Cracking 2

home *** CD-ROM | disk | FTP | other *** search

/ Cracking 2 / Cracking II..iso / Texty / crackme / crkme1bh.txt < prev next >

Wrap

Text File | 1999-11-14 | 3.3 KB | 129 lines

Cosh`s CrackMe #1 - solution by BugHUNTER/EVOLUTiON (bughunter@gmx.net) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ You must be a REAL newbe cos you need to read a tutor bout one of the most simple cd check crackmes ever made... Tools needed: W32DASM, hex editor, 2 minutes free time Here we go: First of all run the proggy and keep the error message in mind ! open crackme1.exe in W32DASM search for "Try again" * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00401352(C) | :00401392 FF45EC inc [ebp-14] :00401395 83C704 add edi, 00000004 :00401398 837DEC07 cmp dword ptr [ebp-14], 00000007 :0040139C 759F jne 0040133D :0040139E 53 push ebx * Possible StringData Ref from Data Obj ->"Try again" | :0040139F 684C304000 push 0040304C * Possible StringData Ref from Data Obj ->"You lost" | :004013A4 6840304000 push 00403040 use the jump reference to get to 00401352 to see what brought us up to the error msg * Reference To: KERNEL32.GetDriveTypeA, Ord:0104h | :00401349 FF1504204000 Call dword ptr [00402004] :0040134F 83F803 cmp eax, 00000003 :00401352 743E je 00401392 <-- here it :00401354 8D45E8 lea eax, dword ptr [ebp-18] goes ! * Possible StringData Ref from Data Obj ->"CD_CHECK.DAT" there is a cmp eax,003 after the GetDriveTypeA routine (3 is HD!) so it drops you out of the check routine if equal to 3 ==> NOP this jump patch at offset 1352h 743E to 9090 after running the proggy again you will see that the error is stil popping up so lets see what else took us there.. the error msg is right after the check routine :00401384 E811030000 Call 0040169A :00401389 385DF3 cmp byte ptr [ebp-0D], bl :0040138C 0F84F3000000 je 00401485 <-- use this for good ! * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00401352(C) | :00401392 FF45EC inc [ebp-14] :00401395 83C704 add edi, 00000004 :00401398 837DEC07 cmp dword ptr [ebp-14], 00000007 :0040139C 759F jne 0040133D :0040139E 53 push ebx * Possible StringData Ref from Data Obj ->"Try again" only the conditional jump at 0040138c takes us out of this mess if equal we should get here Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0040138C(C) | :00401485 53 push ebx * Possible StringData Ref from Data Obj ->"You did it" | :00401486 6834304000 push 00403034 * Possible StringData Ref from Data Obj ->"Well done, Cracker" | :0040148B 6820304000 push 00403020 :00401490 E914FFFFFF jmp 004013A9 :00401495 6A00 push 00000000 :00401497 FF7120 push [ecx+20] ==> change 0F84F3000000 at offset 138Ch to 90E9F3000000 ... you did it !! -BugHUNTER/EVOLUTION