Reverse Code Engineering RCE CD +sandman 2000 / ReverseCodeEngineeringRceCdsandman2000.iso / RCE / Mendoza / lxthowto3.txt
Text File | 2000-05-25 | 9KB | 155 lines
the right way to go!
GERMAN CRACKING FORCE / PC
Cracking - HowTo #3 made for you by JoGy [Laxity]
I read the tutorial from Yaan!, another cracker from Laxity, and
thought: I should show you the differences between cracking with a
disassembler and a debugger. So I decided to write this tutorial
about cracking Ghosttyper 1.0e with SoftIce.
This tutorial won't show you how SoftIce works, but it will show you
how to crack a shareware program using it.
What you will need:
* SOFTICE v3.0 or higher:
  SoftIce is a "must-have" in the scene. Try to get it at
  http://cracking.home.ml.org/ and don't blame me if you can't find
  it or if it's deadlinked!
* PIECE OF PAPER:
  You'll need it later to write down the right code 8)
Oky, let's start. Open ghosttyper.exe with the Symbol Loader from
SoftIce and execute it by clicking on the LOAD button. You will be in
SoftIce at the beginning of the program, so it's time to configure
SoftIce a little bit: type 'data' [enter] and then 'r' [enter]. Now one
part of the SoftIce window shows the CPU registers and another shows
the offset addresses and what's stored in them.
Press [F5] to let the program run again. The Ghosttyper window where
you should register will open. Click on the 'register' button and
enter your name and a dummy code (e.g. 98765432). BEFORE you click on
the OK button, go back into SoftIce by pressing [CTRL] and [d] at the
same time. Back in ICE you have to set a breakpoint. There are many
possible breakpoints to set, but the one I prefer breaks on hmemcpy.
This bp will be activated whenever the program calls the hmemcpy
procedure (this program reads in three values, so it calls hmemcpy
three times). Set the breakpoint by typing this in SoftIce:
'bpx hmemcpy' [ENTER] (bpx means breakpoint on execution).
Now press [F5] again to switch back to Ghosttyper and click the OK
button. Immediately you will be back in ICE due to the breakpoint at
hmemcpy. Press [F5] two times. Now press [F12] until you are out of
the 16-bit addresses and into the 32-bit addresses. You will stop at
0137:00436E92 POP ESI. We are no longer in KERNEL but in the GHOSTTYPER
code, and that's what we want. The prog has read all necessary
information with hmemcpy. But where are the codes? They have to be
somewhere... so let's search for the dummy code 98765432! Probably the
code is at an address beginning with 013F:????????, so let's move to
those addresses by typing 'd 013F:00000000'. Now let's search: type
's' (for search), then the start offset 0, then 'l ffffffff' (type as
many 'f's as your code has digits; each 'f' stands for one position in
your dummy code), then the dummy code in quotes:
's 0 l ffffffff '98765432' [ENTER]
After that you will see 'pattern found at 013F:00ADB778'! Now, try to
think (if that is possible)... our dummy code is at the address
013F:00ADB778. hmmm......
What we wanna find is the compare between our dummy code and the
right code, so all we have to do is set another breakpoint that will be
activated if our dummy code is moved, read, deleted or overwritten.
Therefore we use 'bpm 013F:00ADB778' [ENTER] (bpm means breakpoint on
memory access).
After you have defined this bpm, press [F5] and you will immediately be
back at the address 0137:00402AF1 INC ESI. This means that something
happens to our dummy code here; look at the memory ESI points to by
typing 'd esi' [ENTER]. WOW! Our code is there, at the address held in
ESI. The line above, MOV BL,[ESI], has moved the first digit of our code
into the BL register. Trace further by pressing [F10] and let's try to
understand what happens to our code: there are many compares, but none
of them is THE cmp WE are looking for. At the address 0137:00402B1D
ADD EAX,EBX the first numba will be moved into the EAX register. If you
trace further you will notice that we are in a loop which moves one
codenumba after another into the EAX register using ADD EAX,EBX. Press
[F10] until you reach 0137:0046301F MOV ESI,EAX (before that you should
have left two calls by tracing through RET instructions). Type '? eax'
and you will see our dummy code in the EAX register. Now it will be
moved into the ESI register. Trace one step further, type '? esi' and
you will see our dummy code in the ESI register. Trace two steps further
and you are digging gold: CMP ESI,EAX. Yeah. That's it. The call before
has put the right code into EAX. Get its value by typing '? eax' and use
your piece of paper to write your code down!
If you wanna know how the code was calculated... have a look into the
call before. But that's only necessary if you want to code a
keygenerator. (Maybe in the next tutorial?)
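The weakness this walkthrough depends on is a design one: the program rebuilds the valid code in a register and compares it directly with what was typed, so a memory-access breakpoint on the typed code leads straight to the secret. Added example (not from the tutorial and not Ghosttyper's code; derive_code, parse_code and the licence-digest scheme are constructed stand-ins): the weak check beside a variant that only ever holds a digest issued with the licence, so the valid code never exists in the running program.

```python
import hashlib
import hmac

# Constructed stand-in for a 1990s name-based serial scheme (hypothetical,
# NOT Ghosttyper's real algorithm): the valid code is derived from the name.
def derive_code(name: str) -> int:
    total = 7
    for ch in name.upper():
        total = (total * 31 + ord(ch)) % 100_000_000
    return total

def parse_code(code: str) -> int:
    """Digit-accumulation loop, like the ADD EAX,EBX loop in the tutorial."""
    value = 0
    for ch in code:
        if not ch.isdigit():
            raise ValueError("code must be numeric")
        value = value * 10 + (ord(ch) - ord("0"))
    return value

def check_weak(name: str, code: str) -> bool:
    # The valid code is now sitting in memory (the "call before" in the
    # tutorial); one compare later a debugger can simply read it out.
    expected = derive_code(name)
    return parse_code(code) == expected     # the CMP ESI,EAX

# Hardened variant: the vendor issues a digest of (name, code) with the
# licence. The program stores and compares only that digest; the valid
# code is never derived at run time, so a memory-access breakpoint on the
# typed code leads to a hash computation, not to the secret in a register.
def issue_licence(name: str, code: str) -> bytes:
    """Vendor-side step at purchase time (constructed scheme)."""
    return hashlib.sha256(f"{name.upper()}\x00{code}".encode()).digest()

def check_hardened(name: str, code: str, issued_digest: bytes) -> bool:
    candidate = hashlib.sha256(f"{name.upper()}\x00{code}".encode()).digest()
    # compare_digest keeps the comparison constant-time
    return hmac.compare_digest(candidate, issued_digest)
```

The hardened variant keeps the valid code out of memory; it does not by itself protect the stored digest or the comparison branch from tampering, which needs a signed licence checked against a public key or a server-side check.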
You made it. You ripped a code out of a shareware program using
SoftIce!
Did you notice that it's much cheaper to register a ProG this way
???? C'mon....
If you understood it and you have fun cracking other progs: JOIN
US...
JOIN LAXITY - GERMAN CRACKING FORCE!!! Mail us and become a trial
memba!
Perhaps I will write some other tutorials (if you want me to!), but
don't terrorize me by sending too much mail. (A tuti like this needs its
time to be done!)
GOOD LUCK TRYING to CRACK shareware ProGs!
CU
JoGy [Laxity]
Membaz:
  Animalo        founder, cracker       laxity_hq@gmx.net
  SONIC 98       cracker, iNET admin    laxity_s98@gmx.net
  pCsK8R         cracker                laxity_pc@gmx.net
  Yaan!          cracker                laxity_yaan@hotmail.com
  JoGy           cracker                jogy_laxity@hotmail.com
  The Brain      cracker                the.brain.@gmx.net
  xCrk           cracker                xcrk@bigfoot.com
  vTeC           cracker
  Swoop          cracker
  Smakkker       cracker
  Twister        cracker
  Tiger of THT   gfxer
  Raptor #1      driver
Trial Membaz:
  _awe_          gfxer, tester
Greetz:
  APP - GCG - GWA98 - NEXUS98 - UCF2000 - PC98
Join Laxity:
  Are you a cracker?... Contact laxity and ask him if you can join!
  We also need slaves for our irc, spread, test and help section...
iNET:
  IRC EFNET:  #laxity98
  German Hq:  http://gcf.notrix.de