Cracking Projects For Newbies

Project 6 -- Task 3, Q1 and Q2
Sunday, 07-Feb-99 17:14:53
    129.27.200.50 writes:

    Question 1
    ==========

    I loaded Memo95.exe with the SoftICE Symbol Loader and forced a break at WinMain. Then I set an execution breakpoint at position :0040B73A -> BPX 0040B73A. After exiting SoftICE (X), I started the registration dialogue and entered a random name and serial number.

    SoftICE popped up at 0040B73A.

    :0040B73A call 0040CCC0
    ------------------------

    A subroutine starting at 0040CCC0 will be invoked. Intuitively this could be the routine for checking the fake serial number against the correct one.

    The following registers changed after the call (F10 in SoftICE):
    EAX=00000001 -> EAX=FFFFFFFF
    ECX=0068F9DC -> ECX=007A0E3C
    EDX=006A002C -> EDX=006A0F2C
    and of course EIP
    The flags changed from odIszapc to odIszApc.

    Looking at the memory positions ECX and EDX point to, I found out that ECX points to my fake serial number and EDX TO THE CORRECT ONE!

    :0040B73F add esp, 00000008
    ----------------------------

    I don't know much about assembly, but the stack pointer register is increased by $08 here.
    ESP=0068F414 -> ESP=0068F41C, that means that two double words are removed from the stack, right?
    After all, the fake and real serial code are no longer needed.....

    :0040B742 test eax, eax
    ------------------------

    Test makes a logical AND with the two arguments, so the result of this operation can be true or false. Because here EAX is tested against itself, the result can only be false ($00 by definition) if EAX=00, which means that the ZERO FLAG will be set after this operation. Otherwise the operation will produce a value unequal to $00 (true by definition), and the ZERO FLAG will not be set.

    :0040B744 jne 0040B9BC
    -----------------------

    The jne is executed when the ZERO FLAG is NOT set. That means when EAX is unequal to $00.
    0040B9BC is the string reference for the invalid serial code (see Task 2).

    Question 2
    ===========

    The address of the fake code is moved to ECX, the address of the real code to EDX. Byte 1 from ECX is taken and moved to AL, then AL is compared with byte 1 of EDX. If the two bytes match and are unequal to $00, the next two bytes are compared in the same way. Then the address for the beginning of the two codes is increased by two (bytes) and the loop is entered again.

    The routine returns with EAX set to $00 if the codes are matching, otherwise with a value of $FF.

    Question 3
    ===========

    hmmmmm.....trapping GetWindowTextA took me somewhere -> lost in code, there are too many calls before position 0040B73A (section from Question 1). I have no idea where the serial code is generated...any hints, Sandman?

    Microslave
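The comparison loop Microslave describes in Question 2, written out as a C reconstruction (an added example, not the program's own code): two bytes per iteration, early exit on the first mismatch or terminating zero, and a zero return only on a full match. The `test eax,eax / jne` at 0040B742 then treats any non-zero return as the invalid-serial path. The function names are invented here; the non-zero return value follows the EAX=FFFFFFFF observed in Question 1 (written "$FF" in the post).

```c
#include <stdint.h>

/* Reconstruction of the routine at 0040CCC0 as described in the post.
 * ecx = entered (fake) serial, edx = expected (real) serial, both as C strings.
 * Returns 0 on a full match, otherwise a non-zero value (EAX=FFFFFFFF was
 * observed after the call in Question 1). */
uint32_t compare_serials(const char *entered, const char *expected)
{
    const unsigned char *ecx = (const unsigned char *)entered;
    const unsigned char *edx = (const unsigned char *)expected;

    for (;;) {
        unsigned char al = ecx[0];          /* byte 1 of the entered code -> AL */
        if (al != edx[0]) return 0xFFFFFFFFu; /* mismatch: leave with EAX != 0 */
        if (al == 0)      return 0;           /* both strings ended together */

        al = ecx[1];                        /* byte 2 compared the same way */
        if (al != edx[1]) return 0xFFFFFFFFu;
        if (al == 0)      return 0;

        ecx += 2;                           /* advance both codes by two bytes */
        edx += 2;                           /* and enter the loop again */
    }
}

/* Caller logic at 0040B742/0040B744: test eax,eax ; jne 0040B9BC.
 * Non-zero -> jump to the "invalid serial" string reference; zero -> accepted. */
int serial_accepted(const char *entered, const char *expected)
{
    return compare_serials(entered, expected) == 0;
}
```

Because the routine dereferences the real serial directly from memory, the correct value is present in EDX at the comparison point, which is exactly why it can be read from a debugger at 0040B73F.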



Copyright © InsideTheWeb, Inc. 1997-1999
All rights reserved.