Cracking 2

home *** CD-ROM | disk | FTP | other *** search

/ Cracking 2 / Cracking II..iso / Texty / crackme / SiFLyiNG_6.txt < prev next >

Wrap

Text File | 1999-07-27 | 6.2 KB | 166 lines

SiFLyiNG Tutorial #6 ____________________________________________________________________________ Target : CupOfCoffee Crackme 2 (giger_crackme.zip) d/l on EB site at http://crackmes.cjb.net Protection Type : Code, VB : code sniffing and patch Level : the author says it's easy Tools needed : SoftIce 3.xx Windasm An hex editor (Hiew, hewWorkshop, Hedit...) Some basis of VB cracking and patching ____________________________________________________________________________ Before beginning... First I advise you to read my 3rd Tut on CupOfCoffee crackme 1. The method to find the serial is exactly the same. Here i'll summarize but you can find my tut on EB site. We'll then study different ways to crack the protection scheme (a classic comparison). Time is money... so let's start ! ____________________________________________________________________________ The essay... 1. Finding the correct serial Ok, i'll won't do big explanations. If you wanna know more, read my 3rd tut. Besides the serial hasn't change from the first crackme to this one! So, let's bpx on __vbaStrCmp. Exit SoftIce. Enter any serial, press the check button and you're to SoftIce. There press F11 to return from the caller and you will see that line. :0052168D Call [MSVBVM50!__vbaStrCmp] It's the call to the comparison function. You must know that this compare the two last string pushed on the stack. So we need to know what the last pushed strings are. One is certainly our fake code and the other the good code. And these strings are in Wide Characters, ie '123456' becomes '1.2.3.4.5.6.' where '.' represents the Null char. So trace up a bit in the display of the code and you'll see up to the call : :00521684 Mov ECX, [EBP-18] :00521687 Push ECX :00521688 Push 00450560 ; very interesting :) :0052168D Call [MSVBVM50!__vbaStrCmp] ; call to the comparison function so you make a breakpoint on the line at adress 521687 : either you double click on it, or you make 'BPX 521687' and you should see the line in blue. Return to your crackme and press 'Check' another time. Boom, you should come back in Softice and see that : 'Break due to 'XXXX:00521687' or something like that. And you see the previous code: :00521687 Push ECX 'd ECX' and you see your code :00521688 Push 00450560 'd 00450560' and you see 2E 00 2E 00 2E 00 2E 00 - 2E 00 2E 00 2E 00 2E 00 ................ 2E 00 2E 00 00 00 00 00 - 24 00 00 00 49 00 6E 00 ........$...I.n. What's that you ask me ??? There nothing !!! No, look attentively the hexa display. Do you see only 00 00 00 ??? No ! You see 2E 00 2E ... and if you make a '? 2E' you should see : 0000002E 0000000046 "." so you rapidly deduce that 2Eh is the ASCII code of the point character ! Thus, our code is composed by 10 "." ; yes, really! Count them if you don't believe me. This protection is certainly the reason why the author of the crackme told it was 'tricky but easy'. You have to open your eyes to see the code, and it's not so easy ... But we found it ! We can now go to the second part of the crackme... 2. The patch There are different ways to patch the giger_crackme. Here is the important code for the serial check routine: :00521684 Mov ECX, [EBP-18] :00521687 Push ECX ; push the entered serial :00521688 Push 00450560 ; push the good serial :0052168D Call [MSVBVM50!__vbaStrCmp] ; call to the comparison function :00521693 Mov ESI, EAX ; returns 0 if good serial, FFFF FFFF if bad serial :00521695 Lea ECX, [EBP-18] :00521698 Neg ESI :0052169A Sbb ESI :0052169E Neg ESI :0052169E Neg ESI :005216A0 Call [MSVBVM50!__vbaFreeStr] :005216A6 Lea ECX, [EBP-1C] :005216A9 Call [MSVBVM50!__vbaFreeObj] :005216AF Cmp SI, DI ; DI=0 :005216B2 Jz 00521722 ; JZ to Good Cracker and display the new form ...otherwise it displays a Message Box with 'Incorrect password' with a call rtcMsgBox. So SI must be equal to DI to jump to the good cracker routine and we know that DI = 0 so SI must be equal to 0 to jump! The first way would be to force ESI to 0. Instead of Neg ESI, we could put Xor ESI, ESI, which means that we have to change: :0052169E F7DE Neg ESI to :0052169E 33F6 Xor ESI, ESI But there are others solutions... of course you can patch the jz Good Cracker and replace it by a Jump Good Cracker, which would always jump. You can also replace the comparison between SI and DI by a comparison between DI and DI because DI is always equal to DI :) :005216AF 663BF7 Cmp SI, DI => :005216AF 663BFF Cmp DI, DI We know too that before the call to the VB strings comparison function, the good code and the entered code had been pushed on the stack, so that the call would compare them. But if you push the entered code instead of the good code, the call would compare the both same code, and would return 0 to say they are equal ( of course because they are the same ) So could change : :521687 51 Push ECX :521688 6860054500 Push 00450560 to: : 51 Push ECX : 51 Push ECX : 90 Nop : 90 Nop : 90 Nop : 90 Nop Try it ! it functions and the winner form will be displayed ! Ok i believe they are others ways to patch this crackme, but i think i have found enough for the moment. So the crackme can now be patched to admit any serial. ____________________________________________________________________________ The end... Voila, another crackme cracked by two ways this time. Just note that lots of VB progs (crackmes and commercial soft) have the same protection scheme (if we can call that a protection scheme because it's a simple comparison between the entered serial and the good serial). I hope it was understandable. But if something was wrong or not cleared just mail me. SiFLyiNG siflying@ifrance.com Greetz : Eternal Bliss, Acid Burn, Carpathia, Lucifer48, Skymarshall and the others i've forgotten.