eb_tut21.txt (RCE/E_bliss, Reverse Code Engineering RCE CD +sandman 2000; text file dated 2000-05-25)
Tutorial Number 21
Written by Eternal Bliss
Email: Eternal_Bliss@hotmail.com
Website: http://crackmes.cjb.net
http://surf.to/crackmes
Date written: 30th May 1999
Program Details:
Name: Crackme 2a
Author: n0p3x
Tools Used:
W32Dasm
HexEditor
Cracking Method:
Code Analysis
Viewing Method:
Use Notepad with Word Wrap switched on
Screen Area set to 800 X 600 pixels (Optional)
__________________________________________________________________________
About this protection system
This CrackMe shows a Nag every time it is run. There is no registration
scheme; the only way to get rid of the Nag is to crack it.
What the author said:
"The previous programs have used message boxes called by the function
'MessageBoxA'. This program uses an alternative method to display its nag"
_________________________________________________________________________
W32Dasm
First, disassemble the CrackMe with W32Dasm: run W32Dasm, then choose
"Disassembler" -> "Open File To Disassemble".
Go to the little toolbar icon labelled "Imp Fa". When your mouse hovers over
it you will see the word "Imports" pop up. Ok. We will look at the imports
to see which functions the CrackMe uses, and hopefully find the one that
produces the Nag.
You will see a few "cw3220.__XXX" functions. These are runtime functions the
CrackMe imports from cw3220.dll; they don't concern us.
Other functions include:
USER32.DialogBoxParamA
USER32.EndDialog
USER32.MessageBoxA
Well, MessageBoxA is not used for the Nag (the author told us that).
So the most likely candidates are DialogBoxParamA to produce the Nag
and EndDialog to close it...
Double-click on USER32.DialogBoxParamA to see where in the code this
function is called... Do it a few times to make sure that we have covered
every single location that uses this function.
You will get these locations...
004010AF, 0040114C, 004014EE
I've pasted the codes below...
USER32.DialogBoxParamA at 004010AF
=================================================================
* Possible Reference to Dialog: DialogID_0002
|
:00401098 6A02 push 00000002
:0040109A FF7508 push [ebp+08]
* Reference To: USER32.EndDialog, Ord:0000h
|
:0040109D E858040000 Call 004014FA
:004010A2 6A00 push 00000000
:004010A4 68DF104000 push 004010DF
:004010A9 6A00 push 00000000
* Possible Reference to Dialog: DialogID_0001
|
:004010AB 6A01 push 00000001
:004010AD 6A00 push 00000000
* Reference To: USER32.DialogBoxParamA, Ord:0000h
|
:004010AF E83A040000 Call 004014EE
* Possible Reference to Dialog: DialogID_0001
|
:004010B4 B801000000 mov eax, 00000001
:004010B9 EB20 jmp 004010DB
=================================================================
USER32.DialogBoxParamA at 0040114C
=================================================================
:0040113B 55 push ebp
:0040113C 8BEC mov ebp, esp
:0040113E 6A00 push 00000000
:00401140 687C104000 push 0040107C
:00401145 6A00 push 00000000
* Possible Reference to Dialog: DialogID_0002
|
:00401147 6A02 push 00000002
:00401149 FF7508 push [ebp+08]
* Reference To: USER32.DialogBoxParamA, Ord:0000h
|
:0040114C E89D030000 Call 004014EE
:00401151 33C0 xor eax, eax
:00401153 5D pop ebp
:00401154 C21000 ret 0010
=================================================================
The last USER32.DialogBoxParamA at 004014EE doesn't concern us: it is the
import stub that both calls above go through (Call 004014EE).
Looking at these two pieces of code, you will see "DialogID_0001"
or "DialogID_0002" just before the DialogBoxParamA call. So what
are the parameters of this function? We have to refer to the Win32 API
reference. You can get this off the web easily...
int DialogBoxParam(
HINSTANCE hInstance, // handle to application instance
LPCTSTR lpTemplateName, // identifies dialog box template
HWND hWndParent, // handle to owner window
DLGPROC lpDialogFunc, // pointer to dialog box procedure
LPARAM dwInitParam // initialization value
);
Ok. Five parameters are pushed before the call. Win32 API functions use the
stdcall convention, so the parameters are pushed from last to first:
LPARAM dwInitParam is pushed first and HINSTANCE hInstance is pushed last.
So in the disassembled code, DialogID_000x is in the 4th push, which makes
it the second parameter, the dialog box template...
Now, what are "DialogID_0001" and "DialogID_0002"?? Go all the way up to
the top of the disassembled code... You will see
+++++++++++++++++ DIALOG INFORMATION ++++++++++++++++++
Number of Dialogs = 2 (decimal)
Name: DialogID_0001, # of Controls=009, Caption:"Crackme 2a - n0p3x", ClassName:""
001 - ControlID:0002, Control Class:"BUTTON" Control Text:"E&xit"
002 - ControlID:0009, Control Class:"BUTTON" Control Text:"A&bout"
003 - ControlID:0065, Control Class:"EDIT" Control Text:"Nag Removal The previous programs have"
004 - ControlID:0066, Control Class:"BUTTON" Control Text:"-=n0p3x=-"
005 - ControlID:FFFF, Control Class:"STATIC" Control Text:"Coded By n0p3x. 10th May 1999."
006 - ControlID:FFFF, Control Class:"STATIC" Control Text:"EMAIL: adminno1@yahoo.com"
007 - ControlID:FFFF, Control Class:"STATIC" Control Text:"WEB: http://cod3r.cjb.net"
008 - ControlID:FFFF, Control Class:"STATIC" Control Text:"If you suceed in killing this nag screen and write a tutorial on it then email"
009 - ControlID:FFFF, Control Class:"STATIC" Control Text:"Frame2"
Name: DialogID_0002, # of Controls=004, Caption:"The deadly NAG!", ClassName:""
001 - ControlID:FFFF, Control Class:"STATIC" Control Text:"This is a demonstration version of this program."
002 - ControlID:0065, Control Class:"BUTTON" Control Text:"Uhh, youv'e made me feel guilty now. Heres all my money."
003 - ControlID:0066, Control Class:"BUTTON" Control Text:"Take the program for a test drive before paying."
004 - ControlID:FFFF, Control Class:"STATIC" Control Text:"SOFTWARE PIRACY IS ILLEGAL"
=================================================================
Now, if you have run the CrackMe, you will have seen the Nag with the caption
"The deadly NAG!". So the Nag is DialogID_0002 and the main program is 0001.
Remember the "USER32.EndDialog" function we saw in the Imports as well? It
will close the corresponding Dialog depending on which DialogID is pushed as
the parameter... Ok. The basic introduction is over.
Let's get down to cracking it...
Looking at the two pieces of code from earlier... I've commented on
what I know... (remember that I am a newbie too)
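To make the right-to-left push rule concrete, here is a small script (an added example, not code from the tutorial) that parses the W32Dasm listing excerpts shown above and pairs each push with the parameter it supplies, then resolves the template ID against the DIALOG INFORMATION block. Parameter names for DialogBoxParam come from the prototype quoted above; for EndDialog they come from its documented prototype EndDialog(HWND hDlg, INT_PTR nResult), which is why the same rule labels the `push 00000002` before the EndDialog call as its nResult return value, with the dialog handle in [ebp+08].

```python
"""Pair the pushes that precede a stdcall API call in a W32Dasm listing with
the API's parameter names.  Added example, not code from the tutorial: the
listing excerpts are copied from it, the parameter names come from the
DialogBoxParam prototype quoted in the text and from EndDialog's documented
prototype EndDialog(HWND hDlg, INT_PTR nResult)."""
import re

# Parameter order, left to right, as written in the prototypes.
DIALOGBOXPARAM_PARAMS = ["hInstance", "lpTemplateName", "hWndParent",
                         "lpDialogFunc", "dwInitParam"]
ENDDIALOG_PARAMS = ["hDlg", "nResult"]

# Dialog templates from W32Dasm's DIALOG INFORMATION block (ID -> caption).
DIALOGS = {1: "Crackme 2a - n0p3x", 2: "The deadly NAG!"}

# Excerpts of the W32Dasm listing shown in the tutorial.
LISTING_0040109D = """\
:00401098 6A02 push 00000002
:0040109A FF7508 push [ebp+08]
* Reference To: USER32.EndDialog, Ord:0000h
|
:0040109D E858040000 Call 004014FA
"""

LISTING_0040114C = """\
:0040113B 55 push ebp
:0040113C 8BEC mov ebp, esp
:0040113E 6A00 push 00000000
:00401140 687C104000 push 0040107C
:00401145 6A00 push 00000000
* Possible Reference to Dialog: DialogID_0002
|
:00401147 6A02 push 00000002
:00401149 FF7508 push [ebp+08]
* Reference To: USER32.DialogBoxParamA, Ord:0000h
|
:0040114C E89D030000 Call 004014EE
"""

# ":<address> <opcode bytes> <mnemonic> [operands]"; annotation lines don't match.
INSTR_RE = re.compile(r"^:([0-9A-F]{8})\s+([0-9A-F]+)\s+(\w+)(?:\s+(.*))?$")


def parse_listing(text):
    """Return (address, mnemonic, operands) tuples for the instruction lines."""
    instrs = []
    for line in text.splitlines():
        m = INSTR_RE.match(line.strip())
        if m:
            instrs.append((int(m.group(1), 16), m.group(3).lower(),
                           (m.group(4) or "").strip()))
    return instrs


def map_call_args(instrs, call_addr, param_names):
    """Walk backwards from the call at call_addr collecting one push per
    parameter.  stdcall pushes right to left, so the push nearest the call
    is the first (leftmost) parameter."""
    idx = next(i for i, (addr, mn, _) in enumerate(instrs)
               if addr == call_addr and mn == "call")
    pushes = []
    i = idx - 1
    while i >= 0 and len(pushes) < len(param_names):
        addr, mn, operand = instrs[i]
        if mn != "push":
            raise ValueError(f"expected a push at {addr:08X}, found {mn}")
        pushes.append(operand)
        i -= 1
    if len(pushes) != len(param_names):
        raise ValueError(f"only {len(pushes)} pushes before {call_addr:08X}")
    return dict(zip(param_names, pushes))


def template_caption(args):
    """Resolve the lpTemplateName operand of a DialogBoxParamA call to the
    dialog caption W32Dasm lists for that template ID."""
    return DIALOGS[int(args["lpTemplateName"], 16)]


if __name__ == "__main__":
    nag = map_call_args(parse_listing(LISTING_0040114C), 0x0040114C,
                        DIALOGBOXPARAM_PARAMS)
    print(nag, "->", template_caption(nag))
    end = map_call_args(parse_listing(LISTING_0040109D), 0x0040109D,
                        ENDDIALOG_PARAMS)
    print(end)
```

Running it shows lpTemplateName = 00000002 for the call at 0040114C, which resolves to "The deadly NAG!", and hDlg = [ebp+08], nResult = 00000002 for the EndDialog call at 0040109D.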
USER32.DialogBoxParamA at 004010AF
=================================================================
* Possible Reference to Dialog: DialogID_0002 <<Nag ID
|
:00401098 6A02 push 00000002
:0040109A FF7508 push [ebp+08]
* Reference To: USER32.EndDialog, Ord:0000h
|
:0040109D E858040000 Call 004014FA <<End the Nag!!
:004010A2 6A00 push 00000000 <<1st parameter of
:004010A4 68DF104000 push 004010DF USER32.DialogBoxParamA
:004010A9 6A00 push 00000000 for main prog
* Possible Reference to Dialog: DialogID_0001 <<Main Prog ID
|
:004010AB 6A01 push 00000001
:004010AD 6A00 push 00000000
* Reference To: USER32.DialogBoxParamA, Ord:0000h <<Show the prog
|
:004010AF E83A040000 Call 004014EE
* Possible Reference to Dialog: DialogID_0001
|
:004010B4 B801000000 mov eax, 00000001
:004010B9 EB20 jmp 004010DB
=================================================================
USER32.DialogBoxParamA at 0040114C
=================================================================
:0040113B 55 push ebp
:0040113C 8BEC mov ebp, esp
:0040113E 6A00 push 00000000 <<1st parameter of
:00401140 687C104000 push 0040107C USER32.DialogBoxParamA
:00401145 6A00 push 00000000 for Nag
* Possible Reference to Dialog: DialogID_0002 <<Nag ID
|
:00401147 6A02 push 00000002
:00401149 FF7508 push [ebp+08]
* Reference To: USER32.DialogBoxParamA, Ord:0000h <<Show the Nag!!
|
:0040114C E89D030000 Call 004014EE
:00401151 33C0 xor eax, eax
:00401153 5D pop ebp
:00401154 C21000 ret 0010
=================================================================
Well, looking at my comments, do you understand what we must do?
If you are thinking of NOPing the 6 instructions from 0040113E to 0040114C,
you are wrong. I tried it. The CrackMe crashes... 8P
So, if patching it that way doesn't work, there is another way. Did you
think of jumping straight to the "Show Main Prog" code, thereby
bypassing the Nag screen? 8)
Ok. We must start patching at 0040113E so that the CrackMe jumps to
004010A2. Why 004010A2?? Well, 00401098 to 0040109D is the code that
ends the Nag... If we stop the CrackMe from producing a Nag, then we
no longer need the End-Nag code, right??? 8)
Simple? Now we need to find out which bytes to patch in so that the
CrackMe jumps to the Show Main Prog code without showing and ending the Nag
screen...
You could use SoftICE to do it. But because I don't have SoftICE loaded, and
you would still need to break into the CrackMe before patching in SoftICE,
I have decided to use W32Dasm instead...
W32Dasm has a debugger function too.
What you need to do is this:
1) Go to "Debug", choose "Load Process"
2) You may get another prompt asking you something. Just click on "Load"
3) You will then see 3 separate windows. Don't be afraid. 8P
4) Go to the right window (the one showing the words "Code Address ...")
5) Click on "Goto Address"
6) Fill in the offset which is 0040113E (remember we are jumping FROM here)
7) You will see the pushes exactly like what is in the disassembled file
8) Click on "Patch Code"
9) In the "Enter New Instruction Below" line, type in "jmp 004010A2" without
quotes. (remember we are jumping TO here)
10) Hit the "Enter" key. You will see in the "Code Patch Listing" the required
bytes to make the CrackMe jump to 004010A2...
11) It is E95FFFFFFF
12) Now, click on "Clear Patch" and answer "Yes" and then click "Close"
13) Back to the right window, click on "Terminate" because we have finished
our job here
Back to the main disassembled file, go to the location 0040113E
Look at the bottom of W32Dasm and you will see this:
Line:298 Pg 4 of 12 Code Data @:0040113E @Offset 0000073Eh in File:crackme2a.exe
What you need is the Offset which is 0000073E
Now, make a copy of the CrackMe and open it with a hex editor.
** You need to open the copy because you will not be able to patch
the file while W32Dasm has it open.
Using whatever hex editor you have, go to offset 73E. You will see the bytes
6A 00 68 7C 10
** compare with W32Dasm (they are the same)
Change them to E9 5F FF FF FF and save the patched file...
Now, run the patched file and see...
If you do everything correctly, you will be brought to the main program
without seeing the NagScreen.
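Where do E9 5F FF FF FF and offset 73E come from? The script below (an added example, not the tutorial's own code) works both out: it encodes the 5-byte near jmp from 0040113E to 004010A2, maps that virtual address to a file offset through a section table, and applies the patch only after confirming that the bytes being replaced are the 6A 00 68 7C 10 that W32Dasm shows, which guards against patching the wrong file or the wrong offset. The image base of 0x00400000 and the single section header are assumptions chosen so that the mapping reproduces the 0040113E -> 0000073E relation reported in W32Dasm's status line; the byte image is a constructed stand-in for crackme2a.exe.

```python
"""Encode the near jmp the tutorial patches in, translate its virtual address
to a file offset, and apply it only after checking the bytes being replaced.
Added example, not the tutorial's own code.  Assumptions: image base
0x00400000 and a single section header chosen so that VA 0040113E maps to
file offset 0000073E as W32Dasm reports; the byte image is a constructed
stand-in for crackme2a.exe."""
import struct

IMAGE_BASE = 0x00400000  # assumption: default Win32 EXE image base

# Assumed section table: RVA 0x1000 backed by raw data at file offset 0x600,
# which gives offset = RVA - 0x1000 + 0x600 (0x113E -> 0x73E).
SECTIONS = [{"name": ".text", "rva": 0x1000, "raw_ptr": 0x600, "raw_size": 0x1000}]

JMP_REL32 = 0xE9  # opcode of the 5-byte near jmp


def encode_jmp_rel32(src, dst):
    """The rel32 displacement is measured from the end of the 5-byte instruction."""
    rel = dst - (src + 5)
    return bytes([JMP_REL32]) + struct.pack("<i", rel)


def decode_jmp_rel32(code, src):
    """Inverse of encode_jmp_rel32: recover the target of a jmp located at VA src."""
    if len(code) != 5 or code[0] != JMP_REL32:
        raise ValueError("not a 5-byte near jmp")
    return src + 5 + struct.unpack("<i", code[1:])[0]


def va_to_file_offset(va, sections=SECTIONS, image_base=IMAGE_BASE):
    """Map a virtual address to the offset of the same bytes in the file."""
    rva = va - image_base
    for s in sections:
        if s["rva"] <= rva < s["rva"] + s["raw_size"]:
            return rva - s["rva"] + s["raw_ptr"]
    raise ValueError(f"VA {va:08X} is not backed by any section's raw data")


def apply_patch(image, offset, expected, new_bytes):
    """Return a patched copy of image; refuse to write if the bytes at offset
    are not the ones expected (wrong file, wrong offset, already patched)."""
    if len(new_bytes) != len(expected):
        raise ValueError("replacement must be the same length as the original")
    actual = image[offset:offset + len(expected)]
    if actual != expected:
        raise ValueError(f"bytes at {offset:X} are {actual.hex()}, "
                         f"expected {expected.hex()}")
    out = bytearray(image)
    out[offset:offset + len(new_bytes)] = new_bytes
    return bytes(out)


def build_stand_in_image(offset, original):
    """Constructed stand-in for the executable: zero filler with the original
    instruction bytes placed at the given file offset."""
    image = bytearray(0x800)
    image[offset:offset + len(original)] = original
    return bytes(image)


def patch_nag_jump():
    """Reproduce the tutorial's patch: jmp from 0040113E to 004010A2."""
    src, dst = 0x0040113E, 0x004010A2
    patch = encode_jmp_rel32(src, dst)          # E9 5F FF FF FF
    offset = va_to_file_offset(src)             # 0x73E
    original = bytes.fromhex("6A00687C10")      # the bytes W32Dasm shows there
    image = build_stand_in_image(offset, original)
    patched = apply_patch(image, offset, original, patch)
    return patch, offset, patched


if __name__ == "__main__":
    patch, offset, _ = patch_nag_jump()
    print(f"offset {offset:08X}: {patch.hex(' ').upper()}")
```

The displacement is 004010A2 - (0040113E + 5) = -0xA1, which little-endian is 5F FF FF FF, so the encoder reproduces W32Dasm's E95FFFFFFF exactly; decode_jmp_rel32 is there to check a patch found in a file the other way round. For a real executable you would read the section table from the PE headers rather than hard-code it, but the offset arithmetic is the same.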
CrackMe cracked!!
__________________________________________________________________________
Final Notes
This tutorial is dedicated to all the newbies like me.
And because I'm a newbie myself, I may have explained certain things wrongly
So, if that is the case, please forgive me. Email me if there is anything
you are not clear about.
My thanks and gratitude go to:
All the writers of Cracks tutorials and CrackMes
and also to all the crackers that have been supporting my site and project forum.