
A little project...


temicro
December 3rd, 2001, 03:10
There's a new program out called RAM Cheat, which allows you to change a value (i.e. the score in a game). The name is pretty self-explanatory. It requires 2 codes (1 window) to register.

I'm a newbie, and would like to see the steps necessary to ~debug~ a prog similar to this one.

I'm not asking for a crack or anything, but maybe some hints. I want to learn this myself and I think this would be a good way....(along with reading tuts).
Let me know how long it takes for you experienced guys.

You can get it here ===>> h**p://xmapper.tripod.com/ramcheat.zip

Cheads
December 3rd, 2001, 07:09
Using SoftICE and doing some serial fishing doesn't take long... if you know which API to break on =)

Chead

Kayaker
December 3rd, 2001, 20:36
All right, I'm sure we can do better than that. This is supposed to be an instructional forum after all. I started to write last night that this might make a good beginner target to learn to follow the reading of a .cfg file, but that it had a wicked floating point register keygen routine. Easy to patch, more difficult to keygen. The true scheme seems to be buried a little deeper than what first appears.

It doesn't matter what level you're at, you always start with the basics. Virus check. Install monitoring (InCtrl5). Filemon and Regmon on first opening. Figure out where reg info is kept, limitations, and devise an attack.

Read a registry entry:
RegCreateKeyEx do "dd esp.8"
RegOpenKeyEx do "dd esp.8"
RegQueryValueEx do "dd esp.xx"

Read a file:
CreateFileA do "dd esp.4"
ReadFile do "dd esp.xx"
_hread do "dd esp.xx"


Is the "apparent" reg routine really the real one?
Could the reg box be a cracker's ruse and the real reg info is sent in another manner? (commonly with .reg files, could be any other emailed file as well)

Things to look for in this target:
Easy keygen - the first routine you come upon
Difficult keygen - any others ;-)

What is the //SICE check being used for? Does it do anything anti-sice?

Where is the info kept that calls up a nag box after several sessions? Can you patch it to *not* increment this 'counter'?
This nag routine opens up the .hlp file. Can you redirect the code so that it calls the registration box instead? (may be tricky)

There's a 2nd nag that pops up after a set amount of time (15 or 20 minutes). Where is the timer check for this one?


Cool Task:
Run APISpy32 on it with all the Kernel32 functions added for monitoring, but pause the trace until you select Manipulate Memory. View the output and get a succinct lesson on how to write to memory.
To do this successfully you need to specify a writeable memory address, such as the start of the .data section in notepad.
1. Set up and run APISpy paused until you're ready.
2. Create a new project in RamCheat and select the already running process notepad. In the bottom window select Edit/NewItem and specify the start address of the .data section (or elsewhere writeable) and a value in decimal.
3. Select Memory/Manipulate and start APISpy32 tracing just before you select Inject Preferred Value Now. Analyze the trace.

Now find a way to break into Softice on the *currently running* notepad process and confirm that your new memory value has been written.

Note that until registered you can only *decrease* a value not increase it, so you need to find a memory address that doesn't contain a zero. If you do try to increase the value you'll get another nice nag box. Perfect reversing target to search and destroy that nag routine and allow all values, without having to register of course ;-)


Cracking to find the serial, ho hum, on to the next one, is NOT the final prize; it's only the beginning of a reversing session where you can rip the code to pieces and do anything you want. THAT is the Holy Grail imho :-)

Cheers,
Kayaker

Kayaker
December 5th, 2001, 00:41
Temicro,

You say you want to learn, that's cool. Detail a bit what you've tried and where you're having difficulties and we'll see if we can help. The first step would be to visually find where and how your registration details are kept in the .cfg file.

Regards,
Kayaker

temicro
December 12th, 2001, 02:58
Compared to an iceberg... I see the iceberg, but haven't touched it yet.
...
I need to get familiar with common terms/strings etc. used, like jump, call, and all those.

Sorry it took so long to reply, been quite busy with a new job, and I installed WinXP, so I'll have to re-install stuff.