Hi, this is my first ever tutorial. I've been reversing (or attempting to) for the last 2 years. I still consider myself a beginner, as I don't put much time into reversing or programming. But I thought it was time to step out and add to the knowledge of others.
Crack:
Artemis crackme by WiLSE from genocidecrew
Tools:
Spy & Capture Version 2.70 (not necessary but very handy)
Softice
Hex editor
(WDasm)
When running the prog, all that happens is a window with a URL and two buttons. Hmmm, kinda fishy. What's the deal??!! Using the little spy program on the main window, I looked for child windows. Hey, two textboxes, yet only one is visible. Using Spy, set visibility to true. Wow, you did it! So that's the deal: make the textbox visible. Sounds easy.
Trying to disassemble only shows that it's PE encrypted with Neolite. Too bad. Remember the start point of the program, 411110 (see later).
So I tried to play around with some decryptors I downloaded but had no luck (I don't really know how to use them). So it's time for good old Softice.
Hmmm, the program does not break into Softice with the loader. In the spy prog we find the handle of the textboxes. So I put a BMSG on the handle and rerun the Artemis program. I break into Softice, F12 (many times) till I'm in Artemis code. Interesting, calls to CreateWindowExA. This is what it looks like:
mov [00402167],eax ;<-- Handle of textbox "wow, you did it!"
A quick check in the Win32 API reference shows the following:
HWND CreateWindowEx(
DWORD dwExStyle, // extended window style
LPCTSTR lpClassName, // pointer to registered class name
LPCTSTR lpWindowName, // pointer to window name
DWORD dwStyle, // window style <<---- :) :) :)
int x, // horizontal position of window
int y, // vertical position of window
int nWidth, // window width
int nHeight, // window height
HWND hWndParent, // handle to parent or owner window
HMENU hMenu, // handle to menu, or child-window identifier
HINSTANCE hInstance, // handle to application instance
LPVOID lpParam // pointer to window-creation data
);
Set a breakpoint at 40117D -> run the prog again.
Now change the push from 'push 40001101' to 'push 50001101' (Softice command "a"). Continue to run the program. Yes, this is the spot: the textbox is now visible. Now, how to change the exe file so that we don't need Softice anymore?
As it's PE encrypted, my first thought was in-memory patching, yet whatever I tried I just ended up with page faults. Not the way to go. So this meant going into the decrypt routine. Ahhhh, hateful. So I set a breakpoint on the beginning of the prog: bpx 411110. After a few minutes I found it too hard, so I remembered many of the tuts I've read and put a bpm on location 40117D, as this is the code that the decryptor generates.
Run Artemis again, and check what's happening. We break at 41267D: do a 'd 40117d'.
41267D repz movsb ;<-- F10 and you see 01 11 move into place
41267F pop esi ;<-- address above 80000000 :)
Keep pressing F10 till you come to the next code:
4128AF movsw
4128B1 movsb
Anyway, this moves 00 40 into place from the address stored in esi. ?? :)
So do a 'd esi'. Hmmm, delicious. This is what you should see: 40 68 61 14 1A FA .....
After checking the routine a little more you'll see that it often comes back to this part of the code (data).
Now it's time for the 1-byte patch. Open your hex editor and search for the string '40 68 61 14'. There should only be one reference; change 40 into 50, save, disable your breakpoints and run the patched Artemis. Voila. Bingo.
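Two things in this walkthrough are worth checking on paper: why 40001101 -> 50001101 is exactly "set the visible flag", and why that turns into a single-byte change to the 40 in '40 68 61 14'. The script below is my own added example, not part of the tutorial or of the crackme. It uses the generic WS_* style bits as defined in winuser.h (the low word of dwStyle is class-specific and is not decoded), the x86 encoding of push imm32 (opcode 68 followed by the DWORD little-endian, so the high byte 0x40 of 0x40001101 is the last byte of the instruction, which is consistent with the 40 68 seen at 'd esi': the 0x40 closes one push and 0x68 opens the next), and a constructed sample blob around the four signature bytes that is not a dump of the real file.

```python
import struct

# Generic window-style bits from winuser.h. The low word of dwStyle holds
# class-specific bits (ES_*, SS_*, ...) and is deliberately left undecoded.
WS_STYLES = {
    0x80000000: "WS_POPUP",
    0x40000000: "WS_CHILD",
    0x20000000: "WS_MINIMIZE",
    0x10000000: "WS_VISIBLE",
    0x08000000: "WS_DISABLED",
    0x04000000: "WS_CLIPSIBLINGS",
    0x02000000: "WS_CLIPCHILDREN",
    0x01000000: "WS_MAXIMIZE",
    0x00800000: "WS_BORDER",
    0x00400000: "WS_DLGFRAME",
    0x00200000: "WS_VSCROLL",
    0x00100000: "WS_HSCROLL",
    0x00080000: "WS_SYSMENU",
    0x00040000: "WS_THICKFRAME",
    0x00020000: "WS_GROUP",
    0x00010000: "WS_TABSTOP",
}
WS_VISIBLE = 0x10000000

ORIGINAL_STYLE = 0x40001101  # dwStyle value pushed by the crackme (from the tutorial)
PATCHED_STYLE = 0x50001101   # value substituted in Softice (from the tutorial)


def decode_style(dw_style):
    """Names of the generic WS_* bits set in dw_style, highest bit first."""
    return [name for bit, name in sorted(WS_STYLES.items(), reverse=True)
            if dw_style & bit]


def push_imm32(value):
    """x86 encoding of `push imm32`: opcode 0x68 then the DWORD little-endian."""
    return b"\x68" + struct.pack("<I", value)


def differing_offsets(a, b):
    """Offsets at which two equal-length byte strings differ."""
    if len(a) != len(b):
        raise ValueError("lengths differ")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def unique_offset(blob, pattern):
    """Offset of pattern in blob if it occurs exactly once, else None.

    This is the "there should only be one reference" check from the tutorial:
    a signature that matches more than once is not safe to patch blindly.
    """
    first = blob.find(pattern)
    if first == -1 or blob.find(pattern, first + 1) != -1:
        return None
    return first


# Constructed sample: the literal bytes seen at 'd esi' in the tutorial,
# surrounded by made-up filler. Not a dump of the real Artemis file.
SAMPLE_BLOB = bytes.fromhex("00112233") + bytes.fromhex("406861141afa") + bytes.fromhex("deadbeef")
SIGNATURE = bytes.fromhex("40686114")


def patch_visibility(blob, signature):
    """Copy of blob with the 0x40 style byte at the unique signature raised to
    0x50 (WS_VISIBLE set), or None if the signature is not unique."""
    off = unique_offset(blob, signature)
    if off is None:
        return None
    patched = bytearray(blob)
    patched[off] |= WS_VISIBLE >> 24  # top byte of the style: 0x40 | 0x10 = 0x50
    return bytes(patched)


if __name__ == "__main__":
    print(decode_style(ORIGINAL_STYLE), "->", decode_style(PATCHED_STYLE))
    print(push_imm32(ORIGINAL_STYLE).hex(), "vs", push_imm32(PATCHED_STYLE).hex())
    print(patch_visibility(SAMPLE_BLOB, SIGNATURE).hex())
```

Running it shows that the only bit that changes between the two style values is WS_VISIBLE, that the two push encodings differ at a single offset (the last byte), and that the signature patch is refused when the four-byte pattern is not unique in the data.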
Thanks to all you great crackers out there spending time writing tuts that have helped me a lot. I hope to read more, as there is always more to learn. Thanks to Fravia; through his website I started my interest in reversing.