Re-Move Crackme by CoDe_InSiDe tutorial by nh

E-Mail: nh666@mail.ru

Tools needed: Soft-Ice v4.xx, Hiew v6.xx.

So, let's look at the crackme in Hiew:

.004F0090: BE00114000                   mov       esi,000401100 ;" @ "
.004F0095: 8BFE                         mov       edi,esi
.004F0097: 33C0                         xor       eax,eax
.004F0099: B930030000                   mov       ecx,000000330 ;"  0"
.004F009E: 33DB                         xor       ebx,ebx
.004F00A0: 33D2                         xor       edx,edx
.004F00A2: AC                           lodsb
.004F00A3: 01C3                         add       ebx,eax
.004F00A5: 2C1F                         sub       al,01F ;""
.004F00A7: 01C2                         add       edx,eax
.004F00A9: AA                           stosb
.004F00AA: E2F6                         loop     .0004F00A2   -------- (1)
.004F00AC: 2BDA                         sub       ebx,edx
.004F00AE: 93                           xchg      ebx,eax
.004F00AF: 3DD01B0000                   cmp       eax,000001BD0 ;"  -"
.004F00B4: 7506                         jne      .0004F00BC   -------- (2)
.004F00B6: 6800114000                   push      000401100 ;" @ "
.004F00BB: C3                           retn

So the file is encrypted, but the encryption is very easy: sub al,01fh =))
So we can decrypt the file in Hiew; we get rm-uncr.exe =)
Now change the first byte at offset 4f0090 to 0cch and set the breakpoint
bpint 3 (don't forget to change 0cch back to 0beh in Soft-Ice %))
and trace it.
After some tracing it's easy to see that all the code is executed
after push 40000b; push xxx; retn, so set a breakpoint at 40000a (the retn)
and trace on... =))
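As an added example (not part of nh's tutorial), here is a Python model of the loader loop at .004F0090: it emulates the decryption and the ebx-edx compare, works out what that compare actually counts, and reuses the same key to decode an entry of the nh-rmcm.xck patch file shown at the end of the tutorial. The buffer it runs on is constructed, not the real crackme.

```python
# Added example (not from nh's tutorial): a Python model of the loader loop
# at .004F0090 and of the integrity check that follows it.
KEY = 0x1F          # "sub al,01F"           at .004F00A5
LENGTH = 0x330      # "mov ecx,000000330"    at .004F0099
EXPECTED = 0x1BD0   # "cmp eax,000001BD0"    at .004F00AF


def decrypt_and_check(buf):
    """Emulate lodsb / add ebx,eax / sub al,1F / add edx,eax / stosb / loop.

    eax starts at 0 and only al is ever written, so 'add ebx,eax' sums the
    original bytes and 'add edx,eax' sums the decrypted ones.
    Returns (decrypted bytes, ebx - edx, check passed).
    """
    ebx = edx = 0
    out = bytearray()
    for b in buf[:LENGTH]:
        ebx += b                  # add ebx,eax   (eax == original byte)
        d = (b - KEY) & 0xFF      # sub al,01F    (wraps for bytes below 0x1F)
        edx += d                  # add edx,eax   (eax == decrypted byte)
        out.append(d)             # stosb
    diff = ebx - edx              # sub ebx,edx ; xchg ebx,eax
    return bytes(out), diff, diff == EXPECTED


def low_bytes_needed():
    """The compare is really a byte count: every byte >= 0x1F adds 0x1F to
    ebx-edx, every byte below 0x1F adds 0x1F-0x100 (the sub wrapped).
    Solve for how many of the 0x330 bytes must be below 0x1F."""
    for n in range(LENGTH + 1):
        if (LENGTH - n) * KEY + n * (KEY - 0x100) == EXPECTED:
            return n
    return None


def make_sample(n_low):
    """Constructed test buffer (not the real crackme): n_low encrypted bytes
    below 0x1F followed by padding that decrypts to 0x22."""
    return bytes([0x05] * n_low + [0x41] * (LENGTH - n_low))


def xck_plaintext(old, new):
    """Decode one 'offset: old new' line of the .xck file with the same key.
    Entry 000003F8: D4 D0 gives (0xB5, 0xB1), i.e. 'mov ch,..' -> 'mov cl,..',
    which shows the patch is written into the still-encrypted bytes."""
    return (old - KEY) & 0xFF, (new - KEY) & 0xFF
```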

.00401000: 60                           pushad
.00401001: 33C0                         xor       eax,eax
.00401003: 33C9                         xor       ecx,ecx
.00401005: B12B                         mov       cl,02B ;"+"
.00401007: BE20114000                   mov       esi,000401120 ;" @ "
.0040100C: BF00004000                   mov       edi,000400000 ;" @  "
.00401011: F3A4                         repe      movsb
.00401013: E838000000                   call     .000401050   -------- (1)
.00401018: C3                           retn


.00401020: 680B004000                   push      00040000B ;" @ "
.00401025: 68A0114000                   push      0004011A0 ;" @"
.0040102A: C3                           retn


So what do we see? Soft-Ice detection, so FrogsIce helps us... =))
Continue, and we see some interesting checks:

.00401233: FF153C004F00                 call      d,[0004F003C]  ; GetTickCount(...)
.00401239: 91                           xchg      ecx,eax
.0040123A: C3                           retn

.00401228: A100144000                   mov       eax,[000401400]
.0040122D: 2BC8                         sub       ecx,eax
.0040122F: C3                           retn

; of course al isn't 0 here, but we patch the byte at .40122e so it does sub ecx,ecx
; and that's all

.0040121D: 91                           xchg      ecx,eax
.0040121E: 84C0                         test      al,al
.00401220: 7506                         jne      .000401228   -------- (1)
.00401222: C3                           retn

next checks:

.004010E9: 60                           pushad
.004010EA: FF153C004F00                 call      d,[0004F003C] ; GetTickCount
.004010F0: 93                           xchg      ebx,eax
.004010F1: BF80124000                   mov       edi,000401280 ;" @"
.004010F6: 33C9                         xor       ecx,ecx
.004010F8: B510                         mov       ch,010 ;"" ; hmmm....
.004010FA: 803FCC                       cmp       b,[edi],0CC ;""
.004010FD: 7411                         je       .000401110   -------- (1)
.004010FF: 47                           inc       edi
.00401100: E2F8                         loop     .0004010FA   -------- (2)
.00401102: FF153C004F00                 call      d,[0004F003C] ; GetTickCount
.00401108: 2BC3                         sub       eax,ebx
.0040110A: 84C0                         test      al,al
.0040110C: 7502                         jne      .000401110   -------- (3)
.0040110E: 61                           popad
.0040110F: C3                           retn
.00401110: 61                           popad
.00401111: 68B0114000                   push      0004011B0 ;" @_"
.00401116: C3                           retn

So I think we need to change mov ch,10 to mov cl,10 =)))
and sub eax,ebx to sub eax,eax.
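As an added example (not from the tutorial), a Python model of the routine at .004010E9 showing what each of its two checks reacts to: the 0xCC scan and the low byte of the GetTickCount delta. The memory image and tick values are constructed; scan_len=0x10 models the mov ch,10 -> mov cl,10 patch and timing_patched models sub eax,ebx -> sub eax,eax.

```python
# Added example (not from nh's tutorial): a Python model of the routine at
# .004010E9, to show what each of the two checks reacts to.
BP_OPCODE = 0xCC            # "cmp b,[edi],0CC": software breakpoint (int 3)
SCAN_START = 0x401280       # "mov edi,000401280"
SCAN_LEN = 0x10 << 8        # "mov ch,010" -> ecx = 0x1000 bytes
ESCAPE = 0x4011B0           # address pushed at .00401111 when a check fires


def tick_low_byte_nonzero(t_before, t_after, patched=False):
    """Second check: GetTickCount before and after the scan, 'sub eax,ebx',
    then 'test al,al'. Only the low byte of the delta matters; if the scan
    took long (single-stepping through it would), the low byte is almost
    always nonzero. patched=True models 'sub eax,eax'."""
    delta = 0 if patched else (t_after - t_before) & 0xFFFFFFFF
    return (delta & 0xFF) != 0


def find_breakpoint(mem, start=SCAN_START, length=SCAN_LEN):
    """First check: scan 'length' bytes from 'start' for 0xCC and return the
    address of the first hit, or None. mem maps addresses to byte values
    (a constructed stand-in for process memory; unset bytes read as NOP)."""
    for addr in range(start, start + length):
        if mem.get(addr, 0x90) == BP_OPCODE:
            return addr
    return None


def antidebug(mem, t_before, t_after, scan_len=SCAN_LEN, timing_patched=False):
    """Return the address the routine continues at: ESCAPE if either check
    fires, otherwise None (normal return through popad/retn)."""
    if find_breakpoint(mem, SCAN_START, scan_len) is not None:
        return ESCAPE                      # je .00401110 -> push 4011B0 ; retn
    if tick_low_byte_nonzero(t_before, t_after, timing_patched):
        return ESCAPE                      # jne .00401110
    return None


def constructed_memory(bp_at=None):
    """Constructed memory image: 0x1000 bytes of NOPs, plus one int 3 at bp_at."""
    mem = {a: 0x90 for a in range(SCAN_START, SCAN_START + SCAN_LEN)}
    if bp_at is not None:
        mem[bp_at] = BP_OPCODE
    return mem
```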


And the last check:

.00401316: 83EE05                       sub       esi,005 ;""
.00401319: 8BFE                         mov       edi,esi
.0040131B: 83EF10                       sub       edi,010 ;""
.0040131E: 57                           push      edi
.0040131F: 33C9                         xor       ecx,ecx
.00401321: B11F                         mov       cl,01F ;""
.00401323: F3A4                         repe      movsb

; at this point esi=4f041f, so we patch the compare...

.00401325: 81FE0F014F00                 cmp       esi,0004F010F ;" O"
.0040132B: 7501                         jne      .00040132E   -------- (2)
.0040132D: 5F                           pop       edi
.0040132E: C3                           retn

After that, we get our patch file nh-rmcm.xck:

[BeginXCK]----          
  Description      : [W98] Re-Move Crackme by CoDe_InSiDe
  Crack made by    : nh
[BeginCRK]----          
[W98] Re-Move Crackme by CoDe_InSiDe                        made via FW by nh

Shareware limitation                
RE-MOVE.EXE
000003F8: D4 D0
000003FE: 30 22
00000409: E2 DF
0000052E: E7 E8
00000627: 2E 3E
00000628: 20 23

[EndCRK]----          
[EndXCK]----          

That's all.

/nh

