Saturday, May 06, 2000
Tutorial written by Falcon
Target: Borna Janes crackme v1.0
Tools: SoftIce, Calculator, Hex Editor (I used Hex Workshop)
Where: http://www.crackmes2.cjb.net
Level: 3
Essay:
Today we will examine another crackme that requires a little bit of thinking from us; one formula will be enough to reverse this program. The protection is good, so we will have to concentrate on instructions like ROL, ROR and XOR. We have to find the right serial to get the good message box; the whole protection consists of a couple of small loops. For those who are new to this, I recommend printing this tutorial.
Let's begin.
1:- Execute the program and type 8 digits in the edit box. { Why 8? The reason will be explained when we reach the first loop. As serial you can type 11115432; type the same numbers so you can follow along. }
2:- Activate SoftIce and type bpx getdlgitemtexta { SoftIce will break on this API }
3:- Press Enter, then F5, and you are back in Windows.
4:- Press the Check it button and you will be in SoftIce immediately.
5:- Press F11 and you should land at the following position:
0040119F CALL 004011D7
What comes after this call does not matter at the moment, so press F8 to enter the call. You will see the following code:
004011D7 MOV ESI, ESP
{ The value of ESP is MOVed to ESI }
004011D9 XOR EAX, EAX
{ XOR EAX with EAX => EAX=0 }
004011DB XOR EBX, EBX
{ XOR EBX with EBX => EBX=0 }
004011DD XOR ECX, ECX
{ XOR ECX with ECX => ECX=0 }
004011DF XOR EDX, EDX
{ XOR EDX with EDX => EDX=0 }
004011E1 CALL 00401272
{ Important Call; to go there press F8 again and you will see: }
00401272 MOV EDX, 004030F4
{ The address where your serial is stored is MOVed to EDX }
00401277 CMP BYTE PTR [EDX+ECX], 00
{ Takes the char at position ECX and compares it with 0h (the end of the string) }
0040127B JZ 00401295
{ Jump if there are no chars left }
0040127D CMP ECX, 03
{ After it has checked the first 4 chars, it jumps over the piece of code that checks whether your char is in the range [30-39]h = [0-9] decimal }
00401280 JG 0040128E
{ Jumps if the value of ECX is Greater than 3 }
00401282 CMP BYTE PTR [EDX+ECX], 30
{ CoMPare byte with 30h ('0') }
00401286 JB 00401291
{ Jump (to the bad routine) if Below }
00401288 CMP BYTE PTR [EDX+ECX], 39
{ CoMPare byte with 39h ('9') }
0040128C JA 00401291
{ Jump (to the bad routine) if Above }
0040128E INC ECX
{ Increase ECX: ECX=ECX+1 }
0040128F JMP 00401277
{ JuMP to the beginning of the loop }
00401291 INC ECX
{ Bad routine: increases ECX by 1 }
00401292 XOR EBX, EBX
{ XOR EBX with EBX => EBX=0 }
00401294 RET
{ Exit from CALL }
00401295 MOV EBX, 01
{ EBX takes the value 1 }
0040129A RET
{ Exit from CALL }
Comments about the last loop:
This loop was created to check whether your first 4 chars are digits or not. If they are not, it jumps to the bad message. The program does not care what chars come after the first 4. Another point we have to consider: it also counts the length of the serial (in ECX). Later you will see what it should be.
Let's continue tracing. We get here:
004011E6 JCXZ 0040125C
{ This instruction checks the value of the ECX register. If it is zero, it jumps to the bad message that tells you that you did not enter anything; if it is different from zero, it goes on to the next instruction }
004011E9 TEST EBX, EBX
{ Checks the value of EBX }
004011EB JZ 00401230
{ If EBX=0 (a non-digit among the first 4 chars), it jumps to the bad message }
004011ED CMP ECX, 08
{ CoMPares the length of the serial with 8. So, if you want to get to the main calculations, the length of the serial must be 8 }
004011F0 JNZ 00401230
{ JuMP if [(length of serial)-8] is Not equal to Zero }
004011F2 MOV EBX, 0040309C
{ Loads the address of the string Bjanes into EBX }
004011F7 MOV EBX, [EBX]
{ It takes the hexadecimal value of this string in reverse manner (little-endian). Let's see:
1:- Reverse manner, that is najB (only 4 bytes)
2:- Hex value, that is the hex equivalents of the given chars; for najB it is 6E616A42. You will see this number in the register as you pass this instruction }
004011F9 MOV ECX, 004030F4
{ The address of our serial is now in ECX }
004011FE MOV ECX, [ECX]
{ The same thing here. It takes the first 4 chars in reverse and loads them into ECX. If you have entered 11115432 as serial, you will see ECX=31313131 }
00401200 ROL ECX, 08
{ Rotates the Operand Left by 8 bits. As you pass this instruction you will see that ECX=31313131 (nothing changed, because all four bytes are the same) }
00401203 ROR EBX, 08
{ Rotates the Operand Right by 8 bits. As you pass this instruction you will see that EBX=426E616A. You see, 42 has moved from the last position to the first }
00401206 IMUL EBX, ECX
{ MULtiplication of the two operands: EBX:=EBX*ECX (only the low 32 bits of the product are kept) }
00401209 SHL EBX, 02
{ EBX:=EBX*2^2 }
0040120C MOV ECX, 004030F4
{ The address of our serial is in ECX }
00401211 MOV ECX, [ECX+04]
{ Moves the last 4 chars into ECX, again in reverse manner. In the end, when we find the real serial, we will have to reverse it back. Let's assume that you have entered 1 1 1 1 X1 X2 X3 X4 as serial; after this instruction ECX=X4X3X2X1 }
00401214 MOV EDX, 0040309C
{ Loads the address of the string Bjanes into EDX again }
00401219 MOV EDX, [EDX]
{ MOVes 6E616A42 into EDX (you see, it is again in reverse) }
0040121B ADD ECX, EDX
{ ADDition of the 2 operands: ECX:=ECX+EDX }
0040121D SHR ECX, 02
{ ECX:=ECX div 2^2 }
00401220 PUSH 004030F4
{ Pushes the address of the serial onto the stack. Interesting, why did he do that??? }
00401225 PUSH 004030A3
0040122A CALL 0040129B
{ The CoMParing CALL. Let's see what happens there }
0040129B XOR EBX, ECX
{ XORing of EBX and ECX }
0040129D JNZ 00401230
{ If you want to get the good message, the values of EBX and ECX must be equal before the XORing }
Comments:
That was the last part of the code we had to trace. Here we have the calculations on the serial; almost all of the math instructions are here. Our aim is to find the second part of the serial. It is calculated from the first part, so the first part can be kept constant. Let's see the next part of the tutorial to get the serial.
Strategy for getting the serial:
Let us see the information we have gathered until now. We have reached the code where the serial is calculated. First I am going to use the names of the registers { they represent the values }, then we will use the calculator to get the serial.
The serial check can be written like this:
EBX*ECX_1*4 = ( EDX+ECX_2 ) / 4
ECX_1 :- represents our ROLed first part of the serial, that is 31313131
EBX :- represents 426E616A { this is our RORed najB }
EDX :- represents 6E616A42 { najB }
ECX_2 :- represents our second part of the serial, that is X4X3X2X1
Let's use some math to simplify this formula:
The 4 can be moved to the other side. But do not forget that we are dealing with hex numbers, and 4*4=10h. So, we get:
EBX*ECX_1*10 = ( EDX+ECX_2 )
EBX*ECX_1*10-EDX = ECX_2
Do you see how easily I reached the last step? Now let's put in the values and get ECX_2:
(426E616A)*(31313131)*10-(6E616A42) = ECX_2
Use a calculator to get the value of ECX_2 (keep only the low 32 bits, as the registers do). Check it against mine: it should be 029D8A5E.
Remember we were talking about the reverse manner. That is it: 029D8A5E represents X4X3X2X1, but we have to find X1X2X3X4, so, as you understood, we have to reverse it like this: 5E8A9D02
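As an added worked example (my code, not the author's or the crackme's), the traced check and the author's formula re-implemented in Python with explicit 32-bit wrap-around; the function names are mine, and the magic dword is the first 4 bytes of the Bjanes string described above. It also generalises the formula to any first half and shows why some first halves have no solution at all: SHR ECX,02 throws two bits away, so the left-hand side must fit in 30 bits.

```python
import struct
from typing import Optional

MASK32 = 0xFFFFFFFF
# From the tutorial: the dword read at 0040309C is the first 4 bytes of "Bjanes"
MAGIC = struct.unpack("<I", b"Bjan")[0]   # 0x6E616A42, the "najB" value in EDX


def rol32(x: int, n: int) -> int:
    """x86 ROL on a 32-bit register."""
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK32


def ror32(x: int, n: int) -> int:
    """x86 ROR on a 32-bit register."""
    n %= 32
    return ((x >> n) | (x << (32 - n))) & MASK32


def dword_le(b: bytes) -> int:
    """4 chars read as a little-endian dword, the 'reverse manner' of the tutorial."""
    return struct.unpack("<I", b[:4])[0]


def check_serial(serial: bytes) -> bool:
    """Re-implementation of the traced check (00401272 loop, then 004011E6..0040129D)."""
    for i, ch in enumerate(serial):           # loop at 00401272: first 4 chars must be '0'..'9'
        if i <= 3 and not 0x30 <= ch <= 0x39:
            return False                      # 00401291 sets EBX=0 -> JZ 00401230 (bad message)
    if len(serial) != 8:                      # JCXZ / CMP ECX,08 / JNZ
        return False
    ebx = ror32(MAGIC, 8)                     # ROR EBX,08 -> 426E616A
    ecx = rol32(dword_le(serial[:4]), 8)      # ROL ECX,08
    ebx = (ebx * ecx * 4) & MASK32            # IMUL EBX,ECX ; SHL EBX,02 (low 32 bits only)
    ecx = ((dword_le(serial[4:]) + MAGIC) & MASK32) >> 2   # ADD ECX,EDX ; SHR ECX,02
    return ebx == ecx                         # XOR EBX,ECX ; JNZ bad


def solve_second_half(first4: bytes) -> Optional[bytes]:
    """Tutorial formula ECX_2 = EBX*ECX_1*10h - EDX (mod 2^32), returned as the raw bytes
    in the order they must be typed. SHR ECX,02 yields at most a 30-bit value, so a matching
    second half exists only when the left-hand side fits in 30 bits; otherwise None."""
    lhs = (ror32(MAGIC, 8) * rol32(dword_le(first4), 8) * 4) & MASK32
    if lhs >> 30:
        return None                           # no 32-bit ECX_2 can satisfy the check
    ecx2 = (lhs * 4 - MAGIC) & MASK32         # equals the tutorial's *10h - EDX when solvable
    return struct.pack("<I", ecx2)            # 029D8A5E -> bytes 5E 8A 9D 02 for "1111"
```

The two bits lost to SHR also mean that, when a solution exists, ECX_2+1, ECX_2+2 and ECX_2+3 pass the check as well; the function returns the one the tutorial found.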
It is time to use a hex editor:
Open any text file you want and replace 8 hex digits (4 bytes) with our final number. Save the changes and open the file where you made them. Copy the bytes you obtained after replacing, paste them right after 1111 in the edit box, and press the Check it button. Nothing is better than seeing a good message.
Serial: 1111^
End.
Greetings:
All members of Genocide Crew { czDrillard, congrats on receiving Council status; Gandalf, thanks for the .gif }
http://www.genocidecrew.cjb.net/
All members of Hellforge { LaZaRuS, Acid_Cool_178, Ac|dfusion, Dark_Wolf, Mercution }
Enormous thanks go to Acid_Cool_178 and Mercution for providing me with LOGOs
http://www.kickme.to/Hellforge
tHe CrEaM members { for their good intent to help everybody }
To everyone who makes tutorials
Cool coders: Terminal Cilla, AntiXrist, Chafe, The+Q, LaZaRuS, defiler, Lucifer48, CzDrillard { he is great at making good math algos }
Reversers: SiFLyiNG, mIST, zvem, TSCube, Marton, and everybody I forgot to add..
If you have any questions mail me: [email protected]