Kro_ baR Tutorial
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Trail CrackMe by ACidbuRN/CrackerWorld
Serial Number:
Ok. We look at Acid Burn crackme, and first thing we see is the nag. How many times we seen snags (shit nags) ??? Well we deal to that later. For now just click ok and load the crackme.
First we gonna enter the single serial number and use softice to find the correct one.
So click the serial button and enter 999999999.
You know what to do now!!! Ctrl d softice up, and set a breakpoint. We gonna try bpx hmemcpy, coz it seems to work most times.
So type:
bpx hmemcpy and push enter. Now F5 out of softice and click Check it Baby!
Well we back in softice and push F11, then disable breakpoint... bd0
We know what to do here! We gotta get to the code in the program. Look down between the bottom two windows and you see KERNEL(01), so we in the KERNEL.dll. Start pushing F12 till we see CRACKME2!CODE+0002B4BD...six times actually, then STOP and look at the code.
See a RET instruction a few lines below where we landed. This means we gonna return from a procedure so F10 down to it, and yep, onto another bit of code. Heh, another RET a few lines down...so F10 down and onto another bit of code. Keep F10 ing through the RETs, about six RETs all up. If we look at the EAX register (top left) it still equals 9...length of our serial???
After about the 6th RET, we'll land here:
xxxx:0042F4CA 8B45F0 MOV EAX,[EBP-10]
xxxx:0042F4CD 8B55F4 MOV EDX,[EBP-0C]
xxxx:0042F4D0 E82745FDFF CALL 004039FC
xxxx:0042F4D5 751A JNZ 0042F4F1
We see a CALL just before a jump. Well we gonna trace INTO this call. F8 traces INTO a call (push F8 when we on the call line) and we end up here:
xxxx:004039FC 53 PUSH EBX<--we land here
xxxx:004039FD 56 PUSH ESI
xxxx:004039FE 57 PUSH EDI
xxxx:004039FF 89C6 MOV ESI,EAX
xxxx:00403A01 89D7 MOV EDI,EDX
xxxx:00403A03 39D0 CMP EAX,EDX
xxxx:00403A05 0F848F000000 JZ 00403A9A
Hmmmm, three pushes followed by some MOVs, then a CMP/JZ, a TEST/JZ, and another TEST/JZ. I think this interesting. Often we look for a CMP followed by a jump, or TEST followed by a jump, coz it maybe where our serial is compared to the real one. If not the same we jump to piss off message; or if the same, jump to good boy message.
I think we might be close, so we gonna to do some dumping (d) to see what the different registers and addresses contain.
- At line 004039FC type d eax and push the enter/return key...our serial in the display window, d ebx...hmm nothing.
- F10 to line 004039FD d esi...nothing.
- F10, d edi/enter...nothing.
- F10, to MOV ESI, EAX d esi/enter...nothing, d eax/enter...our serial.
- F10 to line 00403A01, d edi/enter...nothing, d edx/enter...what this in the display window? Correct serial??
Next line down we see our serial getting compared to correct serial, and if they the same we jump. Guess if they the same we jump to good boy message. Now before we F5 out of softice to see if we got the correct serial, we going to note down the JZ address...
xxxx:0403A05 0F848F00000 JZ 00403A9A
...I explain why later.
F5 out of sice and put in the serial. Congratz! Hey God Job dude!!=) <--hmm,spelling as bad as mine??
Well we finish this level. Next we gonna look at the name/serial level.
Name/Serial Number:
This time we gonna choose the serial/name option. Do it and enter name and serial.
You know what to do now!!! Ctrl d softice up, and set a breakpoint. We gonna try bpx hmemcpy again, coz it seems to work most times.
So type:
bpx hmemcpy and push enter. Now F5 out of softice and click Check it Baby!
Well we back in softice and do the same as last time...push F11, then disable breakpoint... bd0
We know what to do here! We gotta get to the code in the program remember. Look down between the bottom two windows and you see KERNEL(01), so we in the KERNEL.dll. Start pushing F12 till we see CRACKME2!CODE+0002B4BD...six times actually, then STOP and look at the code.
Looks a lot like level one code dont it...we'll see. F10 through the six returns and we land here:
xxxx:0042F9CD 8B45F0 MOV EAX[EBP-10]
Stop here. The code looks different from the last level now, so have a look at it...lots of calls...and remember what we looking for? A compare before a jump, or a call before a jump. Well scroll the code window down a bit (Ctrl down arrow) and we see a call before a jump at:
xxxx:0042FA52 E8D96EFDFF CALL 00406930
Think we'll try it. F10 down to that address so it is highlighted, and F8 into the call. We land here:
xxxx:00406930 89FA MOV EDX , EDI
and if you do a d eax you see a bit of your name in the display window. I also see a compare followed by a jump further down, but we arent going to get there this time coz there a RET in the way.
F10 to the RET and we land here:
xxxx:0042FA57 83F804 CMP EAX , 04 <.....is our serial 4 characters
xxxx:0042FA5A 7D1D JGE 0042FA79 <.....jump if greater or equal to 4
Cant see nothing interesting here...can check the registers if you want (d etc) but see not a lot so F10 once to the JGE (jump if greater or equal) and F10 to execute the jump.
Stop where you land and look at the code. Lots of calls, AND, if you scroll the code window down (Ctrl down arrow) you see a call followed by a jump at:
xxxx:0042FAFE E8F93EFDFF CALL 004039FC
xxxx:0042FB03 751A JNZ 0042FB1F
Well I think we go into that call, so F10 down to it, then F8 into it. We land here:
xxxx:004039FC 53 PUSH EBX<--we land here
xxxx:004039FD 56 PUSH ESI
xxxx:004039FE 57 PUSH EDI
xxxx:004039FF 89C6 MOV ESI,EAX
xxxx:00403A01 89D7 MOV EDI,EDX
xxxx:00403A03 39D0 CMP EAX,EDX
xxxx:00403A05 0F848F000000 JZ 00403A9A
and what you know...it the same bit of code that we ended up at in our last tut. The bit that gives us our correct serial.
F10 to the CMP, do a d edx...our number, and a d eax...looks like the correct serial to me.
Now dont forget to make a note of the address where the jump takes place, although if you worked through the last tut, we already have it.
F5 out of softice and enter the serial...Congratz!! Good job dude=).
That it. We done it. Did you notice that the well done messages were different for the two levels??? I wonder if that means anything.
Next we gonna look at patching the crackme so we can use any name and number, using W32dasm and Hiew. Dont think we usually sposed to patch crackmes, but we gonna for the experience, so before we start our next tut, load crackme.exe into W32dasm, and click on string references.
You might say what the point of patching when we already got the serial??? Well there no point, but we gonna do it to do it!!
Patching:
So did ya check out the string references in W32dasm. Hehe none there were there...so what we gonna do??
Well remember making a note of this address in the last tut when we were in softice...
xxxx:004039FC 53 PUSH EBX
xxxx:004039FD 56 PUSH ESI
xxxx:004039FE 57 PUSH EDI
xxxx:004039FF 89C6 MOV ESI,EAX
xxxx:00403A01 89D7 MOV EDI,EDX
xxxx:00403A03 39D0 CMP EAX,EDX
xxxx:00403A05 0F848F000000 JZ 00403A9A<-this one
...we gonna use that coz we can assume that we jump to the good message if the serials are equal. So write down the address (00403A05) and the hex code (0F848F000000), and we ready to make our changes.Load the crackme into Hiew ( or other hex editor)...making sure you have a BACK UP copy...and, you know what to do!
- F4 and change to code mode if Hiew doesnt open in this mode.
- F5, put in address...(.00403A05...remembering the full stop BEFORE the address) push enter.
- F3...now we gonna change the JZ to JNZ...so we jump if the serials not match.
Wow, look at that hex code we gotta change...0F848F000000...what we do here? Well all we gonna change is 0F84 to 0F85 (or the 4 to 5 actually). So...- F3...the cursor square will be on 0F, and type in 0F85...(or you can use the right arrow button to move the cursor over the 4, and just push 5). The code will now be 0F858F000000.
- F9 to make the changes permanent, and F10 (or Esc) to exit Hiew
We ready to see if it worked. Start crackme and...SHIT WHAT THIS???
Exception EAccessViolation blah blah blah
Hmmmm, guess that wasnt the right change to make after all. Lucky we got a copy. If you werent smart enough to backup youll have to reload the crackme in hiew and undo the changes.
Well what we gonna do now. I'm gonna check out softice again, coz we got the correct serial, so we can compare what the code does with correct serial and incorrect serial.
So this was the code we found last time:
xxxx:0042FAFE E8F93EFDFF CALL 004039FC<-last time
xxxx:0042FB03 751A JNZ 0042FB1F
We went into this call remember, and landed here:
xxxx:004039FC 53 PUSH EBX
xxxx:004039FD 56 PUSH ESI
xxxx:004039FE 57 PUSH EDI
xxxx:004039FF 89C6 MOV ESI,EAX
xxxx:00403A01 89D7 MOV EDI,EDX
xxxx:00403A03 39D0 CMP EAX,EDX
xxxx:00403A05 0F848F000000 JZ 00403A9A
...notice the JNZ at address xxxx:0042FB03???? We call something and then jump if its not equal to zero. I wonder if that jump takes us to the incorrect, or the correct message. Well I used the correct serial number, and went through softice like before, got to that jump, and didnt jump. So I'm assuming that that jump takes us to the buggar off message. We want to change it to JZ I think... you think about why.
We try it. Make a note of the address and, yeah, exit softice (ctrl d) and load up hiew.
- F4 if you not on code mode, select code, then push enter (or you can toggle the three modes by just pushing enter).
- F5 (goto) and enter the address .0042FB03 (lower or uppercase, doesnt seem to matter)and push enter.
- F3 (edit) and change the 75 to a 74.
- F9 (update) to make changes permanent.
- F10 (or Esc) to exit hiew.
- I just mention here that in Hiew you might notice that instead of JZ or JNZ, you might see JE or JNE. These mean the same so no worries!
Now click on the crackme (shit we gotta get rid of that nag), go to serial/name, and enter anything. Click check it baby, and yeah, good job dude.We better try the other option too. Go to just the serial option, enter any number, and incorrect....bummer, looks like it back to softice!
Well this one be easy, we know what to do. Start crackme and go to the serial option. Back into softice and do the same as in tut 1. Now you remember this piece of code, coz we went into this call in tut 1:
xxxx:0042F4CA 8B45F0 MOV EAX,[EBP-10]
xxxx:0042F4CD 8B55F4 MOV EDX,[EBP-0C]
xxxx:0042F4D0 E82745FDFF CALL 004039FC<-here
xxxx:0042F4D5 751A JNZ 0042F4F1
...so we gonna change the JNZ at 0040F4D5 to a JZ, same as for serial/name. Also while you in softice at this piece of code, have a look down. You will see an unconditional jump at address 0042F4EF. Unconditional jump means we gonna jump whatever, but if we put in the wrong serial, the JNZ that we gonna change in a minute, takes us over this and we miss it. We can assume that this unconditional jump takes us to the good guy message, but if we have the wrong serial we dont get there.
Anyway, load up hiew and make the change...you know what to do by now...then check it.
Hey works...cool, we done it. Now for both options we can stick in anything we want and we get the cool dude message.
One thing that pisses me off is that nag...it got to go!!!
Kill The Nag:
It time for the nag to die!!
When we click on this crackme, we are greeted with a message box. We dont want it, so what we gonna do?? We want to find out what makes the nag happen, so what we really want is for softice to break when that message box is called, so we can have a look at the code.
Fortunately, there are breakpoints that we can use to make this happen. The obvious one is to set a breakpoint on messagebox to which we add an A at the end because it is a 32 bit program. There heaps of tuts available to learn more about all this.
All we got to know is that we gonna use the breakpoint bpx messageboxa and see if we can get softice to break when this function is called.
So Ctrl D softice up and type bpx messageboxa then push enter.
Now double click the crackme (to open it), and yeah softice springs to life. Push F11 and you'll be greeted with the crackme nag. Click ok (on the nag) and pow, back into softice, and you'll see that we in the program if you look between the bottom two windows.
We see this:
xxxx:0042A1A9 E8FAB5FDFF CALL USER32!MessageBoxA
xxxx:0042A1AE 8945FC MOV [EBP-04]-EAX<-we land here
Now if you look at the line above where we land, you'll see a call to USER32! MessageBoxA. Hmmm...with a bit of thought we could come to the conclusion that if that call did not happen, then the message box would not appear.
We gonna nop it out. Nop means no operation and causes the program to do nothing for that particular line. The hex for nop is 90 and each nop is equal to one byte. So two numbers equals one byte. If you look above to the call, at the hex instruction for the call ( E8FAB5FDFF ) you see ten numbers...so it equals five bytes. When we nop out this call, we gotta make sure it five bytes.
Nopping out the call should mean that the message box never happens and therefore no nag.
Lets give it a go! Take a note of the whole line
xxxx:0042A1A9 E8FAB5FDFF CALL USER32!MessageBoxA, and especially the address
0042A1A9, then F5 out of softice.
I not going to explain what to do with Hiew...you'll just have to go back and read previous tuts if you dont know, but, I will remind you to make a backup copy of the PATCHED crackme.exe (in case the changes we make are wrong).
Load one of the copies into hiew, then push F4 and select HEX mode. Push enter to go into Hex mode, then F5, and enter the address
.0042A1A9 remembering to put the full stop BEFORE the number.
We nearly there. You should land on the hex instruction that comes after the address. That is you should land here: E8FAB5FDFF, of course surrounded by lots of other numbers/letters. The white cursor square should be on the E8.
If you dont end up here, you may have to push Alt/F1 and try again. Toggling this enables us to put an address we found in softice straight into hiew, but I not sure which is the default setting. One of them will get you to where you want to be anyway.
When we there, push F3 (edit), make sure the cursor square is highlighting the E8 then enter 90. The E8 will be replaced by 90. You remember how may times we have to add 90?? Five! So enter 90 four more times, and you'll observe the white square cursor moving along as we make our changes. When you done it, push F9 to update the crackme.exe, push F10, or Esc, and we outa Hiew.
Click on the crackme you changed....and.....hey no nag. Test it out to make sure it functions how it supposed to, and we done it.
But...what this?? When we click on 'Check it Baby' we dont get any box telling us we right or wrong. Oops...I think as well as nopping out the nag, we also got rid of the correct/incorrect messagebox...so we havent done it after all!!!
What can we do now. First we either change back the version we patched, or delete it and go back to the original patched one...making another backup of course.
Ok...lets give it another go.
We know what a debugger is?? We been using one, and thats softice. Allows us to enter a programs code while the program is running. Well W32dasm also has a debugger included, and we going to give that a go.
So start W32dasm and select crackme.exe to disassemble (the patched one).
When it has finished disassembling click on 'Debug' from the menu bar along the top, then select 'Load Process' from the drop down menu.
A few boxes will pop up while it loads and you should end up with three...one to the left of the page; one to the right, and the disassembler window at the top.
Now I not going to go into the ins and outs of the debugger side of W32dasm, (you'll find good tuts about it at lots of places...or click the krobar logo at bottom and check out my site) coz, hehe, I'm a newer than newbie cracker myself, and it a bit like the blind leading the blind, so I just tell you what I did.
We interested in the right hand window. Along the bottom of this window you'll see...from the left: Autostep Into F5; AutoStep Over F6; Step Into F7; Step Over F8; pause; Run F9; then above Run: Terminate; patch Code; and Goto Address.
Okay, so what we gonna do is F8..Step Over...coz we want the nag to appear and we want to see the address where this happens. As we step over, if you look up at the diassembler window (up top), you'll see the address changing as we execute each line of code. Try it. Push F8. The code moves down one line. Keep doing it until the nag appears.
You might notice that when the nag first appears, it happens at address :0042FD97 Call 00429F8C. Actually it wont appear until we go to the next line because we have to step off the line to execute it. This may be interesting because the call that we nopped out previously was at address 0042A1A99 (meaning that we now got a new address to try changing). Hmmm, I wonder if this might do it...we gonna try.
It wise, when using W32dasm, to have another copy to use thats the same as the one you going to patch. This is because you cant change the code in Hiew if the program is in use by W32dasm. What this means is everytime you want to make a change with hiew, you got to exit W32dasm, and then load up again if the changes dont work.
You know the address we going to, but you'll have to look at the top window (disassembler) to see the bytes to change...the hex instruction (E8F0A1FFFF).See it??? Anyway, exit W32dasm (or minimise it if you got an exact copy to patch), and load up Hiew.
You know what to do. F4 HEX mode; F5 goto address .0042FD97; F3 change the 5 bytes to 9090909090; F9 to update; F10 (Esc) to exit.
Start crackme and check it out.
Hmmmm...half worked. No nag, but we go straight to the name/serial part of the crackme, with no option to go to just the serial part.
Try again I think. Delete that version, or undo the changes, and go back to the debugger in W32dasm. This time make backups (if you havent already) of the patched version...one to load in W32dasm, and one to load in Hiew.
Ok, redo what we did before, and F8 to the call we just nopped out, and then carry on F8ing to the next call at address 0042FDAF. Reload in Hiew and nop out this....nothing....Bummer.
Well I think what we gonna do is step into the call where the nag first appears, because somewhere in that call is where the nag comes from. I guess this might be getting confusing (hehe, I certainly confused) but stay with it...we nearly there.
So reload the patched version of crackme into W32dasm, start debugger as before, and F8 (step over) to the original call where the nag appears...0042FD97. If you already had crackme loaded, you can restart it by clicking on Terminate, then click Load process (from the debug drop down menu) again.
When you get to this address, push F7 (step into), and you'll go into this call. Now F8 (Step Over) to the next call where the nag appears.
This is address 00429FC2. You wont know that the nag is going to appear until you step past, but then you have to reload again, so just take my word for it, and step into this call (Press F7 when you're on this call) and then keep clicking F8 till you get to address 0042563D. If you step past this call (F8) the nag will appear, so just stop on this address and look at the disassembler window at the top. You'll see
:0042563D FF93CC010000 call dword ptr [ebx+000001CC]
Take note of the address...0042563D, and the hex instruction...FF93CC010000. Notice that the hex has 12 letters/numbers, so is 6 bytes. This means we got to replace it with 6 bytes...six nops, or 909090909090.
We know what to do.
- Load crackme in Hiew.
- F4..hex mode/enter
- F5..go to address .0042563D/enter (remember the dot BEFORE the address).
- F3...replace FF93CC010000 with 909090909090.
- F9...update.
- F10 (Esc) to exit Hiew.
Now check it.
Yeah!!! Works. We now got a crackme that we can enter any serial/name in, and we killed the nag.
I think we gave it a good hammering...or as I say: we Kro_baR'd it to death!!
Serial Number:
Ok. We look at Acid Burn crackme, and first thing we see is the nag. How many times we seen snags (shit nags) ??? Well we deal to that later. For now just click ok and load the crackme.
First we gonna enter the single serial number and use softice to find the correct one.
So click the serial button and enter 999999999.
You know what to do now!!! Ctrl d softice up, and set a breakpoint. We gonna try bpx hmemcpy, coz it seems to work most times.
So type:
bpx hmemcpy and push enter. Now F5 out of softice and click Check it Baby!
Well we back in softice and push F11, then disable breakpoint... bd0
We know what to do here! We gotta get to the code in the program. Look down between the bottom two windows and you see KERNEL(01), so we in the KERNEL.dll. Start pushing F12 till we see CRACKME2!CODE+0002B4BD...six times actually, then STOP and look at the code.
See a RET instruction a few lines below where we landed. This means we gonna return from a procedure so F10 down to it, and yep, onto another bit of code. Heh, another RET a few lines down...so F10 down and onto another bit of code. Keep F10 ing through the RETs, about six RETs all up. If we look at the EAX register (top left) it still equals 9...length of our serial???
After about the 6th RET, we'll land here:
xxxx:0042F4CA 8B45F0 MOV EAX,[EBP-10] xxxx:0042F4CD 8B55F4 MOV EDX,[EBP-0C] xxxx:0042F4D0 E82745FDFF CALL 004039FC xxxx:0042F4D5 751A JNZ 0042F4F1
We see a CALL just before a jump. Well we gonna trace INTO this call. F8 traces INTO a call (push F8 when we on the call line) and we end up here:
xxxx:004039FC 53 PUSH EBX<--we land here xxxx:004039FD 56 PUSH ESI xxxx:004039FE 57 PUSH EDI xxxx:004039FF 89C6 MOV ESI,EAX xxxx:00403A01 89D7 MOV EDI,EDX xxxx:00403A03 39D0 CMP EAX,EDX xxxx:00403A05 0F848F000000 JZ 00403A9A
Hmmmm, three pushes followed by some MOVs, then a CMP/JZ, a TEST/JZ, and another TEST/JZ. I think this interesting. Often we look for a CMP followed by a jump, or TEST followed by a jump, coz it maybe where our serial is compared to the real one. If not the same we jump to piss off message; or if the same, jump to good boy message.
I think we might be close, so we gonna to do some dumping (d) to see what the different registers and addresses contain.
- At line 004039FC type d eax and push the enter/return key...our serial in the display window, d ebx...hmm nothing.
- F10 to line 004039FD d esi...nothing.
- F10, d edi/enter...nothing.
- F10, to MOV ESI, EAX d esi/enter...nothing, d eax/enter...our serial.
- F10 to line 00403A01, d edi/enter...nothing, d edx/enter...what this in the display window? Correct serial??
Next line down we see our serial getting compared to correct serial, and if they the same we jump. Guess if they the same we jump to good boy message. Now before we F5 out of softice to see if we got the correct serial, we going to note down the JZ address...
xxxx:0403A05 0F848F00000 JZ 00403A9A
...I explain why later.
F5 out of sice and put in the serial. Congratz! Hey God Job dude!!=) <--hmm,spelling as bad as mine??
Well we finish this level. Next we gonna look at the name/serial level.
Name/Serial Number:
This time we gonna choose the serial/name option. Do it and enter name and serial.
You know what to do now!!! Ctrl d softice up, and set a breakpoint. We gonna try bpx hmemcpy again, coz it seems to work most times.
So type:
bpx hmemcpy and push enter. Now F5 out of softice and click Check it Baby!
Well we back in softice and do the same as last time...push F11, then disable breakpoint... bd0
We know what to do here! We gotta get to the code in the program remember. Look down between the bottom two windows and you see KERNEL(01), so we in the KERNEL.dll. Start pushing F12 till we see CRACKME2!CODE+0002B4BD...six times actually, then STOP and look at the code.
Looks a lot like level one code dont it...we'll see. F10 through the six returns and we land here:
xxxx:0042F9CD 8B45F0 MOV EAX[EBP-10]
Stop here. The code looks different from the last level now, so have a look at it...lots of calls...and remember what we looking for? A compare before a jump, or a call before a jump. Well scroll the code window down a bit (Ctrl down arrow) and we see a call before a jump at:
xxxx:0042FA52 E8D96EFDFF CALL 00406930
Think we'll try it. F10 down to that address so it is highlighted, and F8 into the call. We land here:
xxxx:00406930 89FA MOV EDX , EDI
and if you do a d eax you see a bit of your name in the display window. I also see a compare followed by a jump further down, but we arent going to get there this time coz there a RET in the way.
F10 to the RET and we land here:
xxxx:0042FA57 83F804 CMP EAX , 04 <.....is our serial 4 characters
xxxx:0042FA5A 7D1D JGE 0042FA79 <.....jump if greater or equal to 4
Cant see nothing interesting here...can check the registers if you want (d etc) but see not a lot so F10 once to the JGE (jump if greater or equal) and F10 to execute the jump.
Stop where you land and look at the code. Lots of calls, AND, if you scroll the code window down (Ctrl down arrow) you see a call followed by a jump at:
xxxx:0042FAFE E8F93EFDFF CALL 004039FC xxxx:0042FB03 751A JNZ 0042FB1F
Well I think we go into that call, so F10 down to it, then F8 into it. We land here:
xxxx:004039FC 53 PUSH EBX<--we land here xxxx:004039FD 56 PUSH ESI xxxx:004039FE 57 PUSH EDI xxxx:004039FF 89C6 MOV ESI,EAX xxxx:00403A01 89D7 MOV EDI,EDX xxxx:00403A03 39D0 CMP EAX,EDX xxxx:00403A05 0F848F000000 JZ 00403A9A
and what you know...it the same bit of code that we ended up at in our last tut. The bit that gives us our correct serial.
F10 to the CMP, do a d edx...our number, and a d eax...looks like the correct serial to me.
Now dont forget to make a note of the address where the jump takes place, although if you worked through the last tut, we already have it.
F5 out of softice and enter the serial...Congratz!! Good job dude=).
That it. We done it. Did you notice that the well done messages were different for the two levels??? I wonder if that means anything.
Next we gonna look at patching the crackme so we can use any name and number, using W32dasm and Hiew. Dont think we usually sposed to patch crackmes, but we gonna for the experience, so before we start our next tut, load crackme.exe into W32dasm, and click on string references.
You might say what the point of patching when we already got the serial??? Well there no point, but we gonna do it to do it!!
Patching:
So did ya check out the string references in W32dasm. Hehe none there were there...so what we gonna do??
Well remember making a note of this address in the last tut when we were in softice...
xxxx:004039FC 53 PUSH EBX xxxx:004039FD 56 PUSH ESI xxxx:004039FE 57 PUSH EDI xxxx:004039FF 89C6 MOV ESI,EAX xxxx:00403A01 89D7 MOV EDI,EDX xxxx:00403A03 39D0 CMP EAX,EDX xxxx:00403A05 0F848F000000 JZ 00403A9A<-this one...we gonna use that coz we can assume that we jump to the good message if the serials are equal. So write down the address (00403A05) and the hex code (0F848F000000), and we ready to make our changes.
Load the crackme into Hiew ( or other hex editor)...making sure you have a BACK UP copy...and, you know what to do!
- F4 and change to code mode if Hiew doesnt open in this mode.
- F5, put in address...(.00403A05...remembering the full stop BEFORE the address) push enter.
- F3...now we gonna change the JZ to JNZ...so we jump if the serials not match.
- F3...the cursor square will be on 0F, and type in 0F85...(or you can use the right arrow button to move the cursor over the 4, and just push 5). The code will now be 0F858F000000.
- F9 to make the changes permanent, and F10 (or Esc) to exit Hiew
Exception EAccessViolation blah blah blahHmmmm, guess that wasnt the right change to make after all. Lucky we got a copy. If you werent smart enough to backup youll have to reload the crackme in hiew and undo the changes.
Well what we gonna do now. I'm gonna check out softice again, coz we got the correct serial, so we can compare what the code does with correct serial and incorrect serial.
So this was the code we found last time:
xxxx:0042FAFE E8F93EFDFF CALL 004039FC<-last time xxxx:0042FB03 751A JNZ 0042FB1F
We went into this call remember, and landed here:
xxxx:004039FC 53 PUSH EBX xxxx:004039FD 56 PUSH ESI xxxx:004039FE 57 PUSH EDI xxxx:004039FF 89C6 MOV ESI,EAX xxxx:00403A01 89D7 MOV EDI,EDX xxxx:00403A03 39D0 CMP EAX,EDX xxxx:00403A05 0F848F000000 JZ 00403A9A
...notice the JNZ at address xxxx:0042FB03???? We call something and then jump if its not equal to zero. I wonder if that jump takes us to the incorrect, or the correct message. Well I used the correct serial number, and went through softice like before, got to that jump, and didnt jump. So I'm assuming that that jump takes us to the buggar off message. We want to change it to JZ I think... you think about why.
We try it. Make a note of the address and, yeah, exit softice (ctrl d) and load up hiew.
- F4 if you not on code mode, select code, then push enter (or you can toggle the three modes by just pushing enter).
- F5 (goto) and enter the address .0042FB03 (lower or uppercase, doesnt seem to matter)and push enter.
- F3 (edit) and change the 75 to a 74.
- F9 (update) to make changes permanent.
- F10 (or Esc) to exit hiew.
- I just mention here that in Hiew you might notice that instead of JZ or JNZ, you might see JE or JNE. These mean the same so no worries!
We better try the other option too. Go to just the serial option, enter any number, and incorrect....bummer, looks like it back to softice!
Well this one be easy, we know what to do. Start crackme and go to the serial option. Back into softice and do the same as in tut 1. Now you remember this piece of code, coz we went into this call in tut 1:
xxxx:0042F4CA 8B45F0 MOV EAX,[EBP-10] xxxx:0042F4CD 8B55F4 MOV EDX,[EBP-0C] xxxx:0042F4D0 E82745FDFF CALL 004039FC<-here xxxx:0042F4D5 751A JNZ 0042F4F1...so we gonna change the JNZ at 0040F4D5 to a JZ, same as for serial/name.
Also while you in softice at this piece of code, have a look down. You will see an unconditional jump at address 0042F4EF. Unconditional jump means we gonna jump whatever, but if we put in the wrong serial, the JNZ that we gonna change in a minute, takes us over this and we miss it. We can assume that this unconditional jump takes us to the good guy message, but if we have the wrong serial we dont get there.
Anyway, load up hiew and make the change...you know what to do by now...then check it.
Hey works...cool, we done it. Now for both options we can stick in anything we want and we get the cool dude message.
One thing that pisses me off is that nag...it got to go!!!
Kill The Nag:
It time for the nag to die!!
When we click on this crackme, we are greeted with a message box. We dont want it, so what we gonna do?? We want to find out what makes the nag happen, so what we really want is for softice to break when that message box is called, so we can have a look at the code.
Fortunately, there are breakpoints that we can use to make this happen. The obvious one is to set a breakpoint on messagebox to which we add an A at the end because it is a 32 bit program. There heaps of tuts available to learn more about all this.
All we got to know is that we gonna use the breakpoint bpx messageboxa and see if we can get softice to break when this function is called.
So Ctrl D softice up and type bpx messageboxa then push enter.
Now double click the crackme (to open it), and yeah softice springs to life. Push F11 and you'll be greeted with the crackme nag. Click ok (on the nag) and pow, back into softice, and you'll see that we in the program if you look between the bottom two windows.
We see this:
xxxx:0042A1A9 E8FAB5FDFF CALL USER32!MessageBoxA xxxx:0042A1AE 8945FC MOV [EBP-04]-EAX<-we land here
Now if you look at the line above where we land, you'll see a call to USER32! MessageBoxA. Hmmm...with a bit of thought we could come to the conclusion that if that call did not happen, then the message box would not appear.
We gonna nop it out. Nop means no operation and causes the program to do nothing for that particular line. The hex for nop is 90 and each nop is equal to one byte. So two numbers equals one byte. If you look above to the call, at the hex instruction for the call ( E8FAB5FDFF ) you see ten numbers...so it equals five bytes. When we nop out this call, we gotta make sure it five bytes.
Nopping out the call should mean that the message box never happens and therefore no nag.
Lets give it a go! Take a note of the whole line
xxxx:0042A1A9 E8FAB5FDFF CALL USER32!MessageBoxA, and especially the address
0042A1A9, then F5 out of softice.
I not going to explain what to do with Hiew...you'll just have to go back and read previous tuts if you dont know, but, I will remind you to make a backup copy of the PATCHED crackme.exe (in case the changes we make are wrong).
Load one of the copies into hiew, then push F4 and select HEX mode. Push enter to go into Hex mode, then F5, and enter the address .0042A1A9 remembering to put the full stop BEFORE the number.
We nearly there. You should land on the hex instruction that comes after the address. That is you should land here: E8FAB5FDFF, of course surrounded by lots of other numbers/letters. The white cursor square should be on the E8.
If you dont end up here, you may have to push Alt/F1 and try again. Toggling this enables us to put an address we found in softice straight into hiew, but I not sure which is the default setting. One of them will get you to where you want to be anyway.
When we there, push F3 (edit), make sure the cursor square is highlighting the E8 then enter 90. The E8 will be replaced by 90. You remember how may times we have to add 90?? Five! So enter 90 four more times, and you'll observe the white square cursor moving along as we make our changes. When you done it, push F9 to update the crackme.exe, push F10, or Esc, and we outa Hiew.
Click on the crackme you changed....and.....hey no nag. Test it out to make sure it functions how it supposed to, and we done it.
But...what this?? When we click on 'Check it Baby' we dont get any box telling us we right or wrong. Oops...I think as well as nopping out the nag, we also got rid of the correct/incorrect messagebox...so we havent done it after all!!!
What can we do now. First we either change back the version we patched, or delete it and go back to the original patched one...making another backup of course.
Ok...lets give it another go.
We know what a debugger is?? We been using one, and thats softice. Allows us to enter a programs code while the program is running. Well W32dasm also has a debugger included, and we going to give that a go.
So start W32dasm and select crackme.exe to disassemble (the patched one).
When it has finished disassembling click on 'Debug' from the menu bar along the top, then select 'Load Process' from the drop down menu.
A few boxes will pop up while it loads and you should end up with three...one to the left of the page; one to the right, and the disassembler window at the top.
Now I not going to go into the ins and outs of the debugger side of W32dasm, (you'll find good tuts about it at lots of places...or click the krobar logo at bottom and check out my site) coz, hehe, I'm a newer than newbie cracker myself, and it a bit like the blind leading the blind, so I just tell you what I did.
We interested in the right hand window. Along the bottom of this window you'll see...from the left: Autostep Into F5; AutoStep Over F6; Step Into F7; Step Over F8; pause; Run F9; then above Run: Terminate; patch Code; and Goto Address.
Okay, so what we gonna do is F8..Step Over...coz we want the nag to appear and we want to see the address where this happens. As we step over, if you look up at the diassembler window (up top), you'll see the address changing as we execute each line of code. Try it. Push F8. The code moves down one line. Keep doing it until the nag appears.
You might notice that when the nag first appears, it happens at address :0042FD97 Call 00429F8C. Actually it wont appear until we go to the next line because we have to step off the line to execute it. This may be interesting because the call that we nopped out previously was at address 0042A1A99 (meaning that we now got a new address to try changing). Hmmm, I wonder if this might do it...we gonna try.
It wise, when using W32dasm, to have another copy to use thats the same as the one you going to patch. This is because you cant change the code in Hiew if the program is in use by W32dasm. What this means is everytime you want to make a change with hiew, you got to exit W32dasm, and then load up again if the changes dont work.
You know the address we going to, but you'll have to look at the top window (disassembler) to see the bytes to change...the hex instruction (E8F0A1FFFF).See it??? Anyway, exit W32dasm (or minimise it if you got an exact copy to patch), and load up Hiew.
You know what to do. F4 HEX mode; F5 goto address .0042FD97; F3 change the 5 bytes to 9090909090; F9 to update; F10 (Esc) to exit.
Start crackme and check it out.
Hmmmm...half worked. No nag, but we go straight to the name/serial part of the crackme, with no option to go to just the serial part.
Try again I think. Delete that version, or undo the changes, and go back to the debugger in W32dasm. This time make backups (if you havent already) of the patched version...one to load in W32dasm, and one to load in Hiew.
Ok, redo what we did before, and F8 to the call we just nopped out, and then carry on F8ing to the next call at address 0042FDAF. Reload in Hiew and nop out this....nothing....Bummer.
Well I think what we gonna do is step into the call where the nag first appears, because somewhere in that call is where the nag comes from. I guess this might be getting confusing (hehe, I certainly confused) but stay with it...we nearly there.
So reload the patched version of crackme into W32dasm, start debugger as before, and F8 (step over) to the original call where the nag appears...0042FD97. If you already had crackme loaded, you can restart it by clicking on Terminate, then click Load process (from the debug drop down menu) again.
When you get to this address, push F7 (step into), and you'll go into this call. Now F8 (Step Over) to the next call where the nag appears.
This is address 00429FC2. You wont know that the nag is going to appear until you step past, but then you have to reload again, so just take my word for it, and step into this call (Press F7 when you're on this call) and then keep clicking F8 till you get to address 0042563D. If you step past this call (F8) the nag will appear, so just stop on this address and look at the disassembler window at the top. You'll see
:0042563D FF93CC010000 call dword ptr [ebx+000001CC]
Take note of the address...0042563D, and the hex instruction...FF93CC010000. Notice that the hex has 12 letters/numbers, so is 6 bytes. This means we got to replace it with 6 bytes...six nops, or 909090909090.
We know what to do.
- Load crackme in Hiew.
- F4..hex mode/enter
- F5..go to address .0042563D/enter (remember the dot BEFORE the address).
- F3...replace FF93CC010000 with 909090909090.
- F9...update.
- F10 (Esc) to exit Hiew.
Now check it.
Yeah!!! Works. We now got a crackme that we can enter any serial/name in, and we killed the nag.
I think we gave it a good hammering...or as I say: we Kro_baR'd it to death!!