Saturday, June 10, 2006

Reverse Engineering Basics (CrackMe v3.0 by Cruehead/ MiB)

In this post, I will show you how I reverse engineered the CrackMe v3.0 file written by Cruehead.

I will not elaborate much on the use of OllyDbg and Hiew; refer to my previous posts if you want a detailed explanation.

To start with, let's fire up the crackme03 file. You will see that the file reports itself as "Uncracked".

The author wants us to change the main window from "Uncracked" to "Cracked" and make the "Good work cracker" dialog box appear with the name of the cracker.

The first pass to be reversed is at memory address "00401035".

Second pass at memory address "0040106D".

Third pass at memory address "0040109F".

Fourth pass at memory address "0040118A".

Fifth pass at memory address "0040132C".

Sixth pass at memory address "00402176" and at the range "00401362 to 00401387". Every byte in that range should be overwritten with "90" (NOP).

Now fire up the crackme file again.

To summarize, here are the memory addresses that I have modified.

Wednesday, February 8, 2006

Reverse Engineering Basics (CrackMe v2.0 by Cruehead/ MiB)

This one is the simple "CrackMe v2.0" file written by Cruehead. We only have to change one operation.

We fire up the crackme02 file and type in some text.

Fire up Olly and open the crackme02 file. Starting at memory address "0040123F", analyze the result of TEST CL,CL. If the result is equal (the zero flag is set), the flow will jump to "0040124A".

Memory address "0040124A" calls memory address "00401334", which is the right path leading to the "Good Work" dialog box.

If the TEST CL,CL result is not equal, execution continues at memory address "00401243", where the call to "00401349" is made.

What we will do is reverse the conditional jump at memory address "00401241" from "JE" to "JNE", so whatever password we try, the program will accept it.

Now, fire up Hiew and select decode.

Go to memory address "00401241". Change the "74" (JE short) to "75" (JNE short). Press F9 to update and F10 to quit.
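The byte-level edits described in both posts (flipping the JE at 00401241 to JNE in CrackMe v2.0, and filling 00401362 to 00401387 with NOPs in CrackMe v3.0), as an added Python example that is not part of either post: it applies the patches to a constructed in-memory buffer rather than to the crackme itself, refuses to change a byte unless it holds the opcode it expects, and generalizes the JE/JNE flip to any short conditional jump, since the x86 short Jcc opcodes 0x70 through 0x7F come in complementary pairs that differ only in the low bit. The image base, code-section RVA and raw offset used to translate debugger addresses into file offsets are assumed values chosen for illustration; a real binary's values come from its PE section headers, and Hiew performs that translation for you when you edit by address.

```python
# Added example, not code from either blog post. Assumed layout for the
# address-to-offset translation: image base 0x400000, code section at
# RVA 0x1000 stored at raw file offset 0x400 (typical for a small Win32 build).
IMAGE_BASE = 0x400000
SECTION_VA = 0x1000     # assumed RVA of the code section
SECTION_RAW = 0x400     # assumed raw (file) offset of the code section
NOP = 0x90
JE_SHORT, JNE_SHORT = 0x74, 0x75


def va_to_offset(va: int) -> int:
    """Map a virtual address shown in the debugger to a file offset (assumed layout)."""
    rva = va - IMAGE_BASE
    if rva < SECTION_VA:
        raise ValueError(f"{va:#x} lies below the assumed code section")
    return rva - SECTION_VA + SECTION_RAW


def patch_byte(data: bytearray, va: int, expected: int, new: int) -> int:
    """Overwrite one byte, but only if it currently holds the opcode we expect.
    Mirrors the Hiew step "change 74 to 75"; returns the file offset written."""
    off = va_to_offset(va)
    if data[off] != expected:
        raise ValueError(f"byte at {va:#x} is {data[off]:#04x}, expected {expected:#04x}")
    data[off] = new
    return off


def invert_short_jcc(data: bytearray, va: int) -> int:
    """Flip a short conditional jump (opcodes 0x70..0x7F) to its complement.
    Short Jcc opcodes come in adjacent pairs (JE 0x74 / JNE 0x75, JBE 0x76 / JA 0x77, ...),
    so XOR-ing the low bit inverts the condition and leaves the displacement byte alone.
    Returns the new opcode."""
    off = va_to_offset(va)
    opcode = data[off]
    if not 0x70 <= opcode <= 0x7F:
        raise ValueError(f"{opcode:#04x} at {va:#x} is not a short Jcc")
    data[off] = opcode ^ 1
    return data[off]


def nop_range(data: bytearray, first_va: int, last_va: int) -> int:
    """Fill an inclusive address range with NOPs; returns the number of bytes written."""
    start, end = va_to_offset(first_va), va_to_offset(last_va) + 1
    data[start:end] = bytes([NOP]) * (end - start)
    return end - start


def build_sample() -> bytearray:
    """Constructed stand-in for the crackme: 0xCC filler with a JE short at 00401241."""
    buf = bytearray([0xCC]) * 0x1000
    off = va_to_offset(0x401241)
    buf[off:off + 2] = bytes([JE_SHORT, 0x07])   # JE short +7 (constructed displacement)
    return buf


if __name__ == "__main__":
    sample = build_sample()
    # CrackMe v2.0 step: JE -> JNE at 00401241, checked against the expected opcode.
    print(f"patched file offset {patch_byte(sample, 0x401241, JE_SHORT, JNE_SHORT):#x}")
    # CrackMe v3.0 step: NOP out 00401362..00401387 inclusive.
    print(f"NOPed {nop_range(sample, 0x401362, 0x401387)} bytes")
```

The expected-opcode check in `patch_byte` is the part worth keeping when you script this for real: it catches a wrong section offset or a different build of the binary before a stray byte is written, which a raw hex editor will not do for you.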