ReFleXZ'99 Trial CrackMe v1.00

This tutorial is coming from...

ReFleXZ '99

Url: Http://ReFleXZ99.cjb.net Email: ReFleXZ99@fcmail.com

About the essay...

Written by:

CyberBlade Email: CyberBlade@gmx.net

Date: 21st March 1999
Program name: ReFleXZ CrackMe v1.00
Program type: VB6 Crackme by Bjanes
Program location: Http://ReFleXZ99.cjb.net
Program filename: ReFleXZ1.exe
Program size: 68,0 KB

Tools required:
NuMega SmartCheck, Hacker's View 6.xx

Difficulty level:
Easy ( )  Medium ( X )  Hard ( )  Pro ( )


-= Introduction =-

ReFleXZ tells us about the protection:

1) Serial

2) Nag Screen

3) Anti-SmartCheck

You're allowed to patch the program ONLY to remove the Anti-SmartCheck protection. For the first protection patching is NOT allowed! By finding the correct serial you must force the program to display the "Good job..." message. You must also find out how to remove the nag without patching!

 

-= First we will crack the Anti-SmartCheck protection =-

About this protection:

The Anti-SmartCheck routine is not placed at the start of the CrackMe, where such checks usually sit. Instead it is placed behind the Register button (labelled "Check it" in this CrackMe). After you have loaded the CrackMe into SmartCheck and pressed "Check it", the program goes into an endless loop. I tried running the CrackMe alongside SmartCheck (not under it) and it worked fine, so the detection does not rely on finding SmartCheck's window title. There must be another way for the CrackMe to recognise that it is running under SmartCheck.

Perform the following steps to crack the protection mechanism:

Start SmartCheck and run the CrackMe. Then enter any serial number and push the "Check it" button.

The CrackMe will go into an endless loop. Stop the CrackMe and have a look at what SmartCheck has logged....

You'll find Command1_Click

Click on this line and select in the "View" menu of SmartCheck, "Show All Events" and "Show Arguments".

Now expand the thread by clicking on the + sign.

This is what you will see

+Timer() returns double: 63717.5 (displayed as single-precision floating point)

Double(63717.5) --> Long(63717)

Expanding the Timer() entry gives:

1) Timer()

2) GetLocalTime(PTR:0064F2E4)

3) Timer returns double: 63717.5 (displayed as single-precision floating point)

Double(63717.5) --> Long(63717)

After this you should get a hunch...

It is a time-based protection routine. Let me explain: the CrackMe reads Timer() (seconds since midnight) before and after the check routine and, if the elapsed time exceeds a specific value, the penny drops and the CrackMe concludes that SmartCheck is attached. **BINGO** This works because SmartCheck instruments every call into the VB runtime, so the same routine takes far longer under it than when run normally. The Double to Long conversion means the comparison is made on whole seconds.
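To make the mechanism concrete, here is an added example (not the CrackMe's code, not part of the original tutorial) of the same kind of timing check in Python. What comes from the page: two clock readings around the check routine, truncated to whole seconds, with a large difference meaning "tool attached". What is assumed: the threshold, the probe workload, time.perf_counter() standing in for VB's Timer(), and sys.settrace() standing in for SmartCheck's per-call instrumentation. It also shows the weak spot of truncating to Long: a run that straddles a second boundary reports 1 even when it took milliseconds.

```python
"""Timing check of the kind the CrackMe uses to detect SmartCheck.

Added example, not the CrackMe's code. From the page: the routine reads the
clock before and after the serial check, converts the Double to a Long (whole
seconds) and treats a large difference as "SmartCheck attached". Assumed here:
the threshold, the probe workload, time.perf_counter() instead of VB Timer(),
and sys.settrace() standing in for SmartCheck's instrumentation.
"""
import sys
import time


def elapsed_long(work, clock=time.perf_counter) -> int:
    """Run `work` and return Long(end) - Long(start), i.e. whole seconds,
    mirroring the Double --> Long conversion seen in the SmartCheck log."""
    start = clock()
    work()
    end = clock()
    return int(end) - int(start)


def tool_attached(work, clock=time.perf_counter, threshold_s: int = 2) -> bool:
    """The detector: True when the routine took suspiciously long.

    Caveat of the original design: truncating both readings to whole seconds
    means a few-millisecond run that straddles a second boundary reports 1,
    so a threshold of 1 gives false positives. Use at least 2."""
    return elapsed_long(work, clock) >= threshold_s


def probe(rounds: int = 100_000) -> int:
    """Stand-in for the serial check: per-character work in a loop, so an
    instrumenting tool has many events to record. Returns mismatch count."""
    serial = "987654321"          # constructed input, same as in the tutorial
    mismatches = 0
    for _ in range(rounds):
        for i, ch in enumerate(serial, start=1):
            if format(1 ^ i, "X") != ch.upper():
                mismatches += 1
    return mismatches


def run_under_tracer(work):
    """Run `work` with a trace hook installed; every line event costs a
    Python-level callback, the same kind of overhead SmartCheck's logging adds."""
    def tracer(frame, event, arg):
        return tracer
    sys.settrace(tracer)
    try:
        return work()
    finally:
        sys.settrace(None)


def fake_clock(readings):
    """Clock returning pre-recorded values, to replay the log's numbers
    without waiting for real time to pass."""
    it = iter(readings)
    return lambda: next(it)


if __name__ == "__main__":
    for label, fn in (("plain", probe), ("traced", lambda: run_under_tracer(probe))):
        t0 = time.perf_counter()
        fn()
        print(f"{label:7s} {time.perf_counter() - t0:6.2f} s")
    # The reading from the SmartCheck log, replayed through the detector:
    print(tool_attached(lambda: None, fake_clock([63717.5, 63717.5])))  # False
```

Run it once plain and once under the tracer and the second run is visibly slower; that difference is all the CrackMe is measuring.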

Select the line showing this: Double(63717.5) --> Long(63717)

This is the place where the recorded time is converted from Double to Long. Look at the details window: its header line shows the location this operation was called from.

[Reflexz1.exe!0000CBB1 (no debug info)]

 

So all we have to do now is to look for the next comparison after offset 0000CBB1.

Open the CrackMe in HIEW:

Switch to disassembly by pressing F4 and selecting "Decode".

Now press F5 and enter the offset displayed above (CBB1),

then trace down a bit till you land here:

.0000CC1B 3BC7 cmp eax,edi

.0000CC1D 0F84C8000000 je .0000CCEB ' jump if SmartCheck wasn't used (good guy jump)

Press F3 to edit and change the second line into:

.0000CC1D E9C9000000 jmp .0000CCEB

Two details worth checking before you save: the displacement changes from C8 to C9 because jmp rel32 is five bytes long while je rel32 is six (both are relative to the end of their instruction, so both land on CCEB), and the sixth byte left over at CC22 should be overwritten with 90 (NOP) so the disassembly stays clean. It is never executed anyway, since the jmp is unconditional.

Press F9 to write the changes and return to Windows. Now load the patched CrackMe into SmartCheck again and, by magic, the SmartCheck detection routine is CrAcKeD!

Very simple, isn't it ?!?

This was  the easy part...
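The same patch, done as an added example in Python rather than by hand in HIEW (not part of the original tutorial, and not the CrackMe's code). From the page: at offset CC1D the bytes 0F 84 C8 00 00 00 (je CCEB) become E9 C9 00 00 00 (jmp CCEB). Assumed: that the offset HIEW displays is a plain file offset, and that the leftover sixth byte is best replaced with a NOP. The function verifies the original opcode before touching anything and computes the new displacement from the decoded target instead of trusting a hand-calculated C9.

```python
"""Apply the je -> jmp patch from the HIEW session above to a file image.

Added example, not part of the original tutorial. From the page: at offset
CC1D the CrackMe has `0F 84 C8 00 00 00` (je CCEB) and the fix is
`E9 C9 00 00 00` (jmp CCEB). Assumed here: that the offset HIEW shows is a
plain file offset, and that the leftover sixth byte is best replaced by NOP.
"""
import struct

JE_REL32 = b"\x0f\x84"   # 6-byte form: 0F 84 <rel32>
JMP_REL32 = b"\xe9"      # 5-byte form: E9 <rel32>
NOP = b"\x90"


def je_target(buf: bytes, off: int) -> int:
    """Absolute target of the `je rel32` at `off`; rel32 counts from the end
    of the six-byte instruction."""
    if buf[off:off + 2] != JE_REL32:
        raise ValueError(f"no je rel32 at {off:#x}: {buf[off:off + 6].hex()}")
    rel = struct.unpack_from("<i", buf, off + 2)[0]
    return off + 6 + rel


def patch_je_to_jmp(buf: bytes, off: int) -> bytes:
    """Return a copy of `buf` with the `je rel32` at `off` turned into an
    unconditional `jmp rel32` to the same target.

    jmp rel32 is one byte shorter, so its displacement is one larger (C8 -> C9
    here) and the sixth byte is overwritten with NOP rather than left behind."""
    target = je_target(buf, off)
    rel = target - (off + 5)          # relative to the end of the 5-byte jmp
    out = bytearray(buf)
    out[off:off + 6] = JMP_REL32 + struct.pack("<i", rel) + NOP
    return bytes(out)


def patch_file(path: str, off: int = 0xCC1D) -> None:
    """Patch `path` in place, keeping an unmodified copy beside it."""
    with open(path, "rb") as f:
        data = f.read()
    with open(path + ".bak", "wb") as f:
        f.write(data)
    with open(path, "wb") as f:
        f.write(patch_je_to_jmp(data, off))


if __name__ == "__main__":
    # Constructed image, not the real ReFleXZ1.exe: zero padding with the two
    # instructions from the HIEW listing placed at CC1B and CC1D.
    image = bytearray(0x10000)
    image[0xCC1B:0xCC1D] = b"\x3b\xc7"                    # cmp eax,edi
    image[0xCC1D:0xCC23] = b"\x0f\x84\xc8\x00\x00\x00"    # je  0xCCEB
    patched = patch_je_to_jmp(bytes(image), 0xCC1D)
    print(patched[0xCC1D:0xCC23].hex())                   # e9c900000090
```

patch_file("ReFleXZ1.exe") would apply it to a real copy; the opcode check makes it refuse a file where CC1D does not hold a je, which is what you want when a different build or a different offset is in front of you.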

 

-= Now that we have cracked the Anti-SmartCheck routine we can concentrate on the SERIAL =-

What's the matter with the serial?

The serial is a nine-digit combination. It is calculated inside the CrackMe, so there's no point looking for a hardcoded serial.

Let's start...

 

Run the CrackMe and enter the following serial: 987654321

Click on the "Check it" button and you will get a message box titled "Wrong serial!" saying "Sorry, try again!".

Return to SmartCheck and see what it has logged.

Click on the + sign next to the Command1_Click event to expand its thread:

________Snip________

Len(String:"98765432..",long:1,Variant:Integer:1)

' Get the length of the entered serial

Text1.text

 

Text1.text

 

Integer(1) --> Long(1)

' This is the counter, it contains the current position where the CrackMe is reading from. (For example: If the Counter has the value 1, it is pointing to the first digit of the number entered.)

Mid$(String:"98765432..",long:1, Variant:Integer:1)

' Get the first digit of the key. In this case it is the digit 9.

Asc(String: "9") returns Integer: 57

' Get its ASCII value. I don't know why it's converted to ASCII; maybe the program checks whether the character is a digit.

Integer(1) --> Long(1)

' Again the counter is needed

Mid$(String:"98765432..",long:1, Variant:Integer:1)

' Get the first digit of the key

Asc(String: "9") returns Integer: 57

' Get its ASCII value

Hex$(VARIANT:Integer:0)

' Convert the number 0 to hex

 

' ** Where does this number (0) come from ?

Text1.text

 

Integer(1) --> Long(1)

' Again the counter...

Mid$(String:"98765432..",long:1, Variant:Integer:1)

' Get the first digit of the key

Ucase$("0")

' Convert "0" to upper case; since "0" is a digit this has no effect.

Len(String:"0") returns long:1

' Get the length of "0"

Len(String:"0") returns long:1

' Get the length of "0"

Len(String:"0") returns long:1

' Get the length of "0"

Mid$(String:"98765432..",long:1, Variant:Integer:1)

' Get the first digit of the key

Asc(String: "0") returns Integer: 48

' Get the ASCII value of "0"

Asc(String: "0") returns Integer: 48

' Get the ASCII value of "0"

Ucase$("9")

' Convert "9" to upper case; since "9" is a digit this has no effect.

Len(String:"9") returns long:1

' get the length of "9"

Len(String:"9") returns long:1

' get the length of "9"

Len(String:"9") returns long:1

' get the length of "9"

Mid$(String:"9",long:1, Variant:Integer:1)

' Get the first character of the string "9" (the digit just extracted)

Asc(String: "9") returns Integer: 57

' Get the ASCII value of "9"

Asc(String: "9") returns Integer: 57

' Get the ASCII value of "9"

 

' Something is not shown here, there must be a comparison...

Hex$(Variant:Boolean:False)

' The Boolean is the result of that comparison. If it is True the entered digit is correct.

MsgBox("VARIANT:String:"Sorry, t...",Integer:0, VARIANT:String:"Wrong se..."...

' Display the error message

 

** To find out where the "0" comes from, you have to do the following:

Click on the Hex$(VARIANT:Integer:0) line and select in the "View" menu of SmartCheck the options "Show All Events" and "Show Arguments".

Two lines above the Hex$ function you will see this line:

__vbaVArXor(VARIANT:Integer:1, VARIANT:Integer:1) returns DWORD:64f410

The first argument (1) is a constant; it never changes.

The second argument is the current value of the Counter (in the next loop it will be 2, after that 3, and so on).

By examining all events that are shown, and by playing around a bit with Soft-Ice, I figured out that the result of the XOR operation above is compared with the digit the Counter is currently pointing to. The Hex$ and UCase$ calls in the log suggest that the comparison is done on strings: Hex$(1 Xor Counter) against the upper-cased character taken from Text1. For Counter values 1 to 9 the XOR result is always a single decimal digit, so this detail does not change the key.

Translated to Visual Basic the check routine would look like this:

**Note: I have only written down the important parts of the routine.

If Len(Text1.Text) <> 9 Then
' If the length of the key entered isn't nine,
    MsgBox "Sorry, try again!", 0, "Wrong serial!"
    ' then display the error message and
    Exit Sub
    ' exit the subroutine
End If
' end of If block

For Counter = 1 To 9
' The Counter is increased in every loop
    CorrectDigit = Hex$(1 Xor Counter)
    ' Xor 1 with the value of the Counter and take the hex digit of the result
    DigitEntered = UCase$(Mid$(Text1.Text, Counter, 1))
    ' Get the character of the entered key the Counter is currently pointing to
    If CorrectDigit <> DigitEntered Then
    ' If the calculated digit is not equal to the digit of the key entered, then
        MsgBox "Sorry, try again!", 0, "Wrong serial!"
        ' display the message box containing the bad job message
        Exit Sub
        ' and exit the subroutine
    End If
    ' End of If block
Next Counter
' return to the top of the For/Next loop

MsgBox "GOOD MESSAGE"
' If every digit of the entered key is correct, show the message box containing the GOOD MESSAGE


Let's calculate the correct key now:

(Counter = 1)

1 xor 1 = 0 'first digit of the correct key is 0

(Counter = 2 )

1 xor 2 = 3 'second digit of the correct key is 3

(Counter = 3)

1 xor 3 = 2 'third digit of the correct key is 2

(Counter = 4)

1 xor 4 = 5 'fourth digit of the correct key is 5

(Counter = 5)

1 xor 5 = 4 'fifth digit of the correct key is 4

(Counter = 6 )

1 xor 6 = 7 'sixth digit of the correct key is 7

(Counter = 7)

1 xor 7 = 6 'seventh digit of the correct key is 6

(Counter = 8)

1 xor 8 = 9 'eighth digit of the correct key is 9

(Counter = 9)

1 xor 9 = 8 'ninth digit of the correct key is 8

 

 

Voila !!!

The correct key is: 032547698
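A keygen and checker for the routine above, as an added example (not the CrackMe's code, not from the original tutorial). Taken from the page: a valid key has nine characters and character i (1-based) must equal Hex$(1 Xor i). The `length` and `seed` parameters are this example's own generalisation, not something the CrackMe exposes; they make visible what the UCase$ call is for, since for positions 10 to 15 the XOR result is a hex letter, and above 15 Hex$ would yield two characters that a one-character Mid$ compare can never match.

```python
"""Keygen and checker for the serial routine reconstructed above.

Added example, not the CrackMe's own code. From the page: character i of the
key (1-based) must equal Hex$(1 Xor i), for i = 1..9. `length` and `seed`
are this example's generalisation of that rule (assumption, not a CrackMe
feature).
"""


def expected_char(position: int, seed: int = 1) -> str:
    """Hex$(seed Xor position) as the single uppercase character the check expects."""
    value = seed ^ position
    if value > 0xF:
        # Hex$ would return two characters here; a one-character Mid$ can never match.
        raise ValueError(f"position {position}: Hex$({value}) is two characters")
    return format(value, "X")


def keygen(length: int = 9, seed: int = 1) -> str:
    return "".join(expected_char(i, seed) for i in range(1, length + 1))


def first_bad_position(serial: str, length: int = 9, seed: int = 1):
    """Position (1-based) of the first character the CrackMe would reject,
    0 for a wrong length, or None when the serial is accepted."""
    if len(serial) != length:
        return 0
    for i in range(1, length + 1):
        # Mid$(serial, i, 1) is 1-based; UCase$ makes hex letters match regardless of case
        if serial[i - 1].upper() != expected_char(i, seed):
            return i
    return None


def check(serial: str, length: int = 9, seed: int = 1) -> bool:
    """Mirror of Command1_Click: length test, then character-by-character compare."""
    return first_bad_position(serial, length, seed) is None


if __name__ == "__main__":
    key = keygen()
    print(key, check(key))                  # 032547698 True
    print(first_bad_position("987654321"))  # 1
    print(keygen(15))                       # 032547698BADCFE
```

first_bad_position is the function you want while reversing: it tells you how far into the loop a trial serial gets before the Exit Sub fires, which matches what you see in the SmartCheck log.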

 

-= Removing the Nag-Screen =-

Let's begin...

Return to "Show Errors and Specific Events" mode. Scroll up to the beginning of the list until you find:

+ReFleXZ1_Load

Click on the + sign next to it to expand its thread. Because the listing is too long to put everything here, I omit the unimportant parts.

You will see the following:

ReFleXZ1_Load

OnError(long:1)

Open(String:"C:\Windo...", Integer:1, long:-1, long:1) fails

'The CrackMe tries to open a file that does not exist.

Nag (Form) created

'Therefore the Nag-Screen is created

________Snip________

 

Nag.Show

 

________Snip________

 

ReFleXZ1_Load

 

 

Select the line that shows the following: Open(String:"C:\Windo...", Integer:1, long:-1, long:1) fails

After highlighting the line, look at the details window: it shows the full filename the CrackMe tries to open.

You should see the following:

"C:\Windows\Favorites\ReFleXZ.url"

It seems that the CrackMe checks whether we have bookmarked ReFleXZ's URL.

Now create the file at exactly that path and fill it with two lines of any data. The CrackMe reads two lines from it, as the next log shows.

Then start the CrackMe again.

The following line will appear in SmartCheck:

+ReFleXZ1_Load

Expand its thread as before (again omitting the unimportant parts) and you will see the following:

ReFleXZ1_Load

OnError(long:1)

Open(String:"C:\Windo..", Integer:1, long:-1, long:1)

'Open the Bookmark File

InputNum(Integer:1)

'Read the first line of the Bookmark File

InputNum(Integer:1)

'Read the second line of the Bookmark File

Close(Integer:1)

'Close the Bookmark File

Nag(Form) created

'The two lines we put in did not match, so the Nag-Screen is still created

 

________Snip________

 

 -ReFleXZ1_Load

 

 

Click on one of the lines inside ReFleXZ1_Load (the Open line will do) and select the "Show All Events" and "Show Arguments" options in the "View" menu of SmartCheck.

Scrolling down a bit will lead you to the following comparison:

__vbaStrCmp(String:"[Interne...", String:"<the data you put in the first line>")

Select it and have a look at the details window. You will see the following: [InternetShortcut]

This is the data that should be in the first line of the Bookmark File. Now put this text in the first line of the Bookmark File. By repeating all the steps above you will find out that the second line should contain this line:

URL=http://ReFleXZ99.cjb.net

That is exactly the layout of a Windows Internet Shortcut (.url) file: an INI-style [InternetShortcut] section with a URL= entry. __vbaStrCmp compares the strings byte for byte, so write both lines exactly as shown, including the case of the URL.

It's really great how simple it was to remove the Nag-Screen using such an intelligent tool as SmartCheck.
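As an added example (not the CrackMe's code, not part of the original tutorial), here is the Form_Load bookmark check emulated in Python, together with a writer for the file that satisfies it. From the page: the CrackMe opens C:\Windows\Favorites\ReFleXZ.url, reads two lines, and compares them with "[InternetShortcut]" and "URL=http://ReFleXZ99.cjb.net"; a missing file or a mismatch shows the nag. The function names and the `path` parameter are this example's own; the CrackMe has no such options.

```python
r"""Emulate the Form_Load bookmark check and write the file that satisfies it.

Added example, not the CrackMe's own code. From the page: Form_Load opens
C:\Windows\Favorites\ReFleXZ.url, reads two lines, and compares them with
"[InternetShortcut]" and "URL=http://ReFleXZ99.cjb.net". Function names and
the `path` parameter are assumptions of this example.
"""
import os

DEFAULT_PATH = r"C:\Windows\Favorites\ReFleXZ.url"
EXPECTED_LINES = ("[InternetShortcut]", "URL=http://ReFleXZ99.cjb.net")


def bookmark_text() -> str:
    """Contents of a .url file that passes the check (CRLF, as Windows writes)."""
    return "".join(line + "\r\n" for line in EXPECTED_LINES)


def split_lines(text: str):
    """What the two line reads return: the lines without their line endings."""
    return text.replace("\r\n", "\n").split("\n")


def read_first_lines(path: str, count: int = len(EXPECTED_LINES)):
    """First `count` lines of `path`, or None when the Open fails (the branch
    the CrackMe's On Error handler takes when the bookmark is missing)."""
    try:
        with open(path, "r", encoding="ascii", errors="replace", newline="") as f:
            return [f.readline().rstrip("\r\n") for _ in range(count)]
    except OSError:
        return None


def nag_needed(lines) -> bool:
    """True when Form_Load would show the nag. __vbaStrCmp is a binary
    compare, so case, spacing and line order all have to match exactly."""
    if lines is None or len(lines) < len(EXPECTED_LINES):
        return True
    return any(got != want for got, want in zip(lines, EXPECTED_LINES))


def write_bookmark(path: str = DEFAULT_PATH) -> None:
    """Create the bookmark the CrackMe looks for (parent directory included)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii", newline="") as f:
        f.write(bookmark_text())


if __name__ == "__main__":
    print(nag_needed(None))                              # True: no bookmark
    print(nag_needed(["first line", "second line"]))     # True: two lines of junk
    print(nag_needed(split_lines(bookmark_text())))      # False: nag suppressed
```

nag_needed(read_first_lines(DEFAULT_PATH)) reproduces the CrackMe's decision on a real system; write_bookmark() then creates the file and the same call returns False.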

-= Final Notes =-

 

If I made mistakes and explained things wrongly then please mail me and I will correct my mistakes. You can also mail me if there is anything you are not clear about. Any comment is appreciated. Don't hesitate to send your remarks to: CyberBlade@gmx.net

 

Greatz fly out to: Acid Burn, Eternal Bliss, The uncle, Vladimir, and The ^Uplifter^

Disclaimer...

This tutorial is written for EDUCATIONAL purposes only.
So if you want to use the program after its trial period ends please BUY IT! Support shareware(and its authors), this is our learning tool!

ReFleXZ is not responsible for any damage caused by this essay or any of its parts.
So everything you do and 'experiment' with is at your own risk!

Also, in this tutorial you'll not find any serial numbers, so try to search
elsewhere under Cracks and Warez.

 
Copyright © 1999 by ReFleXZ '99
All rights reserved