Tutorial Number 14
Written by Eternal Bliss
Email: Eternal_Bliss@hotmail.com
Website: http://crackmes.cjb.net
http://surf.to/crackmes
Date written: 19th Mar 1999
Program Details:
Name: cRACKME #2
Author: lEK/tOL
Tools Used:
SoftIce
Crackers' Tools written by Borna Janes and me
Cracking Method:
Code sniffing
Viewing Method:
Use Notepad with Word Wrap switched on
Screen Area set to 800 X 600 pixels (Optional)
__________________________________________________________________________
About this protection system
No disabled function. Protection is based on a password.
__________________________________________________________________________
The Essay
In this essay, when I write type "d edx" or a similar SoftIce command,
I mean type it without the quotes. This is a very simple CrackMe, so I won't be
explaining much.
__________________________________________________________________________
SoftIce
Like I said in my 2 essays on general VB cracking, there are 2 main
"popular" breakpoints used when VB programs check a serial/password.
They are:
__vbastrcomp
__vbavartsteq
Well, since this CrackMe is written in VB, let's try our luck.
Set the two breakpoints by typing "d __vbastrcomp" and "d __vbavartsteq"
Run the CrackMe. Type in "12345678" for the password. Click on "cHECK"...
Did you break into SoftIce on __vbastrcomp?? Well, I did. 8P
Here is a dump from Softice...
MSVBVM50!__vbaStrComp
:7B2F3564 8BEC MOV EBP,ESP
:7B2F3566 53 PUSH EBX
:7B2F3567 56 PUSH ESI
:7B2F3568 57 PUSH EDI
:7B2F3569 837D1000 CMP DWORD PTR [EBP+10],00
:7B2F356D BE00000000 MOV ESI,00000000
:7B2F3572 7406 JZ 7B2F357A (NO JUMP)
:7B2F3574 8B4510 MOV EAX,[EBP+10]
:7B2F3577 8B70FC MOV ESI,[EAX-04]
:7B2F357A 837D0C00 CMP DWORD PTR [EBP+0C],00
:7B2F357E BF00000000 MOV EDI,00000000
:7B2F3583 7406 JZ 7B2F358B (NO JUMP)
:7B2F3585 8B4D0C MOV ECX,[EBP+0C]
:7B2F3588 8B79FC MOV EDI,[ECX-04]
:7B2F358B 3BFE CMP EDI,ESI
Just these few lines are enough for you to crack the CrackMe.
------------------------
Right after :7B2F3574, if you do a "d eax", you will see this in your
code window...
:004118E8 31 00 32 00 33 00 34 00-35 00 36 00 37 00 38 00 1.2.3.4.5.6.7.8.
This looks like the password we entered, right? Since it is VB, the password
has been converted to w.i.d.e. .c.h.a.r.a.c.t.e.r.s
And just after :7B2F3577, if you type "? esi" you will see
00000010 0000000016 ""
in your command window (the place where you do your typing)
What does this mean? Well, your password is 8 characters. But because it has
been converted to wide characters, it is now double the length: 16 in decimal
and 10 in hex.
**You can actually see that esi=00000010 in the register window.
------------------------
Right after :7B2F3585, if you do a "d ecx", you will see this in your
code window...
:00401E18 57 00 67 00 FF 00 31 00-2E 00 6B 00 36 00 2E 00 W.g...1...k.6...
:00401E28 23 00 FF 00 FF 00 FF 00-FF 00 24 00 20 00 00 00 #.........$. ...
And just after :7B2F3588, if you type "? edi" you will see
0000001E 0000000030 ""
in your command window.
**You can actually see that edi=0000001E in the register window.
So, following what I said for esi: since edi=0000001E, converted to decimal
it is 30. To get the correct length, divide it by 2 and you will get 15.
------------------------
So, our correct password is 15 characters long. Now, look at the code window
after you typed "d ecx". The hex values (30 of them) are:
57 00 67 00 FF 00 31 00-2E 00 6B 00 36 00 2E 00
23 00 FF 00 FF 00 FF 00-FF 00 24 00 20 00
Ignoring the 00s, since they are the high bytes VB adds for wide characters, you will have
57 67 FF 31 2E 6B 36 2E 23 FF FF FF FF 24 20
**Count the number of Hex values... it will be 15.
Use Crackers' Tools (the program I coded with Borna Janes) to convert
the hex values to ASCII. You will get
"Wg 1.k6.# $ "
**After the "$", there is a space. Ignore the quotations.
**Also, if you just look at the ascii shown in SoftIce, you will get the
wrong password. Compare what you converted with what is shown!
Now, type in the string you converted from the Hex values.
You will get a message saying that you have made it!
CrackMe Cracked!!
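As an added example (not from the tutorial or the CrackMe), the Python below models the string layout the dumps above reveal: a 32-bit byte length stored just before the UTF-16LE character data, which is exactly what MOV ESI,[EAX-04] and MOV EDI,[ECX-04] read, and why a password kept in the binary and checked with a plain string compare is readable at the comparison point. It rebuilds the "d ecx" bytes from the page, recovers the 30/15 lengths and the text, and shows why SoftIce's ASCII column hides the FF characters; str_comp is a simplified model of the __vbaStrComp prelude, an assumption rather than the runtime's code.

```python
import struct

# Constructed from the tutorial's "d ecx" dump at 00401E18: the 30 bytes of
# UTF-16LE character data (the 4-byte BSTR length prefix sits just before them).
DUMP_HEX = (
    "57 00 67 00 FF 00 31 00 2E 00 6B 00 36 00 2E 00 "
    "23 00 FF 00 FF 00 FF 00 FF 00 24 00 20 00"
)

def bstr_from_bytes(data: bytes) -> bytes:
    """Lay out a VB BSTR: byte-length prefix, UTF-16LE data, terminating NUL."""
    return struct.pack("<I", len(data)) + data + b"\x00\x00"

def make_bstr(text: str) -> bytes:
    """What VB builds for a typed password such as "12345678"."""
    return bstr_from_bytes(text.encode("utf-16-le"))

def bstr_from_dump(hex_dump: str) -> bytes:
    return bstr_from_bytes(bytes.fromhex(hex_dump.replace(" ", "")))

def bstr_len_bytes(bstr: bytes) -> int:
    """Mirror MOV ESI,[EAX-04]: the 32-bit byte length stored before the data."""
    return struct.unpack_from("<I", bstr, 0)[0]

def bstr_chars(bstr: bytes) -> int:
    """Byte length / 2 = number of wide characters (0x10 -> 8, 0x1E -> 15)."""
    return bstr_len_bytes(bstr) // 2

def bstr_text(bstr: bytes) -> str:
    """Decode the character data properly instead of just dropping the 00s."""
    n = bstr_len_bytes(bstr)
    return bstr[4:4 + n].decode("utf-16-le")

def str_comp(a: bytes, b: bytes) -> int:
    """Simplified model (an assumption, not the runtime's code) of the prelude:
    lengths are read and compared first (CMP EDI,ESI), then the characters.
    Returns 0 when equal, like VB's StrComp."""
    la, lb = bstr_len_bytes(a), bstr_len_bytes(b)
    if la != lb:
        return -1 if la < lb else 1
    ta, tb = bstr_text(a), bstr_text(b)
    return (ta > tb) - (ta < tb)

def softice_ascii(bstr: bytes) -> str:
    """The ASCII column of a SoftIce dump: '.' for every non-printable byte, so
    the 0xFF characters look the same as the 0x00 high bytes by eye."""
    n = bstr_len_bytes(bstr)
    return "".join(chr(c) if 0x20 <= c < 0x7F else "." for c in bstr[4:4 + n])
```

Decoding gives the four FF bytes as U+00FF characters, which is why comparing the converted string with the dump's ASCII column matters before typing it in.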
__________________________________________________________________________
Final Notes
This tutorial is dedicated to all the newbies like me.
And because I'm a newbie myself, I may have explained certain things wrongly.
So, if that is the case, please forgive me. Email me if there is anything
you are not clear about.
My thanks and gratitude go to:-
The Sandman
All the writers of Cracks tutorials and CrackMes