Exetools  

  #1  
Old 06-29-2002, 03:52
How2Crack
 
CRC CheckSum Problem ( maybe )

Hi everybody,
this is my first writing, so I hope that it will be useful to us ...

I'm still learning How2Crack, and I have a program that pops up a message if I change any bit in the Exe file .. of course when I run it after saving the changes ...

I have searched for the text that appears in the message and I don't find it (maybe encrypted) ..

I use W32Dasm 8.93 + Ollydbg 1.7

Is there anyone who can help with how to solve this problem?

Thanks to you all

Your Friend
  #2  
Old 06-29-2002, 04:58
JMI
Further work needed.

How2Crack:

Giving you the answer will not teach you anything. What you are most likely dealing with is code that does a checksum on all the bytes in the program and, if you change a single byte, you change the sum that it is checked against.

What you need to do is read up on how CRC is checked. In broad strokes, the program needs to access and read the file, probably in memory. Frequently, after the code checks the sum of the bytes, it is compared against a number that is hard coded somewhere in the file. When you can locate that "target number" the checksum becomes meaningless, because you can change what total the file is compared against and reset it to equal the actual total given after your changes.

So you need to learn about CRC and the API's that are used to perform such a check. This gives you the breakpoint to intercept so you can be in the middle of the check.

Go here:

hxxp://www.anticrack.de/modules.php?op=modload&name=Topics&file=index

and read some of the articles in the section titled:

RCE - CRC (Cyclic Redundancy Code)

and you'll be on your way. After you've done your homework, come back and ask specific questions.

Regards.
__________________
JMI
  #3  
Old 06-29-2002, 22:55
jsteed
 
It is also quite possible that the program also reads the file from disk and then does the CRC check. To find out which is the case, go back to the original program and run it in your debugger. Then make your changes from within your debugger. If the program continues to run then you know it is reading the file from disk. To find the general location of the CRC check, set a breakpoint on MessageBoxA. You should be able to backtrace from there.
jsteed
  #4  
Old 06-30-2002, 02:43
How2Crack
 
Thanks JMI & jsteed ..

You are right jsteed, I made changes within OllyDbg (debugger) .. and the program continues working well ..

Now, I use FILEMON to watch the files that the program uses.
How can I find the file from disk??

No file has the same size??
Most of the files that the program uses are DB files??

Thanks
  #5  
Old 06-30-2002, 03:02
_Servil_
you must set some triggers used by opening a file
eg
createfilea getmodulenamea or lopen (_lopen?)
take care about pointers at stack, it should contain app's name when crc starts
__________________
_Servil_
SemtekSoft Corporation, Inc.
  #6  
Old 06-30-2002, 03:16
JMI
How2Crack:

I don't know how to say it more clearly than to quote a passage by Clandestiny of 06-11-2001 on the RCE Message Board on this subject:

Quote:

Run an API monitor to log the file operation API's. CreateFileA, ReadFile, OpenFile, _lopen, _hread, _lcreat, MapViewOfFile... those are the main ones.
There is a good chance that one or more of these API's will be used to open the file / map it into memory so it can be read and the CRC calculation can be performed. Once you've found the when and where from the monitor, set a bpx on the suspicious function. SICE should "hopefully" break close to the CRC routine.

If not, a backtrace between CreateFile (or whatever API it uses) and the error MessageBox could be another useful tactic.

End Quote.

Regards.
__________________
JMI
  #7  
Old 06-30-2002, 23:42
jsteed
 
The CRC check does not use the size of the file. It sums each byte of the file in some manner. There are many different techniques that are used.
JMI has given you very good advice on how to locate the place where the check is occurring. If there is a message box that pops up and tells you that the file is corrupt or has been tampered with, then set a breakpoint on MessageBoxA. The CRC check is probably near the place where the message box is displayed.

jsteed
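
Added example, not part of any post in this thread: a sketch of why the self-check described in posts #2 and #7 (checksum over the file's bytes compared with a reference stored in the same file) only detects accidental corruption, next to a check against a digest kept outside the file. The image layout, the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import struct
import zlib

# Constructed stand-in for a program image: payload bytes followed by a
# 4-byte little-endian CRC32 of the payload (the embedded reference value).
def build_image(payload: bytes) -> bytes:
    return payload + struct.pack("<I", zlib.crc32(payload))

def embedded_crc_ok(image: bytes) -> bool:
    """Self-check: recompute CRC32 and compare with the value stored in the file."""
    payload, stored = image[:-4], struct.unpack("<I", image[-4:])[0]
    return zlib.crc32(payload) == stored

def baseline_ok(image: bytes, known_good_sha256: str) -> bool:
    """External check: digest of the whole file against a value kept elsewhere,
    for example in a signed release manifest or a file-integrity baseline."""
    return hashlib.sha256(image).hexdigest() == known_good_sha256

def demo() -> dict:
    original = build_image(b"constructed program bytes " * 8)
    baseline = hashlib.sha256(original).hexdigest()  # recorded at release time

    # One payload byte changed, embedded reference left alone.
    edited = bytearray(original)
    edited[10] ^= 0x01
    edited = bytes(edited)

    # Same change, with the embedded reference recomputed to match it.
    resealed = build_image(edited[:-4])

    return {
        "original_selfcheck": embedded_crc_ok(original),
        "edited_selfcheck": embedded_crc_ok(edited),
        "resealed_selfcheck": embedded_crc_ok(resealed),
        "original_baseline": baseline_ok(original, baseline),
        "resealed_baseline": baseline_ok(resealed, baseline),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The self-check accepts any file whose stored reference matches its contents, so it cannot tell a release build from a modified one; only the comparison against a value the file does not carry does that.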