**************************************************************************************************************
                                              Win32Asm CrackMe 3
**************************************************************************************************************

Author:     Acid_Cool_178
Protection: CD-Check
URL:        http://members.nbci.com/_XMCM/norskehf/crackmes/asm/ac_crackme_03.zip
Tools:      W32Dasm v8.93
            Hex-Editor


---> Intro...

Welcome to my next Tutorial !!!
Well, another CD-Check CrackMe, with a little bug (Well actually a big bug) ;)


---> Let's Begin...

Ok, open the CrackMe and you'll get a Message Box saying:

"Sorry, CD-Rom are NOT in Your CD-Rom Drive"
"Nah"

Hmm, press the Button "Ok" and, whoops... we'll get the same Message Box again =/
Press "Ok" and again the same Message Box...
Here's the first bug, this CrackMe keeps looping ;)
Ok, get out of the CrackMe (CTRL+ALT+DEL or some program like ProcDump to Kill the task).
And disassemble the CrackMe in W32Dasm.
Now click on "Strn Ref" (String Data References) and double click on the line:

"Sorry, CD-Rom are NOT in Your "

And you'll see this:

--------------------------------------------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401014(C)
|
:0040102B 6A00                    push 00000000                 <---------------
                                                                               |
* Possible StringData Ref from Data Obj ->"Sorry, CD-Rom are NOT in Your "     |
                                        ->"CD-Rom Drive"                       |
                                  |                                            |
:0040102D 6800304000              push 00403000                                |
                                                                               |
* Possible StringData Ref from Data Obj ->"Nah"                                | - Bad Message Box
                                  |                                            |
:00401032 682B304000              push 0040302B                                |
:00401037 6A00                    push 00000000                                |
                                                                               |
* Reference To: USER32.MessageBoxA, Ord:01BBh                                  |
                                  |                                            |
:00401039 E80E000000              Call 0040104C                 <---------------
:0040103E EB00                    jmp 00401040        <--- Jump to next Instruction

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401029(U), :0040103E(U)
|
:00401040 EBC3                    jmp 00401005        <--- Jump to GetDriveTypeA
--------------------------------------------------------------------------------------------------------------

Notice the (C)onditional jump from Offset 00401014 :)
(Btw also notice the "jmp 00401040": it actually jumps nowhere and just continues with the next instruction,
which then jumps back to 00401005, weird ;).
Let's take a look at 00401014, so scroll a bit up and you'll see this:

--------------------------------------------------------------------------------------------------------------
:00401005 685C304000              push 0040305C

* Reference To: KERNEL32.GetDriveTypeA, Ord:00F0h
                                  |
:0040100A E849000000              Call 00401058
:0040100F 83F805                  cmp eax, 00000005   <--- Compare EAX with 00000005 (CD-Rom?)
:00401012 7402                    je 00401016         <--- If equal Jump to the Good Message Box
:00401014 7515                    jne 0040102B        <--- If not equal Jump to the Bad Message Box

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401012(C)
|
:00401016 6A00                    push 00000000                 <---------------
:00401018 6838304000              push 00403038                                |
                                                                               |
* Possible StringData Ref from Data Obj ->"Well DoneCongratZ, NC Crackme "     |
                                        ->"1 are completedc:\"                 |
                                  |                                            |
:0040101D 682F304000              push 0040302F                                | - Good Message Box
:00401022 6A00                    push 00000000                                |
                                                                               |
* Reference To: USER32.MessageBoxA, Ord:01BBh                                  |
                                  |                                            |
:00401024 E823000000              Call 0040104C                 <---------------
:00401029 EB15                    jmp 00401040        <--- Jump to the Jump to GetDriveTypeA, hmm :)
--------------------------------------------------------------------------------------------------------------

As you can see (if you read my previous Tutorial for Acid_Cool_178's Win32Asm CrackMe 2), it goes exactly
the same way ;)
I'm not going to explain it all twice ;) I'll just say: try to do it yourself with the help of my previous
Tutorial :)
But notice this other jump (jmp 00401040) at Offset 00401029: it goes to the jump at 00401040, which jumps
back to the GetDriveTypeA call at 00401005.
And so it keeps looping :)
You can easily patch that, to make it jump to ExitProcess, but I'll leave that up to you ;)
That's All...


---> Greetings...

To be honest I'm getting a bit sick of these greetings every time ;P
So I'll just say: Greetings to everyone I know, and to everyone who knows me, and You... ;P


Don't trust the Outside, trust the InSiDe !!!

Cya...

CoDe_InSiDe

Email:    code.inside@home.nl
Homepage: http://codeinside.cjb.net
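
An added example (not part of the original tutorial or the CrackMe): the branch targets W32Dasm shows in the two listings can be checked from the opcode bytes alone. The Python below decodes the rel8/rel32 displacements and follows the unconditional jumps after each MessageBoxA call, confirming that both paths land back on 00401005; the function and table names are illustrative.

```python
# Added example: branch bytes copied from the W32Dasm listings above.
BRANCHES = {
    0x0040100A: "E849000000",  # Call 00401058 (GetDriveTypeA)
    0x00401012: "7402",        # je  00401016
    0x00401014: "7515",        # jne 0040102B
    0x00401024: "E823000000",  # Call 0040104C (MessageBoxA)
    0x00401029: "EB15",        # jmp 00401040
    0x00401039: "E80E000000",  # Call 0040104C (MessageBoxA)
    0x0040103E: "EB00",        # jmp 00401040
    0x00401040: "EBC3",        # jmp 00401005
}
MNEMONICS = {0xE8: "call", 0xEB: "jmp", 0x74: "je", 0x75: "jne"}


def branch_target(addr, hexbytes):
    """Decode a CALL rel32, JMP rel8 or Jcc rel8 into (mnemonic, target)."""
    raw = bytes.fromhex(hexbytes)
    op = raw[0]
    if op not in MNEMONICS:
        raise ValueError(f"unsupported opcode {op:#04x} at {addr:#010x}")
    width = 4 if op == 0xE8 else 1
    if len(raw) != 1 + width:
        raise ValueError(f"truncated instruction at {addr:#010x}")
    # Displacement is signed, little-endian, relative to the NEXT instruction.
    disp = int.from_bytes(raw[1:], "little", signed=True)
    return MNEMONICS[op], (addr + len(raw) + disp) & 0xFFFFFFFF


def follow_jmps(addr):
    """Follow unconditional short jumps from addr; return where they land."""
    seen = set()
    while BRANCHES.get(addr, "").startswith("EB") and addr not in seen:
        seen.add(addr)
        addr = branch_target(addr, BRANCHES[addr])[1]
    return addr


if __name__ == "__main__":
    for a, b in BRANCHES.items():
        name, target = branch_target(a, b)
        print(f"{a:08X}  {b:<10}  {name:<4} {target:08X}")
    # Both message-box paths end up back at the push before GetDriveTypeA.
    for after_box in (0x00401029, 0x0040103E):
        print(f"after MessageBoxA at {after_box:08X} -> {follow_jmps(after_box):08X}")
```

The "EB00" entry decodes to a displacement of zero, which is why the jump at 0040103E simply falls through to 00401040.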