HELLFORGE 2000


 
 

Author Falcon
Target Borna Janes Crackme 1
Public Release Saturday, May 06, 2000
Author Contact falcon_geno@mail.ru
Dedication Shakespeare
Difficulty Level (1..7) 3 (MEDIUM)
Tools Required SoftIce 3.xx, Hex Workshop.

Disclaimer: Please note, the information herein is copyright to Hellforge. No portion of this text may be duplicated. Furthermore, damage or problems arising after reading this text are left to the user's disposal. Neither Hellforge, nor its members can be held responsible for any direct or indirect result of following this text. The full liability of following this text is on the reader (YOU). The information is provided for educational purposes, misuse of this information is strictly prohibited. If you do not agree with this agreement, then please hit the "back" button on your browser, and go to hell. - Mercution.
 

Introduction


 

Today we will examine another crackme that requires a little bit of thinking: one formula will be enough to reverse this program. The protection is decent, so we will have to concentrate on instructions like ROL, ROR and XOR.
We have to find the right serial to get the good message box; the whole protection consists of a couple of small loops. For those who are new to this, I recommend printing this tutorial.
 

Tutorial


 

Let’s begin….

1:- Execute the program and type 8 digits in the edit box. { Why 8? The reason will be explained when we reach the first loop. As the serial you can type 11115432; use the same numbers so that the values below match… }
2:- Activate SoftIce and type bpx getdlgitemtexta { SoftIce will break on this API… }
3:- Press Enter and then F5 and you are back in Windows.
4:- Press the 'Check it' button and you will be in SoftIce immediately.
5:- Press F11 and you should land at the following position…

0040119F CALL 004011D7

What comes after this call does not matter at the moment, so press F8 to step into the CALL. You will see the following code…

004011D7    MOV    ESI, ESP                 { The value of ESP is MOVed into ESI… }
004011D9    XOR    EAX, EAX                 { Xor EAX with EAX => EAX=0… }
004011DB    XOR    EBX, EBX                 { Xor EBX with EBX => EBX=0… }
004011DD    XOR    ECX, ECX                 { Xor ECX with ECX => ECX=0 (this becomes the character counter)… }
004011DF    XOR    EDX, EDX                 { Xor EDX with EDX => EDX=0… }
004011E1    CALL   00401272                 { Important Call; press F8 again to step into it and you will see: }

00401272    MOV    EDX, 004030F4            { The address of your serial is MOVed into EDX }
00401277    CMP    BYTE PTR [EDX+ECX], 00   { Takes the char at index ECX and compares it with 0h, the terminating NUL }
0040127B    JZ     00401295                 { Jump if there are no chars left }
0040127D    CMP    ECX, 03                  { Only the first 4 chars (ECX = 0..3) get the range check [30h-39h] = '0'..'9'; from the 5th char on it is skipped }
00401280    JG     0040128E                 { Jumps if ECX is Greater than 3 }
00401282    CMP    BYTE PTR [EDX+ECX], 30   { CoMPare the byte with 30h ('0')… }
00401286    JB     00401291                 { Jump (to the bad routine) if Below… }
00401288    CMP    BYTE PTR [EDX+ECX], 39   { CoMPare the byte with 39h ('9')… }
0040128C    JA     00401291                 { Jump (to the bad routine) if Above… }
0040128E    INC    ECX                      { Increase ECX… ECX=ECX+1… }
0040128F    JMP    00401277                 { JuMP to the beginning of the loop… }
00401291    INC    ECX                      { Bad routine… increases ECX by 1, so ECX is not zero on return }
00401292    XOR    EBX, EBX                 { Xor EBX with EBX => EBX=0, the failure flag… }
00401294    RET                             { Exit from the CALL… }
00401295    MOV    EBX, 01                  { EBX takes the value 1 (success); ECX holds the length of the serial… }
0040129A    RET                             { Exit from the CALL… }

Comments about the last loop:
This loop checks whether your first 4 chars are digits. If they are not, it returns EBX=0 and the caller jumps to the bad message. The program does not care what the chars after the first 4 are, which is exactly what lets us put arbitrary bytes there later. The other thing it does is count the length of the serial in ECX (it stops at the first zero byte). You will see shortly what that length has to be.

Let’s continue tracing…We get here:

004011E6    JCXZ   0040125C                 { Checks the length counted by the loop. If it is zero it jumps to the 'bad' message that tells you that you did not enter anything; otherwise it carries on… }
004011E9    TEST   EBX, EBX                 { Checks the flag returned by the loop… }
004011EB    JZ     00401230                 { If EBX=0 (a non-digit among the first 4 chars) then jump to the 'bad' message… }
004011ED    CMP    ECX, 08                  { CoMPares the length of the serial with 8. To reach the main calculation the length must be exactly 8… }
004011F0    JNZ    00401230                 { JuMP to the 'bad' message if (length of serial)-8 is Not Zero… }
004011F2    MOV    EBX, 0040309C            { Loads the address of the string 'Bjanes' into EBX… }
004011F7    MOV    EBX, [EBX]               { Loads the 4 bytes at that address as one dword. x86 is little-endian, so the bytes appear reversed. Let's see. 1:- Only the first 4 chars count, 'Bjan', and read backwards they give 'najB'.
       2:- The hex values of those chars are 6E 61 6A 42, so EBX = 6E616A42. You will see this number in the register as you step over this instruction… }
004011F9    MOV    ECX, 004030F4            { The address of our serial is now in ECX… }
004011FE    MOV    ECX, [ECX]               { The same thing here: the first 4 chars of the serial as a little-endian dword. If you entered 11115432 you will see ECX=31313131… }
00401200    ROL    ECX, 08                  { Rotates the Operand Left: all 32 bits are rotated by 8 positions. With four identical bytes nothing visibly changes and ECX stays 31313131, but with a different start the bytes do move… }
00401203    ROR    EBX, 08                  { Rotates the Operand Right: all 32 bits are rotated by 8 positions. After this instruction EBX=426E616A; you can see that 42 has moved from the last position to the first… }
00401206    IMUL   EBX, ECX                 { MULtiplies the two operands, EBX:=EBX*ECX; only the low 32 bits of the product are kept… }
00401209    SHL    EBX, 02                  { EBX:=EBX*2^2; the two top bits are shifted out and lost… }
0040120C    MOV    ECX, 004030F4            { Our serial's address is in ECX again… }
00401211    MOV    ECX, [ECX+04]            { Loads the last 4 chars of the serial into ECX, again in reverse (little-endian) order. When we find the real serial we will have to reverse it back. Assume you entered 1 1 1 1 X1 X2 X3 X4 as the serial; after this instruction ECX=X4X3X2X1… }
00401214    MOV    EDX, 0040309C            { Loads the address of the string 'Bjanes' into EDX again… }
00401219    MOV    EDX, [EDX]               { MOVes 6E616A42 into EDX, again reversed… }
0040121B    ADD    ECX, EDX                 { ADDition of the 2 operands, ECX:=ECX+EDX (32-bit, a carry out of the top is lost)… }
0040121D    SHR    ECX, 02                  { ECX:=ECX div 2^2; the two low bits are discarded… }
00401220    PUSH   004030F4                 { Pushes the address of the serial on the stack… Interesting, why did he do that??? }
00401225    PUSH   004030A3
0040122A    CALL   0040129B                 { The CoMParing CALL… Let's see what happens there… }

0040129B    XOR    EBX, ECX                 { XORs EBX with ECX… }
0040129D    JNZ    00401230                 { The result is zero only if EBX and ECX were equal before the XOR, and that is what you need for the good message… }

Comments:
That was the last part of the code we had to trace. Here the serial is calculated, almost entirely with math instructions. Our aim is to find the second part of the serial. It is calculated from the first part, so the first part can be kept constant. The next part of the tutorial shows how to get the serial…

Strategy for getting the serial:

Let us look at the information we have gathered so far. We have reached the code where the serial is calculated. First I am going to write the calculation with the register names { they stand for the values }, then we will use a calculator to get the serial.
The serial calculation can be written like this (every value is 32 bits wide):

EBX*ECX_1*4=( EDX+ECX_2 ) / 4

ECX_1 :- represents our ROLed first part of the serial, that is 31313131
EBX   :- represents 426E616A { this is our RORed 6E616A42, 'najB' }
EDX   :- represents 6E616A42 { 'najB' }
ECX_2 :- represents the second part of the serial, that is X4X3X2X1.

Let's use some math to simplify the formula:

The 4 on the right side can be moved to the other side. But do not forget we are dealing with hex numbers, and 4*4=10h.

So we get:
  EBX*ECX_1*10=( EDX+ECX_2 )
  EBX*ECX_1*10-EDX=ECX_2
Do you see how easily we reached the last step? Now let's put in the values and get ECX_2:
  (426E616A)*(31313131)*10-(6E616A42)=ECX_2
Use a calculator in 32-bit hex mode to get the value of ECX_2: the CPU keeps only the low 32 bits of the multiplication and of the shift, so the calculator has to throw away the overflow the same way. Check it against mine; it should be 029D8A5E.
{ Two caveats that follow from the listing: SHR ECX,02 throws away the two low bits of EDX+ECX_2, so 029D8A5F, 029D8A60 and 029D8A61 pass just as well; and because the SHR leaves a value below 40000000h, a start whose EBX*ECX_1*4 (mod 2^32) comes out at 40000000h or above has no second part at all. }

Remember we were talking about the reversed byte order. Here it matters: 029D8A5E represents X4X3X2X1, but we have to enter X1X2X3X4, so we reverse it byte by byte: 5E 8A 9D 02

It is time to use a hex editor:
The bytes 8Ah, 9Dh and 02h cannot be typed on the keyboard, so open any text file, replace 4 bytes with 5E 8A 9D 02, save the changes and open the file in a program you can copy from. Copy those 4 characters, paste them after 1111 in the edit box and press the 'Check it' button. Nothing is better than seeing the good message.

Serial: 1111^Š { the bytes 9Dh and 02h that follow do not print }
End.
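The two routines traced above, the character-and-length loop at 00401272 and the calculation from 004011F2 to the comparison at 0040129D, as an added Python model. This is example code written for this tutorial, not the crackme's own code: the constants (6E616A42 for 'Bjan', ROL/ROR by 8, SHL/SHR by 2, the length of 8) come from the listing, while the function names and the sample serials are my own. It goes one step further than the calculator: solve() returns None for a start that can never match, which is the reason some 4-digit starts have no serial.

```python
# Added example for the Borna Janes crackme 1 tutorial (not the crackme's own code).
# Models the check loop at 00401272 and the serial calculation at 004011F2..0040129D.
import struct

MASK32 = 0xFFFFFFFF
NAME_DWORD = struct.unpack("<I", b"Bjanes"[:4])[0]   # MOV EBX,[0040309C] -> 0x6E616A42


def rol32(x: int, n: int) -> int:
    """32-bit rotate left, like the ROL ECX,08 in the listing."""
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK32


def ror32(x: int, n: int) -> int:
    """32-bit rotate right, like the ROR EBX,08 in the listing."""
    n %= 32
    return ((x >> n) | (x << (32 - n))) & MASK32


def check_chars(serial: bytes):
    """Model of the loop at 00401272.

    Returns (length, ok) the way the routine leaves (ECX, EBX): the walk stops at
    the first NUL byte, only the first four characters must be '0'..'9', and the
    bytes after them are never inspected.
    """
    length = 0
    for i, c in enumerate(serial):
        if c == 0:                              # CMP BYTE PTR [EDX+ECX],00 ; JZ
            break
        if i <= 3 and not (0x30 <= c <= 0x39):  # range check only while ECX <= 3
            return i + 1, False                 # bad path: INC ECX ; XOR EBX,EBX ; RET
        length += 1
    return length, True                         # MOV EBX,01 ; RET


def expected_second_half(first4: bytes) -> int:
    """EBX as it stands after SHL EBX,02: (ROR(name,8) * ROL(first4,8)) << 2, mod 2^32."""
    ecx1 = rol32(struct.unpack("<I", first4)[0], 8)   # MOV ECX,[serial] ; ROL ECX,08
    ebx = ror32(NAME_DWORD, 8)                        # MOV EBX,[name]   ; ROR EBX,08
    ebx = (ebx * ecx1) & MASK32                       # IMUL EBX,ECX (low 32 bits only)
    return (ebx << 2) & MASK32                        # SHL EBX,02 (top bits lost)


def check_serial(serial: bytes) -> bool:
    """Full model of 004011E1..0040129D: True exactly when the crackme shows the good message."""
    length, ok = check_chars(serial)
    if length == 0 or not ok or length != 8:          # JCXZ ; TEST EBX,EBX/JZ ; CMP ECX,08/JNZ
        return False
    ebx = expected_second_half(serial[:4])
    ecx = struct.unpack("<I", serial[4:8])[0]         # MOV ECX,[serial+4]
    ecx = ((ecx + NAME_DWORD) & MASK32) >> 2          # ADD ECX,EDX ; SHR ECX,02
    return ebx == ecx                                 # XOR EBX,ECX ; JNZ bad


def solve(first4: bytes):
    """Return the 4 trailing bytes for a 4-digit start, or None when no serial exists.

    SHR ECX,02 leaves a value below 2^30, so a start whose EBX (after the SHL) is
    2^30 or more can never match.  Otherwise four values pass (the SHR discards two
    bits); this returns the lowest one, which is the tutorial's formula
    EBX*ECX_1*10h - EDX evaluated mod 2^32.
    """
    if len(first4) != 4 or not all(0x30 <= c <= 0x39 for c in first4):
        return None
    ebx = expected_second_half(first4)
    if ebx >= 1 << 30:
        return None
    ecx2 = ((ebx << 2) - NAME_DWORD) & MASK32
    return struct.pack("<I", ecx2)                    # back to X1 X2 X3 X4 order


if __name__ == "__main__":
    for start in (b"1111", b"9876", b"2000"):        # sample starts taken from the tutorial
        tail = solve(start)
        print(start.decode(), "->", tail.hex() if tail else "no serial")
    print(check_serial(b"1111" + solve(b"1111")))
```

Running it prints 5e8a9d02 for the start 1111, the bytes 5E 8A 9D 02 derived above, and "no serial" for 9876 and 2000. The returned bytes can be written to a file with a one-liner instead of a hex editor, which avoids the copy-and-paste step for the unprintable bytes.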
 

Final Thoughts


 

To test whether you understood the idea behind cracking this crackme, try to find another serial. There are many serials for this program: just enter something other than 1111 as the first 4 digits and redo the calculation. But there is no serial for every start: the SHR leaves a value below 40000000h, so a start whose EBX*ECX_1*4 (mod 2^32) comes out at 40000000h or above can never match. 9876 and 2000, for example, have no serial.
Take care...
 

Greetings to...


 

All members from Genocide Crew, {czDrillard congrats with receiving Council status; Gandalf thanks for .gif}
http://www.genocidecrew.cjb.net/

All members from Hellforge  { LaZaRuS, Acid_Cool_178, Ac|dfusion, Dark_Wolf, Mercution…}
Enormous thanks go to Acid_Cool_178 and Mercution { his design of this tut } for providing me with LOGOs
http://www.kickme.to/Hellforge

tHe CrEaM members   { For their good intention to help everybody }

Cool coders:
        Terminal Cilla, AntiXrist, Chafe, The+Q, LaZaRuS, defiler, Lucifer48,
        CzDrillard { he is great at making good math algos }
Reversers  :
        SiFLyiNG, mIST, zvem, TSCube, Marton, and everybody I forgot to add..
Everybody who writes tutorials, { what a hard job}
 

The end.

Any mistakes, corrections, or comments may be mailed to the members individually, or to the group : hellforge@hellforge.org.