********************************************************************************
                                  CrackMe #4
********************************************************************************

Author: n0p3x
Protection: CD Check
URL: http://www.phrozencrew.co.uk/crackme4.zip
Tools: SoftICE V4.05, W32Dasm V8.93, Hex-Editor

---> Intro...

Welcome to my next Tutorial !!! This is a very easy example of a CD Check :) The API that is used most of the time for CD Checks is "GetDriveTypeA".

---> Let's Begin...

Open the CrackMe, and a Message Box pops up saying: "This program isn't being run from a CD, Please insert the CD"
Hehe, of course it's not run from a CD ;) But we're going to fool the program so it thinks we're running it from a CD :)
Now click "Ok" and you'll see a window with 3 buttons (Exit, Re-Test CD, About), and an "Edit Box" which says: "Invalid CD In Drive"
Now get into SoftICE (CTRL+D) and type "bpx GetDriveTypeA" followed by "enter". Then get out of SoftICE (CTRL+D) and press the button "Re-Test CD"; SoftICE should pop up.
Now type "BC *" to clear the breakpoint and press (F12) 1 time and you'll see this:

--------------------------------------------------------------------------------
:0040108A 83F805                  cmp eax, 00000005       <--- Interesting Compare :)
:0040108D 7526                    jne 004010B5            <--- If not equal we jump and get the bad Message Box, else continue
:0040108F 6800100000              push 00001000

* Possible StringData Ref from Data Obj ->"Well Done"
                                  |
:00401094 6898204000              push 00402098

* Possible StringData Ref from Data Obj ->"This program is being run from "
                                        ->"a CD"
                                  |
:00401099 6874204000              push 00402074
:0040109E 6A00                    push 00000000

* Reference To: USER32.MessageBoxA, Ord:0000h
                                  |
:004010A0 E86D040000              Call 00401512

* Possible StringData Ref from Data Obj ->"Correct CD In Drive"
                                  |
:004010A5 68A2204000              push 004020A2

* Possible Reference to Dialog: DialogID_0001, CONTROL_ID:0065, ""
                                  |
:004010AA 6A65                    push 00000065
:004010AC 53                      push ebx

* Reference To: USER32.SetDlgItemTextA, Ord:0000h
                                  |
:004010AD E85A040000              Call 0040150C
:004010B2 5B                      pop ebx
:004010B3 5D                      pop ebp
:004010B4 C3                      ret
--------------------------------------------------------------------------------

Ok, here it compares EAX with 00000005 (which means CDROM Drive), followed by a "jne 004010B5". So to defeat this we can change the "jne 004010B5" into NOP (90), or we can change the "cmp eax, 00000005" into "cmp eax, 00000003" (which means Fixed Drive); we're gonna do the second patch.

Now write down the address of the "cmp eax, 00000005" (or keep it in mind) and disassemble the CrackMe with W32Dasm. Then press (SHIFT+F12), fill in the address "0040108A" and press "Ok". Now look at the bottom of W32Dasm; you'll see a line like this:

Line:148 Pg 3 and 4 of 21 Code Data @:0040108A @Offset 0000068Ah in File:crackme4.exe

The only thing important now is "@Offset 0000068Ah"; write it down.
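As an added example (not part of this tutorial), here is the translation W32Dasm performs from the code address 0040108A to the file offset 0000068Ah, plus the decoding of the three bytes "83 F8 05" found there. The section table and image bytes are constructed; a .text section at RVA 1000h with raw data at file offset 600h is assumed, which is consistent with the offset the tutorial shows.

```python
# Added example: map a virtual address to a PE file offset (what W32Dasm's
# "@Offset" line does) and decode the "cmp eax, imm8" bytes found there.
# The section table and image bytes below are constructed for this example.
IMAGE_BASE = 0x400000
# (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)
SECTIONS = [
    (".text", 0x1000, 0x0600, 0x0600, 0x0600),
    (".data", 0x2000, 0x0200, 0x0C00, 0x0200),
]
# GetDriveTypeA return values; the tutorial's "5 = CDROM, 3 = Fixed Drive".
DRIVE_TYPES = {0: "DRIVE_UNKNOWN", 1: "DRIVE_NO_ROOT_DIR", 2: "DRIVE_REMOVABLE",
               3: "DRIVE_FIXED", 4: "DRIVE_REMOTE", 5: "DRIVE_CDROM", 6: "DRIVE_RAMDISK"}


def va_to_file_offset(va, image_base=IMAGE_BASE, sections=SECTIONS):
    """Translate a virtual address into the file offset of the same bytes."""
    rva = va - image_base
    for name, vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            delta = rva - vaddr
            if delta >= raw_size:  # mapped at runtime but not backed by file data
                raise ValueError("%#x is in the uninitialised tail of %s" % (va, name))
            return raw_ptr + delta
    raise ValueError("RVA %#x is not inside any section" % rva)


def decode_cmp_eax_imm8(code):
    """Decode 83 F8 ib (CMP r/m32, imm8; ModRM F8 = /7 with rm = EAX); return the immediate."""
    if len(code) < 3 or code[0] != 0x83 or code[1] != 0xF8:
        raise ValueError("not a 'cmp eax, imm8' instruction: %s" % bytes(code).hex())
    imm = code[2]
    return imm - 0x100 if imm & 0x80 else imm  # imm8 is sign-extended to 32 bits


def describe_cd_check(image, va):
    """Return (file_offset, immediate, drive type name) for the compare at va."""
    off = va_to_file_offset(va)
    imm = decode_cmp_eax_imm8(image[off:off + 3])
    return off, imm, DRIVE_TYPES.get(imm, "unknown value")


# Constructed image: 0xE00 bytes with the tutorial's bytes 83 F8 05 at offset 0x68A.
SAMPLE_IMAGE = bytearray(0x0E00)
SAMPLE_IMAGE[0x68A:0x68D] = bytes.fromhex("83F805")

if __name__ == "__main__":
    print(describe_cd_check(bytes(SAMPLE_IMAGE), 0x0040108A))
```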
Then close W32Dasm and open the CrackMe in your Hex-Editor. Now go to that offset "0000068A" and change the bytes like this:

83F805 into 83F803

Save the file and run it; a Message Box pops up saying that the CrackMe was run from a CD :) That's all.

---> Greetings...

Everyone from TrickSoft (www.TrickSoft.net)
Everyone from Cracking4Newbies (www.Cracking4Newbies.com)
Everyone from Keygenning4Newbies (Keygenning4Newbies.cjb.net)
And You...

Don't trust the Outside, trust the InSiDe !!!

Cya... CoDe_InSiDe
Email: code.inside@home.nl