Re: Joseph's Threed Password at last
Saturday, 01-May-1999 04:59:25

Greetings noos,

Now the noose is really loose, and when I say CAPSULE1 the DREAD disappears. There might be other combinations, but this one worked for me.

You talked about a trap in the compare routine, but I found none in the one immediately following the keygen routine, unless you are talking about a peculiarity SoftIce exhibits there in the disassembly of the short negative jumps. It shows them all as positive jumps. For instance, 0040202b EBD1 JMP 004020FE; if correctly disassembled it should be JMP 00401FFE. However, the program jumps to the correct address. There are 3 more similar jumps in the keygen routine. I am not sure if this is due to any tricks you played or it is just the way SoftIce behaves.

The second compare routine is more likely to be the trap you are talking about. I found that the program performs more than 12 million loops, and anybody trying to follow those loops will surely spend a lot of time doing so and find nothing. Again, I am not sure if that was your intention or not.

I could not find any use for the modification to location 0040611C which is done after the check for the presence of SoftIce. This location is set to 00000000 if Ice is present and 00000032 if not. Perhaps it is just a smoke screen.

I must thank you for all the hints, which perhaps saved me some time. My sincerest congratulations to you or to whoever wrote the keygen routine. It is beautiful.

It has been the tradition for the author whose crackme we crack to release the source code to us. I hope you are planning to do the same. I would love to take a look at the source of DREADX.

Best regards,
Joseph
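The jump anomaly Joseph describes above is exactly what happens when a short (rel8) jump's displacement byte is added as an unsigned value instead of a sign-extended one: EB D1 at 0040202B lands at 00401FFE when D1 is read as -47, and at 004020FE when it is read as +209. The following Python is an added example (not code from the post, the crackme, or SoftIce) that decodes short JMP/Jcc targets both ways and flags listing lines whose displayed target disagrees with the signed computation. The listing lines other than the one quoted in the post are constructed for the example.

```python
import struct

def rel8_target(addr: int, insn: bytes) -> int:
    """Destination of a two-byte short jump (JMP rel8 = EB xx, Jcc rel8 = 70..7F xx)
    located at `addr`. The displacement is a SIGNED 8-bit value relative to the
    address of the following instruction (addr + 2)."""
    if len(insn) != 2:
        raise ValueError("short jumps are exactly two bytes")
    op, disp = insn[0], insn[1]
    if op != 0xEB and not (0x70 <= op <= 0x7F):
        raise ValueError(f"opcode {op:02X} is not a short jump")
    rel = struct.unpack("<b", bytes([disp]))[0]      # sign-extend the byte
    return (addr + 2 + rel) & 0xFFFFFFFF

def rel8_target_unsigned(addr: int, insn: bytes) -> int:
    """Same arithmetic with the displacement taken as unsigned. This reproduces
    the wrong address a disassembler shows when it forgets the sign, which is
    the behaviour described in the post for backward jumps."""
    return (addr + 2 + insn[1]) & 0xFFFFFFFF

# Constructed listing in SoftIce-like "addr bytes mnemonic target" form.
# The first line is the one quoted in the post; the rest are made up here.
SAMPLE_LISTING = """\
0040202b EBD1 JMP 004020FE
00402010 EB05 JMP 00402017
00402040 7502 JNZ 00402044
00402050 74F0 JZ 00402142
"""

def check_listing(listing: str):
    """Return (addr, shown_target, real_target) for every short jump whose
    displayed target is not the sign-correct one."""
    mismatches = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        addr = int(parts[0], 16)
        insn = bytes.fromhex(parts[1])
        shown = int(parts[3], 16)
        real = rel8_target(addr, insn)
        if shown != real:
            mismatches.append((addr, shown, real))
    return mismatches

if __name__ == "__main__":
    for addr, shown, real in check_listing(SAMPLE_LISTING):
        print(f"{addr:08X}: listing shows {shown:08X}, real target {real:08X}")
```

Forward jumps (displacement < 0x80) decode identically either way, which is why only the backward jumps in the keygen routine look wrong while the program itself still branches correctly: the CPU always sign-extends rel8.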
Joseph's Threed Got it (Joseph) (27-Apr-1999 06:18:27)