KeyGen Studio 2002

home *** CD-ROM | disk | FTP | other *** search

/ KeyGen Studio 2002 / KeyGen_Studio_2002.iso / Tutorials / Code Inside / Ben_tut20.txt < prev next >

Wrap

Text File | 2001-09-21 | 17.3 KB | 350 lines

--Softice Tutorial--- Written by Shany Email: shanytc@yahoo.com Date written: 12.5.2001 Program Details: Name: Acid_Burn CrackerWorld CrackMe #2 Author: BenGALY Tools Used: Softice Hview Level: easy [x] medium [ ] hard [ ] ok.. another CrackMe on the hands..this time Triple Protections: 1.nag 2.serial 3.serial/name ok..first let's deal with the nag. [v] 1. -----NAG------ When we openning the crackme there is a little MessageBoxA appears, A Nag as we say in cracking tearms. "Hello you have to kill me!" <= this is what the nag say. ok..let's kill him ;D To do this the easiest way to kick the nag is bpx bfore the nag is appeared, That way we can see which call called this nag and kick the instruction ;D so Open Soft-Ice..set a sweet bpx on api "MessageBoxA" : bpx MessageBoxA 'press Enter' breakpint is set..now exit sIce (x/f5/ctrl+d). Click the crackme2.exe..Sice poped up now Press F12 or F11, that will take, Us to the caller of the nag (messageboxa api). we will be out of Ice automatically anf u will see the nag screen appear. Press OK button and Sice will pop up again. u will see this: EAX=00000001 EBX=00C42EAC ECX=80007638 EDX=80007390<FONT ESI=0042F7BC EDI=0042F7A0 EBP=0071FCB8 ESP=0071FC94 EIP=0042A1AE o d I Sz a p c CS=0177 DS=017F SS=017F ES=017F FS=33CF GS=0000 SS:0071FCB4=01C435F0 -------------------------------------------------------------------------PROT32- 0177:0042A1A9 CALL USER32!MessageBoxA <= Write that Adress (0042A1A9) call of nagScreen. 0177:0042A1AE MOV [EBP-04],EAX ; eax move to ebp-04 0177:0042A1B1 XOR EAX,EAX ; eax = 0 0177:0042A1B3 POP EDX ; load edx 0177:0042A1B4 POP ECX ; load ecx 0177:0042A1B5 POP ECX ; load ecx again 0177:0042A1B6 MOV FS:[EAX],EDX ; edx move to eax locatino 0177:0042A1B9 PUSH 0042A1D7 ; click OK ? 0177:0042A1BE MOV EAX,[EBP-0C] ; ebp-0c move to eax 0177:0042A1C1 CALL 00424250 ; call to program? -------------------------------------------------------------------------------- WINICE: Load32 Obj=0002 Add=017F:7D652000 Len=00001000 Mod=INDICDLL WINICE: Load32 Obj=0003 Add=017F:7D653000 Len=00001000 Mod=INDICDLL WINICE: Load32 Obj=0004 Add=017F:7D654000 Len=00001000 Mod=INDICDLL WINICE: Load32 Obj=0005 Add=017F:7D655000 Len=00001000 Mod=INDICDLL Break due to BPX USER32!MessageBoxA (ET=1.48 seconds) so..we have found the switch that calls our little NagScreen: 0042A1A9 (in hex) so what we goona do is to goo to hex editor and loop for : 0042A1A9. ----Patching-Nag-Screen---: Open Hview..load the crackme. press F4..select DECODE mode..press F5 enter the adress .0042A1A9 (with .)..we will be here: ....snip...snip... .0042A1A9 E8FAB5FDFF CALL 00405718 <= this is what need to patch .....snip snip.... lets devide this to bytes: E8FAB5FDFF -> E8 FA B5 FD FF (5 bytes) 1 2 3 4 5 now alittle Nop (90) instruction could help us kick the MessageBoxA beacouse it's a byte long we will need to put 90 on any instruction like this now press F3 in Hview and do this: E8FAB5FDFF to 9090909090 F9 to save the file, F10 to exit...run the program..NO MORE NAG SCREEN ;D ------------------------Nag Screen Kicked----------------------- Ok now that the nag screen is kicked, we can continue with our crackme. [v] 2. ---------------SERIAL------------------ open the crackme..there are to options..1.serial 2.serial/name Chose Serial only button. ok enter a fake serial. serial: 1234567890 but before press "check it baby" let's open Sice and set a bpx on HMEMCPY. now i will teach u a little trick i found.. mostly 90% of hmemcpy serial/name protections breakpoints i can press f12 with only see the code and even not understand it, most of times u will only press F12 (12 times). in our cases it 12 f12 aswell. here: bpx hmemcpy f5 "check it baby"' we will land here: (after pressed "check it baby") first breakPoint (without pressing f12 yet): -----KERNEL!LOGERROR+0123------------------------------------------------PROT16- 0157:9EA3 RETF 0008 KERNEL!HMEMCPY 0157:9EA6 PUSH BP 0157:9EA7 MOV BP,SP 0157:9EA9 PUSH DS 0157:9EAA PUSH EDI 0157:9EAC PUSH ESI 0157:9EAE CLD 0157:9EAF MOV ECX,[BP+06] 0157:9EB3 JECXZ 9F2D ------------------------------------KERNEL(01)-<----dll..not the crack me code yet pressing 1 time f12 will bring us this: ........................................................... 177F:0CA6 CALL KERNEL!HMEMCPY 177F:0CAB PUSH WORD PTR [DI] 177F:0CAD CALL KERNEL!LOCALUNLOCK 177F:0CB2 MOV AX,SI 177F:0CB4 POP SI 177F:0CB5 POP DI 177F:0CB6 LEAVE 177F:0CB7 RET 000A 177F:0CBA ENTER 0006,00 177F:0CBE PUSH SI ────────────────────────────────────USER(0A)───────────────────────────────── nope still no effect. pressing 6 more times more will bring u the same result, only in diffrent dll. but, in the 7'th (f12) we will see this: EAX=0000000A EBX=0071F860 ECX=00000014 EDX=0041CD2D ESI=00C49440 EDI=0071F8A0 EBP=0071F870 ESP=0071F820 EIP=0042C4C2 o d I s z a P c CS=0177 DS=017F SS=017F ES=017F FS=316F GS=0000 ─────────────────────────────────────────────────────────────────────────PROT32─ 0177:0042C4BD CALL 0041CC8C 0177:0042C4C2 POP ESI ; not matter 0177:0042C4C3 POP EBX ; not matter 0177:0042C4C4 RET ; return 0177:0042C4C5 LEA EAX,[EAX+00] ; not matter 0177:0042C4C8 PUSH ESI ; not matter 0177:0042C4C9 MOV ESI,EAX ; not matter 0177:0042C4CB MOV EAX,ESI ; not matter 0177:0042C4CD MOV ECX,[EAX] ; not matter 0177:0042C4CF CALL [ECX-10] ; not matter ──────────────────────────────────────────────────────────────────────────────── Crackme2 <= we see the crackme name. well this is much better cuz we see the crackme code at last. ok here is is the trick..in knowing where the hell is the right place that the serial might generate..so in 90+% of casses if u wil press f12 (5 more time) from the 7th f12..u will surely be at the exact place the serial is. 12'th f12 pressed we land here: ─────────────────────────────────────────────────────────────────────────PROT32─ 0177:0042F4C5 CALL 0041AA58 ; call input TextA field 0177:0042F4CA MOV EAX,[EBP-10] ; ebp-10 move to eax 0177:0042F4CD MOV EDX,[EBP-0C] ; ebp-0c move to edx 0177:0042F4D0 CALL 004039FC ; call compare (trace into with f8) 0177:0042F4D5 JNZ 0042F4F1 ; bad serial??..jump to bad boy message 0177:0042F4D7 PUSH 00 ; call api? 0177:0042F4D9 MOV ECX,0042F564 ; cant reach here unless serial is correct ;D 0177:0042F4DE MOV EDX,0042F570 ; cant reach here unless serial is correct ;D 0177:0042F4E3 MOV EAX,[00430A48] ; cant reach here unless serial is correct ;D 0177:0042F4E8 MOV EAX,[EAX] ; cant reach here unless serial is correct ;D ──────────────────────────────────────────────────────────────────────────────── Crackme2 <= make sure u see this so..this is the main part of the crackme (serial) checking routine. so we see a little Call and a JMP after it..that's good becouse: 1.we can be suspicious that if there is a call and then a jmp so there might be a compare 2.or call algo..and then jump if not correct (serial) ok..we have a Call..trace into the Call with F8 (while tracer on that instruction). we are here: ................................................................................ 0177:004039F9 LEA EAX,[EAX+00] 0177:004039FC PUSH EBX ; Save EBX 0177:004039FD PUSH ESI ; Save ESI 0177:004039FE PUSH EDI ; Savr EDI 0177:004039FF MOV ESI,EAX ; Fake move to esi (eax/esi = fake serial) 0177:00403A01 MOV EDI,EDX ; real serial move to edi (edx/edi = serial) 0177:00403A03 CMP EAX,EDX ; Comapre EDX & EAX 0177:00403A05 JZ 00403A9A ; GOOD BOY ;d 0177:00403A0B TEST ESI,ESI ; ESI = 0? 0177:00403A0D JZ 00403A77 ; JUMP ──────────────────────────────────────────────────────────────────────────────── Wow you say, it's so easy u say..well it is ;D just do this folowing: At Adress: 004039FF :D EAX 017F:00C4A4D0 32 31 33 34 35 36 37 38-39 30 00 00 52 07 00 00 2134567890..R... ;fake no ;D 017F:00C4A4E0 80 87 C4 00 00 00 00 00-0F 00 00 80 00 00 00 00 ................ At Adress: 00403A03 :D EDX 017F:00C4A4B8 48 65 6C 6C 6F 20 44 75-64 65 21 00 1A 00 00 00 Hello Dude!..... ; good serial ;D 017F:00C4A4C8 01 00 00 00 0A 00 00 00-32 31 33 34 35 36 37 38 ........21345678 ; fake serial serial: Hello Dude! "GOD JUB DUDE" lol a spelling mistake.. hahaha u can see that this was a little compare to our serial no??..yeah ;D serial protection cracked. ------------------------First Serial Protection Cracked----------------------- onto the third serial/name protection ;D [v] 3. --------------Serial/Name Protection------------- ok..this method is also the same as described above..but we only need to break on the second textA field of our serial. do the folowing: name: bengaly serial: 1234567890 load Sice..bpx hmemcpy f5 click "check it baby" sIce breakes..now press F5 to read the SERIAL textA field. *remember what i have said erlier on hmemcpy..that if u will press F12 12 times it will 90+% take u to the right place of our serial comparation/calculation/generation. so it. did it?? if so we are here: ─────────────────────────────────────────────────────────────────────────PROT32─ 0177:0042F9E3 CALL 0041AA58 0177:0042F9E8 MOV EAX,[EBP-10] <= we land here 0177:0042F9EB MOVZX EAX,BYTE PTR [EAX] ; move 1 byte od 0177:0042F9EE MOV ESI,EAX ; eax move to esi 0177:0042F9F0 SHL ESI,03 ; shift left 03 om esi 0177:0042F9F3 SUB ESI,EAX ; esi-eax 0177:0042F9F5 LEA EDX,[EBP-14] ; move 0177:0042F9F8 MOV EAX,[EBX+000001DC] ; move 0177:0042F9FE CALL 0041AA58 ; call ?? 0177:0042FA03 MOV EAX,[EBP-14] ; move ──────────────────────────────────────────────────────────────────────────────── but..wait where is the call and the jmp ..what is going on here??? hahah didn't figure??..ok..so s i said, WE NEED TO LOOK FOR A CALL->ANY JMP where we land a call and a jump after it is not there, so therefore we need to trace with F10 alittle. first clear breakpoints BC* (So we wont jump to adresses). after a short tracing we are here: ─────────────────────────────────────────────────────────────────────────PROT32─ 0177:0042FA36 CALL 0041AA58 0177:0042FA3B MOV EAX,[EBP-14] 0177:0042FA3E MOVZX EAX,BYTE PTR [EAX+02] 0177:0042FA42 IMUL EAX,EAX,0E 0177:0042FA45 ADD ESI,EAX 0177:0042FA47 MOV [00431758],ESI 0177:0042FA4D MOV EAX,[0043176C] 0177:0042FA52 CALL 00406930 ; Call Compare routine -| trace into this call 0177:0042FA57 CMP EAX,04 | 0177:0042FA5A JGE 0042FA79 ; A jump <= -| never mind the jump ──────────────────────────────────────────────────────────────────────────────── after we traced the call with f8 u will see this: ─────────────────────────────────────────────────────────────────────────PROT32─ 0177:0040692E CMP AL,[EAX] 0177:00406930 MOV EDX,EDI <- we land here 0177:00406932 MOV EDI,EAX ; WHAT IS THIS?? 0177:00406934 MOV ECX,FFFFFFFF 0177:00406939 XOR AL,AL 0177:0040693B REPNZ SCASB 0177:0040693D MOV EAX,FFFFFFFE 0177:00406942 SUB EAX,ECX 0177:00406944 MOV EDI,EDX 0177:00406946 RET ──────────────────────────────────────────────────────────────────────────────── *Somtimes dont expect see a CMP instruction..that dont mean the serial isn't there ;D go over adress : 00406932 D EAX 017F:00C4A54C 07 00 00 00 62 65 6E 67-61 6C 79 00 16 00 00 00 ....bengaly..... 017F:00C4A55C 01 00 00 00 07 00 00 00-62 65 6E 67 61 6C 79 00 ........bengaly. ; name 017F:00C4A56C 0F 00 00 80 00 00 00 00-00 00 00 00 43 57 2D 38 ............CW-8 ; good serial 017F:00C4A57C 30 33 36 2D 43 52 41 43-4B 45 44 00 84 53 C4 00 036-CRACKED..S.. ; good serial 017F:00C4A58C 84 53 C4 00 38 00 00 00-31 32 33 34 35 36 37 38 .S..8...12345678 ;fake serial 017F:00C4A59C 39 30 30 00 A0 A5 C4 00-A0 A5 C4 00 20 00 00 00 900......... ... 017F:00C4A5AC 26 43 68 65 63 6B 20 69-74 20 42 61 62 79 20 21 &Check it Baby ! name: bengaly serial: CW-8036-CRACKED we will get "GOOD JUB DUDE!" ---------------------------------Serial/Name Cracked----------------------------- have fun ;D My thanks and gratitude goes to: ---ANALYST(ACiD-BUrN)--- ; for helping in cracking ----CODE_INSIDE----- ;for helping in cracking -----BLAcKgH0sT------ ;for being good friend :) -------FusS------ ;asm / keygenning helper All the writers of Cracks tutorials and CrackMes