Cracking Tutorial
#83:
Reversing Files Protected with ExE-Blocker v2.00
[cracked bY:] sLeEpYż[FWA/NWA/FTPR8Z] iN 12/2002
[difficulty:] beginner
[where:] http://www.kickme.to/dbz2k
http://dbz2k.code-breaker.org/
[tOOLz:] DLSuperCBT (Binary File Compare Program), Hiew 6.0
KANAL23 Tutorial
Written by sLeEpYż

Introduction
Taken from the nfo file and readme of ExE-Blocker 2.00:
+======================================================+
| rELEASE : ExE-Blocker v2.00 [English]                |
| uRL     : http://www.kickme.to/dbz2k                 |
| dATE    : 2002- 6-25                                 |
| cRACKER : d0pesh0w / DiViDE BY ZERO                  |
+======================================================+
Created with the release manager (c) by Ghosthunter
What is ExE-Blocker 2.00 ?
-----------------------------------------------------------
Do you have some files on your hard drive that must be kept secret?
No problem, here it comes.
ExE-Blocker patches:
  Exefiles *.exe
  Comfiles *.com
It makes the Exe unable to start.
-----------------------------------------------------------
It's Updated
-----------------------------------------------------------
I think it has some interesting changes:
- it's fully 32bit (ExE-Blocker 1.00 was a QBasic compiled exe)
- you don't need to rename the Exefile (target)
- it has a gfx background
- let it surprise you :)
-----------------------------------------------------------
PS: I know this is the lame way to patch a file, but a COM file looks a
little different; I can't go to the entry point and set a C3 or try other ways.
So... be glad that you can patch two files :P
coded by d0pesh0w <[DiViDe by Zer0]>
dopeshow.1984@lycos.de
The Essay
OK, let's find a file to protect with ExE-Blocker. Notepad will do.
Run ExE-Blocker 2.00, make a couple of copies of notepad.exe (keep one copy
untouched as the original), patch the other copy with the tool and run it: the
patched exe no longer starts, as intended.
Now it's time for DLSuperCBT (check out tutorial 80 on how to crack it). Run it,
select the patched file as the new file and the untouched copy as the old file,
set the listing type to CHNG only and send the output to C:\diff.doc. Run the
binary compare and open the doc file in the root of your C drive; it should read
like this:
DLSuperCBT V2.1c Byte Compare Chng Results Section 12/14/2002 12:38 PM
New File = c:\documents and settings\plug & play comps\desktop\new folder\notepad.exe
12/14/2002 12:35:40 PM
Old File = c:\documents and settings\plug & play comps\desktop\new folder\bak\notepad.exe
8/18/2001 12:00:00 PM
ID NEW-FILE/ HEX-FILE-DATA *
ASCII TEXT * LEFTMOST
OFFSET/0 - - - 4 - - - 8 - - - C - - - *0---4---8---C---* OLD-OFFSET/
000000/ 5A9000 03000000 04000000 FFFF0000 * Z.........˙˙..* 000001/
I - 000000/4E *N *                      <- the difference (patched file, byte 0)
DR- /4D *M * 000002/                    <- the difference (original file, byte 0)
000010/B8000000 00000000 40000000 00000000 *¸.......@.......* 000010/
000020/00000000 00000000 00000000 00000000 *................* 000020/
000030/00000000 00000000 00000000 E8000000 *............č...* 000030/
DLSuperCBT V2.1c Byte Compare Totals Section 12/14/2002 12:38 PM
New File = c:\documents and settings\plug & play comps\desktop\new folder\notepad.exe
12/14/2002 12:35:40 PM
Old File = c:\documents and settings\plug & play comps\desktop\new folder\bak\notepad.exe
8/18/2001 12:00:00 PM
66048 Number of Byte Matches 1 Total Changes (Paired+NonPaired Chg)
1 New File Byte Insertions 0 Non-Paired Inserts (Ins Paired-Chg)
1 Old File Byte Deletions 0 Non-Paired Deletes (Del Paired-Chg)
66048 New File Bytes Processed (10200 - Hex)
66048 Old File Bytes Processed (10200 - Hex)
LISTING-TYPE=Chng OPTIONS=Chgv PASSES=3 CHG#-BEFORE/AFTER-MATCHES=3.
INFORM: Done. Byte differences found. Files compare as different.
So the only difference between the two files is a single byte at offset 0. The
original byte is 4D ('M'), and ExE-Blocker changes it to 4E ('N'), exactly as
the I/DR lines of the listing show (1 insertion paired with 1 deletion, 66048
matching bytes, file size unchanged). Every DOS and Windows executable begins
with the two-byte "MZ" signature; with the first byte turned into 'N' the header
reads "NZ", the Windows loader no longer recognises the file as a valid
executable and refuses to start it. Nothing else in the file is touched, so
reversing the protection is trivial whenever you run across a program patched
with it: open the file in HIEW (no need to go to an offset, it is 0), press F3
to edit, change 4E back to 4D, press F9 to save and F10 to quit. HIEW shows the
header bytes disassembled as instructions; that is just how it renders the
bytes, the header is never executed.
Change this:
00000000: 4E    dec esi
To this:
00000000: 4D    dec ebp
The file runs again. ExE-Blocker 2.00 reversed.
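As an added example that is not part of the original tutorial, the following Python script does both steps above without DLSuperCBT or HIEW: a byte-for-byte compare of the original and protected copies (the information the Chng listing gives), and a check-and-restore of the "MZ" signature. It assumes only what the listing shows, namely that ExE-Blocker 2.00 changes byte 0 from 0x4D to 0x4E and nothing else. The e_lfanew / "PE\0\0" check is a sanity test of my own, not something the tutorial describes, so the script does not blindly rewrite every file that happens to begin with "NZ"; the header built in make_sample() is a constructed stand-in for the notepad pair, not real notepad bytes.

```python
"""Undo the ExE-Blocker 2.00 one-byte patch (added example, not from the tutorial).

Assumption, taken from the DLSuperCBT listing: the protector changes exactly one
byte, offset 0, from 0x4D 'M' to 0x4E 'N', turning the DOS header's "MZ"
signature into "NZ". The e_lfanew / "PE\0\0" check is an extra sanity test
that the tutorial itself does not mention.
"""
import struct
import sys

DOS_SIG = b"MZ"          # IMAGE_DOS_SIGNATURE, first two bytes of every PE file
BLOCKED_SIG = b"NZ"      # what ExE-Blocker 2.00 leaves behind
PE_SIG = b"PE\0\0"       # IMAGE_NT_SIGNATURE, located at the offset held in e_lfanew
E_LFANEW_OFFSET = 0x3C   # position of the 32-bit e_lfanew field in the DOS header


def byte_diff(old: bytes, new: bytes) -> list[tuple[int, int, int]]:
    """Same-length byte compare: [(offset, old_byte, new_byte), ...].

    For the notepad pair in the listing this is a single entry, (0, 0x4D, 0x4E).
    """
    if len(old) != len(new):
        raise ValueError("files differ in length; ExE-Blocker never changes the size")
    return [(i, a, b) for i, (a, b) in enumerate(zip(old, new)) if a != b]


def pe_signature_ok(data: bytes) -> bool:
    """True if e_lfanew points at a 'PE\\0\\0' signature inside the file."""
    if len(data) < E_LFANEW_OFFSET + 4:
        return False
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    return data[e_lfanew:e_lfanew + 4] == PE_SIG


def looks_blocked(data: bytes) -> bool:
    """'NZ' at offset 0 but an otherwise intact PE header."""
    return data[:2] == BLOCKED_SIG and pe_signature_ok(data)


def unblock(data: bytes) -> bytes:
    """Restore the 'M' of 'MZ'; refuse anything that does not match the pattern."""
    if not looks_blocked(data):
        raise ValueError("not an ExE-Blocker 2.00 protected PE file")
    return DOS_SIG[:1] + data[1:]


def make_sample() -> tuple[bytes, bytes]:
    """Constructed stand-in for the notepad pair (not real notepad bytes):
    a minimal DOS header whose e_lfanew points at 'PE\\0\\0' at offset 0x40,
    followed by a Machine field of 0x014C (i386). Returns (original, blocked)."""
    dos_header = bytearray(0x40)
    dos_header[:2] = DOS_SIG
    struct.pack_into("<I", dos_header, E_LFANEW_OFFSET, 0x40)
    original = bytes(dos_header) + PE_SIG + b"\x4c\x01"
    blocked = b"N" + original[1:]      # the single-byte patch ExE-Blocker applies
    return original, blocked


def unblock_file(path: str) -> list[tuple[int, int, int]]:
    """Patch a protected file in place and return the bytes that were changed."""
    with open(path, "rb") as f:
        data = f.read()
    fixed = unblock(data)
    with open(path, "wb") as f:
        f.write(fixed)
    return byte_diff(data, fixed)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # usage: python unblock.py <protected.exe>
        for off, old, new in unblock_file(sys.argv[1]):
            print(f"offset {off:08X}: {old:02X} -> {new:02X}")
    else:
        original, blocked = make_sample()
        print("diff original->blocked:", byte_diff(original, blocked))
        print("restored == original:", unblock(blocked) == original)
```

Run it with a protected file as the only argument to patch that file in place; run it with no arguments to exercise the constructed sample. byte_diff() refuses files of different length on purpose: the listing shows 66048 bytes processed on both sides, so a size change means something other than ExE-Blocker 2.00 was at work.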
Final thoughts
"WALK WHEN YOU WALK, TALK WHEN YOU TALK, AND DIE WHEN YOU DIE."
-Zen Saying
Greetings
Groups:
FWA, NWA, FTPiRatEz! HAR! BEASTFXP!, KANAL23
Individuals:
MiNioN, GreycZ & his cuppy, KlutCh, KiNgEr, MidNight, Edogg, Neoman,
movax4c00int21, Acid_Cool_178, and all those tuts I read from everyone who
writes them.
CopyLeft:
sLeEpYż
[all rights reversed]
Boredom causes crackers and babies.
Visit http://zor.org/sleepy &
http://www.bright.net/~testsubject001
Mail sleepy@linuxwaves.com
This document is copyrighted by kanal23 and its members. Please mail the
author of this document for complaints and those things.
Kanal23 is signing out for now.