KeyGen Studio 2002

home *** CD-ROM | disk | FTP | other *** search

/ KeyGen Studio 2002 / KeyGen_Studio_2002.iso / Tutorials / CrackMesCbjNet / bloodbath-praetorian.txt < prev next >

Wrap

Text File | 2001-09-21 | 15.5 KB | 284 lines

.-------------------------------------------------------------------------------------------------. |Date : June 26, 2001 | |Target : Praetorian's CrackMe #1 (http://www.mesa-sys.com/~eternal/m-p/praetoriancm.zip) | |Author : Praetorian (praetorian@nameplanet.com) | |Cracker: Bl00dBaTH [pGC/2001] (Bl00dBaTH@pgc-force.com) | |Tools : IDA + SoftICE | |Viewer : Notepad/Fullscreen/Wordwrap | ;_________________________________________________________________________________________________; INTRODUCTION xxxxxxxxxxxxxx If you read the readme file which comes with this crackme, you'll find out that there are 3 checks. Since its a keyfile protection, its pretty safe to assume that the 3 things we need to do are: 1. Find out the name of the keyfile. 2. Find out the size of the keyfile. 3. Find out what the keyfile checks. Ok, well thats pretty straight forward. But before we do anything, lets run our target and see what happens. Boom, the program throws an error right in our face. Ok, no problem. We could bpx MessageBoxA and check out what caused this, or we could load it up in a deadlister to get a good view of whats going on. I chose the deadlisting since we're only going to analyze the target right now and its a good way to get a clear look at the code. Alright, lets get down to business. ANALYSIS OF THE TARGET xxxxxxxxxxxxxxxxxxxxxxxx A good place to start examining our target, as usual, is to check out the String References. If you look here, you'll see the following strings. 1. Xnt.L`cd.Hs-.. 2. Fqd`s.Vnqj-..Mns.sg`s.g`qc.h.ftdrr-. 3. DQQNQ 4. Dqqnq.hm.sdrs.$kt 5. sdrs-sws What the hell is this?? Don't worry, we'll get to that in the next section... CRACKING THE TARGET: STEP 1/3 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx The following is the first snippet of code we should look at in order to find out whats going on. Its the main code of the program and I'll reference it several times throughout this essay... Main Code: --------------------------------------------------------------------------------------------------- 00401002 call j_GetModuleHandleA 00401007 mov dword_40309C, eax 0040100C add byte_403050, 1 00401013 call sub_40109D ;Lets see whats in this call... 00401018 jz short loc_40104C --------------------------------------------------------------------------------------------------- Inside Call 40109D: --------------------------------------------------------------------------------------------------- 0040109D lea edi, ds:40303Bh ;edi points to "sdrs-sws". 004010A3 call sub_40113D ;Another call here. Lets check it first. --------------------------------------------------------------------------------------------------- Inside Call 40113D: --------------------------------------------------------------------------------------------------- 0040113D mov al, [edi] ;Copy a byte from edi into al. 0040113F cmp al, 0 ;All done? 00401141 jz short loc_401150 ;If so then jump to 401150. 00401143 cmp al, 2Eh ;al equal to "."? 00401145 jnz short loc_401149 ;If not jump to 401149. 00401147 mov al, 1Fh ;Otherwise put 1F into al. 00401149 add al, 1 ;Add 1 to al. 0040114B mov [edi], al ;Put al back into edi. 0040114D inc edi ;Increase edi to get the next byte. 0040114E jmp short sub_40113D ;Jump to 40113D 00401150 mov [edi], al ;0 Terminate the string edi points to. (al ;will equal 0 when it gets here). 00401152 retn ;Return To Call 40109D. --------------------------------------------------------------------------------------------------- Ok, so what the above call does, is add 1 to each character pointed to by edi, and then 0 terminate it. (Strings must be 0 terminated, that is, end with a 0). Now that we know this little bit of info, lets go back to what we were looking at before. Back To Call 40109D: --------------------------------------------------------------------------------------------------- 0040109D lea edi, ds:40303Bh ;edi points to "sdrs-sws". 004010A3 call sub_40113D ;The above routine that decodes the string ;pointed to by edi. 004010A8 push 0 004010AA push 80h 004010AF push 3 004010B1 push 0 004010B3 push 1 004010B5 push 80000000h ;Read access. 004010BA push 40303Bh ;Keyfile: test.txt (sdrs-sws = test.txt) 004010BF call j_CreateFileA ;Open the file. 004010C4 cmp eax, 0FFFFFFFFh ;Was the open successful? 004010C7 retn ;Return to Main Code. --------------------------------------------------------------------------------------------------- Alright now that we're done having a look at the first check, we know that the name of our keyfile is test.txt. Lets go back to our main piece of code and apply our new knowledge. Main Code: --------------------------------------------------------------------------------------------------- 00401002 call j_GetModuleHandleA 00401007 mov dword_40309C, eax 0040100C add byte_403050, 1 00401013 call sub_40109D ;Try to open test.txt 00401018 jz short loc_40104C ;If it couldn't be opened, jump to badguy. --------------------------------------------------------------------------------------------------- We now know how to get past the first check, we must have a keyfile names test.txt. Now lets move on to the second check... CRACKING THE TARGET: STEP 2/3 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Now we'll continue on from where we left off and move on to the second check. Main Code: --------------------------------------------------------------------------------------------------- 00401002 call j_GetModuleHandleA 00401007 mov dword_40309C, eax 0040100C add byte_403050, 1 00401013 call sub_40109D ;Try to open test.txt 00401018 jz short loc_40104C ;If it couldn't be opened, jump to badguy. 0040101A mov dword_403044, eax 0040101F add byte_403050, 1 00401026 call sub_4010C8 ;Lets see whats in this call... 0040102B jnz short loc_40104C --------------------------------------------------------------------------------------------------- Inside Call 4010C8: --------------------------------------------------------------------------------------------------- 004010C8 push 0 004010CA push dword_403044 ;Handle of test.txt. 004010D0 call j_GetFileSize ;Get size of test.txt. 004010D5 cmp eax, 0Ah ;Is test.txt equal to 10 bytes? 004010D8 retn ;Return to Main Code. --------------------------------------------------------------------------------------------------- Oh yeah, that call was short and sweet. No jumping around. =] Well, we know now that our keyfiles name is test.txt and that it should be 10 bytes long. We'll reference our main code once more to fill in the blanks and then move right on to the third and final check. Main Code: --------------------------------------------------------------------------------------------------- 00401002 call j_GetModuleHandleA 00401007 mov dword_40309C, eax 0040100C add byte_403050, 1 00401013 call sub_40109D ;Try to open test.txt 00401018 jz short loc_40104C ;If it couldn't be opened, jump to badguy. 0040101A mov dword_403044, eax 0040101F add byte_403050, 1 00401026 call sub_4010C8 ;Get size of test.txt. 0040102B jnz short loc_40104C ;If its not 10 bytes, jump to badguy. --------------------------------------------------------------------------------------------------- We're almost done. Now to finish this up... CRACKING THE TARGET: STEP 3/3 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx This is the last check we need to pass and we'll have this crackme defeated. Lets get to it... Main Code: --------------------------------------------------------------------------------------------------- 00401002 call j_GetModuleHandleA 00401007 mov dword_40309C, eax 0040100C add byte_403050, 1 00401013 call sub_40109D ;Try to open test.txt 00401018 jz short loc_40104C ;If it couldn't be opened, jump to badguy. 0040101A mov dword_403044, eax 0040101F add byte_403050, 1 00401026 call sub_4010C8 ;Get size of test.txt. 0040102B jnz short loc_40104C ;If its not 10 bytes, jump to badguy. 0040102D mov dword_403072, eax 00401032 call sub_4010D9 ;Lets see whats in this call... 00401037 cmp eax, 1 0040103A jz short loc_401045 0040103C add byte_403050, 1 00401043 jmp short loc_40104C --------------------------------------------------------------------------------------------------- Inside Call 4010D9: --------------------------------------------------------------------------------------------------- 004010D9 push 0 004010DB push offset unk_403088 004010E0 push 4 ;Read 4 bytes. 004010E2 push offset byte_40307E ;Buffer to hold read data. 004010E7 push dword_403044 ;Handle of test.txt. 004010ED call j_ReadFile ;Read test.txt. 004010F2 cmp byte_40307E, 2Dh ;Is the first byte equal to "-"? 004010F9 jz short loc_4010FF ;If so jump to 4010FF. 004010FB xor eax, eax ;Clear eax. 004010FD jmp short locret_401112 ;Otherwise jump to badguy. 004010FF cmp byte_40307F, 30h ;Is the second byte equal to "0"? 00401106 jz short loc_40110C ;If so jump to 40110C. 00401108 xor eax, eax ;Clear eax. 0040110A jmp short locret_401112 ;Otherwise jump to badguy. 0040110C mov eax, 1 ;Set the good flag. 00401111 retn ;Return To Main Code. --------------------------------------------------------------------------------------------------- Now we have all the information we need about the format of the keyfile: 1. It must be named test.txt. 2. It must be 10 bytes long. 3. The first 2 bytes must be -0. An example key would be: -0123456. Lets have a look at our main code now... Main Code: --------------------------------------------------------------------------------------------------- 00401002 call j_GetModuleHandleA 00401007 mov dword_40309C, eax 0040100C add byte_403050, 1 00401013 call sub_40109D ;Try to open test.txt 00401018 jz short loc_40104C ;If it couldn't be opened, jump to badguy. 0040101A mov dword_403044, eax 0040101F add byte_403050, 1 00401026 call sub_4010C8 ;Get size of test.txt. 0040102B jnz short loc_40104C ;If its not 10 bytes, jump to badguy. 0040102D mov dword_403072, eax 00401032 call sub_4010D9 ;Check to see if the first 2 bytes are -0. 00401037 cmp eax, 1 ;eax equal to 1? 0040103A jz short loc_401045 ;If so, jump to 401045. 0040103C add byte_403050, 1 00401043 jmp short loc_40104C ;Otherwise jump to the badguy message. 00401045 call sub_401113 ;Lets see whats in this call... 0040104A jmp short loc_401096 --------------------------------------------------------------------------------------------------- Inside Call 401113: --------------------------------------------------------------------------------------------------- 00401113 lea edi, ds:403000h ;edi points to "Xnt.L`cd.Hs-.." 00401119 call sub_40113D ;Call to decode the above string. 0040111E lea edi, ds:40300Fh ;edi points to ;"Fqd`s.Vnqj-..Mns.sg`s.g`qc.h.ftdrr-." 00401124 call sub_40113D ;Call to decode the above string. 00401129 push 0 0040112B push 403000h ;"You Made It." 00401130 push 40300Fh ;"Great Work. Not That Hard I Guess." 00401135 push 0 00401137 call j_MessageBoxA ;Goodguy Message. 0040113C retn ;Return To Main Code. --------------------------------------------------------------------------------------------------- Thats all there is to it, crackme solved. The program uses the same kind of routine to show the badguy message as well. It decodes the 2 strings and then displays them in a messagebox. Our strings are: 1. Xnt.L`cd.Hs-.. -- "You Made It." 2. Fqd`s.Vnqj-..Mns.sg`s.g`qc.h.ftdrr-. -- "Great Work. Not That Hard I Guess." 3. DQQNQ -- "ERROR" 4. Dqqnq.hm.sdrs.$kt -- "Error in test x" (Where x is 1, 2 or 3) 5. sdrs-sws -- "test,txt" FINAL WORDS xxxxxxxxxxxxx Well I hope this essay wasn't too hard to follow, and hopefully you got something out of it. Its a pretty long essay for such a simple crackme, but I wanted to try to explain as much as possible. =] Any comments/flames/etc can be sent to me at Bl00dBaTH@pgc-force.com. Greets go out to all my friends, Muad'dib and The+Q for the awesome crackme site, and of course, Praetorian for the crackme. Thats it for now. Peace. Bl00dBaTH [pGC/2001]