lesson14101.htm

A gift for everyone interested in cracking. I hope you all like it.
        &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; eb28 <br>
        <br>
        wayhey, then we finally reach the good boy message box!! yippee!!! <br>
        <br>
        after studying the code, and realising what has been done, it just does some simple checks, <br>
        then compares the return codes against what they should be. we don't want it re-labeling our <br>
        hard disk drive to 'overflow', or creating a file called 'my.dog'. basically, we can skip the <br>
        whole routine and just end up at the goodboy message box.. so bpx at the first instruction <br>
        <br>
<pre>
015F:004011B3  68EB234000          PUSH      004023EB     ; pointer to 'kernel32.dll',0
</pre>
        and re-assemble it to jump to the good-boy message box.. <br>
        <br>
<pre>
a 4011b3 &lt;ret&gt;
jmp 401396 &lt;ret&gt;
&lt;esc&gt;
x &lt;ret&gt;
</pre>
<pre>
015F:004011B3  E9DE010000          JMP       00401396     ; skip whole of check, go straight to jail
                                                          ; do not pass go, do not collect 200..
</pre>
        :) <br>
        <br>
        then you have an almost cracked checkcd.exe... just gotta patch it, but i can't be bothered, so <br>
        i used my process patcher to create a loader for it.. (available from http://csir.xxx.xxx :) <br>
        <br>
        no plugz.. :) <br>
        <br>
        happy reversing / cracking / whatever.. <br>
        <br>
        R!SC 6/6/99 
    
  </table>
</div>
<div id="KB4Parent" class="parent"> <span class="p9"><a href="#" onClick="expandIt('KB4'); return false"> 
  4. Answer to Exercise 4</a></span></div>
<div id="KB4Child" class="child"> <span class="p9">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span>
  <table width="100%" align="center" cellspacing="0">
    <tr bgcolor="#EFEFEF"> 
      <td height="7" class="p9">How to crack R!SC's Play The Game CD-Check Crackme 
        by Killer_3K [DSi/Shock] <br>
        <br>
        Tools: Sice &amp; a mempatcher (i use R!SC's process patcher ;p) <br>
        <br>
        hey there, in this tut i'll teach u how to crack risc's PTG (play the game) <br>
        CD-Check crackme. This crackme is pretty nice: it detects sice (via int68), <br>
        has a sorta hidden crc-check, is packed, has fake conditional jumps that lead to a crash <br>
        and more interesting stuff ;p <br>
        btw, don't bother unpacking it (it's packed w/ upx), as the readme says that <br>
        ur not allowed to unpack in order to patch. it doesn't really matter anywayz, <br>
        cause the way he fucked around w/ it, about 96% of the code u'll get after dasm <br>
        will be garbage :P <br>
        <br>
        ok lets get started :) <br>
        fire up the crackme.. Doh, we get a msgbox saying "Kill Softice Mr. Cracker" <br>
        ok lets get rid of it :) since the first time i got that crackme i didn't <br>
        know how it detected it, i'll tell u how i figured out how to kill the sice <br>
        w/o knowing it uses int68 :) <br>
        <br>
        1) bpx on GetModuleHandleA and run the crackme. sice pops, but we see Explorer <br>
        in the down-right corner, and we don't want Explorer now do we :) Press F5 again <br>
        till u see 'Play the' in the down-left corner, ok, press F11 and start tracing :) <br>
        u should see this: <br>
        <br>
<pre>
0177:00401143  68F0104000          PUSH      004010F0
0177:00401148  50                  PUSH      EAX
0177:00401149  E818060000          CALL      KERNEL32!GetProcAddress
0177:0040114E  A3B2204000          MOV       [004020B2],EAX
0177:00401153  33C0                XOR       EAX,EAX
0177:00401155  7533                JNZ       0040118A
0177:00401157  3BF6                CMP       ESI,ESI
0177:00401159  68E7104000          PUSH      004010E7
0177:0040115E  E80F060000          CALL      KERNEL32!GetModuleHandleA
0177:00401163  68FE104000          PUSH      004010FE
0177:00401168  50                  PUSH      EAX
0177:00401169  3BF6                CMP       ESI,ESI
0177:0040116B  E8F6050000          CALL      KERNEL32!GetProcAddress
0177:00401170  A3B2204000          MOV       [004020B2],EAX
</pre>
        <br>
        .. <br>
        ok, lets trace a bit till we pass <br>
        <br>
<pre>
0177:00401168  50                  PUSH      EAX
0177:00401169  3BF6                CMP       ESI,ESI
0177:0040116B  E8F6050000          CALL      KERNEL32!GetProcAddress
0177:00401170  A3B2204000          MOV       [KERNEL32!AddAtomW],EAX
0177:00401175  C70530204000433A2F00 MOV      DWORD PTR [00402030],002F3A43

0177:0040117F  688A114000          PUSH      0040118A
0177:00401184  FF2507214000        JMP       [00402107] &lt;&lt;---
</pre>
        <br>
        ok, lets trace and pass the jmp <br>
        u should now see this: <br>
        <br>
<pre>
0177:00401442  33D2                XOR       EDX,EDX
0177:00401444  3BF6                CMP       ESI,ESI
0177:00401446  7401                JZ        00401449
0177:00401448  BD686C1440          MOV       EBP,40146C68
</pre>
        . and some junk code after it <br>
        the jz is gonna jump, let it jump, or else the proggi will crash :] <br>
        <br>
        after the jz is taken, the code changes a bit, and will change a bit after a <br>
        couple of lines u trace.. u should now see this (maybe it will change a bit <br>
        during tracing :)): <br>
        <br>
<pre>
0177:00401449  686C144000          PUSH      0040146C    &lt;-- will change to ADD [EDX],BH after we traced it
0177:0040144E  3AC0                CMP       AL,AL       &lt;-- will change to INVALID after we traced it
0177:00401450  7401                JZ        00401453
</pre>
        . <br>
        <br>
        ok this jz must be taken as well, or the proggi will crash :) <br>
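        As an added example (not code from either tutorial), a small Python decoder for the opcodes in the listings above: it checks the displacement SoftICE produced for R!SC's patched JMP at 4011B3, and shows how the cmp esi,esi / jz +1 pairs in this trace, which hop over one junk byte, make a linear disassembly print MOV EBP,40146C68 at 401448 while execution actually runs PUSH 0040146C at 401449. <br>

```python
# Mini-decoder for the x86 opcodes in the SoftICE listings on this page (added
# example, not code from either tutorial). It covers only what the page shows:
# rel32 CALL/JMP (E8/E9), short JMP/JZ/JNZ (EB/74/75), PUSH imm32 (68) and
# MOV r32,imm32 (B8+r).
REGS32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]
JCC = {0x74: "JZ", 0x75: "JNZ"}  # the short conditional jumps used on this page

def decode(addr: int, code: bytes) -> tuple[str, int]:
    """Decode one instruction at `addr`; return (text, length in bytes).
    A relative branch targets the *next* instruction plus the signed displacement,
    which is why 74 01 at 401446 lands on 401449, not 401447."""
    op = code[0]
    if op in (0xE8, 0xE9):                       # CALL / JMP rel32
        disp = int.from_bytes(code[1:5], "little", signed=True)
        mnem = "CALL" if op == 0xE8 else "JMP"
        return f"{mnem} {(addr + 5 + disp) & 0xFFFFFFFF:08X}", 5
    if op == 0xEB or op in JCC:                  # JMP short / Jcc short
        disp = int.from_bytes(code[1:2], "little", signed=True)
        mnem = "JMP" if op == 0xEB else JCC[op]
        return f"{mnem} {(addr + 2 + disp) & 0xFFFFFFFF:08X}", 2
    if op == 0x68:                               # PUSH imm32
        return f"PUSH {int.from_bytes(code[1:5], 'little'):08X}", 5
    if 0xB8 <= op <= 0xBF:                       # MOV r32, imm32
        imm = int.from_bytes(code[1:5], "little")
        return f"MOV {REGS32[op - 0xB8]},{imm:08X}", 5
    raise ValueError(f"opcode {op:02X} is not covered by this example")

def linear_sweep(base: int, code: bytes, count: int) -> list[str]:
    """Decode `count` instructions back to back, as a naive disassembler would."""
    out, off = [], 0
    for _ in range(count):
        text, n = decode(base + off, code[off:])
        out.append(f"{base + off:08X}  {text}")
        off += n
    return out

def encode_jmp_rel32(src: int, dst: int) -> str:
    """Hex bytes for `jmp dst` assembled at `src`, as R!SC's `a 4011b3` did."""
    return "E9" + ((dst - (src + 5)) & 0xFFFFFFFF).to_bytes(4, "little").hex().upper()

# Bytes copied from the listing at 401446: JZ +1, the junk byte BD, then PUSH 0040146C.
JZ_REGION = bytes.fromhex("7401" "BD" "686C144000")

def trace_vs_sweep() -> tuple[list[str], list[str]]:
    """What execution sees (JZ taken, then the PUSH) versus what a linear sweep prints."""
    taken = [f"{0x401446:08X}  {decode(0x401446, JZ_REGION)[0]}",
             f"{0x401449:08X}  {decode(0x401449, JZ_REGION[3:])[0]}"]
    return taken, linear_sweep(0x401446, JZ_REGION, 2)
```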
        after it comes an interesting piece of code (which changes after u trace): <br>
        <br>
<pre>
0177:00401453  64FF32              PUSH      DWORD PTR FS:[EDX]
0177:00401456  8925A9204000        MOV       [004020A9],ESP
0177:0040145C  892DAD204000        MOV       [004020AD],EBP
0177:00401462  648922              MOV       FS:[EDX],ESP
0177:00401465  3ADB                CMP       BL,BL
0177:00401467  7401                JZ        0040146A               (JUMP )
</pre>
        <br>
        hmm the jz wants to jump here too (i wonder why ;) (note the cmp bl,bl)) <br>
        this time we don't have to make it jump: nop it or patch it to 7400 and the anti-sice <br>
        is gone (btw u gotta patch it, as the crackme executes that piece of code over and over..) <br>
        ok, ur prolly wondering why it doesn't detect sice now.. welp that jz leads us to the <br>
        is_sice_there routine.. (note what the code above sets up first: the PUSH 0040146C at 401449 <br>
        supplies a handler address, PUSH DWORD PTR FS:[EDX] with EDX zeroed at 401442 saves the previous <br>
        handler, and MOV FS:[EDX],ESP installs the new record, so an exception raised by the int68 in that <br>
        routine is caught at 40146C instead of crashing the proggi) <br>
        lets take a look at that routine <br>
        after u'll take the jz u'll reach <br>
<pre>
0177:0040146A  EB20                JMP       0040148C
</pre>
        <br>
        which will lead us to a VERY interesting piece of code (will keep changing 
        during tracing): <br>
        <br>
<pre>
0177:0040148C  663BF6              CMP       SI,SI
0177:0040148F  7401                JZ        00401492 (jump)  &lt;&lt;
0177:00401492  B443                MOV       AH,43 ; move 0x43 to AH
0177:00401494  CD68                INT       68 ; int68 (no shit ;))
0177:00401496  5A                  POP       EDX
0177:00401497  3BD2                CMP       EDX,EDX
0177:00401499  7401                JZ        0040149C  (jump) &lt;&lt;
0177:0040149C  646789160000        MOV       FS:[0000],EDX
0177:004014A2  3BF6                CMP       ESI,ESI
0177:004014A4  7401                JZ        004014A7  (jump) &lt;&lt;
0177:004014A7  5A                  POP
</pre>
