| Author | Falcon |
| Target | cyTom!c's Crackme #2 |
| Public Release | Friday, 23 of June, 2000 |
| Author Contact | falcon_geno@mail.ru |
| Dedication | Irwin Shaw |
| Difficulty Level (1..7) | 2-3 (EASY-MEDIUM) |
| Tools Required | SoftIce 3.xx; Hex WorkShop |
Ok, crackers, today I am going to explain how to crack another CrackMe with keyfile protection. The crackme we're going to examine requires restoring some text in the file to make the program say that we are a registered user. The author of the CrackMe also asked us to create a keymaker, so let's do that as well; the compiled file with source you can find in the other zip that was enclosed.
  The crackme is not so hard; the hard part is to create the right keymaker. To make it, let's examine what the program does itself. If you understand the algorithm, you will easily be able to restore the text that your keyfile needs, and coding a keymaker will be easier.
This is my second tutorial on keyfiles, so I will try to make it very clear. If you're ready then...
 
Let's begin....
1)-The first thing we need to do is find the name of the correct keyfile; once we have it we can work out the correct contents.
2)-Execute the program and you will see that it says it could not find the correct keyfile... We need to set a good breakpoint that will give us the name of the keyfile. So, activate Soft-Ice and set bpx CreateFileA.
3)-Press ENTER and you should be back in Windows.
4)-Press the 'Try again' button and Soft-Ice is activated...press F11 once and you will see this code...
0040416A    CALL    KERNEL32!CreateFileA
0040416F    CMP     EAX,-01
00404172    JZ      0040419D
The first line of this code returns a value in the EAX register: CreateFileA tries to open the keyfile in the same directory as the CrackMe. If the file does not exist, EAX becomes FFFFFFFF, i.e. -01.
The second line compares EAX with -01; if they are equal (there is no correct keyfile), the third line jumps to 'Invalid KeyFile'.
So, to find the correct file name, scroll the program code up a little and you will see this piece of code:
00404165    PUSH    EAX
00404166    LEA     EAX,[EBX+48]    {LEA loads the effective address where the name of the correct keyfile is located. The only thing you have to do is type d ebx+48, and in the data window you will see the name of the correct keyfile; it should be.....ctm_cm02.key}
00404169    PUSH    EAX
Quit Soft-Ice and create a file with this name and extension. I also advise you to edit it a little: since it is a new file, type your nick into it, or anything you can easily distinguish from other text; soon you will see why.
Now let's move to the second objective, which is to find the correct contents of the file... Let's roll further...
Once you have created the file, do the same procedure to get into Soft-Ice, and you will see that the program now passes through
00404172    JZ      0040419D
without jumping to 'Invalid KeyFile'... Ok, let's see the next piece of code.
Trace the program code until you get here.....
00426592    CALL    004026E4        {This is a crap CALL, do not even go inside it}
00426597    TEST    EAX,EAX         {This command checks if the value of EAX is zero}
00426599    JNZ     00426705        {Jump to 00426705 if it is not zero}
0042659F    LEA     EAX,[EBP+FFFEFEA8]
004265A5    CALL    00403F04        {To see the code inside this CALL, press F8 and you will see...}
00403F04    PUSH    EBX             {Stores the value of the EBX register on the stack}
00403F05    MOV     EBX,EAX         {The value of EAX is MOVed to EBX....EBX=EAX}
00403F07    MOV     EDX,[EBP+04]    {Here you will see that EDX becomes equal to D7B3h}
00403F0A    SUB     EDX,0000D7B1    {Subtraction...EDX=EDX-D7B1=2}
00403F10    CMP     EDX,02          {CoMPares EDX and 2...}
00403F13    JA      00403F34        {Jump if the value of EDX is above 2}
00403F15    PUSH    00              {Stores 00}
00403F17    PUSH    DWORD PTR [EBX]
00403F19    CALL    KERNEL32!GetFileSize    {This procedure returns the size of the file you're working with}
00403F1E    CMP     EAX,-01         {CoMPares EAX with -01 or FFFFFFFF}
00403F21    JZ      00403F2A        {Jump to 'Bad boy' if EAX=FFFFFFFF}
00403F23    XOR     EDX,EDX         {The value of EDX becomes 0}
00403F25    DIV     DWORD PTR [EBX+08]    {Divides EAX by the value located at d ebx+08...It is 1}
00403F28    POP     EBX             {Restores the last PUSHed value into the EBX register}
00403F29    RET                     {Exits from the CALL}
004265AA    CALL    004026A8        {This one is a crap CALL, do not even go there for code}
004265AF    MOV     [EBP-04],EAX    {The size of your keyfile goes to address [ebp-04]}
004265B2    CMP     DWORD PTR [EBP-04],00    {CoMPares the file size with 0}
004265B6    JNZ     004265CD        {Jump if the file size is not equal to 0}
004265B8    MOV     EDX,00426764    {Else you go to this piece of code, and from here you jump to 'Invalid'}
004265BD    MOV     EAX,[EBX+000001B0]
004265C3    CALL    00411C94
004265C8    JMP     004266F5
004265CD    CMP     DWORD PTR [EBP-04],00010000    {Your file size is CoMPared with 10000h}
004265D4    JLE     004265DD        {Jump if the file size is Less or Equal}
004265D6    MOV     DWORD PTR [EBP-04],00010000    {Else the file size is set to 10000h}
004265DD    PUSH    00              {Stores a zero value on the stack}
004265DF    LEA     EDX,[EBP+FFFEFFFC]
004265E5    MOV     ECX,[EBP-04]    {The file size is MOVed to ECX}
004265EE    CALL    00403E64        {This is a crap CALL, it again checks if the file size is bigger than 0}
004265F3    CALL    004026A8        {This is also a crap CALL...Funny things are below}
004265F8    PUSH    EBX
004265F9    PUSH    EDI
004265FA    PUSH    ESI
004265FB    LEA     ESI,[EBP-04]    {Moves the effective address of the file size to ESI}
004265FE    MOV     ECX,[ESI]       {Again, the file size is MOVed to ECX}
00426600    LEA     ESI,[EBP+FFFEFFFC]    {The address of your keyfile contents is moved to ESI. Type d esi and you will see the text from your keyfile. Here is the most significant part of the code, all the calculations start here, so do not sleep}
00426606    LEA     EDI,[EBP+FFFEFFFB]    {The address, shifted one byte left, is also moved to EDI}
0042660C    XOR     EAX,EAX         {XORing EAX with EAX...EAX=0}
0042660E    OR      EDX,-01         {EDX=EDX or -01, so EDX=FFFFFFFF}
00426611    XOR     EBX,EBX         {EBX=0}
00426613    INC     EAX             {EAX is increased by 1...EAX=1}
00426614    NOT     EDX             {Inverts all bits of the operand...EDX=not EDX=0}
00426616    MOV     BL,[EDX+ESI]    {As the counter increases, the program moves the chars one by one, until the char with code 00, into the BL register}
00426619    TEST    BL,BL           {TEST ANDs the two operands without storing the result; if the result is zero, the zero flag is set}
0042661B    JZ      00426646        {Jump if the zero flag is set, i.e. if BL is 00}
0042661D    CALL    00426638        {In this CALL the program stores your name in another string; this user name will be displayed if you find the good contents of the file}
00426622    PUSH    EDX             {Stores the value of the EDX register on the stack}
00426623    MUL     EBX             {MULtiplication...EAX=EAX*EBX}
00426625    POP     EDX             {POP restores the value of EDX from the stack}
00426626    XOR     EAX,63546D32    {XORing....EAX=EAX xor 63546D32h}
0042662B    INC     DL              {Here DL is our counter...Increase DL by 1}
0042662D    CMP     EDX,ECX         {CoMPares EDX and ECX; if you remember, ECX holds our file size, so the counter DL is compared with the file size}
0042662F    JZ      00426673        {We must not allow this jump to be taken, so we have to edit OUR KEYFILE a little:}
1)-Clear the current breakpoint....bc *
2)-Set a new one, typing bpx 00426614
3)-De-activate SoftIce and execute Hex WorkShop
4)-Open our keyfile with it and type your nick there
5)-Right after your nick write a char with code 00h
6)-After the char with code 00, type any 4 bytes. Soon you will see why I asked you to do that..
7)-When you have done it, go back to the program code where we stopped..
00426631    CMP     DL,FF           {CoMPares DL (the counter) with 255...This is the maximum length for the string}
00426634    JZ      00426673        {Jump if DL is equal to 255}
00426636    JMP     00426616        {Unconditional Jump to the start of this loop}
COMMENTS:
    Ok, after this loop we get the idea of what happens there. So, the situation is like this:
        IF <code of char> is not 00h then do Calculations;
        Else Goto the program code that follows the calculations...
00426646    CALL    00426638        {I mentioned this CALL before. It stores the last char in the new string that displays the UserName in the main form (if you find the correct contents)}
0042664B    INC     EDX             {Shifts the address past the zero char...Increase EDX by 1}
0042664C    ADD     EDX,04          {ADDition...EDX=EDX+4}
0042664F    CMP     ECX,EDX         {CoMPares the two operands, ECX (our file size) and EDX (our counter)... I mentioned this too: the file should consist of your Nick, a char with code 00, and 4 more chars (any). If this condition does not apply, then....}
00426651    JNZ     00426673        {...it jumps to the 'Invalid KeyFile'}
00426653    SUB     EDX,04          {Subtraction..EDX=EDX-04}
00426656    TEST    EAX,EAX         {Checks if EAX is zero}
00426658    JBE     0042665C        {Jump if Below or Equal, i.e. skip the shift when EAX is zero}
0042665A    SHR     EAX,1           {SHift the operand Right by 1 bit..In fact it is Division by 2}
0042665C    CMP     EAX,[EDX+ESI]   {If you reach this line, you can consider that you have found the right contents of the file....At the address d EDX+ESI are those 4 chars I was talking about. You can see them in the Data Window. So, you see the value of EAX...it corresponds to x1x2x3x4; you have to write it in reverse order, so it will be x4x3x2x1 (Write down this number, go to Hex WorkShop and write it after the 00 char)..
That's it, you just had to know the value of the EAX register; as you can see these are straightforward calculations, that's why the crackme is not so hard...}
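The keyfile check traced above, re-implemented as an added example (not the crackme's or the author's code): the loop multiplies EAX by each nick byte and XORs with 63546D32h, the result is halved unless it is zero, and it is compared with the 4 bytes after the 00 char read as a little-endian DWORD (that is the x4x3x2x1 reversal). The file layout and the function names are my assumptions from the trace.

```python
import struct

XOR_KEY = 0x63546D32   # constant at 00426626 in the listing
MASK32 = 0xFFFFFFFF    # MUL EBX keeps only the low 32 bits in EAX (EDX is POPped back)
MAX_LEN = 0xFF         # CMP DL,FF at 00426631
MAX_READ = 0x10000     # file size is clamped to 10000h at 004265D6


def checksum(nick: bytes) -> int:
    """Replay the loop at 00426616..00426636 over the nick bytes."""
    eax = 1                                 # XOR EAX,EAX ; INC EAX
    for ch in nick:
        eax = (eax * ch) & MASK32           # MUL EBX (low half only)
        eax ^= XOR_KEY                      # XOR EAX,63546D32
    # TEST EAX,EAX ; JBE skips the SHR when EAX is already zero
    return eax >> 1 if eax else 0           # SHR EAX,1


def make_keyfile(nick: bytes) -> bytes:
    """Assumed layout from the trace: nick, 00 char, 4-byte little-endian value."""
    if b"\x00" in nick or len(nick) >= MAX_LEN:
        raise ValueError("nick must be at most 254 bytes and contain no 00 char")
    return nick + b"\x00" + struct.pack("<I", checksum(nick))


def verify_keyfile(data: bytes) -> bool:
    """Mirror the checks the crackme applies to the file contents."""
    size = min(len(data), MAX_READ)         # CMP [EBP-04],10000h clamp
    if size == 0:                           # CMP [EBP-04],00 -> Invalid
        return False
    data = data[:size]
    nul = data.find(b"\x00")
    if nul == -1 or nul >= MAX_LEN:         # counter hit file size or 255 -> Invalid
        return False
    if size != nul + 1 + 4:                 # CMP ECX,EDX after INC EDX / ADD EDX,4
        return False
    expected = struct.unpack_from("<I", data, nul + 1)[0]
    return checksum(data[:nul]) == expected # CMP EAX,[EDX+ESI]
```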
If you have anything to say (criticism or ...anything), mail me...
I hope it gave you some more experience working with files; with this information you can crack similar programs..
 
 
A good practice crackme. Here you can practice your skills in working with files..
 
All members from Genocide Crew,
http://www.genocidecrew.cjb.net/
All members from Hellforge { Mercution, Acid_Cool_178, Ac|dfusion, Dark_Wolf, BiSHoP... }
Enormous thanks go to Acid_Cool_178 and Mercution {his design of this tut} for providing me with LOGOs
http://kickme.to/hforge2k
tHe CrEaM members { For their good intent to help everybody }
ImmortalDescendants
People-Elite
To everyone who makes tutorials...
Cool coders:
    Terminal Cilla, AntiXrist, Chafe, The+Q, LaZaRuS, Lucifer48, FatboyJoe (great coder)
    CzDrillard { he is great at making good Math algos }
Reversers:
    Yates, TSCube, and everybody I forgot to add..
 
Any mistakes, corrections, or comments may be mailed to the members individually, or to the group: hellforge@hellforge.org.