Reverse Code Engineering RCE CD +sandman 2000

home *** CD-ROM | disk | FTP | other *** search

/ Reverse Code Engineering RCE CD +sandman 2000 / ReverseCodeEngineeringRceCdsandman2000.iso / RCE / LiuTaoTao / creexe.txt < prev next >

Wrap

Text File | 2000-05-25 | 4KB | 140 lines

╒Γ╩╟╥╗╕÷─▄╒╥╡╜ZIP╬─╝■├▄┬δ╡─╚φ╝■ú¼├√╜╨ú║ This is a SoftWare which can find password of a ZIP file. Its name is: Fast ZIP Cracker 1.04 (C) 1995 Fernando Papa Budzyn. Montevideo, Uruguay. ╘┌╬─╝■FZC.EXE╓╨┐╔╥╘╖ó╧╓╧┬┴╨╫╓╤∙ú¼╧╘╚╗EEXE╩╟╥╗╕÷╝╙┐╟╚φ╝■íú Follow string can be find in file 'FZC.EXE'.Obviously 'EEXE' is the shell. EEXE 1.12 -- (C) 1995 Fernando Papa Budzyn. Montevideo, UY. ╙├TR╡≈╚δFZC║≤ú¼╡┌╚²┤╬GOKNL╩▒╖ó╧╓┴¼╨°╥╗┼┼CALL FARú¼║├╧≤╩╟╬─╝■┐¬╩╝íú ═╤┐╟╣²│╠╩╟ú║ Load FZC.exe in TR, after 3 times 'GOKNL', we can find serials 'CALL FAR'. And this is kernal. Follow is how to get the kernal: TR fzc.exe getknl 3 ;means get out of 3 shells q mkexe ;this will make file 'mem.exe' ╒Γ╤∙╬╥├╟╛═╡├╡╜┴╦═╤┐╟║≤╡─EXE╬─╝■MEM.EXEíú╡½╩╟╒Γ╕÷╬─╝■▓╗─▄╓▒╜╙╓┤╨╨ú¼╥≥╬¬╞Σ╓╨ ╗╣╙╨╝╙├▄╡─▓┐╖╓íú╙├TR╡≈╚δMEM.EXEú¼╙├╥╗┤╬╨╘╢╧╡πgoint 21 ah=3dú¼╡┌╚²┤╬╩▒D DX ┐╔╥╘╖ó╧╓╒Γ╩╟┤≥┐¬╫╘╔φ╜°╨╨╝∞▓Θíú╙├PRETú¼Tú¼P├ⁿ┴ε╖╡╗╪ú¼┐╔╥╘╖ó╧╓ú║ And then we get the kernal "mem.exe". But this file can not run directly. Lod 'MEM.exe' in TR, use one-time break-point "goint 21 ah=3d" 3 times. When 'D DX', we can find this is open itself to check. Use command "pret","T","P", and: OR AX,AX ;696E:01DB 09C0 JE 01E2 ;696E:01DD 7403 CALL 0000 ;696E:01DF E81EFE ╚▌╥╫╖ó╧╓╧┬├µ╥╗╢╬╢╝╩╟╝∞▓Θ╩╟╖±▒╗╜Γ├▄╣²╡─ú¼╢°CALL 0╩╟┤φ╬≤│÷┐┌ú¼╕─╡⌠╦ⁿú║ It's easy to find these codes are for check if been cracked, and 'Call 0' is error process. Patch it: 1bd: e9f200 jmp 2d0 which means: find: 09 c0 74 03 e8 change to: e9 f2 00 That is! ╥≥╬¬╒Γ╕÷│╠╨≥╩╟╙├PASCAL▒α╡─ú¼╦∙╥╘┐╔╥╘╙├TEU╓«└α═≥─▄═╤┐╟╚φ╝■═╤ú¼═╤╡├╙╓┐∞╙╓ ╕╔╛╗íú╡½╚τ╣√╦ⁿ▓╗╩╟╙├╕▀╝╢╙∩╤╘▒α╡──π╙╓╡▒╚τ║╬ú┐ ╒Γ└∩┴╨│÷╒Γ╕÷│╠╨≥╡─╜Γ╖¿╩╟╥≥╬¬╦ⁿ░∩╬╥╒╥╡╜┴╦TR╡─╥╗╕÷┤φ╬≤ú¼╩╣TR╙╔1.00╔²╬¬1.01íú ╒Γ╕÷╬╩╠Γ╩╟ú║─π╓¬╡└╫╓╜┌f1┤·▒φ╩▓├┤╗π▒α╓╕┴ε┬≡ú┐╦∙╙╨╡─╡≈╩╘│╠╨≥╢╝▓╗╚╧╩╢╦ⁿú¼╡½ ╒Γ└∩╬╥╥¬╕µ╦▀─πú¼╦ⁿ┤·▒φINT 1íú╒²╧≤CC┤·▒φINT 3╥╗╤∙ú¼F1┤·▒φINT 1íú╗≥╨φ─π▓╗ ╧α╨┼ú¼╟δ╙├╧┬├µ│╠╨≥╥╗╩╘ú║ Do you know what 'f1' means in assemble language? I can tell you it means 'int 1', just link 'cc' means 'int 3'. This is a test program: intnum = 1 model tiny .code org 100h begin: .386c push ds push 0 pop ds mov eax,[ds:intnum*4] mov [cs:saveint],eax mov ax,offset newint cli mov [ds:intnum*4],ax mov ax,cs mov [ds:intnum*4+2],ax sti pop ds call testmain push ds push 0 pop ds mov eax,[cs:saveint] mov [ds:intnum*4],eax pop ds MOV AX,4C00H INT 21H testmain: xor bx,bx db 0f1h ;!!! cmp bx,1234h jnz L2 mov dx,offset OK jmp L1 L2: mov dx,offset BADD L1: mov ah,9 int 21h ret newint: mov bx,1234h iret saveint dd 0 OK: db 'Test OK $' BADD: db 'Test Badd $' end begin ------------------------------------------- TR mem.exe ;load mem.exe in tr goint 21 ah=3d ;this is a one-time break-point ;means break if open file. goint 21 ah=3d ;another time goint 21 ah=3d ;third time d dx ;see what file it open, you can find ;it open itself this time pret ;go until return t ;one step, <F8> is also OK p ;one procedure step,<F10> is also OK and then we can find follow code: OR AX,AX ;696E:01DB 09C0 JE 01E2 ;696E:01DD 7403 CALL 0000 ;696E:01DF E81EFE It's easy to find these codes are for check if been cracked, and 'Call 0' is error process. Patch it: a ;assemble, still in TR jmp 2d0 ;e9f200 and then you can GO it. If you want to patch the MEM.exe permanently, you must find a HEX editor and edit MEM.EXE in HEX mode: search: 09 c0 74 03 e8 change to: e9 f2 00 All done! Track,Unpack and Crack, all done!