KeyGen Studio 2002

home *** CD-ROM | disk | FTP | other *** search

/ KeyGen Studio 2002 / KeyGen_Studio_2002.iso / Tutorials / Code Inside / Tut8.txt < prev next >

Wrap

Text File | 2001-09-21 | 7.5 KB | 162 lines

******************************************************************************************************************************************************************** cyT0m!c's CrackMe #1 ******************************************************************************************************************************************************************** Author: cyT0m!c Protection: Name / Serial URL: http://www.blubb.at/sweety/cracking/crackmez/Cytomic.zip Tools: SoftICE 4.05 W32Dasm V8.93 Hex-Editor ---> Intro... Hi welcome to my next CrackMe Tutorial !!! This CrackMe has a very simple Algo and is meant for Newbies :) First i'm going to "Sniff the Serial" then i'll patch it. ---> Let's Begin... *** Serial Sniffing *** Open the CrackMe and you'll see two edit boxes, one for your Name and one for your Serial. Just fill in some Name and Serial, i've used: Name: CoDe_InSiDe Serial: 1234567890 Ok, now were going to set a breakpoint. Get into SoftICE (CTRL+D) and type "bpx hmemcpy" then press enter, and out of SoftICE (CTRL+D). then press "Try It..." and SoftICE will popup. Ok, now type "BC *" to disable the breakpoint and press (F12) 12 times and we're in the CrackMe code. Now you'll see this: -------------------------------------------------------------------------------------------------------------------------------------------------------------------- :0042506A 8D55F4 lea edx, dword ptr [ebp-0C] <--- HERE WE LAND AFTER THE BREAK !!! :0042506D 8B83BC010000 mov eax, dword ptr [ebx+000001BC] :00425073 E888C9FEFF call 00411A00 :00425078 8B45F4 mov eax, dword ptr [ebp-0C] :0042507B 8D55F8 lea edx, dword ptr [ebp-08] :0042507E E871D7FDFF call 004027F4 <--- Here it puts the "Fake" Serial in a Register in Decimal format :00425083 8BF0 mov esi, eax <--- Move EAX in ESI :00425085 8B45FC mov eax, dword ptr [ebp-04] :00425088 E813010000 call 004251A0 <--- Here's the Algo !!! :0042508D 8BF8 mov edi, eax <--- Move EAX in EDI :0042508F 3BFE cmp edi, esi <--- Compare ESI with EDI :00425091 7418 je 004250AB <--- If equal jump to Good Guy, else continue to Bad Guy (Remember this spot for Patching :) -------------------------------------------------------------------------------------------------------------------------------------------------------------------- Ok, once you land here you can skip the first CALL so trace to the CALL 004027F4. It's not necessary to look in this CALL, but maybe its interesting :) I won't explain it too much, but your "Fake" Serial will be put in Decimal format in Register EAX. When your out of the CALL you can do a "? EAX" to see your "Fake" Serial in Decimal format :) Ok, now step into the CALL 004251A0 <--- This is the Algo :) And you'll see this: -------------------------------------------------------------------------------------------------------------------------------------------------------------------- :004251A0 53 push ebx :004251A1 89C3 mov ebx, eax <--- Move EAX in EBX (EBX now holds the offset to our Name) :004251A3 83FB00 cmp ebx, 00000000 <--- Compare EBX with 00000000 :004251A6 7413 je 004251BB <--- If equal jump to the end, else continue :004251A8 B801000000 mov eax, 00000001 <--- Move 00000001 in EAX :004251AD 31C9 xor ecx, ecx <--- XOR ECX which is now 00 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004251B9(U) | :004251AF 8A0B mov cl, byte ptr [ebx] <--- Move first Char in CL :004251B1 80F900 cmp cl, 00 <--- Compare CL with 00 (Are we at the end of our Name ?) :004251B4 7405 je 004251BB <--- If equal we jump to the end, else continue to make the Serial :004251B6 F7E1 mul ecx <--- You can see this as "Multiply ECX with EAX" :004251B8 43 inc ebx <--- EBX +1 :004251B9 EBF4 jmp 004251AF <--- Repeat loop * Referenced by a (U)nconditional or (C)onditional Jump at Addresses: |:004251A6(C), :004251B4(C) | :004251BB 25FFFFFF0F and eax, 0FFFFFFF <--- Logical AND between 0FFFFFFF and EAX :004251C0 5B pop ebx :004251C1 C3 ret -------------------------------------------------------------------------------------------------------------------------------------------------------------------- Ok, so here we got the Algo very small :) Well it goes like this: "CoDe_InSiDe" Move 00000001 in EAX Move first char in CL Which is "C" (Hex = 43) Compare CL with 00 Are we at the end of our Name ? Multiply ECX (43) with EAX (01) EAX now holds 00000043 (43*1=43) Increase EBX Points to the next Char Move Second Char in CL Which is "o" (Hex = 6F) Compare CL with 00 Are we at the end of our Name ? Multiply ECX (6F) with EAX (43) EAX now holds 00001D0D (6F*43=1D0D) Increase EBX Points to the next Char And so on... At the end it also does "and eax, 0FFFFFFF" this is to make the last Character a "0" so that the Serial won't be negative :) Ok, now the final result is within EAX , now when you get out of this CALL you'll see that it moves EAX to EDI. And then it compares ESI ("Fake" Serial) with EDI ("Real" Serial) very easy huh? :) Now to know our "Real" Serial (In Readable Characters) we just do a "? EDI" and you'll notice a decimal value in SoftICE, my Serial was: Name: CoDe_InSiDe Serial: 156742880 Ok, that's it for the "Serial Sniffing" now on to the Patching :) ---> Let's Begin *** Patching *** Ok, fire up W32Dasm and disassemble the file "CrackMe.exe", now we can get to the Patching place in 2 ways. 1. In W32Dasm go to "String Data References" and search for "That isn't it, keep on trying..." or the Good Guy message and double click on it, then trace a few lines up till you see "je 004250AB". 2. Did you remembered where i said (in this file) "Remember this spot for Patching :)", well in W32Dasm you can go to the same offset by pressing (SHIFT+F12) and then typing "00425091" and click OK. When your there notice the line at the bottom of W32Dasm, it says: Line:86494 Pg 1730 and 1731 of 1738 Code Data @:00425091 @Offset 00024491h in File:CrackMe.exe The only important part for us is "@Offset 00024491h". Now open up an Hex-Editor and go to that offset "00024491". We know that it needs to jump to make us succeed :) so we're going to put an "EB" into it, change it into this (Don't forget to close W32Dasm): 7418 ---> EB18 That's it save the file (or make a backup) and run it, now every Serial will work :) You can also change this, notice the two bytes in front of the JE it's: 3BFE ---> (cmp edi, esi) You can change this into: 3BFF ---> (cmp edi, edi) Now it checks the "Real" Serial with the "Real" Serial so it's always correct :) Or you can change it into: 3BF6 ---> (cmp esi, esi) Now it checks the "Fake" Serial with the "Fake" Serial so that's also always correct :), have fun with it... ---> Greetings... Everybody at TrickSoft (www.TrickSoft.net) Everybody at Cracking4Newbies (www.Cracking4Newbies.com) And You... Don't trust the Outside, trust the InSiDe !!! Cya... CoDe_InSiDe Email: code.inside@home.nl