zerOOne's Crackme #3 Tutorial
░
░ ░ ░ ▄▓
▄▄ ░░ ▄▄▄▄■ ░░▀ ■▄▄▄ ▄▄ ▐█▓▌
▄▀▀ ▀■ ▀ ░░ ▀ ■▀ ▀▀▄ ██▌
■ ▄▄▀▀ ▄▄██▀██▄▄ ▄▄▄███▄▄ ▀▄▄ ■ ▄▄▄███▄▄▐██ ▄▄████▄▄
▀▄▄ ▄▀▀ ▄███▀ ▀██▓▄ ▄████▀ ▀██▓▄ ▀▄ ▄▄▀ ▄████▀ ▀██▓██ ▄████▀ ▀██▓▄
▀▀ ▄ ▐███▌ ░ ▐██▓▌ ▐████▌ ░ ▐██▓▌ ▄ ▀▀ ▐████▌ ░ ▐████▌ ▐████▌ ▐██▓▌
■██▄▄▓▌ ████ ░▒░ ████ █████▄▄▄ ▀▀▀▀ ▐█▄▄█▓ █████ ░ █████ █████▄▄▀▀▀▀▀▀▀
▐████ ░░ ▓██▌ ░▒▓▒░ ▐███ ▄▄▄▄▄ ▀▀▀████▄ ████▌ ▓███▌ ▐████ ▓███▌ ░░░░░░
░ ███▌ ░ ▐▓███ ░▒▓▒░ ▓███▌▓███▌ ░░░ ▐████ ▐▓██ ▓███▌ ▄▀▀ ▐████ ▓███▌ ░░░░░░░
▓██▌ ▐▓███ ░▒░ ▓███▌▐▓███ ░ ▓███▌ ▐▓██ ▐▓███ ▓███▌ ▐▓███
▐▓███ ▐▓▓██▌ ░ ▐▓███▌ ▓▓██▌ ▐▓███ ▓███▌ ▓▓██▌ ░ ▐▓███ ▓▓██▌
▓▓▓██▌ ■▓▓▓▓██ ░ ▓█████■ ▀▓▓█▄ ▄▓██▀ ▐▓████ ▄ ▀▓██▄ ▄▓██▀ ▀▓██▄
▀▓███▄ ▀▀▀██▄ ▄▓█▀▀▀ ▀▀█▀▀ ▄▓▓▓▀▀ ▀▀█▀▀ ▀▀▀▀ js
▀▀▀▀▀▄▄ ░ iNSiDE ▄▄▀▀▀▀▀
░ ▀▄ ░ ░░ ▄▀
░░ ░ ░░
Tutor        : duelist
Date Written : June 12, 1999
Who          : Newbies
Target       : zerOOne's Crackme #3
Size         : 116kb
Tools Used   : SoftIce
- INTRODUCTION: -
Ok people, I'm back on the tuts scene and I hope both you and I will enjoy
my stay. First of all, notice the size of this app, 116kb: that's way too
much for a DOS app! I loaded it in Windows QuickView and saw that it had tons
of imports. Since I had cracked zerOOne's Crackme #1, I knew that this was a
Win32 console mode program and that our result would be shown in a
MessageBox. (Btw, this one uses the same code that #2 did.)
- CRACKING STEPS: -
1) Switch into SoftICE and put a bpx on 'MessageBoxA', so we break when
the program tells us that our serial is incorrect.
2) Go to the application, enter any serial you want, and hit enter!
3) Bingo, we break right in this snippet:
:004010E5 55              push ebp
:004010E6 8BEC            mov ebp, esp
:004010E8 51              push ecx
:004010E9 C745FCF1FB0900  mov [ebp-04], 0009FBF1
:004010F0 E81AFFFFFF      call 0040100F           ; our success depends on the result of this
:004010F5 25FF000000      and eax, 000000FF       ; call to 40100F, since eax is checked on
:004010FA 85C0            test eax, eax           ; return.
:004010FC 7416            je 00401114
...
:00401122 FF15ACF24100    call dword ptr [0041F2AC] ; USER32!MessageBoxA
:00401128 E8ECFEFFFF      call 00401019
:0040112D 33C0            xor eax, eax            ; you break here, but since we want to start
                                                  ; tracing at the beginning of this call, set
                                                  ; a breakpoint on 4010E5 (!)
4) Repeat step 2: enter any serial you like and you'll break at the beginning. Then trace
into the call to 40100F and you'll see:
:0040100F E93C000000      jmp 00401050            ; jumps to the beginning of the call
...
:00401050 55              push ebp
:00401051 8BEC            mov ebp, esp
:00401053 83EC08          sub esp, 00000008
:00401056 6818C84100      push 0041C818           ; "Bitte Registration code eingeben: "
:0040105B B9E0D14100      mov ecx, 0041D1E0
:00401060 E80B060000      call 00401670
:00401065 8D45F8          lea eax, dword ptr [ebp-08]
:00401068 50              push eax
:00401069 B990D14100      mov ecx, 0041D190
:0040106E E89D010000      call 00401210           ; gets our code, converts it to dec
:00401073 817DF86AD76300  cmp dword ptr [ebp-08], 0063D76A ; and stores it in ebp-8. Do a "? 63D76A"
                                                  ; and you'll get the right code!
:0040107A 750D            jne 00401089
:0040107C C645FC01        mov [ebp-04], 01        ; these are
:00401080 C6058CD1410001  mov byte ptr [0041D18C], 01 ; success
:00401087 EB0B            jmp 00401094
:00401089 C645FC00        mov [ebp-04], 00        ; these are
:0040108D C6058CD1410000  mov byte ptr [0041D18C], 00 ; failure
:00401094 8A45FC          mov al, byte ptr [ebp-04] ; result flag goes back in al
:00401097 8BE5            mov esp, ebp
:00401099 5D              pop ebp
:0040109A C3              ret
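Added example (C written for this page, not zerOOne's crackme code or duelist's): it pulls the constant out of the opcode bytes the listing shows at 00401073, the same number SoftICE gives for "? 63D76A", and models the compare that follows. The strtoul-based decimal parse is an assumption standing in for the routine at 00401210, which the tut doesn't show.

```c
/* Added example, not zerOOne's or duelist's code: decode the constant from the
 * opcode bytes at 00401073; the strtoul parse is an assumption for 00401210. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Opcode bytes copied from the listing above (the cmp at 00401073). */
static const char CMP_AT_401073[] = "817DF86AD76300";

/* Hex string -> raw bytes; returns how many bytes were written. */
static size_t hex_to_bytes(const char *hex, uint8_t *out, size_t max)
{
    size_t n = 0;
    unsigned v;
    for (; n < max && sscanf(hex, "%2x", &v) == 1; hex += 2)
        out[n++] = (uint8_t)v;
    return n;
}

/* 81 /7 id with ModRM 7D = "cmp dword ptr [ebp+disp8], imm32"; imm32 is little-endian. */
int decode_cmp_ebp_imm32(const uint8_t *c, size_t len, int8_t *disp, uint32_t *imm)
{
    if (len < 7 || c[0] != 0x81 || c[1] != 0x7D)
        return 0;
    *disp = (int8_t)c[2];
    *imm = c[3] | (uint32_t)c[4] << 8 | (uint32_t)c[5] << 16 | (uint32_t)c[6] << 24;
    return 1;
}

/* The number SoftICE prints for "? 63D76A", recovered from the bytes. */
uint32_t expected_code(void)
{
    uint8_t buf[8]; int8_t disp; uint32_t imm;
    size_t n = hex_to_bytes(CMP_AT_401073, buf, sizeof buf);
    return decode_cmp_ebp_imm32(buf, n, &disp, &imm) ? imm : 0;
}

/* Model of the check: typed code as decimal vs. the constant. A plaintext compare like this hands the code to anyone who reads the cmp. */
int check_code(const char *typed)
{
    char *end; unsigned long v = strtoul(typed, &end, 10);
    return end != typed && v == expected_code();
}

int main(void)
{
    unsigned long code = expected_code();
    printf("accepted code: %lu (hex %lX)\n", code, code);
    return check_code("6543210") ? 0 : 1;
}
```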
- FINAL NOTES: -
Ok, from now on you can expect a lotta tuts from me (well, at least that's what I hope)...
Thx 2: E_Bliss for kinda 'forcing' me to write tutorials
       tC for being such a nice friend with some nice crackmes
       MisterE for showing me the way to go ;)
       R!SC for being a frenzy cracker and for having cracked my #3
       All the other dudes I don't remember right now...