Cheat Engine Forum - The Official Site of Cheat Engine
CRC32 disassembly help

Forum: General programming
stefkeh
Cheater
Reputation: 0

Joined: 29 Mar 2006
Posts: 39

Posted: Mon Feb 28, 2011 10:26 am    Post subject: CRC32 disassembly help

Hi everyone,

I am trying to bypass a CRC function, so I unpacked the exe,
scanned it with ANALyzer and it returned 1 CRC32 function
with the following addresses:

Code:

CRC32 :: 0047DE18 :: 0087DE18
   Referenced at 0080A942
   Referenced at 0080A955
   Referenced at 0080A968
   Referenced at 0080A97B
   Referenced at 0080A98E
   Referenced at 0080A9A1
   Referenced at 0080A9B4
   Referenced at 0080A9C7


So I took a look at the addresses where it gets referenced, and this code is located there:
Code:

 0080A902                           SUB_L0080A902:
 0080A902  8B542408                        mov   edx,[esp+08h]
 0080A906  85D2                            test   edx,edx
 0080A908  7507                            jnz   L0080A911
 0080A90A  33C0                            xor   eax,eax
 0080A90C  E9E3000000                      jmp   L0080A9F4
 0080A911                           L0080A911:
 0080A911  8B44240C                        mov   eax,[esp+0Ch]
 0080A915  83F808                          cmp   eax,00000008h
 0080A918  53                              push   ebx
 0080A919  56                              push   esi
 0080A91A  8B74240C                        mov   esi,[esp+0Ch]
 0080A91E  F7D6                            not   esi
 0080A920  B9FF000000                      mov   ecx,000000FFh
 0080A925  0F82A9000000                    jc    L0080A9D4
 0080A92B  57                              push   edi
 0080A92C  8BF8                            mov   edi,eax
 0080A92E  C1EF03                          shr   edi,03h
 0080A931                           L0080A931:
 0080A931  33DB                            xor   ebx,ebx
 0080A933  8A1A                            mov   bl,[edx]
 0080A935  83E808                          sub   eax,00000008h
 0080A938  33DE                            xor   ebx,esi
 0080A93A  23D9                            and   ebx,ecx
 0080A93C  C1EE08                          shr   esi,08h
 0080A93F  33349D18DE8700                  xor   esi,[L0087DE18+ebx*4]
 0080A946  33DB                            xor   ebx,ebx
 0080A948  42                              inc   edx
 0080A949  8A1A                            mov   bl,[edx]
 0080A94B  33DE                            xor   ebx,esi
 0080A94D  23D9                            and   ebx,ecx
 0080A94F  C1EE08                          shr   esi,08h
 0080A952  33349D18DE8700                  xor   esi,[L0087DE18+ebx*4]
 0080A959  33DB                            xor   ebx,ebx
 0080A95B  42                              inc   edx
 0080A95C  8A1A                            mov   bl,[edx]
 0080A95E  33DE                            xor   ebx,esi
 0080A960  23D9                            and   ebx,ecx
 0080A962  C1EE08                          shr   esi,08h
 0080A965  33349D18DE8700                  xor   esi,[L0087DE18+ebx*4]
 0080A96C  33DB                            xor   ebx,ebx
 0080A96E  42                              inc   edx
 0080A96F  8A1A                            mov   bl,[edx]
 0080A971  33DE                            xor   ebx,esi
 0080A973  23D9                            and   ebx,ecx
 0080A975  C1EE08                          shr   esi,08h
 0080A978  33349D18DE8700                  xor   esi,[L0087DE18+ebx*4]
 0080A97F  33DB                            xor   ebx,ebx
 0080A981  42                              inc   edx
 0080A982  8A1A                            mov   bl,[edx]
 0080A984  33DE                            xor   ebx,esi
 0080A986  23D9                            and   ebx,ecx
 0080A988  C1EE08                          shr   esi,08h
 0080A98B  33349D18DE8700                  xor   esi,[L0087DE18+ebx*4]
 0080A992  33DB                            xor   ebx,ebx
 0080A994  42                              inc   edx
 0080A995  8A1A                            mov   bl,[edx]
 0080A997  33DE                            xor   ebx,esi
 0080A999  23D9                            and   ebx,ecx
 0080A99B  C1EE08                          shr   esi,08h
 0080A99E  33349D18DE8700                  xor   esi,[L0087DE18+ebx*4]
 0080A9A5  33DB                            xor   ebx,ebx
 0080A9A7  42                              inc   edx
 0080A9A8  8A1A                            mov   bl,[edx]
 0080A9AA  33DE                            xor   ebx,esi
 0080A9AC  23D9                            and   ebx,ecx
 0080A9AE  C1EE08                          shr   esi,08h
 0080A9B1  33349D18DE8700                  xor   esi,[L0087DE18+ebx*4]
 0080A9B8  33DB                            xor   ebx,ebx
 0080A9BA  42                              inc   edx
 0080A9BB  8A1A                            mov   bl,[edx]
 0080A9BD  33DE                            xor   ebx,esi
 0080A9BF  23D9                            and   ebx,ecx
 0080A9C1  C1EE08                          shr   esi,08h
 0080A9C4  33349D18DE8700                  xor   esi,[L0087DE18+ebx*4]
 0080A9CB  42                              inc   edx
 0080A9CC  4F                              dec   edi
 0080A9CD  0F855EFFFFFF                    jnz   L0080A931
 0080A9D3  5F                              pop   edi
 0080A9D4                           L0080A9D4:
 0080A9D4  85C0                            test   eax,eax
 0080A9D6  7416                            jz    L0080A9EE
 0080A9D8                           L0080A9D8:
 0080A9D8  33DB                            xor   ebx,ebx
 0080A9DA  8A1A                            mov   bl,[edx]
 0080A9DC  33DE                            xor   ebx,esi
 0080A9DE  23D9                            and   ebx,ecx
 0080A9E0  C1EE08                          shr   esi,08h
 0080A9E3  33349D18DE8700                  xor   esi,[L0087DE18+ebx*4]
 0080A9EA  42                              inc   edx
 0080A9EB  48                              dec   eax
 0080A9EC  75EA                            jnz   L0080A9D8
 0080A9EE                           L0080A9EE:
 0080A9EE  8BC6                            mov   eax,esi
 0080A9F0  5E                              pop   esi
 0080A9F1  F7D0                            not   eax
 0080A9F3  5B                              pop   ebx
 0080A9F4                           L0080A9F4:
 0080A9F4  C20C00                          retn   000Ch


So I was thinking I needed to hook 0080A911 and make it read a copy of the untouched memory. Is this correct, or am I thinking totally wrong?
Could anyone help me out on this?


Thanks
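Read as a whole, SUB_L0080A902 is a plain table-driven CRC-32: three stack arguments (seed, buffer, length, matching retn 0Ch), esi initialised to NOT seed, eight table lookups per pass of the unrolled loop, a byte-at-a-time tail loop for the leftover bytes, and a final NOT before returning. The Python below is an added example, not the poster's code or the game's, that mirrors the listing register by register and checks the result against zlib; it assumes the 256-entry table at 0087DE18 holds the standard reflected CRC-32 table for polynomial 0xEDB88320, which the post does not show.

```python
import zlib

# The listing indexes a 256-entry dword table at 0087DE18 but never shows its
# contents. Assumption: it is the standard reflected CRC-32 table for the
# polynomial 0xEDB88320; check_against_zlib() tests that assumption.
CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    CRC_TABLE.append(c)


def crc32_from_listing(seed, data, length):
    """Python mirror of SUB_L0080A902 (stdcall, retn 0Ch = three dword args).

    Argument order recovered from the stack offsets: [esp+04h] seed (read as
    [esp+0Ch] after 'push ebx; push esi'), [esp+08h] buffer (edx),
    [esp+0Ch] length (eax). esi carries the running CRC, ebx the table index.
    """
    if data is None:                       # test edx,edx ; jnz -> xor eax,eax ; retn
        return 0
    crc = (~seed) & 0xFFFFFFFF             # not esi
    pos = 0
    # cmp eax,8 ; jc L0080A9D4 -> the unrolled block only runs for length >= 8
    blocks = length >> 3                   # mov edi,eax ; shr edi,3
    for _ in range(blocks):                # L0080A931 ... dec edi ; jnz L0080A931
        for _ in range(8):                 # eight copies of the same six instructions
            idx = (data[pos] ^ crc) & 0xFF           # xor ebx,esi ; and ebx,ecx (ecx = 0FFh)
            crc = (crc >> 8) ^ CRC_TABLE[idx]        # shr esi,8 ; xor esi,[table+ebx*4]
            pos += 1                                 # inc edx
    length -= 8 * blocks                   # sub eax,8 once per block
    for _ in range(length):                # L0080A9D8 tail loop: 0..7 leftover bytes
        idx = (data[pos] ^ crc) & 0xFF
        crc = (crc >> 8) ^ CRC_TABLE[idx]
        pos += 1
    return (~crc) & 0xFFFFFFFF             # mov eax,esi ; not eax


def check_against_zlib(data, seed=0):
    """True if the mirrored routine agrees with zlib.crc32 on 'data'.

    Feeding a previous result back in as the seed continues the CRC exactly
    like zlib's second argument does, because both invert on entry and exit.
    """
    return crc32_from_listing(seed, data, len(data)) == zlib.crc32(data, seed)
```

The seed argument explains the eight "Referenced at" hits: they are the eight unrolled `xor esi,[L0087DE18+ebx*4]` operands, and the caller can chain blocks by passing the previous result back in.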
atom0s
Moderator
Reputation: 205

Joined: 25 Jan 2006
Posts: 8586
Location: 127.0.0.1

Posted: Mon Feb 28, 2011 12:56 pm

Keep in mind that ANALYZER doesn't always give true results and will assume things based on patterns. A chunk of code that has nothing to do with encryption or hashing could be detected as one just because of the pattern etc.

Your theory is one of a few possible methods to handle bypassing the check. You could also fake the return of the function and ignore the check altogether, depending on how the function is written. Or you could just force the game to compare against the memory it wants to scan against itself, so it will never be different.

_________________
- Retired.
Geri
Moderator
Reputation: 111

Joined: 05 Feb 2010
Posts: 5636

Posted: Mon Feb 28, 2011 3:56 pm

This is not exactly what you are looking for, but it may help in finding a working method:

http://www.szemelyesintegracio.hu/cheats/41-game-hacking-articles/243-xlive

_________________
My trainers can be found here: http://www.szemelyesintegracio.hu/cheats

If you are interested in any of my crappy articles/tutorials about CE and game hacking, you can find them here:
http://www.szemelyesintegracio.hu/cheats/41-game-hacking-articles

Don't request cheats or updates.
stefkeh
Cheater
Reputation: 0

Joined: 29 Mar 2006
Posts: 39

Posted: Tue Mar 01, 2011 3:34 pm

OK, will have a look :)

Thanks everyone!

Oh, and if someone has a nice explanation on how to bypass CRC, I would be more than happy to hear it ;)


Thanks!
Geri
Moderator
Reputation: 111

Joined: 05 Feb 2010
Posts: 5636

Posted: Tue Mar 01, 2011 8:29 pm

My article is basically about this in short.

1. Find the function which is reading the memory by setting a breakpoint.
2. Disable the function.

The solution can be different in every case but the idea can be used to bypass more programs. Actually it is not even an idea, it is just simple debugging.

stefkeh
Cheater
Reputation: 0

Joined: 29 Mar 2006
Posts: 39

Posted: Thu Mar 03, 2011 4:18 am

OK, thanks a lot Geri.
Now I'll just have to find out how to attach the debugger without being detected.

Thanks!
Geri
Moderator
Reputation: 111

Joined: 05 Feb 2010
Posts: 5636

Posted: Thu Mar 03, 2011 8:33 am

If you use a 32-bit OS, CE's kernelmode debugger will most likely be undetected, which is a very easy solution. VEHdebugger is also undetected by most protections, and it works on 64-bit too.

If you plan to use another debugger, you need to be a bit creative, but Olly, for example, also has some plugins to hide the debugger.

Still, as you can see, the memory scanning can be disabled in a few minutes using CE only, as in my article. It isn't difficult at all.

stefkeh
Cheater
Reputation: 0

Joined: 29 Mar 2006
Posts: 39

Posted: Thu Mar 03, 2011 1:18 pm

Yea, I am using a 64-bit system. I'll see if I can manage to find the CRC check with the VEHDebugger; otherwise I'll set up a VM to check out the CE kernel debugger.

Oh, and I love your tutorials! Really a piece of art! :)
Good job on those, mate!


grtz