2000-05-25
Tutorial for Crackme vW2 [hf]
by Sanhedrin
Tools:
W32Dasm
This crackme requires two serials, and requires that we not use a debugger. Let's begin.
Disassemble the file, and look at the String Data References. The reference to 'Well done'
looks like a good place to start. Just above the reference you will notice that there is a
jz indicator. Another good indication that something was calculated. The best way of
cracking this program is to see exactly what appears just before a 'jump if' line.
Enough talking, here is the code:
* Possible StringData Ref from Code Obj ->"Delphi" <---hmmm, the first serial maybe
|
:00421DC1 BA201F4200 mov edx, 00421F20
:00421DC6 E8A916FEFF call 00403474<---call the compare code of our serial to the real one
:00421DCB 0F8522010000 jne 00421EF3<---jump if not equal
:00421DD1 8D55FC lea edx, dword ptr [ebp-04]
:00421DD4 8B83B4010000 mov eax, dword ptr [ebx+000001B4]
:00421DDA E879FAFEFF call 00411858
:00421DDF 8B45FC mov eax, dword ptr [ebp-04]
:00421DE2 E84117FEFF call 00403528
:00421DE7 E89437FEFF call 00405580
:00421DEC 83F809 cmp eax, 00000009<---compare second serial to 9 characters
:00421DEF 0F85FE000000 jne 00421EF3<---jump if not the same
:00421DF5 8D55FC lea edx, dword ptr [ebp-04]
:00421DF8 8B83B4010000 mov eax, dword ptr [ebx+000001B4]
:00421DFE E855FAFEFF call 00411858
:00421E03 8B45FC mov eax, dword ptr [ebp-04]
:00421E06 803848 cmp byte ptr [eax], 48<---compare 1st character to 048h
:00421E09 0F85E4000000 jne 00421EF3<---jump if not the same
:00421E0F 8D55FC lea edx, dword ptr [ebp-04]
:00421E12 8B83B4010000 mov eax, dword ptr [ebx+000001B4]
:00421E18 E83BFAFEFF call 00411858
:00421E1D 8B45FC mov eax, dword ptr [ebp-04]
:00421E20 80780165 cmp byte ptr [eax+01], 65<---compare 2nd character to 065h
:00421E24 0F85C9000000 jne 00421EF3<---jump if not the same
:00421E2A 8D55FC lea edx, dword ptr [ebp-04]
:00421E2D 8B83B4010000 mov eax, dword ptr [ebx+000001B4]
:00421E33 E820FAFEFF call 00411858
:00421E38 8B45FC mov eax, dword ptr [ebp-04]
:00421E3B 8078026C cmp byte ptr [eax+02], 6C<---compare 3rd character to 06Ch
:00421E3F 0F85AE000000 jne 00421EF3<---jump if not the same
:00421E45 8D55FC lea edx, dword ptr [ebp-04]
:00421E48 8B83B4010000 mov eax, dword ptr [ebx+000001B4]
:00421E4E E805FAFEFF call 00411858
:00421E53 8B45FC mov eax, dword ptr [ebp-04]
:00421E56 8078036C cmp byte ptr [eax+03], 6C<---compare 4th character to 06Ch
:00421E5A 0F8593000000 jne 00421EF3<---jump if not the same
:00421E60 8D55FC lea edx, dword ptr [ebp-04]
:00421E63 8B83B4010000 mov eax, dword ptr [ebx+000001B4]
:00421E69 E8EAF9FEFF call 00411858
:00421E6E 8B45FC mov eax, dword ptr [ebp-04]
:00421E71 80780466 cmp byte ptr [eax+04], 66<---compare 5th character with 066h
:00421E75 757C jne 00421EF3<---jump if not the same
:00421E77 8D55FC lea edx, dword ptr [ebp-04]
:00421E7A 8B83B4010000 mov eax, dword ptr [ebx+000001B4]
:00421E80 E8D3F9FEFF call 00411858
:00421E85 8B45FC mov eax, dword ptr [ebp-04]
:00421E88 8078056F cmp byte ptr [eax+05], 6F<---compare 6th character with 06Fh
:00421E8C 7565 jne 00421EF3<---jump if not the same
:00421E8E 8D55FC lea edx, dword ptr [ebp-04]
:00421E91 8B83B4010000 mov eax, dword ptr [ebx+000001B4]
:00421E97 E8BCF9FEFF call 00411858
:00421E9C 8B45FC mov eax, dword ptr [ebp-04]
:00421E9F 80780672 cmp byte ptr [eax+06], 72<---compare 7th character with 072h
:00421EA3 754E jne 00421EF3<---jump if not the same
:00421EA5 8D55FC lea edx, dword ptr [ebp-04]
:00421EA8 8B83B4010000 mov eax, dword ptr [ebx+000001B4]
:00421EAE E8A5F9FEFF call 00411858
:00421EB3 8B45FC mov eax, dword ptr [ebp-04]
:00421EB6 80780767 cmp byte ptr [eax+07], 67<---compare 8th character with 067h
:00421EBA 7537 jne 00421EF3<---jump if not the same
:00421EBC 8D55FC lea edx, dword ptr [ebp-04]
:00421EBF 8B83B4010000 mov eax, dword ptr [ebx+000001B4]
:00421EC5 E88EF9FEFF call 00411858
:00421ECA 8B45FC mov eax, dword ptr [ebp-04]
:00421ECD 80780865 cmp byte ptr [eax+08], 65<---compare 9th character with 065h
:00421ED1 7520 jne 00421EF3<---jump if not the same
* Possible StringData Ref from Code Obj ->"Well done"
|
:00421ED3 BA301F4200 mov edx, 00421F30
:00421ED8 8B83B0010000 mov eax, dword ptr [ebx+000001B0]
:00421EDE E8A5F9FEFF call 00411888
* Possible StringData Ref from Code Obj ->"Now write a tut"
|
:00421EE3 BA441F4200 mov edx, 00421F44
:00421EE8 8B83B4010000 mov eax, dword ptr [ebx+000001B4]
:00421EEE E895F9FEFF call 00411888
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00421DCB(C), :00421DEF(C), :00421E09(C), :00421E24(C), :00421E3F(C)<---all jne calls
|:00421E5A(C), :00421E75(C), :00421E8C(C), :00421EA3(C), :00421EBA(C)
|:00421ED1(C)
|
:00421EF3 33C0 xor eax, eax
:00421EF5 5A pop edx
:00421EF6 59 pop ecx
:00421EF7 59 pop ecx
:00421EF8 648910 mov dword ptr fs:[eax], edx
Put all of that together and you are left with:
Delphi
Hellforge
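As an added example (not part of Sanhedrin's tutorial), the Python below reads a W32Dasm-style compare chain like the one above and rebuilds the constant it tests against, length check included; it shows why a serial checked byte-by-byte against immediates in the binary is recoverable from the listing alone, whereas a check against a hash of the input would not expose it. The LISTING sample is constructed from the listing lines above with the tutorial's "<---" notes kept on some lines to show they are tolerated.

```python
import re

# Constructed sample: the length check and byte compares copied from the
# W32Dasm listing in the tutorial (other instructions are irrelevant here).
LISTING = """
:00421DEC 83F809 cmp eax, 00000009<---compare second serial to 9 characters
:00421DEF 0F85FE000000 jne 00421EF3
:00421E06 803848 cmp byte ptr [eax], 48<---compare 1st character to 048h
:00421E20 80780165 cmp byte ptr [eax+01], 65
:00421E3B 8078026C cmp byte ptr [eax+02], 6C
:00421E56 8078036C cmp byte ptr [eax+03], 6C
:00421E71 80780466 cmp byte ptr [eax+04], 66
:00421E88 8078056F cmp byte ptr [eax+05], 6F
:00421E9F 80780672 cmp byte ptr [eax+06], 72
:00421EB6 80780767 cmp byte ptr [eax+07], 67
:00421ECD 80780865 cmp byte ptr [eax+08], 65
"""

# 'cmp eax, <imm32>' right after a length call is the length check.
LEN_RE = re.compile(r"cmp\s+eax,\s*([0-9A-Fa-f]{8})\b")
# 'cmp byte ptr [eax+NN], XX' compares one character against a constant.
BYTE_RE = re.compile(
    r"cmp\s+byte ptr \[eax(?:\+([0-9A-Fa-f]{2}))?\],\s*([0-9A-Fa-f]{2})")


def recover_expected_string(listing):
    """Rebuild the constant a byte-wise compare chain tests against.

    Returns (expected_length, text). expected_length is None when no
    'cmp eax, <imm32>' length check precedes the byte compares; a position
    with no compare in the chain is shown as '?' (unconstrained).
    """
    expected_len = None
    chars = {}
    for line in listing.splitlines():
        line = line.split("<---", 1)[0]  # drop any tutorial annotation
        m = LEN_RE.search(line)
        if m and expected_len is None:
            expected_len = int(m.group(1), 16)
            continue
        m = BYTE_RE.search(line)
        if m:
            offset = int(m.group(1), 16) if m.group(1) else 0
            chars[offset] = chr(int(m.group(2), 16))
    text = "".join(chars.get(i, "?") for i in range(max(chars) + 1)) if chars else ""
    return expected_len, text


def matches_length_check(expected_len, text):
    """True when the recovered string agrees with the length compare."""
    return expected_len is None or expected_len == len(text)
```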
Thanks to all of those coders that make these crackmes, to Pepper for sending me on the
right path so long ago and of course to Eternal Bliss.
Sanhedrin
stachi@geocities.com