Cracking Tutorial for tC's CrackMe 10.0 <ID: 7>
Disabling the Count Down Initializing Code

 
 


Target Program: tC's CrackMe 10.0 <ID: 7>
Rules: Today you have to patch the CrackMe that it cannot expire.
Little challenge. Try to change only ONE BYTE!
Location: http://crackmes.cjb.net
Protection: Time Limit
Tools needed: - SoftICE 3.24
  - Hacker's View
Ob duh: Do I really have to remind you all that BUYING and NOT stealing the software you use ensures that these software houses will continue to produce even *better* software for us to use and, more importantly, will continue to offer even more challenges in breaking their often weak protection systems?
BTW, It's illegal to use cracked Software!

 
If you're looking for cracks or serial numbers from these pages then you're wasting your time; try to search elsewhere on the Web under Warez, Cracks, etc.
Info: Brand and product names are trademarks or registered trademarks of their respective holders.
Level: (X)Beginner ( )Intermediate ( )Advanced ( )Expert

Well, as you may know, I'm visiting sites to get tutorials and to add them to the Public Tutorial Search Engine ... so as I visited CrackMe Practises For Newbies some time ago I couldn't believe that tC's CrackMe 10.0 <ID: 7> still wasn't rated ... nor was there a tutorial for it ... and since I sought a little challenge, I downloaded the CrackMe ... and I cracked it within a minute of starting work on it. Then I decided to support some more Newbies out there, who might learn something new from this tutorial ... at least I hope so (if you do learn something useful, please drop me a short message so that I know that I should continue my work ... which might otherwise NOT be the case ... since I'm HEAVILY thinking about stopping teaching HOW TO CRACK !!!).
 
Ok. First of all we need to have a look at our target. When we run the CrackMe, we get the following short 'hint' from tC:
 
   This demo version will only work for 20 seconds, then it will shut-down and you had to restart it.
  
As the hint says, the only protection is that the program closes itself after 20 seconds. So we have to think of a Win32 API function that could do that ... hmmm, probably some kind of timer. A window timer is created with the SetTimer function, which takes the following parameters (remember that with the stdcall convention the parameters are pushed in REVERSE ORDER, so in the disassembly the last parameter is pushed first):

 
UINT SetTimer(
                HWND hwnd,       // handle of window for timer messages
                UINT idtimer,    // timer identifier
                UINT uTimeout,   // time-out value in milliseconds
                TIMERPROC tmprc  // address of timer procedure (NULL: WM_TIMER is posted to hwnd instead)
              );

 
So set a BPX on SetTimer (BPX SetTimer in SoftICE) and restart the CrackMe. When SoftICE pops up inside SetTimer, return to the caller (F12) and the following code snippet is displayed:
   :0043D3DF  66837B2E00   CMP     WORD PTR [EBX+2E],00
   :0043D3E4  7433         JZ      0043D419
   :0043D3E6  6A00         PUSH    00                    ; address of timer proc
   :0043D3E8  56           PUSH    ESI                   ; time-out value (21 seconds)
   :0043D3E9  6A01         PUSH    01                    ; timer identifier
   :0043D3EB  8B4328       MOV     EAX,[EBX+28]
   :0043D3EE  50           PUSH    EAX                   ; handle of window for timer messages
   :0043D3EF  E8648FFCFF   CALL    USER32!SetTimer
   :0043D3F4  85C0         TEST    EAX,EAX               ; nonzero = timer created?
   :0043D3F6  7521         JNZ     0043D419              ; if so => JMP to the common exit
    ...       ...
   :0043D419  33C0         XOR     EAX,EAX
Now we have to think of a way to change only ONE byte ... why? Well, tC asked for it. I wouldn't call this a challenge: if everything works, the JNZ at 0043D3F6 jumps to 0043D419 right after SetTimer ... and what sits just before the SetTimer parameters? A deciding check: CMP WORD PTR [EBX+2E],00 / JZ 0043D419 skips the whole SetTimer block and lands on that same address 0043D419. So if we turn the conditional JZ (opcode 74h) into an unconditional JMP (opcode EBh), the program takes the skip path every time. Both instructions are two bytes long and the 8-bit displacement (33h) stays the same, so the target does not change and no other byte has to move. So, in Hacker's View, search for the byte sequence and change
 
        66837B2E007433
 
to
 
        66837B2E00EB33
 
Now the SetTimer code is never executed, so the CrackMe never shuts itself down. Only the opcode byte at 0043D3E4 has been changed (74h -> EBh): exactly ONE BYTE. Before saving in Hacker's View, make sure the byte sequence occurs only once in the file and work on a copy of the CrackMe, so a wrong hit can be undone. CrackMe solved!
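As an added example that is not part of TORN@DO's tutorial, here is a small Python script that does the Hacker's View step mechanically and checks the two things the argument above relies on: that the JZ before SetTimer and the JNZ after it both land on 0043D419, and that exactly one byte changes. The SAMPLE_IMAGE is constructed from the bytes in the listing and is not the real CrackMe; a real file is only patched (to a copy, never in place) when two paths are given on the command line, and the script refuses to patch unless the byte sequence occurs exactly once.

```python
"""Added example (not part of the original tutorial): apply the one-byte
JZ -> JMP patch and verify that the two jumps converge on 0043D419.

Assumptions: the byte sequence from the listing occurs exactly once in the
target; SAMPLE_IMAGE below is a constructed stand-in, not the real CrackMe."""
import struct
import sys
from pathlib import Path

# Bytes exactly as shown in the disassembly: CMP WORD PTR [EBX+2E],00 ; JZ +33h
ORIGINAL = bytes.fromhex("66837B2E007433")
PATCHED = bytes.fromhex("66837B2E00EB33")
JZ_INDEX = 5                 # position of the 74h opcode inside ORIGINAL
OPCODE_JZ_REL8 = 0x74        # JZ  rel8 (conditional short jump)
OPCODE_JMP_REL8 = 0xEB       # JMP rel8 (unconditional short jump, same length)

# Virtual addresses taken from the listing.
VA_JZ = 0x0043D3E4
VA_JNZ = 0x0043D3F6
VA_COMMON_EXIT = 0x0043D419


def rel8_target(insn_va: int, rel8: int) -> int:
    """Target of a two-byte short jump: address of the next instruction plus
    the sign-extended 8-bit displacement. This is why 74 33 and EB 33 land on
    the same address: only the opcode changes, the displacement does not."""
    disp = struct.unpack("<b", bytes([rel8]))[0]
    return (insn_va + 2 + disp) & 0xFFFFFFFF


def jumps_converge() -> bool:
    """Both the JZ before SetTimer and the JNZ after it reach 0043D419, so
    skipping the SetTimer block never changes the code path that follows it."""
    return (rel8_target(VA_JZ, 0x33) == VA_COMMON_EXIT
            and rel8_target(VA_JNZ, 0x21) == VA_COMMON_EXIT)


def patch_jz_to_jmp(image: bytes) -> bytes:
    """Return a copy of image with the JZ in ORIGINAL turned into JMP.
    Refuses to patch unless the pattern occurs exactly once: a second hit
    would mean we might change the wrong instruction."""
    first = image.find(ORIGINAL)
    if first < 0:
        raise ValueError("pattern not found: wrong file, or already patched?")
    if image.find(ORIGINAL, first + 1) >= 0:
        raise ValueError("pattern is not unique: refusing to patch blindly")
    off = first + JZ_INDEX
    if image[off] != OPCODE_JZ_REL8:
        raise ValueError("expected 74h (JZ) at the patch offset")
    out = bytearray(image)
    out[off] = OPCODE_JMP_REL8          # the ONE byte that changes
    return bytes(out)


def patch_file(src: Path, dst: Path) -> int:
    """Write a patched copy of src to dst (never in place) and return the file
    offset of the changed byte so it can be checked in Hacker's View."""
    data = src.read_bytes()
    dst.write_bytes(patch_jz_to_jmp(data))
    return data.find(ORIGINAL) + JZ_INDEX


# Constructed stand-in for the executable: NOP padding around the code bytes
# from the listing above. It is NOT the real CrackMe, just enough to run on.
SAMPLE_IMAGE = (bytes.fromhex("90" * 16)
                + ORIGINAL
                + bytes.fromhex("6A00" "56" "6A01" "8B4328" "50"
                                "E8648FFCFF" "85C0" "7521")
                + bytes.fromhex("90" * 16))


def demo() -> dict:
    """Patch the constructed image and report exactly what changed."""
    patched = patch_jz_to_jmp(SAMPLE_IMAGE)
    changed = [i for i, (a, b) in enumerate(zip(SAMPLE_IMAGE, patched)) if a != b]
    return {"changed_offsets": changed,
            "new_byte": patched[changed[0]],
            "jumps_converge": jumps_converge()}


if __name__ == "__main__":
    if len(sys.argv) == 3:
        off = patch_file(Path(sys.argv[1]), Path(sys.argv[2]))
        print(f"patched byte at file offset {off:#x}")
    else:
        print(demo())
```

Run it without arguments to see the check on the constructed image (one changed offset, new byte EBh, jumps converge); run it as `python patch.py CrackMe.exe CrackMe_patched.exe` to apply the same one-byte change to a copy of the real target. The uniqueness check is the part worth keeping in any hand-made patch: a seven-byte sequence usually occurs once, but "usually" is not what you want to rely on when writing to an executable.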
 
 
 
Another target has been Reverse Engineered. Any questions (no crack requests)?

 
 

"There's always one way to crack a target - just think a bit!" - TORN@DO

-------------------------------------------------------
Forum:   http://disc.server.com/discussion.cgi?id=42877
Website:                       http://learn2crk.cjb.net
-------------------------------------------------------
    


Copyright © 1999 by TORN@DO and The Immortal Descendants. All Rights Reserved.