--Softice Tutorial---

Date written: 27.4.2001

Program Details:
Name:       CoDe_InSide CrackMe 15
Author:     Bengaly
Tools Used: Softice
Rank:       easy[ ] medium[X] hard[ ]
____________________________________________________________________________________________

-About this protection system-

Protection based on a name/serial scheme.
_____________________________________________________________________________________________

The Essay

As this is a tutorial for more advanced newbies, I'll go into detail about how I go about cracking the program. I suggest that you read this tutorial first. When you have finished reading, leave the tutorial open and follow the instructions. Re-do it once more after you have completed the step-by-step guide...

In this essay, when I write type "d EAX" or similar commands in Softice, I mean it without the quotes.
_____________________________________________________________________________________________

Let's Crack The Bitch ;)

OK, this is pretty hard, so study this algo/protection. It was hard for me in the first place, I admit it; thanks to CoDe_InSide himself for helping me figure some stuff out, because there is a lot of stuff that can be confusing.

OK, first open the crackme; you will see the serial/name text boxes. Now we need to disassemble the crackme with W32Dasm to see data that is very important. After disassembling, save the listing as txt and close W32Dasm. Now enter some name & serial in the crackme.
For me it was:

name:   bengaly
serial: 123456789

Open Softice and bpx on GetDlgItemTextA, press F5, click the Register button, SICE pops up, press F5 twice to read the serial text box, press F12 once and you will land here:

* Reference To: USER32.GetDlgItemTextA, Ord:0000h
|
:00401163 FF155C1D4000          Call dword ptr [00401D5C]           ; call serial text input
:00401169 5D                    pop ebp                             ; WE LAND HERE
:0040116A A3D81E4000            mov dword ptr [00401ED8], eax
:0040116F BF001B4000            mov edi, 00401B00
:00401174 BB001E4000            mov ebx, 00401E00
:00401179 33C9                  xor ecx, ecx                        ; ecx = 0
:0040117B 33D2                  xor edx, edx                        ; edx = 0
:0040117D C705801E400000000001  mov dword ptr [00401E80], 01000000  ; binary table
:00401187 C705841E400000100011  mov dword ptr [00401E84], 11001000  ; binary table
:00401191 C705881E400001000101  mov dword ptr [00401E88], 01010001  ; binary table
:0040119B C7058C1E400001100111  mov dword ptr [00401E8C], 11011001  ; binary table
:004011A5 C705901E400010001001  mov dword ptr [00401E90], 01100010  ; binary table
:004011AF C705941E400010101011  mov dword ptr [00401E94], 11101010  ; binary table
:004011B9 C705981E400011001101  mov dword ptr [00401E98], 01110011  ; binary table
:004011C3 C7059C1E400011101111  mov dword ptr [00401E9C], 11111011  ; binary table
:004011CD BE801E4000            mov esi, 00401E80

OK, so we see a binary table for our serial. What does it mean? It means that our name is going through a binary converter, so our serial will be printed in binary (i.e. 10010101101). Hmm, that sounds difficult; well, for me it was very difficult because I had never cracked any binary protection algo, but I got some help from CoDe_InSide, so I got the picture once I found the serial.
OK, now keep tracing with F10; you will see stuff like this:

:004011D2 0FBE03    movsx eax, byte ptr [ebx]   ; move the byte at [ebx] into eax (sign-extended)
:004011D5 3C30      cmp al, 30                  ; compare al with '0' (30h)
:004011D7 7C32      jl 0040120B                 ; if lower than '0' jump
:004011D9 3C39      cmp al, 39                  ; compare al with '9' (39h)
:004011DB 7F19      jg 004011F6                 ; if greater than '9' jump
:004011DD 0FAFC8    imul ecx, eax               ; ecx * eax
:004011E0 01C1      add ecx, eax                ; ecx + eax
:004011E2 D1E1      shl ecx, 1                  ; shift ecx left by 1
:004011E4 83E830    sub eax, 00000030           ; eax - 30

OK, this just takes our name and picks out the digits between 0-9. Now continue tracing with F10 and you will see this:

:004011E7 668B1446  mov dx, word ptr [esi+2*eax] ; word at esi+2*char moves into dx
:004011EB 668917    mov word ptr [edi], dx       ; dx moves into [edi]
:004011EE 33D2      xor edx, edx                 ; edx = 0
:004011F0 83C702    add edi, 00000002            ; edi + 2
:004011F3 43        inc ebx                      ; ebx + 1 (next char)
:004011F4 EBDC      jmp 004011D2                 ; jump to (004011D2: movsx eax, byte ptr [ebx])

This part will loop a couple of times (according to the number of chars in the serial), so keep tracing after this loop and we will land here:

:004011F6 3C41      cmp al, 41                   ; compare al with 'A' (41h)
:004011F8 7C11      jl 0040120B                  ; if lower jump
:004011FA 3C46      cmp al, 46                   ; compare al with 'F' (46h)
:004011FC 7F0D      jg 0040120B                  ; if higher then jump
:004011FE 0FAFC8    imul ecx, eax                ; ecx * eax
:00401201 0FAFC8    imul ecx, eax                ; ecx * eax
:00401204 D1E1      shl ecx, 1                   ; shift ecx left by 1
:00401206 83E837    sub eax, 00000037            ; eax - 37
:00401209 EBDC      jmp 004011E7                 ; jump to (004011E7: mov dx, word ptr [esi+2*eax])

This is a loop section too, so keep tracing with F10; next you will find yourself here:

:0040120B 390D801C4000  cmp dword ptr [00401C80], ecx  ; compare ecx with [00401C80]
:00401211 7506          jne 00401219                   ; not equal: jump to mov edi, 00401C00
:00401213 FE05D41E4000  inc byte ptr [00401ED4]        ; [00401ED4] + 1 (byte)
:00401219 BF001C4000    mov edi, 00401C00              ; 00401C00 moves into edi
:0040121E BE001B4000    mov esi, 00401B00              ; 00401B00 moves into esi
:00401223 33C0          xor eax, eax                   ; eax = 0
:00401225 33C9          xor ecx, ecx                   ; ecx = 0
:00401227 33D2          xor edx, edx                   ; edx = 0
:00401229 B220          mov dl, 20                     ; 20 moves into dl
:0040122B 8B07          mov eax, dword ptr [edi]       ; 4 bytes at [edi] move into eax
:0040122D 8B0E          mov ecx, dword ptr [esi]       ; 4 bytes at [esi] move into ecx
:0040122F 33C1          xor eax, ecx                   ; this is where our binary serial is generated
:00401231 750B          jne 0040123E                   ; if eax != 0 then jump to badboy
:00401233 83C704        add edi, 00000004              ; edi + 4 (dword)
:00401236 83C604        add esi, 00000004              ; esi + 4 (dword)
:00401239 4A            dec edx                        ; edx - 1
:0040123A 75EF          jne 0040122B                   ; not zero: jump (0040122B mov eax, dword ptr [edi])
:0040123C EB18          jmp 00401256                   ; good boy?

This part is the compare section for our serial and the place where the serial is generated. OK, because it is supposed to be in binary (1/0), at 0040122F xor eax, ecx (eax/ecx = 0), if you do: d edi you will see in the hex data window (the left window) the binary code (and it's very, very long, so write it down like I did). So d edi for name: bengaly gives me this long binary code:

1100010011011011-11001100110000001100011101000000-11001001001101101000111110001000-10000101100001111011010101000000-10011101011100001111010001000000-10010000000001001101010101001011-10111000111101111001111110011011-11110001000000000001111000000000-1111000011110111

That was long, yeah, I know, but it is easier to use a keygen (don't know if I can make one, but maybe I will try). So we need to convert the binary code we got to ASCII; how do we do it? One way is to use "crackers tool"; the second way is to do it yourself with this method: you see 1100010011011011? Divide it into groups of 4, like this: 1100/0100/1101/1011, now take each group and make it ASCII using a binary->ASCII table. OK, so after converting all the binary numbers we get this:

C4DBCCC0C740C9368F888587B5409D70F4409004D54BB8F79F9BF1001E00F0F7

Long, eh? So enter the serial under the name bengaly and you will get a "YOU CRACKED IT!" ;) OK, done with that part. Now, how is the serial really generated?
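Before the algo scheme, here is an added example (my own Python, not the crackme's code and not part of the original essay) that models the serial-side loop at 004011D2-00401209 and the compare at 0040122B-0040123A from the listing above: it reproduces the "d edi" dump for the serial given in the essay and reverses the group-of-4 step. The name routine is not complete on the page, so the expected buffer is taken from the essay's own dump instead of being computed from the name.

```python
import struct

# The eight dwords the crackme stores at 00401E80..00401E9C (see the listing above).
TABLE_DWORDS = [0x01000000, 0x11001000, 0x01010001, 0x11011001,
                0x01100010, 0x11101010, 0x01110011, 0x11111011]
# Each dword holds two 16-bit words; "mov dx, word ptr [esi+2*eax]" indexes them 0..15.
TABLE_WORDS = [w for d in TABLE_DWORDS for w in (d & 0xFFFF, d >> 16)]
MASK32 = 0xFFFFFFFF


def encode_serial(serial):
    """Emulate the loop at 004011D2-00401209; returns (buffer at 00401B00, final ecx).

    A serial char becomes a hex digit 0-15, then the table word for that digit.
    The word's bytes are 00/01/10/11, so 'd edi' shows the digit's 4-bit binary form.
    The loop stops at the first char outside '0'-'9'/'A'-'F' (lowercase a-f stops it too).
    """
    buf, ecx = bytearray(), 0
    for c in serial.encode("ascii"):
        if 0x30 <= c <= 0x39:                       # cmp al,30 / cmp al,39
            ecx = ((ecx * c + c) << 1) & MASK32     # imul, add, shl
            idx = c - 0x30
        elif 0x41 <= c <= 0x46:                     # cmp al,41 / cmp al,46
            ecx = ((ecx * c * c) << 1) & MASK32     # imul, imul, shl
            idx = c - 0x37
        else:
            break                                   # jl/jg 0040120B
        buf += struct.pack("<H", TABLE_WORDS[idx])  # mov word ptr [edi], dx
    return bytes(buf), ecx


def binary_to_serial(bits):
    """The manual step in the essay: each group of 4 'bits' of the dump -> one hex digit."""
    return "".join("%X" % int(bits[i:i + 4], 2) for i in range(0, len(bits), 4))


def passes_compare(serial, expected):
    """Emulate 0040122B-0040123A: 0x20 dwords at 00401B00 must equal the 0x20 dwords
    left at 00401C00. Assumption: 00401B00 is zero before the serial is written."""
    buf = encode_serial(serial)[0].ljust(0x80, b"\x00")
    return all(buf[o:o + 4] == expected[o:o + 4] for o in range(0, 0x80, 4))


# Constructed from the essay: the serial and the 'd edi' dump for the name "bengaly".
SERIAL = "C4DBCCC0C740C9368F888587B5409D70F4409004D54BB8F79F9BF1001E00F0F7"
BITS = ("1100010011011011" "11001100110000001100011101000000"
        "11001001001101101000111110001000" "10000101100001111011010101000000"
        "10011101011100001111010001000000" "10010000000001001101010101001011"
        "10111000111101111001111110011011" "11110001000000000001111000000000"
        "1111000011110111")
```

`encode_serial(SERIAL)[0].hex()` is exactly the dump string written down in the essay, and `binary_to_serial(BITS)` gives the serial back; the value at 00401C80 that ecx is checked against is not shown on the page, so the ecx result is returned but not verified.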
We need to see the algo scheme for that, so here we go:

[ALGO SCHEME]:
--------------
:004010AC 33D2          xor edx, edx                       ; edx = 0
:004010AE 8B8700010000  mov eax, dword ptr [edi+00000100]  ; dword at [edi+0100] moves into eax
:004010B4 50            push eax                           ; save eax
:004010B5 F7E9          imul ecx                           ; edx:eax = eax * ecx
:004010B7 5A            pop edx                            ; load edx from the stack (the saved eax)
:004010B8 01C2          add edx, eax                       ; edx + eax
:004010BA 81F278563412  xor edx, 12345678                  ; edx xor 12345678
:004010C0 810F01010101  or dword ptr [edi], 01010101       ; OR statement: [edi] OR 01010101
:004010C6 E857000000    call 00401122                      ; switch ebx with ecx
:004010CB 2117          and dword ptr [edi], edx           ; AND statement: [edi] AND edx
:004010CD 83C704        add edi, 00000004                  ; edi + 4
:004010D0 01D6          add esi, edx                       ; esi + edx
:004010D2 49            dec ecx                            ; ecx - 1
:004010D3 75D7          jne 004010AC                       ; jump to 004010AC (xor edx, edx)
:004010D5 33C0          xor eax, eax                       ; eax = 0
:004010D7 56            push esi                           ; save esi
:004010D8 B140          mov cl, 40                         ; cl gets the value 40
:004010DA BF001C4000    mov edi, 00401C00                  ; edi gets the value 00401C00
:004010DF F3            repz                               ; repeat (ecx times)
:004010E0 AB            stosd                              ; Store String Dword: write eax (0) at [edi]
:004010E1 BF001B4000    mov edi, 00401B00                  ; edi gets the value 00401B00
:004010E6 33DB          xor ebx, ebx                       ; ebx = 0
:004010E8 33D2          xor edx, edx                       ; edx = 0
:004010EA B980000000    mov ecx, 00000080                  ; ecx gets the value 0080
:004010EF BE001C4000    mov esi, 00401C00                  ; esi gets the value 00401C00

So if you plan on making a keygen, just follow that algo and understand it ;)

name:   bengaly
serial: C4DBCCC0C740C9368F888587B5409D70F4409004D54BB8F79F9BF1001E00F0F7

Have fun ;D

CrackMe cracked ;)
________________________________________________________________________________________________

My thanks and gratitude go to:

----CoDe_InSiDe-----   ; for helping in cracking
-----BLAcKgH0sT------  ; for being a good friend :)
-------FusS------      ; asm / keygenning helper

All the writers of cracking tutorials and CrackMes