Zi_Crackme (Download crackme)
=========
This is a simple crackme, and it took only 5 minutes to crack for a noob like me. Here comes the solution:
Target Study
=========
Run the target. You see something like the below:
We need to change the registration routine, so that whatever the input we give, it accepts it.
Fire up Olly. Now, the problem is how to reach the routine where this serial registration is shown. I tried looking at the call stack, but it was of no help. What to do now?
Let's use the "animate" feature of Olly to get near this registration routine. Do "animate over", and whenever you get the serial registration screen, there should be a call which leads to that screen. So, breakpoint the call, do F9, step in (F7), and "animate over" again. Doing this again and again will take you closer to the registration routine.
When we follow the above strategy, we see something like:
Stepping over the code, we see the following:
CMP EAX,0 sets the zero flag when EAX is 0, and the JNZ that follows is the branch to the wrong-serial message. So, we need to patch the code somewhere here. There can be many possibilities, and for that brain usage is strictly recommended. I will simply NOP the JNZ instruction and check whether it runs fine. Yes, it does: I can see the message "Well Done".
But But But ……. OOPS !! Address A50183 is allocated at runtime, so we cannot directly change the instruction to NOP in the file. We need to write a loader for it.
So, here is the script for the loader (I am using RISC Loader Creator):
O=risc_Zi _Crackme.exe: ;Output filename
F=Zi _Crackme.exe: ;File to patch
T=50000: ;Patching times
P=00A50183/0F,85,20,00,00,00/90,90,90,90,90,90: ;Patch the JNZ
$
However, the loader this script creates doesn't work. So, I tried some more reversing and found the reason. The address A50000h gets populated with instructions only after you have entered the serial; by the time you enter the serial, the loader has already finished patching.
By reversing in depth (again using the animate over and F7 trick), I found the following instruction to be responsible for copying the code:
10099FE3 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
He He…. so everything is clear now. The code from the location specified by ESI gets copied to the location specified by EDI. Think… think… think… !! You only need to change the corresponding instruction at the ESI side, at the same offset.
EDI = 0A50000
ESI = 1016cb5c
A50183-A50000=183h
So, adding 183h to ESI
1016cb5c+183h=1016CCDF
You will notice that it is the same JNZ instruction at address 1016CCDF. It's your wish now whether to patch it directly or to change the address in the RISC Loader Creator script.
The new RISC loader script is:
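The address translation above is worth making mechanical, because the same situation (code copied at runtime from a source block to a destination block with REP MOVS, so the patch has to land on the source copy at the same offset) comes up in many packed or self-relocating targets. The following Python is an added example, not code from the original write-up: it maps the runtime address back to its source, refuses to patch unless the expected JNZ bytes are actually there, and models the copy to show that the runtime code comes out already patched. The addresses (EDI, ESI, A50183) are the ones quoted above; the block size, the INT3 filler, the CMP EAX,0 encoding and the JNZ bytes (taken from the first loader script, which lists a different rel32 than the second one, which is exactly why checking bytes before patching is worthwhile) are constructed for the demo.

```python
# Added example, not part of the original write-up.
# Models the situation in the text: the program copies a code block from the
# address in ESI to the address in EDI (REP MOVS), so a patch has to be applied
# to the *source* copy, at the same offset, not to the runtime copy.

# Addresses quoted in the write-up.
EDI_DST_BASE = 0x00A50000   # destination of the REP MOVS copy (runtime code)
ESI_SRC_BASE = 0x1016CB5C   # source of the copy (exists before the serial is entered)
RUNTIME_JNZ = 0x00A50183    # address of the JNZ seen in the debugger at runtime

# Constructed values (assumptions for the demo, not from the write-up).
COPY_SIZE = 0x200                                   # assumed size of the copied block
JNZ_BYTES = bytes.fromhex("0F8520000000")           # 6-byte JNZ rel32 as in the first loader script
CMP_EAX_0 = bytes.fromhex("83F800")                 # CMP EAX,0 (3 bytes)


def runtime_to_source(runtime_addr, dst_base, src_base, size=None):
    """Map an address inside the copied (destination) block back to the source block.

    The copy preserves offsets, so runtime_addr - dst_base is the same offset
    inside the source block.
    """
    offset = runtime_addr - dst_base
    if offset < 0 or (size is not None and offset >= size):
        raise ValueError(f"{runtime_addr:#x} lies outside the copied block")
    return src_base + offset


def nop_instruction(image, offset, expected):
    """Return a copy of `image` with len(expected) bytes at `offset` replaced by NOPs.

    Refuses to patch unless the bytes currently there equal `expected`; an
    off-by-a-few mapping error would otherwise silently corrupt another instruction.
    """
    actual = bytes(image[offset:offset + len(expected)])
    if actual != expected:
        raise ValueError(f"expected {expected.hex()} at {offset:#x}, found {actual.hex()}")
    patched = bytearray(image)
    patched[offset:offset + len(expected)] = b"\x90" * len(expected)
    return bytes(patched)


def build_source_image():
    """Constructed stand-in for the block at ESI: INT3 filler plus CMP EAX,0 / JNZ at +0x180."""
    image = bytearray(b"\xCC" * COPY_SIZE)      # INT3 filler, obviously not real code
    image[0x180:0x183] = CMP_EAX_0
    image[0x183:0x189] = JNZ_BYTES
    return bytes(image)


def rep_movs(src_image, dst_base, size):
    """Model REP MOVS: byte i of the source block appears at dst_base + i."""
    return {dst_base + i: src_image[i] for i in range(size)}


def patch_via_source(src_image, runtime_addr):
    """Patch the source copy so the runtime copy produced later is already patched.

    Returns (source_address, patched_source_image, runtime_bytes_after_copy).
    """
    src_addr = runtime_to_source(runtime_addr, EDI_DST_BASE, ESI_SRC_BASE, COPY_SIZE)
    src_offset = src_addr - ESI_SRC_BASE
    patched = nop_instruction(src_image, src_offset, JNZ_BYTES)
    runtime = rep_movs(patched, EDI_DST_BASE, COPY_SIZE)
    runtime_bytes = bytes(runtime[runtime_addr + i] for i in range(len(JNZ_BYTES)))
    return src_addr, patched, runtime_bytes


if __name__ == "__main__":
    src_addr, _, after = patch_via_source(build_source_image(), RUNTIME_JNZ)
    print(f"runtime {RUNTIME_JNZ:#x} -> source {src_addr:#x}")
    print(f"bytes at {RUNTIME_JNZ:#x} after the copy: {after.hex()}")
```

Running it prints the same mapping worked out by hand above (A50183 maps to 1016CCDF) and shows six 90 bytes at the runtime address once the copy has happened. The byte check in `nop_instruction` is the step to keep when doing this for real: if the debugger shows one encoding for the JNZ and the loader script lists another, one of them is wrong, and the patcher should stop rather than overwrite whatever happens to be there.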
O=risc_Zi _Crackme.exe: ;Output filename
F=Zi _Crackme.exe: ;File to patch
P=1016ccdf/0F,85,FC,FF,FF,FF/90,90,90,90,90,90: ;Patch the JNZ
$
Yippie !!!! It works beautifully.
CHEERS !!!!