Text File  |  2000-05-25  |  3KB  |  66 lines

CrackMe #1 By tC Surrealizm
---------------------------
Tools Used:
SoftIce

---
Protection:
Keyfile Prot

---
Ok, start the crackme, choose Try it and set a breakpoint on ReadFile, choose a file
and press Open, then step until you come here:

:00429DA3  E840A7FDFF          CALL    004044E8        ; reads the file
:00429DA8  E86B88FDFF          CALL    00402618
:00429DAD  33C0                XOR     EAX,EAX         ; eax = 0
:00429DAF  8A45FF              MOV     AL,[EBP-01]     ; al = char from file
:00429DB2  03D8                ADD     EBX,EAX         ; ebx = ebx + al
:00429DB4  8D85B0FEFFFF        LEA     EAX,[EBP-0150]
:00429DBA  E8D5A6FDFF          CALL    00404494
:00429DBF  E85488FDFF          CALL    00402618
:00429DC4  84C0                TEST    AL,AL
:00429DC6  74D2                JZ      00429E9A        ; check if EOF, if not jump
:00429DC8  8D85B0FEFFFF        LEA     EAX,[EBP-0150]
:00429DCE  E885A6FDFF          CALL    00404458
:00429DD3  E84088FDFF          CALL    00402618
:00429DD8  81FBA9200000        CMP     EBX,000020A9    ; check if sum = 20A9h
:00429DDE  750E                JNZ     00429DEE        ; jump if not
:00429DE0  BA4C9E4200          MOV     EDX,00429E4C    ; edx = Status: Registered - Well Done
:00429DE5  8BC6                MOV     EAX,ESI
:00429DE7  E85CEEFEFF          CALL    00418C48
:00429DEC  EB0C                JMP     00429DFA
:00429DEE  BA2C9E4200          MOV     EDX,00429E2C    ; edx = Status: Unregistered

so all the file has to contain is characters whose values add up to 20A9h; a little
arithmetic shows that 68 * 'z' and 1 * 'A' does it (68 * 7Ah + 41h = 20A9h)

so the file can look like this:

zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzA

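A Python model of the check read off the listing above, added here as an example (it is not the crackme's or the tutorial author's code), to show why a bare additive checksum is no protection at all: there is no secret in it, and every file whose bytes sum to 20A9h registers, the 68 z + A file being only one of many. The names keyfile_accepted and make_keyfile and the printable-remainder rule are my own choices.

```python
# Model of the keyfile check from the SoftIce listing: each byte of the file is
# zero-extended (XOR EAX,EAX / MOV AL,[EBP-01]) and added to EBX; at EOF the
# sum is compared with 20A9h.  Every byte counts, so a trailing newline that an
# editor appends changes the sum as well.

TARGET_SUM = 0x20A9   # constant from CMP EBX,000020A9


def keyfile_accepted(data: bytes) -> bool:
    """Mirror of the loop at 00429DAD..00429DD8: EBX accumulates AL."""
    ebx = 0
    for byte in data:                     # AL is an unsigned 8-bit value
        ebx = (ebx + byte) & 0xFFFFFFFF   # EBX is a 32-bit register
    return ebx == TARGET_SUM


def make_keyfile(fill: bytes, target: int = TARGET_SUM) -> bytes:
    """Generalises the page's '68 * z and 1 * A' arithmetic: repeat one fill
    byte as often as it fits, then top the sum up with a single byte.  Fill
    values whose remainder is not printable ASCII are rejected (assumption:
    we only want keyfiles that can be typed into an editor)."""
    fill_val = fill[0]
    count, remainder = divmod(target, fill_val)
    if remainder == 0:
        return fill * count
    if not 0x20 <= remainder <= 0x7E:
        raise ValueError("remainder %#x is not a printable byte" % remainder)
    return fill * count + bytes([remainder])


def main() -> None:
    page_file = b"z" * 68 + b"A"          # the keyfile given in the tutorial
    print(page_file, keyfile_accepted(page_file))
    # Other fill bytes give different files that pass the very same check,
    # which is the whole weakness: the check pins down a sum, not a key.
    for fill in (b"z", b"A", b"x"):
        keyfile = make_keyfile(fill)
        print(keyfile, keyfile_accepted(keyfile))
    print(keyfile_accepted(b"z" * 68 + b"B"))   # one value off: rejected


if __name__ == "__main__":
    main()
```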
and to get the titlebar to say 'Status: Registered - Well Done' when starting, you need
to patch one byte. Disassemble the file in W32DASM, search for 'Status: Unregistered'
and you will come here:

* Possible StringData Ref from Code Obj ->"Status: Unregistered"
                                  |
:00429D44 BA2C9E4200              mov edx, 00429E2C  <-- note this address
:00429D49 8BC6                    mov eax, esi

now search for 'Status: Registered - Well Done' and you will land here:

* Possible StringData Ref from Code Obj ->"Status: Registered - Well done"
                                  |
:00429DE0 BA4C9E4200              mov edx, 00429E4C  <-- note this address
:00429DE5 8BC6                    mov eax, esi
:00429DE7 E85CEEFEFF              call 00418C48
:00429DEC EB0C                    jmp 00429DFA

so all we have to do is search for
              BA2C9E4200
(the occurrence at 00429D44 shown above; the same bytes also appear at 00429DEE inside
the file check) and change it to BA4C9E4200

Now it will be fully cracked..
---
/Klefz - http://klefz.cjb.net