Cracking 2

home *** CD-ROM | disk | FTP | other *** search

/ Cracking 2 / Cracking II..iso / Texty / crackme / hf-scm3.txt < prev next >

Wrap

Text File | 1999-07-10 | 6.7 KB | 172 lines

░ ░ ░ ░ ▄▓ ▄▄ ░░ ▄▄▄▄■ ░░▀ ■▄▄▄ ▄▄ ▐█▓▌ ▄▀▀ ▀■ ▀ ░░ ▀ ■▀ ▀▀▄ ██▌ ■ ▄▄▀▀ ▄▄██▀██▄▄ ▄▄▄███▄▄ ▀▄▄ ■ ▄▄▄███▄▄▐██ ▄▄████▄▄ ▀▄▄ ▄▀▀ ▄███▀ ▀██▓▄ ▄████▀ ▀██▓▄ ▀▄ ▄▄▀ ▄████▀ ▀██▓██ ▄████▀ ▀██▓▄ ▀▀ ▄ ▐███▌ ░ ▐██▓▌ ▐████▌ ░ ▐██▓▌ ▄ ▀▀ ▐████▌ ░ ▐████▌ ▐████▌ ▐██▓▌ ■██▄▄▓▌ ████ ░▒░ ████ █████▄▄▄ ▀▀▀▀ ▐█▄▄█▓ █████ ░ █████ █████▄▄▀▀▀▀▀▀▀ ▐████ ░░ ▓██▌ ░▒▓▒░ ▐███ ▄▄▄▄▄ ▀▀▀████▄ ████▌ ▓███▌ ▐████ ▓███▌ ░░░░░░ ░ ███▌ ░ ▐▓███ ░▒▓▒░ ▓███▌▓███▌ ░░░ ▐████ ▐▓██ ▓███▌ ▄▀▀ ▐████ ▓███▌ ░░░░░░░ ▓██▌ ▐▓███ ░▒░ ▓███▌▐▓███ ░ ▓███▌ ▐▓██ ▐▓███ ▓███▌ ▐▓███ ▐▓███ ▐▓▓██▌ ░ ▐▓███▌ ▓▓██▌ ▐▓███ ▓███▌ ▓▓██▌ ░ ▐▓███ ▓▓██▌ ▓▓▓██▌ ■▓▓▓▓██ ░ ▓█████■ ▀▓▓█▄ ▄▓██▀ ▐▓████ ▄ ▀▓██▄ ▄▓██▀ ▀▓██▄ ▀▓███▄ ▀▀▀██▄ ▄▓█▀▀▀ ▀▀█▀▀ ▄▓▓▓▀▀ ▀▀█▀▀ ▀▀▀▀ js ▀▀▀▀▀▄▄ ░ inside ▄▄▀▀▀▀▀ ░ ▀▄ ░ ░░ ▄▀ ░░ ░ ░░ Tutor : duelist Date Wrote : May 10, 1999 Level (1/10) : 2 Target : Hellforge Softice Crackme 3 Size : 120kb Protection : Anti-Softice, Packed, Name/Serial Tools Used : SoftIce - INTRODUCTION: - Before anything else i would like to say that i rated this crackme with 2 because of the softice check, it is very easy and about everyone should be able to reverse it. We'll start with 'killing' that check (+ analysing the code around it...) Advice: I won't say what you have to type in softice, only what do you need to do, or else you won't learn! - CRACKING ANTI-SICE CHECK: - Most of the programs that have this kind of check (actually, these are mostly used in crackmes) use the CreateFileA with '\\.\SICE' as the file parameter, so it won't be hard to kill this one. 1. Switch to softice and set a breakpoint on CreateFileA 2. Back to windows and execute the crackme 3. You'll break just after executing it, just ignore that break because Explorer calls CreateFileA whenever some application is executed... (go back to windows) 4. You'll break again, this time it's not normal and it should be due to some call inside the program. Press F12 and you'll be inside the crackmes' code: push 00435314 <- dump this address to see it is call KERNEL32!CreateFileA '\\.\SICE', it's our check! mov [ebp-04], eax cmp dword ptr [ebp-04], -01 <- does '\\.SICE' exist? if yes, /----< jz 00401625 softice loaded, don't jump! | push dword ptr [ebp-04] | call KERNEL32!CloseHandle <- close the file if it existed | mov eax, 1 <- important! eax is set to 1 if | pop ecx softice was loaded | pop ebx | ret |----> xor eax, eax <- no softice loaded, set eax | pop ecx to 0 | pop ebx | ret | \-! Stop at this line and do the following: "a" to edit the code in it, then "jmp 401625" to make it jump always and press Escape to get out of code editing mode. Why did i do this? Later in the program this routine will be used for another thing, and since we don't want to be checking when its run again, just leave it patched the correct way! SIDE-NOTE: For winNT users: The program will also check for '\\.\NTICE' by using this snippet of code, if u change the code this way, you'll spare some time! 5. Now that you understood this snippet of code, let the program run after the ret instruction, and after some steping we'll be here: test eax, eax /----< jz 40156D | mov dword ptr [00439200], 00000006 | jmp 00401577 >--\ \----> mov dword ptr [00439200], 00000005 | mov edx, [ebp-28] <--/ What this snippet of code does is to set the offset 00439200 to 5 if softice is npt loaded and to 6 if softice is loaded. You may think: why is this done if the app only runs when softice is _not_ loaded? This tricks people who just reverse the flag in the softice check routine, since it is executed later again to load the correct value into the offset. Nice work LaZaRuS :) - CRACKING NAME/SERIAL CHECK: - 1. Enter any name and serial you wish 2. Switch to softice and set a breakpoint on hmemcpy (this is a delphi app, so standard api calls are not issued to get editbox's text) 3. Delete any char in your name or serial (since they are checked in real time, we've no button) 4. Ignore the first break on hmemcpy, that's just windows erasing the char... Next time it breaks, press F12 until you get to the crackme's code. 5. Now, i don't include much code here because the target is packed and i've got other things than manually reproducing code here. Set a break- point on 004017AF (bpx 4017AF) and you should break at the code genera- tion routine: /---> movsx ecx, byte ptr [eax] <- move each letter of the name into ecx | xor ecx, [ebp-54] <- xor ecx with the counter | imul ecx, [00439200] <- remember this offset? should be 5! | add [ebp-50], ecx <- add the value to this offset | ... | inc dword ptr [ebp-54] <- increase counter | ... | ... | test ecx, ecx <- end of name reached? \---< jnz 00401783 <- if no, go back to the beginning ... ... __/ mov eax, [ebp-50] <- code is at ebp-50 now... | \ imul eax, [ebp-50] <- code = code * code (square of code) | | \-! These 2 lines of code are executed when all the name has been parsed by the above routine... 6. You now have all the info you need to code a keygenerator, you can check my pascal source below if you want to (or you can't code one :) - CODING A KEYGENERATOR: - ... write(' Enter name: '); readln(name); for i:=1 to length(name) do begin ecx:=ord(name[i]); ecx:=ecx xor i; ecx:=ecx * 5; ebp:=ebp + ecx; end; ebp:=ebp * ebp; str(ebp, code); writeln(' Registration code: ', code); ... - FINAL REMARKS & THX: - Hope you enjoyed this tut, i've tried to not only show you things by a 'distant' look, but see them deeply, so you can't miss anything. Also i hope you learn something about keygens by looking at this tut... Thx 2: E_Bliss for kinda 'forcing' me to write tuturials LaZaRuS for writing this crackme tC for being such a nice friend with some nice crackmes MisterE for showing me the way to go ;) Everyone that _wants to learn_ at #cracking4newbies! signing off, duelist [isd]