Protection: time limit, packed
Level: easy/intermediate (I cannot say it is easy for newbies)
Tools needed:
* SoftIce
* ProcDump or any other dumper
* a hex editor
* a fresh Coke
Run the prog: a message box tells you that the evaluation period has
expired... There is a useful API for cracking this kind of protection:
VOID GetLocalTime(
LPSYSTEMTIME lpSystemTime // address of system time structure
);
So let's put a bpx on GetLocalTime under SIce and launch the crackme. The
debugger pops up and, after leaving the call, you arrive at the code below.
EDI holds the address of the SYSTEMTIME structure passed to the call, so
[EDI] is wYear and [EDI+02] is wMonth:
00406237 CALL [KERNEL32!GetLocalTime]   ;we exited this call with F12
0040623D CMP WORD PTR [EDI],07CF        ;compares the year to 7CFh = 1999d
00406242 JG 00406280                    ;if greater than 1999, bad msgbox
00406244 JL 0040624D                    ;if less than 1999, good msgbox, the crackpad is available
00406246 CMP WORD PTR [EDI+02],06       ;compares the month to 06 (= June)
0040624B JGE 00406280                   ;if month >= 6 (June or later), jump to the bad msgbox
0040624D PUSH 30                        ;uType of the good msgbox (30h = MB_ICONEXCLAMATION)
0040624F PUSH 004062E0                  ;caption of the good msgbox
00406254 PUSH 004062F0                  ;text of the good msgbox
00406259 PUSH 00                        ;owner window handle of the good msgbox (none)
0040625B CALL [USER32!MessageBoxA]      ;shows the good msgbox
00406261 POPAD
00406262 JMP 00401000                   ;jmp to the crackpad prog
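To make the two comparisons above concrete, here is an added Python snippet (it is not part of the original tutorial or of the crackme) that lays out a SYSTEMTIME buffer the way GetLocalTime fills it and applies exactly the year/month test of the listing: [EDI] is the first WORD (wYear) and [EDI+02] the second (wMonth). The dates fed in are constructed test values.

```python
import struct
from datetime import date

# SYSTEMTIME as GetLocalTime fills it: eight little-endian WORDs, 16 bytes in total:
# wYear, wMonth, wDayOfWeek, wDay, wHour, wMinute, wSecond, wMilliseconds
SYSTEMTIME_FMT = "<8H"
SYSTEMTIME_SIZE = struct.calcsize(SYSTEMTIME_FMT)  # 16

# Constants from the listing: CMP WORD PTR [EDI],07CF and CMP WORD PTR [EDI+02],06
EXPIRY_YEAR = 0x7CF   # 1999
EXPIRY_MONTH = 6      # June


def make_systemtime(d: date) -> bytes:
    """Build the 16-byte buffer GetLocalTime would write for the given date (time fields zeroed).
    SYSTEMTIME counts Sunday as day-of-week 0, Python's weekday() counts Monday as 0."""
    day_of_week = (d.weekday() + 1) % 7
    return struct.pack(SYSTEMTIME_FMT, d.year, d.month, day_of_week, d.day, 0, 0, 0, 0)


def evaluation_ok(systemtime: bytes) -> bool:
    """Mirror of 0040623D..0040624B: True means the good msgbox path (crackpad available)."""
    year = struct.unpack_from("<H", systemtime, 0)[0]   # [EDI]    = wYear
    month = struct.unpack_from("<H", systemtime, 2)[0]  # [EDI+02] = wMonth
    if year > EXPIRY_YEAR:      # JG 00406280  -> bad msgbox
        return False
    if year < EXPIRY_YEAR:      # JL 0040624D  -> good msgbox
        return True
    return month < EXPIRY_MONTH  # JGE 00406280 on month >= 6 -> bad msgbox


if __name__ == "__main__":
    for sample in (date(1998, 12, 31), date(1999, 5, 31), date(1999, 6, 1), date(2000, 1, 1)):
        print(sample, "->", "good msgbox" if evaluation_ok(make_systemtime(sample)) else "bad msgbox")
```

The struct layout is why the crackme only needs two comparisons at offsets 0 and 2: the check never looks past wMonth, so the remaining six WORDs are irrelevant to it.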
There are several ways to patch this: we could NOP the jumps at 406242 and
40624B, but it isn't very "professional". The best solution seems to be the
following one: when you arrive at 40623D under SIce, type:
a (then Enter)
jmp 406261 (then Enter)
Esc
The prog will now jump from:
0040623D CMP WORD PTR [EDI],07CF
to:
00406261 POPAD
00406262 JMP 00401000 ;jmp to the crackpad prog
and this memory patch works perfectly.
3) The final patch of death
If you disassemble the crackme, you won't find any string data references, nor any code looking like the one we patched in memory. Edit the PE of the prog with ProcDump and you see:
_________________________________________________________________________________________________
Name    Virt Size  Virt Offset  Raw Size   Raw Offset  Characteristics
.text   00004000   00001000     00002C00   00000800    E0000020
.bss    00001000   00005000     00000000   00000000    C0000080
.data   00002000   00006000     00000000   00000000    C0000040
.rsrc   00002000   00008000     00001800   00003400    C0000040
.reloc  00003000   0000B000     00000000   00000000    C2000040
.reloc  00001000   0000C000     00000400   00000400    E2000060
        0000033D   0000D000     00000000   00000000    C2000080
_________________________________________________________________________________________________
The last section is strange: it has no name (hehe, the prog was packed...)
and you can see that the raw size of the .data section is 0! That's why we
couldn't find the right asm code: on disk it simply isn't there, it only
exists once the packer has unpacked it in memory. Let's dump the prog to see
more clearly...
In ProcDump, right click on Crackpad.exe, choose Full Dump and save the new
executable as crackpad_dump.exe for example. Edit the new PE and you see:
_________________________________________________________________________________________________
Name    Virt Size  Virt Offset  Raw Size   Raw Offset  Characteristics
.text   00004000   00001000     00003968   00000600    E0000080
.bss    00001000   00005000     00000000   00005000    C0000080
.data   00002000   00006000     00001494   00004000    C0000040
.rsrc   00003000   00008000     00002B70   00005600    C2000040
.reloc  00001000   0000B000     00000000   00008200    C2000040
.reloc  0000033D   0000C000     0000033D   00008200    E2000060
        00001000   0000D000     00000000   00008600    C2000080
_________________________________________________________________________________________________
To be able to see all string data references and to patch more quickly, just
change the characteristics of the .data section to E0000020 (right click on
.data, Edit Section, Characteristics). E0000020 means code + executable +
readable + writable, so the disassembler now treats the section as code.
Hehe, if you disassemble the crackme now, you'll be able to patch the prog by
changing the bytes 66 81 of the CMP WORD PTR [EDI],07CF (the instruction right
after the call at 406237, i.e. at 40623D) into EB 22 (= jmp 406261) with a hex
editor...
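The two ProcDump tables above tell the whole story once you decode the Characteristics column, so here is an added Python script (not part of the original tutorial and not a ProcDump feature) that parses both tables, names the IMAGE_SCN_* flags set in each section and lists the oddities an analyst would look for when deciding whether a file is packed: nameless sections, duplicated names, writable+executable sections, and sections that occupy memory but have no bytes on disk even though they are not .bss-style uninitialized data. The table text is copied from the page; the heuristics and their wording are this example's own.

```python
# IMAGE_SCN_* section flags from the PE specification (bit value -> name).
IMAGE_SCN = {
    0x00000020: "CNT_CODE",
    0x00000040: "CNT_INITIALIZED_DATA",
    0x00000080: "CNT_UNINITIALIZED_DATA",
    0x02000000: "MEM_DISCARDABLE",
    0x20000000: "MEM_EXECUTE",
    0x40000000: "MEM_READ",
    0x80000000: "MEM_WRITE",
}
KNOWN_MASK = sum(IMAGE_SCN)

# Constructed copies of the two section tables shown above (packed file, then full dump).
PACKED_TABLE = """
.text  00004000 00001000 00002C00 00000800 E0000020
.bss   00001000 00005000 00000000 00000000 C0000080
.data  00002000 00006000 00000000 00000000 C0000040
.rsrc  00002000 00008000 00001800 00003400 C0000040
.reloc 00003000 0000B000 00000000 00000000 C2000040
.reloc 00001000 0000C000 00000400 00000400 E2000060
       0000033D 0000D000 00000000 00000000 C2000080
"""
DUMPED_TABLE = """
.text  00004000 00001000 00003968 00000600 E0000080
.bss   00001000 00005000 00000000 00005000 C0000080
.data  00002000 00006000 00001494 00004000 C0000040
.rsrc  00003000 00008000 00002B70 00005600 C2000040
.reloc 00001000 0000B000 00000000 00008200 C2000040
.reloc 0000033D 0000C000 0000033D 00008200 E2000060
       00001000 0000D000 00000000 00008600 C2000080
"""


def decode_characteristics(value: int) -> list:
    """Names of the IMAGE_SCN_* bits set in a Characteristics DWORD, lowest bit first."""
    names = [name for bit, name in sorted(IMAGE_SCN.items()) if value & bit]
    unknown = value & ~KNOWN_MASK
    if unknown:
        names.append("UNKNOWN_%08X" % unknown)
    return names


def parse_section_table(text: str) -> list:
    """Turn the whitespace-separated ProcDump listing into dicts; a 5-field row is a nameless section."""
    sections = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) == 5:
            fields.insert(0, "")
        name, vsize, vaddr, rsize, raddr, chars = fields
        sections.append({
            "name": name,
            "virt_size": int(vsize, 16),
            "virt_addr": int(vaddr, 16),
            "raw_size": int(rsize, 16),
            "raw_addr": int(raddr, 16),
            "characteristics": int(chars, 16),
        })
    return sections


def triage(sections: list) -> list:
    """Return (section label, reason) pairs for the packer indicators found in the table."""
    findings = []
    seen = set()
    for s in sections:
        flags = decode_characteristics(s["characteristics"])
        label = s["name"] or "<no name>"
        if not s["name"]:
            findings.append((label, "section has no name"))
        elif s["name"] in seen:
            findings.append((label, "duplicate section name"))
        seen.add(s["name"])
        if "MEM_WRITE" in flags and "MEM_EXECUTE" in flags:
            findings.append((label, "writable and executable"))
        if s["raw_size"] == 0 and s["virt_size"] and "CNT_UNINITIALIZED_DATA" not in flags:
            findings.append((label, "no bytes on disk but %#x bytes in memory: filled at run time"
                             % s["virt_size"]))
    return findings


if __name__ == "__main__":
    for title, table in (("packed", PACKED_TABLE), ("dumped", DUMPED_TABLE)):
        print("==", title)
        for label, reason in triage(parse_section_table(table)):
            print("  %-10s %s" % (label, reason))
```

Run on the packed table the script flags .data (and the first .reloc) as "no bytes on disk but present in memory", which is exactly the observation the tutorial makes by eye; on the dumped table .data no longer appears, because the dump wrote its 0x1494 unpacked bytes to disk.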
4) Final words
Well, this crackme is easy if you know a little about dumping and packed files. I like r!sc's crackmes because they aren't here to suck you, but to help you to progress in cracking. Thanx r!sc! I greet my groups: DQF, digital Factory, HellForge
and my friends (no specific order) : ACiD BuRN, BoomBox, BlndAngl, Lucifer48, Volatility, Tscube, Visionz, amante4, alpine, FatBoyJoe, Warez Pup, Eternal_bliss, r!sc, [mega], Sushi, MagicRaphoun, TaMaMbolo, Kahel,V-Rom, Ep-180, morrinth, Tres`ni, Dawai, DXF, CiniMod, xor, Air2k, grAnix, LordOfLa, karlitoXZ, [ManKind], Falcon^, Dazzler.... and all I've forgotten ;-)