Underground InformatioN Center [&articles] 

Solution for Piro's Crackme1

Tools
SoftICE
SmartCheck
IDA
brain & ASM knowledge

Let's start
First, disassemble the target in IDA.
Set a breakpoint on HMEMCPY, enter the serial (123456), and SoftICE will pop when you hit Enter. F11 and F10 until you return to 'crackme'.


       (dead-listing from IDA)
00402601      call    ds:MSVBVM60_596          ;rtsInputBox

d eax. Wow! It's my serial.
bpr eax eax+5

00402607      lea     edx, [ebp-0A8h]          
0040260D      lea     ecx, [ebp-24h]
00402610      mov     [ebp-0A0h], eax
00402616      mov     dword ptr [ebp-0A8h], 8
00402620      call    ds:__vbaVarMove          ;not interesting
00402626      lea     ecx, [ebp-98h]
0040262C      lea     edx, [ebp-88h]
00402632      push    ecx
00402633      lea     eax, [ebp-78h]
00402636      push    edx
00402637      lea     ecx, [ebp-68h]
0040263A      push    eax
0040263B      lea     edx, [ebp-58h]
0040263E      push    ecx
0040263F      lea     eax, [ebp-48h]
00402642      push    edx
00402643      push    eax
00402644      lea     ecx, [ebp-38h]
00402647      push    ecx
00402648      push    7
0040264A      call    ds:__vbaFreeVarList       ;not interesting
00402650      add     esp, 20h
00402653      lea     edx, [ebp-24h]
00402656      lea     eax, [ebp-0B8h]
0040265C      mov     dword ptr [ebp-0B0h], offset loc_401FD8
00402666      push    edx
00402667      push    eax
00402668      mov     dword ptr [ebp-0B8h], 8008h
00402672      call    ds:__vbaVarTstEq          ;that's it!!!
F5. SoftICE will pop at:

cs:653C045E   REPZ  CMPSW
              JZ    FUCK_U_CRACKER                                    

d esi.              310032003300340035003600   
d edi.              DF00CB002000CA006C00E800E9005400
Hmmmm. Looks like the correct serial is 'ЯЛ КlийT' (serial is best viewed with DOS-mode ;)
Serial:='alt+223'+'alt+203'+' '+'alt+202'+'l'+'alt+232'+'alt+233'+'T';
Ok. Change JZ to JNZ and press F10 a few times until you get:

cs:653C04AC  CMP [EBP-04],EBX
ebx=10h
[ebp-04] is length_of_the_serial*2
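The two dumps above and the length check are easier to reason about once you remember that a VB6 String is a BSTR, i.e. UTF-16LE with two bytes per character: '123456' becomes 31 00 32 00 ..., and the 8-character expected serial has a byte length of 10h, which is exactly what CMP [EBP-04],EBX tests. The following Python is an added example, not code from the writeup; the two dump strings are copied from the writeup, everything else (function names, the model of REPZ CMPSW, the order of the two checks) is constructed here. It decodes both dumps, computes the [ebp-04] value, models the word-by-word compare, and shows that rendering the low bytes of the expected serial with the Windows-1251 Cyrillic code page reproduces the 'ЯЛ КlийT' seen in the writeup, while the Alt+NNN numbers in the Serial:= line are simply those low bytes in decimal.

```python
# Added example (not from the writeup): decode the two SoftICE dumps shown
# at the REPZ CMPSW and model the two checks that follow it.
# The dump strings are copied from the writeup; everything else is constructed.

ENTERED_DUMP = "310032003300340035003600"            # d esi: what we typed (123456)
EXPECTED_DUMP = "DF00CB002000CA006C00E800E9005400"   # d edi: what it is compared against


def dump_to_bytes(hexdump):
    """SoftICE `d` output with the spaces removed -> raw bytes."""
    return bytes.fromhex(hexdump)


def decode_vb_string(raw):
    """A VB6 String is a BSTR: UTF-16LE code units, two bytes per character."""
    return raw.decode("utf-16-le")


def bstr_byte_length(text):
    """The value the listing keeps at [ebp-04]: length in bytes = characters * 2."""
    return len(text.encode("utf-16-le"))


def low_byte_view(raw, codepage):
    """Every code unit of the expected serial is below 0x100, so its low byte
    doubles as a one-byte character. Rendering those bytes with a Cyrillic
    code page is what produced the 'ЯЛ КlийT' the writeup shows."""
    return raw[0::2].decode(codepage)


def alt_codes(raw):
    """Decimal value of each low byte: the numbers in the writeup's Serial:= line."""
    return list(raw[0::2])


def repz_cmpsw(src, dst, count):
    """Model of `REPZ CMPSW`: compare 16-bit words at esi and edi, stop at the
    first mismatch or after `count` words. Returns (zf, words_consumed), where
    zf mirrors the zero flag after the loop (True = all compared words equal)."""
    for i in range(count):
        a = int.from_bytes(src[2 * i:2 * i + 2], "little")
        b = int.from_bytes(dst[2 * i:2 * i + 2], "little")
        if a != b:
            return False, i + 1
    return True, count


def check_serial(entered_dump, expected_dump):
    """The two tests in the order the listing performs them (constructed model):
    1. REPZ CMPSW over the shorter of the two strings (JZ on its result),
    2. CMP [EBP-04],EBX: byte length of the entered string vs 10h."""
    entered = dump_to_bytes(entered_dump)
    expected = dump_to_bytes(expected_dump)
    words = min(len(entered), len(expected)) // 2
    content_ok, _ = repz_cmpsw(entered, expected, words)
    length_ok = len(entered) == len(expected)
    return content_ok and length_ok


if __name__ == "__main__":
    expected = dump_to_bytes(EXPECTED_DUMP)
    print("entered :", decode_vb_string(dump_to_bytes(ENTERED_DUMP)))
    print("expected:", decode_vb_string(expected))
    print("[ebp-04]:", hex(bstr_byte_length(decode_vb_string(expected))))
    print("cp1251  :", low_byte_view(expected, "cp1251"))
    print("alt     :", alt_codes(expected))
    print("123456 passes:", check_serial(ENTERED_DUMP, EXPECTED_DUMP))
```

Run it as a script and it prints the decoded strings, 0x10 for the length slot, and the Windows-1251 rendering. The point a practitioner should take away is that a Unicode dump read byte-by-byte in a legacy code page shows characters that are not the ones the program actually compares; decode the dump as UTF-16LE first, then decide how to display it.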
The correct serial should be 8 characters long.
Ah, almost forgot: there is a nag. Let's remove it. Run SmartCheck and click on the nag menu. In the 'Program Event' window you see _Click, then MsgBox [not interesting for us]. In the 'Details' window you see:
CRACKME.EXE!0000248B(no debug info)
In IDA at 0000248A:

0040248A FF 15 28 10 40 00 call    ds:MSVBVM60_595  ;rtsMsgBox
What are you waiting for? Run your favorite hex-editor and replace those 6 bytes with NOPs.
That's all.
Thanx for reading and...
...sorry for my terrible English ;)

Greets to...
Genocide Crew members
All my friends (you know who you are)
All crackers in the world ;)

Corbio
corbio@mail.ru
Genocide Crew Member
uinC Member
[c]uinC

All documents and programs on this site are collected ONLY for educational purposes; we are not responsible for any consequences that result from using these materials/programs. You use all of the above at your own risk.

No materials from this site may be copied without the permission of the author or the administration.


2000-2015 © uinC Team