Solution to Psycho Arjani's crackme #0.3 By noptical
Tools: Hiew, and Exdec
Welp, all you fishes out there reading this will now have to ph33r my P-Code cracking madness. So, I'm sitting around being a lazy ass when Muad updates crackmes, so I go look, and there's one elite crackme that SmartCheck didn't want to run because the damn thing was P-Code! So, after about 20 minutes of bitching, I decided to go get Exdec. I unzipped it, opened crkme03.exe, and to my surprise: completely fucked up, non-understandable code! I started looking through the tuts and crap, and found nothing that really had anything to do with serials. So I started looking through the disassembled P-Code, and around 40304B I see:
403042: 1c BranchF: 403085 ;Jump to unregistered
403045: 27 LitVar_Missing
403048: 27 LitVar_Missing
40304B: 3a LitVarStr: ( local_00DC ) Registerd ;Title of Messagebox
403050: 4e FStVarCopyObj local_00EC
403053: 04 FLdRfVar local_00EC
403056: f5 LitI4: 0x0 0 (....)
40305B: 3a LitVarStr: ( local_009C ) Good work ;Contents of Messagebox
403060: 04 FLdRfVar local_016C
******Other crap******
403085: 27 LitVar_Missing
403088: 27 LitVar_Missing
40308B: 3a LitVarStr: ( local_00BC ) Oops ;Unreged title
So, one of the first things I noticed was the BranchF, although I had no idea what it meant. After reading through the tuts provided with Exdec, I found out that BranchF is Jump if False, roughly the equivalent of JNE (jump if not equal). There is also BranchT, Jump if True (JE), and plain old Branch (JMP). So, what we see here is a need to, most likely, just skip that branch at 00403042.

Now, I tried a few things here. NOP (90) would crash the program, and plain 00 didn't work either. That makes sense once you remember this isn't x86: the P-Code engine reads those bytes as P-Code opcodes, not as x86 instructions, so the usual NOP trick is meaningless here. One thing I have to mention is that Exdec doesn't show you the length of the opcodes, so you have to take the address of one line, we'll use 00403042, and subtract it from the address of the next line, 00403045. After that little bit of math, we end up with 3. So we now know that 'BranchF' is 3 bytes long (1 opcode byte plus a 2-byte operand). Looking at this address in Hiew we see instructions all scattered, due to the fact it's not ASM, but you can still modify these 3 bytes successfully.

The next thing we need to know is what the hell the opcodes of a P-Code jump are. Looking back to WP's crackme tut, it tells us:
1C = BranchF
1D = BranchT
1E = Branch
The next part: we have to find the other 2 bytes. Those are the offset of the address to jump to, measured from the start (base) of the proc. Scroll up through Exdec, and at the top of the proc we see:
402D00: 04 FLdRfVar local_008C
OK, so 402D00 is the start of the proc. We want to jump to the next line, 403045. 403045 - 402D00 = 0345. This operand is stored backwards (little-endian), so you split it up, 03 45, and reverse the bytes: 45 03. Now, all we have to do is go into Hiew, go to the line .00403042, hit F3, and type: 1E4503. F9 to save, F10 to exit. That turns the conditional BranchF into an unconditional Branch whose target is the very next instruction, so the check is effectively skipped and execution always falls into the "Good work" path. (For reference, the original 3 bytes were 1C 85 03: BranchF to 403085 - 402D00 = 0385.) Now, just run crkme03.exe, enter your name and whatever serial, and hit Check!
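The same patch, worked through in a small Python script. This is an added example by the editor, not part of the original solution: it assembles the 3-byte P-Code branch exactly as described above (opcode byte 1C/1D/1E, then a little-endian 16-bit offset from the start of the proc), decodes the original bytes to double-check the arithmetic, and applies the patch to a constructed byte image. The image, its base address (0x403000) and the function names are assumptions made for the demo; the real file offset of 00403042 inside crkme03.exe is whatever Hiew maps it to, which the script does not try to compute.

```python
"""
VB P-Code branch patcher for the crkme03 write-up.

Example code added to the tutorial, not from the original author.
Opcodes and the "operand = target - proc start, little-endian" rule come
from the text above; the byte image built in demo() is constructed here
and is NOT dumped from crkme03.exe.
"""
import struct

BRANCH_F = 0x1C  # BranchF: jump if the boolean on the P-Code stack is False
BRANCH_T = 0x1D  # BranchT: jump if True
BRANCH = 0x1E    # Branch:  unconditional jump

OPCODE_NAMES = {BRANCH_F: "BranchF", BRANCH_T: "BranchT", BRANCH: "Branch"}

PROC_START = 0x402D00  # first line of the proc in Exdec (FLdRfVar local_008C)
PATCH_VA = 0x403042    # the BranchF we want to neuter
FALLTHRU_VA = 0x403045  # next P-Code instruction: the "Registerd" path
UNREG_VA = 0x403085    # original BranchF destination: the "Oops" path


def encode_branch(opcode: int, proc_start: int, target: int) -> bytes:
    """Assemble a 3-byte P-Code branch: opcode + little-endian offset."""
    if opcode not in OPCODE_NAMES:
        raise ValueError(f"not a branch opcode: {opcode:#04x}")
    offset = target - proc_start
    if not 0 <= offset <= 0xFFFF:
        raise ValueError(f"target {target:#x} not reachable with a 16-bit offset")
    return bytes([opcode]) + struct.pack("<H", offset)


def decode_branch(data: bytes, proc_start: int):
    """Inverse of encode_branch: returns (mnemonic, absolute target)."""
    opcode = data[0]
    if opcode not in OPCODE_NAMES:
        raise ValueError(f"not a branch opcode: {opcode:#04x}")
    (offset,) = struct.unpack_from("<H", data, 1)
    return OPCODE_NAMES[opcode], proc_start + offset


def patch_bytes(image: bytes, image_base: int, va: int,
                expected: bytes, replacement: bytes) -> bytes:
    """
    Overwrite `replacement` at virtual address `va` in a flat image whose
    first byte lives at `image_base`.  Refuses to patch unless the bytes
    currently at `va` are exactly `expected`, so a wrong offset or a
    different build of the target is caught instead of silently corrupted.
    """
    if len(expected) != len(replacement):
        raise ValueError("patch must not change instruction length")
    idx = va - image_base
    current = image[idx:idx + len(expected)]
    if current != expected:
        raise ValueError(f"bytes at {va:#x} are {current.hex()}, "
                         f"expected {expected.hex()}")
    return image[:idx] + replacement + image[idx + len(replacement):]


def build_crackme_patch():
    """Original bytes at 403042 and the bytes typed into Hiew, as a pair."""
    original = encode_branch(BRANCH_F, PROC_START, UNREG_VA)   # 1c 85 03
    patched = encode_branch(BRANCH, PROC_START, FALLTHRU_VA)   # 1e 45 03
    return original, patched


def demo():
    """Apply the patch to a constructed image and decode the result."""
    original, patched = build_crackme_patch()
    # Constructed stand-in for the code section: 0x100 zero bytes based at
    # 0x403000, with the original BranchF placed at 0x403042 (offset 0x42).
    image_base = 0x403000
    image = bytearray(0x100)
    image[PATCH_VA - image_base:PATCH_VA - image_base + 3] = original
    new_image = patch_bytes(bytes(image), image_base, PATCH_VA, original, patched)
    return decode_branch(new_image[PATCH_VA - image_base:PATCH_VA - image_base + 3],
                         PROC_START)


if __name__ == "__main__":
    orig, new = build_crackme_patch()
    print("original :", orig.hex(), decode_branch(orig, PROC_START))
    print("patched  :", new.hex(), decode_branch(new, PROC_START))
    print("after patch:", demo())
```

The `expected` check in `patch_bytes` is the part worth keeping around: it is the scripted equivalent of looking at the bytes in Hiew before you type over them. If you would rather invert the check than skip it, `encode_branch(BRANCH_T, PROC_START, UNREG_VA)` gives the BranchT (1D 85 03) variant, which keeps the operand and only flips the opcode.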