Tutorial Number 18

Written by: Eternal Bliss
Email: Eternal_Bliss@hotmail.com
Website: http://crackmes.cjb.net
         http://surf.to/crackmes
Date written: 2nd Apr 1999

Program Details:
Name: Hellforge CrackMe II
Author: LaZaRuS

Tools Used: W32Dasm
            SoftIce

Cracking Method: Code sniffing
                 Routine analysis

Viewing Method: Use Notepad with Word Wrap switched on
                Screen Area set to 800 X 600 pixels (Optional)

__________________________________________________________________________

About this protection system

Protection is based on a serial which is calculated from the Name you enter.
The name you entered must be more than 4 characters.

__________________________________________________________________________

The Essay

In this essay, when I write type "d edx" or similar commands in Softice, I mean it without the quotes.

_________________________________________________________________________

W32Dasm

Disassemble the crackme using W32Dasm.
Open the String Data Reference.
**That is the second-to-last icon on the toolbar, next to the printer icon.

Scroll through the strings found. I can't understand most of them except for a few.
On the last 3 lines, you will see:
"Wrong Code"
"Y"
"You did it"

Double click on "You did it" and see where the string is used.
You will be brought to somewhere below:

:00426970 8B55FC                  mov edx, dword ptr [ebp-04]
:00426973 58                      pop eax
:00426974 E8FBCAFDFF              call 00403474
:00426979 7518                    jne 00426993
:0042697B 6A00                    push 00000000

* Possible StringData Ref from Code Obj ->"Congratulations"
                                  |
:0042697D B9F0694200              mov ecx, 004269F0

* Possible StringData Ref from Code Obj ->"You did it"    <-- Here is the string
                                  |
:00426982 BA006A4200              mov edx, 00426A00
:00426987 A124864200              mov eax, dword ptr [00428624]
:0042698C E877B2FFFF              call 00421C08
:00426991 EB16                    jmp 004269A9

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00426979(C)
|
:00426993 6A00                    push 00000000

* Possible StringData Ref from Code Obj ->"Sorry"
                                  |
:00426995 B9DC694200              mov ecx, 004269DC

* Possible StringData Ref from Code Obj ->"Wrong Code"
                                  |
:0042699A BAE4694200              mov edx, 004269E4

Look at the code at :00426974 and :00426979. You will see that there is a call followed by a conditional jump. A favourite patching point for crackers.

Look at where the jump will bring you to...
jne 00426993 means jump to :00426993 if not equal, and :00426993 is going to show you the "Wrong Code" message.

So, newbie crackers can just patch the conditional jump at :00426979 (jne 00426993) to one of the following:
1) 7518 jne 00426993 to 7418 je 00426993 (will jump if you enter the correct serial)
2) 7518 jne 00426993 to 9090 NOP NOP (will not jump regardless of what you enter)

By using one of the patches, you can "Register" the crackme with whatever serial you want.

_________________________________________________________________________

Softice

But wait... Why be a total newbie when you can improve?

Now, looking at the code:

:00426970 8B55FC                  mov edx, dword ptr [ebp-04]
:00426973 58                      pop eax
:00426974 E8FBCAFDFF              call 00403474
:00426979 7518                    jne 00426993
:0042697B 6A00                    push 00000000

Since we know that this call will compare the correct serial with the serial we entered, we should be able to see what the correct serial is. (Or I won't be writing this tutorial!)
Run the crackme, and set a general breakpoint to break into the crackme first. I used hmemcpy. So, type "bpx hmemcpy".

Type in "Eternal Bliss" for the name and "123456" for the serial.

After you break, press F12 a few times until you come to the crackme's code.
**HF CRACKME S1!... will be seen below the code window.

You do this about 7 times, then when you come to the crackme's code, you will see a few instructions, then a ret. This happens a few more times. This code is useless for us. So, F12 5 more times.
**ret is to return to the code that called this part of the code.
**So, about 12 presses of F12 in total (7 and then 5 more) will do nicely.

Disable the hmemcpy breakpoint. Then, trace a bit using F10 until you come across this.
**F10 is to trace the code without going into calls.

I have commented on the important parts and deleted the unimportant parts to save space.

:0042689C E86FEDFDFF              call 00405610
:004268A1 83F804                  cmp eax, 00000004
:004268A4 7D1B                    jge 004268C1
**See this cmp eax with 00000004? eax contains the length of your username.
**So, if it is longer than 4 char, you will jump and continue; else you will go below to get the "Wrong Code" message.

:004268A6 6A00                    push 00000000

* Possible StringData Ref from Code Obj ->"Sorry"
                                  |
:004268A8 B9DC694200              mov ecx, 004269DC

* Possible StringData Ref from Code Obj ->"Wrong Code"
                                  |
:004268AD BAE4694200              mov edx, 004269E4
:004268B2 A124864200              mov eax, dword ptr [00428624]
:004268B7 E84CB3FFFF              call 00421C08
:004268BC E9E8000000              jmp 004269A9

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004268A4(C)
|
**You will land here if you enter more than 4 char in your name.
:004268C1 8D55FC                  lea edx, dword ptr [ebp-04]
:004268C4 8B83B0010000            mov eax, dword ptr [ebx+000001B0]
:004268CA E881B3FEFF              call 00411C50
:004268CF 8B45FC                  mov eax, dword ptr [ebp-04]
**eax will contain your name -> "Eternal Bliss"
:004268D2 0FB600                  movzx eax, byte ptr [eax]
**move the first char into eax -> eax=00000045 ("E")
:004268D5 8BF0                    mov esi, eax
**move it to esi -> esi=00000045
:004268D7 C1E602                  shl esi, 02
**shl the value by 02 -> esi=00000114
:004268DA 8D3476                  lea esi, dword ptr [esi+2*esi]
**value of esi will be (114 + 114*2) which is 33C
**Note, these values are in HEX
:
:__________Snip___________
:
:004268EB 8B45F8                  mov eax, dword ptr [ebp-08]
:004268EE 0FB64001                movzx eax, byte ptr [eax+01]
**move the 2nd char into eax -> eax=00000074 ("t")
:004268F2 8D0480                  lea eax, dword ptr [eax+4*eax]
**eax will be (74 + 74*4) = 244 (HEX)
:004268F5 8D0480                  lea eax, dword ptr [eax+4*eax]
**eax will be (244 + 244*4) = B54
:004268F8 03F0                    add esi, eax
**Add B54 (eax's value) to 33C (esi's value) and esi = E90
:
:__________Snip___________
:
:0042690B 0FB64002                movzx eax, byte ptr [eax+02]
**move the 3rd char into eax -> eax=00000065 ("e")
:0042690F 03C0                    add eax, eax
**eax = (65 + 65) = CA
:00426911 03F0                    add esi, eax
**Add CA (eax's value) to E90 (esi's value) and esi = F5A
:
:__________Snip___________
:
:00426924 0FB64003                movzx eax, byte ptr [eax+03]
**move the 4th char into eax -> eax=00000072 ("r")
:00426928 6BC00B                  imul eax, 0000000B
**Multiply 72 by B and eax = 4E6
:0042692B 03F0                    add esi, eax
**Add 4E6 (eax's value) to F5A (esi's value) and esi = 1440
:
:__________Snip___________
:
:00426938 E8D3ECFDFF              call 00405610
**this call gets the length of your name = D (13 characters for "Eternal Bliss")
**this value is in eax
:0042693D 8B1590864200            mov edx, dword ptr [00428690]
**value of edx here is 1440
:00426943 0FAF1590864200          imul edx, dword ptr [00428690]
**multiply 1440 by 1440.
**edx = 19A1000
:0042694A F7EA                    imul edx
**multiply the value of eax (D) by the value of edx (19A1000)
**eax will contain the result, which is 14D2D000
**type "? eax" and the command window shows the decimal value of 14D2D000: you will see 349360128
:0042694C A390864200              mov dword ptr [00428690], eax
**move this value to location 00428690
:
:__________Snip___________
:
**You have seen the below before. Remember the compare and the jump??
:00426970 8B55FC                  mov edx, dword ptr [ebp-04]
:00426973 58                      pop eax
:00426974 E8FBCAFDFF              call 00403474
:00426979 7518                    jne 00426993
:0042697B 6A00                    push 00000000

Ok. After tracing through that lot, F10 to :00426974. Stop there.

At :00426970, something is moved into edx. See what it is by typing "d edx". You will see the serial you entered in the data window.

At :00426973, something is popped into eax. Type "d eax" to see what the value is. You will see 349360128 in the data window.

Then... it is followed by the compare...

So, edx contains the serial we typed. What would eax be then?? It's the correct serial, of course!!

Then exit Softice using F5. Key in 349360128 for the serial. You will get the "You did it" message.

CrackMe Cracked!!

__________________________________________________________________________

Final Notes

This tutorial is dedicated to all the newbies like me.
And because I'm a newbie myself, I may have explained certain things wrongly. So, if that is the case, please forgive me.
Email me if there is anything you are not clear about.

My thanks and gratitude goes to:-
The Sandman
All the writers of cracking tutorials and CrackMes
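As an added example (not part of the original tutorial and not the crackme's own code), here is a Python model of the serial routine traced above, reconstructed from the visible instructions and the register values the trace reports. It lets you replay the arithmetic on any name and confirm that the chain of intermediate values (114, 33C, 244, B54, E90, CA, F5A, 4E6, 1440, 19A1000, 14D2D000) and the final 349360128 for "Eternal Bliss" are consistent. The assumptions are mine: the snipped regions do not alter esi (the reported values chain consistently across them), [00428690] holds the 1440 left in esi, and only the low 32 bits of the one-operand imul (eax) are kept. The function names are hypothetical.

```python
"""
Added example, not the crackme's code: a Python model of the serial routine
from the SoftIce trace in the tutorial.

Assumptions (mine, not stated on the page):
  * the snipped regions leave esi unchanged,
  * [00428690] holds the value the first-four-character arithmetic left in esi,
  * the final one-operand imul keeps only its low 32 bits (eax).
"""

MASK32 = 0xFFFFFFFF  # registers are 32-bit; keep every result in that range


def run_routine(name: str):
    """Replay :004268D2 .. :0042694A on `name`.

    Returns (serial, steps): the 32-bit value left in eax, plus the
    intermediate values as upper-case hex strings in the order the
    tutorial lists them.
    """
    if len(name) < 4:
        # :004268A1 cmp eax,4 / jge: shorter names never reach this code
        raise ValueError("name must be at least 4 characters")
    c0, c1, c2, c3 = (ord(ch) for ch in name[:4])
    steps = []

    esi = (c0 << 2) & MASK32              # shl esi, 02
    steps.append(esi)
    esi = (esi + 2 * esi) & MASK32        # lea esi, [esi+2*esi]  (esi * 3)
    steps.append(esi)

    eax = (c1 + 4 * c1) & MASK32          # lea eax, [eax+4*eax]  (eax * 5)
    steps.append(eax)
    eax = (eax + 4 * eax) & MASK32        # lea eax, [eax+4*eax]  (again)
    steps.append(eax)
    esi = (esi + eax) & MASK32            # add esi, eax
    steps.append(esi)

    eax = (c2 + c2) & MASK32              # add eax, eax
    steps.append(eax)
    esi = (esi + eax) & MASK32            # add esi, eax
    steps.append(esi)

    eax = (c3 * 0xB) & MASK32             # imul eax, 0Bh
    steps.append(eax)
    esi = (esi + eax) & MASK32            # add esi, eax   -> assumed [00428690]
    steps.append(esi)

    edx = (esi * esi) & MASK32            # imul edx, dword ptr [00428690]
    steps.append(edx)
    eax = (len(name) * edx) & MASK32      # imul edx: eax = low dword of len*edx
    steps.append(eax)

    return eax, [f"{v:X}" for v in steps]


def serial_for(name: str) -> int:
    """The decimal serial the crackme expects for `name`."""
    return run_routine(name)[0]


def check_serial(name: str, entered: str) -> bool:
    """Mirror of the decision at :00426974/:00426979: the program computes the
    expected serial itself and compares its decimal string with the input."""
    return entered == str(serial_for(name))


if __name__ == "__main__":
    # Sample input from the tutorial (constructed run, no program needed)
    serial, steps = run_routine("Eternal Bliss")
    print("intermediate values:", " ".join(steps))
    print("serial:", serial)          # 349360128, as seen with "? eax"
    print("accepts 123456?", check_serial("Eternal Bliss", "123456"))
```

The model makes the design weakness visible: the program derives the expected serial from the name with a few additions and multiplications and then compares it, in the clear, with whatever was typed, so the correct value is sitting in a register at the compare and the whole scheme is reproducible from a short trace. A check that only verifies a signature with a public key never has the secret in memory at the comparison, which is why that is the usual recommendation over name-derived serials.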