Reverse Code Engineering RCE CD +sandman 2000

home *** CD-ROM | disk | FTP | other *** search

/ Reverse Code Engineering RCE CD +sandman 2000 / ReverseCodeEngineeringRceCdsandman2000.iso / RCE / Mendoza / lxthowto3.txt < prev next >

Wrap

Text File | 2000-05-25 | 9KB | 155 lines

the right way to go! ▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄ █ ▄▄▄▄ █ █ ▄▄▄▄ ▀▀▀▀▀▀▀▀▀ ▄▄▄▄ ▄▄▄▄ ▀▀▀▀ ▄▄▄▄ ▀▀▀▀▀▀▀▀▀▀█ █ ████ █ █ ████▀████ ████ ████ ████ ████▀████ ████ ████ █ █ ████ ▀▀▀▀ ████ ████ ████▄████ ████ ████ ████ ████ ████ █ █ ████ ████ ▄▄▄▄▄████ ▄▄▄███▄▄▄ ████ ████ ▄▄▄▄ ████ ████ █ █ ████ ████ ████ ████ ████ ████ ████ ████ █ █ ████▀▀▀▀▀ █ █ ████▄████ ████▄████ ████ ████ ████ ████ █ █ ████ █▀▀▀▀▀ █ ▀▀▀▀ ▄▄▄▄▄▄▄▄▄▄ ▀▀▀ ▄▄▄▄▄ ▀▀▀ ▀▀▀ ▀▀▀▀ █ █ ▀▀▀▀ █ ▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀ GERMAN CRACKING FORCE / PC -───▄ ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ Cracking - HowTo #3 made for you by JoGy [Laxity] I read the tutorial from Yaan!, another cracker from Laxity, and thought: I should show you the differences between cracking with a disassembler and a debugger. So I decided to write this tutorial about cracking Ghosttyper 1.0e with SoftIce. This tutorial won't show you how SoftIce works; but it will show you how to crack a shareware program using it. What you will need: * SOFTICE v. 3.0 or higher: SoftIce is a "must-have" in the scene. Try to get it at http://cracking.home.ml.org/ and don`t blame me, if you can`t find it or if it`s deadlinked ! * PIECE OF PAPER: You'll need it later to write down the right code 8) Oky, let's start. Open the ghosttyper.exe with the SymbolLoader from SoftIce and execute it by clicking on the LOAD button in SoftIce. You will be in SoftIce at the beginning of the program. So it's time to configure SoftIce a little bit: write 'data' [enter] and write 'r' [enter]. Now a part of the SoftIce window shows the CPU registers and another shows the offset-adresses and what's in them. Press [F5] to let the program run, again. The Ghosttyper window, where you should register, will be opened. Click on the 'register' button and enter your name and a dummy code (e.g. 98765432). BEFORE you click on the OK button go back in SoftIce by pressing [CRT] & [d] at the same time. Back in ICE you have to set a breakpoint. There are many breakpoints possible to set, but the one I prefer is for breaking on highmemcopy. This bp will be activated if the program calls the hmemcopy-procedure. (this program reads in three values, so it calls the hmemcopy procedure three times. Set the breakpoint by typing this in SoftIce: 'bpx (that means breakpoint) hmemcpy' [ENTER]. Now press [F5] again to switch back to Ghosttyper. Click the ok button. Immediately you will be back in ICE due to the breakpoint at hmemcpy. Press [F5] two times. Now press the [F12] button until you are out of the 16-bit adresses in the 32-bit adresses. You will stop at 0137:00436E92 POP ESI. We are not more in KERNEL but in the GHOSTTYPER CODE and that's what we want. The prog has read all neccessary information with hmemcpy. But where are the codes ? They have to be somewhere.. so let's search for the dummy code 98765432! Probably the code is on an adress beginning with 013F:????????. So let's move to those adresses by typing 'd 013F:00000000'. Now let's search: type 's (for search) 0 l ffffffff (type as much times the 'f' as the length of your code is. Each 'f' stands for one position in your dummy code) '98765432''! 's 0 l ffffffff '98765432' [ENTER] After that you will see 'pattern found at 013F:00ADB778' ! Now, try to think, (if it is possible)...our dummy code is on the address 013F:00ADB778.hmmm...... What we wanna find is the compare between our dummy code and the right code: so all we have to do is to set another breakpoint that will be activated if our dummy code is moved, read , deleted or overwritten. Therefore we use 'bpm (breakpoint on memory access) 013F:00ADB778'[ENTER]. After you defined this bpm press [F5] and you will be back immediately at the address 0137:00402AF1 INC ESI. So, this means that something happens to our dummy code here; look at the [esi] register by typing: 'd esi'[ENTER]. WOW! Our code is in the esi-register. The line above MOV BL, [ESI] has moved the first number of our code into the BL register. Trace further by pressing [F10] and let's try to understand what happens to our code: There are many compares but it's not THE cmp WE are looking for. At the address 0137:00402B1D ADD EAX,EBX the first numba will be moved into the EAX register. If you trace further you will notice that we are in a loop which moves one codenumba after another into the EAX register by using ADD EAX, EBX. Press [F10] until you reach 0137:0046301F MOV ESI, EAX. (before you should have left two calls by tracing through RET instructions.) Type '? eax' and you will see our dummy code in the eax register. Now it will be moved to the esi register. Trace one step further and type ' ? esi' and you will see our dummy code in the esi register. Trace two steps further and you are diggin gold: CMP ESI, EAX. Yeah. Thatsit. The call before has given eax the right code. Get its value by typing '? eax' and use your peace of paper to write your code it down ! If you wanna know how the code was calculated... have a look into the call before. But that's only neccessary if you want to code a keygenerator. (Maybe in the next tutorial ?) You made it. You ripped a code out of a shareware progarm using SoftIce ! Did you notice that it`s much cheaper to register a ProG this way ???? Common.... If you understand it and you have fun cracking other progs: JOIN US... JOIN LAXITY - GERMAN CRACKING FORCE!!! Mail us and become a trial memba ! Perhaps I will write some other tutorials (if you want to !), but don't terrorize me by sending too much mail. (a tuti like this needs its time to be done!) GOOD LUCK by TRYING to CRACK sharewareProGs! CU JoGy [Laxity] ████████████████████████████████████████████████████████████████████████████ ██│╔══════════════════════════─» Membaz: «─══════════════════════════╗│██ ██│║ Animalo │ founder, cracker │▄ laxity_hq@gmx.net ║│██ ██│║──────────────│──────────────────────────│──────────────────────────║│██ ██│║ SONIC 98 │ cracker, iNET admin │▄ laxity_s98@gmx.net ║│██ ██│║ pCsK8R │ cracker │▄ laxity_pc@gmx.net ║│██ ██│║ Yaan! │ cracker │▄ laxity_yaan@hotmail.com ║│██ ██│║ JoGy │ cracker │▄ jogy_laxity@hotmail.com ║│██ ██│║ The Brain │ cracker │▄ the.brain.@gmx.net ║│██ ██│║ xCrk │ cracker │▄ xcrk@bigfoot.com ║│██ ██│║ vTeC │ cracker │▄ @ ║│██ ██│║ Swoop │ cracker │▄ @ ║│██ ██│║ Smakkker │ cracker │▄ @ ║│██ ██│║ Twister │ cracker │▄ @ ║│██ ██│║ Tiger of THT │ gfxer │▄ @ ║│██ ██│║ Raptor #1 │ driver │▄ @ ║│██ ██│║════════════════════════════════════════════════════════════════════║│██ ██│║ Trial Membaz: ║│██ ██│║────────────────────────────────────────────────────────────────────║│██ ██│║ _awe_ │ gfxer, tester │▄ @ ║│██ ██│║════════════════════════════════════════════════════════════════════║│██ ██│║ Greetz ║│██ ██│║────────────────────────────────────────────────────────────────────║│██ ██│║ APP - GCG - GWA98 - NEXUS98 - UCF2000 - PC98 ║│██ ██│║════════════════════════════════════════════════════════════════════║│██ ██│║ Join Laxity ║│██ ██│║────────────────────────────────────────────────────────────────────║│██ ██│║ Are you a cracker?... Contact laxity and ask him if you can join! ║│██ ██│║ We need also slaves for our irc, spread, test and help section... ║│██ ██│║════════════════════════════════════════════════════════════════════║│██ ██│║ iNET ║│██ ██│║────────────────────────────────────────────────────────────────────║│██ ██│║ IRC EFNET: │ #laxity98 ║│██ ██│║ German Hq │ http://gcf.notrix.de ║│██ ██│╚════════════════════════════════════════════════════════════════════╝│██ ████████████████████████████████████████████████████████████████████████████