KeyGen Studio 2002

home *** CD-ROM | disk | FTP | other *** search

/ KeyGen Studio 2002 / KeyGen_Studio_2002.iso / Tutorials / Eternal bliss / EB_TUT14.TXT < prev next >

Wrap

Text File | 1999-08-27 | 5.0 KB | 158 lines

Tutorial Number 14 Written by Etenal Bliss Email: Eternal_Bliss@hotmail.com Website: http://crackmes.cjb.net http://surf.to/crackmes Date written: 19th Mar 1999 Program Details: Name: cRACKME #2 Author: lEK/tOL Tools Used: SoftIce Crackers' Tools written by Borna Janes and I Cracking Method: Code sniffing Viewing Method: Use Notepad with Word Wrap switched on Screen Area set to 800 X 600 pixels (Optional) __________________________________________________________________________ About this protection system No disabled function. Protection is based on a password. __________________________________________________________________________ The Essay In this essay, when I write type "d edx" or similar commands in Softice, I mean it without the quotes. This is a very simple CrackMe, so I won't be explaining much. __________________________________________________________________________ SoftIce Like I said in my 2 essays on general VB cracking, there are 2 main "popular" breakpoints used in VB programs to check serial/password. They are: __vbastrcomp __vbavartsteq Well, since this CrackMe is written in VB, let's try our luck. Set the two breakpoints by typing "d __vbastrcomp" and "d __vbavartsteq" Run the CrackMe. Type in "12345678" for the password. Click on "cHECK"... Did you break into SoftIce on __vbastrcomp?? Well, I did. 8P Here is a dump from Softice... MSVBVM50!__vbaStrComp :7B2F3564 8BEC MOV EBP,ESP :7B2F3566 53 PUSH EBX :7B2F3567 56 PUSH ESI :7B2F3568 57 PUSH EDI :7B2F3569 837D1000 CMP DWORD PTR [EBP+10],00 :7B2F356D BE00000000 MOV ESI,00000000 :7B2F3572 7406 JZ 7B2F357A (NO JUMP) :7B2F3574 8B4510 MOV EAX,[EBP+10] :7B2F3577 8B70FC MOV ESI,[EAX-04] :7B2F357A 837D0C00 CMP DWORD PTR [EBP+0C],00 :7B2F357E BF00000000 MOV EDI,00000000 :7B2F3583 7406 JZ 7B2F358B (NO JUMP) :7B2F3585 8B4D0C MOV ECX,[EBP+0C] :7B2F3588 8B79FC MOV EDI,[ECX-04] :7B2F358B 3BFE CMP EDI,ESI Just these few lines is enough for you to crack the CrackMe. ------------------------ Right after :7B2F3574, if you do a "d eax", you will see this in your code window... :004118E8 31 00 32 00 33 00 34 00-35 00 36 00 37 00 38 00 1.2.3.4.5.6.7.8. This looks like the password we entered right?? Since it is VB, the password has been converted to w.i.d.e. .c.h.a.r.a.c.t.e.r And just after :7B2F3577, if you type "? esi" you will see 00000010 0000000016 "" in your command window (the place where you do your typing) What does this mean?? Well, your password is 8 char. But because it is converted to wide char, it is now double the length, therefore, 16 in Dec and 10 in Hex. **You can actually see that esi=00000010 in the register window. ------------------------ Right after :7B2F3585, if you do a "d ecx", you will see this in your code window... :00401E18 57 00 67 00 FF 00 31 00-2E 00 6B 00 36 00 2E 00 W.g...1...k.6... :00401E28 23 00 FF 00 FF 00 FF 00-FF 00 24 00 20 00 00 00 #.........$. ... And just after :7B2F3588, if you type "? edi" you will see 0000001E 0000000030 "" in your command window. **You can actually see that edi=0000001E in the register window. So, following what I said for esi, since edi=0000001E, when converted to Dec, it is 30. To get the correct length, divide it by 2 and you will get 15. ------------------------ So, our correct password is 15 char. Now, look at the code window after you typed "d ecx". The Hex values (30 of them) are: 57 00 67 00 FF 00 31 00-2E 00 6B 00 36 00 2E 00 23 00 FF 00 FF 00 FF 00-FF 00 24 00 20 00 Ignoring the 00s since they are added in VB, you will have 57 67 FF 31 2E 6B 36 2E 23 FF FF FF FF 24 20 **Count the number of Hex values... it will be 15. Use Crackers' Tools (the proggie I coded with Borna Janes) to convert the Hex values to Ascii. You will get "Wg 1.k6.# $ " **After the "$", there is a space. Ignore the quotations. **Also, if you just look at the ascii shown in SoftIce, you will get the wrong password. Compare what you converted with what is shown! Now, type in the string you converted from the Hex values. You will get a message saying that you have made it! CrackMe Cracked!! __________________________________________________________________________ Final Notes This tutorial is dedicated to all the newbies like me. And because I'm a newbie myself, I may have explained certain things wrongly So, if that is the case, please forgive me. Email me if there is anything you are not clear about. My thanks and gratitude goes to:- The Sandman All the writers of Cracks tutorials and CrackMes