KeyGen Studio 2002

home *** CD-ROM | disk | FTP | other *** search

/ KeyGen Studio 2002 / KeyGen_Studio_2002.iso / Tutorials / CrackMesCbjNet / lsdv1point0_patch_tut.txt < prev next >

Wrap

Text File | 2001-09-21 | 8.0 KB | 268 lines

How to patch LSDv1point0 Crackme by WebMasta(webmasta@pgc-force.com) -------------------------------------------------------------------- Tutorial by CraXor ------------------ Tools needed: ------------- SoftIce 4.05 ( or anything from 3.24 ) Hiew6 ( for patching the damn thing ) Win32Dasm8 + vb patch (for dissassembly) RTD WinPatch ( for creating an exe -> my asm is not so good) Brain and Zen :) Start: ------ Ok Let's begin I was sent this Crackme via Irc by another online cracker :) So first things first : Dissassemble lsdv1point0.exe ( very fast) ok so the very first thing we see is this : Import Module 001: MSVBVM60.DLL This means it is a Visual Basic App and thus very crappy to crack :) so now minimize the dissassembly window and run the program ... Type in your name and key : User Name : Cracked by CraXor Registration Code : 123456789 ok click 'Register' OOps ! Invalid registr..... blah blah ( Note the caption of the msgbox 'Error') ok back in W32dasm look for the string ref 'Error' , once found double click it and lets see where we are now : * Reference To: MSVBVM60.__vbaVarTstNe, Ord:0000h | :00402B6F E816E7FFFF Call 0040128A ; Serial test maybe ? :00402B74 66898520FFFFFF mov word ptr [ebp+FFFFFF20], ax :00402B7B 8D4DBC lea ecx, dword ptr [ebp-44] * Reference To: MSVBVM60.__vbaFreeObj, Ord:0000h | :00402B7E E8F5E6FFFF Call 00401278 ; Free str ? :00402B83 8D4DAC lea ecx, dword ptr [ebp-54] * Reference To: MSVBVM60.__vbaFreeVar, Ord:0000h | :00402B86 E8E7E6FFFF Call 00401272 ; Free variable ? :00402B8B 0FBF8520FFFFFF movsx eax, word ptr [ebp+FFFFFF20] :00402B92 85C0 test eax, eax ; MMmm test :00402B94 0F84BD000000 je 00402C57 ; Bad Boy / Good Boy :00402B9A C7458404000280 mov [ebp-7C], 80020004 :00402BA1 C7857CFFFFFF0A000000 mov dword ptr [ebp+FFFFFF7C], 0000000A :00402BAB C7459404000280 mov [ebp-6C], 80020004 :00402BB2 C7458C0A000000 mov [ebp-74], 0000000A * Possible StringData Ref from Code Obj ->"Error" | :00402BB9 C78564FFFFFFBC234000 mov dword ptr [ebp+FFFFFF64], 004023BC ; We end up here ! :00402BC3 C7855CFFFFFF08000000 mov dword ptr [ebp+FFFFFF5C], 00000008 :00402BCD 8D955CFFFFFF lea edx, dword ptr [ebp+FFFFFF5C] :00402BD3 8D4D9C lea ecx, dword ptr [ebp-64] * Reference To: MSVBVM60.__vbaVarDup, Ord:0000h | :00402BD6 E88BE6FFFF Call 00401266 * Possible StringData Ref from Code Obj ->"User Name or Registration Code " ->"is Incorrect, please Call Technical " ->"Support if you have purchased " ->"a LSD v1.0 key!" | :00402BDB C78574FFFFFFD4224000 mov dword ptr [ebp+FFFFFF74], 004022D4 Ok so after that code listing has confused the hell out of you ;) hehe If we scroll up a bit we see : :00402B92 85C0 test eax, eax ; MMmm test :00402B94 0F84BD000000 je 00402C57 ; Bad Boy / Good Boy mmm note this address's Offset : '2b94' ( look at the bottom of the windasm screen when you put the blue bar over the above code ) ok double click the 'Error' string ref again ... we end up here : * Reference To: MSVBVM60.__vbaVarTstNe, Ord:0000h | :00403018 E86DE2FFFF Call 0040128A ; Test serial :0040301D 0FBFC0 movsx eax, ax :00403020 85C0 test eax, eax :00403022 0F84E1000000 je 00403109 ; Good boy / Bad Boy :00403028 C785A8FEFFFF04000280 mov dword ptr [ebp+FFFFFEA8], 80020004 :00403032 C785A0FEFFFF0A000000 mov dword ptr [ebp+FFFFFEA0], 0000000A :0040303C C785B8FEFFFF04000280 mov dword ptr [ebp+FFFFFEB8], 80020004 :00403046 C785B0FEFFFF0A000000 mov dword ptr [ebp+FFFFFEB0], 0000000A * Possible StringData Ref from Code Obj ->"Error" | :00403050 C78588FEFFFFBC234000 mov dword ptr [ebp+FFFFFE88], 004023BC ; We end up here :0040305A C78580FEFFFF08000000 mov dword ptr [ebp+FFFFFE80], 00000008 :00403064 8D9580FEFFFF lea edx, dword ptr [ebp+FFFFFE80] :0040306A 8D8DC0FEFFFF lea ecx, dword ptr [ebp+FFFFFEC0] so as you can see if we scroll up a bit we see : :00403020 85C0 test eax, eax :00403022 0F84E1000000 je 00403109 ; Good boy / Bad Boy so note this address's Offset '3022' Ok now you have two places to patch .... but !!! if you patch them it still says " User name invalid ..." !!! BLAH Ok Now to take some TOUGH action ! Load Symbol loader ... Load the Export MSVbVM60.dll in your windows/system directory now load the file 'lsdv1point0.exe' to make things easy: So in Windasm we noticed three main vb calls everytime : __vbaVarTstne ; This one we'll use __vbafreeObj __vbafreevar so we're gonna break on __vbaVarTstNe run the proggie through Symbol loader : when softice breaks at the EP ( entry point) : type : 'bpx msvbvm60!__vbavarTstNe' NB! --- Note the usage of 'msvbvm60! this is very important in any vb program you are trying to crack !!!! k lets continue : ----------------- and then press CTRL+D to return to the proggie ... Type in your name and reg key : User Name : Cracked by CraXor Registration Code : 123456789 ok Click 'Register' bOOM! SoftIce breaks ... type " P RET" to return to the calling function : * Reference To: MSVBVM60.__vbaVarTstNe, Ord:0000h | :00403018 E86DE2FFFF Call 0040128A :0040301D 0FBFC0 movsx eax, ax :00403020 85C0 test eax, eax :00403022 0F84E1000000 je 00403109 ; Change this !!!! so we see our old friend .... in SoftIce type : 'R FL Z' it changes the Zero Register Flag ok then trace with F10 .... till you get here : * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0040322D(U) | :004037AA 83BDFCFDFFFF00 cmp dword ptr [ebp+FFFFFDFC], 00000000 :004037B1 0F857BFAFFFF jne 00403232 ; OOOOO NASTY BOY ! if you have traced through a couple of times you'll see that the above line : :004037B1 0F857BFAFFFF jne 00403232 ; OOOOO NASTY BOY ! Needs to be changed to je 403232 So note the addy ! '4037b1' Fire up Windasm and click on 'Goto' then type in the addy You'll end up here : * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0040322D(U) | :004037AA 83BDFCFDFFFF00 cmp dword ptr [ebp+FFFFFDFC], 00000000 :004037B1 0F857BFAFFFF jne 00403232 ; Change me plz :) ok note the offset '37b1' Ok close windasm and fire up Hiew ! ok start hiew eg. 'Hiew lsdv1point0.exe' ok press the enter-key three times to get to the asm code ;) now press F5 and type in your first offset '3022' ok now press F3 and change the 0F84E1000000 to 0F85E1000000 ok now repeat for the other two ... You basicly change the current to its opposite eg. 0F85 ==> 0F84 0F84 ==> 0F85 Ok Press F9 ( to save the file ) and Wolla you have a cracked CrackMe ! :) type in any name and serial ( Note please enter at least one char for the Name input box or else the proggie will blow up in yer face ;)) and wolla ! you are registered ... Finale ------ This took me about half an hour and next I'm gonna try to find the right serial ... so maybe you'll see another tut from me ( This was my first ) Any Feedback can be sent to koos1@ign.com Cheers ! Greets ------ Webmasta for his crackme's ( Xtreme2 hints plz ! ;)) All the ppl on #cracking4newbies,tKc,Arthaxerxes,R!Sc,Anynomous lurker and all those ppl who write Tutors and help us Newbies ! Knowledge is Power ! CraXor