Tutorial for Crackme 7 By tC
----------------------------

The Maker of this crackme writes:
---------------------------------

Hi Crackers.
Today you have to patch the CrackMe so that it cannot expire.
Little challenge: Try to change only ONE BYTE!
Send your solutions (only offset & byte please) to: bombasticx@gmx.net
If you are at least the third one who sends me his solution or maybe a tutorial, your name (& tutorial) will appear on my site.
Thanx for tryin' my CrackMez.
tC...'99

Ok, if you run the crackme you can read (and notice) that it only runs for 20 seconds. Of course we don't want this, and we also don't want to pay 450 dollars to register :)

Most programs that only run for a limited time (like 30 minutes) arm that limit with the Windows SetTimer API. To find out whether this crackme uses it, we set a breakpoint on SetTimer in SoftICE (bpx SetTimer) and run the crackme. SoftICE breaks, and the code that made the call looks like this:

  :0043D3EF E8648FFCFF   call 00406358               ; SetTimer
  :0043D3F4 85C0         test eax, eax
  :0043D3F6 7521         jne 0043D419
  :0043D3F8 8D55FC       lea edx, dword ptr [ebp-04]
  :0043D3FB A104ED4300   mov eax, dword ptr [0043ED04]
  :0043D400 E8E779FCFF   call 00404DEC
  :0043D405 8B4DFC       mov ecx, dword ptr [ebp-04]
  :0043D408 B201         mov dl, 01
  :0043D40A A1ACB34000   mov eax, dword ptr [0040B3AC]
  :0043D40F E810B4FCFF   call 00408824
  :0043D414 E8835EFCFF   call 0040329C

  * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
  |:0043D3D7(C), :0043D3DD(C), :0043D3E4(C), :0043D3F6(C)
  |
  :0043D419 33C0         xor eax, eax

We must find a way to make the program never execute the SetTimer call at 0043D3EF. Look at 0043D419: that line is referenced by four jumps, and three of them (0043D3D7, 0043D3DD and 0043D3E4) sit before the call. If we can make the program take one of those jumps, the call to 00406358 (SetTimer) is never executed, the timer is never set, and the program keeps running forever. Let's look at the jumps; they are just above the call:

  :0043D3CD E8668EFCFF   call 00406238
  :0043D3D2 8B7324       mov esi, dword ptr [ebx+24]
  :0043D3D5 85F6         test esi, esi
  :0043D3D7 7440         je 0043D419                 ; Jump 1
  :0043D3D9 807B3400     cmp byte ptr [ebx+34], 00
  :0043D3DD 743A         je 0043D419                 ; Jump 2
  :0043D3DF 66837B2E00   cmp word ptr [ebx+2E], 0000
  :0043D3E4 7433         je 0043D419                 ; Jump 3
  :0043D3E6 6A00         push 00000000
  :0043D3E8 56           push esi
  :0043D3E9 6A01         push 00000001
  :0043D3EB 8B4328       mov eax, dword ptr [ebx+28]
  :0043D3EE 50           push eax

At 0043D3D7 we see the first jump: je 0043D419, encoded as 74 40. Normally esi is non-zero, so the jump is not taken and the program proceeds to 0043D3EF (SetTimer). If we reverse the condition (make it jne), the jump is taken exactly in that normal case, and the call to SetTimer at 0043D3EF is skipped. This also fits the one-byte challenge: je and jne differ only in the opcode byte, 74 versus 75, and the displacement byte 40 stays the same. So we change

  :0043D3D7 7440         je 0043D419

into

  :0043D3D7 7540         jne 0043D419

Note that the author asks for an offset and a byte: that means the raw offset of this byte in the .exe file, not the address 0043D3D7 that SoftICE shows. The file offset is found by translating the virtual address through the PE section table (a hex editor or PE tool will do this); it is not given here. Patch that one byte, run the program, and it keeps running forever :)

Dracs '99
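The script below is an added example and is not part of the original tutorial or of tC's crackme. It shows the two things a practitioner would do before writing the byte: translate the listed virtual address to a raw file offset by walking the PE32 section table, and check that the bytes found there really are the je 0043D419 (74 40) from the listing before flipping 74 to 75. Because the real crackme is not on this page, the script builds its own stand-in: a constructed minimal PE32 containing only the code bytes shown in the listing, mapped so that they sit at their listed addresses (section at RVA 0x3D000, raw data at file offset 0x400). Those layout values, the resulting offset 0x7D7, and all function names are assumptions of this example; run it against the actual file to get the real offset.

```python
import struct
import sys

IMAGE_BASE  = 0x00400000
JE_VA       = 0x0043D3D7   # "je 0043D419" from the listing, encoded 74 40
SETTIMER_VA = 0x0043D3EF   # "call 00406358 ; SetTimer" from the listing
JCC_TARGET  = 0x0043D419   # the "xor eax, eax" that all four jumps land on

SHORT_JCC = {0x74: "je", 0x75: "jne"}   # rel8 conditional jumps; opcodes differ in bit 0


def va_to_file_offset(pe: bytes, va: int) -> int:
    """Translate a virtual address into a raw file offset via the PE32 section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]   # PE32 ImageBase field
    rva = va - image_base
    first_section = opt + opt_size
    for i in range(num_sections):
        hdr = first_section + 40 * i
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, hdr + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            delta = rva - vaddr
            if delta >= rawsize:
                raise ValueError("VA %08X is not backed by file data" % va)
            return rawptr + delta
    raise ValueError("VA %08X is not inside any section" % va)


def decode_short_jcc(pe: bytes, va: int):
    """Return (mnemonic, target VA) for a two-byte je/jne located at va."""
    off = va_to_file_offset(pe, va)
    opcode, disp = pe[off], pe[off + 1]
    if opcode not in SHORT_JCC:
        raise ValueError("opcode %02X at %08X is not a short je/jne" % (opcode, va))
    if disp >= 0x80:            # rel8 displacement is signed
        disp -= 0x100
    return SHORT_JCC[opcode], va + 2 + disp


def invert_short_jcc(pe: bytes, va: int, expected_target: int):
    """Flip je<->jne at va, but only after verifying the jump goes where the listing says.
    Returns (file_offset, new_byte, patched_image)."""
    _, target = decode_short_jcc(pe, va)
    if target != expected_target:
        raise ValueError("jump at %08X goes to %08X, expected %08X" % (va, target, expected_target))
    off = va_to_file_offset(pe, va)
    patched = bytearray(pe)
    patched[off] ^= 0x01        # 74 -> 75 (je -> jne); the displacement byte is untouched
    return off, patched[off], bytes(patched)


def build_sample_pe() -> bytes:
    """Constructed stand-in for the crackme (assumed layout, not the real file): a minimal
    PE32 whose only content is the listing's code, mapped so it sits at the listed VAs."""
    code = bytes.fromhex(
        "E8668EFCFF"    # 0043D3CD call 00406238
        "8B7324"        # 0043D3D2 mov esi, [ebx+24]
        "85F6"          # 0043D3D5 test esi, esi
        "7440"          # 0043D3D7 je 0043D419        <- the one byte to change
        "807B3400"      # 0043D3D9 cmp byte ptr [ebx+34], 0
        "743A"          # 0043D3DD je 0043D419
        "66837B2E00"    # 0043D3DF cmp word ptr [ebx+2E], 0
        "7433"          # 0043D3E4 je 0043D419
        "6A00"          # 0043D3E6 push 0
        "56"            # 0043D3E8 push esi
        "6A01"          # 0043D3E9 push 1
        "8B4328"        # 0043D3EB mov eax, [ebx+28]
        "50"            # 0043D3EE push eax
        "E8648FFCFF"    # 0043D3EF call 00406358 ; SetTimer
    )
    code_va, sec_va, sec_raw, sec_size = 0x0043D3CD, 0x3D000, 0x400, 0x1000
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 28, IMAGE_BASE)
    sec = struct.pack("<8sIIIIIIHHI", b".text", sec_size, sec_va, sec_size, sec_raw, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + sec
    headers += bytes(sec_raw - len(headers))                 # pad headers up to raw data
    body = bytearray(sec_size)
    start = code_va - IMAGE_BASE - sec_va
    body[start:start + len(code)] = code
    return bytes(headers + body)


SAMPLE_PE = build_sample_pe()


def solve(pe: bytes = SAMPLE_PE):
    """The whole one-byte fix: returns (file_offset, new_byte) for the je at 0043D3D7."""
    off, new_byte, _ = invert_short_jcc(pe, JE_VA, JCC_TARGET)
    return off, new_byte


if __name__ == "__main__":
    # Real file: python patch.py crackme7.exe crackme7_patched.exe ; no args: the stand-in
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PE
    off, new_byte, patched = invert_short_jcc(image, JE_VA, JCC_TARGET)
    print("offset %08X: %02X -> %02X (%s -> %s)" % (off, image[off], new_byte,
          decode_short_jcc(image, JE_VA)[0], decode_short_jcc(patched, JE_VA)[0]))
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(patched)
```

The XOR with 1 is the whole patch: it turns 74 into 75 and leaves the 40 displacement alone, so the jump still lands on 0043D419, only the condition is reversed. The target check before patching is the safety net: if a different build of the program puts something else at that address, the script refuses rather than flipping a random byte.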