	  Ŀ
	                                                              Ŀ
	    
	          
	          
	                                               
	                                               
	                                   
	                                   
	                                   
	                                                
	                                                
	                       
	                       
	                 
	                                                                  
	                                                                  
	                         
	                 p r o u d l y     p r e s e n t s                
	                         
	                                                                  
	Ŀ                                            www.tscube.cjb.net
	  


                      ͻ
                        Tutorial for FuzzyCAT's crackme #2   
                      ͼ


note : this tutorial is for the crackme named 'CrackMe#2h.exe'



Ŀ
1.Intro 


Here we are again with a 'matrix crackme'... this time we must :
1) Remove the time limit
2) Find the valid combination

As you will see, finding the valid combination is easy as pie; the *real* challenge is to remove
the time limit, because we'll have to patch a proggy packed with Petite 2.2 (yeah, we'll patch,
because you know what I think of loaders ;)

For this tutorial, I'll assume that you know how code redirection works, because I won't
re-explain the theory of patching packed targets.



Ŀ
2. A Dead Listing for table 4 ! 


So, the crackme is packed with Petite 2.2 (I think), but it looks like FuzzyCAT renamed the
sections of the crackme to confuse us...

Although Procdump seems to be able to unpack it, that is not really the case: the resulting
dead listing is messed up, so we'll have to do it by hand.

The end of the unpacking process is at @46910B... but be careful because it is ALSO the entry
point !

Petite entry point :
0137:0046910B  B800904600          MOV       EAX,00469000

Petite exit point (same address):
0137:0046910B  E90055FEFF          JMP       0044E610  
 
- Use SICE loader to break on entrypoint
- 'BPM 46910B X' then F10 to reach the end of the unpacking process -> JMP 0044E610  
- 'A' then 'JMP EIP' (the program now spins in an endless loop, so its unpacked image stays in memory for dumping)
- 'BC *' & F5 to let the crackme run
- Open Procdump
- Left click on 'CrackMe#2h.exe' in the list of the running tasks
- Select 'Dump (full)' and save the dump ('CrackMe#2h_dump.exe' for ex.)
- Again, left click on 'CrackMe#2h.exe' in the list of the running tasks
- Select 'Kill task'

Now you have an unpacked crackme that you can disassemble, but don't run it because it will crash.
The idea was not to have an unpacked, working crackme, but rather a clean dead listing with all
string data references.



Ŀ
3. The correct matrix combination 


Easy as pie: 'button (X,Y)' is the matrix button on line X and row Y. In the listing below, each `call dword ptr [edx+000000B4]` returns one button's state in AL, and the `cmp al, 01` / `test al, al` that follows decides whether that button is pushed.


:0044E2C4 53                      push ebx
:0044E2C5 8BD8                    mov ebx, eax
:0044E2C7 8B83D4020000            mov eax, dword ptr [ebx+000002D4]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044E251(C)
|
:0044E2CD 8B10                    mov edx, dword ptr [eax]
:0044E2CF FF92B4000000            call dword ptr [edx+000000B4]

:0044E2D5 3C01                    cmp al, 01 -> is button (1,2) pushed ?
:0044E2D7 0F85F2000000            jne 0044E3CF -> no,fuck off

:0044E2DD 8B83DC020000            mov eax, dword ptr [ebx+000002DC]
:0044E2E3 8B10                    mov edx, dword ptr [eax]
:0044E2E5 FF92B4000000            call dword ptr [edx+000000B4]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044E2BB(C)
|
:0044E2EB 3C01                    cmp al, 01 -> is button (1,4) pushed ?
:0044E2ED 0F85DC000000            jne 0044E3CF -> no, fuck off

:0044E2F3 8B83E8020000            mov eax, dword ptr [ebx+000002E8]
:0044E2F9 8B10                    mov edx, dword ptr [eax]
:0044E2FB FF92B4000000            call dword ptr [edx+000000B4]

:0044E301 3C01                    cmp al, 01 -> is button (2,3) pushed ?
:0044E303 0F85C6000000            jne 0044E3CF -> no, fuck off

:0044E309 8B83F0020000            mov eax, dword ptr [ebx+000002F0]
:0044E30F 8B10                    mov edx, dword ptr [eax]
:0044E311 FF92B4000000            call dword ptr [edx+000000B4]

:0044E317 3C01                    cmp al, 01 -> is button (3,1) pushed ?
:0044E319 0F85B0000000            jne 0044E3CF -> no, fuck off

:0044E31F 8B83D0020000            mov eax, dword ptr [ebx+000002D0]
:0044E325 8B10                    mov edx, dword ptr [eax]
:0044E327 FF92B4000000            call dword ptr [edx+000000B4]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044E2B1(C)

the following code checks if the other buttons are NOT pushed :

:0044E32D 84C0                    test al, al
:0044E32F 0F859A000000            jne 0044E3CF -> fuck off
:0044E335 8B83D8020000            mov eax, dword ptr [ebx+000002D8]
:0044E33B 8B10                    mov edx, dword ptr [eax]
:0044E33D FF92B4000000            call dword ptr [edx+000000B4]
:0044E343 84C0                    test al, al
:0044E345 0F8584000000            jne 0044E3CF -> fuck off
:0044E34B 8B83E0020000            mov eax, dword ptr [ebx+000002E0]
:0044E351 8B10                    mov edx, dword ptr [eax]
:0044E353 FF92B4000000            call dword ptr [edx+000000B4]
:0044E359 84C0                    test al, al
:0044E35B 7572                    jne 0044E3CF -> fuck off
:0044E35D 8B83E4020000            mov eax, dword ptr [ebx+000002E4]
:0044E363 8B10                    mov edx, dword ptr [eax]
:0044E365 FF92B4000000            call dword ptr [edx+000000B4]
:0044E36B 84C0                    test al, al
:0044E36D 7560                    jne 0044E3CF -> fuck off
:0044E36F 8B83EC020000            mov eax, dword ptr [ebx+000002EC]
:0044E375 8B10                    mov edx, dword ptr [eax]
:0044E377 FF92B4000000            call dword ptr [edx+000000B4]
:0044E37D 84C0                    test al, al
:0044E37F 754E                    jne 0044E3CF -> fuck off
:0044E381 8B83F4020000            mov eax, dword ptr [ebx+000002F4]
:0044E387 8B10                    mov edx, dword ptr [eax]
:0044E389 FF92B4000000            call dword ptr [edx+000000B4]
:0044E38F 84C0                    test al, al
:0044E391 753C                    jne 0044E3CF -> fuck off
:0044E393 8B83F8020000            mov eax, dword ptr [ebx+000002F8]
:0044E399 8B10                    mov edx, dword ptr [eax]
:0044E39B FF92B4000000            call dword ptr [edx+000000B4]
:0044E3A1 84C0                    test al, al
:0044E3A3 752A                    jne 0044E3CF -> fuck off
:0044E3A5 8B83FC020000            mov eax, dword ptr [ebx+000002FC]
:0044E3AB 8B10                    mov edx, dword ptr [eax]
:0044E3AD FF92B4000000            call dword ptr [edx+000000B4]
:0044E3B3 84C0                    test al, al
:0044E3B5 7518                    jne 0044E3CF -> fuck off
:0044E3B7 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"Thank You"
                                  |
:0044E3B9 B9D4E34400              mov ecx, 0044E3D4


So, the correct combination is:


NFO viewer version              Text editor version
                

Ŀ                +-                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      