So, we start the program, thinking it's a normal username/serial protection. "Ah, it looks just like the two previous crackmes - just open the menu and then choose Reg...what? It isn't there???" Nope, it isn't... so, how do you think it's protected? The first guess would be a keyfile, so start up Filemon and restart the proggie...
Crackme Open D:\CRACKME3\CRACKME3.KEY NOTFOUND ...
Very well, doesn't this look interesting??? Now we know the name of the missing file, so let's create a bogus file called CRACKME3.KEY. Are you done? Then run the program again, but this time do a bpx createfilea first... this way, SoftICE will break whenever a file is opened.
SoftICE breaks. Ignore it (it breaks because the program file itself is being opened by the OS). SoftICE breaks again. Ah, now the interesting part begins! Press F11 (I don't need to explain why again, do I? Check out Icedragon's tutorial on SoftICE if you're stuck) and you'll see this:
:00401032 83F8FF          cmp eax, FFFFFFFF                 ;Does the file exist?
:00401035 750C            jne 00401043                      ;If it does, take the jump
...
:00401043 A3F5204000      mov dword ptr [004020F5], eax     ;Save the handle of the file
:00401048 B812000000      mov eax, 00000012                 ;Number of bytes to read
:0040104D BB08204000      mov ebx, 00402008                 ;Read to this address (i.e. a buffer)
:00401052 6A00            push 00000000                     ;Start pushing the parameters for the API function
:00401054 68A0214000      push 004021A0
:00401059 50              push eax
:0040105A 53              push ebx
:0040105B FF35F5204000    push dword ptr [004020F5]
:00401061 E830040000      Call KERNEL32.ReadFile, Ord:0000h ;Read 18 bytes (12 hex) from the file called CRACKME3.KEY
:00401066 833DA021400012  cmp dword ptr [004021A0], 00000012 ;Did we read 18 bytes?
:0040106D 75C8            jne 00401037                      ;If not, take the jump (and we'll go to the "bad" place)
So, now we know that it reads 18 bytes from the file. So let's modify the file so it is 18 bytes long, and run it again. This time we won't take the jump (if you don't know why, please go back to Quake!). Start tracing and you'll soon see the simple decryption routine:
:00401311 33C9            xor ecx, ecx
:00401313 33C0            xor eax, eax
:00401315 8B742404        mov esi, dword ptr [esp+04]
:00401319 B341            mov bl, 41                        ;Move the value 41h into bl
:0040131B 8A06            mov al, byte ptr [esi]            ;Move a byte of the keyfile contents into al
:0040131D 32C3            xor al, bl                        ;XOR them
:0040131F 8806            mov byte ptr [esi], al            ;Save the result
:00401321 46              inc esi                           ;Increase esi
:00401322 FEC3            inc bl                            ;Increase bl
:00401324 0105F9204000    add dword ptr [004020F9], eax     ;Add eax to the value at this location (a simple checksum)
:0040132A 3C00            cmp al, 00                        ;Are we finished decrypting the string?
:0040132C 7407            je 00401335                       ;Yes, let's take the jump
:0040132E FEC1            inc cl                            ;Increase cl
:00401330 80FB4F          cmp bl, 4F                        ;Have we decrypted 14 chars (4F-41 = 0E = 14)?
:00401333 75E6            jne 0040131B                      ;If not, continue
:00401335 890D49214000    mov dword ptr [00402149], ecx     ;Number of bytes decrypted
Well, I think the comments pretty much speak for themselves. Go on with the tracing... You'll soon find that the sum of all decrypted bytes (check out line :00401324 in the code snippet above) is XOR'ed with the value 12345678. OK, continue tracing until you see this:
:0040133C 8B742404        mov esi, dword ptr [esp+04]
:00401340 83C60E          add esi, 0000000E
:00401343 8B06            mov eax, dword ptr [esi]
So, we take the last four bytes of the file contents (those haven't been decrypted, since at most 14 bytes are) and save them in eax. Now we're almost done (you can feel that, can't you?). The next piece of interesting code is this one:
:00401093 3B05F9204000    cmp eax, dword ptr [004020F9]     ;Compare the last 4 bytes of the file with the checksum
:00401099 0F94C0          sete al                           ;al = 1 if they are equal, 0 otherwise
:0040109C 50              push eax                          ;Save the result
:0040109D 84C0            test al, al
:0040109F 7496            je 00401037                       ;al = 0? Off to the "bad" place
First we compare the checksum with eax (and you know what's in eax now, don't you?). If they are equal, al will be 1, otherwise it will be 0.
As usual:
1 = Registered (Cracked in this case)
0 = UnRegistered (Uncracked)
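To make the whole check easy to step through without SoftICE, here is an added example (my own Python model, not code from the crackme or from Cruehead) that mirrors the listings above: the 18-byte size test at :00401066, the XOR loop from :0040131B with bl starting at 41h, the running byte sum at [004020F9], the XOR with 12345678h, and the final compare against the undecrypted last four bytes at :00401093. It assumes the sum at [004020F9] starts at zero (the page does not show its initialisation) and that the stored four bytes are read as a little-endian dword, which is what mov eax, [esi] does on x86. The bogus key file in the demo is constructed, not taken from the page.

```python
# Added example (not the crackme's own code): a Python model of the CRACKME3.KEY
# check as the tutorial describes it.
KEY_LEN = 0x12             # ReadFile asks for 18 bytes and the count read is checked
NAME_AREA = 0x4F - 0x41    # the loop stops once bl reaches 4Fh: at most 14 bytes decrypted
XOR_SEED = 0x41            # initial value of bl
CHECK_MAGIC = 0x12345678   # the byte sum is XOR'ed with this before the compare


def decrypt_name(raw: bytes) -> tuple[bytes, int, int]:
    """Mirror of the loop at 0040131B..00401333.

    Returns (decrypted name, number of bytes decrypted [cl], sum of decrypted bytes).
    Assumption: the running sum at [004020F9] starts at zero.
    """
    buf = bytearray(raw[:KEY_LEN])
    key = XOR_SEED      # bl
    count = 0           # cl
    checksum = 0        # dword [004020F9]
    for i in range(NAME_AREA):
        buf[i] ^= key                                   # xor al, bl / mov [esi], al
        key = (key + 1) & 0xFF                          # inc bl
        checksum = (checksum + buf[i]) & 0xFFFFFFFF     # add [004020F9], eax (eax == al here)
        if buf[i] == 0:                                 # cmp al, 00 / je 00401335
            break
        count += 1                                      # inc cl
    return bytes(buf[:count]), count, checksum


def validate_keyfile(raw: bytes) -> bool:
    """Mirror of the complete check: size test at 00401066, decrypt, XOR with
    12345678h, then compare with the last four (undecrypted) bytes at 00401093."""
    if len(raw) < KEY_LEN:                              # cmp [004021A0], 12h / jne -> "bad" place
        return False
    _, _, checksum = decrypt_name(raw)
    stored = int.from_bytes(raw[0x0E:0x0E + 4], "little")  # add esi, 0Eh / mov eax, [esi]
    return stored == (checksum ^ CHECK_MAGIC)           # cmp eax, [004020F9] / sete al


if __name__ == "__main__":
    # Constructed sample: the bogus 18-byte file the tutorial has you create, here
    # filled with 'A' (41h). The first byte decrypts to 0 (41h ^ 41h), so the loop
    # stops at once with cl = 0 and an empty name.
    bogus = b"A" * KEY_LEN
    name, count, checksum = decrypt_name(bogus)
    print(f"decrypted name={name!r} count={count} sum={checksum:#x}")
    print("registered" if validate_keyfile(bogus) else "unregistered")
    print("17-byte file accepted?", validate_keyfile(b"A" * 17))
```

Running it with the bogus file lands in the "unregistered" branch, exactly where the tracing above takes you; the decryption only affects the first 14 bytes, which is why bytes 14..17 can be compared as they are on disk.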
That's it... Now go ahead and try to figure out how to create a valid keyfile. If you fail, take a look at my solution. Good luck!
/Cruehead (Cruehead_@hotmail.com)
Copyright © MiB 1998. All rights reversed.