Reverse Code Engineering RCE CD +sandman 2000

home *** CD-ROM | disk | FTP | other *** search

/ Reverse Code Engineering RCE CD +sandman 2000 / ReverseCodeEngineeringRceCdsandman2000.iso / RCE / Mendoza / flux4.txt < prev next >

Wrap

Text File | 2000-05-25 | 3.4 KB | 95 lines

Flu[X]/PC98 Cracking tutor #4 - Using W32Dasm to its potential Tools -Unreal Player MAX (i used v1.27) -W32Dasm -Byte patch maker -Hackers view 5.65+ -Brain (Stop by your local hardware store and pick one up) OK, not many people have actually used W32 Dasm's debugger.. Well, why not? Heres a good example of how to use the debugger.. This program is protected by two checks (yep count em') Once when the program loads and once when you try to play a file. The first one is easy... and unless you use W32's debugger.. the second could be hard... OK, lets run the program once.. now exit... move the date ahead 2 months or so.. restart.. hey look its expired.. ok.. remember the messages it gives us... Disassemble the file in w32dasm... wait..wait..wait.. ok once its done decompiling do a text search for.. "This version is expired" or whatever it's message was.. you should scroll up a bit until we come to this interesting code.. mov eax,esi call 0047ca6c mov eax, dword ptr [00489600] cmp dword ptr [eax], 0000001E <-- 1E = 30 decimal | compare counter to 30 days jg 004810d6 <-- if weve been using for 30+ days jump to expire mov eax, dword ptr [00489600] <-- move counter in again cmp dword ptr [eax], FFFFFFD <-- compare for clock rollback jge 0048112b <-- if no roll back detected.. make the jump so how would we fix this? like so mov eax,esi call 0047ca6c mov eax, dword ptr [00489600] cmp dword ptr [eax], 0000001E <-- 1E = 30 decimal | compare counter to 30 days nop <-- use 2 nops to remove jump and fill bytes nop mov eax, dword ptr [00489600] <-- move counter in again cmp dword ptr [eax], FFFFFFD <-- compare for clock rollback jmp 0048112b <-- always jump to good code ok.. we simply remove the one jump.. because it goes to "bad" stuff and we never want it to goto there. Then we make it so under ALL conditions it jumps to the good code :) Ok, load up Hackers View and make the changes to the file. Ok run our target... looks good dont it? ok play a mp3 file or wav file or whatever.. what?.. it just closed on us hrmmm.. we must have missed something.. oh wait.. remember.. i said there were 2 checks.. ok load un w32dasm again and de-compile it (again) ok hit the 'debug' menu item and select 'load process' hit 'load' button when a new window pops up... wait for it to load the file into mem.. hit the Run button on the one side window.. Ok, unreal player MAX starts.. ok try to play a file again it will exit. now hit the close button.. re-enlarge W32 ok,, it conveniently dropped us off where the program quit.. hey look there is a function called Exit Process.. i wonder what that does? maybe closes a program!! ok.. so we want to skip that beast. scroll up a bit... hey look at this.. dont it look somewhat familiar with a few small changes ??? . . . mov eax, dword ptr [00489600] cmp dword ptr [eax], 0000001E <-- 1E = 30 decimal | compare counter to 30 days jg 004810d6 <-- if weve been using for 30+ days jump to expire mov eax, dword ptr [00489600] <-- move counter in again cmp dword ptr [eax], FFFFFFD <-- compare for clock rollback jge 0048112b <-- if no roll back detected.. make the jump . . . call Exit Process make the same changes as above.. try to play a file now. wow it works!! congrats.. you just cracked Unreal Player MAX! now use your patch maker and make a patch file. BAM.. your all set!