Crackin some really eazy examples of +Rcg
(a nice feature of SoftIce : the BPM)
by TWD
(15 October 1997)
Courtesy of fravia's page of reverse engineering
Well, if you did not try to crack the "first attempt" by +Rcg until now,
try it BEFORE reading this essay, because otherwise you'll not enjoy the
teachings that this section is intended to give you... reading this nice short essay without
having first tried to reverse +Rcg protection would be like reading a detective story
from the bottom... well, some people like that :-)
Crackin some really eazy examples of +Rcg
Big shout to +Rcg,
your examples are really only a "first attempt". Crackin them took me
5 minutes each. (Just kidding).
Example 1
----------
This was very easy to crack. I just used my beloved SoftIce 3.0
and set a breakpoint on GetDlgItemTextA.
> bpx GetDlgItemTextA
After writing some shit into the Editboxes of tha Register-Dialog
I hit tha Register-Button and SoftIce awakens. We find ourselves
in tha Exec1!CODE. A second call to GetDlgItemTextA follows and tha
procedure ends without doing any string-work. That must mean that the
comparison of the strings is done somewhere else.
:00401314 90           nop
:00401315 6A0B         push 0000000B
:00401317 6807214000   push 00402107    ** The position of the string
:0040131C 68E8030000   push 000003E8
:00401321 FF7508       push [ebp+08]    ** call USER32!GetDlgItemTextA
To find it we have to use a nice feature of SoftIce : the BPM
(breakpoint on memory). When we look where the little proggy stores
the strings, we find them at ds:402107 and ds:4020F7.
Now we set a breakpoint on these two memory positions.
> bpm ds:00402107 (name)
> bpm ds:004020F7 (code)
SoftIce will stop twice somewhere in the Kernel, but the third time
we stop back in our proggy. After debugging around a bit (don't
forget to disable the BPMs) we come to this position :
:00401278 call 00401417
:0040127D add esp, 00000008
:00401280 mov eax, [00402117]
:00401285 pop ebx
:00401286 cmp eax, ebx
:00401288 je 00401295          ** good guy makes a jump
:0040128A nop
:0040128B nop
:0040128C nop
:0040128D nop
:0040128E call 0040146F        ** bad guy dies
:00401293 jmp 0040121A
:00401295 call 00401453
:0040129A jmp 0040121A
Just change the "je" into a "jmp" and lose all worries.
This was the first example.
Example 2
----------
The second one works nearly the same, but it has a nagscreen. Now we try
to kick the nagscreen, 'cause the registration works exactly the same
as explained above.
To get the nagscreen we use SoftIce 3.0 and set a breakpoint on
DialogBoxParamA.
> bpx DialogBoxParamA
After starting the proggy, SoftIce stops here :
:0040115F push 00000000
:00401161 push 0040135e               ** The caption of the Box ("NagScreen")
:00401166 push [ebp+08]
:00401169 push 004020B3
:0040116E push dword ptr [00402074]
:00401174 call USER32!DialogBoxParamA
:00401179 cmp eax, 00000002
:0040117C je 0040119d                 ** Jump if it exits the proggy
To stop the NagScreen from boring us, let's make a little jump over it.
Replace the first push by "jmp 0040117E" and fill the leftover space
with NOPs. ** Never again any NagScreen.
To crack the Register - Dialog see the first part of this file
(Example 1).
Example 3
----------
Sorry, but this was not possible to do. The damned program crashed after
starting it.
First I thought it was my SoftIce, 'cause I was waiting for some
Anti-SoftIce traps, but
after disabling SoftIce in the autoexec.bat and restarting the whole
system it still crashed. Maybe +Rcg could have a look at his program.
That's all
(c) by TWD in 1997
mailto : twd.rulez@gmx.net
(c) TWD 1997. All rights reversed