CrackMe® Practices for Newbies
Project 9: CrackMe 2 by Cronos

Starter...
Wednesday, 31-Mar-99 09:23:56

    I patched the crackme on the 1st byte with CC and set the breakpoint on Int 3 by typing "bpint 3".
    Upon breaking, I will be on the first line of the code. Change it back to the original byte, which is "BD". This is done by typing "d xxxx:0100" to show the values in the data window. xxxx depends on your computer.

    You will see "CC" in the first byte. Click on that and type "BD", overwriting the CC. Then hit Enter. The code has been changed back to the original BD0080.


    Break due to BPINT 03

    :0100 BD0080 MOV BP,8000
    :0103 BEFB03 MOV SI,03FB
    :0106 EB08 JMP 0110

    **Start of the CrackMe. SI given the location of 03FB.


    A "re-direction" table
    ===========================================

    :0110 8B1C MOV BX,[SI]
    :0112 83C602 ADD SI,02
    :0115 8BD3 MOV DX,BX
    :0117 83C202 ADD DX,02
    :011A FF27 JMP [BX]

    ===========================================
    Bit of explanation:
    :0110 BX is given the word(2 bytes) that is in SI
    :0112 SI is increased by 2 bytes for the next round
    :0115 to 0117 not very sure but I think it is a backup for somewhere
    :011A jump to the location pointed by BX

    There are some parts which didn't use this table and I think the DX value is used instead. Also, there are parts of the code where SI is given a new value.


    This bit of code is VERY IMPORTANT. 8)
    ===========================================

    :02C3 3BC3 cmp ax, bx
    :02C5 7405 je 02CC
    :02C7 6A00 push 0000
    :02C9 E944FE jmp 0110


    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0001.02C5(C)
    |

    :02CC 6A01 push 0001
    :02CE E93FFE jmp 0110

    ===========================================

    It is used 2-3 times. One of the times is to compare if the code you
    entered is the same length as the Username.
    The next time is to compare the converted code with another code
    that is converted from the Username.

    So, for now, I could only patch it to have "Access Granted" 8P
    Change 7405 at :02C5 to 7505 (jne 02CC) You will be granted access.
    Offset is 1C5.
    The MAJOR disadvantage (or advantage?) is that whatever you type will not be shown on the screen.
    PS. You can change it to EB05 (jmp 02CC) as well.

    Changing it to 7305 (jae 02CC) is better. You can see what you type, and it still works as long as the length of the Username exceeds the length of the Code by at least 1 byte.


    I think the Code must be letters and not digits.

    Regards
    Fear of dos programs reduced by half... 8)

    Eternal Bliss
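To make the "re-direction" table at 0110 easier to follow, here is an added Python replay of that dispatch loop (example code, not part of the post or the crackme). The memory image, the record layout at 0500, and the handler addresses 0200/0300 are constructed for the example; treating DX = BX+2 as a pointer to a per-handler operand is an assumption the post does not confirm, and the compare handler mirrors the push 0 / push 1 block at 02C3.

```python
# Replay of the crackme's dispatcher at 0110..011A (threaded code) on a
# constructed memory image; DX = BX+2 pointing at an operand is an assumption.
import struct

TABLE = 0x03FB          # from the listing: MOV SI,03FB
RECORDS = 0x0500        # constructed: where the handler records live
PUSH_OP, CMP, HALT = 0x0200, 0x02C3, 0x0300   # CMP mirrors the block at 02C3

def word(mem, addr):
    return struct.unpack_from("<H", mem, addr)[0]

def assemble(program):
    """Lay out a table at 03FB of pointers to (handler, operand) records."""
    mem = bytearray(0x1000)
    for i, (handler, operand) in enumerate(program):
        rec = RECORDS + 4 * i
        struct.pack_into("<HH", mem, rec, handler, operand)  # [BX], [DX]
        struct.pack_into("<H", mem, TABLE + 2 * i, rec)      # [SI]
    return mem

def op_push(mem, dx, stack):
    stack.append(word(mem, dx))            # operand fetched through DX

def op_cmp(mem, dx, stack):
    bx, ax = stack.pop(), stack.pop()      # 02C3: cmp ax,bx; je -> push 1, else push 0
    stack.append(1 if ax == bx else 0)

def op_halt(mem, dx, stack):
    return "halt"

HANDLERS = {PUSH_OP: op_push, CMP: op_cmp, HALT: op_halt}

def run(mem, si=TABLE, max_steps=64):
    """Loop 0110: BX=[SI]; SI+=2; DX=BX+2; JMP [BX], until a handler halts."""
    stack, trace = [], []
    for _ in range(max_steps):
        bx = word(mem, si)
        si += 2
        dx = bx + 2
        target = word(mem, bx)
        trace.append(target)
        if HANDLERS[target](mem, dx, stack) == "halt":
            break
    return stack, trace

def check(a, b):
    """Push a and b, run the 02C3-style compare, return the pushed flag."""
    stack, _ = run(assemble([(PUSH_OP, a), (PUSH_OP, b), (CMP, 0), (HALT, 0)]))
    return stack[-1]
```

The trace returned by run() lists the handler addresses in the order the table dispatched them, which is the same view you get by stepping the real loop with a breakpoint on 011A.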
