
How2Crack 06-29-2002 03:52

CRC CheckSum Problem ( maybe )
 
Hi everybody,
this is my first writing, so I hope that it will be useful to us ...

I'm still learning How2Crack, and I have a program that pops up a message if I change any bit in the Exe file .. of course when I run it after saving the changes ...

I have searched for the text that appears in the message and I didn't find it ( maybe encrypted ) ..

I use W32Dasm 8.93 + Ollydbg 1.7

Is there anyone who can help solve this problem ??? :confused:

Thanks to you all

Your Friend

JMI 06-29-2002 04:58

Further work needed.
 
How2Crack:

Giving you the answer will not teach you anything. What you are most likely dealing with is code that does a checksum on all the bytes in the program and, if you change a single byte, you change the sum that it is checked against.

What you need to do is read up on how CRC is checked. In broad strokes, the program needs to access and read the file, probably in memory. Frequently, after the code checks the sum of the bytes, it is compared against a number that is hard coded somewhere in the file. When you can locate that "target number" the checksum becomes meaningless, because you can change what total the file is compared against and reset it to equal the actual total given after your changes.

So you need to learn about CRC and the APIs that are used to perform such a check. This gives you the breakpoint to intercept so you can be in the middle of the check.

Go here:

hxxp://www.anticrack.de/modules.php?op=modload&name=Topics&file=index

and read some of the articles in the section titled:

RCE - CRC (Cyclic Redundancy Code)

and you'll be on your way. After you've done your homework, come back and ask specific questions.

Regards.
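
An added example, not part of the original thread or any poster's code: the scheme described in the post above (a checksum over the file's bytes compared with a value stored in the file itself), run on a constructed byte string beside a keyed check. The trailer layout, the sample bytes and the key are assumptions; HMAC stands in for a code signature because Python's standard library has no asymmetric signing.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed sample "program image"; not taken from any real binary.
IMAGE = b"\x55\x8b\xec" + b"constructed program bytes " * 8 + b"\xc3"

def seal_crc(body: bytes) -> bytes:
    """Append CRC32(body) as a 4-byte little-endian trailer (the stored value)."""
    return body + struct.pack("<I", zlib.crc32(body))

def check_crc(blob: bytes) -> bool:
    """Self-check: recompute CRC32 over the body, compare with the trailer."""
    body, stored = blob[:-4], struct.unpack("<I", blob[-4:])[0]
    return zlib.crc32(body) == stored

def seal_hmac(body: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag; the key is not stored in the blob."""
    return body + hmac.new(key, body, hashlib.sha256).digest()

def check_hmac(blob: bytes, key: bytes) -> bool:
    """Recompute the tag with the verifier's key; constant-time compare."""
    body, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)

def flip_byte(body: bytes, offset: int) -> bytes:
    """Return a copy of body with one byte changed (a modification)."""
    return body[:offset] + bytes([body[offset] ^ 0xFF]) + body[offset + 1:]

def demo() -> dict:
    key = b"constructed-verifier-key"  # assumption: held outside the file
    tampered = flip_byte(IMAGE, 10)
    return {
        "crc_original": check_crc(seal_crc(IMAGE)),
        # One changed byte, stored value untouched: detected.
        "crc_tampered": check_crc(tampered + seal_crc(IMAGE)[-4:]),
        # An unkeyed checksum can be recomputed by whoever edits the file.
        "crc_resealed": check_crc(seal_crc(tampered)),
        "hmac_original": check_hmac(seal_hmac(IMAGE, key), key),
        # Re-sealing without the verifier's key does not validate.
        "hmac_resealed_wrong_key": check_hmac(seal_hmac(tampered, b"guess"), key),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

An unkeyed checksum stored next to the data it covers detects accidental corruption only; integrity against deliberate modification needs a value the modifier cannot recompute, verified by something outside the file.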

jsteed 06-29-2002 22:55

It is also quite possible that the program also reads the file from disk and then does the crc check. To find out which is the case, go back to the original program and run it in your debugger. Then make your changes from within your debugger. If the program continues to run then you know it is reading the file from disk. To find the general location of the crc check, set a breakpoint on messageboxa. You should be able to backtrace from there.
jsteed

How2Crack 06-30-2002 02:43

Thanks JMI & jsteed ..

You are right jsteed :D , I made changes within OllyDbg ( Debugger ) .. and the program continues working well ..

Now, I use FILEMON to watch the files that the program uses.
How can I find the file from disk ?? :confused: :confused:

No file has the same size ??
Most of the files that the program uses are DB files ??

Thanks

_Servil_ 06-30-2002 03:02

you must set some triggers used by opening a file
eg
createfilea getmodulenamea or lopen (_lopen?)
take care about pointers at stack, it should contain app's name when crc starts

JMI 06-30-2002 03:16

How2Crack:

I don't know how to say it more clearly than to quote a passage by Clandestiny of 06-11-2001 on the RCE Message Board on this subject:

Quote:

Run an API monitor to log the file operation APIs. CreateFileA, ReadFile, OpenFile, _lopen, _hread, _lcreat, MapViewOfFile... those are the main ones.
There is a good chance that one or more of these APIs will be used to open the file / map it into memory so it can be read and the CRC calculation can be performed. Once you've found the when and where from the monitor, set a bpx on the suspicious function. SICE should "hopefully" break close to the CRC routine.

If not, a backtrace between CreateFile (or whatever API it uses) and the error MessageBox could be another useful tactic.

End Quote.

Regards.

jsteed 06-30-2002 23:42

The CRC check does not use the size of the file. It sums each byte of the file in some manner. There are many different techniques that are used.
JMI has given you very good advice on how to locate the place where the check is occurring. If there is a message box that pops up and tells you that the file is corrupt or has been tampered with, then set a breakpoint on MessageBoxA. The crc check is probably near the place where the message box is displayed.

jsteed

