Cracking Tutorial for VCCrackMe 1.0
Defeating a protection which is said to prevent non-crackers from cracking it
 
 
Target Program: VCCrackMe 1.0
Description: A target written to improve your cracking knowledge.
Location: http://crackmes.cjb.net
Protection: Code
Tools needed: - SoftICE 3.24
  - Hacker's View
Ob duh: Do I really have to remind you all that by BUYING and NOT stealing the software you use will ensure that these software houses will continue to produce even *better* software for us to use and more importantly, to continue offering even more challenges to breaking their often weak protection systems.
BTW, It's illegal to use cracked Software!
 
If you're looking for cracks or serial numbers from these pages then your wasting your time, try to search elsewhere on the Web under Warez, Cracks, etc.
Info: Brand and product names are trademarks or registered trademarks of their respective holders.
Level: (X)Beginner ( )Intermediate ( )Advanced ( )Expert
Well I had a quick look at this program since it's seems to be interesting. First of all we need to enter our fake registration code - just as normal. I've enterd 12345 as code. Now enter SoftICE and BPX on HMEMCPY. Leave SoftICE and press Check. SoftICE will pop up now. Press F12 until you're looking at the following code snippet:
 
  :004015AC  8D4DEC           LEA     ECX,[EBP-14]
  :004015AF  8D45E8           LEA     EAX,[EBP-18]
  :004015B2  51               PUSH    ECX
  :004015B3  8D55E4           LEA     EDX,[EBP-1C]
  :004015B6  50               PUSH    EAX
  :004015B7  52               PUSH    EDX
  :004015B8  E8FD020000       CALL    004018BA
  :004015BD  C645FC05         MOV     BYTE PTR [EBP-04],05
  :004015C1  8B00             MOV     EAX,[EAX]                ; move real code to EAX
  :004015C3  8B0E             MOV     ECX,[ESI]                ; move enterd code to ECX
  :004015C5  50               PUSH    EAX                      ; PUSH real code
  :004015C6  51               PUSH    ECX                      ; PUSH enterd code
  :004015C7  FF15F8434000     CALL    [004043F8]               ; compare
  :004015CD  C645FC04         MOV     BYTE PTR [EBP-04],04
  :004015D1  83C408           ADD     ESP,08
  :004015D4  83F801           CMP     EAX,01
  :004015D7  1BC0             SBB     EAX,EAX
  :004015D9  40               INC     EAX
  :004015DA  8945D4           MOV     [EBP-2C],EAX
  :004015DD  E890000000       CALL    00401672
  :004015E2  837DD400         CMP     DWORD PTR [EBP-2C],00    ; correct code enterd?
  :004015E6  7414             JZ      004015FC

So sniff out the code at 4015C5 by typing D EAX. Now your data window will display something like the following:
 
     013F:00750E34 72726F43  2E746365  72452E2E  00726F72      Correct...Error.

So Correct...Error is the correct code. This form of protection can be seen in some sharewares. Very lame but effective enough to prevent non-crackers from registering it.

Eternal Bliss also asks to patch the CrackMe (if it's possible). And as you all have guessed it is possible to patch this program. Just run Hacker's View, change the mode to decode (F4) and replace

    83 7D D4 00 74 14

by

    83 7D D4 00 EB 14


Another target has been Reverse Engineerd. Any questions (no crack requests)?
 

Copyright © 1999 by TORN@DO and The Immortal Descendants. All Rights Reserved.