new crackme challenge


ZaiRoN
June 29th, 2002, 19:32
hi all!
the mini project area has been very poor these last days; i think many of us are working hard with exams or maybe ... are always at the beach

btw, for those who are here and want to throw in a new little crackme-challenge, here is the link from which you can download the proggie: hzzp://www.lockless.com/products/L01_CM2.zip

the crackme is serial-based and you have to reverse a little algo.
the crackme has some anti-sice, anti-bpx, anti-disassemble tricks, very easy indeed, but a newbie (who has never seen them before) could have problems. this is the right place to learn something new, so if you have problems don't hesitate to ask.

you can solve the crackme using only sice but i would like to suggest you another task.
you can't disassemble the file correctly using windasm. that's because Bishop has done some changes on the pe header.
your task is to make the file viewable correctly with windasm (you have to view correctly: references, imported functions, etc.).
it's not very difficult but you have to do some adjustments with the pe header...especially with sections!

if you don't know anything about the pe format, here are two refs that could help you:
- Iczelion's pe format tutorial
hzzp://win32asm.cjb.net/
- pe file formats offsets
hzzp://insel.heim.at/madeira/340943/Tuts/tut_pe.htm

ok, that's all.
good luck!

ZaiRoN

SilSaLaMaTa
June 29th, 2002, 19:57
hi
I can't run the crackme !
Error message says that it's not a valid win32 application, is it a part of cracking ??

_Servil_
June 29th, 2002, 23:27
HI
what about the solution, does it serve my purpose only?
maybe we could compete for some tour to beach

ZaiRoN
June 29th, 2002, 23:51
SilSaLaMaTa: the crackme has an anti-sice trick so if you run the crackme with sice running it will crash. try to trace from the entry point and see what happens

_Servil_: have you just done it? if so, i think you can give other people some time to work on it and try to help whoever has problems.
anyway, this is only my opinion...you are free to post your solution whenever you want

bye
ZaiRoN

SilSaLaMaTa
June 30th, 2002, 11:02
But it's not crashing, I tried ollydbg too, but it says "unable to start". I put a CC on the PE OEP, and then bpint 3 in sice, but sice didn't break. I think windows didn't jump to the OEP. (i'm using XP, did u test the crackme under XP/2K ?)

ZaiRoN
June 30th, 2002, 11:14
hi SilSaLaMaTa,
sorry but i can't help you because i'm only using w98 with this type of things and i can't try it on win2k or xp.
as i said before, Bishop has done some manipulations on the section header; could it be that
try to repair it...

ZaiRoN

Acid_Cool_178
June 30th, 2002, 15:28
I'm running on windows XP and it crashes... Haven't run any PE utilities on it and the structure of the crackmes from BiSHoP has been a bit weird...

The crackme is coded in asm so it will be pure right on target, but how to get the crackme running is the first approach right now...

Any ideas ?

Does it run under Win95,98/WinNT 4/2000/XP ??

Acid

Bengaly
June 30th, 2002, 23:44
hi all, zairon/acid_cool..etc

the crackme runz fine under Win98SE.
about the imports not shown in w32dasm,
just load up LordPE and view them there, or just look in ur fav hex editor.
well win32dasm disassembles from 00000C00 which is the variable's data pointed to by the ".data" section.
i don't think we should disassemble that.
apparently it seems that the code itself starts at offset 00000400 (WinHex) till 0000067C.
mostly the code is pointed to by the ".text" section, try to play with it a bit, (but prepare for massive corrupts ;P )
trying to point to this from the section will make w32dasm disassemble the place, but hey it doesn't run..weee , i think it's either a matter of redirecting and size fixing of the section or u should debug from there. [ no sice installed here]...
cya all

NervGaz
July 1st, 2002, 01:59
here it is for your viewing pleasure... fixed up the sections and stuff so it should run on any windows system... but it will crash... just change the entry point to 1020 and it will run flawlessly... no tutorial on what is done 'cause it's pretty obvious stuff...

SilSaLaMaTa
July 1st, 2002, 11:40
hi ,
I dumped the file and set the section flags, prog runs, but I don't know what to do at this level,
w32dasm doesn't show string refs. I compared the PE with the fixed one (NervGaz file), the PEs were the same except Virtual
and Raw Offsets ... How to fix it ?

ZaiRoN
July 1st, 2002, 12:07
hi SilSaLaMaTa,
there's no need to dump the file...
why you have made it? (i'm just curious )
the only thing you have to change in each section is the characteristics_flag.
have you put *correctly* the section in the right order???

ZaiRoN

SilSaLaMaTa
July 1st, 2002, 12:55
I dumped the prog and then fixed the section order but u r right, no need to dump! I thought that the whole file was crypted :P
and I didn't know that section names r important for w32dasm !
Learnt something, thanx.

but why can't w32dasm show the dumped file ? I renamed the sections, and fixed the order. but no result ...

ZaiRoN
July 1st, 2002, 13:36
i don't know SilSa...i'm not in front of my pc and i can't try to dump the file.

there's only one more thing to do now: find the serial!
someone has tried!?!

ciao,
ZaiRoN

SilSaLaMaTa
July 1st, 2002, 14:56
here I attached the dumped and fixed file . w32dasm can't show the string refs...

tgodd
July 1st, 2002, 14:59
you could set a bpx at text + 010f


tgodd
July 1st, 2002, 15:04
I rarely if ever try to set a Break on the first instruction of a sub or Program. A coder can be tricky, but a reverser even more so.

NervGaz
July 1st, 2002, 16:11
as far as the serial goes the only way i can figure out how to get it is bruteforcing it... but a patch would be really easy to do...

NervGaz
July 1st, 2002, 17:26
I didn't feel like reversing the algo completely when i could just as well write a simple app to generate the correct serial once i had figured the algo out... anyways i suck at writing tutorials and stuff so here is the serial generator (not really a keygen but anyway) with source... i might write something later on... btw the anti SICE stuff in the beginning crashes under win2k

ZaiRoN
July 1st, 2002, 18:03
hi NervGaz,
good work! i think (like you) that the only way to find the serial is the brute-way...
btw, your solution is incomplete
try to put those two serials and see what happen:
23876228, 2003587716
how could it be possible?

ciao,
ZaiRoN

ps. there are manymany valid serials...

NervGaz
July 1st, 2002, 18:15
i know ... my program just generates the first valid one... if you want all of them just comment out the "invoke ExitProcess,NULL" inside the while loop and change the push/pop saving of eax to a register save instead, kinda like save = mov edi,eax restore = mov eax,edi or whatever....i'll rewrite it to calculate all the valid serials and display them when i get some time over

ZaiRoN
July 1st, 2002, 18:21
oh yeah, you are right but...there is an easy way to solve the problem.
try to take a deeper look at the algo. (hint: 401217)

ciao!

_Servil_
July 1st, 2002, 18:41
HI

the serie has an evenness
any valid sn should look like this
SN = 0x6C5284 + Cntr * 0x1000000;
and cntr is any integer to 256

i think the only way to get this is to analyze the series 'coz it's beyond my possibilities to parametrize the sn checking func )

NervGaz
July 1st, 2002, 19:04
Zairon, didn't quite figure out what you meant by your last post but in any case i've rewritten the generator so now it generates every valid serial ranging from 1 to -1 and writes them in a textfile... haven't bothered to check them all but they should work except for the negative ones... and it takes about 4 minutes to calculate them all.. i won't post this one since it's pretty pointless... it's an easy rewrite to do yourself... ignore that negative thing.... just me messing wsprintf up...

ZaiRoN
July 1st, 2002, 20:09
the serial checking routine takes the serial in hex format and works only with part of it.
an example may help you...(i hope)

004011FE MOV EBX,EAX <-- ebx = hex value of your serial
...
00401217 SHL EBX,8 <-- 8 bits shift on the left

the point is in the shl instruction.
look at this:
if you have ebx=00123456, after shl_8 you'll have ebx=12345600
if you have ebx=00FEDCBA, after shl_8 you'll have ebx=FEDCBA00
if you have ebx=00001234, after shl_8 you'll have ebx=00123400
everything is shifted by 2 positions.
in our case, the first valid serial (in hex) is 0x006C5284. after the shift operation, ebx=6C528400.
so, if you have a serial like 0xZZ6C5284 (where ZZ is in 0-FF range) you'll have always ebx=0x6C528400 after the shift operation.
finally, ebx (after the last "xor, bl, sh" operation) is used in the loop but it's NEVER modified!
that's the point

ciao!!!
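
An added example, not part of the thread or of NervGaz's generator, that models the check ZaiRoN describes above (SHL EBX,8 on the 32-bit serial, result never modified afterwards) and the enumeration _Servil_ posted (SN = 0x6C5284 + cntr * 0x1000000). The comparison against 0x6C5284 as "the" accepted value is an assumption drawn from the thread's first valid serial; the real routine's later steps are not modelled.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>

/* Assumed from the thread: 0x006C5284 is the first serial the crackme accepts. */
#define FIRST_VALID_SERIAL 0x006C5284u

/* What EBX holds after SHL EBX,8: the top byte falls off the 32-bit register,
 * the low 24 bits move up two hex positions. */
uint32_t ebx_after_shl8(uint32_t serial) {
    return (uint32_t)(serial << 8);   /* bits 24..31 are discarded by truncation */
}

/* Two serials are indistinguishable to the routine iff their shifted values match:
 * the check cannot see the top byte, so it collapses 256 inputs into one class. */
bool same_check_class(uint32_t a, uint32_t b) {
    return ebx_after_shl8(a) == ebx_after_shl8(b);
}

/* Modelled validity test: accepted iff the serial collides with the first valid one. */
bool serial_accepted(uint32_t serial) {
    return same_check_class(serial, FIRST_VALID_SERIAL);
}

/* _Servil_'s series: SN = 0x6C5284 + cntr * 0x1000000 for cntr in 0..255,
 * i.e. every choice of the dead top byte. */
uint32_t nth_valid_serial(unsigned cntr) {
    return FIRST_VALID_SERIAL + (uint32_t)(cntr & 0xFF) * 0x1000000u;
}

/* Parse the decimal digits a user would type; anything unparsable or out of
 * 32-bit range becomes 0, which the check rejects. */
uint32_t parse_serial(const char *text) {
    char *end = NULL;
    unsigned long v = strtoul(text, &end, 10);
    if (end == text || *end != '\0' || v > 0xFFFFFFFFul) return 0;
    return (uint32_t)v;
}

/* Count how many serials sharing the low 24 bits of the first valid one pass:
 * one per top byte, showing the check only ever inspects 24 of the 32 bits. */
unsigned count_accepted_serials(void) {
    unsigned n = 0;
    for (uint32_t hi = 0; hi < 256; hi++)
        if (serial_accepted((hi << 24) | FIRST_VALID_SERIAL)) n++;
    return n;
}
```

The two serials ZaiRoN quotes, 23876228 and 2003587716, are 0x016C5284 and 0x776C5284: same low 24 bits, so the shift maps both to 0x6C528400.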

NervGaz
July 1st, 2002, 22:51
damn completely missed that.... heh... oh well