Acid_Cool_178
presents his

#3  Tutorial

 

Author Information
E-mail: acid_cool_178@hotmail.com
Age: 17
Web Page: http://acidcool.cjb.net/
Member in: Hellforge, Flying Horse Cracking Force
Groups Web Page: Hellforge Login, FHCF Login

 

Program Information
Name: koRnFLeX VB6 Crackme #1 (kornflex - vbccrackme1.exe)
Where to Download: The Crackme Site
Tools Used: W32Dasm, Hiew (download at Protools)
Size: 20KB
What kind of a program: Crackme Shareware
Skill: Easy Not so easy Hard X-pert

 

Information about the protection

Well, I'm still a newbie. Sorry. But this protection has a serial and I will find it, ehh. I won't find it ;) I will patch it :)

The Tasks

Task 1 <-- Patching with W32Dasm and Hiew
Task 2 <-- Serial sniffing with SmartCheck 6.03 and Hiew
Task 3 <-- Having Phun :)

The Process

1. Task
First I opened kornflex - vbccrackme1.exe in W32Dasm with SDR enabled, and I found this in the "String Data References": <Good Job Cracker>
hehe, tnx kornflex.. Best regards to ya ;)
I scrolled up some lines until I could see this code:
:00401CDD 7543         JNE 00401D22
JNE => Jump If Not Equal, and what the hell must be equal? The answer is: THE SERIAL!!!
Take a look at the W32Dasm status bar, and you can see this: @Offset 00001CDDh
Well, I just love W32Dasm. Open kornflex - vbccrackme1.exe in Hiew.exe, GoTo (F5) 1CDD, press F3 (Edit) and type 90 (NOP) two times (the JNE instruction, 7543, is two bytes long).
Update the file (F9) and exit (F10 and Esc), then run the crackme again, and every code is accepted.
INFO!! 90 means NOP and NOP means No Operation!
Well, now you have patched the crackme :)
But why the hell not have some fun with this crackme??

2. Task
Now we will try to attack this program with SmartCheck 6.03. If you haven't configured it yet, then read Eternal Bliss's tutorials on SmartCheck configuration.
Open kornflex - vbccrackme1.exe in SC and run the program in SC. When the crackme appears, just type a silly serial (I typed 2951) and press OK. The NAG will appear; click OK and stop the program. Go to Command1_click in SC, go to "View" and select "Show all events", and now you should see a lot of strange stuff in SC. You should see this: _vbaStrCmp returns DWORD:1. Click on that one. And BINGO, what do we have here: 12-21-34-43. Run the crackme without SC, write 12-21-34-43 in the serial field, and you get the good MSGBOX :)

3. Task
We have patched the crackme, and now we get a NAG every time we enter a "valid" serial. Let's get rid of that. Open the crackme in W32Dasm, go to "good job cracker" and scroll down until you can see this code.
* Reference To: MSVBVM60.rtcMsgBox, Ord:0253h
|
:00401D0A FF1520104000 Call dword ptr [00401020]    <-- The important NAG Call
:00401D10 8D459C lea eax, dword ptr [ebp-64]
:00401D13 8D4DAC lea ecx, dword ptr [ebp-54]
:00401D16 50 push eax

The important NAG call has offset 1D0A, so just open the crackme in Hiew. GoTo (F5) and Edit (F3) and enter 90 six times (the call, FF1520104000, is six bytes long). Update the file (F9) and Quit (F10 and Esc).
Run the crackme and enter any serial, wow. The NAG is in wonderland :)

And now we will remove the NAG that pops up saying "Ah! You fucked up". In W32Dasm you can see this string in "String Data References" <Ah! You fucked up>; scroll down to this code.

* Reference To: MSVBVM60.rtcMsgBox, Ord:0253h
|
:00401D4D FF1520104000 Call dword ptr [00401020]         <-- The important NAG Call
:00401D53 8D559C lea edx, dword ptr [ebp-64]
:00401D56 8D45AC lea eax, dword ptr [ebp-54]

The same procedure as above, but this call has the offset 1D4D. Open the crackme in Hiew. GoTo (F5) and Edit (F3) and enter 90 six times. Update the file (F9) and Quit (F10 and Esc).
Run the crackme and enter any serial, wow. The NAG is in wonderland :)
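
Seen from the other side, each patch in the tasks above leaves a run of 90 bytes where an instruction used to be, and comparing a known-good copy with a suspect copy finds them. This is an added example, not part of the original tutorial: the function names are assumptions, and the sample buffers are constructed from the instruction bytes and file offsets quoted above rather than read from the real file.

```python
NOP = 0x90  # single-byte x86 "no operation" opcode

def find_nop_patches(original: bytes, suspect: bytes):
    """Return [(file_offset, original_bytes), ...] for every run of bytes
    that is 0x90 in the suspect copy but was something else originally."""
    if len(original) != len(suspect):
        raise ValueError("sizes differ: not an in-place byte patch")
    patches, i = [], 0
    while i < len(original):
        if suspect[i] == NOP and original[i] != NOP:
            start = i
            while (i < len(original) and suspect[i] == NOP
                   and original[i] != NOP):
                i += 1
            patches.append((start, bytes(original[start:i])))
        else:
            i += 1
    return patches

def build_samples():
    """Constructed stand-ins for the real files: zero-filled buffers holding
    only the instruction bytes quoted in the tutorial at their file offsets."""
    original = bytearray(0x2000)
    original[0x1CDD:0x1CDF] = bytes.fromhex("7543")          # JNE 00401D22
    original[0x1D0A:0x1D10] = bytes.fromhex("FF1520104000")  # call rtcMsgBox
    original[0x1D4D:0x1D53] = bytes.fromhex("FF1520104000")  # call rtcMsgBox
    suspect = bytearray(original)
    for offset, length in ((0x1CDD, 2), (0x1D0A, 6), (0x1D4D, 6)):
        suspect[offset:offset + length] = bytes([NOP]) * length
    return bytes(original), bytes(suspect)

if __name__ == "__main__":
    good, bad = build_samples()
    for offset, old in find_nop_patches(good, bad):
        print(f"offset {offset:#06x}: {len(old)} byte(s) NOPed, was {old.hex()}")
```

For real files, read both copies with open(path, "rb").read(); a run whose original bytes start with 75 (a short JNE) or FF15 (an indirect call) is the kind of check or message call removed above.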

Ending

Well, I hope that you can understand my English :)
I had plans to include a SoftIce part but I didn't understand SoftIce so I decided to leave it.

Greetings

LaZaRuS, Wajid, Borna Janes, ManKind, Eddie Van Camper, ACiD BuRN, KoRnFLeX, Eternal_Bliss