KeyGen Studio 2002

home *** CD-ROM | disk | FTP | other *** search

/ KeyGen Studio 2002 / KeyGen_Studio_2002.iso / Tutorials / Code Inside / nh-rmcm.ZIP / nh-rmcm.txt next >

Wrap

Text File | 2001-05-08 | 5.8 KB | 139 lines

Re-Move Crackme by CoDe_InSiDe tutorial by nh E-Mail: nh666@mail.ru Need tools: Soft-Ice v4.xx, Hiew v6.xx. So, let's see crackme in Hiew: .004F0090: BE00114000 mov esi,000401100 ;" @ " .004F0095: 8BFE mov edi,esi .004F0097: 33C0 xor eax,eax .004F0099: B930030000 mov ecx,000000330 ;" 0" .004F009E: 33DB xor ebx,ebx .004F00A0: 33D2 xor edx,edx .004F00A2: AC lodsb .004F00A3: 01C3 add ebx,eax .004F00A5: 2C1F sub al,01F ;"" .004F00A7: 01C2 add edx,eax .004F00A9: AA stosb .004F00AA: E2F6 loop .0004F00A2 -------- (1) .004F00AC: 2BDA sub ebx,edx .004F00AE: 93 xchg ebx,eax .004F00AF: 3DD01B0000 cmp eax,000001BD0 ;" -" .004F00B4: 7506 jne .0004F00BC -------- (2) .004F00B6: 6800114000 push 000401100 ;" @ " .004F00BB: C3 retn so, file is crypted, but crypting is very easy: sub al,01fh =)) so, we can uncrypt this file in hiew. we get rm-uncr.exe =) and now, change first byte by offset 4f0090 to 0cch, and set breakpoint bpint 3 (don't forget to change 0cch to 0beh it soft-ice %)) trace it: yo, after some tracing, it's easily to understand that all code is executed after calling push 40000b; push xxx; retn;, so, set breakpoint to 40000a (retn) and trace...=)) .00401000: 60 pushad .00401001: 33C0 xor eax,eax .00401003: 33C9 xor ecx,ecx .00401005: B12B mov cl,02B ;"+" .00401007: BE20114000 mov esi,000401120 ;" @ " .0040100C: BF00004000 mov edi,000400000 ;" @ " .00401011: F3A4 repe movsb .00401013: E838000000 call .000401050 -------- (1) .00401018: C3 retn .00401020: 680B004000 push 00040000B ;" @ " .00401025: 68A0114000 push 0004011A0 ;" @α" .0040102A: C3 retn so, what do we see? soft-ice detecting, so, FrogsIce helps us...=)) continue, and we see some interesting checks: .00401233: FF153C004F00 call d,[0004F003C] ; GetTickCount(...) .00401239: 91 xchg ecx,eax .0040123A: C3 retn .00401228: A100144000 mov eax,[000401400] .0040122D: 2BC8 sub ecx,eax .0040122F: C3 retn ; of course al isn't 0, but we patch byte .40122e to do sub ecx,ecx ; & that's all .0040121D: 91 xchg ecx,eax .0040121E: 84C0 test al,al .00401220: 7506 jne .000401228 -------- (1) .00401222: C3 retn next checks: .004010E9: 60 pushad .004010EA: FF153C004F00 call d,[0004F003C] ; GetTickCount .004010F0: 93 xchg ebx,eax .004010F1: BF80124000 mov edi,000401280 ;" @└" .004010F6: 33C9 xor ecx,ecx .004010F8: B510 mov ch,010 ;"" ; hmmm.... .004010FA: 803FCC cmp b,[edi],0CC ;"ª" .004010FD: 7411 je .000401110 -------- (1) .004010FF: 47 inc edi .00401100: E2F8 loop .0004010FA -------- (2) .00401102: FF153C004F00 call d,[0004F003C] ; GetTickCount .00401108: 2BC3 sub eax,ebx .0040110A: 84C0 test al,al .0040110C: 7502 jne .000401110 -------- (3) .0040110E: 61 popad .0040110F: C3 retn .00401110: 61 popad .00401111: 68B0114000 push 0004011B0 ;" @_" .00401116: C3 retn so, i think it's necessary to change mov ch,10 to mov cl,10 =))) & sub eax,ebx to sub eax,eax and the last check: .00401316: 83EE05 sub esi,005 ;"" .00401319: 8BFE mov edi,esi .0040131B: 83EF10 sub edi,010 ;"" .0040131E: 57 push edi .0040131F: 33C9 xor ecx,ecx .00401321: B11F mov cl,01F ;"" .00401323: F3A4 repe movsb ; it this place esi=4f041f, so we patch it... .00401325: 81FE0F014F00 cmp esi,0004F010F ;" Oñ" .0040132B: 7501 jne .00040132E -------- (2) .0040132D: 5F pop edi .0040132E: C3 retn after that, we get out patch file nh-rmcm.xck: [BeginXCK]───────-───────-──────-─────────-─ ─ ─ · · ■ Description : [W98] Re-Move Crackme by CoDe_InSiDe ■ Crack made by : nh [BeginCRK]───────-───────-──────-─────────-─ ─ ─ · · [W98] Re-Move Crackme by CoDe_InSiDe made via FW by nh Shareware limitation RE-MOVE.EXE 000003F8: D4 D0 000003FE: 30 22 00000409: E2 DF 0000052E: E7 E8 00000627: 2E 3E 00000628: 20 23 [EndCRK]───────-───────-──────-─────────-─ ─ ─ · · [EndXCK]───────-───────-──────-─────────-─ ─ ─ · · that's all /nh