Reverse Code Engineering RCE CD +sandman 2000

home *** CD-ROM | disk | FTP | other *** search

/ Reverse Code Engineering RCE CD +sandman 2000 / ReverseCodeEngineeringRceCdsandman2000.iso / RCE / E_bliss / crackmetc9.txt < prev next >

Wrap

Text File | 2000-05-25 | 4KB | 101 lines

*[What] : CrackMe 9 *[ID] : 6 *[Type] : Name-Company-Serial *[Coder] : tC... *[Downloaded from]: http://crackmes.cjb.net *[Official site] : http://crackmez.cjb.net By Sanhedrin Tools WDASM Softice --Decompile-- Once you decompile this crackme, you notice two references: * Possible StringData Ref from Code Obj ->"-159357-" and * Possible StringData Ref from Code Obj ->"-ID-" Probably part of our registration code. Let's keep those at the back of our minds for now. Enter you name, company, serial number Sanhedrin Dalfor 12344321 then start up softice BPX HMEMCPY Press register, validate in the crackme and once you have broken into softice disable the breakpoint. Press F12 several times until you get to: :00442BC0 E87B06FEFF call 00423240 :00442BC5 8B45F4 mov eax, dword ptr [ebp-0C]<----you will land here :00442BC8 E8670EFCFF call 00403A34 :00442BCD 83F805 cmp eax, 00000005<----compare user name to 5 characters :00442BD0 0F8C85020000 jl 00442E5B<----jump if less than 5 :00442BD6 8D55F4 lea edx, dword ptr [ebp-0C] :00442BD9 8B87E0020000 mov eax, dword ptr [edi+000002E0] :00442BDF E85C06FEFF call 00423240 :00442BE4 8B45F4 mov eax, dword ptr [ebp-0C] :00442BE7 E8480EFCFF call 00403A34 :00442BEC 83F805 cmp eax, 00000005<----compare company name to 5 characters :00442BEF 0F8C66020000 jl 00442E5B<-----jump if less than 5 Notice that your user name and company must be at least 5 characters. --Death by converted code-- To make a long story short, this crackme converts your user name and company many times. This is why it is important to disable all breakpoints prior to continuing. Press F10, and watch the code convert before your eyes, until you end up at: :00442DC4 0502010000 add eax, 00000102 :00442DC9 8D55E8 lea edx, dword ptr [ebp-18] :00442DCC E86748FCFF call 00407638 :00442DD1 FF75E8 push [ebp-18] :00442DD4 B844594400 mov eax, 00445944 :00442DD9 BA05000000 mov edx, 00000005 :00442DDE E8110DFCFF call 00403AF4 :00442DE3 E880FDFFFF call 00442B68<----STOP here :00442DE8 833D3858440001 cmp dword ptr [00445838], 00000001 :00442DEF 7543 jne 00442E34 At 00442DE3, press F8 to see where this call came from and you will end up at: * Referenced by a CALL at Address: |:00442DE3 | :00442B68 A144594400 mov eax, dword ptr [00445944]<----move the real code to eax :00442B6D 8B1534584400 mov edx, dword ptr [00445834]<----move the entered code to edx :00442B73 E8CC0FFCFF call 00403B44<----STOP here :00442B78 7406 je 00442B80<----jump if they are the same :00442B7A E8A9FFFFFF call 00442B28 :00442B7F C3 ret At 00442B73 press D EDX <----entered code (12344321) D EAX <----real code (5850-159357-76050-ID-312) --Conclusion-- I have seen this type of protection many times in actual programs. The progammer codes the protection in such a way that he/she hopes to frustrate the cracker. Just keep following the code and eventually you should end up at the final compare sequence. Thanks to all of those coders that make these crackmes, and of course to Eternal Bliss. Sanhedrin stachi@geocities.com