Hellforge Crackme 2 Solution Tutorial

Introduction:

The serial number here is a number generated from your username. In this tutorial I will show you, and hopefully teach you, how to obtain the correct number for your name and, if you continue, how to make the program reveal correct serial numbers automatically. This tutorial is written at two levels, from beginner to more advanced, yet both require a firm knowledge of the use of SoftIce as well as a keen cracking sense.

Beginner: 'Serial Fishing'

Advanced: Patching the program to automatically reveal correct serials

Before attempting to crack this crackme it would be a good idea to read this tutorial through at least once and to print out a copy to hold in your hand as you travel through the cracking process. Good luck! Don't forget also that the name, when entered, must be more than 4 characters in length.

Beginner:

This is what I simply call 'Serial Fishing'. It doesn't require very much knowledge of assembly or SoftIce; it's how I started out cracking, and before moving on to bigger and better tasks I think all beginners should try it, as it is the basis of the knowledge that will grow and build you into an experienced cracker.

Run the program, enter your name and a dummy serial number (eg. 7777777) into the two text boxes on your screen. Don't click on the button just yet; instead open SoftIce by pressing Ctrl+D. Now what we need to do is set a breakpoint where the program will read the data from each text box. I use Hmemcpy because it works 99.9% of the time, so in SoftIce set a breakpoint on Hmemcpy: BPX HMEMCPY. Exit SoftIce and click on the button.

The SoftIce window will open as it has read your name; exit SoftIce and let it read your code data 5 more times. Now press F12 until the line at the bottom of the SoftIce screen reads the name of the crackme exe. Let's search for the dummy serial you entered, in my case '7777777': in SoftIce type s 0 l ffffffff '7777777' and press enter. In my case it was found at 0030:00792AE0; yours may differ.

Now let's put a breakpoint on that memory address so that SoftIce will break every time that code is read, hopefully when it is compared with the real code. So type in SoftIce bpm 0030:00792AE0 R. You will land at the following code.

:0040349D  mov ecx, [esi]    ; real serial copied to ECX
:0040349F  mov ebx, [edi]    ; dummy serial copied to EBX
:004034A1  cmp ecx, ebx      ; ECX compared to EBX
:004034A3  jnz 004034fd      ; jump if not equal

Type D ESI in SoftIce to see what the real code for your name should be. If you feel up to it, continue reading and learn how to patch this program so that instead of giving the error message 'Wrong code' it will display the correct code for the entered name. This saves a lot of time compared with building a key generator and fulfills exactly the same purpose.

Advanced:

What you've just done is find the serial number for your name. This number will only register the crackme for your name, so it's not much use to anyone else; what we are now going to do is patch the program so that it displays the correct serial instead of an error message. When you typed D ESI to find the correct serial, take note of the memory address at which it is located. For me it was 00792F64. Trace through the program code just after the above segment until you get to where the error message is about to be created; it should look like this.

:00426995  mov ecx, 004269DC     ; move error message title to ECX
:0042699A  mov edx, 004269E4     ; move error message text to EDX
:0042699F  mov eax, [00428624]
:004269A4  call 00421C08

In SoftIce, if you type D 4269E4 you will see the error message 'Wrong code'. Hey, are you thinking what I'm thinking? If we replace the 004269E4 in the second line of text above with 00792F64 it will display the correct serial number instead of an error message. How cool is that? Type D EIP to display the hex values and write down ALL the bytes on that line; now type A, then 'mov edx, 00792F64'. Type D EIP to see what the string of bytes has been changed to, open the exe in a hex editor, search for the string (be careful to match exactly, because there is a very similar string of hex values that can be found in the exe) and change the appropriate bytes to make the patch permanent. Run the program to be sure that it works and you're done. Congratulations!
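To show exactly which bytes change when the immediate in 'mov edx, 004269E4' is swapped for 00792F64, and why matching only that one instruction is risky, here is an added Python example (not part of the original tutorial or the crackme). It encodes the two mov instructions from the listing above, builds a constructed sample byte image that contains a decoy 'mov edx, 004269E4' as well as the real pair, and only applies the patch when the searched byte string occurs exactly once.

```python
import struct

# 32-bit x86 encodings for the instruction forms in the listing:
#   mov ecx, imm32 -> B9 <imm32 little-endian>
#   mov edx, imm32 -> BA <imm32 little-endian>
def mov_ecx_imm32(value: int) -> bytes:
    return b"\xB9" + struct.pack("<I", value)

def mov_edx_imm32(value: int) -> bytes:
    return b"\xBA" + struct.pack("<I", value)

# The instruction pair at 00426995 / 0042699A as it sits in the exe (addresses from the tutorial).
ORIGINAL = mov_ecx_imm32(0x004269DC) + mov_edx_imm32(0x004269E4)
# The same pair with the message pointer replaced by the address of the real serial (00792F64).
PATCHED = mov_ecx_imm32(0x004269DC) + mov_edx_imm32(0x00792F64)

def patch_image(image: bytes, old: bytes, new: bytes) -> bytes:
    """Replace `old` with `new` only if it occurs exactly once in `image`.

    The tutorial warns about a very similar byte string elsewhere in the exe;
    refusing to patch on zero or several hits turns that warning into a check.
    """
    if len(old) != len(new):
        raise ValueError("patch must not change the file size")
    hits = image.count(old)
    if hits != 1:
        raise ValueError(f"expected exactly one match, found {hits}")
    pos = image.find(old)
    return image[:pos] + new + image[pos + len(old):]

# Constructed sample image (not the real crackme): filler, a decoy that shares
# the 'mov edx, 004269E4' bytes but has a different ecx load, then the real pair.
DECOY = mov_ecx_imm32(0x004269D0) + mov_edx_imm32(0x004269E4)
SAMPLE_IMAGE = b"\x90" * 8 + DECOY + b"\xC3" * 4 + ORIGINAL + b"\xC3" * 4

def patch_sample() -> bytes:
    """Apply the tutorial's patch to the constructed image using the full 10-byte pair."""
    return patch_image(SAMPLE_IMAGE, ORIGINAL, PATCHED)

if __name__ == "__main__":
    print("before:", mov_edx_imm32(0x004269E4).hex(" ").upper())
    print("after: ", mov_edx_imm32(0x00792F64).hex(" ").upper())
    print("5-byte pattern hits:", SAMPLE_IMAGE.count(mov_edx_imm32(0x004269E4)))
    print("patched image:", patch_sample().hex(" ").upper())
```

Searching for the 5-byte 'mov edx' encoding alone matches both the decoy and the real instruction, so the script raises; searching for the full pair patches exactly one place.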

Conclusion:

I hope that my blabbering on has taught you something that will help you in your hunt for serial numbers, and maybe even in thinking of other ways around protection schemes such as this. Please forward any questions to sigmental@yahoo.com