Well, I had a quick look at this program since it seems to be interesting. First of all we need to enter our fake registration code - just as normal. I've entered 12345 as code. Now enter SoftICE and BPX on HMEMCPY. Leave SoftICE and press Check. SoftICE will pop up now. Press F12 until you're looking at the following code snippet:

:004015AC 8D4DEC        LEA   ECX,[EBP-14]
:004015AF 8D45E8        LEA   EAX,[EBP-18]
:004015B2 51            PUSH  ECX
:004015B3 8D55E4        LEA   EDX,[EBP-1C]
:004015B6 50            PUSH  EAX
:004015B7 52            PUSH  EDX
:004015B8 E8FD020000    CALL  004018BA
:004015BD C645FC05      MOV   BYTE PTR [EBP-04],05
:004015C1 8B00          MOV   EAX,[EAX]               ; move real code to EAX
:004015C3 8B0E          MOV   ECX,[ESI]               ; move entered code to ECX
:004015C5 50            PUSH  EAX                     ; PUSH real code
:004015C6 51            PUSH  ECX                     ; PUSH entered code
:004015C7 FF15F8434000  CALL  [004043F8]              ; compare
:004015CD C645FC04      MOV   BYTE PTR [EBP-04],04
:004015D1 83C408        ADD   ESP,08
:004015D4 83F801        CMP   EAX,01
:004015D7 1BC0          SBB   EAX,EAX
:004015D9 40            INC   EAX
:004015DA 8945D4        MOV   [EBP-2C],EAX
:004015DD E890000000    CALL  00401672
:004015E2 837DD400      CMP   DWORD PTR [EBP-2C],00   ; correct code entered?
:004015E6 7414          JZ    004015FC

So sniff out the code at 4015C5 by typing D EAX. Now your data window will display something like the following:

013F:00750E34 72726F43 2E746365 72452E2E 00726F72 Correct...Error

So Correct...Error is the correct code. This form of protection can be seen in some shareware. Very lame but effective enough to prevent non-crackers from registering it.

Eternal Bliss also asks to patch the CrackMe (if it's possible). And as you all have guessed, it is possible to patch this program. Just run Hacker's View, change the mode to decode (F4) and replace

83 7D D4 00 74 14

by

83 7D D4 00 EB 14

Another target has been Reverse Engineered. Any questions (no crack requests)?
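The data window line quoted above shows memory as little-endian dwords, which is why 72726F43 reads as "Corr" and not "rroC". The following is an added example, not part of the original tutorial: it parses a dump line of that shape back into bytes and reads the NUL-terminated string the compare routine would see. The function names are my own, and it assumes four dwords per line as in the quoted output.

```python
import re
import struct

# The data-window line quoted in the tutorial (selector:offset, 4 dwords, ASCII column).
SAMPLE_LINE = "013F:00750E34 72726F43 2E746365 72452E2E 00726F72 Correct...Error"

DWORD = re.compile(r"^[0-9A-Fa-f]{8}$")


def parse_dword_line(line):
    """Return (address, raw_bytes) for one dword-format dump line."""
    fields = line.split()
    if not fields:
        raise ValueError("empty dump line")
    address = fields[0]
    dwords = []
    # Assumption: at most four dwords per line; anything after is the ASCII column.
    for field in fields[1:5]:
        if not DWORD.match(field):
            break
        dwords.append(int(field, 16))
    # x86 stores the least significant byte first, so the displayed dword
    # 72726F43 sits in memory as the bytes 43 6F 72 72 ("Corr").
    raw = struct.pack("<%dI" % len(dwords), *dwords)
    return address, raw


def c_string(raw):
    """Decode the bytes up to the first NUL, as a C string compare reads them."""
    end = raw.find(b"\x00")
    if end == -1:
        end = len(raw)  # no terminator on this line; string continues on the next
    return raw[:end].decode("ascii", errors="replace")


if __name__ == "__main__":
    addr, raw = parse_dword_line(SAMPLE_LINE)
    print(addr, raw.hex(" "), repr(c_string(raw)))
```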