CrackMe® Practices for Newbies
PROJECT 5: zipfile.exe

Jeff's Thread
Wednesday, 10-Feb-99 17:36:20
    209.142.55.56 writes:

    :00403BE1 E865160000 call 0040524B First step into this call
    :00403BE6 85C0 test eax, eax
    :00403BE8 7545 jne 00403C2F

    :00403BEA 833D1079400000 cmp dword ptr [00407910], 00000000
    :00403BF1 6880854000 push 00408580

    takes you here:

    * Referenced by a CALL at Address:
    |:00403BE1
    |
    :0040524B 83EC0C sub esp, 0000000C
    :0040524E 833D1079400000 cmp dword ptr [00407910], 00000000
    :00405255 7445 je 0040529C <<---change to EB
    :00405257 8D442400 lea eax, dword ptr [esp]
    :0040525B 6A0C push 0000000C
    :0040525D 50 push eax
    :0040525E FF3504794000 push dword ptr [00407904]


    takes us here:
    :0040529C 33C0 xor eax, eax <<-lands here
    :0040529E 83C40C add esp, 0000000C
    :004052A1 C3 ret <<-- returns to

    here:

    :00403BE1 E865160000 call 0040524B
    :00403BE6 85C0 test eax, eax
    :00403BE8 7545 jne 00403C2F << we know not equal...

    :00403BEA 833D1079400000 cmp dword ptr [00407910], 00000000
    :00403BF1 6880854000 push 00408580

    so change:
    :00403BE8 7545 jne 00403C2F <<--- to EB


    x to leave

    I get an error message:

    Zip damaged file...bad crc 0000000...should be 3368d07a
    file transfer error

    BUT the box just behind this error message shows:

    UnZipping File.......


    ??????????

    I do realize that the purpose here is to find the real serial... and although
    there should always be more than one way to skin the cat I have been trying to find
    an area that will unzip this trial...so that I MIGHT THEN be in the area to find
    or recognize something being compared...as this area almost unzipped it
    before it produced an error...I will continue in this vein for a while at least.

    I had earlier changed a jump at:
    00403BA6 which allowed me to receive the message:
    "0 files unzipped successfully"
    A little confusing language perhaps saying in effect that nothing happened???

    Since there was no error message I will also play around more in this area;


    I have set many breakpoints that work well; one breakpoint that I have tried was the:

    OemToCharA and the CharToOemA...thinking that it might be like the MultiByteToWideChar
    type entry....
    bpx GetKeyState took me somewhere confusing....
    GetDlgItemTextA works also...

    bpx lstrlenA; lstrcmpA; lstrcpy; all have not given me much info either.

    Each area seems to produce my fake password but I have yet to see any compare.

    This is all for the moment...

    Jeff

