will land here
:004370CD 5A pop edx
:004370CE 59 pop ecx
:004370CF 59 pop ecx
Once again, notice the jump reference at 004370A9. Write this down, disable the breakpoints in
SoftICE, and go into your disassembler. Search for the first location:
0043972D
and write down the offset. Do the same for the second location:
004370A9
Go into Hacker's View and change both je instructions to jne (74 to 75), and the nag screens are gone.
I have a patcher (C++), and will email the source code to anyone wishing to learn more
about patching.
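Wdasm does the address-to-offset conversion for you; as an added example (not the author's C++ patcher and not part of the original tutorial), here is what that conversion does with the PE32 section table, together with the check a practitioner wants before touching a file: that every location really holds a 74 (je) before any of them is changed. The PE image it works on is a constructed stub built inline, not the crackme, and the two virtual addresses in it are made up for the demonstration.

```python
import struct

def va_to_offset(pe: bytes, va: int) -> int:
    """Map a virtual address to its file offset via the PE32 section table."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4                              # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20                                  # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base, = struct.unpack_from("<I", pe, opt + 28)
    rva = va - image_base
    for i in range(num_sections):                    # IMAGE_SECTION_HEADER entries
        hdr = opt + opt_size + 40 * i
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, hdr + 8)
        if vaddr <= rva < vaddr + rsize:             # only file-backed bytes count
            return rptr + (rva - vaddr)
    raise ValueError(f"{va:#010x} is not backed by any section in the file")

def patch_je_to_jne(pe: bytes, vas) -> bytes:
    """Return a copy with each je (74) at the given VAs turned into jne (75)."""
    offsets = []
    for va in vas:                                   # verify everything before writing
        off = va_to_offset(pe, va)
        if pe[off] != 0x74:
            raise ValueError(f"expected je (74) at {va:#010x}, found {pe[off]:02X}")
        offsets.append(off)
    out = bytearray(pe)
    for off in offsets:
        out[off] = 0x75
    return bytes(out)

def build_sample_pe() -> bytes:
    """Constructed PE32 stub (not the crackme): one .text section holding two je's."""
    pe = bytearray(0x400)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)                  # e_lfanew
    pe[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", pe, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0)  # i386, 1 section
    struct.pack_into("<H", pe, 0x98, 0x10B)                 # PE32 magic
    struct.pack_into("<I", pe, 0x98 + 28, 0x400000)         # ImageBase
    sec = 0x98 + 0xE0                                       # first section header
    pe[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", pe, sec + 8, 0x100, 0x1000, 0x200, 0x200)
    pe[0x210:0x212] = b"\x74\x10"                           # je +10h at VA 00401010
    pe[0x230:0x232] = b"\x74\x41"                           # je +41h at VA 00401030
    return bytes(pe)
```

Because the offsets are resolved and checked before the copy is written, a wrong address or a byte that is not 74 leaves the original untouched instead of producing a half-patched file.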
Greets to tC...
Thanks to all of those coders that make these crackmes, to Pepper for sending me on the
right path so long ago and of course to Eternal Bliss.
Sanhedrin
stachi@geocities.com