Reverse Code Engineering RCE CD +sandman 2000 / ReverseCodeEngineeringRceCdsandman2000.iso / RCE / E_bliss / bs-cm1.txt
Text file, 2000-05-25, 4KB, 70 lines
Brad Soblesky Crackme #1 Tutorial
░
░ ░ ░ ▄▓
▄▄ ░░ ▄▄▄▄■ ░░▀ ■▄▄▄ ▄▄ ▐█▓▌
▄▀▀ ▀■ ▀ ░░ ▀ ■▀ ▀▀▄ ██▌
■ ▄▄▀▀ ▄▄██▀██▄▄ ▄▄▄███▄▄ ▀▄▄ ■ ▄▄▄███▄▄▐██ ▄▄████▄▄
▀▄▄ ▄▀▀ ▄███▀ ▀██▓▄ ▄████▀ ▀██▓▄ ▀▄ ▄▄▀ ▄████▀ ▀██▓██ ▄████▀ ▀██▓▄
▀▀ ▄ ▐███▌ ░ ▐██▓▌ ▐████▌ ░ ▐██▓▌ ▄ ▀▀ ▐████▌ ░ ▐████▌ ▐████▌ ▐██▓▌
■██▄▄▓▌ ████ ░▒░ ████ █████▄▄▄ ▀▀▀▀ ▐█▄▄█▓ █████ ░ █████ █████▄▄▀▀▀▀▀▀▀
▐████ ░░ ▓██▌ ░▒▓▒░ ▐███ ▄▄▄▄▄ ▀▀▀████▄ ████▌ ▓███▌ ▐████ ▓███▌ ░░░░░░
░ ███▌ ░ ▐▓███ ░▒▓▒░ ▓███▌▓███▌ ░░░ ▐████ ▐▓██ ▓███▌ ▄▀▀ ▐████ ▓███▌ ░░░░░░░
▓██▌ ▐▓███ ░▒░ ▓███▌▐▓███ ░ ▓███▌ ▐▓██ ▐▓███ ▓███▌ ▐▓███
▐▓███ ▐▓▓██▌ ░ ▐▓███▌ ▓▓██▌ ▐▓███ ▓███▌ ▓▓██▌ ░ ▐▓███ ▓▓██▌
▓▓▓██▌ ■▓▓▓▓██ ░ ▓█████■ ▀▓▓█▄ ▄▓██▀ ▐▓████ ▄ ▀▓██▄ ▄▓██▀ ▀▓██▄
▀▓███▄ ▀▀▀██▄ ▄▓█▀▀▀ ▀▀█▀▀ ▄▓▓▓▀▀ ▀▀█▀▀ ▀▀▀▀ js
▀▀▀▀▀▄▄ ░ iNSiDE ▄▄▀▀▀▀▀
░ ▀▄ ░ ░░ ▄▀
░░ ░ ░░
Tutor : duelist
Date Written : April 6, 1999
Who : Beginners
Target : Brad Soblesky Crackme #1
Size : 20kb (!)
Tools Used : SoftICE
Method : Code Sniffing
-=* Protection *=-
Well, this crackme is a VERY simple one: it requires only a password, which
normally (if not always) means that the password is hardcoded in the program!
-=* Our Approach *=-
Using SoftICE, this should be EASY work! Knowing that this app uses MFC, I will
start with one of the most basic breakpoints (bpx) for this type of crackme written with MFC.
1) Switch to SoftICE (Ctrl + D) and type "bpx lstrlen" (you SHOULD break a little
before the point where the app compares your code with the correct one).
2) Enter any code you want and press Check, then hit F12 to return to the program's code:
   .0000155F: 50             push eax                      ; your fake code
   .00001560: FF1504204000   call [KERNEL32!lstrlen]
-> .00001566: 8945F0         mov [ebp-10],eax
   .00001569: 837DF001       cmp dword ptr [ebp-10],01     ; is the code >= 1 char long?
/- .0000156D: 7316           jae .000001585                ; if yes, jump to the compare routine
|  .0000156F: 6A40           push 040                      \
|  .00001571: 682C304000     push 00040302C                |
|  .00001576: 6834304000     push 000403034                | Oops, no code was entered:
|  .0000157B: 8B4DE0         mov ecx,[ebp-20]              | show an error message!
|  .0000157E: E87B050000     call .000001AFE               |
|  .00001583: EB3C           jmps .0000015C1               /
\- .00001585: 8D4DE4         lea ecx,[ebp-1C]
   .00001588: 51             push ecx                      ; REAL code being pushed
   .00001589: 8D55F4         lea edx,[ebp-0C]
   .0000158C: 52             push edx                      ; your FAKE code being pushed
   .0000158D: FF1500204000   call [KERNEL32!lstrcmp]       ; stop here and do a "d ecx"... Bingo!
   .00001593: 85C0           test eax,eax                  ; compare codes...
3) Did you understand? Stop at the lstrcmpA call, do 'd ecx', and you get the real code, which is <BrD-SoB>... Cheers!
-=* Final Notes *=-
This was a simple tutorial that should help you when dealing with MFC applications that have
a hardcoded password (and sometimes even when the password is not hardcoded).