home *** CD-ROM | disk | FTP | other *** search
/ Cracking 2 / Cracking II..iso / Texty / crackme / tctutor_7.txt < prev    next >
Encoding:
Text File  |  2000-01-24  |  5.4 KB  |  143 lines
  1.             Terminal Cilla's
  2.                   Tutorial#7
  3.  
  4. [Target Infos:]
  5. [Name  :] CrackMe4 
  6. [Author:] duelist
  7. [Type  :] Name-Serial
  8. [Where :] http://crackmes.cjb.net
  9.  
  10. [Needed Tools:]
  11. WinDasm
  12. SoftIce
  13.  
  14. [Our Aim:]
  15. Find a valid serial
  16.  
  17. -----------------------------------------------------------------------------
  18.             Hi Reader. 
  19. I'm sorry for all grammatical and orthographic errors.
  20. Today we deal with "CrackMe 4" by 'duelist'.
  21. I assume that you already configured your SoftIce/WinDasm and
  22. that you are basicly down with them - otherwise stop reading
  23. and take a "SoftIce/WinDasm4Newbies - Tutorial".
  24.               Still here?
  25.              Ok, let's go!
  26.  
  27. TheEssay:
  28. ---------
  29.  
  30.     Enter anything you want in the input-fields of the crackme.
  31.     Fire up SoftIce and put a breakpoint on 'hmemcpy'.
  32.     Back in the target we press the check-button and we'll
  33.     return to SI.
  34.     Trace a little bit until you come here:
  35.  
  36. :00401132 E841020000              Call 00401378
  37. :00401137 A3AF214000              mov dword ptr [004021AF], eax (length of name)
  38. :0040113C 83F800                  cmp eax, 00000000 (anything entered?)
  39. :0040113F 0F84D5000000            je 0040121A ->err_msg if nothing entered
  40. :00401145 83F808                  cmp eax, 00000008 (name<=8?)
  41. :00401148 0F8FCC000000            jg 0040121A ->err_msg if length greater
  42. :0040114E 8BF0                    mov esi, eax (put length name into esi)
  43. :00401150 6A00                    push 00000000
  44. :00401152 6A00                    push 00000000
  45. :00401154 6A0E                    push 0000000E
  46. :00401156 6A04                    push 00000004
  47. :00401158 FF7508                  push [ebp+08]
  48. :0040115B E818020000              Call 00401378 (get length of fake serial)
  49. :00401160 83F800                  cmp eax, 00000000 (anything entered?)
  50. :00401163 0F84B1000000            je 0040121A  ->err_msg if nothing entered
  51. :00401169 3BF0                    cmp esi, eax -> (length name=length serial?)
  52. :0040116B 0F85A9000000            jne 0040121A ->err_msg if length is differrent
  53. :00401171 6860214000              push 00402160
  54. :00401176 6A08                    push 00000008
  55. :00401178 6A0D                    push 0000000D
  56. :0040117A 6A03                    push 00000003
  57. :0040117C FF7508                  push [ebp+08]
  58.  
  59. -----------Some-lines-further------------------
  60.  
  61. :0040119C 41                      inc ecx
  62. :0040119D 0FBE8160214000          movsx eax, byte ptr [ecx+00402160]
  63. :004011A4 83F800                  cmp eax, 00000000
  64. :004011A7 7432                    je 004011DB ->good one
  65. :004011A9 BEFFFFFFFF              mov esi, FFFFFFFF
  66. :004011AE 83F841                  cmp eax, 00000041
  67. :004011B1 7C67                    jl 0040121A 
  68. :004011B3 83F87A                  cmp eax, 0000007A
  69. :004011B6 7762                    ja 0040121A
  70. :004011B8 83F85A                  cmp eax, 0000005A
  71. :004011BB 7C03                    jl 004011C0
  72. :004011BD 83E820                  sub eax, 00000020
  73.  
  74.     Looking at the code we know that we can only use letters
  75.     between 'A' and 'z' (65-122) in our name, otherwise 
  76.     we'll get the err_msg.
  77.  
  78. * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  79. |:004011A7(C)
  80. |
  81. :004011DB FF35AF214000            push dword ptr [004021AF]
  82. :004011E1 6894214000              push 00402194
  83. :004011E6 6879214000              push 00402179 
  84. :004011EB E854000000              call 00401244
  85. :004011F0 83F801                  cmp eax, 00000001
  86. :004011F3 0F84DEFEFFFF            je 004010D7  ->goog_msg if eax=1
  87. :004011F9 EB1F                    jmp 0040121A ->err_msg if eax<>1
  88.  
  89.     If eax<>1 then we will brought to our error-message.
  90.     This comparison is based on the result of the call
  91.     above.
  92.     The call gets 3 Parameters, checking them will
  93.     give you a valid serial but better check
  94.     what's inside the call:
  95.  
  96. --------------into-the-impotant-call------------------
  97.  
  98. * Referenced by a CALL at Address:
  99. |:004011EB   
  100. |
  101. :00401244 C8000000                enter 0000, 00
  102. :00401248 B801000000              mov eax, 00000001
  103. :0040124D 8B7D08                  mov edi, dword ptr [ebp+08] ->Fake serial
  104. :00401250 8B750C                  mov esi, dword ptr [ebp+0C] ->Yippie
  105. :00401253 8B4D10                  mov ecx, dword ptr [ebp+10]
  106. :00401256 F3                      repz
  107. :00401257 A6                      cmpsb
  108. :00401258 67E305                  jcxz 00401260 -> is cx<>0?
  109. :0040125B B800000000              mov eax, 00000000 ->eax gets bad 0
  110. :00401260 C9                      leave
  111. :00401261 C20C00                  ret 000C
  112.  
  113.     Let's check the esi and edi register...and?
  114.     Guess what, the beauty and the beast.
  115.     We don't need more to know.
  116.     Enter your name with the rules we find out, enter
  117.     the serial and get the ok-message.
  118.  
  119.     In my case Name-Serial was: tC - RS
  120.  
  121.     Well, our job is done!
  122.  
  123.     Thx4Readin'
  124. -----------------------------------------------------------------------------
  125.  
  126.         -=I'm still a newbie - So I can only get better!=-
  127.  
  128. (c) Terminal Cilla (mai 1999)
  129.     
  130.  
  131. Peace&Respects 2: duelist, Eternal_Bliss, The_Sandman, Torn@do,
  132.           FireWorX, Sanhedrin,PhoX and all crackme-coders
  133.           and tutorial-writers.
  134.  
  135. Special thx2 'duelist' for beeing a good friend and
  136.          'Eternal Bliss' for hosting my cMz. 
  137.                       ________________________
  138.              |   Be sure to visit:    |
  139.              | http://crackmez.cjb.net|
  140.              |           &              |
  141.                  | http://crackmes.cjb.net|
  142.                      |________________________|
  143.