CD-check [Exercises]

1. Exercise 1: chap6-1-6-01, 15K (requires cw3220.dll), easy

2. Exercise 2: chap6-1-6-02, 5K, easy

3. Exercise 3: chap6-1-6-03, 6K (requires cw3220.dll), medium

4. Exercise 4: chap6-1-6-04, 4K, medium

Load the program in W32DASM, disassemble it, and search the string data references for "This program isn't being run from "; you land here:

* Reference To: KERNEL32.GetDriveTypeA, Ord:0000h
:00401087 E884040000              Call 00401510
:0040108C 8BC8                    mov ecx, eax
:0040108E BBAE3E0F00              mov ebx, 000F3EAE
:00401093 90                      nop
:00401094 40                      inc eax
:00401095 42                      inc edx
:00401096 47                      inc edi
:00401097 90                      nop
:00401098 48                      dec eax
:00401099 4A                      dec edx
:0040109A 4F                      dec edi
:0040109B 90                      nop
:0040109C 3BD9                    cmp ebx, ecx
:0040109E 7525                    jne 004010C5<---- jumps to the error if there is no CD
:004010A0 6800100000              push 00001000

* Possible StringData Ref from Data Obj ->"Well Done"
:004010A5 6898204000              push 00402098

* Possible StringData Ref from Data Obj ->"This program is being run from "
                                        ->"a CD"
:004010AA 6874204000              push 00402074
:004010AF 6A00                    push 00000000

* Reference To: USER32.MessageBoxA, Ord:0000h
:004010B1 E86C040000              Call 00401522

* Possible StringData Ref from Data Obj ->"Correct CD In Drive"
:004010B6 68A2204000              push 004020A2

* Possible Reference to Dialog: DialogID_0001, CONTROL_ID:0065, ""
:004010BB 6A65                    push 00000065
:004010BD 56                      push esi

* Reference To: USER32.SetDlgItemTextA, Ord:0000h
:004010BE E859040000              Call 0040151C
:004010C3 EB23                    jmp 004010E8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:004010C5 6800100000              push 00001000

* Possible StringData Ref from Data Obj ->"Bad Luck"
:004010CA 68F3204000              push 004020F3

* Possible StringData Ref from Data Obj ->"This program isn't being run from "
                                        ->"a CD, Please insert the CD"
:004010CF 68B6204000              push 004020B6
:004010D4 6A00                    push 00000000

* Reference To: USER32.MessageBoxA, Ord:0000h
:004010D6 E847040000              Call 00401522

* Possible StringData Ref from Data Obj ->"Invalid CD In Drive"
:004010DB 68FC204000              push 004020FC


change:

0040109E 7525                    jne 004010C5

to:

0040109E 7425                    je  004010C5

or NOP out both bytes:

0040109E 90                      nop
0040109F 90                      nop

First load the program in W32DASM and search the string references for "You lost"; you arrive at:

* Reference To: KERNEL32.GetDriveTypeA, Ord:0104h
:00401349 FF1504204000            Call dword ptr [00402004]
:0040134F 83F803                  cmp eax, 00000003 ; if EAX is 3 (DRIVE_FIXED) this drive is a hard disk
:00401352 743E                    je 00401392 ; change to two NOPs, so the hard disk is checked for the file as well
:00401354 8D45E8                  lea eax, dword ptr [ebp-18]

* Possible StringData Ref from Data Obj ->"CD_CHECK.DAT"
:00401357 6858304000              push 00403058
:0040135C 50                      push eax
:0040135D 8D45E0                  lea eax, dword ptr [ebp-20]
:00401360 50                      push eax

* Reference To: MFC42.Ordinal:039C, Ord:039Ch
:00401361 E822030000              Call 00401688
:00401366 8B00                    mov eax, dword ptr [eax]
:00401368 53                      push ebx
:00401369 53                      push ebx
:0040136A 53                      push ebx
:0040136B 53                      push ebx
:0040136C 6A01                    push 00000001
:0040136E 6800000080              push 80000000
:00401373 50                      push eax

* Reference To: KERNEL32.CreateFileA, Ord:0034h
:00401374 FF1500204000            Call dword ptr [00402000]
:0040137A 83F8FF                  cmp eax, FFFFFFFF ; eax = INVALID_HANDLE_VALUE (-1) means the file could not be opened
:0040137D 8D4DE0                  lea ecx, dword ptr [ebp-20]
:00401380 0F9445F3                sete byte ptr [ebp-0D]

* Reference To: MFC42.Ordinal:0320, Ord:0320h
:00401384 E811030000              Call 0040169A
:00401389 385DF3                  cmp byte ptr [ebp-0D], bl
:0040138C 0F84F3000000            je 00401485 ; jumps if the file was opened successfully; change to jmp 00401485

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:00401392 FF45EC                  inc [ebp-14]
:00401395 83C704                  add edi, 00000004
:00401398 837DEC07                cmp dword ptr [ebp-14], 00000007
:0040139C 759F                    jne 0040133D
:0040139E 53                      push ebx

* Possible StringData Ref from Data Obj ->"Try again"
:0040139F 684C304000              push 0040304C

* Possible StringData Ref from Data Obj ->"You lost"
:004013A4 6840304000              push 00403040

reversing a lame cd-check, pay attention boy! by R!SC --

starting from the top, cd-checks normally use kernel32!GetDriveTypeA to find out what sort of
drive they are looking at: you push a pointer to a root path (the drive letter), or NULL for the
current drive, and after GetDriveTypeA returns, eax=03 (DRIVE_FIXED) for a hard disk or eax=05
(DRIVE_CDROM) for a cd-rom.

so load crackcd.exe, enter softice, and type in 'bpx getdrivetypea'. Click on the CheckCD
button, and bingo! we have located the code to check the CD.. now pay close attention to the
comments in dead listing...

015F:004011B3  68EB234000          PUSH    004023EB    ; pointer to 'kernel32.dll',0
015F:004011B8  E861070000          CALL    KERNEL32!LoadLibraryA
015F:004011BD  8BF0                MOV    ESI,EAX    ; save address of kernel32 in esi
015F:004011BF  8D85E8FBFFFF        LEA    EAX,[EBP+FFFFFBE8]
015F:004011C5  50                  PUSH    EAX        ; pointer to some free space
015F:004011C6  68F8234000          PUSH    004023F8    ; pointer to getdrivetypea (wide char...)
015F:004011CB  E8C3020000          CALL    00401493    ; convert it to normal, pasting it into the free space
015F:004011D0  83C408              ADD    ESP,08
015F:004011D3  8D95E8FBFFFF        LEA    EDX,[EBP+FFFFFBE8]
015F:004011D9  52                  PUSH    EDX        ; points to the converted 'getdrivetypea'
015F:004011DA  56                  PUSH    ESI        ; kernel32
015F:004011DB  E820070000          CALL    KERNEL32!GetProcAddress    ; returns the address of 'getdrivetypea' in eax
015F:004011E0  6A00                PUSH    00        ; null, return the drivetype of the current drive
015F:004011E2  FFD0                CALL    EAX        ; call getdrivetypea (where softice will break)
015F:004011E4  8BF8                MOV    EDI,EAX    ; eax will == 3 if the program is run from harddisk
015F:004011E6  56                  PUSH    ESI
015F:004011E7  E820070000          CALL    KERNEL32!FreeLibrary    ; free the kernel :) he didnt do it..
015F:004011EC  682C010000          PUSH    0000012C        ; size of buffer to store windows directory
015F:004011F1  8D85BCFAFFFF        LEA    EAX,[EBP+FFFFFABC]
015F:004011F7  50                  PUSH    EAX            ; pointer to buffer
015F:004011F8  E8EB060000          CALL    KERNEL32!GetWindowsDirectoryA
015F:004011FD  6880000000          PUSH    00000080        ; size of buffer for modulefilename
015F:00401202  8D95E8FBFFFF        LEA    EDX,[EBP+FFFFFBE8]
015F:00401208  52                  PUSH    EDX            ; pointer to buffer
015F:00401209  FF35B0254000        PUSH    DWORD PTR [004025B0]    ; 00400000, this module...
015F:0040120F  E8DA060000          CALL    KERNEL32!GetModuleFileNameA
015F:00401214  8A8DBCFAFFFF        MOV    CL,[EBP+FFFFFABC]    ; [c:\windows]    ;WindowsDirectoryA
015F:0040121A  3A8DE8FBFFFF        CMP    CL,[EBP+FFFFFBE8]    ; [c:\checkcd1\checkcd.exe]    ;ModuleFileNameA
015F:00401220  7518                JNZ    0040123A    ; check the drive letters...jump if not equal

yah, all the above code does is get the windows directory, get its own path (GetModuleFileNameA),
and compare the first character of each, i.e. the drive letters, so it can't be run from the same
drive that windows is installed on. it also gets the drive type of the current drive (the NULL
pushed before the GetDriveTypeA call means "current drive") and keeps it in EDI...

015F:00401220  7518                JNZ    0040123A  ; has to be taken, so change it to a JMP
on with the reversing...

015F:00401222  6A00                PUSH    00
015F:00401224  6A00                PUSH    00
015F:00401226  8D45B0              LEA    EAX,[EBP-50]
015F:00401229  50                  PUSH    EAX        ; pointer to wide char 'HeHe! Try again'
015F:0040122A  53                  PUSH    EBX
015F:0040122B  E81C020000          CALL    0040144C    ; convert wide char, display messagebox
015F:00401230  83C410              ADD    ESP,10
015F:00401233  33C0                XOR    EAX,EAX
015F:00401235  E909020000          JMP    00401443    ; jump to exit (failed cd-check)

015F:0040123A  83EF05              SUB    EDI,05    ; where we end up if we take the first good-check jump
015F:0040123D  0F8596010000        JNZ    004013D9    ; 05=cd-rom, 05-05=0, so edi must be 0 to carry on.
015F:00401243  8D9574FCFFFF        LEA    EDX,[EBP-038C]    ; total number of clusters
015F:00401249  52                  PUSH    EDX        ; pointers
015F:0040124A  8D8D78FCFFFF        LEA    ECX,[EBP-0388]    ; how many free clusters
015F:00401250  51                  PUSH    ECX        ; to
015F:00401251  8D857CFCFFFF        LEA    EAX,[EBP-0384]    ;  bytes per sector
015F:00401257  50                  PUSH    EAX        ; various
015F:00401258  8D9580FCFFFF        LEA    EDX,[EBP-0380]    ; sectors per cluster
015F:0040125E  52                  PUSH    EDX        ; buffers
015F:0040125F  6A00                PUSH    00        ; pRootPathName, null = current drive
015F:00401261  E8BE060000          CALL    KERNEL32!GetDiskFreeSpaceA
015F:00401266  83BD78FCFFFF00      CMP    DWORD PTR [EBP-0388],00    ; compare the amount of free clusters with '0'
015F:0040126D  7418                JZ      00401287    ; again, if it was run from CD, the freespace is always '0'

okay, still simple enough: it subtracts 5 (DRIVE_CDROM) from the drive type it saved for this
drive, and if the result is not zero, i.e. not a cd-rom, jumps to the 'hehe try again' messagebox.
if it passed this part, it checks for free space with GetDiskFreeSpaceA, and a CD reports zero
free clusters, so ...

015F:0040123D  0F8596010000        JNZ    004013D9 ; this jump has to be killed to carry on with the check
015F:0040126D  7418                JZ      00401287 ; this jump has to be taken to carry on...
on with the reversing...

015F:0040126F  6A00                PUSH    00
015F:00401271  6A00                PUSH    00
015F:00401273  8D4DB0              LEA    ECX,[EBP-50]    ; de-ja-vu
015F:00401276  51                  PUSH    ECX        ; pointer to wide char 'HeHe! Try again'
015F:00401277  53                  PUSH    EBX
015F:00401278  E8CF010000          CALL    0040144C    ; our message box friend again
015F:0040127D  83C410              ADD    ESP,10
015F:00401280  33C0                XOR    EAX,EAX
015F:00401282  E9BC010000          JMP    00401443    ; jump to exit (failed cd-check)

015F:00401287  6880000000          PUSH    00000080
015F:0040128C  8D95BCF9FFFF        LEA    EDX,[EBP+FFFFF9BC]
015F:00401292  52                  PUSH    EDX
015F:00401293  8D8D68FCFFFF        LEA    ECX,[EBP-0398]
015F:00401299  51                  PUSH    ECX
015F:0040129A  8D856CFCFFFF        LEA    EAX,[EBP-0394]
015F:004012A0  50                  PUSH    EAX
015F:004012A1  8D9570FCFFFF        LEA    EDX,[EBP-0390]
015F:004012A7  52                  PUSH    EDX
015F:004012A8  6880000000          PUSH    00000080
015F:004012AD  8D8D3CFAFFFF        LEA    ECX,[EBP+FFFFFA3C]
015F:004012B3  51                  PUSH    ECX
015F:004012B4  6A00                PUSH    00
015F:004012B6  E839060000          CALL    KERNEL32!GetVolumeInformationA
015F:004012BB  81BD70FCFFFF21787573CMP    DWORD PTR [EBP-0390],73757821    ; [EBP-0390] is the lpVolumeSerialNumber argument: compare the volume serial number with 73757821 ('sux!' as a hex constant)
015F:004012C5  0F85F9000000        JNZ    004013C4    ; jump if not equal to failed check...
015F:004012CB  F68568FCFFFF10      TEST    BYTE PTR [EBP-0398],10    ; [EBP-0398] is lpFileSystemFlags: bit 0x10 = FS_FILE_COMPRESSION, must be clear
015F:004012D2  7418                JZ      004012EC    ; jump past the horrid message if the bit is clear
015F:004012D4  6A00                PUSH    00
015F:004012D6  6A00                PUSH    00
015F:004012D8  8D45B0              LEA    EAX,[EBP-50]    ;de-ja-vu again
015F:004012DB  50                  PUSH    EAX            ; see the pattern, ebp-50, call 40144c?
015F:004012DC  53                  PUSH    EBX
015F:004012DD  E86A010000          CALL    0040144C
015F:004012E2  83C410              ADD    ESP,10
015F:004012E5  33C0                XOR    EAX,EAX
015F:004012E7  E957010000          JMP    00401443

015F:004012EC  F68569FCFFFF80      TEST    BYTE PTR [EBP-0397],80    ; second byte of lpFileSystemFlags: bit 0x8000 = FS_VOL_IS_COMPRESSED, must be clear too
015F:004012F3  7418                JZ      0040130D    ; jump past the horrid message if the bit is clear
015F:004012F5  6A00                PUSH    00
015F:004012F7  6A00                PUSH    00
015F:004012F9  8D55B0              LEA    EDX,[EBP-50]    ; we know this is the bad cracker bit
015F:004012FC  52                  PUSH    EDX            ; so we take the above jump...
015F:004012FD  53                  PUSH    EBX
015F:004012FE  E849010000          CALL    0040144C
015F:00401303  83C410              ADD    ESP,10
015F:00401306  33C0                XOR    EAX,EAX
015F:00401308  E936010000          JMP    00401443

right, i have been a very naughty boy, and admit that two parts of this code i couldn't make sense
of from the listing alone, but from the bad-cracker code being duplicated everywhere, i know to take
the jumps.. what is actually going on: with stdcall the last push is the first argument, so in the
GetVolumeInformationA call above [EBP+FFFFFA3C] is the volume name buffer, [EBP-0390] is
lpVolumeSerialNumber and [EBP-0398] is lpFileSystemFlags. so the cmp at 4012BB is a volume serial
number check against 73757821 ('sux!' as a hex constant), not a label check, and the two TEST
instructions require that the FS_FILE_COMPRESSION (0x10) and FS_VOL_IS_COMPRESSED (0x8000) flag
bits are clear, which they are on a CD. all three have to pass to skip the 'hehe! try again' message..

015F:004012C5  0F85F9000000        JNZ    004013C4    ; serial number check, we want to skip this jump...
015F:004012D2  7418                JZ      004012EC    ; compression flag check, needs taking (JMP)
015F:004012F3  7418                JZ      0040130D    ; volume-compressed flag check, take it too (JMP)
on with the reversing...

015F:0040130D  6814244000          PUSH    00402414    ; some bullshit 'stack overflow'
015F:00401312  8D953CFAFFFF        LEA    EDX,[EBP+FFFFFA3C]    ; the volume name buffer filled by GetVolumeInformationA
015F:00401318  52                  PUSH    EDX        ; some more bullshit 'OVERFLOW'
015F:00401319  E888050000          CALL    004018A6    ; takes (label, string constant) and has to return 0: looks like a string compare of the label
015F:0040131E  83C408              ADD    ESP,08
015F:00401321  85C0                TEST    EAX,EAX    ; fuckit, change this to xor eax,eax
015F:00401323  0F8586000000        JNZ    004013AF    ; so this jump won't be taken, because at 4013af is the bad check code
015F:00401329  681A244000          PUSH    0040241A    ; pointer to a new label
015F:0040132E  6A00                PUSH    00        ; what drive to change
015F:00401330  E8DD050000          CALL    KERNEL32!SetVolumeLabelA
015F:00401335  48                  DEC    EAX        ; SetVolumeLabelA returns nonzero (1) on success, 0 on failure
015F:00401336  7526                JNZ    0040135E    ; you can't change a CD's label, so there eax is 0, -1 after the dec eax,
                                                    ; and this jump is taken. on a hard disk the relabel succeeds and we fall through..
015F:00401338  8D8D3CFAFFFF        LEA    ECX,[EBP+FFFFFA3C]    ; the original label read by GetVolumeInformationA
015F:0040133E  51                  PUSH    ECX                    ; put it back, since the
015F:0040133F  6A00                PUSH    00                    ; relabel just succeeded
015F:00401341  E8CC050000          CALL    KERNEL32!SetVolumeLabelA
015F:00401346  6A00                PUSH    00
015F:00401348  6A00                PUSH    00
015F:0040134A  8D45B0              LEA    EAX,[EBP-50]    ; bad cracker routine
015F:0040134D  50                  PUSH    EAX
015F:0040134E  53                  PUSH    EBX
015F:0040134F  E8F8000000          CALL    0040144C        ; again :)
015F:00401354  83C410              ADD    ESP,10
015F:00401357  33C0                XOR    EAX,EAX
015F:00401359  E9E5000000          JMP    00401443

015F:0040135E  6A00                PUSH    00
015F:00401360  8D55A8              LEA    EDX,[EBP-58]
015F:00401363  52                  PUSH    EDX        ;pointer to a filename
015F:00401364  E891050000          CALL    KERNEL32!_lcreat    ;try to create a file
015F:00401369  83F8FF              CMP    EAX,-01    ; _lcreat returns HFILE_ERROR (-1) if it fails, which it does on a CD
015F:0040136C  7428                JZ      00401396    ; as they are read-only, so force this jump...

015F:0040136E  50                  PUSH    EAX
015F:0040136F  E892050000          CALL    KERNEL32!_lclose    ; whoops, we succeeded, so close the newly created file-handle
015F:00401374  8D4DA8              LEA    ECX,[EBP-58]
015F:00401377  51                  PUSH    ECX
015F:00401378  E835050000          CALL    004018B2
015F:0040137D  59                  POP    ECX
015F:0040137E  6A00                PUSH    00
015F:00401380  6A00                PUSH    00
015F:00401382  8D45B0              LEA    EAX,[EBP-50]    ;DEJAVU again :0
015F:00401385  50                  PUSH    EAX
015F:00401386  53                  PUSH    EBX
015F:00401387  E8C0000000          CALL    0040144C        ; messagebox
015F:0040138C  83C410              ADD    ESP,10
015F:0040138F  33C0                XOR    EAX,EAX
015F:00401391  E9AD000000          JMP    00401443

015F:00401396  6A00                PUSH    00        ; if we couldnt create the file, we end up here
015F:00401398  6823244000          PUSH    00402423    ; pointer to 'y.e.p.'
015F:0040139D  8D55D4              LEA    EDX,[EBP-2C]
015F:004013A0  52                  PUSH    EDX        ; pointer to 'y.a.y.!. .y.o.u. .c.r.a.c.k.e.d. .i.t.!.'
015F:004013A1  53                  PUSH    EBX
015F:004013A2  E8A5000000          CALL    0040144C    ; messagebox...
015F:004013A7  83C410              ADD    ESP,10
015F:004013AA  E992000000          JMP    00401441

hmm, the bit at the start: the call at 4018A6 gets the label that GetVolumeInformationA read plus a
string constant and has to return zero, so it looks like a string compare of the label. either way,
kill this jump

015F:00401323  0F8586000000        JNZ    004013AF
you can't change the label of a CD (SetVolumeLabelA fails there), so this jump needs forcing

015F:00401336  7526                JNZ    0040135E
last but not least, you can't create a file on a CD, so this jump needs forcing as well..

015F:0040136C  7428                JZ      00401396

wayhey, then we finally reach the good boy message box!! yippee!!!

after studying the code, and realising what has been done: it just does some simple checks,
then compares the return codes against what they should be on a CD. we don't want it re-labeling
our hard disk drive to 'overflow', or creating a file called '', so basically we can skip the
whole routine and land straight on the good-boy message. bpx at the first instruction

015F:004011B3  68EB234000          PUSH    004023EB    ; pointer to 'kernel32.dll',0

and re-assemble it to jump to the good-boy message box..

a 4011b3 <ret>
jmp 401396 <ret>
x <ret>

015F:004011B3  E9DE010000          JMP    00401396    ; skip whole of check, go straight to jail
                                                    ; do not pass go, do not collect 200..

then you have an almost cracked checkcd.exe... just gotta patch it, but i can't be bothered, so
i used my process patcher to create a loader for it..(available from :)

no plugz.. :)

happy reversing / cracking / whatever..

R!SC 6/6/99

How to crack R!SC's Play The Game CD-Check Crackme by Killer_3K [DSi/Shock]

Tools: SoftICE & a mempatcher (i use R!SC's process patcher ;p)

hey there, in this tut i'll teach u how to crack risc's PTG (play the game)
CD-Check crackme. This Crackme is pretty nice, it detects sice (via int 68h),
has a sorta hidden crc-check, is packed, has fake conditional jumps that lead to a crash
and more interesting stuff ;p
btw, don't bother unpacking it (it's packed w/ upx), as the readme says that
ur not allowed to unpack in order to patch; it doesn't really matter anywayz,
cause the way he fucked around w/ it, about 96% of the code u'll get after dasm
will be garbage :P

ok lets get started :)
fire up the crackme.. Doh, we get a msgbox saying "Kill Softice Mr. Cracker"
ok lets get rid of it :) the first time i got this crackme i didn't
know how it detected sice, so i'll tell u how i figured out how to kill the check
w/o knowing it uses int 68h :)

1) bpx on GetModuleHandleA and run the crackme. sice pops, but we see Explorer
in the bottom-right corner, and we don't want Explorer now do we :) Press F5 again
till u see 'Play the' in the bottom-left corner, ok, press F11 and start tracing :)
u should see this:

0177:00401143  68F0104000          PUSH      004010F0
0177:00401148  50                  PUSH      EAX
0177:00401149  E818060000          CALL      KERNEL32!GetProcAddress
0177:0040114E  A3B2204000          MOV      [004020B2],EAX
0177:00401153  33C0                XOR      EAX,EAX
0177:00401155  7533                JNZ      0040118A
0177:00401157  3BF6                CMP      ESI,ESI
0177:00401159  68E7104000          PUSH      004010E7
0177:0040115E  E80F060000          CALL      KERNEL32!GetModuleHandleA
0177:00401163  68FE104000          PUSH      004010FE
0177:00401168  50                  PUSH      EAX
0177:00401169  3BF6                CMP      ESI,ESI
0177:0040116B  E8F6050000          CALL      KERNEL32!GetProcAddress
0177:00401170  A3B2204000          MOV      [004020B2],EAX

ok, lets trace abit till we pass

0177:00401168  50                  PUSH      EAX
0177:00401169  3BF6                CMP      ESI,ESI
0177:0040116B  E8F6050000          CALL      KERNEL32!GetProcAddress
0177:00401170  A3B2204000          MOV      [KERNEL32!AddAtomW],EAX
0177:00401175  C70530204000433A2F00MOV      DWORD PTR [00402030],002F3A43 ; bytes 43 3A 2F 00 = "C:/", a root path string

0177:0040117F  688A114000          PUSH      0040118A
0177:00401184  FF2507214000        JMP      [00402107] <<---

ok, lets trace and pass the jmp
u should now see this:

0177:00401442  33D2                XOR      EDX,EDX
0177:00401444  3BF6                CMP      ESI,ESI
0177:00401446  7401                JZ        00401449
0177:00401448  BD686C1440          MOV      EBP,40146C68
...and some junk code after it
the jz is gonna jump, let it jump, or else the proggi will crash :]

after the jz is taken, the code changed abit, and will change abit after
couple of lines u trace.. u should now see this (maybe it will change abit
during tracing :)):

0177:00401449  686C144000          PUSH      0040146C <-- will change to Add [edx], BH after we traced it
0177:0040144E  3AC0                CMP      AL,AL <-- will change to INVALID after we traced it
0177:00401450  7401                JZ        00401453

ok this jz must be taken as well, or proggi will crash :)
after it comes an interesting piece of code (which change after u trace):

0177:00401453  64FF32              PUSH      DWORD PTR FS:[EDX]
0177:00401456  8925A9204000        MOV      [004020A9],ESP
0177:0040145C  892DAD204000        MOV      [004020AD],EBP
0177:00401462  648922              MOV      FS:[EDX],ESP
0177:00401465  3ADB                CMP      BL,BL
0177:00401467  7401                JZ        0040146A                (JUMP )

hmm the jz wants to jump here too (i wonder why ;) (note the cmp bl,bl))
this time we don't have to make it jump: nop it or patch it to 7400 and the anti-sice
is gone (btw u gotta patch it, as the crackme executes that piece of code over and over..)
ok, ur prolly wondering why it doesn't detect sice now.. welp, that jz leads us to the
is_sice_there routine..
lets take a look at that routine
after u'll take the jz u'll reach
0177:0040146A  EB20                JMP      0040148C

which will lead us to a VERY interesting piece of code (will keep changing during tracing):

0177:0040148C  663BF6              CMP      SI,SI
0177:0040148F  7401                JZ        00401492 (jump)  <<
0177:00401492  B443                MOV      AH,43 ; AH=43h: the SoftICE "are you there" function
0177:00401494  CD68                INT      68 ; int 68h, the classic SoftICE detection
0177:00401496  5A                  POP      EDX
0177:00401497  3BD2                CMP      EDX,EDX
0177:00401499  7401                JZ        0040149C  (jump) <<
0177:0040149C  646789160000        MOV      FS:[0000],EDX
0177:004014A2  3BF6                CMP      ESI,ESI
0177:004014A4  7401                JZ        004014A7  (jump) <<
0177:004014A7  5A                  POP      EDX
0177:004014A8  3BD2                CMP      EDX,EDX
0177:004014AA  7401                JZ        004014AD  (jump) <<
0177:004014AD  663D86F3            CMP      AX,F386 !!! ; SoftICE answers int 68h/AH=43h with AX=F386h
0177:004014B1  58                  POP      EAX
0177:004014B2  7402                JZ        004014B6  (jump) <<<

now, this is the anti-ice part :) INT 68h with AH=43h is the SoftICE presence check: if SoftICE is
loaded it returns AX=F386h, which is what the CMP AX,F386 tests. u can nop ANY jz from 40148F until
4014B2 and it will kill the anti-ice; another way to kill it is nopping the INT 68. either way will do here :)

if u'll keep tracing after 4014B2 w/o touching the jumps/int68 u'll reach this piece of code:

0177:004014B6  3BF6                CMP      ESI,ESI
0177:004014B8  7401                JZ        004014BB  (JUMP)
0177:004014BB  68A5104000          PUSH      004010A5
0177:004014C0  C3                  RET ; returns to the pushed 004010A5
0177:004014C1  E85F020000          CALL      00401725 ; not executed from here, the RET has already gone to 004010A5
which will lead u to:
0177:004010A5  6A00                PUSH      00
0177:004010A7  6897104000          PUSH      00401097 ; title (type d 401097 in sice and u'll see doh! in widechar)
0177:004010AC  6863104000          PUSH      00401063 ; msg (type d 401063 in sice an u'll see Load anti-ice.. in widechar)
0177:004010B1  6A00                PUSH      00
0177:004010B3  E8A8060000          CALL      USER32!MessageBoxW ; msgbox
0177:004010B8  6A00                PUSH      00
0177:004010BA  E8B9060000          CALL      KERNEL32!ExitProcess ; exit proggi

anywayz if u'll patch like i showed u above we'll never reach that place :)
ok, to make it ez on urself, make a mempatcher to patch the anti-ice (i used R!SC's Process Patcher :))

2) ok, now we can get to the real part of the protection, run ur loader (which will load&patch the exe :))
u'll see:
'No Disk inserted' (if ur cd-drive is empty) or 'Wrong disk inserted' (if u got a cd in ur drive)
ok, lets kill that lovely cdcheck :)
put a bpx on getdrivetypea and run the proggi, u should see this:

0177:004011A5  FF15B2204000        CALL      [KERNEL32!GetDriveTypeA]
0177:004011AB  83F805              CMP      EAX,05 <-- !!
0177:004011AE  75DA                JNZ      0040118A

ok, this part checks whether the drive is a cd drive (GetDriveTypeA returns 5, DRIVE_CDROM, for one);
change it to CMP EAX,03 (DRIVE_FIXED) so it treats the hdd as a cd drive
type bc* and bpx on GetVolumeInformationA, sice will break, press F11, u'll see:

0177:004011F7  3BDB                CMP      EBX,EBX  ; compare ebx w/ ebx heh
0177:004011F9  7401                JZ        004011FC ; obviously a fake conditional jump
0177:004011FC  FE05B1204000        INC      BYTE PTR [004020B1]
0177:00401202  85C0                TEST      EAX,EAX
0177:00401204  0F847D000000        JZ        00401287  (won't jump)
0177:0040120B  BE59204000          MOV      ESI,00402059
0177:00401210  BF2F114000          MOV      EDI,0040112F
0177:00401215  B907000000          MOV      ECX,00000007
0177:0040121A  F3A6                REPZ CMPSB ; compare labels, 7 bytes (good label at edi, label read from the hdd at esi)
0177:0040121C  755D                JNZ      0040127B ; labels aren't the same, goto badboy (will push the 'Wrong disk' text)
0177:0040121E  E9B8000000          JMP      004012DB ; this leads to the 'goodboy' part, which then creates the dialog

3) ok, we patched CMP EAX,05 to CMP EAX,03, and nopped JNZ 40127B (or just patched it to 7500, which makes it jump to the next byte, i.e. fall through)
ok, type bc* and press F5.. WTF?! 'Try harder!! You WILL crackme!'
checksum.. hmm, ok update the mempatcher w/ the cdcheck, and lets get ready to kill that checksum
put back that bpx on GetDriveTypeA, ok sice breaks, the CMP EAX,05 should be patched, if not then patch it w/ sice
type BC* and then type BPM 004011AB R, this makes sice break when the crackme tries to read that address
press F5.. Boom, sice breaks, the proggi is trying to read the patched bytes, i wonder why ;)
u should see this piece of code:

0177:004014F9  3AC0                CMP      AL,AL
0177:004014FB  7401                JZ        004014FE ; fake conditional jump
0177:004014FE  03040E              ADD      EAX,[ECX+ESI] <-- add the dword at [ESI+ECX] to EAX
0177:00401501  663BF6              CMP      SI,SI <<--- u start here
0177:00401504  7401                JZ        00401507  ; fake conditional jump
0177:00401507  49                  DEC      ECX ; decrease counter
0177:00401508  75EF                JNZ      004014F9 ; are we done? if no then do the whole thing again
as u can see this basically reads the dword at ESI+ECX (ESI is the base of the region being summed;
the BPM on 4011AB fired from inside it), adds it to eax, and does it till counter = 0, so the reads
overlap and nearly every byte in the region gets summed four times

ok, to make it abit faster, type bc*, and bpx on 40150A, and press F5
u'll reach this VERY interesting piece of code:

0177:0040150A  59                  POP      ECX
0177:0040150B  5E                  POP      ESI
0177:0040150C  663BFF              CMP      DI,DI
0177:0040150F  7401                JZ        00401512  (jump) ; fake conditional
0177:00401512  3D31B88FE0          CMP      EAX,E08FB831 ; compare the result of the checksum w/ the hardcoded correct value
0177:00401517  7543                JNZ      0040155C ; << results aren't the same, BADBOY ;p
0177:00401519  3AD2                CMP      DL,DL
0177:0040151B  7401                JZ        0040151E ; fake conditional (the code below changes to RET)
0177:0040151E  C3                  RET  ; we're done, no harm has been done ;)

just nop the JNZ at 401517 (or patch it to 7500)
and we're doneeeeeeeeeeeeeeeeeeeeeeeeeeeeeee! :)
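A model of that checksum loop, and of the alternative to nopping the JNZ, as an added example (Python; not code from the crackme or from Killer_3K): replay EAX += [ESI+ECX] for ECX = n down to 1, then instead of killing the compare, work out what the hard-coded constant at 401512 has to become after a patch. The region base, its length, the initial EAX (assumed zero) and the bytes are constructed here; the crackme's real values are not on the page.

```python
import struct

MASK32 = 0xFFFFFFFF

def crackme_checksum(mem, esi, count, eax=0):
    """Replay the loop at 4014F9..401508: EAX += dword at [ESI+ECX], ECX = count..1.
    The reads overlap, so every byte well inside the region is summed four times.
    The initial EAX is not shown on the page; it is assumed to be 0 here."""
    for ecx in range(count, 0, -1):
        (dword,) = struct.unpack_from("<I", mem, esi + ecx)
        eax = (eax + dword) & MASK32
    return eax

def checksum_delta(old_byte, new_byte):
    """How the sum changes when one byte fully inside the window is patched: it is
    picked up by four overlapping dwords with weights 1, 0x100, 0x10000, 0x1000000."""
    return ((new_byte - old_byte) * 0x01010101) & MASK32

def patch_and_fix_constant(mem, esi, count, patches, old_constant):
    """Apply (offset, new_byte) patches inside the checked region and return the
    patched bytes plus the value the CMP EAX,imm32 constant must be rewritten to."""
    mem = bytearray(mem)
    constant = old_constant
    for off, new in patches:
        # bytes near the edges are covered by fewer than four reads; reject them
        # rather than compute a wrong delta for them
        if not (esi + 4 <= off <= esi + count):
            raise ValueError(f"offset {off:#x} is not fully inside the checked window")
        constant = (constant + checksum_delta(mem[off], new)) & MASK32
        mem[off] = new
    return bytes(mem), constant

def demo():
    """Constructed region: 64 bytes with a 'CMP EAX,05' (83 F8 05) at offset 26,
    summed over ESI=8, ECX=40; then the 05 at offset 28 is patched to 03 as in the tutorial."""
    mem = bytearray(range(1, 65))
    mem[26:29] = b"\x83\xF8\x05"
    esi, count = 8, 40
    constant = crackme_checksum(mem, esi, count)          # what the crackme would hard-code
    patched, fixed = patch_and_fix_constant(mem, esi, count, [(28, 0x03)], constant)
    after = crackme_checksum(patched, esi, count)
    return constant, after, fixed

if __name__ == "__main__":
    constant, after, fixed = demo()
    print(f"stored {constant:08X}, after patch {after:08X}, corrected constant {fixed:08X}")
    print("check fails without fixing the constant:", after != constant)
    print("check passes with the corrected constant:", after == fixed)
```

Rewriting the imm32 at 401513 (the four bytes after the 3D opcode) with the corrected value keeps the crackme's own check intact instead of disabling it, which is sometimes preferable when the same routine guards more than one thing; the overlapping-window structure is why a single-byte patch shifts the sum by a multiple of 0x01010101.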

i hope u enjoyed reading this tut and that u learned something new :)
heres my mempatch script (compile w/ R!SC's process patcher ;p)

----------------------cut here-------------------
f=Playth~1.exe:         ; filename
o=PTG_loader.exe:     ; loader to create
p=401467/74,01/74,00:    ;da anti-ice
p=4011AB/83,F8,05/83,F8,03:  ; make the crackme think hdd=cdrom
p=40121C/75,5D/75,00:  ; DriveVolume Check
p=401517/75,43/75,00:  ; did i fuck around w/ the cd check? sure i didn't ;)
----------------------cut here-------------------
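What such a script does when applied to a file instead of a process, as an added example (Python; not R!SC's process patcher and not anything the tutorials ship): parse the `p=VA/old/new` lines, map each virtual address to a file offset through the PE section table, check that the original bytes are really there, and write the new ones. It is the same operation as the hand edits earlier on the page (7525 to 7425, or 90 90, at 0040109E). The script lines are Killer_3K's from above; the PE image they are applied to is a constructed stand-in with a single section, since the crackme itself is not on the page.

```python
import re
import struct

# Killer_3K's loader script from the page, reused here as the patch list.
PAGE_SCRIPT = """\
f=Playth~1.exe:         ; filename
o=PTG_loader.exe:     ; loader to create
p=401467/74,01/74,00:    ;da anti-ice
p=4011AB/83,F8,05/83,F8,03:  ; make the crackme think hdd=cdrom
p=40121C/75,5D/75,00:  ; DriveVolume Check
p=401517/75,43/75,00:  ; checksum compare
"""

PATCH_RE = re.compile(r"^p=([0-9A-Fa-f]+)/([0-9A-Fa-f,]+)/([0-9A-Fa-f,]+):?$")

def parse_patch_script(text):
    """Return [(va, original_bytes, new_bytes)] from the 'p=VA/old/new:' lines.
    'f=' and 'o=' lines name the target and the loader to build and are skipped."""
    patches = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop trailing comments
        m = PATCH_RE.match(line)
        if not m:
            continue
        old = bytes(int(b, 16) for b in m.group(2).split(","))
        new = bytes(int(b, 16) for b in m.group(3).split(","))
        if len(old) != len(new):
            raise ValueError(f"old/new length differs: {raw!r}")
        patches.append((int(m.group(1), 16), old, new))
    return patches

def pe_sections(image):
    """Return (image_base, [(rva, raw_size, raw_offset), ...]) from a PE32/PE32+ image."""
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == 0x10B:                               # PE32: ImageBase at +28
        (image_base,) = struct.unpack_from("<I", image, opt + 28)
    elif magic == 0x20B:                             # PE32+: ImageBase at +24
        (image_base,) = struct.unpack_from("<Q", image, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    for i in range(n_sections):
        entry = opt + opt_size + 40 * i
        _, _, rva, raw_size, raw_off = struct.unpack_from("<8sIIII", image, entry)
        sections.append((rva, raw_size, raw_off))
    return image_base, sections

def va_to_offset(image_base, sections, va):
    """Map a virtual address (as shown by SoftICE / W32DASM) to a file offset."""
    rva = va - image_base
    for sec_rva, raw_size, raw_off in sections:
        if sec_rva <= rva < sec_rva + raw_size:
            return raw_off + (rva - sec_rva)
    raise ValueError(f"VA {va:#x} is not backed by file data")

def apply_patches(image, patches):
    """Apply the patches to a copy of the file image, refusing to write over bytes
    that do not match the script's original bytes (wrong build, or already patched)."""
    out = bytearray(image)
    image_base, sections = pe_sections(image)
    for va, old, new in patches:
        off = va_to_offset(image_base, sections, va)
        found = bytes(out[off:off + len(old)])
        if found != old:
            raise ValueError(f"at {va:#x}: expected {old.hex()}, found {found.hex()}")
        out[off:off + len(new)] = new
    return bytes(out)

def build_sample_image():
    """Constructed stand-in for the crackme: a minimal PE32 with one .text section at
    RVA 0x1000 (file offset 0x200) holding the original bytes at the script's addresses."""
    image_base, text_rva, text_off = 0x400000, 0x1000, 0x200
    code = bytearray(0x600)
    for va, old, _ in parse_patch_script(PAGE_SCRIPT):
        start = va - image_base - text_rva
        code[start:start + len(old)] = old
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect = struct.pack("<8sIIII", b".text", len(code), text_rva, len(code), text_off) + bytes(16)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return header.ljust(text_off, b"\0") + bytes(code)

if __name__ == "__main__":
    patched = apply_patches(build_sample_image(), parse_patch_script(PAGE_SCRIPT))
    print("patched image:", len(patched), "bytes")
```

On the real PTG crackme this file-level approach would not work as-is: the exe is UPX-packed, so the VAs in the script are only valid after the unpacker has run, and the original-byte check would refuse them on the packed file. That is exactly why Killer_3K patches the process in memory with a loader instead.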

Greetings to (no specific order): R!SC, Acid_Burn, AB4DS, Kathras, Whizkid, Ordoc,
Aerosmith, primevil, Senat0r, Cyclonex, Coffee, TORN@DO.

Also a SPECIAL-u-r-a-piece-of-shit-lamer goes to: Wekeke (aka Loko-Man)
thx for all the funny logs *g*

Welp, thats about it ;p if i forgot ur name then don't get pissed, i sorta wrote
that part in a hurry ;p
Cya all :)

                                  -Killer_3K [DSi/Shock]