1. markh51:

There are, at least two GOOD reasons why I question whether you have search before you ask a question.

1.) You NEVER state that you have SEARCHED for the answer to a question.

2.) You CONTINUE to ask questions that I KNOW have answers EASILY available by searching.

Take, for example your question "Do I use "bpm address" ? Then what do I look for ?

This tells me your haven't the slightest idea what a CRC check is doing and that, despite your protestations to the contrary, you haven't paid much attention to the Softice manual on the use of BPM (Address) and you really didn't SEARCH for information on the subject, or at least you didn't do so with ANY thought about what you were looking for.

Take for example this search:

The very first entry is to:

#Cracking4Newbies SoftIce Tutorial, found at http://www.woodmann.net/krobar/beginner/04.htm

Does that address LOOK FAMILIAR? It's right here.

It contains the statement:

BREAKPOINTING ON MEMORY ACCESS
--------------------------------------------------------
The R/W tells SoftICe whether to pop up on a read or write operation to that address. The default is RW (read & write)

The third entry in the search was: Guide to SoftICE Commands
http://www.woodmann.com/crackz/Tutorials/Sicecref.htm

Does that address LOOK FAMILIAR? It's also right here.

It contains: BPM
Break point on memory access
BPM[size] address [R|W|RW|X] [debug register] [IF expression] [DO bp-action]

There are pages and pages of other references.

I KNOW this information is IN THE F*CKING MANUAL with explainations and examples.

There are also pages and pages of search references to CRC available. One such provides:

cyclic redundancy check
(algorithm)

Definition: (1) A method to detect and correct errors by adding bits derived from a block or string of bits to the block. (2) An algorithm to compute bits characteristic of a block based on the algebra of polynomials over the integers, modulo 2. (3) The characteristic bits of a block.

Now if you had read several of these articles on CRC you would understand that there has got to be a routine which "reads" (hint, hint, hint) the bits (or bytes) of the code to check against a "sum" which is generally hard coded in the software "somewere." So..... in order to "read" the bits/bytes there must be code which is reading all, or some significant part of your target's code. Hence the use of BPM <address> (R/W).

Now IF you had SEARCHED and READ any articles on REVERSING CRC (now there's an interesting search criteria) you would already know most of this and what to do if your BPM breaks on a read of the code you previously changed.

The main problem is that you appear to lack some of the most basic level skills of reversing. That, in and of itself, is where we all started and no reason for criticism. You, however, seem not to want to do this basic home work before you venture into the dark codewoods and then you scream for help when you get lost, instead of SEARCHING for the correct path with any forethought or significant effort on your own, or, at the very least, with NO demonstration you have done so. You certainly appear to be trying to fly, before you actually learn how to crawl.

Regards,

2. Setting a BPM on the address I changed, does nothing. Any ideas ?

3. Did you set BPM <address> or BPM <address> R/W ? Details ARE important.

The first one will NOT work. The second one should.

And you NEVER actually confirmed that you were, or were not using Win95.
If not what OS are you using?

Regards,

4. I am using Win95

Using BPM address R, still does not work !

Do you think the prog could be using kernel32.readfile, to check the CRC of it self ? but it has to have the original CRC value to compare it against, so it must be coded in to the prog ?

5. I set a BPX on the readfile and found a interesting piece of code, which the prog seems to loop inside of for a while, can you take a quick look and see what you think:

* Referenced by a CALL at Address:
|:00402F54
|
:00402EB4 55 push ebp
:00402EB5 8BEC mov ebp, esp
:00402EB7 51 push ecx
:00402EB8 53 push ebx
:00402EB9 56 push esi
:00402EBA 57 push edi
:00402EBB 8BF1 mov esi, ecx
:00402EBD 8BFA mov edi, edx
:00402EBF 8BD8 mov ebx, eax
:00402EC1 8B4510 mov eax, dword ptr [ebp+10]
:00402EC4 0FB75304 movzx edx, word ptr [ebx+04]
:00402EC8 23D0 and edx, eax
:00402ECA 3BC2 cmp eax, edx
:00402ECC 7558 jne 00402F26
:00402ECE 6A00 push 00000000
:00402ED0 8D45FC lea eax, dword ptr [ebp-04]
:00402ED3 50 push eax
:00402ED4 8B4308 mov eax, dword ptr [ebx+08]
:00402ED7 F7EE imul esi
:00402ED9 50 push eax
:00402EDA 57 push edi
:00402EDB 8B03 mov eax, dword ptr [ebx]
:00402EDD 50 push eax
:00402EDE FF550C call [ebp+0C]
:00402EE1 85C0 test eax, eax
:00402EE3 7511 jne 00402EF6

* Reference To: kernel32.GetLastError, Ord:0000h
|
:00402EE5 E8BAE3FFFF Call 004012A4
:00402EEA E8B5F9FFFF call 004028A4
:00402EEF 33C0 xor eax, eax
:00402EF1 8945FC mov dword ptr [ebp-04], eax
:00402EF4 EB3F jmp 00402F35

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402EE3(C)
|
:00402EF6 8B45FC mov eax, dword ptr [ebp-04]
:00402EF9 33D2 xor edx, edx
:00402EFB F77308 div [ebx+08]
:00402EFE 8945FC mov dword ptr [ebp-04], eax
:00402F01 8B4514 mov eax, dword ptr [ebp+14]
:00402F04 85C0 test eax, eax
:00402F06 740A je 00402F12
:00402F08 8B4514 mov eax, dword ptr [ebp+14]
:00402F0B 8B55FC mov edx, dword ptr [ebp-04]
:00402F0E 8910 mov dword ptr [eax], edx
:00402F10 EB23 jmp 00402F35

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402F06(C)
|
:00402F12 3B75FC cmp esi, dword ptr [ebp-04]
:00402F15 741E je 00402F35
:00402F17 8B4508 mov eax, dword ptr [ebp+08]
:00402F1A E885F9FFFF call 004028A4
:00402F1F 33C0 xor eax, eax
:00402F21 8945FC mov dword ptr [ebp-04], eax
:00402F24 EB0F jmp 00402F35

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402ECC(C)
|
:00402F26 B867000000 mov eax, 00000067
:00402F2B E874F9FFFF call 004028A4
:00402F30 33C0 xor eax, eax
:00402F32 8945FC mov dword ptr [ebp-04], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402EF4(U), :00402F10(U), :00402F15(C), :00402F24(U)
|
:00402F35 8B45FC mov eax, dword ptr [ebp-04]
:00402F38 5F pop edi
:00402F39 5E pop esi
:00402F3A 5B pop ebx
:00402F3B 59 pop ecx
:00402F3C 5D pop ebp
:00402F3D C21000 ret 0010

6. Sure, I just took a look at it and it's a very fine piece of code indeed.

Now for the love of god will you stop posting pages of completely uncommented code here, not to mention start following the posting guidelines which people have been trying to get you to understand for the last week or so!?!

7. The reason why it is un-commented is because I don't know what it is, so I was asking if you could tell me whether or not it looked like the CRC checking routine, as placing a BPM over the changed code does not work.

8. Hi, Markh51,
a snippet of code with external function calls is really tough to attach.
Here is anyway an hypothesis...

Code:
```        ; function name:
; get_elements_from_file(arg0, arg1, arg2, arg3)
; passed arguments and registers:
;	arg0 error on read bytes mismatch
;	arg2 sort of flags, the bits inside [EAX+4] must be set here
;	arg3 out address, to put-in the number of elements read, or NULL
;	EAX must be the pointer to a structure describing one element:
;       +00 field: file handle
;       +04 field: sort of flags (16 bits)
;       +08 field: element size
;	ECX number of elements
;	EDX buffer to be filled inside this function
; return 0 if ko, else the number of elements retrieved

; function prolog
402EB4 push ebp
mov ebp, esp
push ecx
push ebx
push esi
push edi
mov esi, ecx  ; number of elements
mov edi, edx  ; buffer

mov ebx, eax  ; passed struct pointer

; check: arg2 flags(?) must have set the bits inside [struct+4] flags
mov eax, dword ptr [ebp+10]   ; arg2
movzx edx, word ptr [ebx+04]
and edx, eax
cmp eax, edx
jne 402F26  ; return ko

push 00000000  ; lpOverlapped
lea eax, dword ptr [ebp-04]
mov eax, dword ptr [ebx+08]  ; elements size
imul esi
push edi  ; lpBuffer
mov eax, dword ptr [ebx]
push eax  ; hFile
; check the result
test eax, eax
jne 402EF6  ; ok
call 4012A4  ; GetLastError()
call 4028A4  ; acknowledge_return_code(passed in EAX)
; return 0
xor eax, eax
mov dword ptr [ebp-04], eax  ; retval
jmp 402F35  ; return 0 (ko)

402EF6 mov eax, dword ptr [ebp-04]  ; number of bytes read
xor edx, edx
div [ebx+08]  ; divide by number of bytes per element
mov dword ptr [ebp-04], eax  ; retval: number of elements read

; store the number of elements read if passed address is not null
mov eax, dword ptr [ebp+14]  ; arg3
test eax, eax
je 402F12  ; skip storing result
; do the storing
mov eax, dword ptr [ebp+14]  ; arg3
mov edx, dword ptr [ebp-04]  ; number of elements
mov dword ptr [eax], edx
jmp 402F35  ; return number of elements

; check if we have got the requested number of elements
402F12 cmp esi, dword ptr [ebp-04]  ; retval
je 00402F35  ; return ok (number of elements read)

; on failure
mov eax, dword ptr [ebp+08]   ; arg0: error on read bytes mismatch
call 4028A4  ; acknowledge_return_code(passed in EAX)
; return 0(ko)
xor eax, eax
mov dword ptr [ebp-04], eax  ; retval
jmp 00402F35  ; return 0

; return ko
mov eax, 00000067
call 4028A4  ; acknowledge_error_code()
; return 0(ko)
xor eax, eax
mov dword ptr [ebp-04], eax  ; retval

; return EBP-4
402F35 mov eax, dword ptr [ebp-04]  ; retval

; function epilog
pop edi
pop esi
pop ebx
pop ecx
pop ebp
ret 0010  ; clear the 4 arguments```
So, no CRC checking, as you see.
Regards, Bilbo.

9. Hi markh51

Could be part of a checksum code, but it could also be your grocery list for all the use it is ;-) We have absolutely no perspective on where this code lays or what it might be doing, and there are probably only 1 or 2 clairvoyants on the forum and they're busy guessing on the stock market. (EDIT: OK, Bilbo must be one of them )

This is where doing background research on all of the dozens of "CRC" threads, or on any of the subjects you've been trying to tackle lately, beforehand is useful - to give you a better perspective on what to look for. An app might use CreateFile/ReadFile to read a copy of itself in to check it, but it might also use OpenFile, _lopen, _hread, _lcreat, MapViewOfFile, maybe others, so you should also rule these API's out.

Let's say the app uses ReadFile to copy sections of itself into memory and perform some check on it. The bytes it's checking are in memory somewhere (i.e. the lpBuffer address of ReadFile), NOT on the bytes in the running image file that you tried to set a BPM(R) on. Two different addresses, not surprising it doesn't break.

Again, you need to approach this slowly and logically. Is ReadFile called only once (reads the whole file), or several times (reads it in sections)? How many bytes does it read in? At what starting address(es) is the file read? And where does it store it?

If you can you find your patched bytes in the read-in memory, THEN maybe you can set a BPM(R) on that address and see where it takes you. Can't find your patched bytes? How about setting a "tag" you can search for. Assuming your patched code isn't actually run until after the crc check passes (check with BPX/BPM(X)), you might be able to make your "patch" a distinctive character tag you can search for. Say "EMKCUF". Since it's going to fail the check anyway, who cares?

Keep trying, but remember, engage mind before keyboard...

Cheers,
Kayaker

10. Bilbo:

I am VERY greatful for you going through that piece of code for me even though it was not the routine I was looking for.

EDITED: Due to the post above being posted as I was typing this one

Thanks for that Kayaker

11. Kayaker:

Ok, what I done was modified the NTICE string to unique string. I ran the file an sure enough it crashed. So I seached for my string in memory using the S command, and I found a pattern match, so I noted down the memory location and set a "BPM address R" and ran the file again... It did not break, Any ideas why ?

Cheers.

12. Somewhere around the hundredth time you ignore people's tips about what do do, when to post, what to post and how to post, maybe people will start getting really annoyed with you...

Tha answer to your last question is already explicitly in Kayaker's post above, not to mention the tip of trying to think before you post, not just step-by-step following any detailed instruction you might find anywhere (including misunderstanding it first in half of the cases), and then posting again as soon as it didn't produce a crack for you. Aaargh!

13. Originally Posted by markh51
Ok, what I done was modified the NTICE string to unique string.

I am using Win95
HuH?? Just out of curiousity why are you patching the string 'NTICE'?

14. It doesn't matter now, I've found the code which does the CRC check, easily bypassed

15. JMI: Offtopic, appologies. Throughout all my years on the net, from usenet to forums, I've only encountered one admin, on the Mailtraq mailing lists, from whom I dreaded a reply. You have knocked him from that spot. Salute.

#### Posting Permissions

• You may not post new threads
• You may not post replies
• You may not post attachments
• You may not edit your posts
•