R!SC 6/6/99
</table>
</div>
<div id="KB4Parent" class="parent"> <span class="p9"><a href="#" onClick="expandIt('KB4'); return false">
4、习题四 答案</a></span></div>
<div id="KB4Child" class="child"> <span class="p9"> </span>
<table width="100%" align="center" cellspacing="0">
<tr bgcolor="#EFEFEF">
<td height="7" class="p9">How to crack R!SC's Play The Game CD-Check Crackme
by Killer_3K [DSi/Shock] <br>
<br>
Tools: Sice & a mempatcher (i use R!SC's process patcher ;p) <br>
<br>
hey there, in this tut i'll teach u how to crack risc's PTG (play the game) <br>
CD-Check crackme. This crackme is pretty nice: it detects sice (via int68), <br>
has a sorta hidden crc-check, is packed, has fake conditional jumps that lead to a crash <br>
and more interesting stuff ;p <br>
btw, don't bother unpacking it (it's packed w/ upx), as the readme says that <br>
ur not allowed to unpack in order to patch. it doesn't really matter anywayz, <br>
cause the way he fucked around w/ it, about 96% of the code u'll get after dasm <br>
will be garbage :P <br>
<br>
ok lets get started :) <br>
fire up the crackme.. Doh, we get a msgbox saying "Kill Softice Mr. Cracker" <br>
ok lets get rid of it :) the first time i got that crackme i didn't <br>
know how it detected sice, so i'll tell u how i figured out how to kill <br>
the sice check w/o knowing it uses int68 :) <br>
<br>
1) bpx on GetModuleHandleA and run the crackme, sice pops, but we see Explorer <br>
in the down-right corner, we don't want Explorer now do we :) Press F5 again <br>
till u see 'Play the' in the down-left corner, ok, press F11 and start tracing :) <br>
u should see this: <br>
<br>
0177:00401143 68F0104000 PUSH 004010F0 <br>
0177:00401148 50 PUSH EAX <br>
0177:00401149 E818060000 CALL KERNEL32!GetProcAddress <br>
0177:0040114E A3B2204000 MOV [004020B2],EAX <br>
0177:00401153 33C0 XOR EAX,EAX <br>
0177:00401155 7533 JNZ 0040118A <br>
0177:00401157 3BF6 CMP ESI,ESI <br>
0177:00401159 68E7104000 PUSH 004010E7 <br>
0177:0040115E E80F060000 CALL KERNEL32!GetModuleHandleA <br>
0177:00401163 68FE104000 PUSH 004010FE <br>
0177:00401168 50 PUSH EAX <br>
0177:00401169 3BF6 CMP ESI,ESI <br>
0177:0040116B E8F6050000 CALL KERNEL32!GetProcAddress <br>
0177:00401170 A3B2204000 MOV [004020B2],EAX <br>
<br>
.. <br>
ok, lets trace a bit till we pass <br>
<br>
0177:00401168 50 PUSH EAX <br>
0177:00401169 3BF6 CMP ESI,ESI <br>
0177:0040116B E8F6050000 CALL KERNEL32!GetProcAddress <br>
0177:00401170 A3B2204000 MOV [KERNEL32!AddAtomW],EAX <br>
0177:00401175 C70530204000433A2F00 MOV DWORD PTR [00402030],002F3A43 <br>
<br>
0177:0040117F 688A114000 PUSH 0040118A <br>
0177:00401184 FF2507214000 JMP [00402107] <<--- <br>
<br>
ok, lets trace and pass the jmp <br>
u should now see this: <br>
<br>
0177:00401442 33D2 XOR EDX,EDX <br>
0177:00401444 3BF6 CMP ESI,ESI <br>
0177:00401446 7401 JZ 00401449 <br>
0177:00401448 BD686C1440 MOV EBP,40146C68 <br>
... and some junk code after it <br>
the jz is gonna jump, let it jump, or else the proggi will crash :] <br>
<br>
after the jz is taken, the code changes a bit, and will change a bit more after <br>
a couple of lines u trace.. u should now see this (maybe it will change a bit <br>
during tracing :)): <br>
<br>
0177:00401449 686C144000 PUSH 0040146C <-- will change to ADD [EDX],BH after we traced it <br>
0177:0040144E 3AC0 CMP AL,AL <-- will change to INVALID after we traced it <br>
0177:00401450 7401 JZ 00401453 <br>
. <br>
<br>
ok this jz must be taken as well, or the proggi will crash :) <br>
after it comes an interesting piece of code (which changes after u trace it): <br>
<br>
0177:00401453 64FF32 PUSH DWORD PTR FS:[EDX] <br>
0177:00401456 8925A9204000 MOV [004020A9],ESP <br>
0177:0040145C 892DAD204000 MOV [004020AD],EBP <br>
0177:00401462 648922 MOV FS:[EDX],ESP <br>
0177:00401465 3ADB CMP BL,BL <br>
0177:00401467 7401 JZ 0040146A (JUMP) <br>
<br>
hmm the jz wants to jump here too (i wonder why ;) (note the cmp bl,bl)) <br>
this time we don't have to make it jump, nop it or patch it to 7400 and the anti-sice <br>
is gone (btw u gotta patch it, as the crackme executes that piece of code over and over..) <br>
ok, ur prolly wondering why it doesn't detect sice now.. welp, that jz leads us to the <br>
is_sice_there routine.. <br>
lets take a look at that routine <br>
after u take the jz u'll reach <br>
0177:0040146A EB20 JMP 0040148C <br>
<br>
which will lead us to a VERY interesting piece of code (will keep changing
during tracing): <br>
<br>
0177:0040148C 663BF6 CMP SI,SI <br>
0177:0040148F 7401 JZ 00401492 (jump) << <br>
0177:00401492 B443 MOV AH,43 ; move 0x43 to AH <br>
0177:00401494 CD68 INT 68 ; int68 (no shit ;)) <br>
0177:00401496 5A POP EDX <br>
0177:00401497 3BD2 CMP EDX,EDX <br>
0177:00401499 7401 JZ 0040149C (jump) << <br>
0177:0040149C 646789160000 MOV FS:[0000],EDX <br>
0177:004014A2 3BF6 CMP ESI,ESI <br>
0177:004014A4 7401 JZ 004014A7 (jump) << <br>
0177:004014A7 5A POP EDX <br>
0177:004014A8 3BD2 CMP EDX,EDX <br>
0177:004014AA 7401 JZ 004014AD (jump) << <br>
0177:004014AD 663D86F3 CMP AX,F386 !!! <br>
0177:004014B1 58 POP EAX <br>
0177:004014B2 7402 JZ 004014B6 (jump) <<<
<br>
<br>
<br>
now, this is the anti-ice part :) u can nop ANY jz from 40148F until 4014B2, and it will kill <br>
the anti-ice. another way to kill it is nopping the INT 68, any way will fit here :) <br>
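Added example, not R!SC's crackme code nor Killer_3K's: a small Python script that parses sice trace lines in the one-instruction-per-line layout used in this tut and flags the two tricks the tut teaches u to spot, the always-taken CMP x,x / JZ +1 fake jumps and the MOV AH,43 / INT 68 / CMP AX,F386 anti-ice check. <br>
The sample lines are constructed from the listings on this page, and the line layout regex is an assumption about how sice prints them. <br>

```python
import re

# Constructed sample in the one-instruction-per-line layout used in this tut; trailing
# "(jump)" / "!!!" annotations are tolerated and ignored.
SAMPLE_TRACE = """\
0177:00401465 3ADB CMP BL,BL
0177:00401467 7401 JZ 0040146A (JUMP)
0177:0040148C 663BF6 CMP SI,SI
0177:0040148F 7401 JZ 00401492 (jump) <<
0177:00401492 B443 MOV AH,43
0177:00401494 CD68 INT 68
0177:004014AD 663D86F3 CMP AX,F386 !!!
0177:004014B2 7402 JZ 004014B6 (jump) <<<
"""
# Assumed layout: seg:addr  opcode-bytes  mnemonic  operands [annotation...]
LINE_RE = re.compile(r'^([0-9A-F]{4}):([0-9A-F]{8})\s+([0-9A-F]+)\s+(\S+)\s*(.*)$', re.I)

def parse_trace(text):
    """Return a list of (addr, opcode_bytes, MNEMONIC, OPERANDS) tuples."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            addr, opbytes, mnem, rest = m.groups()[1:]
            ops = rest.split()[0].upper() if rest.strip() else ''
            insns.append((int(addr, 16), bytes.fromhex(opbytes), mnem.upper(), ops))
    return insns

def find_opaque_jumps(insns):
    """Flag 'CMP x,x' directly followed by JZ: ZF is always set, so the JZ is always taken.
    The bool says whether the target is fallthrough+1 (exactly one junk byte skipped)."""
    findings = []
    for prev, cur in zip(insns, insns[1:]):
        if prev[2] == 'CMP' and cur[2] == 'JZ' and ',' in prev[3]:
            a, b = prev[3].split(',', 1)
            if a == b:
                target = int(cur[3], 16)
                fallthrough = cur[0] + len(cur[1])  # address right after the JZ bytes
                findings.append((cur[0], target, target == fallthrough + 1))
    return findings

def find_softice_check(insns):
    """Report the int68 anti-ice: MOV AH,43 / INT 68, plus the CMP AX,F386 that tests the reply."""
    hits = []
    for i, (addr, _, mnem, ops) in enumerate(insns):
        if mnem == 'INT' and ops == '68' and i > 0 and insns[i - 1][2:] == ('MOV', 'AH,43'):
            hits.append(('INT68_AH43', addr))
        if mnem == 'CMP' and ops == 'AX,F386':
            hits.append(('CMP_AX_F386', addr))
    return hits
```

Run find_opaque_jumps(parse_trace(SAMPLE_TRACE)) to see both fake jz's reported with their one-junk-byte targets; the same parser works on any listing u paste out of sice in this layout. <br>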
<br>
if u keep tracing after 4014B2 w/o touching the jumps/int68 u'll reach this piece of code: <br>
<br>
0177:004014B8 7401 JZ 004014BB (JUMP) <br>
0177:004014B6 3BF6 CMP ESI,ESI <br>
0177:004014BB 68A5104000 PUSH 004010A5 <br>
0177:004014C0 C3 RET <br>
which will lead u to: <br>
0177:004014C1 E85F020000 CALL 00401725 <br>
0177:004010A5 6A00 PUSH 00 <br>
0177:004010A7 6897104000 PUSH 00401097 ; title (type d 401097 in sice and u'll see doh! in widechar) <br>
0177:004010AC 6863104000 PUSH 00401063 ; msg (type d 401063 in sice and u'll see Load anti-ice.. in widechar) <br>
0177:004010B1 6A00 PUSH 00 <br>
0177:004010B3 E8A8060000 CALL USER32!MessageBoxW ; msgbox <br>
0177:004010B8 6A00 PUSH 00 <br>
0177:004010BA E8B9060000 CALL KERNEL32!ExitProcess ; exit proggi <br>
<br>
anywayz if u'll patch