tc5.txt (Reverse Code Engineering RCE CD +sandman 2000, RCE / E_bliss) | Text File | 2000-05-25 | 4KB | 127 lines
Terminal Cilla's
Tutorial#5
[Target Infos:]
[Name :] CrackMe 5
[Author:] FireWorX
[Type :] RegCode
[Where :] http://crackmes.cjb.net
[Needed Tools:]
SoftIce
[Our Aim:]
Find the RegCode
-----------------------------------------------------------------------------
Hi Reader.
I'm sorry for all grammatical and orthographic errors.
Today we deal with "CrackMe 5" by 'FireWorX'.
I assume that you have already configured your SoftIce and
that you are basically at home in SI - otherwise stop reading
and take a "SoftIce4Newbies" tutorial first.
Still here?
Ok, let's go!
Step1:
------
What's the first thing we notice about this crackme?
Of course: there is no "OK" or "Check" button.
So what does that mean?
The program must check every single input by itself.
Ok, let's enter a value:
I used:
Test-990088
Hmm, nothing happens!
Step2:
------
Let's hunt for our wanted regcode with SoftIce.
Set a breakpoint on 'hmemcpy' and press
<F5> to return to the program.
But what's going on now? We don't return!
Pressin' <F5> again and again, and we are still
in SoftIce.
Ok, let's think a bit.
The fact that we keep breaking on 'hmemcpy'
suggests there is a constant memory access going on.
And what else did we see while pressin' <F5>?
Yes, we were always at the same position.
Seein' all this, we must be in a big loop!
Since we don't have an endless loop ;) there
must be an end condition.
Our loop could look like this:
********************************
repeat
  if input <> Serial then
    condition := false
  else
    condition := true;
until condition = true;
********************************
So, let's go on with SoftIce:
1 * F11  (press F11 once)
11 * F12 (press F12 eleven times)
-----------------------------------------------------------------------
Step3: (writing down our serial;)
------
:00441A0E 8B45FC        mov eax, dword ptr [ebp-04]        -> we are here
:00441A11 50            push eax                           -> our code in eax
:00441A12 8D55F8        lea edx, dword ptr [ebp-08]
:00441A15 8B83C8020000  mov eax, dword ptr [ebx+000002C8]
:00441A1B E8A417FEFF    call 004231C4
:00441A20 8B55F8        mov edx, dword ptr [ebp-08]        -> !
:00441A23 58            pop eax
:00441A24 E83321FCFF    call 00403B5C                      -> compare routine
:00441A29 7549          jne 00441A74                       -> if 'our code <> real code' then goto loop
Inspecting the eax register will show us our serial.
Tracin' further brings us to :00441A20, where 'edx'
gets the value 'RegCode' - isn't that the label above the input box?
At :00441A29 there is a conditional jump. Here the decision is made whether you
have won or lost. Before that jump there's a call -
let's examine it.
Pressin' <F8> while we are on the call will bring us here:
------------------------------------------------------
:00403B5C 53      push ebx
:00403B5D 56      push esi
:00403B5E 57      push edi
:00403B5F 89C6    mov esi, eax
:00403B61 89D7    mov edi, edx
:00403B63 39D0    cmp eax, edx        -> !
Something is compared at :00403B63 - let's see what.
'eax' holds our dummy code, and what have we got
in 'edx'? Hmm, once again it's 'Regcode'.
Hey, maybe FireWorX tried to trick us with
that CrackMe.
To prove our assumption, we enter
'Regcode' and *boom* a "cracked" msg appears.
Well, our job is done!
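To make the weak spot concrete, here is an added C example (not code from CrackMe 5, from FireWorX, or from this tutorial). It contrasts the pattern found above, a plaintext expected code loaded into a register right before the compare, with a hardened variant that embeds only a digest and compares it without data-dependent branches, and it replays the Step 2 "repeat until condition = true" loop against a constructed list of input states to show why a breakpoint on the copy routine keeps firing at the same spot. The secret "Regcode" and the typed inputs are constructed stand-ins for the real binary; check_weak, check_hardened, fnv1a32, ct_equal32, poll_until_accepted and SAMPLE_TYPED are names introduced here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example, not code from CrackMe 5 or the tutorial. The secret
 * "Regcode" below is a constructed stand-in mirroring what the tutorial
 * reads out of edx; the real binary is not reproduced here. */

/* Weak pattern: the expected code lives in the binary as a plain string
 * and is loaded right before the compare, which is why reading edx at
 * the cmp hands the answer over. */
int check_weak(const char *input)
{
    const char *expected = "Regcode";   /* constructed secret, plaintext */
    return strcmp(input, expected) == 0;
}

/* FNV-1a 32-bit hash. Non-cryptographic; used only to show the shape of
 * the hardened pattern. A shipping product would use a slow KDF or an
 * asymmetric signature over the licence data instead. */
uint32_t fnv1a32(const char *s)
{
    uint32_t h = 0x811C9DC5u;           /* FNV offset basis */
    for (; *s != '\0'; s++) {
        h ^= (unsigned char)*s;
        h *= 0x01000193u;               /* FNV prime */
    }
    return h;
}

/* Branch-free equality on the digests, so the compare gives no
 * byte-by-byte "how close was I" signal through timing or a jne chain. */
int ct_equal32(uint32_t a, uint32_t b)
{
    uint32_t d = a ^ b;
    d |= d >> 16;
    d |= d >> 8;
    d |= d >> 4;
    d |= d >> 2;
    d |= d >> 1;
    return (int)(1u ^ (d & 1u));        /* 1 when a == b, else 0 */
}

/* Hardened pattern: only a digest of the expected code is embedded, so a
 * debugger parked on the compare sees 0x28DF3164, not "Regcode". */
#define EXPECTED_DIGEST 0x28DF3164u     /* fnv1a32("Regcode"), precomputed */

int check_hardened(const char *input)
{
    return ct_equal32(fnv1a32(input), EXPECTED_DIGEST);
}

/* The "no OK button" loop from Step 2, with the user's keystrokes
 * replaced by an array of successive input states. Returns the index of
 * the first accepted input, or -1 if none is. Every iteration copies and
 * checks the buffer, which is why a breakpoint on the copy routine keeps
 * firing at the same position. */
int poll_until_accepted(const char *const *inputs, size_t n,
                        int (*check)(const char *))
{
    char buf[64];
    for (size_t i = 0; i < n; i++) {
        strncpy(buf, inputs[i], sizeof buf - 1);   /* the hmemcpy-like copy */
        buf[sizeof buf - 1] = '\0';
        if (check(buf))
            return (int)i;
    }
    return -1;
}

/* Constructed sequence of what a user might type, one state per edit. */
const char *const SAMPLE_TYPED[] = { "Test-990088", "Regcod", "Regcode" };
const size_t SAMPLE_N = sizeof SAMPLE_TYPED / sizeof SAMPLE_TYPED[0];

int main(void)
{
    printf("weak:     accepted at index %d\n",
           poll_until_accepted(SAMPLE_TYPED, SAMPLE_N, check_weak));
    printf("hardened: accepted at index %d\n",
           poll_until_accepted(SAMPLE_TYPED, SAMPLE_N, check_hardened));
    printf("fnv1a32(\"Regcode\") = 0x%08X\n", fnv1a32("Regcode"));
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c` and run. Both checks accept the third input state, so the user-visible behaviour is identical; the difference is what a debugger sees at the compare. With check_weak the register holds the literal "Regcode", the situation the tutorial exploits. With check_hardened it holds a 32-bit digest, and a 32-bit FNV digest is only a placeholder: it can be brute-forced quickly, so a real product would replace it with a slow KDF or a signature check, but the structural point stands: never load the plaintext secret into the compare.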
Thx4Readin'
-----------------------------------------------------------------------------
-=I'm still a newbie - So I can only get better!=-
(c) Terminal Cilla (April 1999)
Peace&Respects 2: FireWorX, Eternal_Bliss, The_Sandman, Torn@do,
duelist, Sanhedrin and all crackme-coders
and tutorial-writers.
________________________
| Be sure to visit: |
| http://crackmez.cjb.net|
| & |
| http://crackmes.cjb.net|
|________________________|