Cracking Projects For Newbies

Task 2
Thursday, 04-Feb-99 15:58:53
    195.92.194.15 writes:

    Finally managed to change my name and Message Subject... 8P

    1. Using W32Dasm, create a dead listing of memory Game '95 and
    explain as best you can, the 'best' location you think we can
    'patch' this program.
    (Hint, locate where the 'Good Cracker' message can be found then
    look around a little).

    Method 1: (requires two separate patches)

    1st String: (Sorry, the registration code does not match! Try again or Ca)

    :00405C3D E87E700000 call 0040CCC0 =====Important CALL
    :00405C42 83C408 add esp, 00000008
    :00405C45 85C0 test eax, eax
    :00405C47 0F8434010000 je 00405D81 =====Jump to Good message
    :00405C4D 8B45E4 mov eax, dword ptr [ebp-1C]

    * Possible Reference to String Resource ID=61244: "Sorry, the registration code does not match! Try again or Ca"
    |
    :00405C50 683CEF0000 push 0000EF3C


    You can change je 00405D81 (0F8434010000) to jne 00405D81 (0F8534010000). This is actually the code used during startup of the program. But if you use the correct code, you will be shown the Bad Message.



    ---------------Next reference to it--------------


    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0040B744(C) =====Take note of where the Conditional Jump is from
    |

    * Possible Reference to String Resource ID=61244: "Sorry, the registration code does not match! Try again or Ca"
    |
    :0040B9BC 683CEF0000 push 0000EF3C


    ===================================================


    2nd String: (Thank you for registering %s)
    This is the part of code used during registration.

    :0040B73A E881150000 call 0040CCC0 =====Important CALL
    :0040B73F 83C408 add esp, 00000008
    :0040B742 85C0 test eax, eax
    :0040B744 0F8572020000 jne 0040B9BC =====Jump to Bad Message, see above
    :0040B74A 8B45EC mov eax, dword ptr [ebp-14]
    :0040B74D FF701C push [eax+1C]
    :0040B750 C7405C01000000 mov [eax+5C], 00000001


    You can replace jne 0040B9BC (0F8572020000) with je 0040B9BC (0F8472020000). But if you use the correct code, you will be shown the Bad Message.



    * Reference To: USER32.GetParent, Ord:0115h
    |
    :0040B757 FF151C594300 Call dword ptr [0043591C]
    :0040B75D 50 push eax
    :0040B75E E8AF170100 call 0041CF12
    :0040B763 FF701C push [eax+1C]

    * Reference To: USER32.GetMenu, Ord:0101h
    |
    :0040B766 FF1544594300 Call dword ptr [00435944]
    :0040B76C 50 push eax
    :0040B76D E875460100 call 0041FDE7
    :0040B772 50 push eax
    :0040B773 8B4DEC mov ecx, dword ptr [ebp-14]
    :0040B776 FF711C push [ecx+1C]

    * Reference To: USER32.GetParent, Ord:0115h
    |
    :0040B779 FF151C594300 Call dword ptr [0043591C]
    :0040B77F 50 push eax
    :0040B780 E88D170100 call 0041CF12
    :0040B785 8BC8 mov ecx, eax
    :0040B787 E8CE62FFFF call 00401A5A

    * Possible Reference to String Resource ID=61245: "Thank you for registering %s."
    |
    :0040B78C 683DEF0000 push 0000EF3D


    ========================================================


    Another Method: (requires 1 patch)

    Using W32Dasm and tracing into the call at 0040CCC0 that was referred to above,

    :0040CCC0 83EC04 sub esp, 00000004
    :0040CCC3 833D24F1420000 cmp dword ptr [0042F124], 00000000
    :0040CCCA 53 push ebx
    :0040CCCB 56 push esi
    :0040CCCC 7537 jne 0040CD05
    :0040CCCE 8B4C2410 mov ecx, dword ptr [esp+10]
    :0040CCD2 8B542414 mov edx, dword ptr [esp+14]

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0040CCF0(C)
    |
    :0040CCD6 8A01 mov al, byte ptr [ecx]
    :0040CCD8 3A02 cmp al, byte ptr [edx]
    :0040CCDA 751E jne 0040CCFA =====A jump after compare...Suspicious
    :0040CCDC 0AC0 or al, al
    :0040CCDE 7412 je 0040CCF2 =====Jumping out of the loop
    :0040CCE0 8A4101 mov al, byte ptr [ecx+01]
    :0040CCE3 3A4201 cmp al, byte ptr [edx+01]
    :0040CCE6 7512 jne 0040CCFA =====A jump after compare...Suspicious
    :0040CCE8 83C102 add ecx, 00000002
    :0040CCEB 83C202 add edx, 00000002
    :0040CCEE 0AC0 or al, al
    :0040CCF0 75E4 jne 0040CCD6 ======A loop to 40CCD6

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0040CCDE(C)
    |
    :0040CCF2 33C0 xor eax, eax
    :0040CCF4 5E pop esi
    :0040CCF5 5B pop ebx
    :0040CCF6 83C404 add esp, 00000004
    :0040CCF9 C3 ret


    There are two jumps right after compare and you can see the ecx and edx are advanced two bytes in 0040CCE8 and 0040CCEE. First, I presume that this is the actual compare routine where each character of what you entered is compared with the real code. So, at
    :0040CCCE 8B4C2410 mov ecx, dword ptr [esp+10]
    :0040CCD2 8B542414 mov edx, dword ptr [esp+14]

    I changed the mov edx, dword ptr [esp+14] to mov ecx, edx which means that now ecx and edx will have the same value!!

    How to do this...
    1) Check the number of bytes for mov edx, dword ptr [esp+14] (4 bytes)
    2) Take note of the address of mov edx, dword ptr [esp+14]
    3) Choose "Debug" and "Load Process" in W32Dasm
    4) In the right window, choose goto address and type in the address you get in step 2
    5) Choose "Patch Code"
    6) You will be shown another window. Type in mov ecx, edx in "Enter New Instructions Below"
    7) Press Enter
    8) Under "Code Patch Listing", you will see
    :0040CCD2 89D1 mov ecx, edx
    which means two bytes are used. (89D1 = 2 bytes)

    9) Add in two more NOP like in Step 6
    10) Total of 4 bytes.

    :0040CCD2 89D1 mov ecx, edx
    :0040CCD4 90 nop
    :0040CCD5 90 nop

    11) Copy the Assembly code 89D19090 and terminate the process
    12) Using a hex editor, go to the file offset of mov edx, dword ptr [esp+14] which is 0000C0D2
    and replace 8B542414 with 89D19090
    13) Save it. And it's cracked.


    ========================================================


    2. Will one patch be enough or will it require more?

    If I use method 2, only 1 patch is enough.


    ========================================================


    3. What problems, if any, might we encounter if we went ahead and
    patched this babe?
    4. What safeguards are in place to prevent you from patching the
    code, and how can we get round them?

    LOL.... I forgot there is such a thing called "Read-Only" and could not save the file till I changed it. I couldn't trigger the CRC check.

    Eternal Bliss
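As an added check on the post's reading of the call at 0040CCC0, here is the loop reconstructed in C from the listing quoted above, together with the zero/non-zero decision both callers make right after the call; this is example code written for this page, not code from the post or from the program. The mismatch exit at 0040CCFA lies outside the quoted listing, so its return value is assumed non-zero here, and only the path where the flag at 0042F124 is zero is modelled.

```c
#include <stddef.h>

/* Reconstruction of the routine at 0040CCC0 as the quoted listing shows it,
 * for the path where the dword at 0042F124 is zero (jne 0040CD05 not taken).
 * ecx points at the first string, edx at the second. Assumption: 0040CCFA
 * (not in the listing) returns a non-zero value for a mismatch. */
int compare_0040ccc0(const char *ecx, const char *edx)
{
    unsigned char al;
    for (;;) {                                  /* 0040CCD6: loop head          */
        al = (unsigned char)ecx[0];             /* mov al, byte ptr [ecx]       */
        if (al != (unsigned char)edx[0])        /* cmp al, [edx]; jne 0040CCFA  */
            return 1;                           /* mismatch exit (assumed != 0) */
        if (al == 0)                            /* or al, al; je 0040CCF2       */
            return 0;                           /* xor eax, eax; ret            */
        al = (unsigned char)ecx[1];             /* mov al, byte ptr [ecx+01]    */
        if (al != (unsigned char)edx[1])        /* cmp al, [edx+01]; jne 0040CCFA */
            return 1;
        ecx += 2;                               /* add ecx, 00000002            */
        edx += 2;                               /* add edx, 00000002            */
        if (al == 0)                            /* or al, al; jne 0040CCD6      */
            return 0;                           /* falls through to 0040CCF2    */
    }
}

/* Both callers execute "test eax, eax" straight after the call: 00405C47
 * jumps to the good message on zero, 0040B744 jumps to the bad message on
 * non-zero. The entire registration decision therefore rests on this one
 * zero/non-zero result, which is why a single branch (or making ecx == edx)
 * is enough to flip it. */
int registration_accepted(const char *entered, const char *expected)
{
    return compare_0040ccc0(entered, expected) == 0;
}
```

Because the loop compares two bytes per pass, an odd-length string is still handled correctly: the terminator is compared as an ordinary byte and the routine exits on the first difference.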


Message thread:

Task 1: Eternal Bliss (03-Feb-99 10:51:18)


Copyright © InsideTheWeb, Inc. 1997-1999
All rights reserved.