- Hello again...
-
- I'm back with tut number 4/5 on >>Nullz<< CrackMe Version 1.1
-
- This time it is a LITTLE more complicated to catch the serial,
- but still very easy. I didn't write this tut for COMPLETE newbies,
- though it might be TOO easy for intermediate crackers, but I say
- it is intermediate anyway :)
-
- This is what you need:
-
- Soft-Ice 3.0 (or higher)
- >>Nullz<< CrackMe Version 1.1
- - can be found on HarvestR's site: http://surf.to/HarvestR/ (nice site BTW...:-D)
- And this tut..hehe
-
-
- So, we fire up the proggie, we go to Level 4 "Pretty Common"
-
- - Enter:
- Name : EinZtein <---- 8 Chars (8 in HEX)
- Company: USC <---- 3 Chars (3 in HEX)
- Serial : 7894561230 <---- 10 Chars (A in HEX)
-
-
- hmmm...let's see.
-
- What are the two most commonly used breakpoints when we are catching serials?
- -GetWindowTextA & GetDlgItemTextA
-
- So let's go into SoftIce by pressing Ctrl+D, and put a breakpoint on those two.
- Now, enter our Name/Company/Serial, and press OK.
- Huh, S-Ice pops up, so we have probably found the right place.
- First, push F11 to get out of the Windows API call.
- Now, take a look at the EAX register. What do you see?
-
- We see: Eax == 00000008
-
- That must be the name (8 chars), and that is NOT what we are looking for. So let's just go on,
- by pushing F5, and F11 again.
-
- ahh...What we now see is: EAX == 0000000A
-
- That HAS to be the serial (10 chars). (This is very commonly used in normal protected shareware, so
- you will probably see this very often.)
-
- Ok. We are in the right place...so, what now ?
-
- Now we have to step a little, through all the boring stuff, and get directly into the
- serial compare routine itself.
- (You can often find the compare routine itself by checking the registers when they change:
- if your serial pops up in one of them, there is a big chance you are in the right place.)
-
- So let's step...
-
- After we have stepped a few times (with F10), we come to a new file called "Crackme".
- Hmm. That ain't so bad, coz most common protection schemes are in the executable file
- itself. So we are on the right track.
-
- After 1 or 2 steps in the "Crackme" file, we see that our name is being put into EAX,
- so do a: D EAX, and you'll see our name.
-
- Hmmm...could be something we might be able to use, so why don't we take a look at what
- happens next.
-
- :00401E54 E8910D0000 Call 00402BEA
- :00401E59 8B442410 mov eax, dword ptr [esp+10]
- :00401E5D 8B40F8 mov eax, dword ptr [eax-08] <--- The length of our name gets put in EAX
- :00401E60 83F805 cmp eax, 00000005 <--- Have we written less than 5 letters ?
- :00401E63 0F8CCD000000 jl 00401F36 <--- If yes, go away
- :00401E69 3D00010000 cmp eax, 00000100 <--- More than 100 (HEX) ?
- :00401E6E 0F8FC2000000 jg 00401F36 <--- Go away again
-
-
- Check this: :00401E5D 8B40F8 mov eax, dword ptr [eax-08]
-
- (If your serial is in EAX, then it is very commonly the case that the length of your
- name/serial is stored 8 bytes before the name/serial itself, i.e. if your serial is in EDX,
- the length of the serial is VERY often (almost always) in [EDX-08]. Remember that.)
-
- well...back to the cracking part.
-
- So, now we know that our name must be AT LEAST 5 chars, so if you didn't write that many,
- go change it.
-
- Ok, we have now bypassed the check for our name. So let's see what we might find
- in the next few lines.
-
- Right after the check we see this:
-
- :00401E74 8B4C2414 mov ecx, dword ptr [esp+14] <--- Serial gets moved into ECX
- :00401E78 3959F8 cmp dword ptr [ecx-08], ebx <--- Length of serial is compared to 0
- :00401E7B 0F84C8000000 je 00401F49 <--- Length of serial = 0 ? Yes ? Go away!
-
-
- So, what do we do now? You oughta know by now...:-)
-
- We do a D ECX, of course.
-
- and what do we see ?
-
- OUR SERIAL...ding ding
-
- We MUST be close to the end now...
-
- So let's take a closer look at what happens to our serial. Ahh, it checks [ECX-08],
- which must be the length of our serial. But what does it compare it to?
- -cmp dword ptr [ecx-08], ebx
-
- and what is EBX ?
-
- EBX == 00000000
-
- So it checks if we have written a serial at ALL, but of course we have,
- so we just pass this check.
-
- Let's step a little further to see if we catch something interesting...
-
- We step, step, step and step, and NOTHING we can use?
-
- Hmmm, could we be in the wrong place?
-
- Nah, let's give it another try. Step some more...:-)
- (You might as well get used to it: when you are catching serials, there will ALWAYS be a
- hell of a lot of boring stepping.)
-
- after like 15-20 steps, you will come to this:
-
-
- * Reference To: KERNEL32.lstrlenA, Ord:02A1h
- |
- :00401EBA FF1500404000 Call dword ptr [00404000]
- :00401EC0 8D4C2414 lea ecx, dword ptr [esp+14]
- :00401EC4 8BF8 mov edi, eax
-
- * Reference To: MFC42.MFC42:NoName0092, Ord:106Bh
- |
- :00401EC6 E8250D0000 Call 00402BF0
- :00401ECB 8B442414 mov eax, dword ptr [esp+14] <--- Hmmmm
- :00401ECF 8D542420 lea edx, dword ptr [esp+20]
- :00401ED3 8B48F8 mov ecx, dword ptr [eax-08] <--- Hmmmm
- :00401ED6 2BC2 sub eax, edx
-
-
- Don't let us worry TOO much about what actually happens, coz we JUST wanna catch that damn
- serial, right?.....:-)
-
- So, lets take a look at EAX, just after we passed 00401ECB.
-
- Hmm, looks strange. What we see is "0321654987"
-
- Errr...doesn't this look familiar?
-
- It is the serial we wrote, just backwards.
-
- Why is that? you might ask yourself.
- -It is probably just a little trick the programmer made, just to scare some dumb crackers away.
- But not us!
-
- So let's step until we reach address 00401ED3.
-
- now take a look at EDX. DING DING DING !
-
- If THIS is not a serial, I am the Queen of Sheba. BUT remember, OUR serial was
- written backwards, so why shouldn't THIS serial be written backwards as well?
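- Added illustration (not code from the crackme or from this tut) of what the listings above show: a C model of the MFC 4.2 CString header, which is why the length sits at [pointer-08], the two input gates at 00401E60..00401E7B, and the reversal seen at 00401ECB. The header layout is MFC 4.2's CStringData; the function names are my own.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Header MFC 4.2 keeps in front of a CString's characters (modelled here, not the
   crackme's own code). The text starts right after it, so from a data pointer p:
   [p-12] = nRefs, [p-8] = nDataLength, [p-4] = nAllocLength. */
struct StringHeader {
    int32_t nRefs;        /* reference count */
    int32_t nDataLength;  /* characters in use, without the NUL */
    int32_t nAllocLength; /* characters allocated */
};

/* Build header + text and return the data pointer: the kind of pointer the
   tutorial finds in EAX/ECX after the MFC calls. */
static char *make_mfc_string(const char *s) {
    int32_t len = (int32_t)strlen(s);
    struct StringHeader *h = malloc(sizeof *h + (size_t)len + 1);
    if (!h) abort();
    h->nRefs = 1;
    h->nDataLength = len;
    h->nAllocLength = len;
    memcpy(h + 1, s, (size_t)len + 1);
    return (char *)(h + 1);
}

/* The crackme's "mov eax, [eax-08]": read the length 8 bytes before the text. */
int mfc_length_of(const char *s) {
    char *data = make_mfc_string(s);
    int32_t len;
    memcpy(&len, data - 8, sizeof len);
    free((struct StringHeader *)data - 1);   /* header sits just before the text */
    return len;
}

/* The gates at 00401E60..00401E7B: name length must be 5..0x100 (jl/jg leave
   otherwise) and the serial must be non-empty (cmp [ecx-08], ebx with ebx == 0). */
int passes_input_gates(const char *name, const char *serial) {
    int nlen = mfc_length_of(name), slen = mfc_length_of(serial);
    return nlen >= 5 && nlen <= 0x100 && slen != 0;
}

/* The reversal seen at 00401ECB: 1 if reversing s character by character gives expected. */
int reversed_equals(const char *s, const char *expected) {
    size_t n = strlen(s);
    if (n != strlen(expected)) return 0;
    for (size_t i = 0; i < n; i++)
        if (s[i] != expected[n - 1 - i]) return 0;
    return 1;
}
```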
-
- Hmmmm, kinda easy to find out though :)
-
- Write the serial down, remove your breakpoints by typing "BC *" in SoftIce,
- and go try the serial as you saw it the first time (0321654987).
-
- Huh, doesn't work?
-
- Try reversing it and write it backwards...
-
- and THERE we go, it works !!!
-
- Now try to put this Tut away, and try to catch the serial with your own name/company,
- all by yourself (No help from this tut).
- >>>Experience is the best book<<<
-
- I hope you enjoyed this little tut. If you have any comments on it, just catch me on:
- efNet, #Cracking4Newbies.
-
- Greets to: MAK, BiGMoM, Vizion, CrackZ, Doctor Scoop, Decoder|Z, Corn2,
- Rudeboy, DEZM, G-RoM, YOSHI, Darkl0rd, HarvestR, Quantum-X,
- Nitrus, Cruehead, r00ster, all the guys in #cracking4newbies
- and all those i forgot....:-)
-
-
- Thank you for this time :)
-
-
- /EinZtein
-
-