Krobar's crackme2 tut


Saber
August 30th, 2004, 15:51
Hi guys (and girls)!

I'm kind of new to this cracking scene.
I've been learning from Krobar's great tuts,
but now I'm encountering problems with the non-working hmemcpy in WinXP.

Quote from krobar's tut:
bpx hmemcpy and push enter. Now F5 out of softice and click Check it Baby!
:
:
:
After about the 6th RET, we'll land here:


xxxx:0042F4CA 8B45F0 MOV EAX,[EBP-10]
xxxx:0042F4CD 8B55F4 MOV EDX,[EBP-0C]
xxxx:0042F4D0 E82745FDFF CALL 004039FC
xxxx:0042F4D5 751A JNZ 0042F4F1

We see a CALL just before a jump. Well, we're going to trace INTO this call. F8 traces INTO a call (press F8 when we're on the call line) and we end up here:


xxxx:004039FC 53 PUSH EBX<--we land here
xxxx:004039FD 56 PUSH ESI
xxxx:004039FE 57 PUSH EDI
xxxx:004039FF 89C6 MOV ESI,EAX
xxxx:00403A01 89D7 MOV EDI,EDX
xxxx:00403A03 39D0 CMP EAX,EDX
xxxx:00403A05 0F848F000000 JZ 00403A9A
:end of quote

So, how can I break into this same place in the code:
xxxx:0042F4CA 8B45F0 MOV EAX,[EBP-10]
I've already tried different breakpoints; it just doesn't break anywhere near this.
Is it possible to break like this: "BPX 0042F4CA"? At least it seems not, because I've tried it several times with different options.
And I've already read some help files on breakpoints...

Thanks in advance; help a noob.

Harding
August 31st, 2004, 05:51
There is no such thing as hmemcpy in W2K/XP/2003. You'll have to get some newer tuts or install W9X.

bilbo
August 31st, 2004, 07:07
Quote:
[Originally Posted by http://www.woodmann.net/fravia/rce-faq.htm]
I am not able to set a breakpoint over hmemcpy function, it's strange because I saw it in many tutorials... why?
Hmemcpy works only under Windows 98 and Windows ME. If you have something else (2k/NT/XP) you need to change your approach to the target.



Hint for Google: +hmemcpy +"point h"

Regards, bilbo

naides
August 31st, 2004, 08:20
To bilbo: Has the "point h" that Ricardo described in his tuts worked for you?
So far I have not had any luck, or I am missing something...

bilbo
August 31st, 2004, 11:03
Sorry, naides,
I'm not currently involved in this kind of stuff.

In case you missed it, this thread seems very exhaustive
http://www.exetools.com/forum/showthread.php?t=4323

I can find the sequence of bytes mentioned in the thread above inside the internal function USER32!ECGetText() on my XP box, which is called from EditWndProc(), so, from a theoretical point of view, it should work!

Regards, bilbo

JMI
August 31st, 2004, 11:44
And Ricardo posted the tools in that thread this morning. For those challenged by the 3-post rule there, I am attaching those tools here.

Regards,

JMI
August 31st, 2004, 11:49
Here's the other one, as only one attachment is allowed per post.

Regards,

esther
August 31st, 2004, 12:43
Don't forget there are point.h tutorials in here

http://biw.rult.at/tuts/ollyguide2.rar
http://biw.rult.at/tuts/Searching.rar

Saber
August 31st, 2004, 15:12
Thanks for the help, guys.
From now on I'm trying to manage on my own.

JMI
August 31st, 2004, 17:05
That's the attitude.

Regards,