
Thread: Challenge

  1. #1
    Jak
    Guest

    Challenge

The protection on Popcap games is very difficult. I have been ReEngineering for a year but I still think this can give you bigshots a run for your money. I'm not asking for spoon-feeding, just give me a few tips if you can (try mummy maze, rocket mania, seven seas or heavy weapon).
    Jak
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Jak, Jak, Jak..... I am not all too impressed by your challenge.
    Without mentioning names, I downloaded and installed one of your programs.
    The program was neither packed nor encrypted. After spending about 1/2 hour fooling around, I keyed on the area of the program that YOU should have noticed where the program calls a procedure that reads a registry key and goes through a rather lengthy and laborious algorithm to determine if you have a valid key, then lower order byte of EAX is set:

    MOV AL,BYTE PTR SS:[ESP+13]

    You can modify this instruction to:
    MOV AL,1
    NOP
    NOP

    The procedure returns and the program moves the value in AL to an area
    in the .data section:

    MOV BYTE PTR SS:[EBP+2F0],AL.

    Further down in the program, the value is checked to determine if
    you are registered.

I have no interest in this program, so it is still possible that there might be
another condition set. The main point is that with a little digging you can
find the solution. I assume you are using a debugger and that you have some knowledge of how to use it.

    So my answer is an emphatic NO. I don't believe their protection is that great.
    As an aside, if you find the same game elsewhere, and it is (protected) by a version of software that you can crack, go there.

    Good Luck!

  3. #3
    Howdy,

    A very good reply from condzero.
This is not difficult and, if you don't understand it,
go get a patch from somewhere out there and study it.

    Woodmann

(Did y'all want me to bash the shit out of him???)

  4. #4
    Jak
    Guest
    To try and save myself a bit of dignity:
I did work out how it is done - I was looking in the wrong direction entirely (at the error message and not the protection - well, that was what I was taught. I think I'll use my own methods from now on.). Oh well, these things happen. Thanks for the replies - don't think I deserved the shit bashed out of me, though.
    Jak
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  5. #5
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
Jak, you would really have to do something very shitty to get the bashing wrath of Woodmann going!

In a little more serious tone (as if I ever can be taken seriously), it is not unusual even for experienced crackers to bark up the wrong tree for a while and overlook the obvious. Tell me about it.
It is also not at all sinful to cheat a little bit and download already-made cracks in order to compare the before and after files and see the solution someone else already figured out. Then try to understand why or how you had not found the critical code of the protection.

  6. #6
    Hi Jak,

    You have lost no dignity here.
    I had the desire to look around inside some of those games
    to see how they worked. I got close to figuring it out but my old
brain just couldn't figure out the last step.

So I cheated and looked at someone else's work.
It was just one of those things that when you see how it is done,
you think "son of a bitch", how could I not see that.

    You did it yourself. Good job

    Woodmann

  7. #7
    curVV
    Guest
    hey jak,

    how bout writing a tutorial on how you RE'd one of those titles for the not so advanced n00bs like meself??
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  8. #8
    Jak
    Guest
    Alright my friend, it's coming soon.
I have to tell ya you'll be disappointed with it, because every time you start it up it'll ask you to register again, but to get around that I'd have to research a bit more about those two-letter registers like ax and al, which I know very little about.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  9. #9
    google for 'helppc21', download it, it'll explain those little registers and the asm commands
    ax = 16 bit counterpart of eax (eax being 32 bit)
    ah = high 8 bit part of ax
    al = low 8 bit part of ax

  10. #10
Alright, a question I can actually answer.

Jak, the EAX, AX, AH, and AL registers are all part of Register A.

    Register A is 32 bits (8 hexadecimal Bytes)

The whole Register A is called EAX, the one you see in the registers window of Olly.

    However Register A can be divided into AX which is the lower 4 bytes of EAX.
    So if EAX is 1111FF00 then AX is just FF00

    Now AX can be divided as well. Into HIGH and LOW BYTES. This is AH and AL. AH is the High byte and AL is the LOW byte.
    So if AX is FF00 then AH is FF and AL is 00

    This can be applied to most of the other registers as well. So if you see BL you know that it is the last Byte of the EBX register.

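The register relationships described in posts #9 and #10 above, as an added example that is not part of either post: a small C model of the 32-bit "Register A" family, with AX as the low 16 bits (two bytes) of EAX and AH/AL as the high and low bytes of AX. The functions (`get_ax`, `get_al`, `set_al`, `test_al_zero`, and so on) are names chosen here, not anything from the thread; they take any 32-bit register value, so the same code applies to EBX/BX/BH/BL as the post says. The `set_*` functions reproduce the 32-bit x86 rule that a write to a sub-register leaves the rest of the register untouched, and `test_al_zero` models what the `test al, al` / `je` pair seen in the listings actually inspects: only the lowest byte.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of x86 "Register A" (EAX) and its sub-registers.
 * All values are plain integers; nothing here touches real registers. */
typedef uint32_t reg32_t;

/* Read-only views: AX = low 16 bits, AH = bits 15..8, AL = bits 7..0. */
uint16_t get_ax(reg32_t eax) { return (uint16_t)(eax & 0xFFFFu); }
uint8_t  get_ah(reg32_t eax) { return (uint8_t)((eax >> 8) & 0xFFu); }
uint8_t  get_al(reg32_t eax) { return (uint8_t)(eax & 0xFFu); }

/* Partial writes: in 32-bit mode, "mov al, imm8" (or ah/ax) replaces only
 * that slice of EAX; the remaining bytes keep whatever they held before. */
reg32_t set_al(reg32_t eax, uint8_t v)  { return (eax & 0xFFFFFF00u) | v; }
reg32_t set_ah(reg32_t eax, uint8_t v)  { return (eax & 0xFFFF00FFu) | ((reg32_t)v << 8); }
reg32_t set_ax(reg32_t eax, uint16_t v) { return (eax & 0xFFFF0000u) | v; }

/* Models "test al, al" followed by "je": the branch is taken when the low
 * byte is zero, no matter what the upper three bytes of EAX contain. */
int test_al_zero(reg32_t eax) { return get_al(eax) == 0; }

int main(void) {
    reg32_t eax = 0x1111FF00u;  /* the example value used in post #10 */
    printf("EAX=%08X AX=%04X AH=%02X AL=%02X\n",
           eax, get_ax(eax), get_ah(eax), get_al(eax));
    printf("test al,al -> je taken? %s\n", test_al_zero(eax) ? "yes" : "no");

    eax = set_al(eax, 0x01);    /* the effect of "mov al, 1" */
    printf("after mov al,1: EAX=%08X (upper bytes unchanged)\n", eax);
    printf("test al,al -> je taken? %s\n", test_al_zero(eax) ? "yes" : "no");
    return 0;
}
```

Running it prints EAX=1111FF00 with AX=FF00, AH=FF, AL=00, then 1111FF01 after the low-byte write. The point for anyone reading listings like the ones later in this thread: a procedure that returns a boolean in AL may leave stale data in the upper bytes of EAX, which is exactly why the compiler emits `test al, al` rather than `test eax, eax`.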
  11. #11
    Jak
    Guest
Cheers, man. Hey, I'm so glad I found this messageboard - I'm learning more now than I have been for a good few months. Far be it from me to suggest it, but perhaps a messageboard with fundamental tips for newbies might be prudent - golden rules.
    I think it would help me and people like me.
    Anyway...think about it.
    Cheers,
    Jak
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  12. #12
Register A? That's a new one on me, heh. As for fundamental tips: FAQ and Search, just like it says in your signature when you sign up. Do like it says and you'll make jmi a happy chappie.

  13. #13
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
Be aware: the fact that those AX and BX registers are old, legacy code does not mean that debugging and RCE of 16-bit code is any easier. Quite the contrary, the use of segmented memory and other wrinkles make tracing 16-bit code a fucking maze.
If you are doing it on an XP OS, the code often goes to a 16-bit VM subsystem, and you have to use a different debugger to be able to trace.

Do not underestimate the complexity of 16-bit code.

  14. #14
    Jak
    Guest

    The requested tutorial

    You asked for it, you got it. This is my tutorial for three popcap games (hell, it’ll probably work with more). It doesn’t work with heavy weapon, my limited knowledge tells me it’s packed, and I don’t know shit about that kind of thing. Anyway, read on and learn about how untutored pikies crack things. *Note: This tutorial is written for seven seas*

    As with all good crackers, I will start my crack with w32dasm. As you all should know, we are looking for the error message in “string references”, the error message being “The registration number you have entered blablabla”. So - load up either seven seas, mummy maze or rocket mania into w32dasm (it doesn’t matter which one, they all work with this technique). Click on string references, and look for our string. Found it? Double click on it. And again. It appears in two places. It seems to my uneducated mind as if the writer is attempting to confuse crackers, or simply it is loading the string into a register for further use. Anyway…
    * Possible StringData Ref from Data Obj ->"The registration number you entered " =>instance one
    ->"is not valid for that name."
    |
    :00420EDF BFF0644A00 mov edi, 004A64F0 => at address 004a64f0 is your string, “the registration…” this procedures moves it to edi (for future reference?)
    :00420EE4 83C9FF or ecx, FFFFFFFF
    :00420EE7 33C0 xor eax, eax
    :00420EE9 6A01 push 00000001
    :00420EEB F2 repnz
    :00420EEC AE scasb
    :00420EED F7D1 not ecx
    :00420EEF 49 dec ecx
    :00420EF0 8BD9 mov ebx, ecx
    :00420EF2 8D4C2420 lea ecx, dword ptr [esp+20]
    :00420EF6 53 push ebx
    :00420EF7 E814B4FEFF call 0040C310
    :00420EFC 84C0 test al, al
    :00420EFE 7427 je 00420F27
    :00420F00 8B7C2420 mov edi, dword ptr [esp+20]
    :00420F04 8BCB mov ecx, ebx
    :00420F06 8BC1 mov eax, ecx

    * Possible StringData Ref from Data Obj ->"The registration number you entered " =>instance two
    ->"is not valid for that name."
    |
    :00420F08 BEF0644A00 mov esi, 004A64F0
    :00420F0D C1E902 shr ecx, 02
    This was where I made my mistake and went crying to this message board. Usually I would scroll up and find a J* (JMP, JZ, JNZ etc) that jumps over these two strings. Like…this one-
    :00420E82 3BC6 cmp eax, esi
    :00420E84 89742474 mov dword ptr [esp+74], esi
    :00420E88 0F843F010000 je 00420FCD =>this one here
    Then, invert it like so:
    :00420E82 3BC6 cmp eax, esi
    :00420E84 89742474 mov dword ptr [esp+74], esi
    :00420E88 0F843F010000 jne 00420FCD
    Go ahead, try it……….

    Bugger. All it did was to cut that text out of the bad boy msgbox.

    >explanation time
    >this msgbox is made up of three “pieces”
    >1: The title – string “invalid”
    >2: The text – string “the registration…”
    >3: The go-away button – string “ok”
>If you wanna have a little fun, get rid of each of these strings in turn by inverting the J* above them. What happens? You get a new messagebox saying you have registered, but you don’t actually get regged. This is because the program keeps plodding along the code until it reaches a string that it can put in because you have killed the other strings. (Hmmmm… maybe I’m not that crap after all)
    >explanation time over

    So I got pissed off and ate a pizza. I tried again. Go to The String (I can’t be arsed to type it out every time. It’s called The String from here on in) in w32dasm. Scroll up until you find where it’s referenced from *note: on mummy maze and rocket mania, it is referenced from two Calls – don’t worry. Either set breakpoints on them and find which one breaks when you press ok after typing in your dummy reg details, or find the one with code that looks like this*

    * Referenced by a CALL at Address:
    |:00421CC6 => looky here!
    |
    :00420E40 6AFF push FFFFFFFF
    :00420E42 68D0F34800 push 0048F3D0
    :00420E47 64A100000000 mov eax, dword ptr fs:[00000000]
    :00420E4D 50 push eax

    See that – go there

    :00421CC6 E875F1FFFF call 00420E40 => here’s yer call
    :00421CCB 33FF xor edi, edi
    :00421CCD E9E7010000 jmp 00421EB9 => oh dear, an unconditional jump – it can’t reference our registration, that would mean we either always would or always wouldn’t get regged.

    So that ain’t it. Hold on – look higher! Is that the hacker’s threesome? Call, Test, J*? It is!

    :00421CBD FF5040 call [eax+40] => I
    :00421CC0 84C0 test al, al =>Love
    :00421CC2 750E jne 00421CD2 =>You
    :00421CC4 8BCD mov ecx, ebp
    :00421CC6 E875F1FFFF call 00420E40
    :00421CCB 33FF xor edi, edi
    :00421CCD E9E7010000 jmp 00421EB9

    Yes indeed, the hacker’s threesome. We’re onto something. Just for a laugh, nop the call (in ollydbg, press space, and replace call [eax+40] with NOP). Try and get regged. Nothing happens. That means that this call references the procedure to get regged. You now have two choices:
    1. Do like me: change the jne 00421CD2 to je 00421CD2 and deal with having to register every time you start up (it’s not that bad.). Or…
    2. Step into the Call (F7), and be a proper hacker and find the valid code using keygens and mathematics and whatnot.
    Well, that’s about it. I could try and “be a proper hacker” right now, but it’s late, and frankly staring at a computer screen for too long depresses me somehow. Until next time, my friends.
    Jak

    P.S. This was my first tutorial – if it’s shit, let me know.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  15. #15
    Jak
    Guest
It seems that my tutorial has been "squished" as I forgot to preview it. Text beginning with "=>" is commentary and will not appear in w32dasm. (Obvious, yes, but this stuff confused me when I first started.)
    I promise that I have read the FAQ and tried to use the Search to answer my question.
