Reverse Code Engineering RCE CD +sandman 2000 / ReverseCodeEngineeringRceCdsandman2000.iso / RCE / E_bliss / tutor10.txt
Text File | 2000-05-25 | 11KB | 241 lines
Terminal Cilla's
Tutorial#10
[Target Infos:]
[Name :] CrackMe 8
[Author:] FireWorX
[Type :] Serial; Name/Serial; Keyfile
[Where :] http://crackmes.cjb.net
[Needed Tools:]
SoftIce
WinDasm
[Our Aim:]
1. Find the serial.
2. Find a valid serial for our name.
3. Build a keyfile.
-----------------------------------------------------------------------------
Hi Reader.
I'm sorry for all grammatical and orthographic errors.
I assume that you have already configured your SoftIce/WinDasm and
that you are basically familiar with them - otherwise stop reading
and take a "SoftIce/WinDasm4Newbies - Tutorial".
Still here?
Ok, let's go!
I won't go into much detail in this tut 'cause I think
that this crackme is easy to reverse for everyone.
So only short notes...
Part1 - Serial:
---------------
With the help of SoftIce (using bpx hmemcpy) we'll land here:
-------------------------------------------------------------
:00445D93 E804F8FDFF call 0042559C
:00445D98 8B45FC mov eax, dword ptr [ebp-04]
:00445D9B 803854 cmp byte ptr [eax], 54
:00445D9E 757D jne 00445E1D
:00445DA0 8D55FC lea edx, dword ptr [ebp-04]
:00445DA3 8B83C4020000 mov eax, dword ptr [ebx+000002C4]
:00445DA9 E8EEF7FDFF call 0042559C
:00445DAE 8B45FC mov eax, dword ptr [ebp-04]
:00445DB1 80780165 cmp byte ptr [eax+01], 65
:00445DB5 7566 jne 00445E1D
:00445DB7 8D55FC lea edx, dword ptr [ebp-04]
:00445DBA 8B83C4020000 mov eax, dword ptr [ebx+000002C4]
:00445DC0 E8D7F7FDFF call 0042559C
:00445DC5 8B45FC mov eax, dword ptr [ebp-04]
:00445DC8 80780248 cmp byte ptr [eax+02], 48
:00445DCC 754F jne 00445E1D
:00445DCE 8D55FC lea edx, dword ptr [ebp-04]
:00445DD1 8B83C4020000 mov eax, dword ptr [ebx+000002C4]
:00445DD7 E8C0F7FDFF call 0042559C
:00445DDC 8B45FC mov eax, dword ptr [ebp-04]
:00445DDF 8078036E cmp byte ptr [eax+03], 6E
:00445DE3 7538 jne 00445E1D
:00445DE5 8D55FC lea edx, dword ptr [ebp-04]
:00445DE8 8B83C4020000 mov eax, dword ptr [ebx+000002C4]
:00445DEE E8A9F7FDFF call 0042559C
:00445DF3 8B45FC mov eax, dword ptr [ebp-04]
:00445DF6 80780445 cmp byte ptr [eax+04], 45
:00445DFA 7521 jne 00445E1D
:00445DFC 8D55FC lea edx, dword ptr [ebp-04]
:00445DFF 8B83C4020000 mov eax, dword ptr [ebx+000002C4]
:00445E05 E892F7FDFF call 0042559C
:00445E0A 8B45FC mov eax, dword ptr [ebp-04]
:00445E0D 80780564 cmp byte ptr [eax+05], 64
:00445E11 750A jne 00445E1D
-------------------------------------------------------------------
As we can see, every letter of our input is compared with a
predefined char. The important instructions are listed below:
-
:00445D9B 803854 cmp byte ptr [eax], 54 (T)
:00445DB1 80780165 cmp byte ptr [eax+01], 65 (e)
:00445DC8 80780248 cmp byte ptr [eax+02], 48 (H)
:00445DDF 8078036E cmp byte ptr [eax+03], 6E (n)
:00445DF6 80780445 cmp byte ptr [eax+04], 45 (E)
:00445E0D 80780564 cmp byte ptr [eax+05], 64 (d)
-
So the valid serial, as bytes, is: 54 65 48 6E 45 64.
These values are hex ASCII codes, so converting them gives the
serial - the letters shown in parentheses above: TeHnEd.
Part2 - Name/Serial:
--------------------
Once again SICE will bring us to the important routine:
-------------------------------------------------------------
:00446131 E866F4FDFF call 0042559C
:00446136 8B45F4 mov eax, dword ptr [ebp-0C]
:00446139 8D55F8 lea edx, dword ptr [ebp-08]
:0044613C E8FBFEFFFF call 0044603C
:00446141 8B55F8 mov edx, dword ptr [ebp-08]
:00446144 58 pop eax
:00446145 E80ADAFBFF call 00403B54
:0044614A 750A jne 00446156
-------------------------------------------------------------
As a result of tracing we noticed that the jump at :0044614A
decides whether we are a good or a bad cracker. So the call right
before it (at :00446145) must be the compare routine. Let's see what
parameters the call gets.
Look at edx and eax and the search is over.
Edx will contain the valid serial for our name and
eax contains our stupid serial.
In my case it was like:
8BFD-FF0F-1F12-C878
for the name
Terminal Cilla
There's nothing more we need to know.
Part3 - Keyfile:
----------------
Using WinDasm we find out that there are 3 'Good Code' calls.
So far we have found only 2 - one for the serial, one for the
name/serial - so the 3rd call must be for the keyfile.
Let's look at the code:
---------------------------------------------------------------
:00446418 55 push ebp
:00446419 8BEC mov ebp, esp
:0044641B 6A00 push 00000000
:0044641D 53 push ebx
:0044641E 8BD8 mov ebx, eax
:00446420 33C0 xor eax, eax
:00446422 55 push ebp
:00446423 6843654400 push 00446543
:00446428 64FF30 push dword ptr fs:[eax]
:0044642B 648920 mov dword ptr fs:[eax], esp
:0044642E 8D55FC lea edx, dword ptr [ebp-04]
:00446431 8B83C4020000 mov eax, dword ptr [ebx+000002C4]
:00446437 E860F1FDFF call 0042559C
:0044643C 8B45FC mov eax, dword ptr [ebp-04]
:0044643F 803846 cmp byte ptr [eax], 46
:00446442 0F85E5000000 jne 0044652D
:00446448 8D55FC lea edx, dword ptr [ebp-04]
:0044644B 8B83C4020000 mov eax, dword ptr [ebx+000002C4]
:00446451 E846F1FDFF call 0042559C
:00446456 8B45FC mov eax, dword ptr [ebp-04]
:00446459 80780169 cmp byte ptr [eax+01], 69
:0044645D 0F85CA000000 jne 0044652D
:00446463 8D55FC lea edx, dword ptr [ebp-04]
:00446466 8B83C4020000 mov eax, dword ptr [ebx+000002C4]
:0044646C E82BF1FDFF call 0042559C
:00446471 8B45FC mov eax, dword ptr [ebp-04]
:00446474 80780272 cmp byte ptr [eax+02], 72
:00446478 0F85AF000000 jne 0044652D
:0044647E 8D55FC lea edx, dword ptr [ebp-04]
:00446481 8B83C4020000 mov eax, dword ptr [ebx+000002C4]
:00446487 E810F1FDFF call 0042559C
:0044648C 8B45FC mov eax, dword ptr [ebp-04]
:0044648F 80780365 cmp byte ptr [eax+03], 65
:00446493 0F8594000000 jne 0044652D
:00446499 8D55FC lea edx, dword ptr [ebp-04]
:0044649C 8B83C4020000 mov eax, dword ptr [ebx+000002C4]
:004464A2 E8F5F0FDFF call 0042559C
:004464A7 8B45FC mov eax, dword ptr [ebp-04]
:004464AA 80780450 cmp byte ptr [eax+04], 50
:004464AE 757D jne 0044652D
:004464B0 8D55FC lea edx, dword ptr [ebp-04]
:004464B3 8B83C4020000 mov eax, dword ptr [ebx+000002C4]
:004464B9 E8DEF0FDFF call 0042559C
:004464BE 8B45FC mov eax, dword ptr [ebp-04]
:004464C1 80780568 cmp byte ptr [eax+05], 68
:004464C5 7566 jne 0044652D
:004464C7 8D55FC lea edx, dword ptr [ebp-04]
:004464CA 8B83C4020000 mov eax, dword ptr [ebx+000002C4]
:004464D0 E8C7F0FDFF call 0042559C
:004464D5 8B45FC mov eax, dword ptr [ebp-04]
:004464D8 80780633 cmp byte ptr [eax+06], 33
:004464DC 754F jne 0044652D
:004464DE 8D55FC lea edx, dword ptr [ebp-04]
:004464E1 8B83C4020000 mov eax, dword ptr [ebx+000002C4]
:004464E7 E8B0F0FDFF call 0042559C
:004464EC 8B45FC mov eax, dword ptr [ebp-04]
:004464EF 80780733 cmp byte ptr [eax+07], 33
:004464F3 7538 jne 0044652D
:004464F5 8D55FC lea edx, dword ptr [ebp-04]
:004464F8 8B83C4020000 mov eax, dword ptr [ebx+000002C4]
:004464FE E899F0FDFF call 0042559C
:00446503 8B45FC mov eax, dword ptr [ebp-04]
:00446506 80780872 cmp byte ptr [eax+08], 72
:0044650A 7521 jne 0044652D
:0044650C 8D55FC lea edx, dword ptr [ebp-04]
:0044650F 8B83C4020000 mov eax, dword ptr [ebx+000002C4]
:00446515 E882F0FDFF call 0042559C
:0044651A 8B45FC mov eax, dword ptr [ebp-04]
:0044651D 80780C2E cmp byte ptr [eax+0C], 2E
:00446521 750A jne 0044652D
---------------------------------------------------------------
We see a routine similar to the one in Part1. Let's sum up the
important parts:
-
:0044643F 803846 cmp byte ptr [eax], 46 (F)
:00446459 80780169 cmp byte ptr [eax+01], 69 (i)
:00446474 80780272 cmp byte ptr [eax+02], 72 (r)
:0044648F 80780365 cmp byte ptr [eax+03], 65 (e)
:004464AA 80780450 cmp byte ptr [eax+04], 50 (P)
:004464C1 80780568 cmp byte ptr [eax+05], 68 (h)
:004464D8 80780633 cmp byte ptr [eax+06], 33 (3)
:004464EF 80780733 cmp byte ptr [eax+07], 33 (3)
:00446506 80780872 cmp byte ptr [eax+08], 72 (r)
:0044651D 80780C2E cmp byte ptr [eax+0C], 2E (.)
-
The contents of the keyfile get compared with the same
method as the serial.
But this time there's a little trick ;)
-
:0044651D 80780C2E cmp byte ptr [eax+0C], 2E (.)
-
The last required char, the '.', must sit at offset 0C (the 12th
position counting from zero); offsets 09, 0A and 0B are never compared.
So it won't work if we use: FirePh33r. (the dot lands at offset 09).
It should be like: FirePh33r   . (three filler chars between the r and the dot).
For those filler positions you can take any character you want.
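The compare chains in Part1 and Part3 follow one pattern: each "cmp byte ptr [eax+N], imm" pins one byte of the accepted string, and any offset that is never compared is free. As an added example that is not part of the original tutorial, the Python script below parses such WinDasm cmp lines, rebuilds the accepted string with '?' at unchecked offsets, and replays the checks against a candidate; the embedded listing is copied from the Part3 keyfile routine (the Part1 serial lines parse the same way), and the function names are my own. The lesson for anyone writing a check like this: a secret compared byte by byte against immediates can be read straight out of the disassembly.

```python
import re
from typing import Dict

# Matches one WinDasm line such as ":0044651D 80780C2E cmp byte ptr [eax+0C], 2E"
# and captures the optional hex offset after "eax+" and the immediate byte.
CMP_RE = re.compile(
    r"^:[0-9A-Fa-f]{8}\s+[0-9A-Fa-f]+\s+cmp\s+byte\s+ptr\s+"
    r"\[eax(?:\+(?P<off>[0-9A-Fa-f]+))?\],\s*(?P<imm>[0-9A-Fa-f]{2})\b"
)

def parse_cmp_listing(listing: str) -> Dict[int, int]:
    """Map string offset -> expected byte for every 'cmp byte ptr [eax+N], imm' line."""
    constraints: Dict[int, int] = {}
    for line in listing.splitlines():
        m = CMP_RE.match(line.strip())
        if m:
            off = int(m.group("off"), 16) if m.group("off") else 0
            constraints[off] = int(m.group("imm"), 16)
    return constraints

def render_template(constraints: Dict[int, int], filler: str = "?") -> str:
    """Spell out the accepted string; offsets the code never checks get the filler."""
    if not constraints:
        return ""
    return "".join(chr(constraints[i]) if i in constraints else filler
                   for i in range(max(constraints) + 1))

def passes_check(candidate: bytes, constraints: Dict[int, int]) -> bool:
    """Replay the compare chain: every constrained offset must hold its expected byte."""
    return all(off < len(candidate) and candidate[off] == val
               for off, val in constraints.items())

# Constructed sample input: the Part3 keyfile cmp lines quoted above (Part1 parses the same way).
KEYFILE_LISTING = """
:0044643F 803846 cmp byte ptr [eax], 46
:00446459 80780169 cmp byte ptr [eax+01], 69
:00446474 80780272 cmp byte ptr [eax+02], 72
:0044648F 80780365 cmp byte ptr [eax+03], 65
:004464AA 80780450 cmp byte ptr [eax+04], 50
:004464C1 80780568 cmp byte ptr [eax+05], 68
:004464D8 80780633 cmp byte ptr [eax+06], 33
:004464EF 80780733 cmp byte ptr [eax+07], 33
:00446506 80780872 cmp byte ptr [eax+08], 72
:0044651D 80780C2E cmp byte ptr [eax+0C], 2E
"""

if __name__ == "__main__":
    rules = parse_cmp_listing(KEYFILE_LISTING)
    print(render_template(rules))                 # FirePh33r???.
    print(passes_check(b"FirePh33r.", rules))     # False: '.' sits at offset 09
```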
...our job is done!
Thx4Readin'
-----------------------------------------------------------------------------
-=I'm still a newbie - So I can only get better!=-
(c) Terminal Cilla (May 1999)
Peace&Respects 2: duelist,The AntiXryst, Torn@do, EB
Sanhedrin,rubor and all crackme-coders
and tutorial-writers.
Special thx2 'duelist' for being a good friend and
'Eternal Bliss' for hosting my cMz.
 ________________________
|    Be sure to visit:   |
| http://crackmez.cjb.net|
|           &            |
| http://crackmes.cjb.net|
|________________________|