Cracking Projects For Newbies

Project 6-Task 2-long and with little info
Friday, 05-Feb-99 03:14:01
    24.64.74.244 writes:

    Well, I noticed that my original thread was removed, perhaps I spoke too much too soon about winDasm. Hopefully it wasn't that I offended anyone.
    Unfortunately, my assembly and hex knowledge is almost nil, so I hope you don't mind carrying me for a while. Following are my ramblings upon playing with memo95 with windasm.
    Task 2.

    1. Using W32Dasm, create a dead listing of memory Game '95 and explain as best you can, the 'best' location you think we can 'patch' this program.
    (Hint, locate where the 'Good Cracker' message can be found then look around a little).

    2. Will one patch be enough or will it require more?

    3. What problems if any, might we encounter if we went ahead and patched this babe??

    4. What safeguards are in place to prevent you from patching the code, how can we get round them?

    String Resource ID=61217: "&Register..."
    String Resource ID=61218: "&Registration"
    String Resource ID=61244: "Sorry, the registration code does not match! Try again or Ca"
    String Resource ID=61245: "Thank you for registering %s."
    String Resource ID=61246: "Unregistered"
    String Resource ID=61247: "evaluation copy"
    String Resource ID=61248: "Registered copy to"
    String Resource ID=61249: "The program has been modified!"
    String Resource ID=61250: "The code contains non-hexadecimal characters!"
    String Resource ID=61251: "The %s card set can be used only in the registered version. "
    String Resource ID=61252: "Un&register..."
    String Resource ID=61253: "The '2 players' mode can be used only in the registered ver"
    String Resource ID=61254: "Are you sure you want to unregister %s?"
    String Resource ID=61265: "&Yes"
    String Resource ID=61266: "&No"
    String Resource ID=61267: "Thank you for unregistering %s."

    Just prior to ID=61244 "sorry...":
    00405c45 85C0 test eax,eax <-------- tests eax
    00405c47 0f8434010000 je 00405D81 <---- jumps (if equal?) to 00405D81
    00405c50 .... else say "Sorry..."

    @ 00405D81 we see that it is referenced by jump at 00405BEA also!
    here...
    cmp dword ptr [ecx], 00000000
    je 00405D81
    else say "Memory game"

    following from 00405d81 ...
    a few jumps later we get to 00405da8, which is called by 00405e69(cond.) and 0040602a(uncond.)

    The next 22 commands are alternating calls and movs. Could this be the location of the hypothesized keymatching algorithm?

    Checking id=61245 "Thank you for registering"
    looking in the code prior to this message, the first conditional jump we see (jne) is:
    0040b742 test eax,eax
    0040b744 jne 0040B9BC
    if we jump there we see:
    the "Sorry, the registration ..." message!

    Looking at the "Thank you for unregistering" message:
    Immediately above that is a call 004022Dc
    going there we see
    String Resource ID=61242: "REGISTRATION NAME"
    String Resource ID=61243: "REGISTRATION CODE"
    String Resource ID=61262: "Card set"
    String Resource ID=61263: "Registration name"
    String Resource ID=61264: "Registration code"
    etc...
    prior to the call...
    we were jumped there from 004050ae

    004050a7 cmp byte ptr [ecx+000000c3], 01
    004050ae jne 00405280

    Looking at "The program has been modified!":
    We see we were sent there by:
    004058fc jle 00405929 which falls in the section of code immediately following the "8530" string reference?!

    It seems that there is more than one location that should be patched:
    So, I would say there are a couple of good locations to try, the 2 je 00405d81 commands at 00405c47 and 00405BEA, and the 0040b744 jne 0040B9BC.
    If I had any clue about assembly language or hex editing I would try to change the je to jne and vice versa.
    Also, the 00405da8, which is called by 00405e69(cond.) and 0040602a(uncond.) (multiple call/movs) could provide the basis for creating our own key generator, maybe.

    For possible downfalls to patching, I would say one would have to be careful of CRC-type error checking, although this program does not appear to have one. I would prefer a key generator or correct key code to patching, to provide the greatest chance of successfully completing the crack.
    Apparently, there is an intrinsic portion of the program which detects modification, although my assembly language knowledge is next to zilch and I can discern no more.

    Can anyone out there point me in the direction to learn assembly language and hex editing? I have Hedit and Uedit; I just don't know how to use them, i.e. what hex code replaces a jne with a je?

    JT

