LaZaRuS proudly presents his 31st Cracking Tutorial (12.12.1999)

Patching the "CCG - CrackThis 2"

I. Introduction
I.1 The tools
II. The essay
II.1 The CrackMe
II.2 Clonk Planet
III. BTW

I. Introduction

The only reason why I tried this CrackMe is that it is coded in RGH-Profan (YES, I FOUND SOMEONE ELSE WHO CODES IN THIS CRAP ;) Well, I just wanted to have a short look, as the deal is to reverse the Good/Bad jump; no serial, please. But if a patch were the only thing to get out of this one, I wouldn't write these lines. So: pay attention ;)

I.1 The tools

HexWorkshop (Yep, no disassembler, no debugger :) The guy I received this CrackMe from did not believe me that I only used HexWorkshop to crack it ;) Now he knows: when I say something, better believe it ;)

II. The essay

II.1 The CrackMe

Well, there is something really special about RGH-Profan files. They are somewhat like old VB files: one big runtime that is linked to the code that gets executed. The advantage of RGH-Profan is that the code linked to the runtime is 95% plain text *g* So have a look at the end of the file and you'll see this:

0003A600 9F20 5247 482D 5052 4F46 414E 3320 4441 . RGH-PROFAN3 DA
0003A610 5445 491A 2020 2020 2020 2020 2020 2020 TEI.
0003A620 006B CC65 6E64 6562 7574 746F 6E25 2C72 .k.endebutton%,r
0003A630 6567 6973 7465 7262 7574 746F 6E25 2C65 egisterbutton%,e
0003A640 6E64 6525 2C72 6567 7769 6E64 6F77 252C nde%,regwindow%,
0003A650 656E 7465 7262 6F78 252C 656E 7465 7262 enterbox%,enterb
0003A660 7574 746F 6E25 2C65 6E74 6572 6564 636F utton%,enteredco
0003A670 6465 242C 646F 6325 2C72 6567 252C 7572 de$,doc%,reg%,ur
0003A680 7334 3925 2C31 252C 3225 2C33 2503 F531 s49%,1%,2%,3%..1
0003A690 363A BA22 5B43 4347 5D20 2D20 4372 6163 6:."[CCG] - Crac
0003A6A0 6B54 6869 7320 322E 3020 2020 2020 2020 kThis 2.0
0003A6B0 2020 2020 2020 2020 2020 2020 2020 2063                c
0003A6C0 6F64 6564 2062 7920 D06F 6322 10BB 3333 oded by .oc"..33
0003A6D0 302C 3235 302D 3330 302C 3135 3009 9040 0,250-300,150..@
0003A6E0 AE30 2C30 2C30 2926 CE65 6E64 6562 7574 .0,0,0)&.endebut
0003A6F0 746F 6E25 3D40 EE25 922C 2263 6C6F 7365 ton%=@.%.,"close
0003A700 222C 3130 2C39 302C 3830 2C32 3029 2FCE ",10,90,80,20)/.
0003A710 7265 6769 7374 6572 6275 7474 6F6E 253D registerbutton%=
0003A720 40EE 2592 2C22 5265 6769 7374 6572 222C @.%.,"Register",
0003A730 3138 352C 3930 2C31 3030 2C32 3029 09CE 185,90,100,20)..
0003A740 3125 3D32 3334 3335 05BE 322C 3135 04DA 1%=23435..2,15..
0003A750 382C 300A A222 5374 6174 7573 3A22 05BE 8,0.."Status:"..
0003A760 342C 3131 05DA 3132 2C30 11A2 225B 556E 4,11..12,0.."[Un
0003A770 7265 6769 7374 6572 6564 5D22 0ACE 3225 registered]"..2%
0003A780 3D34 3334 3236 3607 CE72 6567 253D 300B =434266..reg%=0.
0003A790 8940 8A65 6E64 6525 2C31 290F 8540 EC65 .@.ende%,1)..@.e
0003A7A0 6E64 6562 7574 746F 6E25 2908 CE65 6E64 ndebutton%)..end
0003A7B0 6525 3D31 0184 0CCE 3325 3D40 8331 252C e%=1....3%=@.1%,
0003A7C0 3225 2913 8540 EC72 6567 6973 7465 7262 2%)..@.registerb
0003A7D0 7574 746F 6E25 290A 8540 8A72 6567 252C utton%)..@.reg%,
0003A7E0 3129 3340 409B 2274 6865 2070 726F 6767 1)3@@."the progg
0003A7F0 7920 6973 2072 6567 6973 7465 7265 6420 y is registered 
0003A800 3B2D 2922 2C22 5265 6769 7374 7261 7469 ;-)","Registrati
0003A810 6F6E 222C 3029 0186 2CCE 7265 6777 696E on",0)..,.regwin
0003A820 646F 7725 3D40 F725 922C 2252 6567 6973 dow%=@.%.,"Regis
0003A830 7465 7222 2C33 3230 2C32 3530 2C32 3030 ter",320,250,200
0003A840 2C31 3030 2928 CE65 6E74 6572 626F 7825 ,100)(.enterbox%
0003A850 3D40 F572 6567 7769 6E64 6F77 252C 2222 =@.regwindow%,""
0003A860 2C31 302C 352C 3137 302C 2D32 3029 0D40 ,10,5,170,-20).@
0003A870 40EB 656E 7465 7262 6F78 2529 2FCE 656E @.enterbox%)/.en
0003A880 7465 7262 7574 746F 6E25 3D40 EE72 6567 terbutton%=@.reg
0003A890 7769 6E64 6F77 252C 2245 6E74 6572 222C window%,"Enter",
0003A8A0 3535 2C34 302C 3830 2C32 3029 0184 0184 55,40,80,20)....
0003A8B0 0FCE 646F 6325 3D40 8433 252C 312E 3629 ..doc%=@.3%,1.6)
0003A8C0 1085 40EC 656E 7465 7262 7574 746F 6E25 ..@.enterbutton%
0003A8D0 291A CE65 6E74 6572 6564 636F 6465 243D )..enteredcode$=
0003A8E0 40F8 656E 7465 7262 6F78 2529 1585 408D @.enterbox%)..@.
0003A8F0 656E 7465 7265 6463 6F64 6524 2C44 6F63 enteredcode$,Doc
0003A900 2529 05BE 342C 3131 05DA 3130 2C30 11A2 %)..4,11..10,0..
0003A910 2220 5B52 6567 6973 7465 7265 645D 2022 " [Registered] "
0003A920 0E40 40ED 7265 6777 696E 646F 7725 2925 .@@.regwindow%)%
0003A930 4040 9B22 5468 616E 6B20 596F 752E 2020 @@."Thank You.  
0003A940 3A2D 2922 2C22 5265 6769 7374 6572 6564 :-)","Registered
0003A950 2122 2C30 2907 CE72 6567 253D 3101 8415 !",0)..reg%=1...
0003A960 8740 8D65 6E74 6572 6564 636F 6465 242C .@.enteredcode$,
0003A970 446F 6325 290E 4040 ED72 6567 7769 6E64 Doc%).@@.regwind
0003A980 6F77 2529 2740 409B 2249 4E56 414C 4944 ow%)'@@."INVALID
0003A990 204B 4559 203A 2D28 222C 2255 6E72 6567  KEY :-(","Unreg
0003A9A0 6973 7465 7265 6421 222C 3029 0184 0184 istered!",0)....
0003A9B0 018A 0127                               ...'

Well, that ASCII text looks like an open book for an old Profan coder like me ;) After 20 mins I converted the stuff I saw there to the following source:

REM BEGINNING OF SOURCE
declare endebutton%,registerbutton%,ende%,regwindow%,enterbox%,enterbutton%,enteredcode$,doc%,reg%,urs49%,1%,2%,3%
WindowTitle "[CCG] - CrackThis 2.0                      coded by Šoc"
WindowStyle 16
Window 330,250-300,150
Cls @RGB(0,0,0)
let endebutton%=CreateButton(%HWnd,"close",10,90,80,20)
let registerbutton%=CreateButton(%HWnd,"Register",185,90,100,20)
let 1%=23435
Locate 2,15
Color 8,0
Print "Status:"
Locate 4,11
Color 12,0
Print "[Unregistered]"
let 2%=434266
let reg%=0
let 3%=@MUL(1%,2%)
Loop1:
IF @GetFocus(endebutton%)
  end
ELSEIF @GetFocus(registerbutton%)
  IF @EQU(reg%,1)
    @MessageBox("the proggy is registered ;-)","Registration",0)
  ELSE
    let regwindow%=@CreateWindow(%HWnd,"Register",320,250,200,100)
    let enterbox%=@CreateEdit(regwindow%,"",10,5,170,-20)
    let enterbutton%=@CreateButton(regwindow%,"Enter",55,40,80,20)
    let doc%=@MUL(3%,1.6)
Loop2:
    IF @GetFocus(enterbutton%)
      let enteredcode$=@GetText$(enterbox%)
      IF @EQU$(enteredcode$,Doc%)
        locate 4,11
        color 10,0
        print " [Registered] "
        DestroyWindow(regwindow%)
        @MessageBox("Thank You.  :-)","Registered!",0)
        let reg%=1
      ELSE
        DestroyWindow(regwindow%)
        @MessageBox("INVALID KEY :-(","Unregistered!",0)
      ENDIF
    ENDIF
    goto "Loop1"
  ENDIF
ENDIF
goto "Loop2"
REM END OF SOURCE

Well, what should I say. When I compile this source I get the same window, the same behaviour and everything else from the original, even a nice coding error you'll surely find out if you fiddle with this CrackMe.
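Replaying the four `let` lines that build the key with the runtime's integer semantics in mind shows why the key is what it is. The Python below is an added example for this page, not code from the tutorial or the CrackMe. It assumes that @MUL multiplies whole numbers (so the literal 1.6 counts as 1) and keeps the product in a signed 32-bit integer, which is the only way a % variable can hold 23435 times 434266; the function names (crackthis2_serial, check_key) are mine.

```python
# Added example, not from the tutorial: replay the CrackMe's serial arithmetic
# with the integer semantics the reconstructed source implies
# (assumption: @MUL = whole-number multiply stored in a signed 32-bit integer).

MASK32 = 0xFFFFFFFF


def to_int32(v: int) -> int:
    """Reinterpret an arbitrary Python int as a signed 32-bit Profan integer (%)."""
    v &= MASK32
    return v - (1 << 32) if v & 0x80000000 else v


def mul(a, b) -> int:
    """Model of @MUL: both operands are taken as whole numbers (1.6 -> 1) and
    the product is stored in 32 bits, so 23435*434266 = 10177023710 wraps."""
    return to_int32(int(a) * int(b))


def exact_product() -> int:
    """The same multiplication without the 32-bit limit, for comparison."""
    return 23435 * 434266


def crackthis2_serial() -> int:
    """The four `let` lines of the reconstructed source, executed in order."""
    v1 = 23435            # let 1%=23435
    v2 = 434266           # let 2%=434266
    v3 = mul(v1, v2)      # let 3%=@MUL(1%,2%)   -> wraps to 1587089118
    doc = mul(v3, 1.6)    # let doc%=@MUL(3%,1.6) -> 1.6 becomes 1, so doc% == 3%
    return doc


def check_key(entered: str) -> bool:
    """@EQU$(enteredcode$,Doc%): the edit-box text is compared, as text, with
    the decimal form of doc%. Stray blanks or a leading zero are a mismatch."""
    return entered == str(crackthis2_serial())


if __name__ == "__main__":
    print("exact product :", exact_product())
    print("32-bit result :", crackthis2_serial())
    print("check 1587089118:", check_key("1587089118"))
```

The exact product needs 34 bits; what survives in 32 bits is 1587089118, and the second @MUL leaves that untouched because 1.6 is truncated to 1. A pocket calculator that multiplies all three numbers at full precision hands you a key the CrackMe will never accept.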
We get that the serial calculation is like this:

1. let 1%=23435
2. let 2%=434266
3. let 3%=@MUL(1%,2%) (Watch out: the datatype is limited to 32 bits, so the product wraps around)
4. let doc%=@MUL(3%,1.6)

-> The serial is 1587089118

But this is not what we want: we want the patch. So we gotta look at the IF-struct:

0003A8E0 40F8 656E 7465 7262 6F78 2529 1585 408D @.enterbox%)..@.
0003A8F0 656E 7465 7265 6463 6F64 6524 2C44 6F63 enteredcode$,Doc
0003A900 2529 05BE 342C 3131 05DA 3130 2C30 11A2 %)..4,11..10,0..
0003A910 2220 5B52 6567 6973 7465 7265 645D 2022 " [Registered] "
0003A920 0E40 40ED 7265 6777 696E 646F 7725 2925 .@@.regwindow%)%
0003A930 4040 9B22 5468 616E 6B20 596F 752E 2020 @@."Thank You.  
0003A940 3A2D 2922 2C22 5265 6769 7374 6572 6564 :-)","Registered
0003A950 2122 2C30 2907 CE72 6567 253D 3101 8415 !",0)..reg%=1...
0003A960 8740 8D65 6E74 6572 6564 636F 6465 242C .@.enteredcode$,
0003A970 446F 6325 290E 4040 ED72 6567 7769 6E64 Doc%).@@.regwind

Now let's patch it - I have chosen this way:

0003A8E0 40F8 656E 7465 7262 6F78 2529 1585 408D @.enterbox%)..@.
0003A8F0 446F 6325 2C44 6F63 2529 0000 0000 0000 Doc%,Doc%)......
0003A900 0000 05BE 342C 3131 05DA 3130 2C30 11A2 ....4,11..10,0..
0003A910 2220 5B52 6567 6973 7465 7265 645D 2022 " [Registered] "
0003A920 0E40 40ED 7265 6777 696E 646F 7725 2925 .@@.regwindow%)%
0003A930 4040 9B22 5468 616E 6B20 596F 752E 2020 @@."Thank You.  
0003A940 3A2D 2922 2C22 5265 6769 7374 6572 6564 :-)","Registered
0003A950 2122 2C30 2907 CE72 6567 253D 3101 8415 !",0)..reg%=1...
0003A960 8740 8D44 6F63 252C 446F 6325 2900 0000 .@.Doc%,Doc%)...
0003A970 0000 0000 000E 4040 ED72 6567 7769 6E64 ......@@.regwind

That is, change the source line "IF @EQU$(enteredcode$,Doc%)" to "IF @EQU$(Doc%,Doc%)" and "IF @NEQ$(enteredcode$,Doc%)" to "IF @NEQ$(Doc%,Doc%)". The new text "Doc%,Doc%)" is eight bytes shorter than "enteredcode$,Doc%)", so the rest of the statement is filled with 00 bytes and everything behind it stays at its old offset (05BE is still at 0003A902, 0E4040ED still at 0003A975). Now everything is done and the CrackMe accepts every serial :)

Oh, well. Doesn't Profan really suck?
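The zero padding in the patch is not cosmetic. Reading the dump, every statement is stored as a length byte, a statement token and the statement text: 0x15 = 21 bytes for "85 40 8D enteredcode$,Doc%)", 0x05 for "BE 4,11", 0x11 for "A2 \" [Registered] \"", and so on. An edit therefore has to keep each statement's size, or every statement behind it shifts. The Python below is an added example, not code from the tutorial or the CrackMe: it walks that record layout over bytes copied from the dump (the records at 0003A8D1 to 0003A9AF, embedded as a constructed sample), applies the same two replacements, and checks that the length bytes and the offsets behind them are untouched. The record layout is my reading of the dump, and the names iter_statements and patch_key_checks are mine.

```python
# Added example, not from the tutorial: parse the tokenised Profan source as
# [length][statement token][text] records and apply the tutorial's patch in place.
# Sample bytes are copied from the tutorial's hex dump (file offsets 0x3A8D1..0x3A9AF);
# the record layout is inferred from that dump.

BASE = 0x3A8D1  # file offset of the first record in BLOB

# Constructed sample, byte for byte as in the dump: the key check and its two branches.
BLOB = (
    b"\x1a\xceenteredcode$=@\xf8enterbox%)"             # let enteredcode$=@GetText$(enterbox%)
    b"\x15\x85@\x8denteredcode$,Doc%)"                  # IF @EQU$(enteredcode$,Doc%)
    b"\x05\xbe4,11"                                     # locate 4,11
    b"\x05\xda10,0"                                     # color 10,0
    b'\x11\xa2" [Registered] "'                         # print " [Registered] "
    b"\x0e@@\xedregwindow%)"                            # DestroyWindow(regwindow%)
    b'%@@\x9b"Thank You.  :-)","Registered!",0)'        # @MessageBox(...)
    b"\x07\xcereg%=1"                                   # let reg%=1
    b"\x01\x84"                                         # ENDIF
    b"\x15\x87@\x8denteredcode$,Doc%)"                  # ELSE branch: @NEQ$(enteredcode$,Doc%)
    b"\x0e@@\xedregwindow%)"                            # DestroyWindow(regwindow%)
    b"'@@\x9b\"INVALID KEY :-(\",\"Unregistered!\",0)"  # @MessageBox(...)
    b"\x01\x84\x01\x84"                                 # ENDIF ENDIF
)

OLD_ARGS = b"enteredcode$,Doc%)"
NEW_ARGS = b"Doc%,Doc%)"
STR_COMPARE = b"@\x8d"  # '@' plus the function token the tutorial reads as @EQU$ / @NEQ$


def iter_statements(blob: bytes, base: int = 0):
    """Yield (file_offset, length, statement_token, text) for every record.

    The byte in front of each statement token counts the bytes that follow it
    (0x15 = 21 for "85 40 8D enteredcode$,Doc%)"), so the records chain without
    any separator. A length that runs past the buffer means we are misaligned.
    """
    off = 0
    while off < len(blob):
        n = blob[off]
        if n == 0 or off + 1 + n > len(blob):
            raise ValueError(f"bad record length {n} at {base + off:#x}")
        body = blob[off + 1:off + 1 + n]
        yield base + off, n, body[0], body[1:]
        off += 1 + n


def patch_key_checks(blob: bytes, base: int = 0):
    """Return (patched_blob, file_offsets_of_patched_records).

    Every record whose text is '@' <compare token> 'enteredcode$,Doc%)' gets its
    argument text replaced by 'Doc%,Doc%)'. The replacement is 8 bytes shorter,
    so it is NUL-padded to the old size: the length byte and every later offset
    stay exactly where they were, as in the tutorial's patched dump.
    """
    out = bytearray(blob)
    patched = []
    for off, _n, _tok, text in iter_statements(blob, base):
        if text[:2] == STR_COMPARE and text[2:] == OLD_ARGS:
            args_at = off - base + 4  # skip length byte, statement token, '@', function token
            out[args_at:args_at + len(OLD_ARGS)] = NEW_ARGS.ljust(len(OLD_ARGS), b"\x00")
            patched.append(off)
    return bytes(out), patched


def hexdump(blob: bytes, base: int = 0) -> str:
    """Render rows the way the tutorial shows them (rows start at `base`, so they
    are one byte off from the 16-aligned rows of the original dump)."""
    rows = []
    for i in range(0, len(blob), 16):
        chunk = blob[i:i + 16]
        words = " ".join(chunk[j:j + 2].hex().upper() for j in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{base + i:08X} {words:<39} {text}")
    return "\n".join(rows)


if __name__ == "__main__":
    patched, where = patch_key_checks(BLOB, BASE)
    print("patched statements at:", ", ".join(f"{o:#x}" for o in where))
    print(hexdump(patched, BASE))
```

Against the real file the two hits land at 0003A8EC and 0003A95F, the length bytes before "85 40 8D" and "87 40 8D" in the dump. The same walk is a cheap integrity check before patching anything: if a record length ever runs past the end of the buffer, the start offset was wrong and nothing should be written.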
Not if you read the manual: it says you can encrypt the source code with the directive "$P+" (page 25). Better read it next time ;)

III. BTW

Greetings go to: +Sandman, Acid Burn, alpine, Borna Janes, Carpathia, CrazyKnight, DEATH, DEZM, dimwitz, DnNuke, duelist, Eternal Bliss, Fravia+, Iczelion, Jordan, KnowledgeIsPower, Knotty, Lucifer48, MisterE, Neural Noise, noos, Prof.X, R!SC, rubor, Shadow, SiG, tC, The AntiXryst, The Hobgoblin, TORN@DO, viny, Volatility, wAj, _y and all the guys I forgot and will add next time.

visit: hello.to/lazarus :)