CrackMe® Practices for Newbies
CrackMe 2 by CyberBlade [ReFleXZ '99]

Task 1 - final solution
Sunday, 11-Apr-99 11:22:31

    This is how the anti-SmartCheck code can be bypassed:

    In BoundsChecker, the following API codes can be seen:

    FindWindow //pointer to 'NUMEGA SMARTCHECK' as parameter

    followed by:

    GetDesktopWindow
    GetWindow
    GetWindowTextA
    GetWindow
    GetWindowTextA
    GetWindow
    GetWindowTextA
    ...
    GetWindow //returns HWND=0

    So what the program does:
    It searches for the SmartCheck window. If it doesn't find it, it checks all the windows' captions whether they are 'NUMEGA SMARTCHECK' or not.

    How to bypass it:

    First, 'bpx FindWindowA'

    When SICE breaks:

    dd esp (want to see the parameters)
    For me, the params were:
    01F3:0044F3E0 BFF93D01 00000000 0064F3F8
    And they mean:
    stack return_address NULL pointer2string

    so: db 64F3F8 and edit the string (don't type g yet)

    Now, for the 'GetWindow, GetWindowTextA' check:

    bpx GetWindow
    g

    When SICE breaks again, the code should look like this:

    mov cl,9F
    jmp xxxxx
    //some lines of code
    xxxx:
    push ebp
    mov ebp,esp
    push ecx
    sub esp,3c
    push word ptr [...]
    push word ptr [...]
    call [...]
    leave //<= trace up to here
    ret

    When you are at the instruction 'leave' with the instruction pointer, press Alt+R and make ax=0. (The last call for GetWindow in BoundsChecker returned HWND=0.)

    bc *
    g

    Andy
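
A model of the two checks that the API trace in the post implies, as an added example that is not part of Andy's post or the crackme's own code: portable C in which a constructed window list stands in for the desktop chain, with exact string comparison assumed. It shows why the post treats the checks separately: the FindWindowA lookup depends on the title string passed in, while the caption scan depends on the handles GetWindow returns and stops at the first 0.

```c
#include <stdio.h>
#include <string.h>

/* Mock of the desktop's window chain. The real program walks it with
   GetDesktopWindow/GetWindow/GetWindowTextA; all titles here are constructed. */
struct win { const char *title; struct win *next; };

static struct win *sample_desktop(void) {
    static struct win w[3] = {
        {"Program Manager", &w[1]},
        {"NUMEGA SMARTCHECK", &w[2]},
        {"CrackMe 2", NULL}
    };
    return w;
}

/* Check 1: lookup by exact title, modelling FindWindowA(NULL, title). */
static struct win *find_window(struct win *first, const char *title) {
    for (struct win *w = first; w; w = w->next)
        if (strcmp(w->title, title) == 0) return w;
    return NULL;
}

/* Check 2: compare every caption in the chain. The walk ends when the
   next handle is 0 (NULL here), as the last GetWindow in the trace shows. */
static int scan_captions(struct win *first, const char *needle, int *visited) {
    *visited = 0;
    for (struct win *w = first; w; w = w->next) {
        (*visited)++;
        if (strcmp(w->title, needle) == 0) return 1;
    }
    return 0;
}

/* Returns 1 if either check reports the tool (assumed combination logic). */
static int tool_detected(struct win *first, const char *find_arg, const char *needle) {
    int visited;
    if (find_window(first, find_arg)) return 1;
    return scan_captions(first, needle, &visited);
}

int main(void) {
    const char *t = "NUMEGA SMARTCHECK";
    int n;
    printf("both checks intact:        %d\n", tool_detected(sample_desktop(), t, t));
    printf("lookup string altered:     %d\n", tool_detected(sample_desktop(), "XUMEGA SMARTCHECK", t));
    printf("chain ends at first handle: %d\n", scan_captions(NULL, t, &n));
    return 0;
}
```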









