Hello again and welcome to my 18th tut..i am very proud of it.
Ok first, this CrackMe is very cool..since it combines several protections inside of it.
So let's go to work.
First try on your own to crack it...ok u can't crack it the regular way..why??
first we will disassemble the crackme...Oops..what do we see??...we see only a little bit of stuff disassembled, where has all of the asm code gone???...hahaha this is nice. Now, since it's my first tutorial using ProcDump i can't really explain everything..i myself didn't know how to use ProcDump on a crackme..so i suggest u guys grab code_inside's tut13 about unpacking, this will give u a rough idea how it works.
ok...so we will need to use ProcDump...open the program (ProcDump)..press the PE editor..choose your crackme, in our case crackme 16 by code_inside ;)
now after opening the program..press the SECTIONS button (under structures editor)..u will see a little box with offsets and raw numbers. Now u can see in the last entry (under .rsrc) a blank name (a section without a name) that has offsets of 00000000 for all raw/virtual/sizes..ok that is a small protection..it stops us from using W32Dasm. Right click with the mouse (on the blank name) and choose "kill task", haha now click ok, then again ok, and exit the program.
now u are able to disassemble the crackme using W32Dasm....wee, we have finished the unpacking part.
now after disassembling choose the "strn-ref" button, u will see this: "Great !!! now write a KeyGen...", click on that and we will be here:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040121D(C)
|
:00401230 33C0 xor eax, eax ; eax = 0
:00401232 8BC2 mov eax, edx ; eax holds edx
:00401234 43 inc ebx ; ebx + 1
:00401235 4B dec ebx ; ebx - 1
:00401236 85DB test ebx, ebx ; is ebx = 0?
:00401238 7418 je 00401252 ; yes (ebx = 0)?? jump
:0040123A 55 push ebp ; no?? save ebp
:0040123B 8BEC mov ebp, esp ; ebp now holds esp
* Possible StringData Ref from Data Obj ->"Great !!! now write a KeyGen..." ; we are here
|
:0040123D 68BE1E4000 push 00401EBE ; push the string address (argument for the api call)
ok now that we know where we are it's easier to find the address where the right serial is.
now scroll up until here:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004011CF(C)
|
:004011EF C1C904 ror ecx, 04 ; rotate ecx right by 4 bits
:004011F2 0FC9 bswap ecx ; swap bytes in ecx
:004011F4 F7D1 not ecx ; NOT operation on ecx
:004011F6 51 push ecx ; save ecx
:004011F7 33C9 xor ecx, ecx ; ecx = 0
:004011F9 8B05FC1B4000 mov eax, dword ptr [00401BFC] ; dword at 00401BFC moves to eax (name we entered)
:004011FF B9FC1A4000 mov ecx, 00401AFC ; serial address moves to ecx
:00401204 81E9FC000000 sub ecx, 000000FC ; ecx - FC
ok so we got the stuff we wanted, right?? yeah..once u look at the code above the crackme begins to be very logical.
ok next we need to figure out the algo scheme, so here we go:
[ALGO SCHEME]:
--------------
:004011F2 0FC9 bswap ecx ; swap bytes in ecx
:004011F4 F7D1 not ecx ; NOT operation on ecx
:004011F6 51 push ecx ; save ecx
:004011F7 33C9 xor ecx, ecx ; ecx = 0
:004011F9 8B05FC1B4000 mov eax, dword ptr [00401BFC] ; dword at 00401BFC moves to eax (name we entered)
:004011FF B9FC1A4000 mov ecx, 00401AFC ; serial address moves to ecx
[ALGO EXPLANATION]:
-------------------
so after our serial (fake) is entered, it is not being compared to a real serial or something; by looking at the code we can see that first our serial gets a: bswap .
a bswap means swapping the bytes of our serial: every byte is a pair of hex digits, and the four bytes end up in reverse order.
Example:
our entered serial is: 912E59DC (mostly it will use letters too in SICE..u will see that later)
so we will swap the pairs of digits (like a mirror, only each pair of digits stays together: if u write those pairs on paper and read them backwards u get the swapped value ;) ).
so the swapped serial is: DC592E91...got it??..i hope so..;D
on to the second operation..after the fake serial is swapped we get a " NOT " operation..(it's a bitwise NOT, like the ~ operator in c/c++..)..so how do we apply the NOT operation to our swapped number??
we will do this:
1. open calculator.exe (it comes with any windows OS) ;)
2. switch to View->Scientific mode
3. choose HEX mode (on the left side)
4. now we will take every 2 hex digits (one byte) and apply a NOT operation to it
Example:
DC 59 2E 91
type DC in the calculator..press the Not button, it will be calculated to this: FFFFFF23; ignore the leading FFFFFF, then the calculated number is: 23 ;)
got it?? i hope so
now we get to the SICE part:
open the crackme and insert any name/serial, open SoftICE by pressing ctrl+d..enter a bpx (u can use either hmemcpy or GetDlgItemTextA); i prefer GetDlgItemTextA since it's much faster to debug ;), Ctrl+d again..press the "CHECK" button..SICE pops up, press f5 to read the serial text field, f12, now trace with f10..(do u remember that we need to trace until where our serial is generated, right??..so the address was 004011FF)..keep tracing..WHATTT!!!! we jumped to 4012XX (xx marks any address)..why??..i will tell u why..when u look at the disassembled file, look further up to see this code:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004011ED(U)
|
:004011CA 0FBE07 movsx eax, byte ptr [edi] ; move 1 byte from edi to eax
:004011CD 85C0 test eax, eax ; is the char 0 (end of the string)?
:004011CF 741E je 004011EF ; yes? leave the loop
:004011D1 3C30 cmp al, 30 ; compare with '0' (30h)
:004011D3 7CE9 jl 004011BE ; lower than '0'? jump out
:004011D5 3C39 cmp al, 39 ; compare with '9' (39h)
:004011D7 7F04 jg 004011DD ; greater than '9'? jump
:004011D9 240F and al, 0F ; keep the low nibble ('0'..'9' becomes 0..9)
:004011DB EB0A jmp 004011E7 ; jump good boy (algo)
what does it mean?? it means that if u enter a serial with less than 0 chars or more than 9 chars then the output will always be "Too Bad, please try again !!!"
so..in order to get on the right road we need to enter 8 chars for the serial to be correct (after finding it of course).
so now, after entering an 8 char serial with your name..we can debug from the start,
bpx getdlgitemtexta->f5->f12->trace with f10..now we won't jump out cuz we entered 8 chars for our name..so keep tracing..u will find yourself in a loop of compares and unnecessary stuff..keep pressing f10 7 more times; the 8th time u will be at the algo part:
xxxx:004011FF mov ecx, 00401AFC ; <= be at this address.
if u type: d 00401AFC u will see your name with swapped bytes (ie: YLAGNEB)
and if u type: ? eax u will see your fake swapped serial in SICE (be sure to look at the hex number, since we are talking about hex stuff (NOT operations), and since the fake serial that has been made by the algo will probably use letters as well, it's in hex mode ;)
Example:
i got this when i typed ? eax :
"912E59DC" - 2435733980 - (blah blah)
the first field, the hex number, is the one we need to write down.
so let's swap and NOT and find the right serial for our name.
1. swapping: 912E59DC => DC592E91
2. using the NOT operation in calculator.exe (hex mode) we get: DC592E91 => 23A6D16E
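As an added example (not code from the tutorial or from the crackme), here is a Python model of the two steps in the [ALGO SCHEME], bswap then NOT, on a 32-bit value, plus the per-character check from the loop at 004011D1..004011D9, which compares each character with '0' (30h) and '9' (39h) rather than counting characters. The letter path reached by the jg at 004011D7 is not in the listing, so treating A-F as 10..15 is an assumption.

```python
# Added example, not part of the tutorial: models what the listing's
# bswap / NOT instructions compute on the serial in ecx, plus the
# character check loop at 004011D1..004011D9.
MASK32 = 0xFFFFFFFF


def bswap32(x):
    """x86 BSWAP: reverse the order of the four bytes in a 32-bit register."""
    return int.from_bytes((x & MASK32).to_bytes(4, "big"), "little")


def not32(x):
    """x86 NOT: flip every bit of a 32-bit register (bitwise, like ~ in C)."""
    return (~x) & MASK32


def hex_char_to_nibble(ch):
    """Model of the check loop: cmp al,30 / jl rejects anything below '0',
    cmp al,39 / jg sends letters down a path the listing does not show,
    and al,0F keeps the low nibble so '0'..'9' become 0..9.
    Treating A-F / a-f as 10..15 on the letter path is an assumption."""
    c = ord(ch)
    if c < 0x30:
        raise ValueError(f"{ch!r} is below '0': bad boy path")
    if c <= 0x39:
        return c & 0x0F
    if ch.upper() in "ABCDEF":  # assumed letter path
        return ord(ch.upper()) - ord("A") + 10
    raise ValueError(f"{ch!r} is not a hex digit")


def serial_to_dword(serial):
    """Pack an 8-character hex serial into the 32-bit value held in ecx."""
    if len(serial) != 8:
        raise ValueError("the tutorial says the serial must be 8 chars")
    value = 0
    for ch in serial:
        value = (value << 4) | hex_char_to_nibble(ch)
    return value


def transform(serial):
    """bswap then NOT, as in the [ALGO SCHEME]; returns the 32-bit result."""
    return not32(bswap32(serial_to_dword(serial)))


if __name__ == "__main__":
    print(f"{bswap32(0x912E59DC):08X}")  # DC592E91
    print(f"{transform('912E59DC'):08X}")  # 23A6D16E
```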