Reverse Engineering Team Board > Reverse Engineering Board > Reverse Code Engineering
#1  07-18-2005, 08:48 AM
kaza007 (Member, joined Jul 2005, 7 posts)

Hi all,
I was after some advice on setting a breakpoint in SoftICE.

I have a crackme called "MarketingPro", April 2004 edition. It uses InstallShield for the installation.
After decompiling the Setup.inx, I found the following:

ChkRegKey(local_string3, local_string4, global_string16, "", ""); // dll: MINSCHK.dll
local_string3 - Name
local_string4 - Company Name
global_string16 - Key (format xxxx-xxxx-xxxx-xxxx-xxxx-xxxx)

I can't seem to break into MINSCHK.dll using SoftICE. I set the breakpoint BPX ChkRegKey, which comes back "symbol not defined". I have included the DLL in the SoftICE dat file.

I have included the W32Dcompile of MINSCHK.dll for the hell of it.

I have tried to study what is happening in the ChkRegKey routine but I don't get it! Especially:
Call 004023CC - does this change the strings to numbers?
Call 004011D3 - is this the algo to work out the correct key?

Any tips would be appreciated.

regards,
kaza007
#2  07-19-2005, 06:00 PM
kaza007 (Member, joined Jul 2005, 7 posts)

OK, Call 004023CC counts the number of bytes in an entered string and returns with the value in EAX.

Kaza007.
#3  07-23-2005, 01:39 AM
kaza007 (Member, joined Jul 2005, 7 posts)

Here is a link to the prog.

MarketingPro <- link works again!

I have not included the whole thing but there are enough files to check out the install program.

I patched the Setup.inx successfully to accept any key, but when the setup tries to install the database it comes up with an error. I believe it must use the key for other checks as well!

kaza007.
#4  08-04-2005, 02:16 AM
kaza007 (Member, joined Jul 2005, 7 posts)

Thanks for the feedback guys!
The silence is deafening.

Well, I have done a search on SoftICE and come up with a way of breaking into the DLL the hard way.
SoftICE has a feature, "i3here", which uses the Int 3 instruction to pop straight into SoftICE when it is executed.

So I substituted a byte at the start of the DLL with 0xCC (Int 3) and entered the command "i3here on" in SoftICE, and bang! You are in SoftICE every time the DLL is called.

Now all I have to do is work out what the routine is actually doing!
Any ideas????

The routine at 401345 is doing a lot of comparing with the Key, but I am not sure what's going on!

Kaza007.
#5  08-10-2005, 05:22 AM
kaza007 (Member, joined Jul 2005, 7 posts)
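What the 0xCC substitution in the post above does at the CPU level, as an added example that is not part of the thread: int3 is the one-byte software-breakpoint instruction. With "i3here on" a kernel debugger such as SoftICE takes the trap; without a debugger the operating system hands it to the process itself (SIGTRAP on POSIX systems, EXCEPTION_BREAKPOINT on Windows). The program below installs a SIGTRAP handler that stands in for the debugger, executes an int3, and shows that control comes back after the 0xCC byte. It assumes a POSIX system and a GNU-compatible compiler on x86 (elsewhere it falls back to raising the signal); the code bytes scanned by `has_int3_byte` are constructed samples, not bytes from MINSCHK.dll.

```c
/* Added example: how an 0xCC (int3) byte hands control to a debugger, with a
 * SIGTRAP handler standing in for SoftICE. POSIX/x86 assumptions are marked. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static volatile sig_atomic_t trap_seen = 0;

static void on_trap(int sig) {
    (void)sig;
    /* The "debugger" has control. On x86 the saved program counter already
     * points past the 0xCC byte, so returning resumes after it. */
    trap_seen = 1;
}

/* Execute a software breakpoint and report whether the handler caught it:
 * returns 1 on success, 0 if no trap arrived, -1 if the handler could not be set. */
int int3_trap_demo(void) {
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_trap;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGTRAP, &sa, &old) != 0)
        return -1;
    trap_seen = 0;
#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
    /* Assumption: x86 with GCC/Clang; this emits exactly the single byte 0xCC. */
    __asm__ __volatile__("int3");
#else
    /* Other architectures: deliver the same signal the CPU trap would produce. */
    raise(SIGTRAP);
#endif
    sigaction(SIGTRAP, &old, NULL);   /* restore the previous disposition */
    return trap_seen;
}

/* A naive integrity check over a code region: does any byte equal 0xCC?
 * This is how a patch like the poster's would be noticed. It is deliberately
 * simple: 0xCC can also appear legitimately inside immediates or padding, so a
 * real check compares the region against a known-good hash instead. */
int has_int3_byte(const unsigned char *code, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (code[i] == 0xCC)
            return 1;
    return 0;
}

int main(void) {
    /* Constructed sample: a typical x86 prologue (push ebp; mov ebp,esp; sub esp,10h)
     * and the same bytes with the first one replaced by int3. */
    unsigned char clean[]   = {0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10};
    unsigned char patched[] = {0xCC, 0x8B, 0xEC, 0x83, 0xEC, 0x10};

    printf("trap caught by handler: %d\n", int3_trap_demo());
    printf("clean region has int3: %d, patched region has int3: %d\n",
           has_int3_byte(clean, sizeof clean), has_int3_byte(patched, sizeof patched));
    return 0;
}
```

The same single byte is what SoftICE's BPX command writes at a breakpoint address behind the scenes, which is why the manual 0xCC patch works even when the symbol lookup for BPX ChkRegKey fails: the trap is taken regardless of whether the debugger knows a name for that address.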

Here is a bit more that I have worked out.
Call 407DD4 makes all the characters of the Key uppercase.

Call 401345 gets each char from the key and extracts a new char from a lookup table. I am not sure what it compares the new characters to!!

Kaza007
#6  08-15-2005, 04:25 PM
quitsendingmetrash (Member, joined Dec 2003, 29 posts)

Your feedback is appreciated, although I am not so sure your definition of a crackMe is the same as everyone else's.
#7  08-17-2005, 02:32 AM
kaza007 (Member, joined Jul 2005, 7 posts)

So what is the definition of a "Crackme"?

A program/software that someone or many users have but which is crippled or times out until a valid serial is entered for the registration process?

If not the above, what is it? Am I asking advice in the wrong forum?

I have not added a link to the whole program as it is very large, over 500 MB. If anyone wants the whole thing I will be glad to upload it wherever you like.

kaza007,
#8  08-18-2005, 12:18 PM
quitsendingmetrash (Member, joined Dec 2003, 29 posts)

Actually I should have just kept my mouth shut, as I am not qualified to help you. I happen to like that you were posting your progress even though you had received no feedback. Watching others troubleshoot fascinates me (educates me as well). Most of the people surrounding me in the real world would rather shout over their shoulder asking how to do something rather than making the first attempt to figure it out.

The definition of crackMe is like anything else in life: whatever each individual wants it to be. I was thinking more along this
http://www.crackmes.de/
line when I made my unnecessary post.
Later, and good luck with your crackMe!
#9  08-22-2005, 08:05 AM
kaza007 (Member, joined Jul 2005, 7 posts)

Thanks for the post quitsendingmetrash.
At least you have made the effort to give me some sort of feedback.

Thanks for the link. The site looks very interesting and I will visit it more often when I get more time. Definitely a good place to learn more on the subject!