//Distributor: http://cod3r.cjb.net
//Program Name: Crackme 2a1
//Programmer: n0p3x
//Tutor: SANSARiUM
//E-mail: SANSARiUM@hOtMail.cOM
//Date: ???????????
//Version: 2a.1

//TOOLS
- HVIEW , W32Dasm
- SoftICE is NOT necessary

//FOREWORD
- A good crackme that displays its nags in a different way from the usual message box, plus anti-debugging/anti-tampering tricks.

//PERSONAL GREETS
- Qpix : For being there
- XBeDDen : You rock man !
- n0p3x : For the great crackmez
- E_Bliss : For the best crackmez site ..
- Sandman : The best tuts page ever !

//OTHER GREETS
- #cracking4newbies on efnet : For being a cool place to learn.

-------------------------------------------------------------

Welcome to the first SANSARiUM Tutorial !

Hope this one will prove to be useful ..

Now, let's start the show, friends!

Run the crackme and examine it a bit: the window contains 2 buttons, one gives you a small message box (Don't be lame ... blah blah blah), the other takes you to the next screen ...

Think a bit, how are we gonna get rid of this nag ?

The first thing you should do, as always, is to run W32Dasm and take a good look at the code ..

Examine the String Data References, you'll see the [Don't be lame ...] message; double click on it and you're transferred to where the message box is called .... a good starting point ...

Take a look at the code .... you'll see the following :

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040105F(C)
|
:0040109E 6840100000 push 00001040

* Possible StringData Ref from Data Obj ->"NO!"
|
:004010A3 6808204000 push 00402008

* Possible StringData Ref from Data Obj ->"Don't be lame, crack the program."
|
:004010A8 680C204000 push 0040200C
:004010AD FF3500204000 push dword ptr [00402000]

* Reference To: USER32.MessageBoxA, Ord:0000h
|
:004010B3 E89B000000 Call 00401153
:004010B8 C9 leave
:004010B9 C21000 ret 0010

The first line in this code snippet is the most important: it tells you that this message-box code is only reached by a jump from [0040105F] (the small C means it is a CONDITIONAL jump) ...
so let's go there !

AAAAH, here is what the code should look like when you pay [0040105F] a visit ...

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401032(C)
|
:0040105B 837D1001 cmp dword ptr [ebp+10], 00000001
:0040105F 743D je 0040109E
:00401061 837D1002 cmp dword ptr [ebp+10], 00000002
:00401065 7404 je 0040106B
:00401067 C9 leave
:00401068 C21000 ret 0010


Hmmm ... this suggests that the program tests which button you pressed ([ebp+10] is the wParam of the dialog procedure, and for a button click its low word is the control ID: 1 is IDOK, 2 is IDCANCEL). If it's the first one [00000001], then it jumps and gives you the message box .... but what if it's not ?

Then it checks again: if it's the SECOND button you've clicked [00000002], it jumps to 0040106B, which closes this nag and transfers you to the next one ..... Anything else just falls through to leave/ret.

So far so good !

What we need to do now is to make the program jump to the next screen whatever button we press; this also prevents errors from coming up. We do it by changing the jump at 0040105F so it jumps to the next screen too, i.e. we change [je 0040109E] to [je 0040106B]. A short je (opcode 74) encodes its target as a signed byte relative to the NEXT instruction: 0040105F + 2 + 3D = 0040109E. For the target 0040106B the displacement becomes 0040106B - 00401061 = 0A, so the bytes 74 3D become 74 0A. In this file the raw offset of the code is 0xA00 below its virtual address, so 0040105F is file offset 0000065F, and here is what you'll see in HVIEW after pressing F3 to start editing ...

0000065B: 837D1001 cmp d,[ebp][00010],001 ;""
0000065F: 743D je 0000069E
00000661: 837D1002 cmp d,[ebp][00010],002 ;""
00000665: 7404 je 0000066B

So we'll change the [je 0000069E] to [je 0000066B] (74 3D -> 74 0A); to do this, point at the line with the jump, then press F2 and change the code ...

OK, you've done the FIRST part of cracking ....

Remember how we back-traced the jump to its origin a few lines ago ? We're gonna do it again ...

Take a look at the code, and you'll find that this block is reached from [00401032], so let's go to that address ...

* Reference To: USER32.DialogBoxParamA, Ord:0000h
|
:0040101D E82B010000 Call 0040114D
:00401022 E911010000 jmp 00401138
:00401027 C8000000 enter 0000, 00
:0040102B 817D0C11010000 cmp dword ptr [ebp+0C], 00000111
:00401032 7427 je 0040105B
:00401034 817D0C10010000 cmp dword ptr [ebp+0C], 00000110
:0040103B 7410 je 0040104D
:0040103D 837D0C10 cmp dword ptr [ebp+0C], 00000010
:00401041 0F84F1000000 je 00401138
:00401047 33C0 xor eax, eax
:00401049 C9 leave
:0040104A C21000 ret 0010



hmmm ... look at [00401032], another conditional jump [one that checks a condition then jumps ;-)]. This is the message dispatcher of the dialog procedure: [ebp+0C] is the window message, 0x111 is WM_COMMAND (sent when a button is clicked), 0x110 is WM_INITDIALOG and 0x10 is WM_CLOSE. We don't need to reverse the whole handler, since we only need to make the prog always jump to the button-checking routine, the [Don't be lame ..] code, so we can simply change the JE at 00401032 to JNE (opcode 74 27 becomes 75 27 at file offset 00000632) !! it'll work !

Run the modified crackme now, aaaaaaah ..... a warning message box !!! So this crackme does CRC checking (it checks whether you've modified the program and stops running, giving you a warning), but disabling it is a really easy job !

Go back to W32Dasm, back to the String Data References screen, double click on the 'ERROR' message, and you'll be transferred to this code :

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004010E8(C)
|
:004010EE 6840100000 push 00001040

* Possible StringData Ref from Data Obj ->"ERROR"
|
:004010F3 68BD204000 push 004020BD

* Possible StringData Ref from Data Obj ->"ERROR: Program has detected tampering. "
->"Execution terminated"
|
:004010F8 6881204000 push 00402081
:004010FD FF3500204000 push dword ptr [00402000]



You should know what to do by now ! Yep, you've guessed it, back-tracing again !!!

This message box is reached from [004010E8], so let's check the code there (which is just above)...

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004010D0(C)
|
:004010DE 813D04204000697A0000 cmp dword ptr [00402004], 00007A69
:004010E8 7504 jne 004010EE
:004010EA C9 leave
:004010EB C21000 ret 0010


No need to back-trace this one, though ... we found our goal ! a JNE !!!
The program here tests whether it's an original (not-tampered) copy by comparing the dword stored at [00402004] with 00007A69 (31337 decimal); if it does NOT match, it jumps to the ERROR message. We just have to change the JNE (75 04) to two NOPs (90 90) at file offset 000006E8, so execution always falls through to the leave/ret and the program won't care at all whether it's an original or a cracked one ..
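The three byte patches described above (retargeting the je at 0040105F, flipping the je at 00401032 to jne, and NOPing the jne at 004010E8) can also be applied from a script instead of by hand in HVIEW. The following is an added example written for this tutorial, not code from the crackme or its author. It assumes the VA-to-file-offset mapping implied by the one pair the tutorial shows (VA 0040105F appears at offset 0000065F), and the "image" it patches is a constructed zero-filled buffer holding only the instruction bytes listed on this page, not the real crackme.

```python
"""Added example (not part of the original tutorial): apply the three patches
described in the text and verify the original bytes before writing.

Assumptions: the .text section's raw offset is 0xA00 below its virtual
address (derived from the page's 0040105F / 0000065F pair); the sample image
is a constructed stand-in, not the real crackme.
"""

IMAGE_BASE = 0x400000
TEXT_VA = 0x1000   # RVA of .text (assumed from the page's VA/offset pair)
TEXT_RAW = 0x600   # raw file offset of .text (assumed, see above)


def va_to_file_offset(va: int) -> int:
    """Map a W32Dasm virtual address to the HVIEW file offset."""
    return va - IMAGE_BASE - TEXT_VA + TEXT_RAW


def short_jump_rel8(src_va: int, dst_va: int) -> int:
    """Displacement byte for a 2-byte short jump (74/75/EB xx) at src_va.

    The CPU adds the signed byte to the address of the NEXT instruction,
    so rel8 = dst - (src + 2). Raises if the target is out of short range.
    """
    rel = dst_va - (src_va + 2)
    if not -128 <= rel <= 127:
        raise ValueError(f"{dst_va:#x} not reachable by a short jump from {src_va:#x}")
    return rel & 0xFF


def apply_patches(image: bytearray, patches):
    """Apply (va, expected_bytes, new_bytes) patches in place.

    The expected bytes are checked first so a wrong offset or a different
    build is caught instead of silently corrupting the file.
    Returns the list of file offsets that were written.
    """
    written = []
    for va, expected, new in patches:
        off = va_to_file_offset(va)
        found = bytes(image[off:off + len(expected)])
        if found != expected:
            raise ValueError(f"{va:#x} (offset {off:#x}): expected {expected.hex()}, found {found.hex()}")
        image[off:off + len(new)] = new
        written.append(off)
    return written


def crackme_patches():
    """The three patches from the tutorial, with the je displacement computed."""
    old_rel = short_jump_rel8(0x40105F, 0x40109E)   # 0x3D, as in the listing
    new_rel = short_jump_rel8(0x40105F, 0x40106B)   # 0x0A, the "next screen" target
    return [
        # 1. 0040105F: je 0040109E -> je 0040106B (both buttons go to the next screen)
        (0x40105F, bytes([0x74, old_rel]), bytes([0x74, new_rel])),
        # 2. 00401032: je -> jne (opcode 74 -> 75, displacement 27 unchanged)
        (0x401032, b"\x74\x27", b"\x75\x27"),
        # 3. 004010E8: jne 004010EE -> nop; nop, so the tamper check never fires
        (0x4010E8, b"\x75\x04", b"\x90\x90"),
    ]


def build_sample_image() -> bytearray:
    """Constructed stand-in for the crackme: zero-filled, with only the
    instruction bytes listed on this page placed at their file offsets."""
    img = bytearray(0x800)

    def put(va, hexstr):
        data = bytes.fromhex(hexstr)
        off = va_to_file_offset(va)
        img[off:off + len(data)] = data

    put(0x40102B, "817D0C11010000" "7427")              # cmp [ebp+0C],111 / je 0040105B
    put(0x40105B, "837D1001" "743D" "837D1002" "7404")  # button-ID checks
    put(0x4010DE, "813D04204000697A0000" "7504")        # cmp [00402004],7A69 / jne
    return img


def patch_sample() -> bytearray:
    """Build the sample image, apply all three patches and return it."""
    img = build_sample_image()
    apply_patches(img, crackme_patches())
    return img


if __name__ == "__main__":
    patched = patch_sample()
    for va, _, new in crackme_patches():
        off = va_to_file_offset(va)
        print(f"{va:08X} @ {off:08X}: {bytes(patched[off:off + len(new)]).hex()}")
```

Against the real file you would read it into a bytearray, call apply_patches with the same patch list and write the result to a copy; the expected-bytes check is what keeps a typo in an offset from turning into a silently broken executable.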

Run your cracked version now, and tada !!! We've done it (actually you did !!) ..

Congratulations !!!
You've done it ! You've learned how to defeat nag boxes that aren't plain message boxes, and how to disable a CRC/tamper check !! This will surely come in handy when you start cracking real programs.

//END BIT
- This is all folks, hope you enjoyed the tut and had a good time !