zerOOne's Crackme #1 Tutorial
░
░ ░ ░ ▄▓
▄▄ ░░ ▄▄▄▄■ ░░▀ ■▄▄▄ ▄▄ ▐█▓▌
▄▀▀ ▀■ ▀ ░░ ▀ ■▀ ▀▀▄ ██▌
■ ▄▄▀▀ ▄▄██▀██▄▄ ▄▄▄███▄▄ ▀▄▄ ■ ▄▄▄███▄▄▐██ ▄▄████▄▄
▀▄▄ ▄▀▀ ▄███▀ ▀██▓▄ ▄████▀ ▀██▓▄ ▀▄ ▄▄▀ ▄████▀ ▀██▓██ ▄████▀ ▀██▓▄
▀▀ ▄ ▐███▌ ░ ▐██▓▌ ▐████▌ ░ ▐██▓▌ ▄ ▀▀ ▐████▌ ░ ▐████▌ ▐████▌ ▐██▓▌
■██▄▄▓▌ ████ ░▒░ ████ █████▄▄▄ ▀▀▀▀ ▐█▄▄█▓ █████ ░ █████ █████▄▄▀▀▀▀▀▀▀
▐████ ░░ ▓██▌ ░▒▓▒░ ▐███ ▄▄▄▄▄ ▀▀▀████▄ ████▌ ▓███▌ ▐████ ▓███▌ ░░░░░░
░ ███▌ ░ ▐▓███ ░▒▓▒░ ▓███▌▓███▌ ░░░ ▐████ ▐▓██ ▓███▌ ▄▀▀ ▐████ ▓███▌ ░░░░░░░
▓██▌ ▐▓███ ░▒░ ▓███▌▐▓███ ░ ▓███▌ ▐▓██ ▐▓███ ▓███▌ ▐▓███
▐▓███ ▐▓▓██▌ ░ ▐▓███▌ ▓▓██▌ ▐▓███ ▓███▌ ▓▓██▌ ░ ▐▓███ ▓▓██▌
▓▓▓██▌ ■▓▓▓▓██ ░ ▓█████■ ▀▓▓█▄ ▄▓██▀ ▐▓████ ▄ ▀▓██▄ ▄▓██▀ ▀▓██▄
▀▓███▄ ▀▀▀██▄ ▄▓█▀▀▀ ▀▀█▀▀ ▄▓▓▓▀▀ ▀▀█▀▀ ▀▀▀▀ js
▀▀▀▀▀▄▄ ░ iNSiDE ▄▄▀▀▀▀▀
░ ▀▄ ░ ░░ ▄▀
░░ ░ ░░
Tutor : duelist
Date Written : June 12, 1999
Who : Newbies
Target : zerOOne's Crackme #1
Size : 116kb
Tools Used : SoftIce
- INTRODUCTION: -
Ok people, I'm back on the tuts scene and I hope both you and I will enjoy
my stay. First of all, notice the size of this app, 116kb, that's way too
much for a DOS app! I loaded it with Windows Quick View and saw that
it has tons of imports, and zer00ne says in his intro file:
"It may look like a DOS proggy, but it is a Win32 proggy. So it also
uses MessageBoxes ;)"
Well, I'm not German, but I can understand that this is a Win32 console mode
program and that our result will be shown in a messagebox!
- PROTECTION: -
This program accepts only one password, so as a tip, we can expect it to be
hardcoded in the program (later we'll see that it is not that easy), and
it will tell us the result with a messagebox!
- CRACKING STEPS: -
1) Switch into SoftIce and put a bpx on 'MessageBoxA', so we break when
the program tells us that our serial is incorrect.
2) Go to the application, enter any serial you want and hit enter!
3) Bingo, we break right in this snippet:
:00401010 55 push ebp
:00401011 8BEC mov ebp, esp
:00401013 83EC08 sub esp, 00000008
:00401016 C745FCF1FB0900 mov [ebp-04], 0009FBF1
:0040101D 68509D4100 push 00419D50 ; "Bitte Registration code eingeben: "
:00401022 B9A8D14100 mov ecx, 0041D1A8
:00401027 E8C4040000 call 004014F0
:0040102C 8D45F8 lea eax, dword ptr [ebp-08]
:0040102F 50 push eax
:00401030 B958D14100 mov ecx, 0041D158
:00401035 E856000000 call 00401090
:0040103A 8B4DF8 mov ecx, dword ptr [ebp-08]
:0040103D 3B4DFC cmp ecx, dword ptr [ebp-04]
:00401040 7516 jne 00401058
:00401042 6A00 push 00000000
:00401044 68749D4100 push 00419D74 ; "Danke"
:00401049 687C9D4100 push 00419D7C ; "Sie haben mich gecrackt :)"
:0040104E 6A00 push 00000000
:00401050 FF15ACF24100 Call USER32!MessageBoxA
:00401056 EB14 jmp 0040106C
:00401058 6A01 push 00000001
:0040105A 68989D4100 push 00419D98 ; "Error"
:0040105F 68A09D4100 push 00419DA0 ; "Nein, versuchen Sie es nochmal :("
:00401064 6A00 push 00000000
:00401066 FF15ACF24100 Call USER32!MessageBoxA
:0040106C 33C0 xor eax, eax <- you break here, but since we want to start
                               tracing at the beginning of this call, set
                               a breakpoint on 401010
4) Repeat step 2, enter any serial you like, and this time you'll break at the
beginning of the call:
:00401010 55 push ebp
:00401011 8BEC mov ebp, esp
:00401013 83EC08 sub esp, 00000008
:00401016 C745FCF1FB0900 mov [ebp-04], 0009FBF1
:0040101D 68509D4100 push 00419D50 ; "Bitte Registration code eingeben: "
:00401022 B9A8D14100 mov ecx, 0041D1A8
:00401027 E8C4040000 call 004014F0
:0040102C 8D45F8 lea eax, dword ptr [ebp-08]
:0040102F 50 push eax
:00401030 B958D14100 mov ecx, 0041D158
:00401035 E856000000 call 00401090 <- asks us for the reg code AND converts
                                      it from string to dec, stores it in ecx
:0040103A 8B4DF8 mov ecx, dword ptr [ebp-08]
:0040103D 3B4DFC cmp ecx, dword ptr [ebp-04] ; compares our code with some dec at location
                                              ebp-4 (!), so do a "d ebp-4" and you'll get
                                              "F1 FB 09 00", just reverse it and use
                                              "? 09FBF1" and you'll get the correct code!
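The check the listing walks through, rebuilt as an added C example (not code from the tutorial or from the crackme itself): dword_from_le decodes the four bytes seen with "d ebp-4" as an x86 little-endian dword, which is the "reverse it" step, and check_code mimics the string-to-number conversion followed by the cmp against 0009FBF1. The function names are mine, and the conversion is assumed to be a plain decimal one like atoi/strtoul.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Reconstruction (assumption) of the immediate stored at [ebp-04] by
 * the instruction at 00401016. */
#define EXPECTED_CODE 0x0009FBF1u

/* Decode the four bytes SoftIce shows for "d ebp-4" ("F1 FB 09 00").
 * x86 stores dwords little-endian: the lowest-addressed byte is the
 * least significant, so the dump must be read back to front. */
uint32_t dword_from_le(const uint8_t b[4])
{
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Mimics call 00401090 followed by the cmp at 0040103D: the typed
 * string is converted to a number (assumed decimal here) and compared
 * with the stored dword. Returns 1 for "Danke", 0 for "Nein". */
int check_code(const char *typed)
{
    char *end;
    unsigned long value = strtoul(typed, &end, 10); /* string -> dec */
    return (uint32_t)value == EXPECTED_CODE;
}

int main(void)
{
    /* constructed sample: the bytes the tutorial sees at ebp-4 */
    const uint8_t dump[4] = {0xF1, 0xFB, 0x09, 0x00};
    uint32_t code = dword_from_le(dump);
    printf("stored dword = 0x%08X = %u decimal\n", code, code);
    printf("'654321' -> %s\n", check_code("654321") ? "Danke" : "Nein");
    printf("'12345'  -> %s\n", check_code("12345") ? "Danke" : "Nein");
    return 0;
}
```

Because the comparison happens on the converted number rather than the string, any input that converts to the same value (a leading zero, for instance) passes as well.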
- FINAL NOTES: -
Ok, from now on you can expect a lotta tuts from me (well, at least that's what I hope)...
Thx 2: E_Bliss for kinda 'forcing' me to write tutorials
tC for being such a nice friend with some nice crackmes
MisterE for showing me the way to go ;)
R!SC for being a frenzy cracker and for cracking my #3
All the other dudes I don't remember right now...