********************************************************************************
                           Crackme #1 bY Sarnaik
********************************************************************************

Author:      Sarnaik
Protection:  Name / Serial
URL:
Tools:       SoftICE V4.05
             W32Dasm V8.93
             Hex-Editor


---> Intro...

Welcome to my next Tutorial !!!
This is an easy CrackMe from Sarnaik, but maybe a bit tricky for the Newbie :)
The Algo is very simple but the Compare is a bit harder.
First I'll sniff the Serial and then I'll patch it :)


---> Let's Begin...

Ok, open up the CrackMe and it asks you for a Name and Serial. Fill something in, I've used:

Name:   CoDe_InSiDe
Serial: 1234567890

Then get into SoftICE (CTRL+D) and type "bpx hmemcpy" followed by "enter". Why hmemcpy? Because it almost always breaks ;)
Then get out of SoftICE (CTRL+D) and press "Check" and SoftICE pops up.
Now first type "BC *" to disable the breakpoint and then press (F12) 9 times till you reach the CrackMe code and you should see this:

--------------------------------------------------------------------------------
:00401068 83F800        cmp eax, 00000000      <--- Compare EAX with 00 (Have we entered a Name?)
:0040106B 0F84A6000000  je 00401117            <--- If equal (no Name entered) we jump and fail, else continue
:00401071 33C0          xor eax, eax           <--- XOR EAX which is now 00
:00401073 33DB          xor ebx, ebx           <--- XOR EBX which is now 00
:00401075 33C9          xor ecx, ecx           <--- XOR ECX which is now 00
:00401077 BF60204000    mov edi, 00402060      <--- EDI now points to our Name

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401089(U)
|
:0040107C 8A07          mov al, byte ptr [edi] <--- Move first Char in AL
:0040107E 84C0          test al, al            <--- Test if AL is 00 (Are we at the end of our Name?)
:00401080 7409          je 0040108B            <--- If so we jump and continue with the CrackMe, else continue with the Algo
:00401082 03C8          add ecx, eax           <--- ADD EAX to ECX
:00401084 C1E008        shl eax, 08            <--- Shift EAX to the left by 08
:00401087 43            inc ebx                <--- EBX +1
:00401088 47            inc edi                <--- EDI +1
:00401089 EBF1          jmp 0040107C           <--- Repeat loop
--------------------------------------------------------------------------------

This is the small Algo :)
It takes the first Char of our Name and checks if it's 00. If so we jump and continue with the CrackMe, else we continue with the Algo.
Then it ADDs EAX to ECX.
Then we get "shl eax, 08". Let me show you what this instruction does for my Name (first Char is C = 43 hex):

EAX = 00000043
shl eax, 08
EAX = 00004300

Then increase EBX with 1   <--- counts the length of our Name
Increase EDI with 1        <--- points to the next Char
Repeat loop

Ok, I think this is not so difficult :) Now let's see what's next:

--------------------------------------------------------------------------------
:0040108B 0FAFCB        imul ecx, ebx          <--- Multiply EBX with ECX
:0040108E 81F16E61696B  xor ecx, 6B69616E      <--- XOR ECX with 6B69616E ("naik")
:00401094 8BD9          mov ebx, ecx           <--- Move ECX in EBX
:00401096 53            push ebx               <--- Save EBX on the Stack
:00401097 6A08          push 00000008          <--- Push 08 = the maximum Chars to be copied from our "Fake" Serial
:00401099 686C204000    push 0040206C          <--- Offset where our "Fake" Serial will be stored

* Possible Reference to Dialog: DialogID_0001, CONTROL_ID:006B, ""
|
:0040109E 6A6B          push 0000006B
:004010A0 FF7508        push [ebp+08]

* Reference To: USER32.GetDlgItemTextA, Ord:0000h
|
:004010A3 E81D010000    Call 004011C5
--------------------------------------------------------------------------------

Notice
the two instructions on top. First it Multiplies EBX with ECX (the length of our Name with the new Value created by the Algo). Then it XORs ECX with 6B69616E ("naik").
Then it gets the "Fake" Serial we entered by using "GetDlgItemTextA" and puts it at offset 0040206C.
Let's see what's next:

--------------------------------------------------------------------------------
:004010A8 BF6C204000    mov edi, 0040206C      <--- EDI now points to our "Fake" Serial
:004010AD BB40000000    mov ebx, 00000040      <--- Move 00000040 in EBX
:004010B2 33C9          xor ecx, ecx           <--- XOR ECX which is now 00

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004010C4(U)
|
:004010B4 8A07          mov al, byte ptr [edi] <--- Move first Char in AL
:004010B6 84C0          test al, al            <--- Test if AL is 00 (Are we at the end of our "Fake" Serial?)
:004010B8 740C          je 004010C6            <--- If so we jump and continue with the CrackMe, else continue with this "Algo"
:004010BA 32C3          xor al, bl             <--- XOR AL with BL
:004010BC 8AC8          mov cl, al             <--- Move AL in CL
:004010BE C1C108        rol ecx, 08            <--- Rotate ECX to the left by 08
:004010C1 FEC3          inc bl                 <--- BL +1
:004010C3 47            inc edi                <--- EDI +1
:004010C4 EBEE          jmp 004010B4           <--- Repeat loop
--------------------------------------------------------------------------------

Another Algo? Hehe, this is the tricky part :)
It "encrypts" the Serial a bit. First it takes the first Char of our "Fake" Serial. Then it XORs AL (first Char) with BL (00000040). Then it moves AL to CL.
Then we get the instruction "rol ecx, 08". It's almost the same as "shl ecx, 08", let me show you the difference:

ECX = 00000043        ECX = 00000043    ---
shl ecx, 08           rol ecx, 08          |-- The Same !!!
ECX = 00004300        ECX = 00004300    ---

ECX = 43000000        ECX = 43000000    ---
shl ecx, 08           rol ecx, 08          |-- Different !!!
ECX = 00000000        ECX = 00000043    ---

Ok, I think you can understand this ;)
Then increase BL with 1    (our XOR number)
Increase EDI with 1        (points to the next Char)
Repeat loop

And so on till all "Fake" Serial Chars are done. After this it Compares our "Magic Value" created with the first Algo to this new "Fake" Serial.

How are we going to find the "Real" Serial? Just reverse the process :)
But there's one thing, if you've paid close attention to this "Fake" Serial Algo: in fact it only uses 4 Chars. Let me explain...

As I mentioned above, 08 Chars are copied from our "Fake" Serial (not including the last Char because that must be 00). So we have 7 Chars from our "Fake" Serial. For me it was:

Entered "Fake" Serial = 1234567890
New "Fake" Serial     = 1234567

Then comes the "Fake" Serial Algo and we've seen this "Move AL to CL". A Register contains 4 Bytes = 4 Chars (00 00 00 00), so it only keeps the last 4 Chars before it reaches the end (00).
I hope this isn't confusing or something :) Let me show you a Table:

--------------------------------------------------------------------------------
Entered   Char Hex   XOR with BL   Result   Move in CL     rol ecx, 08
   1         31          40          71     00 00 00 71    00 00 71 00
   2         32          41          73     00 00 71 73    00 71 73 00
   3         33          42          71     00 71 73 71    71 73 71 00
   4         34          43          77     71 73 71 77    73 71 77 71
   5         35          44          71     73 71 77 71    71 77 71 73
   6         36          45          73     71 77 71 73    77 71 73 71
   7         37          46          71     77 71 73 71    71 73 71 77
--------------------------------------------------------------------------------

Take some time to have a good look at this :)
So it actually only counts (in my case now) "4567", which is "encrypted" in the Register as ECX = 73717771.
"Man you're weird, I see just above 71737177, why now 73717771 ???"
;) Take another look at the "Fake" Serial Algo: when it has reached the last Char it does "rol ecx, 08" one more time, so that's why :)

So to get the "Real" Serial we need to XOR the values with 40, 41, 42, 43.
Now you may think: "Hey, I see just above (XOR with BL) 43, 44, 45, 46? Why now 40, 41, 42, 43?"
Hehe, that's because, as I said, it only takes 4 Chars no matter if they're at the beginning or the end (till it reaches 00). Otherwise we would need to know the first 3 Chars, but that's not necessary because a Register can only hold 4 Chars :)
I hope this explains it ;)

Anyway, my created "Magic Value" for my Name = E47C645C
But one more problem: because of the "rol ecx, 08" we got the new "Fake" Serial = 73717771, which is actually = 6547. Let me show you a Table once again ;)

73 71 77 71 ---> 6547 (XOR with BL) ---> 42 41 40 43
71 73 71 77 ---> 7654 (XOR with BL) ---> 43 42 41 40

(It's always in reverse, learn that principle ;)

So we need to use this "Magic Value" for my Name = 5CE47C64 (and then XOR with 40 41 42 43 "in reverse" to get the Real Serial):

Magic Value   5C E4 7C 64
XOR with BL   40 41 42 43
              -----------
Result        1C A5 3E 27

Now we have our "Real" Serial, so one more time my complete Serial:

Name:   CoDe_InSiDe
Serial: Ñ>'   (these are the bytes 1C A5 3E 27; the first one is not a printable character)

That's it, CrackMe Cracked...
I hope it wasn't too confusing, I tried my best to explain it very well :)
I think you can Keygen it now ;)

Now the patching part...


---> Let's Patch...

Stay in SoftICE and examine the following.
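(Before we go on with the patch, here is the whole check from above modelled in C. This is an added example for this tutorial, not the CrackMe's code and not the author's; the function and variable names are mine. It re-implements the Name Algo at 00401071-0040108E, the "Fake" Serial Algo at 004010A8-004010C4 and the Compare at 004010EA, and it reverses the Serial Algo the way the text does, so you can check the values in this text yourself: the "Magic Value" E47C645C for CoDe_InSiDe, the Register after "1234567" (the last row of the Table, 71737177) and the Serial bytes 1C A5 3E 27. The reversal is generalised to Serials of 4 to 7 Chars, which the text only shows for 4: the Chars in front of the last 4 never reach the Compare and are filled with 'X', and a derived byte of 00 is rejected because GetDlgItemTextA would cut the Serial off there.)

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Name Algo (00401071-0040108E).  Only AL is replaced each round, so EAX keeps
 * the bytes shifted in earlier, and that whole sliding window is added to ECX. */
static uint32_t magic_value(const char *name)
{
    uint32_t eax = 0, ebx = 0, ecx = 0;
    for (const unsigned char *edi = (const unsigned char *)name; *edi; edi++) {
        eax = (eax & 0xFFFFFF00u) | *edi;    /* mov al, byte ptr [edi] */
        ecx += eax;                          /* add ecx, eax           */
        eax <<= 8;                           /* shl eax, 08            */
        ebx++;                               /* inc ebx (Name length)  */
    }
    ecx *= ebx;                              /* imul ecx, ebx          */
    return ecx ^ 0x6B69616Eu;                /* xor ecx, 6B69616E      */
}

/* "Fake" Serial Algo (004010A8-004010C4).  GetDlgItemTextA got a buffer size of
 * 8, so at most 7 Chars arrive here.  Each Char is XORed with a key that starts
 * at 40 and goes up by one per position, then rotated into ECX; after four
 * rotations the earlier bytes have fallen out, so only the last 4 Chars count. */
static uint32_t encode_serial(const char *serial)
{
    size_t len = strlen(serial);
    if (len > 7) len = 7;                    /* push 00000008 (buffer size) */
    uint32_t ecx = 0;
    uint8_t bl = 0x40;                       /* mov ebx, 00000040 */
    for (size_t i = 0; i < len; i++) {
        uint8_t al = (uint8_t)((uint8_t)serial[i] ^ bl); /* xor al, bl */
        ecx = (ecx & 0xFFFFFF00u) | al;      /* mov cl, al  */
        ecx = (ecx << 8) | (ecx >> 24);      /* rol ecx, 08 */
        bl++;                                /* inc bl      */
    }
    return ecx;
}

/* The Compare at 004010EA, preceded by the empty-Name check at 00401068. */
static int check_serial(const char *name, const char *serial)
{
    if (name[0] == 0) return 0;              /* cmp eax, 00000000 / je fail */
    return magic_value(name) == encode_serial(serial);
}

/* Reverse the "Fake" Serial Algo for a Serial of n Chars (4..7).  After the last
 * rotation ECX holds, high byte first, the XOR results of the last four Chars in
 * the order r1 r2 r3 r0 (the "5CE47C64" trick in the text), and position i was
 * XORed with 40+i.  The n-4 Chars in front never reach the Compare, so they are
 * filled with 'X'.  Returns 0 for an unusable length, including the case where a
 * derived byte is 00, which would end the string early in GetDlgItemTextA. */
static int derive_serial(uint32_t magic, size_t n, char out[8])
{
    if (n < 4 || n > 7) return 0;
    uint8_t r[4] = { (uint8_t)magic, (uint8_t)(magic >> 24),
                     (uint8_t)(magic >> 16), (uint8_t)(magic >> 8) };
    memset(out, 'X', n - 4);
    for (size_t j = 0; j < 4; j++) {
        uint8_t c = (uint8_t)(r[j] ^ (uint8_t)(0x40 + (n - 4) + j));
        if (c == 0) return 0;
        out[n - 4 + j] = (char)c;
    }
    out[n] = 0;
    return 1;
}

/* The last four derived Chars packed high byte first (1CA53E27 for CoDe_InSiDe). */
static uint32_t derived_tail(uint32_t magic, size_t n)
{
    char s[8];
    if (!derive_serial(magic, n, s)) return 0;
    return ((uint32_t)(uint8_t)s[n - 4] << 24) | ((uint32_t)(uint8_t)s[n - 3] << 16) |
           ((uint32_t)(uint8_t)s[n - 2] << 8)  |  (uint32_t)(uint8_t)s[n - 1];
}

/* Derive a Serial of n Chars for name and feed it back through the check. */
static int roundtrip(const char *name, size_t n)
{
    char s[8];
    return derive_serial(magic_value(name), n, s) && check_serial(name, s);
}

int main(void)
{
    const char *name = "CoDe_InSiDe";
    char s[8];
    printf("Magic Value for %s: %08X\n", name, magic_value(name));
    printf("ECX after \"1234567\":   %08X\n", encode_serial("1234567890"));
    for (size_t n = 4; n <= 7; n++)
        if (derive_serial(magic_value(name), n, s)) {
            printf("%zu-Char Serial bytes:", n);
            for (size_t i = 0; i < n; i++) printf(" %02X", (uint8_t)s[i]);
            printf("  -> check %d\n", check_serial(name, s));
        }
    return 0;
}
```

Compile with any C99 compiler and run it with no arguments; it prints the Magic Value, the Register after the 7 copied Chars and one working Serial per length. Modelling the registers as uint32_t is what makes the shl/imul wrap-around and the rol behave exactly like the real instructions.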
Remember the spot just above in this file where the "Fake" Serial Algo lies? Go there again with SoftICE (if you quit it) and you'll see this after offset 004010C4:

--------------------------------------------------------------------------------
:004010C6 5B            pop ebx                <--- Pop EBX which is our "Magic Value"
:004010C7 E81E000000    call 004010EA          <--- Call the Compare
:004010CC 85C0          test eax, eax          <--- Test if EAX is 00 (bad thing)
:004010CE 7447          je 00401117            <--- If equal we jump and fail (the program just continues and shows nothing), else continue
:004010D0 6A00          push 00000000

* Possible StringData Ref from Data Obj ->"Good job"
|
:004010D2 6817204000    push 00402017

* Possible StringData Ref from Data Obj ->"You cracked this lame crackme "
|
:004010D7 6820204000    push 00402020
:004010DC 6A00          push 00000000

* Reference To: USER32.MessageBoxA, Ord:0000h
|
:004010DE E8EE000000    Call 004011D1

* Possible Reference to Dialog: DialogID_0001
|
:004010E3 B801000000    mov eax, 00000001      <--- Move 01 in EAX
:004010E8 EB2D          jmp 00401117           <--- Jump to the end
--------------------------------------------------------------------------------

Ok, now we can just patch this "je 00401117", or we can check the "CALL 004010EA". We do that :) Get in the CALL and you see this:

--------------------------------------------------------------------------------
:004010EA 3BD9          cmp ebx, ecx           <--- Compare "Magic Value" with new "Fake" Serial
:004010EC 7403          je 004010F1            <--- If equal we jump and move 01 in EAX, else continue and move 00 in EAX
:004010EE 33C0          xor eax, eax           <--- XOR EAX which is now 00
:004010F0 C3            ret                    <--- Return to that "test eax, eax"

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004010EC(C)
|
:004010F1 B001          mov al, 01             <--- Move 01 in AL
:004010F3 C3            ret                    <--- Return to that "test eax, eax"
--------------------------------------------------------------------------------

Well, we can patch this CrackMe in several ways, here are some:

1. Change "cmp ebx, ecx"  ---> "cmp ebx, ebx" or "cmp ecx, ecx"
2. Change "je 004010F1"   ---> "jmp 004010F1"
3. Change "xor eax, eax"  ---> "mov al, 01"
4. Or we can change the "je 00401117" into "jmp 004010D0 (EB00)" or "NOP it (9090)" when we're back from this CALL.

We're going to do "3" :)
Write down the offset of "xor eax, eax" (or keep it in mind) and close SoftICE (CTRL+D).
Then open the CrackMe in W32Dasm. Click on "Goto/Goto Code Location" or simply press "SHIFT + F12" :)
Then enter that offset "004010EE" followed by "enter". Now check the line below in W32Dasm, it says:

Line:193 Pg 4 and 5 10 Code Data @:004010EE @Offset 000006EEh in File:crackme1.EXE

The only important part for us is "@Offset 000006EEh". Write down that offset and open the CrackMe in a Hex-Editor.
Then get to that offset (000006EE) and change this:

33C0 - xor eax, eax
into
B001 - mov al, 01

Now don't forget to close W32Dasm, otherwise we can't save :)
Save the file (make a backup if you want) and run it, now every Serial works :P
Play with all the Patch options if you want, it's nice to do ;)

Ok, this is it, The End. Damn big Tutorial, I hope you learned something ;)


---> Greetings...

Everybody from TrickSoft (www.TrickSoft.net)
Everybody from Cracking4Newbies (www.Cracking4Newbies.com)
Everybody from Keygenning4Newbies (Keygenning4Newbies.cjb.net)
Everybody from ReverseMes (ReverseMes.cjb.net)
And You...

Don't trust the Outside, trust the InSiDe !!!

Cya...

CoDe_InSiDe
Email: code.inside@home.nl