Tutorial for Ultimate Crackme (n0p3x)
by Sanhedrin

Tools
Softice


Start the crackme and you will immediately be hit with the first nag screen. Then either
the softice warning will halt the crackme, or another nag screen appears warning you about a
wrong keyfile. After we get past these, there is the typical registration screen. So we have:

A nag screen
A softice check
A keyfile check
A registration check

To complicate things further, the file is either packed or encrypted in some way, which makes
disassembly and checking it in a hex editor virtually impossible.


--USING THE NAG SCREEN--


A quick check in softice shows the nag to be a MessageBox, so let's put a breakpoint on:

bpx messageboxa

Exit softice and start the crackme. After you break into softice press F11, then click on
OK on the shareware message, and you will break back into softice. You should be at:


0040138D E856040000 CALL USER32!MessageBoxA
00401392 E8E5FCFFFF CALL 0040107C<---you will land here - call: is softice loaded?
00401397 85C0 TEST EAX,EAX
00401399 741C JZ 004013B7<---jump if no softice

//SNIP//

004013B7 E8F5FCFFFF CALL 004010B1<---call: is SICE-NT loaded?
004013BC 85C0 TEST EAX,EAX
004013BE 741C JZ 004013DC<---jump if no softice

//SNIP//

We'll stop here for a moment. Press F10 once and stop at 00401399. If you are working with
softice 95/98, type:

d 00401399

then change it to:

jnz 004013B7

or press F10 and stop at 004013BE. Change 004013BE to jnz 004013DC if you are working with SICE-NT.


--KEYFILE PROTECTION--


Now that we have jumped the softice check, press F10 past the jumps, and stop at:

004013DC E81BFDFFFF CALL 004010FC<---call to the keyfile check (stop here)
004013E1 85C0 TEST EAX,EAX
004013E3 7415 JZ 004013FA<---jump if the information in the keyfile is not correct
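As an added check that is not part of the original tutorial: this Python script decodes the short conditional jump (7x rel8) and CALL (E8 rel32) encodings used in the listings on this page, recomputes every branch target from the bytes, and flags any line whose printed mnemonic or target disagrees with its bytes. The sample listing is constructed from the page's own addresses, with one line deliberately transcribed as JNZ over bytes 7415 (opcode 74 is JZ) to show the kind of transcription slip the check catches.

```python
import re

# Opcode -> mnemonic for the x86 short conditional jumps (7x rel8) seen on this page.
JCC8 = {0x74: "JZ", 0x75: "JNZ", 0x7C: "JL", 0x7D: "JGE", 0x7E: "JLE", 0x7F: "JG"}

# Listing line: address, opcode bytes, mnemonic, 8-digit hex target (comments after are ignored).
LINE = re.compile(r"^([0-9A-F]{8})\s+([0-9A-F]+)\s+(\w+)\s+([0-9A-F]{8})")

# Constructed sample listing, taken from the addresses and bytes shown in this tutorial.
# The 004013E3 line is intentionally mis-transcribed as JNZ; its bytes (7415) encode JZ.
LISTING = """\
00401399 741C JZ 004013B7
004013B7 E8F5FCFFFF CALL 004010B1
004013BE 741C JZ 004013DC
004013DC E81BFDFFFF CALL 004010FC
004013E3 7415 JNZ 004013FA
00401254 7D1F JGE 00401275
"""


def decode_branch(addr, opcodes):
    """Return (mnemonic, target) for a rel8 Jcc or a rel32 CALL encoded at addr.

    The displacement is relative to the address of the *next* instruction,
    so target = addr + instruction length + signed displacement.
    """
    op = opcodes[0]
    if op in JCC8 and len(opcodes) == 2:
        rel = int.from_bytes(opcodes[1:2], "little", signed=True)
        return JCC8[op], (addr + 2 + rel) & 0xFFFFFFFF
    if op == 0xE8 and len(opcodes) == 5:
        rel = int.from_bytes(opcodes[1:5], "little", signed=True)
        return "CALL", (addr + 5 + rel) & 0xFFFFFFFF
    raise ValueError(f"not a branch this decoder handles: {opcodes.hex()}")


def check_listing(text):
    """Decode each branch line; return (address, what the bytes say, what the listing says)
    for every line where the two disagree. Lines without a hex target are skipped."""
    problems = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        addr, hexbytes, mnem, target = m.groups()
        got_mnem, got_target = decode_branch(int(addr, 16), bytes.fromhex(hexbytes))
        if got_mnem != mnem.upper() or got_target != int(target, 16):
            problems.append((addr, f"bytes say {got_mnem} {got_target:08X}",
                             f"listing says {mnem} {target}"))
    return problems


if __name__ == "__main__":
    for addr, actual, printed in check_listing(LISTING):
        print(f"{addr}: {actual}, but {printed}")
```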

At 004013DC type

d ebx

and you will see:

//./SICE.//./NTICE.Register.dat.Why didn't n0p3x use a more difficult keyfile method?

All the information you need is in this line. The keyfile is called:

register.dat

and the information in the keyfile is:

Why didn't n0p3x use a more difficult keyfile method?

Create the keyfile, then enter softice (use the above method to bypass the softice checks) and you
will get past the last jump. This leaves us with the final Name/Company/Registration code to bypass.


--ARE WE DONE YET--

Enter any name, company and serial number, for example:

Sanhedrin
DND
123443211

and enter softice. Put a breakpoint on either

bpx hmemcpy
bpx getdlgitemtexta

Exit softice and click on OK. Once you have broken into softice, disable the breakpoints. A
few F12's and F10's later, you will end up at:

//SNIP//

00401251 83F809 CMP EAX,09<---is the code 9 characters long?
00401254 7D1F JGE 00401275<---jump if 9 or greater than 9

//SNIP//

Press F10 until you are at 004012BA:

004012BA 50 PUSH EAX<---the real serial number is in EAX.

Type

d eax

and you will see that the real serial number is:

999108:-)

So to crack this program, all we have to do is restart Windows without softice, start the
crackme with the keyfile, and enter the registration code.


Greets to n0p3x

Thanks to all of those coders that make these crackmes, to Pepper for sending me on the
right path so long ago and of course to Eternal Bliss.


Sanhedrin
stachi@geocities.com