This tutorial comes from
Acid Cool 178
Tutorial Number 44
Target
rEefleXX CrackMe Vol. 1 by aLaZoN

Protection        	Code
Download it at 	crackmes.cjb.net
Date			23.04.2000
Toolz
W32Dasm / Hiew
Get it at protools.cjb.net

Essay

Well, this is another patching tutorial from me, but this one is a bit more special.
Run the crackme, enter a dummy code and press the check button. You will get the message box "Key is wrong"; remember that text. Disassemble the crackme in W32Dasm, open "String Data References" and look for the string "Key is wrong". I found this:

* Possible StringData Ref from Data Obj ->"Wrong"		<-- The caption
                                  |	
:0040164D 68E0B04200              push 0042B0E0			<-- the "words"
* Possible StringData Ref from Data Obj ->"Key is wrong"	<-- The message	
                                  |
:00401652 68D0B04200              push 0042B0D0			<-- The message words
:00401657 EB0C                    jmp 00401665			<-- Jump 1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401649(C)							<-- Remember this: the JNE at 00401649 lands here
|
:00401659 6A40                    push 00000040			<-- 40h = MB_ICONINFORMATION (the bad path pushes 10h = MB_ICONHAND)
* Possible StringData Ref from Data Obj ->"OK"			<-- The good caption
                                  |
:0040165B 68CCB04200              push 0042B0CC			<-- The "words"
* Possible StringData Ref from Data Obj ->"Key is OK"		<-- The good message
                                  |
:00401660 68C0B04200              push 0042B0C0			<-- the "words"

Here we can see that there must be a compare routine and that we are at the end of it. Scroll up a little and you will see this:

:0040161A 8A10                    mov dl, byte ptr [eax]
:0040161C 8A1E                    mov bl, byte ptr [esi]
:0040161E 8ACA                    mov cl, dl
:00401620 3AD3                    cmp dl, bl			<-- Compare 1 (first byte of each string)
:00401622 751E                    jne 00401642			<-- Bytes differ: jump over the XOR EAX,EAX to the SBB code
:00401624 84C9                    test cl, cl
:00401626 7416                    je 0040163E			<-- Both bytes were 0 (end of string, all equal): jump to XOR EAX,EAX
:00401628 8A5001                  mov dl, byte ptr [eax+01]
:0040162B 8A5E01                  mov bl, byte ptr [esi+01]
:0040162E 8ACA                    mov cl, dl
:00401630 3AD3                    cmp dl, bl			<-- Compare 2 (second byte of each string)
:00401632 750E                    jne 00401642			<-- Bytes differ: jump over the XOR EAX,EAX to the SBB code
:00401634 83C002                  add eax, 00000002
:00401637 83C602                  add esi, 00000002
:0040163A 84C9                    test cl, cl
:0040163C 75DC                    jne 0040161A			<-- Loop while the string is not finished; falls into XOR EAX,EAX otherwise
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401626(C)
|
:0040163E 33C0                    xor eax, eax			<-- EAX = 0 (the two strings are equal)
:00401640 EB05                    jmp 00401647			<-- Jump to the result check
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401622(C), :00401632(C)
|
:00401642 1BC0                    sbb eax, eax			<-- EAX = -1 if dl < bl (carry set), else 0
:00401644 83D8FF                  sbb eax, FFFFFFFF		<-- EAX = -1 or 1: the strings differ, EAX is never 0 on this path
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401640(U)
|
:00401647 85C0                    test eax, eax			<-- Sets ZF when EAX = 0
:00401649 750E                    jne 00401659			<-- IF EAX <> 0 (strings differ) THEN jump to the good message
:0040164B 6A10                    push 00000010			<-- 10h = MB_ICONHAND, start of the "Key is wrong" box

Now this is the special part, and it is a bit complicated to explain. If either jump to XOR EAX,EAX is taken, EAX becomes 0, which means the two strings were equal, and that is exactly what we do not want here: the JNE at 00401649 only takes us to the good message when EAX is not zero, i.e. when the compare came out of the SBB code with -1 or 1.
The flag that decides it is the Zero Flag (ZF): TEST EAX,EAX sets ZF when EAX is 0, and JNE jumps only while ZF is clear. So for "Key is OK" we want a non-zero EAX and ZF clear at 00401649.
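To make the compare loop and the decision easier to follow, here is the routine at 0040161A-00401649 written out in C. This is an added example, not code from the crackme or from the tutorial author; it follows the listing instruction by instruction (two bytes per round, SBB EAX,EAX / SBB EAX,-1 for the result), which is the shape of the Microsoft C run-time strcmp when the compiler inlines it. The sample strings in main are constructed; the tutorial never shows what the crackme actually compares the entered key against.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the crackme's own code: the compare loop at
 * 0040161A-00401644 rendered in C.  Returns 0 when the strings are equal
 * (the XOR EAX,EAX exit at 0040163E), otherwise -1 or 1 (the SBB exit at
 * 00401642).  eax/esi are named after the registers in the listing. */
int crackme_compare(const char *eax, const char *esi)
{
    for (;;) {                                    /* loop head 0040161A */
        unsigned char dl = (unsigned char)eax[0]; /* mov dl, byte ptr [eax] */
        unsigned char bl = (unsigned char)esi[0]; /* mov bl, byte ptr [esi] */
        unsigned char cl = dl;                    /* mov cl, dl             */
        if (dl != bl)                             /* cmp dl, bl / jne 00401642 */
            return dl < bl ? -1 : 1;              /* sbb eax,eax ; sbb eax,-1: -1 if carry, else 1 */
        if (cl == 0)                              /* test cl, cl / je 0040163E */
            return 0;                             /* xor eax, eax           */
        dl = (unsigned char)eax[1];               /* mov dl, byte ptr [eax+01] */
        bl = (unsigned char)esi[1];               /* mov bl, byte ptr [esi+01] */
        cl = dl;                                  /* mov cl, dl             */
        if (dl != bl)                             /* cmp dl, bl / jne 00401642 */
            return dl < bl ? -1 : 1;
        eax += 2;                                 /* add eax, 00000002      */
        esi += 2;                                 /* add esi, 00000002      */
        if (cl == 0)                              /* test cl, cl / jne 0040161A */
            return 0;                             /* not taken: falls into xor eax,eax */
    }
}

/* MessageBoxA uType values pushed at 0040164B (bad path) and 00401659 (good path). */
#define MB_ICONHAND        0x10
#define MB_ICONINFORMATION 0x40

/* The decision at 00401647: TEST EAX,EAX ; JNE 00401659.  JNE is taken when
 * EAX != 0, i.e. when the two strings DIFFER, and 00401659 is the "Key is OK"
 * box.  Returns 1 for "Key is OK", 0 for "Key is wrong". */
int shows_good_message(const char *entered, const char *compared_to)
{
    return crackme_compare(entered, compared_to) != 0;
}

int main(void)
{
    /* Constructed inputs: what the crackme really compares against is not shown in the tutorial. */
    const char *pairs[][2] = { { "12345", "12345" }, { "12345", "12346" }, { "", "" } };
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++) {
        int r = crackme_compare(pairs[i][0], pairs[i][1]);
        printf("compare(\"%s\", \"%s\") = %2d -> %s (uType %#x)\n",
               pairs[i][0], pairs[i][1], r,
               shows_good_message(pairs[i][0], pairs[i][1]) ? "Key is OK" : "Key is wrong",
               (unsigned)(r != 0 ? MB_ICONINFORMATION : MB_ICONHAND));
    }
    return 0;
}
```

Note that the sign of the result agrees with strcmp(), which is why the SBB trick is used: it turns the carry of the last CMP DL,BL into -1 or 1 without a branch. What matters for the patch is only whether the result is zero.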

If you want to patch this crackme, change the JNE at 00401649 (bytes 75 0E) to a JMP (EB 0E) and it will jump to the good code whatever key you type in. JNE rel8 and JMP rel8 are both two bytes with the same 8-bit displacement, so only the opcode byte changes and nothing else has to move.
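The same patch done by byte pattern instead of by hand in Hiew, as an added example that is not part of the original tutorial. It searches the file for the six bytes 85 C0 75 0E 6A 10 (TEST EAX,EAX / JNE 00401659 / PUSH 10 from the listing) and only writes when that pattern occurs exactly once, so a wrong hit cannot silently corrupt another jump. The SAMPLE_IMAGE buffer is a constructed stand-in containing only the real bytes around the patch point; file names are whatever you pass on the command line.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not from the tutorial.  Bytes taken from the listing:
 *   00401647  85 C0   test eax, eax
 *   00401649  75 0E   jne  00401659   <-- 75 (JNE rel8) becomes EB (JMP rel8)
 *   0040164B  6A 10   push 00000010
 * The displacement 0E (00401659 - 0040164B) stays the same, so only the
 * opcode byte is changed.  Searching for the pattern avoids converting the
 * virtual address 00401649 into a file offset. */
static const unsigned char PATTERN[] = { 0x85, 0xC0, 0x75, 0x0E, 0x6A, 0x10 };
#define JNE_INDEX   2      /* position of the 75 inside PATTERN */
#define OP_JMP_REL8 0xEB

/* Number of times PATTERN occurs in buf. */
size_t count_pattern(const unsigned char *buf, size_t len)
{
    size_t n = 0;
    if (len < sizeof PATTERN)
        return 0;
    for (size_t i = 0; i + sizeof PATTERN <= len; i++)
        if (memcmp(buf + i, PATTERN, sizeof PATTERN) == 0)
            n++;
    return n;
}

/* Patch in place.  Returns the offset of the changed byte, or -1 when the
 * pattern is not found exactly once (then we refuse to guess). */
long patch_jne_to_jmp(unsigned char *buf, size_t len)
{
    if (count_pattern(buf, len) != 1)
        return -1;
    for (size_t i = 0; i + sizeof PATTERN <= len; i++) {
        if (memcmp(buf + i, PATTERN, sizeof PATTERN) == 0) {
            buf[i + JNE_INDEX] = OP_JMP_REL8;
            return (long)(i + JNE_INDEX);
        }
    }
    return -1;
}

/* Constructed stand-in for the crackme: only the bytes around the patch
 * point are real (00401644-00401651), the rest is padding. */
unsigned char SAMPLE_IMAGE[] = {
    0x90, 0x90,                         /* padding                          */
    0x83, 0xD8, 0xFF,                   /* sbb eax, FFFFFFFF (00401644)     */
    0x85, 0xC0,                         /* test eax, eax     (00401647)     */
    0x75, 0x0E,                         /* jne 00401659      (00401649) <-- */
    0x6A, 0x10,                         /* push 00000010     (0040164B)     */
    0x68, 0xE0, 0xB0, 0x42, 0x00,       /* push 0042B0E0     (0040164D)     */
    0xCC                                /* padding                          */
};
const size_t SAMPLE_IMAGE_LEN = sizeof SAMPLE_IMAGE;

int main(int argc, char **argv)
{
    if (argc != 3) {
        long off = patch_jne_to_jmp(SAMPLE_IMAGE, SAMPLE_IMAGE_LEN);
        if (off >= 0)
            printf("sample image: patched offset %ld, byte is now %02X\n", off, SAMPLE_IMAGE[off]);
        fprintf(stderr, "usage: %s crackme.exe patched.exe\n", argv[0]);
        return 0;
    }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 1; }
    fseek(f, 0, SEEK_END);
    long sz = ftell(f);
    fseek(f, 0, SEEK_SET);
    unsigned char *buf = sz > 0 ? malloc((size_t)sz) : NULL;
    if (!buf || fread(buf, 1, (size_t)sz, f) != (size_t)sz) {
        fprintf(stderr, "read failed\n"); fclose(f); free(buf); return 1;
    }
    fclose(f);
    long off = patch_jne_to_jmp(buf, (size_t)sz);
    if (off < 0) {
        fprintf(stderr, "pattern not found exactly once, nothing written\n"); free(buf); return 1;
    }
    FILE *o = fopen(argv[2], "wb");
    if (!o || fwrite(buf, 1, (size_t)sz, o) != (size_t)sz) { perror(argv[2]); free(buf); return 1; }
    fclose(o);
    printf("patched JNE -> JMP at file offset 0x%lX\n", off);
    free(buf);
    return 0;
}
```

Run it as `patch crackme.exe patched.exe`; always write to a new file and keep the original, so you can diff the two in Hiew and confirm that exactly one byte (75 -> EB) changed.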

Ending

LaZaRuS, Wajid, Borna Janes, ManKind, Eddie Van Camper, ACiD BuRN, KoRnFLeX, Eternal_Bliss, Potsmoke, DiABLO, Torn@do, ^AlX^, AC|D, Dark Wolf, Marton and all the others I have forgotten