Reverse Code Engineering RCE CD +sandman 2000

home *** CD-ROM | disk | FTP | other *** search

/ Reverse Code Engineering RCE CD +sandman 2000 / ReverseCodeEngineeringRceCdsandman2000.iso / RCE / Mib / BBCRACK.ZIP / BBCRACK.ASM next >

Wrap

Assembly Source File | 1998-08-18 | 19.0 KB | 742 lines

;Brains Breaker v2.1 crack ;Written by Cruehead as a part of the 1999 +HCU strainer .386 locals jumps .model flat,STDCALL include win32.inc ;Some very usefull includes ;------------------------------------------- ; .-.-.- Begining of the DATA segment -.-.-. ;------------------------------------------- .data FILE_ATTRIBUTE_NORMAL EQU 080h ;Some constants that we declare here GENERIC_WRITE EQU 40000000h GENERIC_READ EQU 80000000h OPEN_EXISTING EQU 3h OPEN_ALWAYS EQU 4h FILE_BEGIN EQU 0h FILE_CURRENT EQU 1h FILE_END EQU 2h SW_SHOWNORMAL EQU 1h KEY_EXECUTE EQU 3C000007h MyHwnd dd 0 ;We'll save the handle for the window here GoButHwnd dd 0 ;The handle for the 'Patch it" button ExitButHwnd dd 0 ;The handle for the 'Exit' button EditHwnd dd 0 ;The handle for the edit field NameHwnd dd 0 ;The handle for the name edit field msg MSGSTRUCT <?> wc WNDCLASS <?> lppaint PAINTSTRUCT <?> szNULL db 0 ymenu dd 0 hInst dd 0 hMenu dd 0 hDlg dd 0 SubKey db 'SOFTWARE\Classes\BrainsBreaker_Puzzle\ID',0 TheID db 'ID',0 BBID db 105h dup (0) HowManyBytes dd 105h RegHandle dd 0 Counter db 0 IniFile db 'BBRK.INI',0 Serial db '$L25OOO' UserID db '123' INIInfo db 13,10,'[PackFull]',13,10 db '0= ',13,10 ;Name db '1=123',13,10 ;ID db '2= ',13,10 ;EncSerial db '3=2100',13,10 ;Version? db '4= ',13,10 ;EncName db '5= ',13,10 ;EncID db 0 EncrSource db 8 dup (0) UserName db 20 dup (0) UserLength db 0 EnterName db '--- Enter your name ---' TitleName db 'Crack for Brains Breaker v2.21 - Written By Cruehead',0 ClassName db 'ASMCLASS32',0 ClassButton db 'BUTTON',0 ClassEdit db 'EDIT',0 TransStr db 'TRANSPARENT',0 PatchText db 'Lets go - Crack it!',0 ExitText db 'Exit!',0 ;--- Different action messages so the user knows what's happening --- EditWaiting db ' Action: Waiting...',0 Error1 db ' Error: BBRK32.EXE not found!',0 Error2 db ' Error: File already cracked / Wrong version!',0 Error3 db ' Error: Wrong filesize!',0 Error4 db ' Error: Registry information not found!',0 Done db ' Done! Enjoy it!',0 ;--- What we need to open the file --- filename db 'BBRK32.EXE',0 handle dd 0 ;--- What we need to read the file --- ReadBuffer db 2 dup (0) ;We will read two bytes to this location BytesRead dd 0 ;Will hold how many bytes actually read ;--- What we need to write to the file --- WriteBuffer db 090h,090h,0FFh,0EBh,052h ;We will patch the program with this ;(the bytes are in reverse order) BytesWritten dd 0 ;Will hold how many bytes actually written CorrectFileSize dd 091000h ;FileSize of the correct file Original dw 02E75h ;This is the original word that we will change ;(the bytes are in reverse order) ;---------------------------------------- ; .-.-.- Code Segment starts here -.-.-. ;---------------------------------------- .code start: push 0 call GetModuleHandle ;get hmod (in eax) mov [hInst], eax ;hInstance is same as HMODULE ;in the Win32 world push 0 push offset ClassName call FindWindow or eax,eax ;More than one program opened? jz reg_class ret ;No, only one open at time reg_class: ; ; initialize the WndClass structure ; mov [wc.clsStyle], CS_HREDRAW + CS_VREDRAW + CS_GLOBALCLASS mov [wc.clsLpfnWndProc], offset WndProc mov [wc.clsCbClsExtra], 0 mov [wc.clsCbWndExtra], 0 mov eax, [hInst] mov [wc.clsHInstance], eax push IDC_ARROW push 0 call LoadCursor mov [wc.clsHCursor], eax mov [wc.clsHbrBackground], COLOR_BACKGROUND mov dword ptr [wc.clsLpszClassName], offset ClassName push offset wc call RegisterClass ;Create the main window push 0 ;lpParam push [hInst] ;hInstance push 0 ;menu push 0 ;parent hwnd push 270 ;height push 390 ;width push 150 ;y push 170 ;x push WS_OVERLAPPEDWINDOW ;Style push offset TitleName ;Title string push offset ClassName ;Class name push 0 ;Extra style call CreateWindowEx mov [MyHwnd], eax ;Save the handle for later use ;This creates the 'Patch it' Button push 0 ;lpParam push 0 ;hInstance push 0 ;menu push [MyHwnd] ;parent hwnd push 30 ;height push 140 ;width push 85 ;y push 120 ;x push WS_CHILD+BS_DEFPUSHBUTTON ;Style push offset PatchText ;Title string push offset ClassButton ;Class name push 0 ;Extra style call CreateWindowEx mov [GoButHwnd], eax ;Save this handle ;This creates the 'Exit' Button push 0 ;lpParam push 0 ;hInstance push 0 ;menu push [MyHwnd] ;parent hwnd push 30 ;height push 140 ;width push 118 ;y push 120 ;x push WS_CHILD+BS_DEFPUSHBUTTON ;Style push offset ExitText ;Title string push offset ClassButton ;Class name push 0 ;Extra style call CreateWindowEx mov [ExitButHwnd], eax ;Save the handle ;Create the edit field push 0 ;lpParam push 0 ;hInstance push 0 ;menu push [MyHwnd] ;parent hwnd push 20 ;height push 300 ;width push 200 ;y push 40 ;x push WS_CHILD+ES_READONLY ;Style push offset EditWaiting ;Title string push offset ClassEdit ;Class name push WS_EX_CLIENTEDGE ;Extra style call CreateWindowEx mov [EditHwnd], eax ;Save the handle ;Create the name edit field push 0 ;lpParam push 0 ;hInstance push 0 ;menu push [MyHwnd] ;parent hwnd push 20 ;height push 280 ;width push 45 ;y push 50 ;x push WS_CHILD ;Style push 0 ;Title string push offset ClassEdit ;Class name push WS_EX_CLIENTEDGE ;Extra style call CreateWindowEx mov [NameHwnd], eax ;Save the handle push SW_SHOWNORMAL ;Show the Main window push [MyHwnd] call ShowWindow push SW_SHOWNORMAL ;Show the 'Patch it" button push [GoButHwnd] call ShowWindow push SW_SHOWNORMAL ;Show the 'Exit" button push [ExitButHwnd] call ShowWindow push SW_SHOWNORMAL ;Show the edit filed push [EditHwnd] call ShowWindow push SW_SHOWNORMAL ;Show the name edit filed push [NameHwnd] call ShowWindow push [MyHwnd] ;We have to do this in order to call UpdateWindow ;show the buttons and the edit field ;Here we come to the messageloop - A very important thing in a win32 program msg_loop: push 0 push 0 push 0 push offset msg call GetMessage cmp ax, 0 je end_loop push offset msg call TranslateMessage push offset msg call DispatchMessage jmp msg_loop end_loop: push [msg.msWPARAM] call ExitProcess ;---------------------------------------------------------------------------- ; WARNING: Win32 requires that EBX, EDI, and ESI be preserved! ; ; Here we put the events we want to respond on. ;---------------------------------------------------------------------------- WndProc proc hwnd:DWORD, wmsg:DWORD, wparam:DWORD, lparam:DWORD push esi push edi push ebx LOCAL theDC:DWORD cmp [wmsg], WM_DESTROY je wmdestroy cmp [wmsg], WM_PAINT je wmpaint cmp [wmsg], WM_SIZE je wmsize cmp [wmsg], WM_COMMAND je wmcommand jmp defwndproc wmcommand: mov eax ,[lparam] cmp [GoButHwnd], eax ;Did the user click on the 'Patch it' button? je StartMeUp ;Then jump cmp [ExitButHwnd], eax ;Did the user click on the 'Exit' button? je wmdestroy ;If so - lets jump mov eax,0 jmp finish ;---- ; Here is the start of the real interesting part ; ---- StartMeUp: push 20 push offset UserName push [NameHwnd] call GetWindowTextA test eax,eax jnz NoProblem mov eax,0 jmp finish NoProblem: mov UserLength,al push offset [RegHandle] push offset [SubKey] push 080000002h ;HKEY_LOCAL_MACHINE call RegOpenKeyA test eax,eax je ContinuePlease push -1 call MessageBeep ;Just a cute litle beep push offset Error4 ;"Registry error" message push [EditHwnd] call SetWindowTextA push [EditHwnd] ;We need to do this in order to show the call UpdateWindow ;above message mov eax,0 jmp finish ContinuePlease: push offset [HowManyBytes] push offset [BBID] push 0h push [RegHandle] call RegQueryValueA test eax,eax je RegistryFine push -1 call MessageBeep ;Just a cute litle beep push offset Error4 ;"Registry error" message push [EditHwnd] call SetWindowTextA push [EditHwnd] ;We need to do this in order to show the call UpdateWindow ;above message mov eax,0 jmp finish RegistryFine: push 0 ;Must be zero if win95 push FILE_ATTRIBUTE_NORMAL ;We're dealing with a normal file push OPEN_EXISTING ;Opens a file if it exists, otherwise error push 0 ;Cant be inherited push 0 ;File can't be shared push GENERIC_READ+GENERIC_WRITE ;Read and write access push offset filename ;offset to our filename call CreateFileA cmp eax,-1 ;Did an error occur? jnz FileFound ;Take the jump if everything is ok push -1 call MessageBeep ;Just a cute litle beep push offset Error1 ;"File not found" message push [EditHwnd] call SetWindowTextA push [EditHwnd] ;We need to do this in order to show the call UpdateWindow ;above message mov eax,0 jmp finish FileFound: mov handle,eax push 0 push [handle] call GetFileSize ;Get the filesize in eax cmp eax,CorrectFileSize ;Is it the correct filesize? je GoodFileSize ;If yes - take the jump and continue push [handle] ;Close the file call CloseHandle push -1 call MessageBeep ;Just a cute litle beep push offset Error3 ;"File length dont match" message push [EditHwnd] call SetWindowTextA push [EditHwnd] ;We need to do this in order to show the call UpdateWindow ;above message mov eax,0 jmp finish GoodFileSize: push FILE_BEGIN ;Move the filepointer from the start of the file push 0 push 0403B8h ;Here is the address where we shall read/patch push handle ;Filehandle call SetFilePointer push 0 push offset BytesRead ;How many bytes actually read push 2 ;Read 2 bytes push offset ReadBuffer ;Address to the readbuffer push [handle] ;Filehandle call ReadFile mov ax,word ptr [ReadBuffer] ;Get the word we just read from the file in ax cmp ax, Original ;Compare this word with what it should be if ;this is an uncracked version je LetsPatch ;If they matches everything is ok, take the jump push [handle] ;Close the file call CloseHandle push -1 call MessageBeep ;Just a cute litle beep push offset Error2 ;"Already Patched / wrong version" message push [EditHwnd] call SetWindowTextA push [EditHwnd] ;We need to do this in order to show the call UpdateWindow ;above message mov eax,0 jmp finish LetsPatch: ;--- Because the ReadFile functions also increases the filepointer we have to move it --- ; backwards in order to make it point to the correct patching posision. We read two bytes ; and so the filepointer was moved two bytes ahead - we must move it back two bytes backwards ; to make it point to the correct position push FILE_CURRENT ;Move the filepointer from the current position push 0 push -2 ;Move the filepointer two bytes backwards push handle ;Filehandle call SetFilePointer push 0 push offset BytesWritten ;How many bytes actually written push 2 ;Write 2 bytes push offset WriteBuffer ;Write from this buffer push [handle] ;the file handle call WriteFile push FILE_BEGIN ;Move the filepointer from the start of the file push 0 push 059300h ;Here is the address where we shall read/patch push handle ;Filehandle call SetFilePointer push 0 push offset BytesWritten ;How many bytes actually written push 3 ;Write 3 bytes push offset WriteBuffer+2 ;Write from this buffer push [handle] ;the file handle call WriteFile push [handle] ;Now we're ready so lets close the file call CloseHandle ;Patching done, now lets concentrate on the .INI file part: mov al,BBID[4] ;Create the Encryption Source mov EncrSource[0],al ;from the ID which BrainsBreaker mov al,BBID[9] ;creates the first time it's executed mov EncrSource[1],al mov al,BBID[7] mov EncrSource[2],al mov al,BBID[12] mov EncrSource[3],al mov al,BBID[16] mov EncrSource[4],al mov al,BBID[18] mov EncrSource[5],al mov al,BBID[21] mov EncrSource[6],al mov al,BBID[37] mov EncrSource[7],al lea esi,EncrSource xor ebx,ebx call FixEncrSource ;EncrSource is now 4 bytes long lea edi,INIInfo+16 lea esi,UserName xor ecx,ecx mov cl,UserLength rep movsb push 0 ;Must be zero if win95 push FILE_ATTRIBUTE_NORMAL ;We're dealing with a normal file push OPEN_ALWAYS ;Opens a file if it exists - if not it's created push 0 ;Cant be inherited push 0 ;File can't be shared push GENERIC_READ+GENERIC_WRITE ;Read and write access push offset IniFile ;offset to our filename call CreateFileA mov [handle],eax push FILE_END ;Move the filepointer from the start of the file push 0 push 0 ;Here is the address where we shall read/patch push [handle] ;Filehandle call SetFilePointer lea esi,UserName lea edi,EncrSource lea ebx,INIInfo+115 mov cl,UserLength EncUserName: mov al,[esi] xor al,[edi] call DivideItUp mov [ebx],ah mov [ebx+1],al add ebx,2 inc Counter cmp Counter,4 jne GoOn mov Counter,0 sub edi,4 GoOn: inc esi inc edi dec cl cmp cl,0 jnz EncUserName mov Counter,0 lea esi,Serial lea edi,EncrSource lea ebx,INIInfo+65 mov cl,7 EncSerial: mov al,[esi] xor al,[edi] call DivideItUp mov [ebx],ah mov [ebx+1],al add ebx,2 inc Counter cmp Counter,4 jne GoOn2 mov Counter,0 sub edi,4 GoOn2: inc esi inc edi dec cl cmp cl,0 jnz EncSerial mov Counter,0 lea esi,UserID lea edi,EncrSource lea ebx,INIInfo+157 mov cl,3 EncID: mov al,[esi] xor al,[edi] call DivideItUp mov [ebx],ah mov [ebx+1],al add ebx,2 inc Counter cmp Counter,4 jne GoOn3 mov Counter,0 sub edi,4 GoOn3: inc esi inc edi dec cl cmp cl,0 jnz EncID push 0 push offset BytesWritten ;How many bytes actually written push 197 ;Write 197 push offset INIInfo ;Write from this buffer push [handle] ;the file handle call WriteFile push [handle] ;Now we're ready so lets close the file call CloseHandle push offset Done ;"Everything went ok" message push [EditHwnd] call SetWindowTextA push [EditHwnd] ;We need to do this in order to show the call UpdateWindow ;above message mov eax,0 jmp finish wmpaint: push offset lppaint push [hwnd] call BeginPaint push eax ;The device context push offset TransStr push eax call SetBkMode pop eax ;Device context in eax again push 23 ;Numbers of chars push offset EnterName ;The string push 25 ;Y push 121 ;X push eax ;DC call TextOut push offset lppaint push [hwnd] call EndPaint mov eax,0 jmp finish defwndproc: push [lparam] push [wparam] push [wmsg] push [hwnd] call DefWindowProc jmp finish wmdestroy: push 0 call PostQuitMessage mov eax, 0 jmp finish wmsize: mov eax, 0 jmp finish finish: pop ebx ;Remember we must restore these registers pop edi ;because the OS need them pop esi ret WndProc endp public WndProc FixEncrSource: mov cl,[esi+ebx] cmp cl,039h ja FixLetter sub cl,030h jmp DoneFirstPart FixLetter: sub cl,057h DoneFirstPart: xor dx,dx mov ax,010h mul cl mov dl,al mov cl,[esi+ebx+1] cmp cl,039h ja FixLetter2 sub cl,030h jmp DoneSecondPart FixLetter2: sub cl,057h DoneSecondPart: add cl,dl mov [esi],cl inc ebx inc esi cmp ebx,4 jne FixEncrSource ret DivideItUp: xor ah,ah shl ax,4 cmp ah,9 jbe L1 add ah,037h jmp Done1 L1: add ah,030h Done1: mov dl,ah shr ax,4 and ax,0fh cmp al,9 jbe L2 add al,037h jmp Done2 L2: add al,030h Done2: mov ah,dl ret end start