CrackMe® Practices for Newbies
CrackMe 2 by CyberBlade [ReFleXZ '99]

Joseph's Thread---Zap the Zapper
Monday, 12-Apr-99 02:42:27

    Greetings everybody,

    Zap the zapper

    This crackme is a little bit tricky. It is a VB5 program compiled to P-Code and intentionally aims at depriving any reverser of the use of a powerful tool for dealing with VB programs, NuMega SmartCheck. You run SmartCheck and open the target, and before you can say "reverse", the SmartCheck screen vanishes and the target is exited. Is there any way to overcome this problem? I found three ways to do it and here they are.

    Before I go into details about the various methods, I will say a word about how the zappers zap programs they don't want to be running. We have seen this done to FileMon in an earlier project. The program looks for an open window with a certain heading and, if found, it closes it. This target looks for the SmartCheck window, which has the heading NuMega SmartCheck, and once it finds it, it closes it and exits. I also will tell you what function is called to do the zapping. It is MSVBVM50!rtcAppActivate and it is jumped to from location 00401018.

    Modify SmartCheck
    It is possible to modify SmartCheck to make it immune against zapping by this crackme or any other program using the same approach. To do this is very simple once the heading is located in Smartchk.EXE. Through a process of elimination, I found it at location 5A0FA in a hex dump of SmartChk.exe. You only need to change one character in the name to make it impervious to zapping by programs like crackme2. I changed the e to an a so the name became NuMaga instead of NuMega. You will find this e at address 5A100. I tried this and it worked.

    Permanently changing the program itself
    As mentioned earlier, the zapping function is MSVBVM50!rtcAppActivate and it is jumped to from address 401018 in the target program; the instruction there is at 00401018 and the content of that location is ff256c104100. Looking at a hex dump of the target in any hex editor you will find these bytes starting at 418. Change the ff to c3 and the remaining 5 bytes to 90. This will put a return instruction instead of the jump and the zapping routine will never be executed.

    A temporary change to the program
    Load the target into SoftIce and SoftIce will automatically stop at the entry point at 401050. Place a bpx at 401050, press x, run and exit the target. Now run SmartCheck, load the target and run it from SmartCheck. If you did everything correctly, SoftIce will stop at 401050. Now D 401018, put the cursor at the FF at address 401018 in the data window, change the FF to C3 and nop the remaining 5 bytes by putting 90 in each. Continue running the target with x and Enter, and SmartCheck will do its work now.
    Whatever you do with the information you get from SmartCheck is up to you. One final word though. SmartCheck will report a Vbasic runtime error, but that has no effect on how both the target and SmartCheck perform. I think that error is related more to the fact that the target was frustrated in finishing the zapping process successfully than to any other fact.

    Best regards,
    Joseph
