Cracking 2

home *** CD-ROM | disk | FTP | other *** search

/ Cracking 2 / Cracking II..iso / Texty / crackme / zone-cm2.txt < prev next >

Wrap

Text File | 2000-01-24 | 5.1 KB | 120 lines

zerOOne's Crackme #2 Tuturial ░ ░ ░ ░ ▄▓ ▄▄ ░░ ▄▄▄▄■ ░░▀ ■▄▄▄ ▄▄ ▐█▓▌ ▄▀▀ ▀■ ▀ ░░ ▀ ■▀ ▀▀▄ ██▌ ■ ▄▄▀▀ ▄▄██▀██▄▄ ▄▄▄███▄▄ ▀▄▄ ■ ▄▄▄███▄▄▐██ ▄▄████▄▄ ▀▄▄ ▄▀▀ ▄███▀ ▀██▓▄ ▄████▀ ▀██▓▄ ▀▄ ▄▄▀ ▄████▀ ▀██▓██ ▄████▀ ▀██▓▄ ▀▀ ▄ ▐███▌ ░ ▐██▓▌ ▐████▌ ░ ▐██▓▌ ▄ ▀▀ ▐████▌ ░ ▐████▌ ▐████▌ ▐██▓▌ ■██▄▄▓▌ ████ ░▒░ ████ █████▄▄▄ ▀▀▀▀ ▐█▄▄█▓ █████ ░ █████ █████▄▄▀▀▀▀▀▀▀ ▐████ ░░ ▓██▌ ░▒▓▒░ ▐███ ▄▄▄▄▄ ▀▀▀████▄ ████▌ ▓███▌ ▐████ ▓███▌ ░░░░░░ ░ ███▌ ░ ▐▓███ ░▒▓▒░ ▓███▌▓███▌ ░░░ ▐████ ▐▓██ ▓███▌ ▄▀▀ ▐████ ▓███▌ ░░░░░░░ ▓██▌ ▐▓███ ░▒░ ▓███▌▐▓███ ░ ▓███▌ ▐▓██ ▐▓███ ▓███▌ ▐▓███ ▐▓███ ▐▓▓██▌ ░ ▐▓███▌ ▓▓██▌ ▐▓███ ▓███▌ ▓▓██▌ ░ ▐▓███ ▓▓██▌ ▓▓▓██▌ ■▓▓▓▓██ ░ ▓█████■ ▀▓▓█▄ ▄▓██▀ ▐▓████ ▄ ▀▓██▄ ▄▓██▀ ▀▓██▄ ▀▓███▄ ▀▀▀██▄ ▄▓█▀▀▀ ▀▀█▀▀ ▄▓▓▓▀▀ ▀▀█▀▀ ▀▀▀▀ js ▀▀▀▀▀▄▄ ░ iNSiDE ▄▄▀▀▀▀▀ ░ ▀▄ ░ ░░ ▄▀ ░░ ░ ░░ Tutor : duelist Data Wrote : June 12, 1999 Who : Newbies Target : zerOOne's Crackme #2 Size : 116kb Tools Used : SoftIce - INTRODUCTION: - Ok people i'm back to the tuts scene and i hope both me and you will enjoy my stay. First of all, notice the size of this app, 116kb, that's way too much for a dos app! I loaded it using windows quikview and then i saw that it had tons of imports. Since i had cracked zerOOne's Crackme #1, i knew that this was a Win32 console mode program and that our result will be indicated by a messagebox! - CRACKING STEPS: - 1) Switch into softice and put a bpx on 'MessageBoxA', so we can break when the program tells us that our serial is incorrect. 2) Goto the application and enter any serial you want, hit enter! 3) Bingo, we'll break right in this snippet: :0040105D 55 push ebp :0040105E 8BEC mov ebp, esp :00401060 51 push ecx :00401061 C745FCF1FB0900 mov [ebp-04], 0009FBF1 :00401068 E893FFFFFF call 00401000 \ :0040106D 25FF000000 and eax, 000000FF | our success depends on the result of the :00401072 85C0 test eax, eax | call to 401000, since eax is checked on return. :00401074 7416 je 0040108C / ... :0040109A FF15ACF24100 Call USER32!MessageBoxA :004010A0 33C0 xor eax, eax ; you break here, but since we want to start tracing at the beggining of this call, set a breakpoint on 40105D (!) 4) Repeat step 2, enter any serial you like and you'll break at the beggining: :0040105D 55 push ebp :0040105E 8BEC mov ebp, esp :00401060 51 push ecx :00401061 C745FCF1FB0900 mov [ebp-04], 0009FBF1 :00401068 E893FFFFFF call 00401000 ; trace (F8) into this call. :0040106D 25FF000000 and eax, 000000FF :00401072 85C0 test eax, eax :00401074 7416 je 0040108C ; if eax is 0, bad code entered. 5) When we land at 401000, we'll see this snippet: :00401000 E91B000000 jmp 00401020 ; jumps to the beggining of the call ... :00401020 55 push ebp :00401021 8BEC mov ebp, esp :00401023 83EC08 sub esp, 00000008 :00401026 68509D4100 push 00419D50 ; "Bitte Registration code eingeben: " :0040102B B9A8D14100 mov ecx, 0041D1A8 :00401030 E8FB040000 call 00401530 :00401035 8D45F8 lea eax, dword ptr [ebp-08] :00401038 50 push eax :00401039 B958D14100 mov ecx, 0041D158 :0040103E E88D000000 call 004010D0 ; asks for reg code, converts it to dec :00401043 817DF86AD76300 cmp dword ptr [ebp-08], 0063D76A ; value and stores in ebp-8, compares it ; with 63D76Ah, so "? 63D76A" will reveal ; the correct code... (!) :0040104A 7506 jne 00401052 :0040104C C645FC01 mov [ebp-04], 01 ; code correct :00401050 EB04 jmp 00401056 :00401052 C645FC00 mov [ebp-04], 00 ; code incorrect :00401056 8A45FC mov al, byte ptr [ebp-04] :00401059 8BE5 mov esp, ebp :0040105B 5D pop ebp :0040105C C3 ret - FINAL NOTES: - Ok, from now on you can expect a lotta tuts from me (well at least that's what i hope)... Thx 2: E_Bliss for kinda 'forcing' me to write tuturials tC for being such a nice friend with some nice crackmes MisterE for showing me the way to go ;) R!SC for being a frenzy cracker and to have cracked my #3 All the other dudes i don't remember right now...