Re: Task# 3; written for new Newbys; boring for 'oldies' :) Sunday, 07-Feb-99 17:20:12
Hi; Having gathered together all the info from the other tasks, we have a working knowledge of what we want to do and where we want to go in this program from studying Windasm. So now fire up the program, Memo95.

Note: I always make a "Copy" of the original exe and work with the Copy so that I do not change the original...

Click on the menu option "Game" and then on "Register". In our exercises we always use "Pirate Copy" as the username; in this way we are always on the "same page" and producing the same results. So fill in the name box with "Pirate Copy" and fill in any serial code you wish. It is a good idea at this point to go ahead and use a group of numbers that are 16 characters in length, so that the loop that 'checks' each number...letter...you inputted...will not throw you out of the loop before you can see the entire routine that checks (compares) your input against the real number... It's not necessary to have a 16 char length in order to manipulate Ice to register, however; I have had it register me with any name and any length of numbers, so long as you know which registers to change...as we learned in Task #2...

Now we get a number of posts asking HOW do I know which API to use to set a breakpoint...? There are a number of ways to see this: If you have QuickView installed you can right click on the program and click QuickView and scroll to imports...sometimes you will find APIs listed here... I like a little program called ShowDep from download.com...it shows so many things about the program I get lost... And then there is Dasm itself...If you click on the "IMPORTS" box in the menu area...this will give you an entire list of all the 'dudes' that you can set a bpx upon... I search for the familiar ones:

    getdlgitemtexta
    getwindowtexta
    messageboxa

I find 'getwindowtexta' in the "imports", so this is what I will try to use to bpx on...
So, now, our Name and serial are filled in. Let's open Ice by pressing the 'd' and 'ctrl' keys together, and Ice will pop. Now type in:

    bpx getwindowtexta

then type x (enter key) to leave Ice; Windows will pop. Now click on the Registration box "OKAY" button. Ice pops back to:

    ........User32!GetclassnameA+0002.......
    User32!Getwindowtexta
    014f:bff61718.........mov cl,A7

Now this is not where we want to stay: here we use our F-11 key one time to go BACK to where this section of code was called from... So F-11 once, and we land here INSIDE the code:

    014f:0041da56......call [user32!Getwindowtexta]   <<--where we just came from
    014f:0041da5c......mov ecx, [esp+08]              <<--we land here returning from that call

Now we already know from researching in Dasm where we want to go in this code, so we can now type:

    u 0040b73a

(enter key) and this will take us to here. Now we must disable the "bpx getwindowtexta" breakpoint that we had set. If you have only set the one breakpoint then you can now type bd 0 or bd 00 to clear that breakpoint. If you have been doing other work and have many breakpoints set, then "bpx getwindowtexta" may not have the line # assignment of "00". So type bl, and this will give you a list of all of your breakpoints and the number they have been assigned... In my case here it is assigned the number "00", so I type bd 00 (bd = disable breakpoint).

Now you will see at the top of the command window the line 0040b73a..... Place your mouse cursor on this line and double click on it. It will highlight; you have now just set a breakpoint on this line. Or you can type in:

    bpx 0040b73a

and this will set the break for you. Now type x to leave Ice; Windows pops back into Ice at this line #. Now you can use your F-8 key to step into this CALL; this is where the routine check will be performed...before returning to do the 'test'...jump if not equal...Good GUY--GAL or Bad GUY--Gal. Now that you have arrived here we can attempt to answer the Sandman's Task #3 questions...
Task 3 - Understanding The Serial Routine..

If you've read a number of tutorials on cracking then you should by now be aware of certain patterns of code that seem to get repeated with increasing regularity. Going back to my Task 2, I directed everyone to the area of code where a conditional jump decides on which of the following 'Good Cracker', 'Bad Cracker' messages are displayed to the User when they enter their serial code. Let's take another look at this section of code:

    :0040B73A call 0040CCC0
    :0040B73F add esp, 00000008
    :0040B742 test eax, eax
    :0040B744 jne 0040B9BC

Question 1. Explain as best you can what the above code fragment does. Comment all four lines. I'm looking for your comments that:-

a. Show what values of importance are returned in the PC's internal registers after the CALL 0040CCC0 has been executed.
b. What is the reason for the ADD ESP, 00000008 instruction? BTW, register ESP is a STACK Register.
c. The instruction TEST EAX,EAX is checking the eax register for two possible values; what are they and what do they signify?
d. Where does the instruction JNE 0040B9BC take us to?

    :0040B73A call 0040CCC0        <<--F-8 takes us into the routine that checks our inputted serial against the actual calculated serial.
    :0040B73F add esp, 00000008    <<---I don't know
    :0040B742 test eax, eax        <<--after running thru the call at 0040CCC0 with our fake number we see that eax is loaded with "ffffffff". We know here that our serial was not correct, so "ffffffff" must mean bad number in eax register...
    :0040B744 jne 0040B9BC         <<--we know our serial is NOT equal, so we know that this jump will take us to the bad guy location...

Question 2. Explain how this program compares our *fake* serial number against the *real* one. (hint, check the code between :0040CCC0 to :0040CCF9)

Okay, we have stepped into the call and land here:

    :0040CCC0 83EC04         sub esp, 00000004                     <<---land here (don't know)
    :0040CCC3 833D24F1420000 cmp dword ptr [0042F124], 00000000    (don't know)
    :0040CCCA 53             push ebx                              (d ebx; revealed nothing)
    :0040CCCB 56             push esi                              (d esi revealed not much either)
    :0040CCCC 7537           jne 0040CD05                          (must have been a test at :0040CCC3?)
    :0040CCCE 8B4C2410       mov ecx, dword ptr [esp+10]           (d ecx=false #)(esp+10 holds false # and puts it into ecx)
    :0040CCD2 8B542414       mov edx, dword ptr [esp+14]           (d edx=Real #)(esp+14 holds the Real serial and puts this into edx)

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0040CCF0(C)
    |
    :0040CCD6 8A01           mov al, byte ptr [ecx]       (Compare first Char# of ecx fake # with value in al)
    :0040CCD8 3A02           cmp al, byte ptr [edx]       (Compare first Char# of edx Real # with value in al.)
    :0040CCDA 751E           jne 0040CCFA                 (are they the same? NO! then jump)(YES?...move to next line 0040ccdc)
    :0040CCDC 0AC0           or al, al                    <<--don't know
    :0040CCDE 7412           je 0040CCF2                  <<-- don't know
    :0040CCE0 8A4101         mov al, byte ptr [ecx+01]    (add next Char# of ecx string into al(?))
    :0040CCE3 3A4201         cmp al, byte ptr [edx+01]    (add next char# of edx string into al (?))
    :0040CCE6 7512           jne 0040CCFA                 (equal or not...jump or no jump)
    :0040CCE8 83C102         add ecx, 00000002            (add 2 to ecx????)
    :0040CCEB 83C202         add edx, 00000002            (add 2 to edx????)
    :0040CCEE 0AC0           or al, al                    <<-- don't know
    :0040CCF0 75E4           jne 0040CCD6                 <<--another check

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0040CCDE(C)
    |
    :0040CCF2 33C0           xor eax, eax                 <<--if Okay eax=0; if NOT; eax=ffffffff
    :0040CCF4 5E             pop esi                      <<- don't know
    :0040CCF5 5B             pop ebx                      <<--don't know
    :0040CCF6 83C404         add esp, 00000004            <<--don't know
    :0040CCF9 C3             ret                          <<--done check; return for test...
Here is another reason why it is important that we learn to de-bone the many different ways to understand what happens inside the checks. What would be our alternative if at the line:

    :0040CCD2 8B542414       mov edx, dword ptr [esp+14]    (d edx=Real #)(esp+14 holds the Real serial and puts this into edx)

...OUR REAL SERIAL was NOT there; or the value of REAL was NOT revealed??? Then knowing and following the LOOP that checks each character against each other would have been our next visual step to reveal the actual Real code.

AND it is important to note here why doing our homework first is important: Without having read the Help file and seeing that the author would be using a 16 character code, then we who use just any code length would be KICKED out before the entire per-character compare was completed, and we would never SEE the rest of the real serial, in this scenario where the Real serial was NOT revealed as it was to us. Example: The character loop check will compare the real to our fake:

    ABCDEFG123456789    Real code
    7777767.........    My fake input; not enough character length to reveal the balance of the real code

The loop check would stop checking and kick me out to be tested, having only revealed to me '7' figures of the real code, "ABCDEFG", as IT checked within this loop. BOOM, gone to return and test...and I do not now have the FULL real serial to write into the code box...

Also we must bear in mind that we KNOW our number IS incorrect; so in a check of this sort there will be 'stops' (jumpchecks) installed to check: Does "A" = userinput "7"? No! then jump. So we also will never complete this check and see each letter...number being revealed to completion...unless we change those jumpchecks...

If our serial had NOT been revealed here at :0040CCD2 8B542414 mov edx, dword ptr [esp+14] (THEN what would we have done???) Then we could have gotten it here in this loop as it checked each char:

    :0040CCC0 83EC04         sub esp, 00000004                   <<---land here
    :0040CCC3 833D24F1420000 cmp dword ptr [0042F124], 00000000
    :0040CCCA 53             push ebx
    :0040CCCB 56             push esi
    :0040CCCC 7537           jne 0040CD05                        (no jump)
    :0040CCCE 8B4C2410       mov ecx, dword ptr [esp+10]         (d ecx=false #)(esp+10 holds false # and puts it into ecx)

Now we are sitting on this line 0040ccce. Now look up to your register area to:

    SS:0068f420=007a0ddc

Once we hit our F-10 key this value will be put into the ecx register; do a 'd ecx' and we get our fake # in the data area... Now F-10 to the next line:

    :0040CCD2 8B542414       mov edx, dword ptr [esp+14]

Now look in the register area and see:

    SS:068f424=006a0f10

(if you did a 'd 006a0f10' right now it would tell you what this value is that is to be loaded). Once we hit F-10 to move to the next line this value is put into edx... do a 'd edx' and we get our REAL # in the data area... BUT WHAT IF THIS # WAS NOT VISUALLY shown and was HIDDEN? Then what? We move to the next line! We land here:

    :0040CCD6 8A01           mov al, byte ptr [ecx]       (Compare first Char# of ecx fake # with value in al)

And now look at the DS: register:

    DS:007a0ddc=37

37 equals the hex value of my first false serial #; 37h = "7". Hit your F-10 key and 37h (7) is put into the eax register, and now the DS: register has loaded:

    DS:006a0f10=44

To see what the value '44' is, type: ? 44 (enter key). Ice tells us: 00000044...00000068..."D"

    :0040CCD8 3A02           cmp al, byte ptr [edx]       (Compare first Char# of edx Real # with value of ecx in al.)
    :0040CCDA 751E           jne 0040CCFA                 (are they the same? NO! then jump)(YES?...move to next line 0040ccdc)

If we allow this jump then we will never see the rest of this character check being performed; because "7" and "D" are not equal, it will kick us out.
So we must change this jnz to a je (jz). So type: e 0040ccda (enter key); the data box changes; in the data window change the "75" to a "74". Now as it moves thru each char check in the loop it will not jump out, and your line will now look like this:

    :0040CCDA 741E           je 0040CCFA                  (no jump)
    :0040CCDC 0AC0           or al, al                    <<--don't know
    :0040CCDE 7412           je 0040CCF2                  <<-- don't know

F-10 to here:

    :0040CCE0 8A4101         mov al, byte ptr [ecx+01]    (add next Char# of ecx string into al(?))

We now see here that register DS: is loading another # from our fake inputted serial #:

    DS:007a0ddd=37    (37h="7")

F-10 to the next line at :0040CCE3 and we see that "37" has been put into the eax register; and now DS: holds:

    DS:006a0f11=30    (30h="0")

    :0040CCE3 3A4201         cmp al, byte ptr [edx+01]    (add next char# of edx string into al (?))

Ah; so here it is checking: Is "7" not equal to "0"?

    :0040CCE6 7512           jne 0040CCFA                 (equal or not...jump or no jump)

Yes, not equal; jump out of loop... We once again can not let this happen: type e 0040cce6; change the "75" to a "74" in the data window; hit the enter key; now your line looks like this:

    :0040CCE6 7412           je 0040CCFA

Now we can once again proceed thru the loop check without being kicked out.

    :0040CCE8 83C102         add ecx, 00000002            (add 2 to ecx????)
    :0040CCEB 83C202         add edx, 00000002            (add 2 to edx????)
    :0040CCEE 0AC0           or al, al                    <<-- don't know
    :0040CCF0 75E4           jne 0040CCD6                 <<--another check; Loop completed? NO? then jump back up to line 0040CCD6 and begin the next character check AT:

    :0040CCD6 8A01           mov al, byte ptr [ecx]

puts ecx into al; the DS: register holds our next fake #; 37="7"; puts this value into eax once again... F-10:

    :0040CCD8 3A02           cmp al, byte ptr [edx]

The DS: register holds 006a0f12=36; type: ? 36 and 36 equals "6". So far we have checked and seen that:

    777    = our partial fake number
    D06    = our partial correct number

Okay; Long story short; continue thru this loop checking each value and making a note of the values; by the end of this 16 character loop you will KNOW what your true serial number is supposed to be... At the end of the loop the conditional jump at:

    :0040CCF0 75E4           jne 0040CCD6

will see that the last character has been checked and will pass us thru to:

    :0040CCF2 33C0           xor eax, eax                 <<--if Okay eax=0; if NOT; eax=ffffffff; or 01
    :0040CCF4 5E             pop esi                      <<- don't know
    :0040CCF5 5B             pop ebx                      <<--don't know
    :0040CCF6 83C404         add esp, 00000004            <<--don't know
    :0040CCF9 C3             ret                          <<--done check; return for test...

Land here from return:

    :0040B73A call 0040CCC0        <<--call that took us INTO this routine
    :0040B73F add esp, 00000008    <<-returns here after routine check.
    :0040B742 test eax, eax        <<--tests here to see if eax is 01 or 00; or ffffffff; or 00
    :0040B744 jne 0040B9BC         <<--jump if not equal

If this don't explain it then I'm never writing one of these again! :) Hope this helped SOMEONE!

Question 3. Explain how our User Name: Pirate Copy is converted into a 16 character hex code.

Question #3; even after reading The Princess's great work on the actual serial generation...I still don't have a clue...come with experience I hope...

Good luck,
The Sandman

THAT'S MY STORY, AND I'M STICKIN' TO IT!

Greetings regards cheers
Jeff
Jeff(jas)
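As an added example (not code from the post, from Memo95 or from The Sandman), here is a C model of the compare loop at 0040CCC0 that the post steps through, with each statement labelled by the instruction it stands in for. It assumes the exit path at 0040CCFA, which the listing does not show, returns -1 (the ffffffff the post saw in eax), and it counts how many bytes of the real serial the loop touches before deciding, which is exactly what a debugger watching the DS: window gets to see.

```c
/* Model of the serial compare loop at 0040CCC0, as traced in the post.
 * Added example, not code from Memo95 or from the post. It mirrors the
 * listing's control flow: two bytes compared per trip round the loop, exit
 * on the first differing byte or when the input string ends. The exit path
 * at 0040CCFA is not shown on the page; returning -1 (ffffffff in eax) on
 * a mismatch is an assumption based on the value the post saw in eax. */
#include <stddef.h>
#include <stdio.h>
/* real_read counts bytes of the real serial the loop touched before it
 * returned, i.e. how much of it a debugger watching DS: gets to see. */
static int compare_0040ccc0(const char *fake, const char *real, size_t *real_read)
{
    size_t n = 0;
    int eax = -1;                                /* assumed value set at 0040CCFA */
    for (;;) {
        unsigned char al = (unsigned char)fake[0]; /* 0040CCD6 mov al,[ecx] */
        n++;                                     /* 0040CCD8 cmp al,[edx] reads real[0] */
        if (al != (unsigned char)real[0]) break; /* 0040CCDA jne 0040CCFA */
        if (al == 0) { eax = 0; break; }         /* 0040CCDC/DE or al,al; je 0040CCF2 */
        al = (unsigned char)fake[1];             /* 0040CCE0 mov al,[ecx+01] */
        n++;                                     /* 0040CCE3 cmp al,[edx+01] reads real[1] */
        if (al != (unsigned char)real[1]) break; /* 0040CCE6 jne 0040CCFA */
        fake += 2;                               /* 0040CCE8 add ecx,2 */
        real += 2;                               /* 0040CCEB add edx,2 */
        if (al == 0) { eax = 0; break; }         /* 0040CCEE/F0 or al,al; jne 0040CCD6 */
    }
    if (real_read) *real_read = n;
    return eax;                                  /* 0040CCF2 xor eax,eax on the good path */
}
/* The caller's decision at 0040B742/0040B744: test eax,eax / jne bad_guy. */
static int good_guy(const char *fake, const char *real)
{
    return compare_0040ccc0(fake, real, NULL) == 0;
}
/* Bytes of the real serial a debugger would see for a given input. */
static size_t real_bytes_seen(const char *fake, const char *real)
{ size_t n; compare_0040ccc0(fake, real, &n); return n; }
int main(void)
{
    /* Constructed sample pair, using the post's own illustration strings. */
    const char *real = "ABCDEFG123456789";
    const char *fakes[] = { "7777767", "ABCDEFG12345678", "ABCDEFG123456789" };
    for (size_t i = 0; i < 3; i++) {
        size_t seen;
        int r = compare_0040ccc0(fakes[i], real, &seen);
        printf("%-17s eax=%08x real bytes read=%zu -> %s\n",
               fakes[i], (unsigned)r, seen, r == 0 ? "good guy" : "bad guy");
    }
    return 0;
}
```

A wrong first character ends the routine after one byte of the real serial has been read, and an input one character short still walks all 16 bytes before the terminating NUL gives it away, which is why the post insists on a full-length fake serial.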
Jeff: jas's Thread for NEW newbys (05-Feb-99 21:20:24) |
Copyright © InsideTheWeb, Inc. 1997-1999
All rights reserved.