PhrozenCrew CrackMe No. 3 - Tutorial

PhrozenCrew CrackMe No. 3 - CrackMe Archive (180k).

This particular challenge is another missing file protection, although the author of this CrackMe is using borrowed code to encrypt the file PE header and also to kick File Monitor, though the File Monitor detection seems only partially effective on my system (the time delay is long enough to snatch the necessary information). Launch the CrackMe and click continue, unsurprisingly you'll note the status as being not correct. Its actually best to reverse the protection from here.

The first stage (assuming you didn't attempt to use File Monitor) is to find the name of our missing file, a >bpx CreateFileA will be sufficient, note how the PE encryptor confuses W32Dasm and to a certain extent IDA, anyhow, set the breakpoint in SoftICE and click retest.

:0040121C PUSH 004021BE <-- Name and path of missing file.
:00401221 CALL KERNEL32!CreateFileA
:00401226 CMP EAX,-01 <-- Does file exist.
:00401229 JZ 00401269 <-- Jump_file_does_not_exist.

So a fairly rudimentary test here, obviously check the push 004021BE with a >d 004021BE and be sure to note the precise path of the missing file (C:\NETSCAPE\Users\default\bookmark.htm), you obviously now need to create this file with the correct path, and I recommend inserting some text into the file. The file length is then retrieved (although not checked) before we reach the real check a few F10's further on.

:0040124F CALL 0040107A <-- Trace this and CALL 00401000 below it.
:00401254 CMP EAX,01 <-- Check file.
:00401257 JNZ 00401269 <-- Jump bad file.

The checking mechanism is a fairly pleasant affair, the registers AL and AH are repetitively used to verify each of the missing files characters, you should easily locate the good text in memory, with the file name bookmark.htm the missing text is predictably, hereby concluding this missing file protection.

Return to CrackMe's

© 1998 CrackZ. 23rd July 1998.