tctutor_7.txt (text file, 2000-05-25)
Terminal Cilla's Tutorial #7
[Target Infos:]
[Name :] CrackMe4
[Author:] duelist
[Type :] Name-Serial
[Where :] http://crackmes.cjb.net
[Needed Tools:]
WinDasm
SoftIce
[Our Aim:]
Find a valid serial
-----------------------------------------------------------------------------
Hi Reader.
I'm sorry for all grammatical and orthographic errors.
Today we deal with "CrackMe 4" by 'duelist'.
I assume that you have already configured SoftIce/WinDasm and
that you know the basics of using them - otherwise stop reading
and work through a "SoftIce/WinDasm4Newbies" tutorial first.
Still here?
Ok, let's go!
The Essay:
----------
Enter anything you want in the input-fields of the crackme.
Fire up SoftIce and put a breakpoint on 'hmemcpy'.
Back in the target we press the check-button and we'll
return to SI.
Trace a little bit until you come here:
:00401132 E841020000 Call 00401378
:00401137 A3AF214000 mov dword ptr [004021AF], eax (length of name)
:0040113C 83F800 cmp eax, 00000000 (anything entered?)
:0040113F 0F84D5000000 je 0040121A ->err_msg if nothing entered
:00401145 83F808 cmp eax, 00000008 (name<=8?)
:00401148 0F8FCC000000 jg 0040121A ->err_msg if length greater
:0040114E 8BF0 mov esi, eax (put length name into esi)
:00401150 6A00 push 00000000
:00401152 6A00 push 00000000
:00401154 6A0E push 0000000E
:00401156 6A04 push 00000004
:00401158 FF7508 push [ebp+08]
:0040115B E818020000 Call 00401378 (get length of fake serial)
:00401160 83F800 cmp eax, 00000000 (anything entered?)
:00401163 0F84B1000000 je 0040121A ->err_msg if nothing entered
:00401169 3BF0 cmp esi, eax -> (length name=length serial?)
:0040116B 0F85A9000000 jne 0040121A ->err_msg if lengths are different
:00401171 6860214000 push 00402160
:00401176 6A08 push 00000008
:00401178 6A0D push 0000000D
:0040117A 6A03 push 00000003
:0040117C FF7508 push [ebp+08]
-----------Some-lines-further------------------
:0040119C 41 inc ecx
:0040119D 0FBE8160214000 movsx eax, byte ptr [ecx+00402160]
:004011A4 83F800 cmp eax, 00000000
:004011A7 7432 je 004011DB ->good one
:004011A9 BEFFFFFFFF mov esi, FFFFFFFF
:004011AE 83F841 cmp eax, 00000041
:004011B1 7C67 jl 0040121A
:004011B3 83F87A cmp eax, 0000007A
:004011B6 7762 ja 0040121A
:004011B8 83F85A cmp eax, 0000005A
:004011BB 7C03 jl 004011C0
:004011BD 83E820 sub eax, 00000020
Looking at the code we see that a name may only contain characters
whose ASCII codes lie between 'A' (65) and 'z' (122); anything else
gives the err_msg. The 'sub eax, 20' afterwards turns lower-case
letters into upper-case ones.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004011A7(C)
|
:004011DB FF35AF214000 push dword ptr [004021AF]
:004011E1 6894214000 push 00402194
:004011E6 6879214000 push 00402179
:004011EB E854000000 call 00401244
:004011F0 83F801 cmp eax, 00000001
:004011F3 0F84DEFEFFFF je 004010D7 ->good_msg if eax=1
:004011F9 EB1F jmp 0040121A ->err_msg if eax<>1
If eax<>1 we are brought to the error message.
This comparison is based on the result of the call
above.
The call gets 3 parameters; looking at them would already
give you a valid serial, but it's better to check
what's inside the call:
--------------into-the-important-call------------------
* Referenced by a CALL at Address:
|:004011EB
|
:00401244 C8000000 enter 0000, 00
:00401248 B801000000 mov eax, 00000001
:0040124D 8B7D08 mov edi, dword ptr [ebp+08] ->Fake serial
:00401250 8B750C mov esi, dword ptr [ebp+0C] ->Yippie
:00401253 8B4D10 mov ecx, dword ptr [ebp+10]
:00401256 F3 repz
:00401257 A6 cmpsb
:00401258 67E305 jcxz 00401260 -> cx=0 after the compare? then eax stays 1
:0040125B B800000000 mov eax, 00000000 ->eax gets bad 0
:00401260 C9 leave
:00401261 C20C00 ret 000C
Let's look at the esi and edi registers...and?
Guess what: the beauty and the beast.
We don't need to know more.
Enter your name following the rules we found out, enter
the serial and get the ok-message.
In my case Name-Serial was: tC - RS
Well, our job is done!
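The two pieces of logic the listing shows, the name rules (the checks at 00401132-0040114E and the loop at 0040119C-004011BD) and the compare routine at 00401244, rewritten as a C model. This is an added example, my own code, not part of the tutorial and not duelist's crackme; the function names, argument order and the sample inputs other than the author's 'tC'/'RS' pair are my choices. The model keeps the repz cmpsb / jcxz pair exactly as listed, which also shows why finishing a comparison with a count test is weaker than checking every byte, so a memcmp-based version sits next to it.

```c
/* Added example: C model of the checks seen in the CrackMe4 listing.
 * Not the crackme's code; names and sample inputs are my own. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 8   /* cmp eax, 00000008 / jg err_msg */

/* Model of the name checks. Returns 1 if the name is accepted and writes
 * the case-folded name into out (out must hold NAME_MAX+1 bytes),
 * 0 where the crackme would show err_msg. */
int validate_name(const char *name, char *out)
{
    size_t len = strlen(name);
    if (len == 0 || len > NAME_MAX)      /* cmp eax,0 / je err ; cmp eax,8 / jg err */
        return 0;
    for (size_t i = 0; i < len; i++) {
        int c = (signed char)name[i];     /* movsx eax, byte ptr [ecx+00402160] */
        if (c < 0x41 || c > 0x7A)         /* jl 0040121A / ja 0040121A -> err_msg */
            return 0;
        if (c >= 0x5A)                    /* jl 004011C0 skips the sub only below 0x5A */
            c -= 0x20;                    /* sub eax, 00000020: lower case -> upper case */
        out[i] = (char)c;
    }
    out[len] = '\0';
    return 1;
}

/* Helper for checking: does name pass and fold to expected? */
int name_folds_to(const char *name, const char *expected)
{
    char buf[NAME_MAX + 1];
    if (!validate_name(name, buf))
        return 0;
    return strcmp(buf, expected) == 0;
}

/* Model of the routine at 00401244, as listed:
 *   mov eax,1 ; repz cmpsb ; jcxz good ; mov eax,0
 * repz cmpsb decrements ecx for the mismatching byte pair too, so a test
 * on the count alone cannot tell "all bytes matched" from "only the last
 * byte differed". The model reproduces exactly that behaviour. */
int serial_check_as_listed(const unsigned char *fake,
                           const unsigned char *real, unsigned count)
{
    int eax = 1;                 /* mov eax, 00000001 */
    unsigned ecx = count;        /* mov ecx, [ebp+10] */
    while (ecx != 0) {           /* repz cmpsb */
        int equal = (*fake++ == *real++);
        ecx--;
        if (!equal)
            break;               /* ZF=0 ends the rep */
    }
    if (ecx != 0)                /* jcxz 00401260 not taken */
        eax = 0;                 /* mov eax, 00000000 */
    return eax;                  /* leave / ret 000C */
}

/* The same decision written the way one would want it: equal if and only
 * if every byte matched, regardless of where a mismatch sits. */
int serial_check_strict(const unsigned char *fake,
                        const unsigned char *real, unsigned count)
{
    return memcmp(fake, real, count) == 0;
}

int main(void)
{
    char folded[NAME_MAX + 1];
    const unsigned char real[] = "RS";   /* the author's serial for 'tC' */

    /* the author's own pair: 'tC' passes and folds to 'TC' */
    printf("tC accepted: %d -> %s\n", validate_name("tC", folded), folded);
    /* constructed inputs: too long, and a digit outside 'A'..'z' */
    printf("abcdefghi accepted: %d\n", validate_name("abcdefghi", folded));
    printf("a1 accepted: %d\n", validate_name("a1", folded));

    /* constructed serials against "RS": exact, first byte off, last byte off */
    printf("RS as listed: %d strict: %d\n",
           serial_check_as_listed((const unsigned char *)"RS", real, 2),
           serial_check_strict((const unsigned char *)"RS", real, 2));
    printf("RX as listed: %d strict: %d\n",
           serial_check_as_listed((const unsigned char *)"RX", real, 2),
           serial_check_strict((const unsigned char *)"RX", real, 2));
    return 0;
}
```

Running it shows the two models agree on the exact serial and on a mismatch in the first byte, and disagree only when the final byte differs; that is the difference between testing the leftover count and testing the compare result itself.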
Thx4Readin'
-----------------------------------------------------------------------------
-=I'm still a newbie - So I can only get better!=-
(c) Terminal Cilla (May 1999)
Peace&Respects 2: duelist, Eternal_Bliss, The_Sandman, Torn@do,
FireWorX, Sanhedrin,PhoX and all crackme-coders
and tutorial-writers.
Special thx2 'duelist' for being a good friend and
'Eternal Bliss' for hosting my cMz.
 ________________________
| Be sure to visit:      |
| http://crackmez.cjb.net|
| &                      |
| http://crackmes.cjb.net|
|________________________|