- Terminal Cilla's
- Tutorial#5
-
- [Target Infos:]
- [Name :] CrackMe 5
- [Author:] FireWorX
- [Type :] RegCode
- [Where :] http://crackmes.cjb.net
-
- [Needed Tools:]
- SoftIce
-
- [Our Aim:]
- Find the RegCode
-
- -----------------------------------------------------------------------------
- Hi Reader.
- I'm sorry for all grammatical and orthographic errors.
- Today we deal with "CrackMe 5" by 'FireWorX'.
- I assume that you have already configured your SoftIce and
- that you are basically familiar with SI - otherwise stop reading
- and take a "SoftIce4Newbies" tutorial first.
- Still here?
- Ok, let's go!
- Step1:
- ------
- What's the first thing we notice about this crackme?
- Of course: we don't have an "OK" or "Check" button.
- So what does that mean?
- The program checks every single input as it is typed.
- Ok, let's enter a value.
- I used:
-
- Test-990088
-
- Hmm, nothing happens!
-
- Step2:
- ------
- Let's hunt our wanted regcode with SoftIce.
- Set a breakpoint on 'hmemcpy' and press
- <F5> to return to the program.
- But what's going on now? We don't return!
- Pressin' <F5> again and again and we are still
- in SoftIce.
- Ok, let's think a bit.
- The fact that we still break on 'hmemcpy'
- suggests that there's a permanent memory access.
- And what did we also see while pressin' <F5>?
- Yes, we were always at the same position.
- Seein' all this, we must be in a big loop!
- Since we don't have an endless loop ;) there
- must be an end condition.
- Our loop could look like this:
-
- ********************************
- repeat
- If 'input<>Serial' then
- 'condition'=false else
- 'condition'=true;
- until 'condition'=true;
- ********************************
-
- So, let's go on with SoftIce:
-
- 1 x <F11>
- 11 x <F12>
- -----------------------------------------------------------------------
- Step3: (writing down our serial;)
- ------
- :00441A0E 8B45FC       mov eax, dword ptr [ebp-04]       -> we are here
- :00441A11 50           push eax                          -> our code in eax
- :00441A12 8D55F8       lea edx, dword ptr [ebp-08]
- :00441A15 8B83C8020000 mov eax, dword ptr [ebx+000002C8]
- :00441A1B E8A417FEFF   call 004231C4
- :00441A20 8B55F8       mov edx, dword ptr [ebp-08]       -> !
- :00441A23 58           pop eax
- :00441A24 E83321FCFF   call 00403B5C                     -> compare routine
- :00441A29 7549         jne 00441A74                      -> if 'our code<>real code' then goto loop
-
- Checking the eax register will show us the serial we typed.
- Tracin' further will bring us to :00441A20, where 'edx'
- gets the value 'RegCode' - isn't that the label above the input box?
- At :00441A29 there is a conditional jump. Here it is decided whether you
- have won or lost. Before that jump there's a call -
- let's examine it.
-
- Pressin' <F8> while we are on the call will bring us here:
-
- ------------------------------------------------------
- :00403B5C 53   push ebx
- :00403B5D 56   push esi
- :00403B5E 57   push edi
- :00403B5F 89C6 mov esi, eax
- :00403B61 89D7 mov edi, edx
- :00403B63 39D0 cmp eax, edx   -> !
-
- Something is compared at :00403B63 - let's see what.
- In 'eax' our dummy code is stored, and what do we have
- in 'edx'? Hmm, once again it's 'Regcode'.
- Hey, maybe FireWorX tried to trick us with
- that CrackMe.
- To prove our assumption, we enter
- 'Regcode' and *boom*, a "cracked" message appears.
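- The weakness this tutorial exposes, modelled in Python as an added example (not code from the crackme or its author): the check runs on every input and hands the real serial to a plain string compare, so the compare operands give it away; a build that stores only a salted digest and compares digests in constant time has no plaintext serial to reveal. The salt and iteration count are assumptions for the demo.

```python
import hashlib
import hmac
from typing import Callable, Iterable, Optional

# Constructed model of the crackme's check. 'Regcode' is the serial the
# tutorial recovers; salt and iteration count are assumptions for the demo.
REGCODE = "Regcode"
SALT = b"crackme5-demo-salt"
ITERATIONS = 20_000

def naive_check(user_input: str) -> bool:
    """Direct string compare, like 'call 00403B5C' in the tutorial: the real
    code is the second operand, so breaking on the compare (or on hmemcpy,
    which copies the strings around) shows it in a register."""
    return user_input == REGCODE

def naive_stored_material() -> bytes:
    """What the naive build keeps in memory: the plaintext serial itself."""
    return REGCODE.encode()

# The hardened build keeps only a salted PBKDF2 digest of the serial.
REGCODE_DIGEST = hashlib.pbkdf2_hmac("sha256", REGCODE.encode(), SALT, ITERATIONS)

def hardened_check(user_input: str) -> bool:
    """Hash the input and compare digests in constant time: the compare
    operands are digests, so the plaintext serial is never in a register."""
    candidate = hashlib.pbkdf2_hmac("sha256", user_input.encode(), SALT, ITERATIONS)
    return hmac.compare_digest(candidate, REGCODE_DIGEST)

def hardened_stored_material() -> bytes:
    """What the hardened build keeps in memory: salt and digest only."""
    return SALT + REGCODE_DIGEST

def check_loop(inputs: Iterable[str], check: Callable[[str], bool]) -> Optional[int]:
    """The tutorial's 'repeat ... until condition' loop: with no OK button,
    every input is checked as it arrives. Returns the index of the first
    accepted input, or None if the loop never exits."""
    for index, text in enumerate(inputs):
        if check(text):
            return index
    return None

if __name__ == "__main__":
    typed = ["Test-990088", "Regcode"]  # constructed sample inputs
    print("naive:", check_loop(typed, naive_check), "hardened:", check_loop(typed, hardened_check))
    print("plaintext serial in hardened build:", b"Regcode" in hardened_stored_material())
```

- Hashing only hides the serial; the conditional jump at :00441A29 still decides the outcome, so this closes the leak the tutorial uses rather than protecting the check as a whole.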
-
-
- Well, our job is done!
-
- Thx4Readin'
- -----------------------------------------------------------------------------
-
- -=I'm still a newbie - So I can only get better!=-
-
- (c) Terminal Cilla (april 1999)
-
-
- Peace&Respects 2: FireWorX, Eternal_Bliss, The_Sandman, Torn@do,
- duelist, Sanhedrin and all crackme-coders
- and tutorial-writers.
- ________________________
- | Be sure to visit: |
- | http://crackmez.cjb.net|
- | & |
- | http://crackmes.cjb.net|
- |________________________|
-