Win Code Reversing
Program Name: giz_crackme.exe
Program Type: Genius Crackme
Program Location: HERE
Program Size: 25 K

Softice V3.2 - Debugger
Procdump V1.5 - Unpacker
Process Patcher 2.5 by Thewd - Memory Patcher
W32Dasm - Disassembler

There is a crack, a crack in everything. That's how the light gets in. |
GizmoS CrackMe ReverSing
Written by PlAyEr

It's a very small crackme, coded in VB 6, nothing special.

The program is packed with Petite 2.1. There are three things to crack: a code, a nag and a name/serial check; there is also an anti-SmartCheck trick.

When you first start giz_crackme.exe you'll see an input box asking for a code. Let's start at another point: we have Procdump, the very nice tool by UCF, which can unpack our application. If you try to open the packed file in W32Dasm you won't get any string data and so on, so once Procdump is started, click on Unpack. You'll see a long list of different packers; we know it is packed with Petite 2.1 (use GetTyp to find out which packer a file uses). Follow Procdump's instructions, wait until the file is loaded, click OK and wait until the save dialog pops up. Save it as giz_cracked.exe, for example. Now load the unpacked file in W32Dasm and take a look at the String Data References, which are now visible... you'll probably notice 4698-Gizmo-1296. Cool, the code is sitting in the string table in clear text. Let's try it, but you must start the original exe, the unpacked one won't run :-(
Okay, the first protection is solved, an easy one; let's go on! Enter anything as name and serial and you'll see the error message "Part II fucked..." and the program terminates. Well, let's look again at the string data; yes, there it is! You will see this:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403F3A(C)
|
* Possible StringData Ref from Data Obj ->"Try again"
|
:004040D8 BAF0284000              mov edx, 004028F0
:004040DD 8D8D74FFFFFF            lea ecx, dword ptr [ebp+FFFFFF74]
:004040E3 FF15A0104000            call dword ptr [004010A0]
:004040E9 B90A000000              mov ecx, 0000000A
:004040EE B804000280              mov eax, 80020004
:004040F3 898D3CFFFFFF            mov dword ptr [ebp+FFFFFF3C], ecx
:004040F9 898D4CFFFFFF            mov dword ptr [ebp+FFFFFF4C], ecx
:004040FF 8D950CFFFFFF            lea edx, dword ptr [ebp+FFFFFF0C]
:00404105 8D8D5CFFFFFF            lea ecx, dword ptr [ebp+FFFFFF5C]
:0040410B 898544FFFFFF            mov dword ptr [ebp+FFFFFF44], eax
:00404111 898554FFFFFF            mov dword ptr [ebp+FFFFFF54], eax

* Possible StringData Ref from Data Obj ->"Part II fucked..."
|
:00404117 C78514FFFFFF04284000    mov dword ptr [ebp+FFFFFF14], 00402804
:00404121 C7850CFFFFFF08000000    mov dword ptr [ebp+FFFFFF0C], 00000008
OK, noticed the conditional jump that references this block? It comes from 00403F3A, so go there and you'll see this:
:00403EF3 8D955CFFFFFF            lea edx, dword ptr [ebp+FFFFFF5C]
:00403EF9 51                      push ecx
:00403EFA 52                      push edx
:00403EFB C78570FFFFFF00000000    mov dword ptr [ebp+FFFFFF70], 00000000
:00403F05 898564FFFFFF            mov dword ptr [ebp+FFFFFF64], eax
:00403F0B C7855CFFFFFF08800000    mov dword ptr [ebp+FFFFFF5C], 00008008
:00403F15 FF1560104000            call dword ptr [00401060]          <- the comparison of the serials; its result comes back in eax
:00403F1B 8B1DDC104000            mov ebx, dword ptr [004010DC]
:00403F21 8D8D6CFFFFFF            lea ecx, dword ptr [ebp+FFFFFF6C]
:00403F27 8BF0                    mov esi, eax                       <- compare result saved in esi
:00403F29 FFD3                    call ebx
:00403F2B 8D8D5CFFFFFF            lea ecx, dword ptr [ebp+FFFFFF5C]
:00403F31 FF150C104000            call dword ptr [0040100C]          <- __vbaFreeVar: frees the VARIANT the compare used, and the serial is still inside it
:00403F37 6685F6                  test si, si                        <- check if the serial is correct
:00403F3A 0F8498010000            je 004040D8                        <- jump if NOT right ("Try again")

* Possible StringData Ref from Data Obj ->"Get ready for part 3..."
|
:00403F40 BA88294000              mov edx, 00402988
:00403F45 8D8D78FFFFFF            lea ecx, dword ptr [ebp+FFFFFF78]
Next step: modify winice.dat, add msvbvm60.dll AND remove msvbvm50.dll; they won't work together. Restart the computer, go back to your registration screen, set a bpx hmemcpy and trace until you are in the crackme's own code (not in the msvbvm60.dll code!); there set a bpx 403F31. SoftICE breaks! Now trace into the call with F8 and you'll see this code snippet:
Exported fn(): __vbaFreeVar - Ord:0083h
:6ADAF09E 56                      push esi
:6ADAF09F 8BF1                    mov esi, ecx
:6ADAF0A1 668B0E                  mov cx, word ptr [esi]
:6ADAF0A4 6683F908                cmp cx, 0008
:6ADAF0A8 7252                    jb 6ADAF0FC
:6ADAF0AA F6C540                  test ch, 40
:6ADAF0AD 754D                    jne 6ADAF0FC
:6ADAF0AF 8BC1                    mov eax, ecx
:6ADAF0B1 25FFFF0000              and eax, 0000FFFF
:6ADAF0B6 80E47F                  and ah, 7F
:6ADAF0B9 83F811                  cmp eax, 00000011
:6ADAF0BC 0F87C5720000            ja 6ADB6387
:6ADAF0C2 33D2                    xor edx, edx
:6ADAF0C4 8A905817DB6A            mov dl, byte ptr [eax+6ADB1758]
:6ADAF0CA FF24953817DB6A          jmp dword ptr [4*edx+6ADB1738]
:6ADAF0D1 8B4608                  mov eax, dword ptr [esi+08]        <- moves the real and fake key to eax ([esi+08] is the VARIANT's value, here the string pointer)
:6ADAF0D4 85C0                    test eax, eax                      <- type "d eax" and you see the real and fake serial; in my case (PlAyEr) I see 242C233926 as the real code
:6ADAF0D6 7424                    je 6ADAF0FC
:6ADAF0D8 50                      push eax
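Why "d eax" shows the serial at this point, as an added example (not code from the crackme or from this essay): the snippet below models the VB6 VARIANT that __vbaFreeVar receives in ecx (copied to esi) and walks it the way the listing above does, vt at offset 0 (cmp cx, 0008; VT_BSTR is 8), the VT_BYREF bit 0x4000 (test ch, 40), the and ah, 7F mask, and the value at offset 8 (mov eax, [esi+08]), which for a BSTR is the pointer to its UTF-16 text. The memory image, its base address and the serial used are constructed for the example; the 00008008 tag is the one the crackme itself stores at [ebp-A4] right before the compare.

```python
"""Model of the VARIANT walk in __vbaFreeVar (added example, not the essay's code)."""
import struct

VT_BSTR = 0x0008
VT_BYREF = 0x4000


def build_image(base, serial, vt=0x8008):
    """Lay out a VARIANT at `base` whose value points at a BSTR holding `serial`.

    vt defaults to 00008008, the tag the crackme writes with
    mov dword ptr [ebp+FFFFFF5C], 00008008; `and ah, 7F` turns it into 8 (VT_BSTR).
    Returns a bytearray standing in for process memory that starts at `base`
    (constructed layout: VARIANT at +0, BSTR length at +0x1C, text at +0x20).
    """
    text = serial.encode("utf-16-le")
    chars = base + 0x20                      # a BSTR pointer points at the characters
    mem = bytearray(0x20 + len(text) + 2)    # the trailing two bytes are the NUL terminator
    # VARIANT: vt, three reserved WORDs, then the 8-byte value union (pointer + pad)
    struct.pack_into("<HHHHI", mem, 0, vt, 0, 0, 0, chars)
    struct.pack_into("<I", mem, 0x1C, len(text))   # BSTR: byte length sits before the text
    mem[0x20:0x20 + len(text)] = text
    return mem


def _u16(mem, base, addr):
    return struct.unpack_from("<H", mem, addr - base)[0]


def _u32(mem, base, addr):
    return struct.unpack_from("<I", mem, addr - base)[0]


def variant_bstr(mem, base, esi):
    """Mirror the __vbaFreeVar prologue for the VARIANT at `esi`.

    Returns the text that "d eax" shows after mov eax, [esi+08], or None when the
    runtime takes the early exit at 6ADAF0FC (vt below 8, VT_BYREF set, NULL value)
    or when the masked tag is not VT_BSTR at all.
    """
    vt = _u16(mem, base, esi)                # mov cx, word ptr [esi]
    if vt < VT_BSTR:                         # cmp cx, 0008 / jb 6ADAF0FC
        return None
    if vt & VT_BYREF:                        # test ch, 40 / jne 6ADAF0FC
        return None
    if (vt & 0x7FFF) != VT_BSTR:             # and eax, FFFF / and ah, 7F; only the BSTR case here
        return None
    eax = _u32(mem, base, esi + 8)           # mov eax, dword ptr [esi+08]
    if eax == 0:                             # test eax, eax / je 6ADAF0FC
        return None
    nbytes = _u32(mem, base, eax - 4)        # BSTR length prefix, in bytes
    return mem[eax - base:eax - base + nbytes].decode("utf-16-le")


if __name__ == "__main__":
    BASE = 0x0012F000                        # constructed stack address for the VARIANT
    image = build_image(BASE, "242C233926")  # the serial the essay reports for the name PlAyEr
    print(variant_bstr(image, BASE, BASE))
```

The BYREF and vt-below-8 exits matter when you put a breakpoint here in a real session: __vbaFreeVar is called for every VARIANT the program releases, so you only get a string pointer in eax when the one at esi actually carries a BSTR.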
Now run it and, yes, the second part is solved, but now something strange: "Get ready for part 3...". Hmm, think a moment and press OK; FUCK, a nag screen, but we'll try to solve it. Now we must start SoftICE again, bpx hmemcpy before pressing OK at the 2nd protection, and now we need a good breakpoint, so have a look for "Get ready for part 3...":
:00403F40 BA88294000              mov edx, 00402988
:00403F45 8D8D78FFFFFF            lea ecx, dword ptr [ebp+FFFFFF78]
:00403F4B FF15A0104000            call dword ptr [004010A0]
:00403F51 BB04000280              mov ebx, 80020004
:00403F56 BF0A000000              mov edi, 0000000A
:00403F5B 8D950CFFFFFF            lea edx, dword ptr [ebp+FFFFFF0C]
:00403F61 8D8D5CFFFFFF            lea ecx, dword ptr [ebp+FFFFFF5C]
:00403F67 899D44FFFFFF            mov dword ptr [ebp+FFFFFF44], ebx
:00403F6D 89BD3CFFFFFF            mov dword ptr [ebp+FFFFFF3C], edi
:00403F73 899D54FFFFFF            mov dword ptr [ebp+FFFFFF54], ebx
:00403F79 89BD4CFFFFFF            mov dword ptr [ebp+FFFFFF4C], edi

* Possible StringData Ref from Data Obj ->"Congratulation!"
|
:00403F7F C78514FFFFFFB0264000    mov dword ptr [ebp+FFFFFF14], 004026B0
:00403F89 C7850CFFFFFF08000000    mov dword ptr [ebp+FFFFFF0C], 00000008
OK, let's set a bpx anywhere in there, e.g. bpx 403F67. You must be in the crackme code, remember. Well, SoftICE breaks and we trace... until we notice that right after one call the rectangle of the nag is being painted; it is this one:
:004040A1 56                      push esi
:004040A2 894104                  mov dword ptr [ecx+04], eax
:004040A5 895108                  mov dword ptr [ecx+08], edx
:004040A8 8B9528FFFFFF            mov edx, dword ptr [ebp+FFFFFF28]
:004040AE 89510C                  mov dword ptr [ecx+0C], edx
:004040B1 FF97B0020000            call dword ptr [edi+000002B0]      <- here you notice the loading of the nag!
:004040B7 85C0                    test eax, eax
:004040B9 DBE2                    fclex
:004040BB 0F8D27010000            jnl 004041E8
:004040C1 68B0020000              push 000002B0
Now, what to do? Yes, let's NOP the call. Fire up your hex editor, but... FUCK! The file is packed, so the code you see in the unpacked disassembly only exists in this form once Petite has decompressed it in memory; the file offsets don't match, so we have to make a loader which patches the memory every time the program is started. I'll assume you use the process patcher I used; it is very easy. Create the script file and then run ppatch.exe, which automatically loads the crackme. Enter the registration data and look for the nag... It's AWAY, we have done it, congratulations!!!
Program cracked.

Here you get exclusively the script file for our loader:
#Process Patcher Configuration File
[Version]
1
[Friendly Name]
Gizmos crackme
[Program Filename]
giz_cr~1.exe
[Number of Bytes]
6
[Memory Addresses]
0x4040B1:0xFF:0x90
0x4040B2:0x97:0x90
0x4040B3:0xB0:0x90
0x4040B4:0x02:0x90
0x4040B5:0x00:0x90
0x4040B6:0x00:0x90
#End of Configuration File
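What the loader has to do with that script, as an added example that is neither PlAyEr's loader nor Thewd's ppatch.exe: parse the [Memory Addresses] lines (addr:original:new), check that every original byte really is what the script says before writing anything (the check you want before poking a live process; a mismatch usually means a different version, or that the target has not been unpacked in memory yet), then write the new bytes. The 37 bytes at 004040A1 are copied from the W32Dasm listing above and serve as a stand-in for the crackme's memory after Petite has unpacked it; the base address of the buffer and the helper names are the example's own. One caveat the listing shows: after the call is NOPed, the following test eax, eax / jnl runs on whatever eax held before the call.

```python
"""Verify-then-patch applier for a Process Patcher script (added example)."""
import re

# The script from the essay, embedded so the example runs offline.
SCRIPT = """\
#Process Patcher Configuration File
[Version]
1
[Friendly Name]
Gizmos crackme
[Program Filename]
giz_cr~1.exe
[Number of Bytes]
6
[Memory Addresses]
0x4040B1:0xFF:0x90
0x4040B2:0x97:0x90
0x4040B3:0xB0:0x90
0x4040B4:0x02:0x90
0x4040B5:0x00:0x90
0x4040B6:0x00:0x90
#End of Configuration File
"""

# Bytes of the crackme at 004040A1..004040C5, taken from the W32Dasm listing above.
CODE_BASE = 0x004040A1
CODE = bytes.fromhex(
    "56"              # push esi
    "894104"          # mov dword ptr [ecx+04], eax
    "895108"          # mov dword ptr [ecx+08], edx
    "8B9528FFFFFF"    # mov edx, dword ptr [ebp+FFFFFF28]
    "89510C"          # mov dword ptr [ecx+0C], edx
    "FF97B0020000"    # call dword ptr [edi+000002B0]   <- the nag
    "85C0"            # test eax, eax
    "DBE2"            # fclex
    "0F8D27010000"    # jnl 004041E8
    "68B0020000"      # push 000002B0
)

_PATCH_LINE = re.compile(r"0x([0-9A-Fa-f]+):0x([0-9A-Fa-f]{2}):0x([0-9A-Fa-f]{2})")


def parse_script(text):
    """Return (program filename, [(addr, original, new), ...]) from a ppatch script.

    [Number of Bytes] is cross-checked against the number of patch lines, so a
    truncated or hand-edited script is rejected instead of half-applied.
    """
    section, filename, declared, patches = None, None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Program Filename":
            filename = line
        elif section == "Number of Bytes":
            declared = int(line)
        elif section == "Memory Addresses":
            m = _PATCH_LINE.fullmatch(line)
            if not m:
                raise ValueError("bad patch line: " + line)
            patches.append(tuple(int(g, 16) for g in m.groups()))
    if declared is not None and declared != len(patches):
        raise ValueError(f"[Number of Bytes] says {declared}, script has {len(patches)} entries")
    return filename, patches


def apply_patches(mem, base, patches):
    """Write `patches` into bytearray `mem`, which maps address `base`.

    Every original byte is verified first; on any mismatch nothing is written.
    """
    for addr, orig, _ in patches:
        off = addr - base
        if not 0 <= off < len(mem):
            raise ValueError(f"{addr:#010x} is outside the image")
        if mem[off] != orig:
            raise ValueError(f"{addr:#010x}: expected {orig:#04x}, found {mem[off]:#04x}")
    for addr, _, new in patches:
        mem[addr - base] = new
    return mem


def patched_nag_call(script=SCRIPT):
    """Apply the script to the listing bytes; return the 6 bytes now at 004040B1."""
    _, patches = parse_script(script)
    mem = apply_patches(bytearray(CODE), CODE_BASE, patches)
    off = 0x4040B1 - CODE_BASE
    return bytes(mem[off:off + 6])


def patch_is_refused(mem, base, script=SCRIPT):
    """True when apply_patches refuses `mem` because the original bytes don't match."""
    try:
        apply_patches(mem, base, parse_script(script)[1])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(patched_nag_call().hex())                       # 909090909090
    print(patch_is_refused(bytearray(len(CODE)), CODE_BASE))  # True: not the unpacked code
```

The same verify-then-write loop is what you would wrap around WriteProcessMemory in a real loader: read the bytes at each address from the suspended or freshly unpacked process, compare them against the script's original column, and only then write.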

Gizmo, very nice crackme, took me some time to do it, nice work!
But it wasn't good enough for me. *grin*
My thanks and gratitude go to:
aDENOZiN, _Blade, Blaster99, PRD_NLS, cg, @ll TbC members, C.Connor, Zor, Acid_Burn, Torn@do, Itsgallus, sn00pee, Prof.X, TheAntiXryst, members of BEC, _zeus, Speedy, Storemaster, Sevando, Berserka, Moolok, Skorpien, CrazyK
and everybody I forgot; tell me if you should be here!!!

Do I really have to remind you all that buying and NOT stealing the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges in breaking their often weak protection systems?
If you're looking for cracks or serial numbers on these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.
Essay by: PlAyEr
Page Created: 15th September 1999