2000-05-25
Tutorial for Crackme id:9 (tC...)
by Sanhedrin
Tools
Wdasm
Softice
PEEK
--PART ONE--
This crackme requires an unlock code before it allows you to enter your name and serial number.
First thing to do is to disassemble and look at the binary text with PEEK. Nothing too
unusual in the binary text, but something stands out at 004442FF. The String Data Reference
to "CrackMe [id:9] by tC... ." is in an unusual place for something that is in the about dialog
box. Furthermore, there is another "CrackMe [id:9] by tC... .Today". Just a clue, but perhaps
it has something to do with the unlock code. So, enter an unlock code
12344321
go into softice and enter the breakpoint
bpx hmemcpy
go back to the crackme and enter another number in the unlock code box.
Once in softice, disable the breakpoints and press F12 until you end up at:
:004442DE 8BD8 mov ebx, eax
:004442E0 33C0 xor eax, eax
:004442E2 55 push ebp
:004442E3 6875434400 push 00444375
:004442E8 64FF30 push dword ptr fs:[eax]
:004442EB 648920 mov dword ptr fs:[eax], esp
:004442EE 8D55FC lea edx, dword ptr [ebp-04]
:004442F1 8B83C4020000 mov eax, dword ptr [ebx+000002C4]
:004442F7 E898F9FDFF call 00423C94
:004442FC 8B45FC mov eax, dword ptr [ebp-04]<----you will land here
* Possible StringData Ref from Code Obj ->"CrackMe [id:9] by tC... ."
|
:004442FF BA88434400 mov edx, 00444388
:00444304 E83BF8FBFF call 00403B44<---call the compare code routine
:00444309 7507 jne 00444312<----jump if not the same
:0044430B E8BCFFFFFF call 004442CC
:00444310 EB4D jmp 0044435F
//SNIP//
* Possible StringData Ref from Code Obj ->"Please enter your name and serial..."
|
:0044434F BAAC434400 mov edx, 004443AC
:00444354 8B83F0020000 mov eax, dword ptr [ebx+000002F0]
:0044435A E8FDF4FFFF call 0044385C
//SNIP//
* Possible StringData Ref from Code Obj ->"UnlockCode needed..."
|
:00444405 BA20444400 mov edx, 00444420
Interesting place to land! At 00444304 (call 00403B44) press F8 and you will end up at:
:00403B44 53 push ebx<---you will land here
:00403B45 56 push esi
:00403B46 57 push edi
:00403B47 89C6 mov esi, eax<---move our # to esi
:00403B49 89D7 mov edi, edx<---move real # to edi
:00403B4B 39D0 cmp eax, edx<---compare our # to real #
:00403B4D 0F848F000000 je 00403BE2<---jump if the same
:00403B53 85F6 test esi, esi
:00403B55 7468 je 00403BBF<---jump if no number is entered
:00403B57 85FF test edi, edi
:00403B59 746B je 00403BC6
:00403B5B 8B46FC mov eax, dword ptr [esi-04]<---count our number of digits
:00403B5E 8B57FC mov edx, dword ptr [edi-04]<---count the amount in real #
:00403B61 29D0 sub eax, edx<---subtract real number from our number
:00403B63 7702 ja 00403B67<---jump if greater than 0
:00403B65 01C2 add edx, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403B63(C)
|
:00403B67 52 push edx
:00403B68 C1EA02 shr edx, 02
:00403B6B 7426 je 00403B93
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403B89(C)
|
:00403B6D 8B0E mov ecx, dword ptr [esi]
:00403B6F 8B1F mov ebx, dword ptr [edi]
:00403B71 39D9 cmp ecx, ebx
:00403B73 7558 jne 00403BCD<---check 1st four numbers jump if not the same
:00403B75 4A dec edx
:00403B76 7415 je 00403B8D
:00403B78 8B4E04 mov ecx, dword ptr [esi+04]
:00403B7B 8B5F04 mov ebx, dword ptr [edi+04]
:00403B7E 39D9 cmp ecx, ebx
:00403B80 754B jne 00403BCD<---check 2nd four numbers jump if not the same
:00403B82 83C608 add esi, 00000008
:00403B85 83C708 add edi, 00000008
:00403B88 4A dec edx
:00403B89 75E2 jne 00403B6D<---finished all the numbers? Repeat process if no
:00403B8B EB06 jmp 00403B93<---jump when finished the first 24 numbers
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403B76(C)
|
:00403B8D 83C604 add esi, 00000004
:00403B90 83C704 add edi, 00000004
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00403B6B(C), :00403B8B(U)
|
:00403B93 5A pop edx
:00403B94 83E203 and edx, 00000003
:00403B97 7422 je 00403BBB
:00403B99 8B0E mov ecx, dword ptr [esi]
:00403B9B 8B1F mov ebx, dword ptr [edi]
:00403B9D 38D9 cmp cl, bl<---compare 25th #
:00403B9F 7541 jne 00403BE2<---jump if not the same
:00403BA1 4A dec edx<---decrease the count on our # by one
:00403BA2 7417 je 00403BBB<---jump if zero
:00403BA4 38FD cmp ch, bh
:00403BA6 753A jne 00403BE2
:00403BA8 4A dec edx
:00403BA9 7410 je 00403BBB
:00403BAB 81E30000FF00 and ebx, 00FF0000
:00403BB1 81E10000FF00 and ecx, 00FF0000
:00403BB7 39D9 cmp ecx, ebx
:00403BB9 7527 jne 00403BE2
//SNIP//
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00403B4D(C), :00403B9F(C), :00403BA6(C), :00403BB9(C), :00403BBD(U)
|:00403BC4(U), :00403BCB(U), :00403BD0(C), :00403BD4(C), :00403BDE(C)
|
:00403BE2 5F pop edi
:00403BE3 5E pop esi
:00403BE4 5B pop ebx
:00403BE5 C3 ret<---return
Here is where things get a little strange. We know what the first 24 characters should be,
and we know that the last character should be a period. I have to admit that I got lost in
the code somewhat here, but here is what works. Either enter another space after the last
period, or delete the period after you have entered it. I am not sure if this is a bug, or
planned for, but it threw me for a bit of a loop (tC informs me that it was an
intentional annoyance). So the Unlock Code is:
CrackMe [id:9] by tC... . 
                       ^ ^
Spaces before and after the last period.
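The length fields read from [esi-04] and [edi-04] show that 00403B44 is a Delphi long-string
compare: the pointer passed in EAX/EDX points at the characters and the length sits four
bytes in front of them. The C below is an added example, not code from the tutorial or from
the crackme, that rebuilds that layout and re-implements the compare exactly as the annotated
listing shows it: the common prefix is compared a dword at a time, the 0..3 leftover bytes one
at a time, which is why a 25-character unlock code has its final period checked in the
"compare 25th #" tail. The names DelphiStr, make_delphi_str, delphi_len and delphi_lstrcmp
are my own; it is assumed that a nil pointer counts as the empty string and that the snipped
code at 00403BBB reports the length difference when all common bytes match.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Layout of a Delphi long string as the listing implies: the pointer the
   program passes around points at the first character, and the length is
   stored 4 bytes in front of it (the `mov eax, [esi-04]` above). The
   reference count in front of the length is not used here. Constructed
   for this example. */
typedef struct {
    int32_t refcount;
    int32_t length;
    char    data[];          /* characters followed by a terminating NUL */
} DelphiStr;

/* Build a Delphi-style string and return the data pointer, the value the
   crackme's own code keeps in EAX/EDX. Hypothetical helper. */
const char *make_delphi_str(const char *s, size_t n)
{
    DelphiStr *h = malloc(sizeof *h + n + 1);
    if (h == NULL) abort();
    h->refcount = 1;
    h->length   = (int32_t)n;
    memcpy(h->data, s, n);
    h->data[n]  = '\0';
    return h->data;
}

/* mov eax, dword ptr [esi-04]: the length lives in front of the data. */
int32_t delphi_len(const char *p)
{
    int32_t n;
    memcpy(&n, p - 4, sizeof n);
    return n;
}

/* Re-implementation of the compare routine at 00403B44 as the annotated
   listing shows it. Returns 0 when the strings are identical and a
   non-zero value otherwise; the caller at 00444309 only tests the zero
   flag. Assumed: a nil pointer behaves as the empty string (the nil
   checks branch into snipped code), and the snipped tail at 00403BBB
   reports the length difference once all common bytes match. */
int delphi_lstrcmp(const char *ours, const char *real)
{
    if (ours == real) return 0;                      /* cmp eax, edx ; je */

    int32_t la = ours ? delphi_len(ours) : 0;        /* test esi, esi */
    int32_t lb = real ? delphi_len(real) : 0;        /* test edi, edi */
    int32_t n  = la < lb ? la : lb;                  /* sub / ja / add -> min length */

    const unsigned char *a = (const unsigned char *)ours;
    const unsigned char *b = (const unsigned char *)real;

    /* shr edx, 02: compare the common prefix a dword (4 chars) at a time.
       The original unrolls two dwords per pass; the outcome is the same. */
    for (int32_t i = 0; i < (n >> 2); ++i) {
        uint32_t ca, cb;
        memcpy(&ca, a + 4 * i, sizeof ca);
        memcpy(&cb, b + 4 * i, sizeof cb);
        if (ca != cb) return 1;                      /* jne 00403BCD */
    }

    /* and edx, 03: the 0..3 leftover characters are compared one byte at
       a time (cmp cl,bl / cmp ch,bh / masked third byte). With a 25-char
       unlock code this is where the final '.' is checked. */
    for (int32_t i = n & ~3; i < n; ++i)
        if (a[i] != b[i]) return 1;                  /* jne 00403BE2 */

    return la - lb;                                  /* assumed tail: length difference */
}

int main(void)
{
    /* Constructed sample strings: the real code, a 25th-char mismatch,
       and a 24-char prefix. */
    const char *real   = make_delphi_str("CrackMe [id:9] by tC... .", 25);
    const char *ours   = make_delphi_str("CrackMe [id:9] by tC... x", 25);
    const char *prefix = make_delphi_str("CrackMe [id:9] by tC... ", 24);

    printf("len(real) from [ptr-4] = %d\n", delphi_len(real));
    printf("real vs real   : %d\n", delphi_lstrcmp(real, real));
    printf("real vs ours   : %d (25th char differs)\n", delphi_lstrcmp(real, ours));
    printf("prefix vs real : %d (24 bytes match, length differs)\n", delphi_lstrcmp(prefix, real));
    return 0;
}
```

With a 25-character code the dword loop covers 24 characters (6 dwords) and the remainder loop
compares only the last byte, matching the "cmp cl, bl<---compare 25th #" annotation in the listing.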
--PART TWO--
Notice that you can enter your name and serial number, and that the Register button is enabled.
So, enter your name and serial number
Sanhedrin
12344321
enter softice and place a breakpoint
bpx hmemcpy
and press Register
Once we have broken into softice, disable the breakpoint, press F12 a few times and we will be at:
:0044477E 8B55F8 mov edx, dword ptr [ebp-08]<---we will land here
:00444781 B868684400 mov eax, 00446868
Press F10 until
//SNIP//
:00444848 E813FCFFFF call 00444460<---first important call - STOP here
:0044484D E81EFEFFFF call 00444670<---second important call
:00444852 A150684400 mov eax, dword ptr [00446850]
:00444857 3B0554684400 cmp eax, dword ptr [00446854]
:0044485D 7546 jne 004448A5<---jump if the calculations are not the same
--FIRST CALL--
A lot of information in these few lines of code. I would love to go through each line of
code and explain everything, but I really only have space to go through the highlights.
Let's start with 00444848. Once you are there press F8:
:00444460 55 push ebp<---you will land here
:00444461 8BEC mov ebp, esp
:00444463 6A00 push 00000000
:00444465 53 push ebx
:00444466 56 push esi
:00444467 33C0 xor eax, eax
//SNIP//
Press F10 until 004444CD.
:004444CD 8B55FC mov edx, dword ptr [ebp-04]<---stop here
At the top of your softice window, you will notice all of the registers EAX=, EBX=, etc., etc..
In the lower right hand corner of the register window is the SS= entry. The addresses may not
be the same, but on my computer it says:
ss:0068FA90=00BB6194
It's the second location that we are interested in. Type:
d 00BB6194
and you will see the first part of your code (for me it was B20E). Write it down.
Continue pressing F10 until:
:00444537 8D45FC lea eax, dword ptr [ebp-04]<---stop here
Again, on my computer:
ss:0068FA90=00BB2DDC
Type
d 00BB2DDC
and you will see the final section of your code (for me it was FFFBDC4A). Write it down.
--SECOND CALL--
Here's where things get complicated. tC has added a lot of dummy routines to cloud
exactly which serial number is correct. All look like they could be serial numbers.
Again, to make things short, I will go over only the code which relates to obtaining a
valid serial number. Let's begin at the second call routine 0044484D. Once you have
finished the first call, stop at the second call and press F8. This call brings you
to the magical sequence that ties everything together. Follow the code carefully....
:00444848 E813FCFFFF call 00444460
:0044484D E81EFEFFFF call 00444670<---stop here, press F8
:00444670 55 push ebp<---you will land here
:00444671 8BEC mov ebp, esp
:00444673 6A00 push 00000000
:00444675 6A00 push 00000000
:00444677 53 push ebx
:00444678 56 push esi
:00444679 33C0 xor eax, eax
:0044467B 55 push ebp
//SNIP//
Press F10 until:
:00444700 E847FEFFFF call 0044454C<---stop here, press F8
:00444705 33C0 xor eax, eax
:00444707 5A pop edx
:00444708 59 pop ecx
:00444709 59 pop ecx
:0044470A 648910 mov dword ptr fs:[eax], edx
//SNIP//
:0044454C 55 push ebp<---you will land here
:0044454D 8BEC mov ebp, esp
:0044454F 6A00 push 00000000
:00444551 6A00 push 00000000
:00444553 6A00 push 00000000
Press F10 until:
:00444645 8D45F4 lea eax, dword ptr [ebp-0C]
:00444648 BA03000000 mov edx, 00000003
:0044464D E88AF1FBFF call 004037DC<---stop here, press F8
:00444652 C3 ret
//SNIP//
:004037DC 53 push ebx<---you will land here
:004037DD 56 push esi
:004037DE 89C3 mov ebx, eax
:004037E0 89D6 mov esi, edx
:004037E2 8B13 mov edx, dword ptr [ebx]
:004037E4 85D2 test edx, edx
:004037E6 7419 je 00403801
:004037E8 C70300000000 mov dword ptr [ebx], 00000000<---stop here
Alright, we have found that magic spot in the program that will tie it all together and do
all of the work for us. Cancel all breakpoints and put a breakpoint:
bpx 004037E8
Before we look at the whole serial, look at the second address at SS (top right hand of the
register window) and type (for me)
d 00BB613C
This will give you the third part of the key code (for me it was 1135). Press F5, look at the same
register and type the address (for me it was)
d 00BB6128
This will give you the second part of the serial (for me it was 46653). BUT WAIT!!!! Press F5 again,
type in the address
d 00BB570C
and VOILA, our entire serial waiting patiently for us.
B20E-46653-1135-FFFBDC4A
--FINAL NOTES--
There was a lot of code that I had to leave out for brevity's sake. tC does a lot of neat
things to try and trick the cracker. For example, if you watch the initial serial being
made, you will notice that there is a '65A' after the first part of the code. At the serial
check routine, it looks for that '65A', and sends you immediately to the bad cracker
section. There are some other fun tricks in this one, and I suggest that, rather than just
following the above code, you do some exploring.
Greets to tC
Thanks to all of those coders that make these crackmes, to Pepper for sending me on the
right path so long ago and of course to Eternal Bliss.
Sanhedrin
stachi@geocities.com