Reverse Code Engineering RCE CD +sandman 2000 / ReverseCodeEngineeringRceCdsandman2000.iso / RCE / E_bliss / nitrus_crackme1.txt
Text File | 2000-05-25 | 9KB | 186 lines
CrackMe #1 By Nitrus
--------------------
Tools Used:
SoftIce
---
Protection:
Code
---
First, you need to have MSVBVM60.DLL loaded in your S-ICE exports.
Start the crackme, enter a code, set a breakpoint on __vbaLenBstr and
press enter. When SoftICE pops up, press F11 and you should land here:
:0040220D FF1510104000 CALL [MSVBVM60!__vbaLenBstr] ; eax = length of entered code
:00402213 83F80A CMP EAX,0A ; check if it is 10 chars long
:00402216 0F850E050000 JNZ 0040272A ; if it isn't, jump away (fail)
:0040221C 8B13 MOV EDX,[EBX]
OK, if you didn't enter a 10 char long code, you won't get any further, so
go back, enter a 10 char code and try again. I entered 1234567890.
Now go on until you reach this part:
:0040225E 6A04 PUSH 04
:00402260 51 PUSH ECX
:00402261 C745A401000000 MOV DWORD PTR [EBP-5C],00000001
:00402268 C7459C02000000 MOV DWORD PTR [EBP-64],00000002
:0040226F FF1548104000 CALL [MSVBVM60!rtcMidCharBstr] ; gets the 4th char
:00402275 8B35CC104000 MOV ESI,[MSVBVM60!__vbaStrMove]
:0040227B 8BD0 MOV EDX,EAX
:0040227D 8D4DE4 LEA ECX,[EBP-1C]
:00402280 FFD6 CALL ESI
:00402282 8B3D94104000 MOV EDI,[MSVBVM60!rtcBstrFromAnsi]; used below to turn the pushed ASCII value (2Dh) into a 1-char string
:00402288 50 PUSH EAX
:00402289 6A2D PUSH 2D ; pushes 2Dh = -
:0040228B FFD7 CALL EDI
:0040228D 8BD0 MOV EDX,EAX
:0040228F 8D4DE0 LEA ECX,[EBP-20]
:00402292 FFD6 CALL ESI
:00402294 50 PUSH EAX
:00402295 FF155C104000 CALL [MSVBVM60!__vbaStrCmp] ; compares the entered char 4 with - and stores the value in eax, 0=true 1=false
OK, so now we have found out that the fourth char should be a -,
so our serial is now 123-567890.
Go on until you reach this part:
:00402310 6A09 PUSH 09
:00402312 50 PUSH EAX
:00402313 C745A401000000 MOV DWORD PTR [EBP-5C],00000001
:0040231A C7459C02000000 MOV DWORD PTR [EBP-64],00000002
:00402321 FF1548104000 CALL [MSVBVM60!rtcMidCharBstr] ; gets the 9th char
:00402327 8BD0 MOV EDX,EAX
:00402329 8D4DE4 LEA ECX,[EBP-1C]
:0040232C FFD6 CALL ESI
:0040232E 50 PUSH EAX
:0040232F 6A2D PUSH 2D ; pushes 2Dh = -
:00402331 FFD7 CALL EDI
:00402333 8BD0 MOV EDX,EAX
:00402335 8D4DE0 LEA ECX,[EBP-20]
:00402338 FFD6 CALL ESI
:0040233A 50 PUSH EAX
:0040233B FF155C104000 CALL [MSVBVM60!__vbaStrCmp] ; compares the entered char 9 with - and stores the value in eax, 0=true 1=false
Woot, another step further: the 9th char should also be a -.
Now our serial is 123-5678-0.
Go on until you reach this part:
:004023B2 6A03 PUSH 03 ; the 3 first chars
:004023B4 52 PUSH EDX
:004023B5 FF15C4104000 CALL [MSVBVM60!rtcLeftCharBstr]; gets the 3 first chars
:004023BB 8BD0 MOV EDX,EAX
:004023BD 8D4DD4 LEA ECX,[EBP-2C]
:004023C0 FFD6 CALL ESI
:004023C2 50 PUSH EAX
:004023C3 6A30 PUSH 30 ; pushes 30h = 0
:004023C5 FFD7 CALL EDI
:004023C7 8BD0 MOV EDX,EAX
:004023C9 8D4DE4 LEA ECX,[EBP-1C]
:004023CC FFD6 CALL ESI
:004023CE 50 PUSH EAX
:004023CF 6A35 PUSH 35 ; pushes 35h = 5
:004023D1 FFD7 CALL EDI
:004023D3 8BD0 MOV EDX,EAX
:004023D5 8D4DE0 LEA ECX,[EBP-20]
:004023D8 FFD6 CALL ESI
:004023DA 50 PUSH EAX
:004023DB FF1524104000 CALL [MSVBVM60!__vbaStrCat]
:004023E1 8BD0 MOV EDX,EAX
:004023E3 8D4DDC LEA ECX,[EBP-24]
:004023E6 FFD6 CALL ESI
:004023E8 50 PUSH EAX
:004023E9 6A33 PUSH 33 ; pushes 33h = 3
:004023EB FFD7 CALL EDI
:004023ED 8BD0 MOV EDX,EAX
:004023EF 8D4DD8 LEA ECX,[EBP-28]
:004023F2 FFD6 CALL ESI
:004023F4 50 PUSH EAX
:004023F5 FF1524104000 CALL [MSVBVM60!__vbaStrCat]
:004023FB 8BD0 MOV EDX,EAX
:004023FD 8D4DD0 LEA ECX,[EBP-30]
:00402400 FFD6 CALL ESI
:00402402 50 PUSH EAX
:00402403 FF155C104000 CALL [MSVBVM60!__vbaStrCmp] ; compares our three first chars with 053
Great, eh? :)
Now our serial is 053-5678-0.
Go on until you reach this part:
:00402490 6A05 PUSH 05
:00402492 50 PUSH EAX
:00402493 FF1548104000 CALL [MSVBVM60!rtcMidCharBstr]; gets the chars starting at the 5th (5th to 8th)
:00402499 8BD0 MOV EDX,EAX
:0040249B 8D4DCC LEA ECX,[EBP-34]
:0040249E FFD6 CALL ESI
:004024A0 50 PUSH EAX
:004024A1 6A33 PUSH 33 ; pushes 33h = 3
:004024A3 FFD7 CALL EDI
:004024A5 8BD0 MOV EDX,EAX
:004024A7 8D4DE4 LEA ECX,[EBP-1C]
:004024AA FFD6 CALL ESI
:004024AC 50 PUSH EAX
:004024AD 6A33 PUSH 33 ; pushes 33h = 3
:004024AF FFD7 CALL EDI
:004024B1 8BD0 MOV EDX,EAX
:004024B3 8D4DE0 LEA ECX,[EBP-20]
:004024B6 FFD6 CALL ESI
:004024B8 50 PUSH EAX
:004024B9 FF1524104000 CALL [MSVBVM60!__vbaStrCat]
:004024BF 8BD0 MOV EDX,EAX
:004024C1 8D4DDC LEA ECX,[EBP-24]
:004024C4 FFD6 CALL ESI
:004024C6 50 PUSH EAX
:004024C7 6A38 PUSH 38 ; pushes 38h = 8
:004024C9 FFD7 CALL EDI
:004024CB 8BD0 MOV EDX,EAX
:004024CD 8D4DD8 LEA ECX,[EBP-28]
:004024D0 FFD6 CALL ESI
:004024D2 50 PUSH EAX
:004024D3 FF1524104000 CALL [MSVBVM60!__vbaStrCat]
:004024D9 8BD0 MOV EDX,EAX
:004024DB 8D4DD4 LEA ECX,[EBP-2C]
:004024DE FFD6 CALL ESI
:004024E0 50 PUSH EAX
:004024E1 6A37 PUSH 37 ; pushes 37h = 7
:004024E3 FFD7 CALL EDI
:004024E5 8BD0 MOV EDX,EAX
:004024E7 8D4DD0 LEA ECX,[EBP-30]
:004024EA FFD6 CALL ESI
:004024EC 50 PUSH EAX
:004024ED FF1524104000 CALL [MSVBVM60!__vbaStrCat]
:004024F3 8BD0 MOV EDX,EAX
:004024F5 8D4DC8 LEA ECX,[EBP-38]
:004024F8 FFD6 CALL ESI
:004024FA 50 PUSH EAX
:004024FB FF155C104000 CALL [MSVBVM60!__vbaStrCmp] ; compares our 5th, 6th, 7th and 8th chars with 3387
So what have we found out now? Yes! Now the serial looks like this:
053-3387-0
Go further until you reach this part:
:0040258A 6A01 PUSH 01
:0040258C 52 PUSH EDX
:0040258D FF15D0104000 CALL [MSVBVM60!rtcRightCharBstr] ; get the last char
:00402593 8BD0 MOV EDX,EAX
:00402595 8D4DE4 LEA ECX,[EBP-1C]
:00402598 FFD6 CALL ESI
:0040259A 50 PUSH EAX
:0040259B 6A37 PUSH 37 ; pushes 37h = 7
:0040259D FFD7 CALL EDI
:0040259F 8BD0 MOV EDX,EAX
:004025A1 8D4DE0 LEA ECX,[EBP-20]
:004025A4 FFD6 CALL ESI
:004025A6 50 PUSH EAX
:004025A7 FF155C104000 CALL [MSVBVM60!__vbaStrCmp] ; compares the last char with 7
So the real serial is
053-3387-7
Enter that and the caption of the window should change to Cracked...
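The check chain traced above, rewritten in Python as an added example (this is not code from the original tutorial or from the crackme itself). Each MSVBVM60 call is mirrored by a 1-based VB-style string helper, and the function reports the first comparison that rejects an input, in the same order the disassembly runs them; the step labels and the helper names are my own.

```python
"""Reconstruction of the nitrus crackme #1 serial check (added example).

Each helper mirrors one MSVBVM60 runtime call seen in the listing so the
recovered logic can be confirmed against the trace without a debugger.
"""


def vb_left(s: str, n: int) -> str:
    """Left$(s, n): first n characters (mirrors rtcLeftCharBstr)."""
    return s[:n]


def vb_right(s: str, n: int) -> str:
    """Right$(s, n): last n characters (mirrors rtcRightCharBstr)."""
    return s[-n:] if n else ""


def vb_mid(s: str, start: int, length: int) -> str:
    """Mid$(s, start, length): VB positions are 1-based (mirrors rtcMidCharBstr)."""
    return s[start - 1:start - 1 + length]


def vba_str_cmp(a: str, b: str) -> int:
    """__vbaStrCmp as used here: 0 when the strings are equal, non-zero otherwise."""
    return 0 if a == b else 1


# (step label, substring the code extracts, constant the code assembles with
# rtcBstrFromAnsi + __vbaStrCat), in the order the disassembly performs them.
# The byte values are the ones pushed in the listing (2Dh, 30h 35h 33h, ...).
CHECKS = [
    ("char 4 is '-'", lambda s: vb_mid(s, 4, 1), chr(0x2D)),
    ("char 9 is '-'", lambda s: vb_mid(s, 9, 1), chr(0x2D)),
    ("first 3 chars", lambda s: vb_left(s, 3), chr(0x30) + chr(0x35) + chr(0x33)),
    ("chars 5-8", lambda s: vb_mid(s, 5, 4), chr(0x33) + chr(0x33) + chr(0x38) + chr(0x37)),
    ("last char", lambda s: vb_right(s, 1), chr(0x37)),
]


def check_serial(code: str) -> str:
    """Return 'Cracked' for an accepted code, else the label of the first failing step."""
    # :00402213 CMP EAX,0A -- __vbaLenBstr must return 10 or the routine bails out
    if len(code) != 10:
        return "length is not 10"
    for label, extract, expected in CHECKS:
        if vba_str_cmp(extract(code), expected) != 0:
            return label
    return "Cracked"


if __name__ == "__main__":
    # The same sequence of guesses the tutorial walks through.
    for candidate in ("1234567890", "123-567890", "123-5678-0",
                      "053-5678-0", "053-3387-0", "053-3387-7"):
        print(f"{candidate}: {check_serial(candidate)}")
```

Re-implementing a traced routine like this is the usual way to confirm the disassembly was read correctly: each of the tutorial's intermediate guesses must fail at exactly the step where SoftICE stopped. It also shows why this protection is weak from the defender's side: every comparison is against a constant assembled from literal bytes, so one pass through the routine with a debugger reveals the whole serial.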
---
/Klefz - http://klefz.cjb.net