creexe.txt (RCE/LiuTaoTao), 2000-05-25
This is a program that can find the password of a ZIP file. Its name is:
Fast ZIP Cracker 1.04 (C) 1995 Fernando Papa Budzyn. Montevideo, Uruguay.
The following string can be found in the file 'FZC.EXE'. Obviously 'EEXE' is the packer (the shell):
EEXE 1.12 -- (C) 1995 Fernando Papa Budzyn. Montevideo, UY.
Load FZC.EXE in TR. On the third 'GOKNL' a run of consecutive 'CALL FAR's appears, which looks like
the start of the real program: this is the kernel. Here is how to get the kernel out (the unpacking process):
TR fzc.exe
getknl 3 ;means get out of 3 shells
q
mkexe ;this will make file 'mem.exe'
This way we get the unpacked EXE file, MEM.EXE. But this file cannot run directly, because it still
contains an encrypted part. Load MEM.EXE in TR and use the one-time breakpoint "goint 21 ah=3d" three
times. On the third hit, 'D DX' shows that the program is opening itself, in order to check itself.
Return with the commands "pret", "t" and "p", and you find:
OR AX,AX ;696E:01DB 09C0
JE 01E2 ;696E:01DD 7403
CALL 0000 ;696E:01DF E81EFE
It is easy to see that this section checks whether the file has been decrypted (i.e. cracked), and
'CALL 0' is the error exit. Patch it:
1bd: e9f200 jmp 2d0
which means:
find: 09 c0 74 03 e8
change to: e9 f2 00
That's it!
Because this program is written in Pascal, it can be unpacked with a generic unpacker such as TEU,
quickly and cleanly. But what would you do if it were not written in a high-level language?
I list the solution for this program here because it helped me find a bug in TR, which took TR from
version 1.00 to 1.01. The problem is this: do you know which assembly instruction the byte 'f1' stands
for? No debugger recognises it, but I can tell you here: it means 'int 1', just as 'cc' means 'int 3'.
If you don't believe it, try this test program:
intnum  = 1                     ; vector number under test (INT 1)
        .model tiny
        .code
        org 100h
begin:
        .386c
        push ds
        push 0
        pop ds                  ; DS = 0 -> interrupt vector table
        mov eax,[ds:intnum*4]   ; save the old INT 1 vector
        mov [cs:saveint],eax
        mov ax,offset newint
        cli
        mov [ds:intnum*4],ax    ; install newint as the INT 1 handler (offset, then segment)
        mov ax,cs
        mov [ds:intnum*4+2],ax
        sti
        pop ds
        call testmain
        push ds
        push 0
        pop ds
        mov eax,[cs:saveint]    ; restore the old vector
        mov [ds:intnum*4],eax
        pop ds
        mov ax,4c00h            ; DOS: terminate program
        int 21h
testmain:
        xor bx,bx
        db 0f1h                 ; !!! the undocumented byte; if it is INT 1, newint runs
        cmp bx,1234h
        jnz L2
        mov dx,offset OK
        jmp L1
L2:     mov dx,offset BADD
L1:     mov ah,9                ; DOS: print '$'-terminated string
        int 21h
        ret
newint:
        mov bx,1234h            ; mark that the handler was entered
        iret
saveint dd 0
OK:     db 'Test OK $'
BADD:   db 'Test Badd $'
        end begin
-------------------------------------------
TR mem.exe          ;load mem.exe in TR
goint 21 ah=3d      ;one-time breakpoint: break when the program opens a file
goint 21 ah=3d      ;second time
goint 21 ah=3d      ;third time
d dx                ;see which file it opens; this time it is opening itself
pret                ;go until return
t                   ;one step, <F8> also works
p                   ;one procedure step, <F10> also works
and then we find the following code:
OR AX,AX ;696E:01DB 09C0
JE 01E2 ;696E:01DD 7403
CALL 0000 ;696E:01DF E81EFE
It is easy to see that this code checks whether the file has been cracked, and 'CALL 0' is the error
exit. Patch it:
a ;assemble, still in TR
jmp 2d0 ;e9f200
and then you can GO (run) it.
If you want to patch MEM.EXE permanently, you need a hex editor: open MEM.EXE in hex mode and
search: 09 c0 74 03 e8
change to: e9 f2 00
All done! Track, unpack and crack, all done!
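The following is an added example (my own code, not from creexe.txt, TR or FZC) that works through the relative-displacement arithmetic behind the TR listing (OR AX,AX / JE 01E2 / CALL 0000) and the two 'jmp 2d0 ;e9f200' patch listings above, so a reader can check why the debugger shows those targets and those bytes. It assumes the JMP is assembled at offset 01DB, the first address of the listing; with that assumption the displacement F2 00 comes out exactly as the page shows.

```python
# Added example (not from creexe.txt): the 16-bit relative-branch arithmetic
# behind the TR listing and the 'jmp 2d0' patch.  Offsets and bytes are the
# ones quoted on the page; they are used as constants, not read from a file.

# opcode -> (mnemonic, displacement width in bytes) for the branches in the listing
REL_BRANCHES = {0xE9: ("JMP", 2), 0xE8: ("CALL", 2), 0x74: ("JE", 1)}


def branch_target(ip, code):
    """Decode a relative branch at offset `ip`; return (mnemonic, target offset).
    The CPU adds the sign-extended displacement to the offset of the *next*
    instruction; the sum wraps within the 64 KiB code segment."""
    mnemonic, width = REL_BRANCHES[code[0]]
    disp = int.from_bytes(code[1:1 + width], "little", signed=True)
    return mnemonic, (ip + 1 + width + disp) & 0xFFFF


def encode_jmp_rel16(ip, target):
    """Encode `JMP target` as E9 rel16 for an instruction placed at offset `ip`."""
    disp = (target - (ip + 3)) & 0xFFFF          # relative to the byte after the JMP
    return bytes([0xE9]) + disp.to_bytes(2, "little")


# The three instructions TR showed at 696E:01DB/01DD/01DF (bytes from the page).
LISTING = [
    (0x01DB, bytes.fromhex("09C0")),    # OR AX,AX   (not a branch)
    (0x01DD, bytes.fromhex("7403")),    # JE 01E2
    (0x01DF, bytes.fromhex("E81EFE")),  # CALL 0000
]


def decode_listing():
    """Return {offset: (mnemonic, target)} for every branch in LISTING."""
    return {ip: branch_target(ip, code) for ip, code in LISTING if code[0] in REL_BRANCHES}


def patch_bytes():
    """Bytes before/after assembling 'jmp 2d0' at 01DB (assumed: where TR's 'a' sits)."""
    before = b"".join(code for _, code in LISTING)           # 09 C0 74 03 E8 1E FE
    after = encode_jmp_rel16(0x01DB, 0x02D0) + before[3:]    # E9 F2 00 + untouched tail
    return before, after


if __name__ == "__main__":
    for ip, (mnemonic, target) in sorted(decode_listing().items()):
        print(f"{ip:04X}: {mnemonic} {target:04X}")
    before, after = patch_bytes()
    print("before:", before.hex(" ").upper())
    print("after: ", after.hex(" ").upper())
```

Note that the 3-byte JMP overwrites OR AX,AX and the first byte of JE, which is why the hex search pattern on the page is five bytes long while the replacement is three: the leftover 03 E8 1E FE is never executed.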