Reverse Code Engineering RCE CD +sandman 2000

home *** CD-ROM | disk | FTP | other *** search

/ Reverse Code Engineering RCE CD +sandman 2000 / ReverseCodeEngineeringRceCdsandman2000.iso / RCE / E_bliss / tc_cm2tut.txt < prev next >

Wrap

Text File | 2000-05-25 | 6KB | 123 lines

| Program: Crackme#2 by tC '99 | | Company: sUrReAlizM | | Protection: Keyfile and Serial/Name | | Cracker: FireWorx | ñ--------------------------------------ñ Hi there Again!!! This is FireWorx Typing a tutor for Crackme#2 (c)tC...'99 by sUrReAlizM!!! What u need: Softice and W32dasm... ............Okey, Lets get to work......................................... Fire up the program in w32dasm and check the sdr list (String data refs) after u checked the program first... Like protection and soo... This program uses a keyfile for protection and a serial/name protection! Nvm, back to the cracking part... Check for the error msg in w32dasm list :"Invalid Keyfile". When u found it doubleclick on it and then minimize the sdr window... Step upwards and there u see this mass of code: * Possible StringData Ref from Code Obj ->"Runtime Error: 12FF:024" | :00427DDE BAD07E4200 mov edx, 00427ED0 //Opens the file :00427DE3 E8A0B8FDFF call 00403688 //Check the file for keywords :00427DE8 750C jne 00427DF6 //Jump away if not valid keyword :00427DEA C705E8A6420002000000 mov dword ptr [0042A6E8], 00000002 :00427DF4 EB67 jmp 00427E5D * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00427DE8(C) | :00427DF6 C705E8A6420001000000 mov dword ptr [0042A6E8], 00000001 //Prepare for nag screen! :00427E00 6A00 push 00000000 * Possible StringData Ref from Code Obj ->"Error" | :00427E02 68E87E4200 push 00427EE8 //Write "Invalid Keyfile" in Messagebox... * Possible StringData Ref from Code Obj ->"Invalid Keyfile" Okey, As u can see my asm is not THAT good as it should be... Nvm anyway... Okey, one thing i got a bit cousy over was: "Runtime Error: 12FF:024" , how the fuck did this ended up here??? I thought it was a Bug in the program, but when i looked at the code i saw that this was the Keywords in the keyfile..! "Aha!"... I said... So i opened up notepad and pasted this line into it.... {This line should be in notepad: Runtime Error: 12FF:024} Okey...Now when u done this... Save the program as anything u want... but i saved it as Key.key Open the crackme and push "Select Keyfile", then choose yer key.key (or whatever) and press [OK] Now the two edits in the program gets enabled and u can type in any code and name u want... I just tryed with one and i got the err msg: "Wrong Entry! Try again!" So i checked W32dasm again to get some clues howto do it... Now check the err msg in SDR (String Data Refs) Almost et the end of the list..! Double click it and minimize the SDR window... And now u should see this: * Possible StringData Ref from Code Obj ->"No way" | :0042818A 683C824200 push 0042823C * Possible StringData Ref from Code Obj ->"Wrong entry! Try again." Damn This shit didn┤t help me much so i stepped up and there was the "GOOD GUY" msg... Aha... Now u should see this: * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0042810C(C) | :0042811A 8D55F4 lea edx, dword ptr [ebp-0C] :0042811D 0FB7C6 movzx eax, si :00428120 E8E3E1FDFF call 00406308 :00428125 8D55F4 lea edx, dword ptr [ebp-0C] :00428128 B903000000 mov ecx, 00000003 :0042812D B804824200 mov eax, 00428204 :00428132 E8CDB6FDFF call 00403804 :00428137 8D55F4 lea edx, dword ptr [ebp-0C] :0042813A B905000000 mov ecx, 00000005 :0042813F B804824200 mov eax, 00428204 :00428144 E8BBB6FDFF call 00403804 :00428149 8D95D0FBFFFF lea edx, dword ptr [ebp+FFFFFBD0] :0042814F 8B87EC010000 mov eax, dword ptr [edi+000001EC] :00428155 E8E6D5FEFF call 00415740 :0042815A 8B85D0FBFFFF mov eax, dword ptr [ebp+FFFFFBD0] :00428160 8B55F4 mov edx, dword ptr [ebp-0C] :00428163 E820B5FDFF call 00403688 //Count the real serial :00428168 751E jne 00428188 //If dummy = real serial then "GOOD GUY" MSG!!! :0042816A 6A00 push 00000000 * Possible StringData Ref from Code Obj ->"Gratulations" | :0042816C 6808824200 push 00428208 * Possible StringData Ref from Code Obj ->"Well Done! Try the next CrackMe." Okey, well this part gave me much more... =) well... Now type any Name and serial in the fields (edits) and do not press enter yet! Now Press CTRL+D to get into softice and there u type this: "bpx hmemcpy" Now press F5 to get back to windows... Now Click the register button and boom yer into softice... Now type: "bd *" press ENTER(to disable yer breakpoint) and then "g 015F:00428160" and press ENTER!!! Now yer landed just before the call which counts a valid serial for u!!! Step into that call with F8 and then press F10 untill this line: "cmp eax,edx" Now type: "d eax" and there u see yer dummy code and to see your real registration code type: "d edx" and *BOOM* in the code window there is it!! Mine was. Name: FireWorx Code: 19-1-09 Sorry for the mess in the end but i hope you┤ll manage to understand the most parts of it!!! Thx to all i know and especially to E_Bliss for have a nice page and to Phox for being a "good friend" :P And to Wizzkid and many others... Bye all / FireWorx - Dark Cracking Force 2000 [dCF2000]