Tutorial Number 16
Written by Eternal Bliss
Email: Eternal_Bliss@hotmail.com
Website: http://crackmes.cjb.net
http://surf.to/crackmes
Date written: 28th Mar 1999
Program Details:
Name: CrackMe 1
Author: Nitrus
Tools Used:
SoftIce
Cracking Method:
Code sniffing
Viewing Method:
Use Notepad with Word Wrap switched on
Screen Area set to 800 X 600 pixels (Optional)
__________________________________________________________________________
About this protection system
No disabled functions. A 10-character serial protection.
__________________________________________________________________________
The Essay
In this essay, when I write type "d edx" or similar commands in Softice,
I mean it without the quotes.
__________________________________________________________________________
SoftIce
Since this is a VB crackme, we might as well try using the few common
breakpoints:
1) bpx msvbvm60!__vbavartsteq
2) bpx msvbvm60!__vbastrcomp
**I add in msvbvm60! because it is written in VB6.
Run the crackme, type in "12345678" and then set your breakpoints.
When you hit Enter, you will break in MSVBVM60!__vbaVarTstEq
Break due to BPX MSVBVM60!__vbaVarTstEq (ET=792.07 milliseconds)
MSVBVM60!__vbaVarTstEq
:004021F4 8D4D9C LEA ECX,[EBP-64]
Press F12 to get out of this function, since I didn't find anything useful
in it. You can trace it if you want. 8)
You will land below:
:004021F7 668BF8 MOV DI,AX
:004021FA FF150C104000 CALL [MSVBVM60!__vbaFreeVar]
:00402200 663BFE CMP DI,SI
:00402203 0F8472050000 JZ 0040277B (NO JUMP)
:00402209 8B4B34 MOV ECX,[EBX+34]
:0040220C 51 PUSH ECX
:0040220D FF1510104000 CALL [MSVBVM60!__vbaLenBstr]
:00402213 83F80A CMP EAX,0A
The call at :0040220D (MSVBVM60!__vbaLenBstr) gets the length of the serial
we entered. Note the compare after it: EAX holds the length of the serial we
entered and is compared to 0A, which is the hex value for 10.
So, our serial must be 10 characters long.
F5 to return to the crackme.
Now, type in "1234567890" for our serial.
Oops, I forgot to tell you to disable your breakpoints first. 8)
Disable your breakpoints, or you will keep breaking every time you type
something.
Now, reset your 2 breakpoints.
When you break at MSVBVM60!__vbaVarTstEq, press F5 to return to the crackme.
But since it is of the correct length, you will break into MSVBVM60!__vbaStrComp.
Break due to BPX MSVBVM60!__vbaStrComp (ET=2.78 seconds)
MSVBVM60!__vbaStrComp
:66060A85 0F8499F00200 JZ 6608FB24 (NO JUMP)
:66060A8B 6801000300 PUSH 00030001
:66060A90 FF742408 PUSH DWORD PTR [ESP+08]
:66060A94 FF742410 PUSH DWORD PTR [ESP+10]
:66060A98 FF742418 PUSH DWORD PTR [ESP+18]
:66060A9C FF1510001166 CALL [OLEAUT32!VarBstrCmp]
**Go into this call using F8
==========================================================================
OLEAUT32!VarBstrCmp
:653C0227 8BEC MOV EBP,ESP
:653C0229 51 PUSH ECX
:653C022A 53 PUSH EBX
:653C022B 56 PUSH ESI
:653C022C 8B7508 MOV ESI,[EBP+08]
: __________Snip___________
:
:653C025C 8B7D0C MOV EDI,[EBP+0C]
:653C025F 8B7508 MOV ESI,[EBP+08]
:653C0262 8B4D10 MOV ECX,[EBP+10] <--set bp here
When you go into :653C0227 (OLEAUT32!VarBstrCmp), just keep pressing F10
to step along the code. Whenever any register changes, type "d register"
to see its new value.
**"register" in "d register" stands for eax, ebx, ecx, edx, edi or esi,
so don't email me saying that you get an error from SoftIce when you type
"d register" literally.
I am only showing the interesting code.
After :653C025C, you will see edi having a new value. type "d edi"
You should see
:00510FE4 2D 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 -...............
After :653C025F, you will see esi having a new value. type "d esi"
You should see
:00510F9C 34 00 00 00 33 00 34 00-35 00 36 00 37 00 38 00 4...3.4.5.6.7.8.
Now, where would "-" or "4" come from? Let's presume that 4 is part of the
serial we typed (1234567890). So, "-" would be the correct serial in that
location!
So, part of the correct serial would be 123-567890
After tracing again and again, I find that I always come to this part of
the code. So, you can just type "bpx xxxx:653C0262" and disable the rest of
your breakpoints. xxxx (the selector) will depend on your computer when you
are inside OLEAUT32!VarBstrCmp.
**A bpx here lets edi and esi get their new values first. So, when you break,
you just need to type "d edi" and "d esi" to see the values.
So, press F5. You will break again
Break due to BPX #0177:653C0262 (ET=78.66 microseconds)
0177:653C0262 8B4D10 MOV ECX,[EBP+10]
017F:00510FE4 2D 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 -...............
017F:00510F9C 39 00 00 00 33 00 34 00-35 00 36 00 37 00 38 00 9...3.4.5.6.7.8.
Part of the correct serial would be 123-5678-0
**If you don't know why, look at the explanation above.
Press F5 again. You will break
Break due to BPX #0177:653C0262 (ET=168.52 microseconds)
0177:653C0262 8B4D10 MOV ECX,[EBP+10]
017F:00510F88 30 00 35 00 33 00 00 00-80 0F 51 00 24 00 00 A0 0.5.3.....Q.$...
017F:00510F9C 31 00 32 00 33 00 00 00-35 00 36 00 37 00 38 00 1.2.3...5.6.7.8.
Part of the correct serial would be 053-5678-0
Press F5 again. You will break
Break due to BPX #0177:653C0262 (ET=208.70 microseconds)
0177:653C0262 8B4D10 MOV ECX,[EBP+10]
017F:004100C8 33 00 33 00 38 00 37 00-00 00 DB DB 15 02 00 A0 3.3.8.7.........
017F:00510FE4 35 00 36 00 00 00 00 00-00 00 00 00 00 00 00 00 5.6.............
Part of the correct serial would be 053-33xx-0
**xx can be of any values.
Press F5 again. You will break
Break due to BPX #0177:653C0262 (ET=199.57 microseconds)
0177:653C0262 8B4D10 MOV ECX,[EBP+10]
017F:004100A0 37 00 00 00 00 00 00 00-42 01 00 00 3D 02 00 A0 7.......B...=...
017F:00510FE4 30 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 0...............
Note, our last digit is "0" and is compared to "7"
So, the final correct code is 053-33xx-7
You can place any values in xx and you will get the title of the crackme
to change from "crackme..." to "cracked"
CrackMe Cracked!
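The checks traced above, modelled in Python as an added example (this is not the crackme's code; the segment order and values come from the dumps above, and the hashed variant is a constructed alternative): the per-segment plaintext compare puts the expected characters into the operands a debugger can dump, while comparing a digest of the constrained positions accepts the same serials but exposes only digests.

```python
import hashlib
import hmac

# Constructed model of the checks observed in the trace above (not the crackme's
# real code): length 10, "053" at positions 0-2, "-" at 3, "33" at 4-5, anything
# at 6-7, "-" at 8 and "7" at 9, compared in the order the tutorial hit them.
# A trace is a list of (expected, actual) operand pairs, which is exactly what
# "d edi" / "d esi" showed inside VarBstrCmp.
LEAKY_SEGMENTS = ((3, "-"), (8, "-"), (0, "053"), (4, "33"), (9, "7"))


def leaky_check(serial: str, trace: list) -> bool:
    """Per-segment plaintext comparison: each failing compare exposes the
    expected characters for that position."""
    if len(serial) != 10:          # the __vbaLenBstr / CMP EAX,0A check
        return False
    for pos, expected in LEAKY_SEGMENTS:
        actual = serial[pos:pos + len(expected)]
        trace.append((expected, actual))
        if actual != expected:
            return False
    return True


def _fixed_part(serial: str) -> str:
    """The positions the protection actually constrains (6-7 are free)."""
    return serial[0:6] + serial[8:10]


# Digest of the constrained positions of a valid serial, computed once at
# "build time" so the plaintext "053-33-7" never has to sit in the binary.
EXPECTED_DIGEST = hashlib.sha256(b"053-33-7").hexdigest()


def hashed_check(serial: str, trace: list) -> bool:
    """Same acceptance rule, but the only comparison operands are digests,
    so a debugger watching the compare sees no serial characters."""
    if len(serial) != 10:
        return False
    digest = hashlib.sha256(_fixed_part(serial).encode()).hexdigest()
    trace.append((EXPECTED_DIGEST, digest))
    return hmac.compare_digest(digest, EXPECTED_DIGEST)


if __name__ == "__main__":
    for guess in ("1234567890", "123-567890", "053-33ab-7"):
        t1, t2 = [], []
        print(guess, leaky_check(guess, t1), t1, hashed_check(guess, t2))
```

Running the block replays the tutorial: the leaky trace for "1234567890" is just ("-", "4"), the same pair seen at the first break, while the hashed trace never contains a serial fragment.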
__________________________________________________________________________
Final Notes
This tutorial is dedicated to all the newbies like me.
And because I'm a newbie myself, I may have explained certain things wrongly
So, if that is the case, please forgive me. Email me if there is anything
you are not clear about.
My thanks and gratitude go to:-
The Sandman
All the writers of Cracks tutorials and CrackMes