
CoDe_InSiDe's "checkit" crackme


rmlobvx
October 19th, 2002, 03:47
CoDe_InSiDe's crackmes are always very interesting, so let's check this one out... no pun intended. Rather than solving only for the proper serial, we are also going to find the SoftICE detection (a simple, classic use of it, no problem at all) and write our own decryptor for the EXE. It is a simple algorithm and will be very easy to understand, but we'll learn something from it for sure. The crackme is attached. I would rate this project as somewhat low newbie level.

rmlobvx
rmlobvx@reverse-engineering.info

ZaiRoN
October 20th, 2002, 22:15
Hi rmlobvx,

>CoDe_InSiDe's crackmes are always very interesting
I agree with you

I'm working on this target and I'm only using IDA because this crackme offers the possibility to learn something new: the IDC language.
This is a language similar to C (you have to know a little about C) and is included in IDA. Take a look in the IDA help to see a little guide on this *new* language.

i have used idc to decrypt the two areas.

- first of all, you have to create a .idc file. call it as you prefer...
- after that, you have to write the decryption procedure:
Code:

#include <idc.idc>

// Byte()/PatchByte() are the classic IDC names used here; IDA 7 and later
// spell them get_wide_byte()/patch_byte() and keep the old names as aliases.
static decrypt() // the name of the procedure
{
    auto area, tmp_byte; // variables declaration

    // decrypt the first area
    area = 0x401000;
    while (area < 0x40137F) // while statement
    {
        // gets the byte pointed by area and adds 1 to it
        // (PatchByte stores only the low byte, so 0xFF wraps to 0x00)
        tmp_byte = Byte(area) + 1;
        // patch the byte pointed by area
        PatchByte(area, tmp_byte);
        // moves to the next byte
        area = area + 1;
    }

    // decrypt the second area
    area = 0x401400;
    while (area < 0x4014CF)
    {
        tmp_byte = Byte(area) + 1;
        PatchByte(area, tmp_byte);
        area = area + 1;
    }
}


- save the file; go to IDA and press F2 to load the file
- it's time to execute the script. Press Shift+F2 and type the name of the procedure to execute: decrypt();
- hit OK. If you have not made any error, the script will be executed and the area will be decrypted
- game over!

As you can see, IDC is very simple to use, very amusing, and if it is used well it is also very powerful.

Now the code is all in front of us, and finding the right sequence is not very hard...

good luck and have fun!!!

ZaiRoN

Kayaker
October 21st, 2002, 05:08
Very cool Zairon! I will be making much more use of IDC scripts from now on

ZaiRoN
October 23rd, 2002, 18:22
thx Kayaker

I have found the sequence but there is a little problem: the crackme crashes due to the 'inc edi' instructions located in the range 0x400FF8/0x400FFF.
The problem is easily solvable by changing a value in the PE header; which value will it be?

regards,
ZaiRoN

Kayaker
October 24th, 2002, 04:46
Hi Zairon

Yes, I've definitely just become a real fan of IDC scripts, lol. Made very good use of Toteu's Icedump-to-IDA script for a start, pretty sweet. I see there's a few interesting script examples at the Datarescue site as well, particularly the Bit Fields tutorial. For a long time I've been wanting to come up with an app/technique to identify the MSG parameter of SendMessage/SendDlgItemMessage calls, a suitable script just might be the ticket and I think I'll play with the idea...


Back to the topic at hand, it's hard to tell what Code Inside had in mind there, those calls to the end of the PE header seem to have no purpose except to confuse the issue. What I did was to bypass them entirely after the first check (401f00 = 01 = "A") to what looked like the continuation of the proper check sequence at 401304. To determine what was a valid s/n I selected *every* letter (filling every byte in the buffer at 401f00 with 01), then followed the pattern of checks and changed the buffer to match. What was left were 7 bytes still filled with 01 which, when converted to their letter equivalents, would anagram to a "word" that was at least pronounceable, and would solve the puzzle.

Cheers,
Kayaker

ZaiRoN
October 24th, 2002, 15:03
Hi Kayaker!

>it's hard to tell what Code Inside had in mind there...

At first, I thought like you... I was wrong.
There's a value in the PE header that specifies the length of all headers, and so the offset to the first section's raw data...
You should have the answer now

bye,
ZaiRoN

ZaiRoN
November 2nd, 2002, 00:23
I don't know if someone is working on this crackme or if it's just dead, anyway rmlobvx asks us to write a specific decryptor for the target.
Attached you will find my decryptor; nothing special, it's written in C and maybe badly coded, but someone can learn how to write a simple decryptor from it

regards,
ZaiRoN

evaluator
November 6th, 2002, 13:08
So I did:
Change the byte at D5h: 04>10, so the header becomes 1000h in size and includes in memory the code at FF0.
Then analyze and... I get this word:

AHMNOPT

what it means!?

BTW, Zairon!
Can you force IDA to analyze that code in PE-header!?
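An added example, not ZaiRoN's attached decryptor and not code from the crackme's author: a stand-alone C decryptor for the add-one scheme that ZaiRoN's IDC script reverses, written against the file on disk rather than the IDA database. Working on the file forces the step that the IDA script never has to do, translating each virtual address to a file offset through the PE section table, and that same translation is where the SizeOfHeaders point made by ZaiRoN and evaluator becomes visible: bytes between the end of the headers and the first section's raw data are mapped only if SizeOfHeaders covers them. The layout is an assumption (e_lfanew 0x80, SizeOfHeaders 0x400 so that its second byte sits at file offset D5h, one .text section at RVA 0x1000 whose raw data also starts at file offset 0x1000); build_sample_pe() constructs a toy image with that layout for testing and is not the crackme.

```c
/* Added example (not the crackme, not ZaiRoN's decryptor). ASSUMED layout:
 * e_lfanew 0x80, SizeOfHeaders 0x400, one .text section at RVA 0x1000 with
 * raw data at file offset 0x1000. build_sample_pe() constructs a toy image
 * with that layout; decrypt_range() implements the same add-one loop as the
 * IDC script, but on file bytes located through the section table. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_BASE 0x400000u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* RVA -> file offset, or -1 when no file byte backs that address. The loader
 * copies SizeOfHeaders bytes from file offset 0 and zero-fills the rest of the
 * page, so with SizeOfHeaders = 0x400 the bytes at file offset 0xFF8 never
 * reach memory: that is the crash ZaiRoN describes and evaluator's D5h fix. */
long rva_to_offset(const uint8_t *img, size_t len, uint32_t rva)
{
    if (len < 0x40 || rd16(img) != 0x5A4D) return -1;                        /* "MZ" */
    uint32_t pe = rd32(img + 0x3C);                                            /* e_lfanew */
    if ((size_t)pe + 0x58 > len || rd32(img + pe) != 0x00004550) return -1;   /* "PE\0\0" */
    const uint8_t *fh = img + pe + 4;                                          /* IMAGE_FILE_HEADER */
    uint16_t nsec = rd16(fh + 2), optsz = rd16(fh + 16);
    const uint8_t *opt = fh + 20;                                              /* IMAGE_OPTIONAL_HEADER */
    if (rva < rd32(opt + 0x3C)) return (long)rva;                              /* inside SizeOfHeaders */
    const uint8_t *sec = opt + optsz;                                          /* IMAGE_SECTION_HEADER[] */
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {
        if ((size_t)(sec - img) + 40 > len) return -1;
        uint32_t va = rd32(sec + 12), rsz = rd32(sec + 16), raw = rd32(sec + 20);
        if (rva >= va && rva - va < rsz) return (long)(raw + (rva - va));
    }
    return -1;
}

/* Add one to every byte in [start_va, end_va), same bounds as the IDC loops.
 * Returns the number of bytes patched, or -1 if an address is not file-backed. */
long decrypt_range(uint8_t *img, size_t len, uint32_t start_va, uint32_t end_va)
{
    long n = 0;
    for (uint32_t va = start_va; va < end_va; va++, n++) {
        long off = rva_to_offset(img, len, va - IMAGE_BASE);
        if (off < 0 || (size_t)off >= len) return -1;
        img[off] = (uint8_t)(img[off] + 1);            /* 0xFF wraps to 0x00, like PatchByte */
    }
    return n;
}

/* Constructed toy image: 0x1000 bytes of header + slack, then one 0x1000-byte
 * .text section. Eight 0x47 ('G' = inc edi) bytes sit at file offset 0xFF8,
 * past the nominal header, and .text opens with ciphertext for
 * push ebp / mov ebp,esp / 0x00, i.e. 0x54 0x8A 0xEB 0xFF. */
size_t build_sample_pe(uint8_t *buf, size_t cap, uint32_t size_of_headers)
{
    if (cap < 0x2000) return 0;
    memset(buf, 0, 0x2000);
    wr16(buf, 0x5A4D);                              /* "MZ" */
    wr32(buf + 0x3C, 0x80);                         /* e_lfanew */
    uint8_t *pe = buf + 0x80;
    wr32(pe, 0x00004550);                           /* "PE\0\0" */
    wr16(pe + 4 + 2, 1);                            /* NumberOfSections */
    wr16(pe + 4 + 16, 0xE0);                        /* SizeOfOptionalHeader (PE32) */
    uint8_t *opt = pe + 24;
    wr16(opt, 0x10B);                               /* PE32 magic */
    wr32(opt + 0x20, 0x1000); wr32(opt + 0x24, 0x1000);   /* Section/FileAlignment */
    wr32(opt + 0x3C, size_of_headers);              /* file offset 0xD4: evaluator's "byte at D5h" */
    uint8_t *sec = opt + 0xE0;
    memcpy(sec, ".text\0\0\0", 8);
    wr32(sec + 8, 0x1000);  wr32(sec + 12, 0x1000); /* VirtualSize, VirtualAddress */
    wr32(sec + 16, 0x1000); wr32(sec + 20, 0x1000); /* SizeOfRawData, PointerToRawData */
    memset(buf + 0xFF8, 0x47, 8);                   /* the hidden inc edi run */
    memcpy(buf + 0x1000, "\x54\x8A\xEB\xFF", 4);    /* ciphertext at RVA 0x1000 */
    return 0x2000;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s in.exe out.exe\n", argv[0]); return 1; }
    static uint8_t img[1 << 20];
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 1; }
    size_t len = fread(img, 1, sizeof img, f);
    fclose(f);
    if (decrypt_range(img, len, 0x401000, 0x40137F) < 0 ||
        decrypt_range(img, len, 0x401400, 0x4014CF) < 0) { fputs("address not file-backed\n", stderr); return 1; }
    if (!(f = fopen(argv[2], "wb")) || fwrite(img, 1, len, f) != len) { perror(argv[2]); return 1; }
    return fclose(f) ? 1 : 0;
}
```

Run it as `decrypt "Check it!!!" decrypted.exe`; the output keeps the original SizeOfHeaders, so the hidden inc edi bytes still need evaluator's D5h patch before the file runs. Translating every byte through rva_to_offset is slower than computing one base offset per range, but it is what makes a range that strays outside any section fail loudly instead of patching the wrong file bytes.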

ZaiRoN
November 6th, 2002, 15:55
good job evaluator! Too easy for you

>AHMNOPT
>what it means!?
I have found the meaning of this strange string by shuffling the letters (my English vocabulary is very limited)
Finally, PHANTOM is the word we were looking for

>Can you force IDA to analyze that code in PE-header!?
I never thought about that and I don't know if there is an IDA feature to perform the operation.

Anyway, if you want to see which instructions are in the range 400FF8/401000, you can use this simple way:
1. click on: File/Load File/Additional binary file...
2. open the crackme file (Check it!!!)
3. you'll see a box with:
- Loading segment: where IDA puts the new bytes. The default value points to the end of IDA's output (if the last instruction processed by IDA is at 402FFF, the value will be 403000), so you can leave it.
- Loading offset: you can ignore this value.
- File Offset in bytes: we want to view instructions starting from 0x400FF8, so put 0xFF8 here
- Number of bytes: 8
- 'Create segments' and 'Code segment': check both items...
4. I don't know why but IDA creates a new 16-bit segment; we need to convert it to a 32-bit segment. CTRL-S to view the segments; edit the new segment and:
- check '32-bit segment'
5. Go over the first 'db 47h ; G' and type 'c'. You will see the hidden 'inc edi' instructions

If someone else knows a better way to do the job, he is welcome

regards,
ZaiRoN

doug
January 12th, 2003, 23:24
An alternative way of doing so: when you open a new file, you are prompted for several options.

Put a check next to "Manual Load".

You will be prompted for several things, one of them being "Load the file header".

The PE header will then be loaded, and you can do whatever you want.

ZaiRoN
January 13th, 2003, 03:39
Thx doug!
This is the correct way to analyze the code

ZaiRoN