Cracking 2

home *** CD-ROM | disk | FTP | other *** search

/ Cracking 2 / Cracking II..iso / Texty / crackme / CrackMe-id14-lu48-en.txt < prev next >

Wrap

Text File | 1999-06-18 | 3.7 KB | 100 lines

------------------------------ CrackMe [id:14] coded by tC... Tutorial by Lucifer48, 17 june ------------------------------ Protection: Name/Serial (Single licence / Worldwide license) =============== 1. INTRODUCTION =============== A bpx hmemcpy allow us to enter into the code of the program (written in delphi). XXXX:0043F6B9 CALL 00421960 ;we exit from here XXXX:0043F6BE MOV EAX,[EBP-08] ;d EAX: my name XXXX:0043F6C1 CALL 00403A1C ;gives the length of the name (in eax) XXXX:0043F6C6 CMP EAX,03 XXXX:0043F6C9 JL 0043F841 ;the name must be greater than 3 chars we continue: XXXX:0043F6F5 MOV EAX,[EBP-08] ;d EAX: my dummy serial XXXX:0043F6F8 CALL 00403A1C ;gives the length of the name (in eax) XXXX:0043F6FD CMP ESI,EAX ;ESI=length of name / EAX=length of serial XXXX:0043F6FF JNZ 0043F841 ;must have same length for the name and for the serial ... delphi's code... not very interesting... we arrive here: XXXX:0043F7BE CALL [EDX+00000B8] ;<=> MOV AL,[EAX+000001F1] XXXX:0043F7C4 TEST AL,AL ;'Single licence' or 'Worldwide license' XXXX:0043F7C6 JZ 0043F7CF ;--\ XXXX:0043F7C8 CALL 0043F58C ; | ---\ XXXX:0043F7CD JMP 0043F7D4 ; | | XXXX:0043F7CF CALL 0043F5F0 ;<-/ | XXXX:0043F7D4 CMP DWORD PTR [0044192C],00 <-/ XXXX:0043F7DB JNZ 0043F80A We recognize here, the protection scheme, if we check Single licence' (AL=01), we go in the call 0043F58C, if we check 'Worldwide license' (AL=00), we go in the call 0043F5F0. In both cases, we must have [0044192C]=0. ================================= 2. SINGLE LICENCE (call 0043F58C) ================================= The most important thing, in this call is this main loop: XXXX:0043F5CC MOV EDX,0044182C ;see remark (below) XXXX:0043F5D1 MOV ESI,[EAX] ;*eax : a char of the serial XXXX:0043F5D3 SUB ESI,[EDX] ;*edx : a char of the name XXXX:0043F5D5 JZ 0043F5DD XXXX:0043F5D7 ADD [0044192C],ECX ;don't forget that we must have [0044192C]=0 at the end XXXX:0043F5DD INC ECX XXXX:0043F5DE ADD EDX,04 ;next char XXXX:0043F5E1 ADD EAX,04 ;next char XXXX:0043F5E4 DEC EBX ;count -1 XXXX:0043F5E5 JNZ 0043F5D1 ;LOOP Remark: this is what we see in 0044182C (it's my name!) -----CM_ID14!BSS+082C-----------------------------------------------PROT---(0)-- XXXX:0044182C 4C 00 00 00 75 00 00 00-63 00 00 00 69 00 00 00 L...u...c...i... XXXX:0044183C 66 00 00 00 65 00 00 00-72 00 00 00 34 00 00 00 f...e...r...4... XXXX:0044184C 38 00 00 00 8... -------------------------------------------------------------------------------- The serial has the same disposition, but it is reversed. Name/ Lucifer48 RegNo./ 84reficuL ==================================== 3. WORLDWIDE LICENCE (call 0043F5F0) ==================================== As above, still a loop, in this call. XXXX:0043F631 MOV EDX,0044182C XXXX:0043F636 MOV ESI,[EDX] ;my name XXXX:0043F638 ADD ESI,08 XXXX:0043F63B MOV EDI,[EAX] ;my dummy serial (in reverse order) XXXX:0043F63D SUB EDI,ESI XXXX:0043F63F JZ 0043F647 XXXX:0043F641 ADD [0044192C],ECX XXXX:0043F647 INC ECX XXXX:0043F648 ADD EDX,04 ;next char XXXX:0043F64B ADD EAX,04 ;next char XXXX:0043F64E DEC EBX ;count -1 XXXX:0043F64F JNZ 0043F636 ;LOOP It looks like the previous loop... No need to tell more, the code is trivial. Name/ Lucifer48 RegNo./ @<zmnqk}T Greetings Goes to: Torn@do, Volatility, tC, Eternal Bliss, ACiD BuRn, and good french crackers. Lucifer48