--Unpacking/Softice Tutorial---

Date written: 30.4.2001

Program Details:
Name:   CoDe_InSide CrackMe 16
Author: Bengaly
Tools Used: Softice, ProcDump, 32DASM
Rank: easy[ ] medium[X] hard[ ]
____________________________________________________________________________________________

-About this protection system-

Protection based on name/serial.
_____________________________________________________________________________________________

The Essay

As this is a tutorial for more advanced newbies, I'll go into detail about how I go about cracking the program. I suggest that you read this tutorial first. When you have completed the tutorial, leave it open and follow the instructions. Re-do it once more after you have completed the step-by-step guide...

In this essay, when I write type "d EAX" or similar commands in Softice, I mean it without the quotes.
_____________________________________________________________________________________________

Lets Crack The Bitch ;)

Hello again to my 18th tut... and I am very proud of it. OK, first, this CrackMe is very cool, since it combines several protections inside it. So let's go to work. First try on your own to crack it... OK, you can't crack it the regular way. Why? First we will disassemble the crackme... Oops, what do we see? We see only a little stuff disassembled; where has all of the asm code gone? Hahaha, this is nice. Now, since it's my first tutorial using ProcDump I can't really explain everything; I myself didn't know how to use ProcDump on a crackme, so I suggest you guys grab CoDe_InSide's tut13 about unpacking, which will give you a rough idea how it works.
OK, so we will need to use ProcDump. Open the program (ProcDump), press the PE Editor, choose your crackme (in our case CrackMe 16 by CoDe_InSide ;) ). Now, after opening the program, press the SECTIONS button (under Structure Editor). You will see a little box with offsets and raw numbers. Now you can see that the last entry (under .rsrc) has a blank name (no name at all) and offsets of 00000000 for all raw/virtual sizes. OK, that means a small protection: it stops us from using 32DASM. Right-click with the mouse on the blank name and choose "kill task". Haha, now click OK, then OK again, and exit the program. Now you are able to disassemble the crackme using 32DASM... whee, we have finished the unpacking part.

Now, after disassembling, choose the "Strn-Ref" button. You will see this: "Great !!! now write a KeyGen...". Click on that and we will be here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040121D(C)
|
:00401230 33C0            xor eax, eax              ; eax = 0
:00401232 8BC2            mov eax, edx              ; eax holds edx
:00401234 43              inc ebx                   ; ebx + 1
:00401235 4B              dec ebx                   ; ebx - 1
:00401236 85DB            test ebx, ebx             ; is ebx = 0?
:00401238 7418            je 00401252               ; yes?? jump
:0040123A 55              push ebp                  ; no?? save ebp
:0040123B 8BEC            mov ebp, esp              ; ebp now holds esp

* Possible StringData Ref from Data Obj ->"Great !!! now write a KeyGen..."   ; we are here
|
:0040123D 68BE1E4000      push 00401EBE             ; call api

OK, now that we know where we are, it's easier to find the address where the right serial is.
Now scroll up until here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004011CF(C)
|
:004011EF C1C904          ror ecx, 04               ; rotate ecx right by 4
:004011F2 0FC9            bswap ecx                 ; swap bytes in ecx
:004011F4 F7D1            not ecx                   ; NOT operation on ecx
:004011F6 51              push ecx                  ; save ecx
:004011F7 33C9            xor ecx, ecx              ; ecx = 0
:004011F9 8B05FC1B4000    mov eax, dword ptr [00401BFC] ; dword at 00401BFC moves to eax (name we entered)
:004011FF B9FC1A4000      mov ecx, 00401AFC         ; serial moves to ecx
:00401204 81E9FC000000    sub ecx, 000000FC         ; ecx - FC
:0040120A 8B11            mov edx, dword ptr [ecx]  ; dword at [ecx] moves to edx (string??)
:0040120C 8B5904          mov ebx, dword ptr [ecx+04] ; dword at [ecx+04] moves to ebx
:0040120F 85DB            test ebx, ebx             ; is ebx = 0?
:00401211 7402            je 00401215               ; yes? jump
:00401213 01D3            add ebx, edx              ; ebx + edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401211(C)
|
:00401215 83C108          add ecx, 00000008         ; ecx + 8
:00401218 8B11            mov edx, dword ptr [ecx]  ; dword at [ecx] moves to edx
:0040121A 5B              pop ebx                   ; restore the saved (NOT'ed) ecx into ebx
:0040121B 2BC3            sub eax, ebx              ; eax - ebx
:0040121D 7411            je 00401230               ; equal? jump
:0040121F 33DB            xor ebx, ebx              ; ebx = 0
:00401221 8B5904          mov ebx, dword ptr [ecx+04] ; dword at [ecx+04] moves to ebx
:00401224 83C108          add ecx, 00000008         ; ecx + 8
:00401227 8B11            mov edx, dword ptr [ecx]  ; dword at [ecx] moves to edx
:00401229 8B59FC          mov ebx, dword ptr [ecx-04] ; dword at [ecx-04] moves to ebx
:0040122C 2BD3            sub edx, ebx              ; edx - ebx
:0040122E 33DB            xor ebx, ebx              ; ebx = 0

OK, so we got the stuff we wanted, right? Yeah... once you look at the code above, the crackme begins to be very logical.
OK, next we need to figure out the algo scheme, so here we go:

[ALGO SCHEME]:
--------------
:004011F2 0FC9            bswap ecx                 ; swap bytes in ecx
:004011F4 F7D1            not ecx                   ; NOT operation on ecx
:004011F6 51              push ecx                  ; save ecx
:004011F7 33C9            xor ecx, ecx              ; ecx = 0
:004011F9 8B05FC1B4000    mov eax, dword ptr [00401BFC] ; dword at 00401BFC moves to eax (name we entered)
:004011FF B9FC1A4000      mov ecx, 00401AFC         ; serial moves to ecx

[ALGO EXPLANATION]:
-------------------
So after our (fake) serial is entered, it is not compared to a real serial or anything like that. By looking at the code we can see that first our serial gets a bswap. A bswap means swapping the bytes of our serial.

Example: our entered serial is 912E59DC (mostly it will use letters too in Sice; you will see that later), so we swap the bytes (like a mirror: if you write those byte pairs on paper and look at them in a mirror, they come out swapped ;) ). So the swapped serial is: DC592E91... got it? I hope so ;D

On to the second operation. After the fake serial is swapped we get a "NOT" operation (like the NOT operation in C/C++). So how do we apply the NOT operation to our swapped bytes? We do this:

1. Open calculator.exe (as in any Windows OS) ;)
2. Switch to View -> Scientific mode.
3. Choose HEX mode (on the left side).
4. Now take every 2 digits (one byte) and apply a NOT operation to them.

Example: DC 59 2E 91. Type DC in the calculator and press the NOT button; it will be calculated to FFFFFF23. Ignore the FFFFFF; then the calculated number is 23 ;) Got it?
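As an added example (not code from the tutorial or from the crackme), here is the bswap and NOT part of the ALGO SCHEME modelled in Python on 32-bit values, checked against the worked value 912E59DC. `not_bytewise` reproduces the calculator.exe method (NOT each byte pair, drop the FFFFFF prefix); it agrees with a single 32-bit NOT because flipping every bit of a dword is the same as flipping every bit of each of its four bytes. The `ror ecx, 04` that precedes the bswap in the listing is not modelled, since the scheme above starts at bswap.

```python
# Added example: Python model of the bswap + NOT steps from the ALGO SCHEME.
# Not part of the original tutorial; values below are the tutorial's own.

MASK32 = 0xFFFFFFFF


def bswap32(value: int) -> int:
    """x86 BSWAP on a 32-bit register: reverse the order of its four bytes."""
    return int.from_bytes((value & MASK32).to_bytes(4, "big"), "little")


def not32(value: int) -> int:
    """x86 NOT on a 32-bit register: flip every bit, no sign, no carry."""
    return (~value) & MASK32


def not_bytewise(hex_text: str) -> str:
    """The calculator method: NOT each byte pair separately and keep only
    the low byte of each result (the FFFFFF prefix is dropped)."""
    pairs = [hex_text[i:i + 2] for i in range(0, len(hex_text), 2)]
    return "".join(f"{(~int(p, 16)) & 0xFF:02X}" for p in pairs)


def serial_from_eax(eax: int) -> str:
    """bswap, then NOT, in the order the listing executes them; 8 hex digits."""
    return f"{not32(bswap32(eax)):08X}"


if __name__ == "__main__":
    # Worked value from the tutorial: "? eax" showed 912E59DC
    eax = 0x912E59DC
    swapped = bswap32(eax)
    print(f"eax      : {eax:08X}")
    print(f"bswap    : {swapped:08X}")            # DC592E91
    print(f"not (32) : {serial_from_eax(eax)}")    # 23A6D16E
    print(f"not (calc): {not_bytewise(f'{swapped:08X}')}")  # 23A6D16E, same answer
```

Running it prints the same three values the tutorial derives by hand, and shows that the byte-by-byte calculator work and the register-wide NOT are one and the same operation.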
I hope so. Now we get to the Sice part: open the crackme and insert any name/serial, open SoftIce by pressing Ctrl+D, enter a bpx (you can use either hmemcpy or GetDlgItemTextA; I prefer GetDlgItemTextA since it's much faster to debug ;) ), Ctrl+D again, press the "CHECK" button. Sice pops up; press F5 to read the serial text field, then F12, now trace with F10 (do you remember that we need to trace until where our serial is generated, right? So the address was 004011FF). Keep tracing... WHATTT!!!! We jumped to 4012XX (xx marks any address). Why? I will tell you why. When you look at the disassembled file, look further up to see this code:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004011ED(U)
|
:004011CA 0FBE07          movsx eax, byte ptr [edi] ; move 1 byte from [edi] to eax
:004011CD 85C0            test eax, eax             ; is eax = 0 (end of string)?
:004011CF 741E            je 004011EF               ; yes: no more chars, jump
:004011D1 3C30            cmp al, 30                ; compare with 0 (0x30, ASCII '0')
:004011D3 7CE9            jl 004011BE               ; lower than 0? jump out
:004011D5 3C39            cmp al, 39                ; compare with 9 (0x39, ASCII '9')
:004011D7 7F04            jg 004011DD               ; greater than 9? jump
:004011D9 240F            and al, 0F                ; keep the low nibble ('0'..'9' -> 0..9)
:004011DB EB0A            jmp 004011E7              ; jump, good boy (algo)

What does it mean? It means that if you enter a serial with less than 0 chars or more than 9 chars, then the output will always be "Too Bad, please try again !!!". So, in order to get on the right road, we need to enter 8 chars for the serial to be correct (after finding it, of course).

So now, after entering an 8-char serial with your name, we can debug from the start: bpx GetDlgItemTextA -> F5 -> F12 -> trace with F10. Now we won't jump out, because we entered 8 chars for our name. So keep tracing; you will find yourself in a loop of compares and unnecessary stuff. Keep pressing F10 7 more times; at the 8th time you will be at the algo part:

xxxx:004011FF mov ecx, 00401AFC ; <= be on this address.

If you type: d 00401AFC you will see your name in swapped bytes (i.e. YLAGNEB), and if you type: ? eax you will see your fake swapped serial in Sice (be sure to look at the hex number, since we are talking about hex stuff (NOT operations), and since the fake serial made by the algo will probably use letters as well, it's in hex mode ;) ).

Example: I got this when I typed ? eax:

"912E59DC" - 2435733980 - (blah blah)
     ^
     |
 hex number we need to write

So let's swap and NOT it and find the right serial for our name.

1. Swapping: 912E59DC => DC592E91
2. Using the NOT operation in calculator.exe (hex mode) we get: DC592E91 => 23A6D16E

So our correct serial is:

name:   bengaly
serial: 23A6D16E

Have fun ;D CrackMe cracked ;)
________________________________________________________________________________________________

My thanks and gratitude go to:

----CoDe_InSide-----  ; for helping in cracking
-----BLAcKgH0sT------ ; for being a good friend :)
-------FusS------     ; asm / keygenning helper

All the writers of cracking tutorials and CrackMes
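An added example, not from the tutorial: a Python model of the character loop at 004011CA..004011DB listed in the Sice part above, so the "jumped to 4012XX" behaviour can be reproduced without a debugger. It follows only the branches the listing shows: a NUL byte ends the loop (je 004011EF), a byte below 0x30 jumps out (jl 004011BE), and a digit is reduced with `and al, 0F`. A byte above 0x39 goes to 004011DD, which the tutorial does not list, so the model reports that branch instead of guessing what it does (the A, D and E in the final serial 23A6D16E take it). The outcome names and the sample inputs are constructed for this example.

```python
# Added example: Python model of the per-character loop at 004011CA..004011DB.
# Not the crackme's code; branch names are the addresses from the listing.

DONE = "done"        # hit the NUL terminator          -> je  004011EF
REJECT = "reject"    # byte below '0' (0x30)           -> jl  004011BE (jump out)
OTHER = "other"      # byte above '9' (0x39)           -> jg  004011DD (not listed)


def scan_serial(serial: bytes):
    """Walk the serial one byte at a time, the way the loop walks [edi].

    Returns (outcome, payload):
      (DONE,   digits) every byte was '0'..'9'; digits holds the al & 0F values
      (REJECT, index)  index of the first byte below '0'
      (OTHER,  index)  index of the first byte above '9' (branch not on the page)
    """
    digits = []
    for i, b in enumerate(serial + b"\x00"):   # the string is NUL-terminated
        if b == 0:                              # test eax, eax / je 004011EF
            return DONE, digits
        if b < 0x30:                            # cmp al, 30 / jl 004011BE
            return REJECT, i
        if b > 0x39:                            # cmp al, 39 / jg 004011DD
            return OTHER, i
        digits.append(b & 0x0F)                 # and al, 0F: '0'..'9' -> 0..9
    return DONE, digits                         # not reached; NUL always ends it


def takes_digit_path(serial: str) -> bool:
    """True when every character goes through `and al, 0F` and the loop
    reaches 004011EF, the path the tutorial traces with F10."""
    outcome, _ = scan_serial(serial.encode("ascii", errors="replace"))
    return outcome == DONE


if __name__ == "__main__":
    # Constructed inputs: an 8-digit serial, one with a space, the final serial
    for sample in (b"12345678", b"12 45678", b"23A6D16E"):
        print(sample.decode(), "->", scan_serial(sample))
```

Tracing `b"12 45678"` shows the jump-out at index 2 (0x20 is below 0x30), which is the "Too Bad" road the tutorial describes; `b"23A6D16E"` stops at index 2 on the 'A', the branch the listing does not show, so a keygen author would need to read the code at 004011DD before trusting letters in a serial.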