2000-05-25
Tutorial for Ultimate Crackme (n0p3x)
by Sanhedrin
Tools
Softice
Start the crackme and you will immediately be hit with the first nag screen. Then either
the softice warning will halt the crackme, or another nag screen warning you about a wrong
keyfile appears. After we get by these, there is the typical registration screen. So we have:
A nag screen
A softice check
A keyfile check
A registration check
To complicate things further, the file is either packed or encrypted in some way, which makes
disassembly and hex editing virtually impossible.
--USING THE NAG SCREEN--
A quick check in softice shows the nag to be a message box, so let's put a breakpoint on:
bpx messageboxa
Exit softice and start the crackme. After you break into softice press F11, then click on
OK on the shareware message, and you will break back into softice. You should be at:
0040138D E856040000 CALL USER32!MessageBoxA
00401392 E8E5FCFFFF CALL 0040107C<---you will land here - call checks whether softice is loaded
00401397 85C0 TEST EAX,EAX
00401399 741C JZ 004013B7<---jump if no softice
//SNIP//
004013B7 E8F5FCFFFF CALL 004010B1<---call checks whether SICE-NT is loaded
004013BC 85C0 TEST EAX,EAX
004013BE 741C JZ 004013DC<---jump if no softice
//SNIP//
We'll stop here for a moment. Press F10 once and stop at 00401399. If you are working with
softice 95/98, assemble a new instruction at that address by typing:
a 00401399
then change it to:
jnz 004013B7
If you are working with SICE-NT, press F10 instead and stop at 004013BE, then change 004013BE to jnz 004013DC in the same way.
--KEYFILE PROTECTION--
Now that we have jumped the softice check, press F10 past the jumps, and stop at:
004013DC E81BFDFFFF CALL 004010FC<---call the keyfile check (stop here)
004013E1 85C0 TEST EAX,EAX
004013E3 7415 JZ 004013FA<---jump if the information in the keyfile is not correct
At 004013DC type:
d ebx
and you will see:
//./SICE.//./NTICE.Register.dat.Why didn't n0p3x use a more difficult keyfile method?
All information that you will need is in this line. The keyfile is called:
register.dat
and the information in the keyfile is:
Why didn't n0p3x use a more difficult keyfile method?
Create the keyfile, then enter softice (use the above method to bypass the softice checks), and the
last jump will not be taken. This leaves us with the final Name/Company/Registration code to bypass.
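The device names in that dump are what the two softice checks rely on: SoftICE exposed \\.\SICE (Windows 95/98) and \\.\NTICE (NT) as devices, and a program that could open them knew the debugger was loaded. As an added example (not from the tutorial or the crackme), this Python helper scans a binary image for those names in both narrow and wide form, which is how an analyst can triage a sample for this anti-debug check without running it; the sample bytes are constructed to mirror the dump above, reading its slashes and dots as backslashes and NUL terminators (an assumption about how the dump was transcribed).

```python
"""Constructed triage helper: find SoftICE device names in a binary image.

Not code from the tutorial or the crackme; the device names are the ones
shown in the 'd ebx' dump, the sample data below is constructed.
"""
from __future__ import annotations

# Device names SoftICE exposed. Opening them succeeded only while the
# debugger was loaded, which is what the crackme's two checks tested.
ANTI_DEBUG_DEVICES = (r"\\.\SICE", r"\\.\NTICE")


def scan_for_debugger_device_names(
    image: bytes,
    names: tuple[str, ...] = ANTI_DEBUG_DEVICES,
) -> list[tuple[int, str, str]]:
    """Return (offset, name, encoding) for every occurrence of each name.

    Both ASCII and UTF-16LE are checked, because the same literal may be
    handed to the narrow (A) or the wide (W) file-open API.
    """
    hits: list[tuple[int, str, str]] = []
    for name in names:
        for enc in ("ascii", "utf-16-le"):
            needle = name.encode(enc)
            pos = image.find(needle)
            while pos != -1:
                hits.append((pos, name, enc))
                pos = image.find(needle, pos + 1)
    return sorted(hits)


# Constructed sample mirroring the tutorial's dump, with backslashes and
# NUL terminators where the dump shows '/' and '.'.
SAMPLE_DATA = (
    b"\\\\.\\SICE\x00\\\\.\\NTICE\x00Register.dat\x00"
    b"Why didn't n0p3x use a more difficult keyfile method?\x00"
)

if __name__ == "__main__":
    for off, name, enc in scan_for_debugger_device_names(SAMPLE_DATA):
        print(f"{off:#06x} {enc:10} {name}")
```

Hits at offset 0 and 9 in the sample correspond to the two strings the crackme's 95/98 and NT checks open; a sample with neither string (or only the wide form) is reported accordingly.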
--ARE WE DONE YET--
Enter any name, company and serial number, for example:
Sanhedrin
DND
123443211
and enter softice. Put a breakpoint on either:
bpx hmemcpy
bpx getdlgitemtexta
Exit softice and click on OK. Once you have broken into softice, disable the breakpoints. A
few F12's and F10's later, you will end up at:
//SNIP//
00401251 83F809 CMP EAX,09<---is the code at least 9 characters long?
00401254 7D1F JGE 00401275<---jump if the length is 9 or greater
//SNIP//
Press F10 until you are at 004012BA
004012BA 50 PUSH EAX<---EAX points to the real serial number.
Type:
d eax
and you will see that the real serial number is:
999108:-)
So to crack this program, all we have to do is restart windows without softice, start the
crackme with the keyfile, and enter the registration code.
Greets to n0p3x
Thanks to all of those coders that make these crackmes, to Pepper for sending me on the
right path so long ago and of course to Eternal Bliss.
Sanhedrin
stachi@geocities.com