Tutorial Number 22
Written by Eternal Bliss
Email: Eternal_Bliss@hotmail.com
Website: http://crackmes.cjb.net
http://surf.to/crackmes
Date written: 31st May 1999
Program Details:
Name: Crack Me! #1
Author: DaRkShAdOw
Language: Visual Basic 4
Tools Used:
Softice
Cracking Method:
Code Sniffing
Viewing Method:
Use Notepad with Word Wrap switched on
Screen Area set to 800 X 600 pixels (Optional)
__________________________________________________________________________
About this protection system
This CrackMe contains a hardcoded code that is 12 characters long. It does
not use the two common breakpoint functions (__vbaStrComp and __vbaVarTstEq)
to check the input.
_________________________________________________________________________
About the tutorial
For this tutorial, I'll only be using Softice. When I say "d eax", type it
without the quotes. Since this is a VB program, there is a lot of "rubbish"
code to wade through while tracing; I'll only be showing the relevant parts.
When you trace through it yourself, don't expect it to be that clear. 8P
_________________________________________________________________________
Softice
First, run the CrackMe. You will be told that the code is 12 characters long.
So, enter any 12 characters. I chose "123456789012".
Then, we have to choose the breakpoints to use. Because it is a VB program,
I tried __vbaStrComp and __vbaVarTstEq, the two most common breakpoints for
breaking into a VB program. But in this CrackMe, although __vbaStrComp does
break, that function is not the one used to compare the input. So there is
no point in trying them.
Well, we have to have a bp, right? Another possible bp is
MultiByteToWideChar. This function converts an ANSI string to a wide (Unicode)
string, in which every character is followed by a zero byte, so the string
shows up as s.t.r.i.n.g in the data window; VB calls it often as well. Not sure
why VB has to do this for a string, but maybe Microsoft wants a reason to make
big and bloated programs. 8P
Anyway, set the bp by typing "bpx multibytetowidechar"
If you don't click on any button, the bp will still break. But to get to
the location where the compare is done, we must click on the
"Go!, let's see if your code number is correct!!!" button.
You will break on the function. Press F12 to get out of it and back
to the code that called the function.
I've pasted a bit of the code below.
:0F738BC1 FF1500C27B0F CALL [KERNEL32!MultiByteToWideChar]
:0F738BC7 8BD8 MOV EBX,EAX <<you land here after F12
:0F738BC9 83FEFF CMP ESI,-01
:0F738BCC 7501 JNZ 0F738BCF
:0F738BCE 4B DEC EBX
:0F738BCF 53 PUSH EBX
:0F738BD0 6A00 PUSH 00
:0F738BD2 FF1518C97B0F CALL [OLEAUT32!SysAllocStringLen]
:0F738BD8 8BE8 MOV EBP,EAX
:0F738BDA 85ED TEST EBP,EBP
:0F738BDC 0F845B260100 JZ 0F74B23D
:0F738BE2 43 INC EBX
:0F738BE3 53 PUSH EBX
:0F738BE4 55 PUSH EBP
:0F738BE5 56 PUSH ESI
:0F738BE6 57 PUSH EDI
:0F738BE7 6A00 PUSH 00
:0F738BE9 6A00 PUSH 00
:0F738BEB FF1500C27B0F CALL [KERNEL32!MultiByteToWideChar]
:0F738BF1 8BC5 MOV EAX,EBP
:0F738BF3 5D POP EBP
After 0F738BF1, if you do a "d eax" to display the buffer the register points
to, you will see 1.2.3.4.5.6.7.8.9.0.1.2
So, we are right about the CrackMe changing 123456789012 to that.
We will now have to trace further... Like I said, there is a lot of
"rubbish" code floating around. So, be patient. Trace through the code
using F10. At a certain point, you will notice this piece of code...
:0F7A2CFF 6A00 PUSH 00
:0F7A2D01 E894F6F7FF CALL 0F72239A
:0F7A2D06 6683F800 CMP AX,00 <<interesting...
:0F7A2D0A B800000000 MOV EAX,00000000
:0F7A2D0F 0F94C0 SETZ AL
:0F7A2D12 F7D8 NEG EAX
:0F7A2D14 50 PUSH EAX
:0F7A2D15 0FB706 MOVZX EAX,WORD PTR [ESI]
:0F7A2D18 83C602 ADD ESI,02
:0F7A2D1B FF2445F4997B0F JMP [EAX*2+0F7B99F4]
There is a CALL at 0F7A2D01 followed by a "CMP AX,00" on the next line...
Let's presume that the call checks our input. So, at 0F7A2D01, press
F8 and trace into the call.
:0F72239A 66837C240400 CMP WORD PTR [ESP+04],00
:0F7223A0 B800000000 MOV EAX,00000000
:0F7223A5 0F85DBB20100 JNZ 0F73D686
:0F7223AB FF74240C PUSH DWORD PTR [ESP+0C]
:0F7223AF FF74240C PUSH DWORD PTR [ESP+0C]
:0F7223B3 50 PUSH EAX
:0F7223B4 E899FEFFFF CALL 0F722252 <<another call
:0F7223B9 C20C00 RET 000C
It looks like there is nothing there... Just a few pushes and a CALL.
But if you F10 past the CALL at 0F7223B4, EAX will be equal to FFFFFFFF,
and when this routine returns to the caller above, EAX will be compared to
00. Bad news... So, let's assume that the CALL at 0F7223B4 is what checks
our input. F8 into it.
:0F722252 83EC04 SUB ESP,04
:0F722255 53 PUSH EBX
:0F722256 56 PUSH ESI
:0F722257 57 PUSH EDI
:0F722258 BB00000000 MOV EBX,00000000
:0F72225D 8B7C241C MOV EDI,[ESP+1C] <<"d edi"
:0F722261 55 PUSH EBP
:0F722262 85FF TEST EDI,EDI
:0F722264 7403 JZ 0F722269
:0F722266 8B5FFC MOV EBX,[EDI-04]
:0F722269 8B74241C MOV ESI,[ESP+1C] <<"d esi"
:0F72226D 85F6 TEST ESI,ESI
:0F72226F 0F84FAAA0100 JZ 0F73CD6F
:0F722275 8B46FC MOV EAX,[ESI-04]
:0F722278 89442410 MOV [ESP+10],EAX
:0F72227C 8B6C2410 MOV EBP,[ESP+10]
:0F722280 3BEB CMP EBP,EBX
:0F722282 7202 JB 0F722286
:0F722284 8BEB MOV EBP,EBX
:0F722286 837C241800 CMP DWORD PTR [ESP+18],00
:0F72228B 0F8527AB0100 JNZ 0F73CDB8
:0F722291 85ED TEST EBP,EBP
:0F722293 0F85E3AA0100 JNZ 0F73CD7C (JUMP)
:0F73CD7C 8BC5 MOV EAX,EBP
:0F73CD7E D1E8 SHR EAX,1
:0F73CD80 50 PUSH EAX
:0F73CD81 56 PUSH ESI
:0F73CD82 57 PUSH EDI
:0F73CD83 E8C0E50500 CALL 0F79B348 <<CALL and then TEST!!!
:0F73CD88 85C0 TEST EAX,EAX
:0F73CD8A 0F851555FEFF JNZ 0F7222A5
If you do a "d edi" at 0F722258 and a "d esi" at 0F722269, you will see
"1.2.3.4.5.6.7.8.9.0.1.2" and "q.a.z.w.s.x.e.d.c.r.f.v" respectively...
Well, do you think "qazwsxedcrfv" is the correct code? It is 12 characters long. 8)
To see if we are right, look at line 0F73CD83: there is a CALL followed
by a TEST. That is a classic pattern that crackers must look out
for as well.
Let's trace into that too... So, F8 when you reach 0F73CD83.
:0F79B348 56 PUSH ESI
:0F79B349 57 PUSH EDI
:0F79B34A 8B7C2410 MOV EDI,[ESP+10]
:0F79B34E 8B74240C MOV ESI,[ESP+0C]
:0F79B352 8B4C2414 MOV ECX,[ESP+14]
:0F79B356 33C0 XOR EAX,EAX
:0F79B358 F366A7 REPZ CMPSW <<see this??
:0F79B35B 7405 JZ 0F79B362 (NO JUMP)
:0F79B35D 1BC0 SBB EAX,EAX
:0F79B35F 83D8FF SBB EAX,-01
:0F79B362 5F POP EDI
:0F79B363 5E POP ESI
:0F79B364 C20C00 RET 000C
There is the compare we have been looking for at 0F79B358...
and ECX=0000000C, which is the length to compare... C (hex) = 12 (dec).
And EDI and ESI contain our input and the correct code respectively.
Notice the conditional jump at 0F79B35B? If you enter the correct code,
you will jump past the two "SBB" lines, and EAX will be 00. 8)
CrackMe cracked!!
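As an added illustration (mine, not part of the original tutorial and not the VB runtime's own source), the C model below reproduces what the traced routines do: the ANSI-to-wide widening and the byte-length prefix behind the MultiByteToWideChar / SysAllocStringLen pair at the first breakpoint, the min-length and SHR EAX,1 logic of the wrapper at 0F722252, the REPZ CMPSW plus SBB idiom of the leaf at 0F79B348, and the CMP AX,00 / SETZ AL / NEG EAX that turns the result into a VB Boolean. The names make_bstr, cmpsw_like, runtime_strcomp and vb_code_matches are my own, and the length tie-break on the fall-through path the tutorial does not trace is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of a VB BSTR: the UTF-16LE characters, preceded by a 32-bit byte
   length (that prefix is what "MOV EBX,[EDI-04]" reads in the trace). */
typedef uint16_t *BSTR;

/* Widen ASCII to UTF-16LE and wrap it as a BSTR, roughly the
   MultiByteToWideChar + SysAllocStringLen pair seen at 0F738BC1..0F738BEB.
   Every byte becomes a 16-bit unit with a zero high byte, so "123" is laid
   out as 31 00 32 00 33 00: the "1.2.3" that "d eax" shows in SoftICE. */
static BSTR make_bstr(const char *ascii)
{
    size_t n = strlen(ascii);
    uint32_t *block = malloc(sizeof(uint32_t) + (n + 1) * sizeof(uint16_t));
    if (!block)
        return NULL;
    block[0] = (uint32_t)(n * 2);                 /* byte length, not character count */
    uint16_t *wide = (uint16_t *)(block + 1);
    for (size_t i = 0; i < n; i++)
        wide[i] = (unsigned char)ascii[i];
    wide[n] = 0;
    return wide;
}

static void free_bstr(BSTR s)
{
    if (s)
        free((uint32_t *)s - 1);
}

static uint32_t bstr_bytelen(BSTR s)
{
    return s ? *((uint32_t *)s - 1) : 0;          /* the [ptr-04] read */
}

/* The leaf at 0F79B348: REPZ CMPSW over `count` units, then
   JZ / SBB EAX,EAX / SBB EAX,-1. Result: 0 when every unit matches, -1 when
   the first differing unit of a is below b's (CF set), +1 otherwise. With
   count == 0 nothing is compared and the XOR EAX,EAX leaves ZF set, so 0. */
static int cmpsw_like(const uint16_t *a, const uint16_t *b, size_t count)
{
    for (size_t i = 0; i < count; i++)
        if (a[i] != b[i])
            return a[i] < b[i] ? -1 : 1;
    return 0;
}

/* The wrapper at 0F722252: read both byte lengths, keep the smaller one
   (CMP EBP,EBX / JB), skip the compare when it is zero (TEST EBP,EBP),
   halve it to a unit count (SHR EAX,1) and call the CMPSW routine.
   ASSUMPTION: the fall-through after "TEST EAX,EAX / JNZ", which the
   tutorial does not trace, is modelled here as a tie-break on the lengths. */
static int runtime_strcomp(BSTR input, BSTR expected)
{
    uint32_t len_in = bstr_bytelen(input);
    uint32_t len_ex = bstr_bytelen(expected);
    uint32_t n = len_in < len_ex ? len_in : len_ex;
    int r = 0;
    if (n)
        r = cmpsw_like(input, expected, n >> 1);
    if (r == 0 && len_in != len_ex)
        r = len_in < len_ex ? -1 : 1;
    return r;
}

/* The caller at 0F7A2D01..0F7A2D12: CMP AX,00 / SETZ AL / NEG EAX turns the
   compare result into a VB Boolean: -1 (True) on a match, 0 (False) otherwise. */
static int vb_code_matches(const char *typed, const char *hardcoded)
{
    BSTR a = make_bstr(typed), b = make_bstr(hardcoded);
    int equal = (a && b) ? (runtime_strcomp(a, b) == 0) : 0;
    free_bstr(a);
    free_bstr(b);
    return -equal;
}

int main(void)
{
    const char *typed = "123456789012", *code = "qazwsxedcrfv"; /* values from the tutorial */
    BSTR w = make_bstr(typed);
    printf("byte length %u, first units:", (unsigned)bstr_bytelen(w));
    for (int i = 0; i < 4; i++)
        printf(" %02X 00", w[i]);
    printf("\nmatch(\"%s\") = %d, match(\"%s\") = %d\n", typed,
           vb_code_matches(typed, code), code, vb_code_matches(code, code));
    free_bstr(w);
    return 0;
}
```

The point of the model is the shape of the check rather than the secret itself: the length lives four bytes before the data, the compare count is that byte length halved, and the whole decision collapses to a single REPZ CMPSW whose flags are folded into -1/0/1 and then into a VB True/False.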
__________________________________________________________________________
Additional stuff
I suddenly remembered something about hardcoded codes... Maybe... Just maybe...
Let's open up the CrackMe with a hex editor and look through the whole file.
You will see "q.a.z.w.s.x.e.d.c.r.f.v" at file offset 25246h. 8P
Well, if you didn't know the correct code to begin with, you would never know
that this is the one even if you had seen it in a hex editor.
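What the hex editor search above amounts to, written out as an added C example (mine, not the tutorial's): scan a file for runs of printable ASCII stored as UTF-16LE, the "q.a.z.w.s.x..." layout that MultiByteToWideChar produces, and report their offsets. Run over your own build, this is the check that tells you whether a plaintext secret survived into the binary. The sample buffer is constructed for the demo and the names find_wide_strings, wide_run_to_ascii and scan_sample are mine; passing a file path as the first argument scans that file instead.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One result: byte offset of the run in the buffer and its length in characters. */
typedef struct { size_t offset; size_t chars; } wide_hit;

/* Scan buf for runs of at least min_chars printable ASCII characters stored
   as UTF-16LE (each character followed by a 0x00 byte). Records up to
   max_hits runs in hits and returns the total number of runs found. */
static size_t find_wide_strings(const unsigned char *buf, size_t len,
                                size_t min_chars, wide_hit *hits, size_t max_hits)
{
    size_t found = 0, i = 0;
    while (i + 1 < len) {
        size_t start = i, n = 0;
        while (i + 1 < len && buf[i] >= 0x20 && buf[i] <= 0x7E && buf[i + 1] == 0x00) {
            n++;
            i += 2;
        }
        if (n >= min_chars) {
            if (found < max_hits) {
                hits[found].offset = start;
                hits[found].chars = n;
            }
            found++;
        }
        if (n == 0)
            i++;    /* no run here: step one byte so odd-aligned strings are not missed */
    }
    return found;
}

/* Copy the characters of a run back out as a NUL-terminated ASCII string. */
static void wide_run_to_ascii(const unsigned char *buf, const wide_hit *hit,
                              char *out, size_t outsz)
{
    size_t n = hit->chars < outsz - 1 ? hit->chars : outsz - 1;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)buf[hit->offset + i * 2];
    out[n] = '\0';
}

/* Constructed sample, not the CrackMe's bytes: some filler, the 12-character
   code from the tutorial stored as UTF-16LE, then a plain-ASCII "ok" and a
   short wide "Hi" that should both be ignored at min_chars = 8. */
static const unsigned char sample[] = {
    0x90, 0x90,
    'q', 0, 'a', 0, 'z', 0, 'w', 0, 's', 0, 'x', 0,
    'e', 0, 'd', 0, 'c', 0, 'r', 0, 'f', 0, 'v', 0,
    0xFF, 'o', 'k', 0x00, 'H', 0, 'i', 0, 0x00
};

static size_t scan_sample(wide_hit *hits, size_t max_hits)
{
    return find_wide_strings(sample, sizeof sample, 8, hits, max_hits);
}

int main(int argc, char **argv)
{
    const unsigned char *data = sample;
    size_t len = sizeof sample;
    unsigned char *filebuf = NULL;

    if (argc > 1) {                               /* scan a real file when one is given */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        fseek(f, 0, SEEK_END);
        long sz = ftell(f);
        rewind(f);
        filebuf = malloc(sz > 0 ? (size_t)sz : 1);
        if (!filebuf || sz < 0 || fread(filebuf, 1, (size_t)sz, f) != (size_t)sz) {
            fclose(f); free(filebuf); return 1;
        }
        fclose(f);
        data = filebuf;
        len = (size_t)sz;
    }

    wide_hit hits[256];
    size_t total = find_wide_strings(data, len, 8, hits, 256);
    char text[128];
    for (size_t i = 0; i < total && i < 256; i++) {
        wide_run_to_ascii(data, &hits[i], text, sizeof text);
        printf("offset %zXh  %zu chars  %s\n", hits[i].offset, hits[i].chars, text);
    }
    free(filebuf);
    return 0;
}
```

The minimum run length is the only tuning knob: too low and every two-letter fragment of wide text is reported, too high and short codes slip through, so pick it from the length of the secrets you are looking for.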
__________________________________________________________________________
Final Notes
This tutorial is dedicated to all the newbies like me.
And because I'm a newbie myself, I may have explained certain things wrongly.
So, if that is the case, please forgive me. Email me if there is anything
you are not clear about.
My thanks and gratitude go to:-
All the writers of Cracks tutorials and CrackMes
and also to all the crackers that have been supporting my site and project forum.