- Hiya!
-
- First I want to thank all those good guys who are writing Crackme's and tests so that we can
- learn and improve our knowledge. Greetings this time especially to tC, who coded the target
- we're dealing with now, and to Eternal Bliss for doing great work with his CrackMe(s)-site.
-
- This time tC just asks us to enter a valid unlock-code that is split into six parts. With this
- kind of protection scheme it's most likely that our entered password is compared with a
- hardcoded serial. So let's check what we have here...
-
- Again we will use NuMega's powerful SoftICE. Start Stx_cm and type in any code you want.
- 'Ctrl-D' to go to SoftICE and set a breakpoint on hmemcpy ('bpx hmemcpy'). F5 to go back to the
- Crackme and press the OK-button.
- SoftICE pops up; disable the breakpoint ('bd 0') and press F11 ('go to') once and then F12
- ('return from the procedure call') until we reach the Stx_cm code (watch the line between
- the Code window and the Command window). You can go on by pressing F10 ('step over') or,
- faster, by using some more F12s to pass some obvious ret's until...
-
-
-
- ...we finally arrive here:
-
-
- :0043D9DE E89D2EFEFF call 00420880
- :0043D9E3 8B45F4 mov eax, dword ptr [ebp-0C]
- :0043D9E6 8D55FC lea edx, dword ptr [ebp-04]
- ---
-
- ---
- So if we trace the code we'll find part one here:
-
- :0043DA38 E8DF5FFCFF call 00403A1C
- :0043DA3D 83C040 add eax, 00000040
- :0043DA40 3BF0 cmp esi, eax
- :0043DA42 740A je 0043DA4E
-
- Add 40h to eax to get the real code and then compare it with the fake code (esi). Both are hex
- values, so to get the decimal values just type '? eax' and '? esi'. If we have entered a wrong
- code (which we accidentally could have done) we don't jump, but soon afterwards we go the bad way
- to the unregistered status ('jmp 0043DB10').
-
-
-
- :0043DA57 E8242EFEFF call 00420880
- :0043DA5C 8B45F4 mov eax, dword ptr [ebp-0C]
- :0043DA5F BA44DB4300 mov edx, 0043DB44
- :0043DA64 E8C360FCFF call 00403B2C
- :0043DA69 740A je 0043DA75
-
- This is part two. Our fake code is copied to eax and the real code is copied from 0043DB44 to edx.
- You can check this by typing 'd eax' and 'd edx' in SoftICE. If the codes are equal then jump and
- go on with the calculation routine; if not we will reach our bad jump soon ('jmp 0043DB10').
-
-
-
- :0043DA75 897DF0 mov dword ptr [ebp-10], edi
- :0043DA78 DB45F0 fild dword ptr [ebp-10]
- :0043DA7B D8354CDB4300 fdiv dword ptr [0043DB4C]
- :0043DA81 D81D50DB4300 fcomp dword ptr [0043DB50]
- :0043DA87 DFE0 fstsw ax
- :0043DA89 9E sahf
- :0043DA8A 7407 je 0043DA93
-
- Ahh, part three is probably not so easy to understand, and explaining it could be a little chapter
- by itself. So here are just some short descriptions of these FPU mnemonics:
- fild - load integer; fdiv - divide; fcomp - compare real; fstsw - store status word.
- The results of this calculation: after passing 0043DA75 look at your register window and you will
- see something like 'SS:0067F3E4=000000XX' where SS is the Stack Segment and XX is the hex value of
- the code you entered ('? XX').
- After passing the fdiv instruction another look at the register window shows us
- 'DS:0043DB50=42F60000' where DS is the Data Segment and F6 is our real code as a hex value.
- The sahf instruction copies the floating point status register flags into the 80x86's
- flag register. What does this mean for us here? If we entered a wrong code the Zero flag is not
- set and we don't jump at location 0043DA8A, which is bad because we'll see our old friend
- 'jmp 0043DB10' then. So the Zero flag must be set to go on with the code calculation.
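- To make the fild/fdiv/fcomp/fstsw/sahf chain of part three easier to follow, here is a small
- model of it in Python. This is an added example, not code from tC's Crackme or from the tutorial.
- The dword 42F60000 is the value the register window showed above; decoded as an IEEE 754 single
- it is 123.0, which is what fcomp really compares against. The divisor at 0043DB4C is not shown
- on the page, so the value used for it here is an assumed placeholder. The condition-code to
- EFLAGS mapping (C3 -> ZF, C2 -> PF, C0 -> CF) is the documented behaviour of fstsw ax; sahf.

```python
import math
import struct

# Compare constant read from the SoftICE register window in the tutorial ('DS:0043DB50=42F60000').
CMP_DWORD = 0x42F60000

# The divisor at 0043DB4C is not on the page: this is an ASSUMED placeholder (1.0 as a single).
ASSUMED_DIVISOR_DWORD = 0x3F800000


def dword_to_single(dword):
    """Reinterpret a 32-bit value as an IEEE 754 single, as 'fdiv/fcomp dword ptr [...]' do."""
    return struct.unpack('<f', struct.pack('<I', dword & 0xFFFFFFFF))[0]


def fcomp_status_word(st0, src):
    """Return the FPU status word condition bits (C0, C2, C3) that fcomp sets for ST(0) vs src."""
    C0, C2, C3 = 1 << 8, 1 << 10, 1 << 14
    if math.isnan(st0) or math.isnan(src):
        return C0 | C2 | C3          # unordered: all three bits set
    if st0 < src:
        return C0                    # ST(0) < src
    if st0 == src:
        return C3                    # ST(0) == src  -> this becomes the Zero flag
    return 0                         # ST(0) > src


def sahf_flags(fsw):
    """'fstsw ax' puts FSW bits 8..15 into AH; 'sahf' loads AH into EFLAGS (ZF=bit6, PF=bit2, CF=bit0)."""
    ah = (fsw >> 8) & 0xFF
    return {'CF': ah & 1, 'PF': (ah >> 2) & 1, 'ZF': (ah >> 6) & 1}


def part_three_passes(entered, divisor_dword=ASSUMED_DIVISOR_DWORD, cmp_dword=CMP_DWORD):
    """Model of 0043DA75..0043DA8A: the 'je 0043DA93' is taken only if ZF is set after sahf."""
    st0 = float(int(entered))                          # fild dword ptr [ebp-10]
    st0 = st0 / dword_to_single(divisor_dword)         # fdiv dword ptr [0043DB4C]
    fsw = fcomp_status_word(st0, dword_to_single(cmp_dword))  # fcomp dword ptr [0043DB50]
    return sahf_flags(fsw)['ZF'] == 1                  # fstsw ax; sahf; je


if __name__ == '__main__':
    print('0043DB50 holds', dword_to_single(CMP_DWORD))
    for code in (122, 123, 124):
        print(code, 'passes' if part_three_passes(code) else 'fails (jmp 0043DB10)')
```

- With the assumed divisor of 1.0 only 123 sets ZF; with the real divisor from 0043DB4C the entered
- integer must equal 123.0 times that divisor, which is exactly what you can check in SoftICE by
- dumping the two dwords ('dd 0043DB4C') and decoding them the same way.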
-
-
-
- :0043DA9E E8ED9AFCFF call 00407590
- :0043DAA3 8B45EC mov eax, dword ptr [ebp-14]
- :0043DAA6 BA5CDB4300 mov edx, 0043DB5C
- :0043DAAB E87C60FCFF call 00403B2C
- :0043DAB0 7407 je 0043DAB9
-
- Part four: Our fake code is copied to eax and the real code is copied to edx, both as hex values.
- At location 0043DAAB we find the 'comparison call' for these two values. Equal? Yes, then jump and
- go on. Remember that you have to enter the decimal value as your unlock-code.
-
-
-
- :0043DAC2 E8B92DFEFF call 00420880
- :0043DAC7 8B45F4 mov eax, dword ptr [ebp-0C]
- :0043DACA BA68DB4300 mov edx, 0043DB68
- :0043DACF E85860FCFF call 00403B2C
- :0043DAD4 7407 je 0043DADD
-
- Part five works the same way as part two. Our fake code is copied to eax and the real code is
- copied from 0043DB68 to edx. You can check this by typing 'd eax' and 'd edx' in SoftICE. If the
- codes are equal then jump and go on with the calculation routine; if not we will reach our bad
- jump soon ('jmp 0043DB10').
-
-
-
- :0043DAE6 E8952DFEFF call 00420880
- :0043DAEB 8B45F4 mov eax, dword ptr [ebp-0C]
- :0043DAEE BA78DB4300 mov edx, 0043DB78
- :0043DAF3 E83460FCFF call 00403B2C
- :0043DAF8 7407 je 0043DB01
- :0043DAFA E885FEFFFF call 0043D984
- :0043DAFF EB0F jmp 0043DB10
-
- Again! Fake code to eax, real code to edx. Jump if good, or go to the bad jump if you entered a
- wrong code. This was the final comparison, and if you typed in all six parts correctly you will
- finally reach the 'registered status'.
-
-
- If you look back to our entry point at location 0043D9E3, trace the code and watch the registers;
- you will then see that some of the real codes are getting 'prepared' there for the following
- comparisons.
- I haven't shown the real code here by numbers and chars because I think you can easily find it out
- by yourself now.
-
-
- Done!
-
-
- Greetings to all those helpful guys at the forums.
-
-
- Good luck!
-
-
- cheers tnwo_
-