Acid_Cool_178
presents his
#17 Tutorial
For Hellforge
This text is meant only for educational purposes and is not to be used illegally. I take no responsibility for illegal use of this text. Proceed at your own risk.
Author Information
acid_cool_178@hotmail.com
Age | 17
Web Page | http://acidcool.cjb.net/
Date | February 2K
Member in | Hellforge | Flying Horse Cracking Force
Groups Web Page | Hellforge Login | FHCF Login
Program Information
Name | Cracking Execution Crackme v0.1
crackme.exe
Author | The Ghost
Where to Download | Crackme Website
Size | 58KB (only the EXE file)
Tools used | W32Dasm (with SDR patch), Soft Ice, Hiew
Download At
1. Player Tools
2. Programmer Tools
What kind of a program | Crackme | Shareware
Skill | Easy | Not so easy | Hard | X-pert
Information about the Protection I
This crackme asks for a Name and a Code. The program generates a code
and compares it with the code you enter.
If they are equal then you have done it, else try again :)
I opened the crackme in Ultra Edit and found out that the crackme is coded in Visual
Basic 5.0, so I need W32Dasm with the SDR patch.
MSVBVM50.DLL appeared as text in the crackme.exe file :)
MSVBVM50.DLL is a VB5 library.
Before we start
NOP means No OPeration and is 90 in hex.
In Task3 you MUST READ ETERNAL BLISS' TUTORIAL ON SMARTCHECK ON HOW TO CONFIGURE
IT!!
You can find the tutorial at the crackme's web page :)
Task1 <-- Common Information
Task2 <-- Solution I: Serial Sniffing (Soft Ice)
Task3 <-- Solution II: Patching (Hiew)
Task4 <-- Solution III: Serial Sniffing (Smart Check)
The Process
Task1
Process
Open the crackme in W32Dasm and look in "String Data References", where you
will find the string "Nice Going!!! you Cracked the ". Double-click on that
string and you will land here.
* Reference To: MSVBVM50.__vbaFreeStrList, Ord:0000h
|
:0040DB6B FF1578F14000 Call dword ptr [0040F178]   <-- Strange Call 2 ?
:0040DB71 83C40C add esp, 0000000C
:0040DB74 8D4DCC lea ecx, dword ptr [ebp-34]
* Reference To: MSVBVM50.__vbaFreeObj, Ord:0000h
|
:0040DB77 FF159CF14000 Call dword ptr [0040F19C]   <-- Strange Call 1 ?
:0040DB7D B904000280 mov ecx, 80020004
:0040DB82 B80A000000 mov eax, 0000000A
:0040DB87 6685F6 test si, si
:0040DB8A 894D94 mov dword ptr [ebp-6C], ecx
:0040DB8D 89458C mov dword ptr [ebp-74], eax
:0040DB90 894DA4 mov dword ptr [ebp-5C], ecx
:0040DB93 89459C mov dword ptr [ebp-64], eax
:0040DB96 894DB4 mov dword ptr [ebp-4C], ecx
:0040DB99 8945AC mov dword ptr [ebp-54], eax
:0040DB9C 745E je 0040DBFC   <-- Jump to bad msgbox if bad code, else move on to good msgbox
* Reference To: MSVBVM50.__vbaStrCat, Ord:0000h
|
:0040DB9E 8B3510F14000 mov esi, dword ptr [0040F110]
* Possible StringData Ref from Code Obj ->"Nice Going!!! you Cracked the "   <-- the title of the good msgbox
                                        ->"CrackMe!"
|
:0040DBA4 6824D44000 push 0040D424   <-- You will land here / here starts the good code
:0040DBA9 686CD34000 push 0040D36C
:0040DBAE FFD6 call esi
Task2
Process
What I did here was to get to "Strange Call 2"; "Strange Call 1" was a false
lead. I spent 10 minutes in "Strange Call 1" with no serial :(
First start the crackme and enter the information. I wrote this:
Name: Acid_Cool_178
Code: 2951
Go to Soft Ice by pressing CTRL+D and set a breakpoint with bpx hmemcpy,
then exit Soft Ice again by pressing CTRL+D.
Press the "Register" button and you are in Soft Ice :)
Press F12 seven times and now you will be in the good code; I can see that in
the location.
Let's go to "Strange Call 2" by entering G 40DB6B [ENTER]
And you're not at the call, fuck!
Press F12 seven more times and you are back in the good code.
G 40DB6B [ENTER]
And you are now at the call. Trace into it by pressing F8 or entering T
[ENTER]
Just write D EDX [ENTER] and you will see your code in the code window :)
I could see 2.8.6.0.0 in my code window, so I tried to change my code to that, and it
didn't work.
But then I remembered: it's a Visual Basic crackme, and Visual Basic uses the wide character
format, so the real code is 28600.
And that works just fine for me :)
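The wide-character observation above, as an added example that is not part of the original tutorial: it shows why a UTF-16LE string looks like "2.8.6.0.0" in a debugger's ASCII column and how to read it correctly. The sample bytes are constructed and the function names are hypothetical.

```python
# Constructed sample: how the string "28600" sits in memory as a VB5 wide
# (UTF-16LE) string, followed by its 2-byte NUL terminator and two
# unrelated trailing bytes.
SAMPLE = bytes.fromhex("32003800360030003000" "0000" "4142")


def ascii_pane(buf: bytes) -> str:
    """Render bytes like a debugger's ASCII column: non-printables become '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in buf)


def looks_wide(buf: bytes) -> bool:
    """Heuristic: ASCII-range text stored as UTF-16LE has 0x00 in every odd
    position and a non-zero byte in every even position."""
    body = buf[: len(buf) - (len(buf) % 2)]
    return (
        len(body) >= 4
        and all(b == 0 for b in body[1::2])
        and all(b != 0 for b in body[0::2])
    )


def wide_string_at(buf: bytes) -> str:
    """Read a NUL-terminated UTF-16LE string from the start of buf."""
    end = len(buf) - (len(buf) % 2)
    for i in range(0, end, 2):
        if buf[i:i + 2] == b"\x00\x00":   # 2-byte terminator
            end = i
            break
    return buf[:end].decode("utf-16-le")


if __name__ == "__main__":
    print("ASCII column :", ascii_pane(SAMPLE[:9]))
    print("looks wide?  :", looks_wide(SAMPLE[:10]))
    print("decoded      :", wide_string_at(SAMPLE))
```
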
Task3
Process
Scroll up to 0040DB9C and get the offset from W32Dasm's status bar. Note it down and open
the crackme in Hiew.
Press F4 (mode) and select "Decode"
Goto (F5) offset
If you have done everything correctly, you will now be standing at the jump.
Press F3 (Edit) and enter 9090
Update the file (F9) and exit Hiew (F10 or Esc)
What we did here was to NOP the jump so it won't jump to the bad msgbox :)
Task4
Process
Open the crackme in Smart Check and run the crackme.
Fill in the information. I wrote this:
Name: Acid_Cool_178
Code: 2951
And press the "Register" button.
NOW stop Smart Check.
Go to View-->Show Errors and Specific errors.
Now when you have that view, move on to "Command1_click" and scroll down to
integer(28600)-->String ("28600")
And 28600 is our code :)
Ending
Now I have cracked the program in three ways. Have I missed anything?
Patching and serial sniffing. I can't do a keygen because I'm not skilled enough to do that.
Information about the Protection II
This protection takes the name, generates a code from it, and compares it with the entered
code.
Acid_Cool_178 gives 28600
So Acid_Cool_178 with 2951 as the code will give me the bad msgbox :(
Acid_Cool_178 with 28600 as the code will give me the good msgbox :)
Greetings
LaZaRuS, Wajid, Borna Janes, ManKind, Eddie Van Camper, ACiD BuRN, KoRnFLeX, Eternal_Bliss, Potsmoke, DiABLO, Torn@do, ^AlX^ and all the others I have forgotten