Cracking 2

home *** CD-ROM | disk | FTP | other *** search

/ Cracking 2 / Cracking II..iso / Texty / crackme / MEX_CM4.TXT < prev next >

Wrap

Text File | 1998-05-26 | 11.2 KB | 221 lines

.---. .---. .----------. | \ / | .-. | | | |\ \ / /| | | | .--------. .-----------. .---------. .-------. | .-------' | | \ \ / / | | `-' | .------' `----. .----' | .-------' | ,---. | | | | | \ \/ / | | .-. | | | | | | | | | | | `----. | | \__/ | | | | \ \ | | | `----. | `---' | | ,----' | | | | | | \ `-----. | | | ,----' | .---' | | | | | | | | `----. | | | | | | , \ | | | | | | | | | | | | | | | |\ \ | | | | | | | | | | | | | | | | \ \ | '-------. | | | | | | .------' | | | | '------. | | \ \ | | `--' `--' `-' `--------' `-' `--------' `-' `-' `----------' .----------------------. .-----------| Proudly Presents |-----------. .--------------+----------------------------------------------+--------------. | A cracking tutor for: | | MexElite's Crackme V4.0 (231.424 bytes) coded by nIabI | `----------------------------------------------------------------------------' This Crackme is much harder than V1.0 In this tutor I assume you know the basics of SoftIce. Read my other tuts for a more basic description about how to crack. If you are a complete newbie on Softice I recommend reading SoftIce for beginners (www.fravia.org) or Mammals "Mankind comes into the Ice Age". CrackMe Rating: medium Programs I have used: - SoftIce V3.2 - W32dasm V8.9 - MexElite's Crackme (http://crackme.home.ml.org) .-----------------------------------------------------------------------------------------------. `-----------------------------------------------------------------------------------------------' 1st: start SoftIce and place a breakpoint on these APIs: getwindowtexta <= 32 bit getwindowtext <= 16 bit getdlgitemtexta <= 32 bit getdlgitemtext <= 16 bit Fire the Crackme and enter a name (MisterE) and a s/n (123454). When you press the Check button nothing happens. Wrong breakpoints. So clear them and put a new breakpoint on hmemcpy. When you press the Check button this time, you get kicked back into Softice. Press F12 a few times, until you get in protected mode 32bit code (prot32). Now do a search on the s/n you entered (123454) The address 802EE132 contained my s/n. You are likely to find other addresses, just continue my tutor using your addresses instead. You can disable the breakpoint on hmemcpy now. When you continue running the program (ctrl - d) you get kicked back into softice a few times, but you won't find anything important there. Like I said, this crackme is harder than V4.0 Hmm, what should we do now? Well, let's try w32dasm to see if we can come up with something. At w32dasm: open the crackme and go to Refs - string data references. When you look at the string you should notice these two: "Bad Name Or Serial Number !!!!!" "Good Serial, Thanks For trying " Doubleclick on "Good serial, Thanks For trying" and you'll end up here: :0042DCB2 A360F74200 mov dword ptr [0042F760], eax :0042DCB7 A158F74200 mov eax, dword ptr [0042F758] :0042DCBC 3B0560F74200 cmp eax, dword ptr [0042F760] <= compare s/n :0042DCC2 7517 jne 0042DCDB <= bad s/n, go to 42DCDB :0042DCC4 6A00 push 00000000 good s/n, continue running :0042DCC6 668B0D1CDD4200 mov cx, word ptr [0042DD1C] :0042DCCD B202 mov dl, 02 * Possible StringData Ref from Code Obj ->"Good Serial, Thanks For trying " ->"this Crackme bY nIabI !" | :0042DCCF B8A0DD4200 mov eax, 0042DDA0 :0042DCD4 E867F1FFFF call 0042CE40 :0042DCD9 EB15 jmp 0042DCF0 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0042DCC2(C) | :0042DCDB 6A00 push 00000000 :0042DCDD 668B0D1CDD4200 mov cx, word ptr [0042DD1C] :0042DCE4 B202 mov dl, 02 * Possible StringData Ref from Code Obj ->"Bad Name Or Serial Number !!!!!" | :0042DCE6 B8E0DD4200 mov eax, 0042DDE0 :0042DCEB E850F1FFFF call 0042CE40 Cool, we have found where the Crackme compares our s/n (123454) and the real s/n. We could patch the Crackme by changing: :0042DCC2 7517 jne 0042DCDB <= bad s/n? then go to 42DCDB to :0042DCC2 7417 je 0042DCDB <= good s/n? then go to 42DCDB But that isn't nice to nIabi. He wrote a very nice crypting routine for us. So at least we should get the real s/n. This is fairly easy to do. At 42DCBC both serials are compared, remember this address. Now you have to use SoftIce again. Place a breakpoint on hmemcpy, and press the check button. Press F12 a few times, until you get in protected mode 32bit code (prot32). NOW you place the breakpoint on 42DCBC and disable the breakpoint on hmemcpy. You CANNOT place the breakpoint on 42DCBC when you are NOT in prot32, because the breakpoint will end up nowhere (you aren't running the crackme in prot16). Go on running the program. You should get kicked back into Softice. You end up at the compare function. These two value's are compared (using MisterE as name): d 42F758 => BC CC 6E F3 07 (the 07 isn't important, we won't use it) d 42F760 => 3E E2 01 Remember: values get pushed in reverse order, so 3E E2 01 should be 01 E2 3E that is: 123454 decimal, thit is our s/n!!!!!! BC CC 6E F3 should be F3 6E CC BC, that is 4084124860 decimal. But when you enter this s/n, the crackme says it is not a valid integer value. Well, thats because the crackme can't handle values greater then 2147483647 (2^11 -1 ). A bug? Nope. When you try to type a s/n in the Crackme you'll find out that the Crackme accepts 0 to 9 !!AND!! the minus(-) When you type "? F36ECCBC" in softice, you get the value 4084124860 AND -210842436, I am not sure what this second value is, I think it is the negative value of F3 6E CC BC Anyway this is the right serial. Enter this s/n and YOU HAVE CRACKED THE CRACKME, but there is more........ This is a very nice chance to make a keygenerator. I am having problems with this because I am not very well at assembly. Right now I am studying "The Art of Assembly" You can get this book at: http://www.qzx.com It is obvious that the Crackme starts calculating the real s/n somewhere between 0042DBD0 and 0042DCB7. I have already found where the Crackme calculates the real s/n and I hope to write a tut about how to make a keygen for this very soon (when my assembly is better). So you could try to make a keygen. When you fail (but you won't) you can check my tut later. Some tips: The crackme uses the second character of your name to calculate the s/n. In my case it uses the "i". The Crackme stores this value as 105d or 69h You can find the ASCII codes in the table below. BTW: If you can write a good, well explained, keygen in assembly or Basic, mail me!! With your permission I could include it in the tutorial. .-----------------------------------------------------------------------------------------------. `-----------------------------------------------------------------------------------------------' ASCII CODES Control Characters 00(00) NUL null or time fill 10(16) DLE data line escape 01(01) SOH start of heading 11(17) DC1 device control 1 02(02) STX start of text 12(18) DC2 device control 2 03(03) ETX end of text 13(19) DC3 device control 3 04(04) EOT end of transmission 14(20) DC4 device control 4 05(05) ENQ enquiry 15(21) NAK negative acknowledge 06(06) ACK acknowledge 16(22) SYN synchronous idle 07(07) BEL bell 17(23) ETB end of transm blocks 08(08) BS backspace 18(24) CAN cancel 09(09) HT horizontal tab 19(25) EM end of medium 0A(10) LF line feed 1A(26) SUB substitute 0B(11) VT vertical tab 1B(27) ESC escape 0C(12) FF form feed 1C(28) FS file separator 0D(13) CR carriage return 1D(29) GS group selector 0E(14) SO shift out 1E(30) RS record separator 0F(15) SI shift in 1F(31) US unit separator Graphic Characters 20(32) 30(48) 0 40(64) @ 50(80) P 60(96) ` * 70(112) p 21(33) ! 31(49) 1 41(65) A 51(81) Q 61(97) a 71(113) q 22(34) " 32(50) 2 42(66) B 52(82) R 62(98) b 72(114) r 23(35) # 33(51) 3 43(67) C 53(83) S 63(99) c 73(115) s 24(36) $ 34(52) 4 44(68) D 54(84) T 64(100) d 74(116) t 25(37) % 35(53) 5 45(69) E 55(85) U 65(101) e 75(117) u 26(38) & 36(54) 6 46(70) F 56(86) V 66(102) f 76(118) v 27(39) ' 37(55) 7 47(71) G 57(87) W 67(103) g 77(119) w 28(40) ( 38(56) 8 48(72) H 58(88) X 68(104) h 78(120) x 29(41) ) 39(57) 9 49(73) I 59(89) Y 69(105) i 79(121) y 2A(42) * 3A(58) : 4A(74) J 5A(90) Z 6A(106) j 7A(122) z 2B(43) + 3B(59) ; 4B(75) K 5B(91) [ 6B(107) k 7B(123) { * 2C(44) , 3C(60) < 4C(76) L 5C(92) \ * 6C(108) l 7C(124) | * 2D(45) - 3D(61) = 4D(77) M 5D(93) ] 6D(109) m 7D(125) } * 2E(46) . 3E(62) > 4E(78) N 5E(94) ^ * 6E(110) n 7E(126) ~ * 2F(47) / 3F(63) ? 4F(79) O 5F(95) _ 6F(111) o 7F(127) DEL delete .-----------------------------------------------------------------------------------------------. `-----------------------------------------------------------------------------------------------' Well, I hope you learned SOMETHING from this tutor. If you have any comments, questions, or whatever, mail me at MisterE@freemail.nl OR look for me at EFNET => #cracking4newbies or #cracking .-----------------------------------------------------------------------------------------------. `-----------------------------------------------------------------------------------------------'