Source: Reverse Code Engineering RCE CD +sandman 2000 / RCE / E_bliss / zone-cm4.txt (text file dated 2000-05-25)
zerOOne's Crackme #4 Tutorial
[ASCII art group banner: iNSiDE]
Tutor : duelist
Date Written : June 12, 1999
Who : Newbies
Target : zerOOne's Crackme #4
Size : 116kb
Tools Used : SoftIce
- INTRODUCTION: -
Ok people, I'm back on the tuts scene and I hope both you and I will enjoy
my stay. First of all, notice the size of this app, 116kb: that's way too
much for a DOS app! I loaded it in Windows QuickView and saw that it had
tons of imports. Since I had cracked zerOOne's Crackme #1, I knew that this
was a Win32 console-mode program and that our result would be indicated by
a message box!
- CRACKING STEPS: -
1) Switch into SoftIce and put a bpx on 'MessageBoxA', so we break when the
program tells us that our serial is incorrect.
2) Go to the application, enter any serial you want and hit enter!
3) Bingo, we'll break right in this snippet:
:004010EF 55 push ebp
:004010F0 8BEC mov ebp, esp
:004010F2 51 push ecx
:004010F3 C745FCF1FB0900 mov [ebp-04], 0009FBF1
:004010FA E80BFFFFFF call 0040100A
:004010F0 E81AFFFFFF call 0040100F \
:004010F5 25FF000000 and eax, 000000FF | our success depends on the result of the
:00401072 85C0 test eax, eax | call to 40100F, since eax is checked on return.
:004010FC 7416 je 00401123 /
...
:00401122 FF15ACF24100 USER32!MessageBoxA
:00401128 E8ECFEFFFF call 00401005
:0040112D 33C0 xor eax, eax ; you break here, but since we want to start
                            ; tracing at the beginning of this call, set
                            ; a breakpoint on 4010EF (!)
4) Repeat step 2, enter any serial you like and you'll break at the beginning; then
trace into the call to 40100F and you'll see:
:0040100F E93F000000 jmp 00401053 ; jump to real beginning
...
:00401053 55 push ebp
:00401054 8BEC mov ebp, esp
:00401056 83EC0C sub esp, 0000000C
:00401059 C745F400000000 mov [ebp-0C], 00000000
:00401060 EB09 jmp 0040106B
:00401062 8B4DF4 mov ecx, dword ptr [ebp-0C] \
:00401065 83C101 add ecx, 00000001 |
:00401068 894DF4 mov dword ptr [ebp-0C], ecx | this one is probably
:0040106B 837DF464 cmp dword ptr [ebp-0C], 00000064 | a loop to get us bored (?)
:0040106F 7D09 jge 0040107A | but it's not important so i
:00401071 C745FC01000000 mov [ebp-04], 00000001 | didn't care about it....
:00401078 EBE8 jmp 00401062 /
:0040107A 813DB8D1410041100400 cmp dword ptr [0041D1B8], 00041041 ; compares the dec value of our name
; with 41041h, do a "? 41041" to get
; the valid code (!)
:00401084 750D jne 00401093
:0040107C C645FC01 mov [ebp-08], 01 / these are
:00401080 C6058CD1410001 mov byte ptr [0041DB8C], 01 \ success
:00401091 EB0B jmp 0040109E
:00401093 C645F800 mov [ebp-08], 00 / these are
:00401097 C605BCD1410000 mov byte ptr [0041D1BC], 00 \ failure
:0040109E 8A45F8 mov al, byte ptr [ebp-08]
:004010A1 8BE5 mov esp, ebp
:004010A3 5D pop ebp
:004010A4 C3 ret
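The routine traced in step 4, rewritten in C as an added example (this is my own reconstruction, not code from the tutorial or from the crackme). It mirrors the listing: a 100-pass loop that only sets a local flag, then a compare of the value the user typed against the constant 41041h from the cmp at 0040107A, returning a byte result in al and storing a global byte. The names check_serial, check_serial_string, EXPECTED_SERIAL and g_result_byte are mine; that the typed serial is parsed as a decimal number is an assumption taken from the author's "? 41041" note, and the main() at the bottom just shows the hex-to-decimal conversion SoftIce does for you.

```c
#include <stdio.h>
#include <stdlib.h>

/* The immediate from "cmp dword ptr [0041D1B8], 00041041" in the listing.
 * In decimal this is 266305, which is what SoftIce prints for "? 41041". */
#define EXPECTED_SERIAL 0x41041UL

/* Stands in for the byte at 0041D1BC that the routine sets to 1 or 0 (assumed layout). */
unsigned char g_result_byte = 0;

/* Reconstruction of the function at 00401053: takes the number the user
 * typed (the dword at 0041D1B8) and returns 1 on success, 0 on failure. */
int check_serial(unsigned long entered)
{
    int counter;               /* [ebp-0C] */
    int busy_flag = 0;         /* [ebp-04], written on every pass */
    unsigned char result;      /* [ebp-08], returned in al */

    /* 00401062..00401078: count from 0 while counter < 64h, doing nothing
     * useful. The author is right that it does not affect the outcome. */
    for (counter = 0; counter < 0x64; counter++)
        busy_flag = 1;
    (void)busy_flag;

    /* 0040107A: the whole check is one compare against a hard-coded constant. */
    if (entered == EXPECTED_SERIAL) {
        result = 1;            /* 00401086: mov [ebp-08], 01 */
        g_result_byte = 1;     /* mov byte ptr [0041D1BC], 01 */
    } else {
        result = 0;            /* 00401093: mov [ebp-08], 00 */
        g_result_byte = 0;     /* mov byte ptr [0041D1BC], 00 */
    }
    return result;             /* 0040109E: mov al, byte ptr [ebp-08] */
}

/* Parse the typed serial as a decimal string (assumption, see lead-in)
 * and run the check. Anything that is not a plain decimal number fails. */
int check_serial_string(const char *typed)
{
    char *end = NULL;
    unsigned long value = strtoul(typed, &end, 10);
    if (end == typed || *end != '\0')
        return 0;
    return check_serial(value);
}

int main(void)
{
    printf("? 41041 -> %lu\n", EXPECTED_SERIAL);
    printf("266305 -> %s\n", check_serial_string("266305") ? "good" : "bad");
    printf("12345  -> %s\n", check_serial_string("12345") ? "good" : "bad");
    return 0;
}
```

The point to take from the reconstruction is how little the loop matters: the only thing that decides the message box is the single compare against a constant, which is why the author can pull the valid code straight out of the immediate with a "?" in SoftIce.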
- FINAL NOTES: -
Ok, from now on you can expect a lot of tuts from me (well, at least that's what I hope)...
Thx 2: E_Bliss for kinda 'forcing' me to write tutorials
tC for being such a nice friend with some nice crackmes
MisterE for showing me the way to go ;)
R!SC for being a frenzy cracker and for having cracked my #3
All the other dudes I don't remember right now...