
  1. Tutorial: Crackme 1a (nOp3x)
  2. By: Sanhedrin
  3.  
  4. Tools:  W32DASM
  5.         Softice
  6.  
  7.  
  8. This was a fun crackme to do because it forces the cracker to use a little brain 
  9. power to get the correct code.  So, let's begin.
  10.  
  11. Start up SoftICE, enter the serial
  12.  
  13. 12344321
  14.  
  15. and set a breakpoint:
  16.  
  17. bpx getdlgitemtexta
  18.  
  19. Press OK and, once you have broken into SoftICE, disable the breakpoint.
  20.  
  21. * Reference To: USER32.GetDlgItemTextA, Ord:0000h
  22.                                   |
  23. :0040115D E8E4030000              Call 00401546
  24. :00401162 8D4DF4                  lea ecx, dword ptr [ebp-0C]<--- you will land here
  25. :00401165 51                      push ecx
  26. :00401166 E811FFFFFF              call 0040107C<----call to the serial calculation
  27. :0040116B 59                      pop ecx
  28.  
  29. * Possible Reference to Dialog: DialogID_0001 
  30.  
  31.  
  32. At 00401166 press F8 to trace into the called function.  This will take you to 
  33. 0040107C.  
  34.  
  35. This crackme takes our serial number and, after a few calculations, compares
  36. it with the actual number.  A curve is thrown at us however.  Our entered number
  37. is compared to a hardcoded number, and the two are calculated with different equations.
  38. The end numbers should be the same for the program to be cracked.  Thus, following
  39. the code is:
  40.  
  41. * Referenced by a CALL at Address:
  42. |:00401166   
  43. |
  44. :0040107C 55                      push ebp<----you will land here
  45. :0040107D 8BEC                    mov ebp, esp
  46. :0040107F 53                      push ebx
  47. :00401080 57                      push edi
  48. :00401081 8B5D08                  mov ebx, dword ptr [ebp+08]
  49. :00401084 53                      push ebx
  50.  
  51. * Reference To: cw3220._atol, Ord:0000h
  52.                                   |
  53. :00401085 E880040000              Call 0040150A
  54. :0040108A 59                      pop ecx
  55. :0040108B 8BD0                    mov edx, eax
  56. :0040108D B9E7030000              mov ecx, 000003E7
  57. :00401092 81C2495F0E00            add edx, 000E5F49<----add 000E5F49 to our number (12344321)
  58. :00401098 81C1A93E0F00            add ecx, 000F3EA9<----add 000F3EA9 to the hard coded number (999)
  59. :0040109E 90                      nop
  60. :0040109F 90                      nop
  61. :004010A0 40                      inc eax
  62. :004010A1 47                      inc edi
  63. :004010A2 43                      inc ebx
  64. :004010A3 48                      dec eax
  65. :004010A4 4F                      dec edi
  66. :004010A5 4B                      dec ebx
  67. :004010A6 90                      nop
  68. :004010A7 90                      nop
  69. :004010A8 83C258                  add edx, 00000058<----add 58 to our new number
  70. :004010AB 83C1A9                  add ecx, FFFFFFA9<----subtract 57 from the new hard coded number
  71. :004010AE 3BD1                    cmp edx, ecx<----compare the two numbers
  72. :004010B0 7518                    jne 004010CA<----jump to bad luck if not correct
  73. :004010B2 6800100000              push 00001000
  74.  
  75. * Possible StringData Ref from Data Obj ->"Well Done"
  76.                                   |
  77. :004010B7 68AB204000              push 004020AB
  78.  
  79. * Possible StringData Ref from Data Obj ->"Congratulations. You successfully "
  80.                                         ->"cracked this program"
  81.                                   |
  82. :004010BC 6874204000              push 00402074
  83. :004010C1 6A00                    push 00000000
  84.  
  85. * Reference To: USER32.MessageBoxA, Ord:0000h
  86.                                   |
  87. :004010C3 E872040000              Call 0040153A
  88. :004010C8 EB16                    jmp 004010E0
  89.  
  90. * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  91. |:004010B0(C)
  92. |
  93. :004010CA 6800100000              push 00001000
  94.  
  95. * Possible StringData Ref from Data Obj ->"Bad luck"
  96.                                   |
  97. :004010CF 68E5204000              push 004020E5
  98.  
  99. * Possible StringData Ref from Data Obj ->"Bad luck. You have failed to crack "
  100.                                         ->"this program"
  101.                                   |
  102. :004010D4 68B5204000              push 004020B5
  103. :004010D9 6A00                    push 00000000
  104.  
  105. * Reference To: USER32.MessageBoxA, Ord:0000h
  106.                                   |
  107. :004010DB E85A040000              Call 0040153A
  108.  
  109.  
  110. --Solution--
  111.  
  112. First, at 004010AE (cmp EDX, ECX), type
  113.  
  114. ? EDX <---- 13286306 (our number)
  115. ? ECX <---- 999993 (the number we want it to be)
  116.  
  117. From the calculations above, we know that
  118.  
  119. ECX + 999051 - 57 = 999993
  120. EDX + 941927 + 58 = 13286306
  121.  
  122. Therefore, to get the real number we use
  123.  
  124. 999993 - 58 - 941927 = 58008
  125.  
  126.  
  127. Thanks to all of those coders that make these crackmes, and of course to Eternal Bliss.
  128.  
  129.  
  130. Sanhedrin
  131. stachi@geocities.com