Crackin some really eazy examples of +Rcg
(a nice feature of SoftIce : the BPM)

by TWD

(15 October 1997)


Courtesy of fravia's page of reverse engineering

Well, if you did not try to crack the "first attempt" by +Rcg until now, try it BEFORE reading this essay, because otherwise you'll not enjoy the teachings that this section is intended to give you... reading this nice short essay without having first tried to reverse +Rcg's protection would be like reading a detective story from the bottom... well, some people like that :-)




                  Crackin some really eazy examples of +Rcg



Big shout to +Rcg,

your examples are really only a "first attempt". Crackin them took me
5 minutes each. (Just kidding).



Example 1

----------



    This was very easy to crack. I just used my beloved SoftIce 3.0
and set a breakpoint on GetDlgItemTextA.



>   bpx GetDlgItemTextA



After writing some shit into the Editboxes of tha Register-Dialog
I hit tha Register-Button and SoftIce awakens. We find ourselves
in tha Exec1!CODE. A second call to GetDlgItemTextA follows and tha
procedure ends without doing any string-work. That must mean that the
comparison of the strings is done somewhere else.



:00401314   90                 nop
:00401315   6A0B               push 0000000B
:00401317   6807214000         push 00402107  ** The position of the string
:0040131C   68E8030000         push 000003E8
:00401321   FF7508             push [ebp+08]  ** call USER32!GetDlgItemTextA
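The five listed instructions are just the argument setup for a stdcall Win32 call. As an added example that is not part of TWD's essay, this Python snippet decodes exactly those opcode bytes and maps the pushes onto the documented GetDlgItemTextA prototype (hDlg, nIDDlgItem, lpString, cchMax), which is how the string buffer at 402107 and its 11-byte length fall out of the listing. The address/byte pairs are copied from the listing above; the prototype is Microsoft's documented one.

```python
import struct

# Address / opcode-byte pairs copied from the listing above; the call to
# GetDlgItemTextA itself is the author's annotation, not listed bytes.
LISTING = [
    (0x00401314, "90"),
    (0x00401315, "6A0B"),
    (0x00401317, "6807214000"),
    (0x0040131C, "68E8030000"),
    (0x00401321, "FF7508"),
]

# Documented Win32 prototype, in declaration order:
# GetDlgItemTextA(HWND hDlg, int nIDDlgItem, LPSTR lpString, int cchMax)
GETDLGITEMTEXTA_PARAMS = ("hDlg", "nIDDlgItem", "lpString", "cchMax")

def decode(addr, hexbytes):
    """Decode the few x86 encodings in the listing -> (mnemonic, operand)."""
    b = bytes.fromhex(hexbytes)
    if b == b"\x90":
        return "nop", None
    if b[0] == 0x6A and len(b) == 2:          # push imm8, sign-extended to 32 bits
        return "push", struct.unpack("<b", b[1:2])[0] & 0xFFFFFFFF
    if b[0] == 0x68 and len(b) == 5:          # push imm32, stored little-endian
        return "push", struct.unpack("<I", b[1:5])[0]
    if b[:2] == b"\xFF\x75" and len(b) == 3:  # push dword ptr [ebp+disp8]
        return "push", "[ebp+%02X]" % b[2]
    raise ValueError("unhandled encoding %s at %08X" % (hexbytes, addr))

def recover_call_args(listing, params=GETDLGITEMTEXTA_PARAMS):
    """Map the pushes before a stdcall call site onto the callee's parameters.
    stdcall pushes the LAST parameter first, so reversing the push order
    gives declaration order: hDlg, nIDDlgItem, lpString, cchMax."""
    decoded = [decode(a, h) for a, h in listing]
    pushes = [op for mnem, op in decoded if mnem == "push"]
    if len(pushes) != len(params):
        raise ValueError("expected %d pushes, found %d" % (len(params), len(pushes)))
    return dict(zip(params, reversed(pushes)))

def bpm_address(listing):
    """Buffer GetDlgItemTextA fills: the spot for the first 'bpm' in the essay."""
    return recover_call_args(listing)["lpString"]

if __name__ == "__main__":
    args = recover_call_args(LISTING)
    for name in GETDLGITEMTEXTA_PARAMS:
        v = args[name]
        print("%-10s = %s" % (name, "%08X" % v if isinstance(v, int) else v))
    print("bpm ds:%08X" % bpm_address(LISTING))   # the essay's first bpm
```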



To find this we have to use a nice feature of SoftIce: the BPM
(breakpoint on memory access).

When we look where the little proggy stores the strings, we find
them at ds:402107 and ds:4020F7.

Now we set a breakpoint on these two memory positions.



>   bpm ds:00402107                     (name)
>   bpm ds:004020F7                     (code)



SoftIce will stop twice somewhere in the kernel, but the third time
we will stop back in our proggy. After debugging around (don't
forget to disable the BPMs) we come to this position:





:00401278           call 00401417
:0040127D           add esp, 00000008
:00401280           mov eax, [00402117]
:00401285           pop ebx
:00401286           cmp eax, ebx
:00401288           je 00401295           ** good guy makes a jump
:0040128A           nop
:0040128B           nop
:0040128C           nop
:0040128D           nop
:0040128E           call 0040146F         ** bad guy dies
:00401293           jmp 0040121A
:00401295           call 00401453
:0040129A           jmp 0040121A



Just change the "je" into a "jmp" and lose all worries.



This was the first example.





Example 2

----------

The second works nearly the same, but it has a nagscreen. Now we try
to kick the nagscreen, because the registration works exactly the same
as explained above.

To get the nagscreen we use SoftIce 3.0 and set a breakpoint on
DialogBoxParamA.



>   bpx DialogBoxParamA



After starting the proggy SoftIce stops here:



:0040115F     push 00000000
:00401161     push 0040135e           ** The caption of the Box ("NagScreen")
:00401166     push [ebp+08]
:00401169     push 004020B3
:0040116E     push dword ptr [00402074]
:00401174     call USER32!DialogBoxParamA
:00401179     cmp eax, 00000002
:0040117C     je 0040119d             ** Jump if it exits the proggy



To stop the NagScreen from boring us, let's make a little jump over it.
Replace the first push by "jmp 0040117E" and fill the leftover space
with NOPs.                 **   Never again any NagScreen.



To crack the Register-Dialog see the first part of this file
(Example 1).





Example 3

----------

Sorry, but this was not possible to do. The damned program crashed after
starting it.

First I thought it was my SoftIce, because I was waiting for some
Anti-SoftIce traps, but after disabling SoftIce in the autoexec.bat
and restarting the whole system it still crashed. Maybe +Rcg could
have a look at his program.



That's all



(c) by TWD in 1997



    mailto : twd.rulez@gmx.net

(c) TWD 1997. All rights reversed