Acid_Cool_178 presents his #27 Tutorial for Hellforge
This text is meant only for educational purposes and is not to be used illegally. I take no responsibility for illegal use of this text. Move on at your own risk.
Author Information
E-mail | acid_cool_178@hotmail.com
Age | 17
Web Page | http://acidcool.cjb.net/
Date | March 2K
Member in | Hellforge | Flying Horse Cracking Force
Groups Web Page | Hellforge Login | FHCF Login
Program Information
Name | TCC Packer Crackme 1 By EVC | packcm1.exe
Size | 34KB (Un-Zipped)
Author | Eddie Van Camper
Where to Download | http://campercrew.cjb.net
Tools used | Bye PE-Crypt v1.02 by PC | W32Dasm | Hiew
Download At | 1. Player Tools | 2. Programmer Tools
What kind of a program | Crackme | Shareware
Skill | Easy | Not so easy | Hard | X-pert
Information about the Protection I
This program has one nag that comes up and says it is unregistered.
The Process
Open PE Crypt, choose packcm1.exe and save it as unpacked.exe.
Now open unpacked.exe in W32Dasm. At the beginning of the code you can see this:
//******************** Program Entry Point ********
<-- Start of program
:00401000 B8E0304000 mov eax, 004030E0
:00401005 BAE1304000 mov edx, 004030E1
:0040100A 3BC2 cmp eax, edx
<-- Compare the time
:0040100C 741A je 00401028
<-- If the time is within the evaluation period, jump to the good code; otherwise move on to the bad code.
:0040100E 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"TCC Packer CrackMe 1By EVC"
<-- Title of the bad messagebox
|
:00401010 6800304000 push 00403000
* Possible StringData Ref from Data Obj ->"The evaluation period has expired.
" <-- The bad words
->" Please register "
|
:00401015 681C304000 push 0040301C
:0040101A 6A00 push 00000000
* Reference To: USER32.MessageBoxA, Ord:01BBh
<-- Here the bad words are pushed to the screen
|
:0040101C E827000000 Call 00401048
<-- The bad call
:00401021 6A00 push 00000000
* Reference To: KERNEL32.ExitProcess, Ord:0075h
|
:00401023 E81A000000 Call 00401042
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040100C(C)
|
:00401028 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"TCC Packer CrackMe 1 By EVC"
<-- Title of the good messagebox
|
:0040102A 6883304000 push 00403083
* Possible StringData Ref from Data Obj ->"Well done! You've cracked it!"
<-- Guess one time
|
:0040102F 689F304000 push 0040309F
:00401034 6A00 push 00000000
* Reference To: USER32.MessageBoxA, Ord:01BBh
|
:00401036 E80D000000 Call 00401048
:0040103B 6A00 push 00000000
The jump at 0040100C has the @Offset 40C
Open unpacked.exe in Hiew and press enter twice.
Goto (F5) 40C [ENTER]
Edit the ASM code (press F3, then F2)
Change JE to JMP
Update the file by pressing F9 and Exit (F10 or Escape)
Run unpacked.exe and it's cracked :)
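An added example, not part of the original tutorial: a Python cross-check of the listing above that recomputes each branch target from its opcode bytes and maps 0040100C to its file offset. The ImageBase (0x400000) and the section layout (code at RVA 0x1000, raw size 0x200, raw pointer 0x400) are assumptions chosen to agree with the 40C offset quoted above; the real values are in the file's PE section table.

```python
import re

# Constructed sample: branch instruction lines copied from the W32Dasm listing.
LISTING = """\
:0040100C 741A je 00401028
:0040101C E827000000 Call 00401048
:00401023 E81A000000 Call 00401042
:00401036 E80D000000 Call 00401048
"""

# Assumed layout (not stated on the page): ImageBase 0x400000 and one code
# section at RVA 0x1000, raw size 0x200, stored at file offset 0x400.
IMAGE_BASE = 0x400000
SECTIONS = [(".text", 0x1000, 0x200, 0x400)]  # name, RVA, raw size, raw pointer

LINE_RE = re.compile(r"^:([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+(\w+)\s+([0-9A-Fa-f]{8})$")

def branch_target(va, code):
    """Decode a relative branch; the displacement counts from the next instruction."""
    op = code[0]
    if op == 0xEB or 0x70 <= op <= 0x7F:           # JMP rel8 / Jcc rel8
        rel = int.from_bytes(code[1:2], "little", signed=True)
    elif op in (0xE8, 0xE9):                       # CALL rel32 / JMP rel32
        rel = int.from_bytes(code[1:5], "little", signed=True)
    else:
        raise ValueError(f"opcode {op:#04x} is not a relative branch")
    return (va + len(code) + rel) & 0xFFFFFFFF

def va_to_file_offset(va):
    """Map a virtual address to its file offset through the section table."""
    rva = va - IMAGE_BASE
    for _name, sec_rva, raw_size, raw_ptr in SECTIONS:
        if sec_rva <= rva < sec_rva + raw_size:
            return rva - sec_rva + raw_ptr
    raise ValueError(f"VA {va:#x} is not backed by file data")

def check_listing(text):
    """Return (va, file_offset, decoded_target, listed_target) per listing line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            va, code = int(m[1], 16), bytes.fromhex(m[2])
            rows.append((va, va_to_file_offset(va), branch_target(va, code), int(m[4], 16)))
    return rows

if __name__ == "__main__":
    for va, off, decoded, listed in check_listing(LISTING):
        print(f"{va:08X} file {off:#x} -> {decoded:08X}", "ok" if decoded == listed else "MISMATCH")
```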
Greetings
LaZaRuS, Wajid, Borna Janes, ManKind, Eddie Van Camper, ACiD BuRN, KoRnFLeX, Eternal_Bliss, Potsmoke, DiABLO, Torn@do, ^AlX^ and all the others I have forgotten