**********************************************************************************************************************
                                              Win32Asm CrackMe 2
**********************************************************************************************************************

Author:     Acid_Cool_178
Protection: CD-Check
URL:        http://members.nbci.com/_XMCM/norskehf/crackmes/asm/ac_crackme_02.zip
Tools:      W32Dasm v8.93
            Hex-Editor

---> Intro...

Welcome to my next Tutorial !!! The second CrackMe from Acid_Cool_178 :)
It's a simple CD-Check.

---> Let's Begin...

Ok, as always first open the CrackMe to see what's going on :)
You'll immediately get a Message Box saying:

   "Sorry, CD-Rom are NOT in Your CD-Rom Drive"
   "Nah"

Remember the first line for W32Dasm :)
Now click the "Ok" button and the CrackMe quits.

Ok, now disassemble the CrackMe in W32Dasm and click on "Strn Ref" (String Data References).
Then double click on the line:

   "Sorry, CD-Rom are NOT in Your "

And you'll see this:

----------------------------------------------------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040100F(C)
|
:00401026 6A00                    push 00000000                  <--------------
                                                                               |
* Possible StringData Ref from Data Obj ->"Sorry, CD-Rom are NOT in Your "      |
                                        ->"CD-Rom Drive"                       |
                                                                               |
:00401028 6804304000              push 00403004                                |
                                                                               |
* Possible StringData Ref from Data Obj ->"Nah"                                | - Bad Message Box
                                                                               |
:0040102D 6800304000              push 00403000                                |
:00401032 6A00                    push 00000000                                |
                                                                               |
* Reference To: USER32.MessageBoxA, Ord:01BBh                                  |
                                                                               |
:00401034 E809000000              Call 00401042                  <---------------
:00401039 EB00                    jmp 0040103B                   <--- Jump to ExitProcess
----------------------------------------------------------------------------------------------------------------------

Now notice on top "0040100F(C)": the Message Box has been called by a (C)onditional Jump at Offset 0040100F :)
So scroll a bit up till that Address "0040100F" and you'll see this:
----------------------------------------------------------------------------------------------------------------------
* Possible StringData Ref from Data Obj ->"1"
                                  |
//******************** Program Entry Point ********
:00401000 685C304000              push 0040305C

* Reference To: KERNEL32.GetDriveTypeA, Ord:00F0h
                                  |
:00401005 E844000000              Call 0040104E                  <--- Get Drive Type Information
:0040100A 83F805                  cmp eax, 00000005               <--- Compare EAX with 00000005 (is it a CD-Rom Drive?)
:0040100D 7402                    je 00401011                     <--- If equal jump to the Good Message Box
:0040100F 7515                    jne 00401026                    <--- Else jump to the Bad Message Box

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040100D(C)
|
:00401011 6A00                    push 00000000                  <---------------
:00401013 6838304000              push 00403038                                 |
                                                                                |
* Possible StringData Ref from Data Obj ->"Well DoneCongratZ, NC Crackme "       |
                                        ->"1 are completed1"                    |
                                                                                | - Good Message Box
:00401018 682F304000              push 0040302F                                 |
:0040101D 6A00                    push 00000000                                 |
                                                                                |
* Reference To: USER32.MessageBoxA, Ord:01BBh                                   |
                                                                                |
:0040101F E81E000000              Call 00401042                  <---------------
:00401024 EB15                    jmp 0040103B                   <--- Jump to ExitProcess
----------------------------------------------------------------------------------------------------------------------

You see that nice little Compare over there? ;)
There it checks if it's a CD-Rom: if it is we get the Good Message Box, else the Bad Message Box :)

So we can defeat this CrackMe in several ways:

1. Change the instruction "cmp eax, 00000005" into "cmp eax, 00000001" (00000001 means "C:\" ;)
2. Change the "je 00401011" into "jmp 00401011"
3. Change the "jne 00401026" into "nop nop" or "jne 00401011" :)
4. Or we can make it Jump from the Entry Point straight to the Good Message Box :)

We're gonna do them all ;)

---> Method 1

Double click on "cmp eax, 00000005", then look at the bottom of W32Dasm and you'll see this:

   "@Offset 0000040Ah"

Then open the CrackMe in your Hex-Editor and go to location "0000040A".
There change this:

   83F805 (cmp eax, 00000005)

into:

   83F801 (cmp eax, 00000001)

Save the File and run it (don't forget to close W32Dasm, otherwise we can't save), it works ;)

---> Method 2

Ok, disassemble the CrackMe again in W32Dasm (if you closed W32Dasm ;) and double click on the instruction "je 00401011".
Then you'll see at the bottom this:

   "@Offset 0000040Dh"

Then open the CrackMe in your Hex-Editor and go to location "0000040D".
There change this:

   7402 (je  "Jump if Equal")

into:

   EB02 (jmp "Jump")

Save the File and run it (don't forget to close W32Dasm, otherwise we can't save), it works ;)

---> Method 3

Ok, disassemble the CrackMe again in W32Dasm (if you closed W32Dasm ;) and double click on the instruction "jne 00401026".
Then you'll see at the bottom this:

   "@Offset 0000040Fh"

Then open the CrackMe in your Hex-Editor and go to location "0000040F".
There change this:

   7515 (jne "Jump if Not Equal")

into:

   9090 (NOP, NOP)

or into:

   7500 (jne "Jump if Not Equal")

Save the File and run it (don't forget to close W32Dasm, otherwise we can't save), it works ;)

---> Method 4

Double click on the Entry Point (location "00401000") to see what the real Address is ;) It's:

   "@Offset 00000400h"

Then open the CrackMe in your Hex-Editor and go to location "00000400". You'll see there:

   685C304000E84400000083F80574027515

We're going to make it Jump from the beginning till after the "7515" (jne) :)
So change it into this:

   EB0F304000E84400000083F80574027515

Ok, now why this line? ;)
First of all you need to know, when you're calculating Jumps, that you start counting after the Jump instruction
till you reach the beginning of the Instruction where you want to Jump to, and of course don't forget to count in Hex. ;)

Let me explain:

   From here... (after the jump instruction)          Till here... (beginning of the destination)
         |                                            |
   EB 0F 30 40 00 E8 44 00 00 00 83 F8 05 74 02 75 15 |
   |  |
   Our Jump

            0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
            |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |
   EB 0F 30 40 00 E8 44 00 00 00 83 F8 05 74 02 75 15 |
   |  |
   Our Jump

See, it's simple :)
So replace the first 2 Bytes with "EB0F".
Save the File and run it (don't forget to close W32Dasm, otherwise we can't save), it works ;)

That's All...

---> Greetings...

To be honest I'm getting a bit sick of these greetings every time ;P
So I'll just say: Greetings to everyone I know, and to everyone who knows me, and You... ;P

Don't trust the Outside, trust the InSiDe !!!

Cya...

CoDe_InSiDe

Email:    code.inside@home.nl
Homepage: http://codeinside.cjb.net
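The address arithmetic in Methods 1 to 4 (W32Dasm address to file offset, and the "start counting after the jump instruction" rule from Method 4) can be recomputed by a script instead of by hand, so every byte in the tutorial can be checked before a hex editor touches the file. The Python below is an added example written for this page; it is not part of the CrackMe and not the tutorial author's code. It assumes what the quoted address/offset pairs imply (00401000 <-> @Offset 00000400h, i.e. image base 0x400000 and a code section whose RVA 0x1000 begins at raw offset 0x400) rather than reading the PE section table, and it uses the 17 entry-point bytes from the listing as constructed input. The GetDriveTypeA return values it lists are the documented Win32 ones: 5 is DRIVE_CDROM and 1 is DRIVE_NO_ROOT_DIR, the value returned for a path that is not a valid root directory, which is what makes the compare against 1 in Method 1 succeed when the argument is the "1" string seen at the entry point.

```python
# Added example for this page (not the CrackMe's code, not the tutorial's):
# the jump and offset arithmetic of Methods 1-4, recomputed instead of
# counted by hand.
#
# ASSUMPTIONS, taken from the address/offset pairs W32Dasm reported above
# (00401000 <-> @Offset 00000400h): image base 0x400000 and a code section
# whose RVA 0x1000 starts at raw file offset 0x400.  A real tool would read
# these from the PE section table instead of hard-coding them.
from __future__ import annotations

IMAGE_BASE = 0x400000
CODE_RVA = 0x1000
CODE_RAW = 0x400

# Opcodes of the two-byte short (rel8) branches used by this CrackMe.
SHORT_OPCODES = {"jmp": 0xEB, "je": 0x74, "jne": 0x75}
OPCODE_TO_MNEMONIC = {op: name for name, op in SHORT_OPCODES.items()}

# GetDriveTypeA return values as documented for the Win32 API (winbase.h).
DRIVE_TYPES = {
    0: "DRIVE_UNKNOWN", 1: "DRIVE_NO_ROOT_DIR", 2: "DRIVE_REMOVABLE",
    3: "DRIVE_FIXED", 4: "DRIVE_REMOTE", 5: "DRIVE_CDROM", 6: "DRIVE_RAMDISK",
}

# Constructed input: the 17 bytes the tutorial shows at file offset 0x400
# (push 0040305C / call GetDriveTypeA / cmp eax,5 / je / jne).
ENTRY_VA = IMAGE_BASE + CODE_RVA  # :00401000
ENTRY_BYTES = bytes.fromhex("685C304000E84400000083F80574027515")


def va_to_offset(va: int) -> int:
    """Map a W32Dasm virtual address to the raw file offset a hex editor needs."""
    rva = va - IMAGE_BASE
    if rva < CODE_RVA:
        raise ValueError(f"{va:#010x} lies before the code section")
    return rva - CODE_RVA + CODE_RAW


def rel8(src_va: int, dst_va: int) -> int:
    """Displacement byte of a short branch located at src_va that lands on dst_va.

    This is the tutorial's rule: counting starts at the byte *after* the
    two-byte branch, so the base is src_va + 2.  Short branches only reach
    -128..+127 bytes; anything farther needs the longer rel32 encoding.
    """
    disp = dst_va - (src_va + 2)
    if not -128 <= disp <= 127:
        raise ValueError(f"{dst_va:#x} is out of short-branch range from {src_va:#x}")
    return disp & 0xFF  # two's complement for backward jumps


def encode_short(mnemonic: str, src_va: int, dst_va: int) -> bytes:
    """Bytes of a jmp/je/jne rel8 placed at src_va and targeting dst_va."""
    return bytes([SHORT_OPCODES[mnemonic], rel8(src_va, dst_va)])


def decode_short(code: bytes, va: int) -> tuple[str, int]:
    """Inverse of encode_short: (mnemonic, target va) for the two bytes at va."""
    opcode, disp = code[0], code[1]
    if disp >= 0x80:
        disp -= 0x100  # sign-extend the displacement
    return OPCODE_TO_MNEMONIC[opcode], va + 2 + disp


def branch_targets(entry: bytes = ENTRY_BYTES, entry_va: int = ENTRY_VA) -> dict[str, tuple[str, int]]:
    """Decode the je/jne in the entry stub from the raw bytes.

    push (5 bytes) + call (5 bytes) + cmp (3 bytes) put the je at +13 and
    the jne at +15 from the entry point, exactly as the W32Dasm listing shows.
    """
    return {
        "je": decode_short(entry[13:15], entry_va + 13),
        "jne": decode_short(entry[15:17], entry_va + 15),
    }


def drive_type_name(value: int) -> str:
    """Name of a GetDriveTypeA result, for reading the cmp in Method 1."""
    return DRIVE_TYPES.get(value, f"unknown ({value})")


if __name__ == "__main__":
    patches = {
        "Method 2, je -> jmp at :0040100D": ("jmp", 0x40100D, 0x401011),
        "Method 3, jne -> jne +0 at :0040100F": ("jne", 0x40100F, 0x401011),
        "Method 4, jmp at the entry point": ("jmp", 0x401000, 0x401011),
    }
    for label, (mnem, src, dst) in patches.items():
        print(f"{label}: @Offset {va_to_offset(src):08X}h -> {encode_short(mnem, src, dst).hex().upper()}")
    print("entry stub branches:", branch_targets())
    print("cmp eax,5 tests for", drive_type_name(5), "and the patched 1 is", drive_type_name(1))
```

Running the script reproduces the tutorial's own bytes (EB0F, EB02, 7500 and the original 7515), and decoding the two bytes already at a location with decode_short before editing confirms the hex editor is sitting on the instruction W32Dasm showed. The range check in rel8 is the caveat worth remembering: every patch here fits in a two-byte branch only because the targets are within a few bytes; a target farther than 127 bytes away cannot be reached by EB/74/75 at all.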