Saturday, May 06, 2000
Tutorial written by Falcon
Target: Borna Janes crackme v1.0
Tools: SoftIce, Calculator, Hex Editor (I used Hex WorkShop)
Where: http://www.crackmes2.cjb.net
Level: 3
Essay:
Today we will examine another crackme that will require a little bit of thinking from us. One formula will be enough to reverse this program. Certainly, the protection is good, so we will have to concentrate our attention on commands like ROL, ROR and XOR. We have to find the right serial to get the good message box; the whole protection consists of a couple of small loops. For those who are new to this, I recommend printing this tutorial.
Let's begin…
1:- Execute the program and type 8 numbers in the edit box. { Why 8? The reason will be explained when we reach the first loop. As serial you can type 11115432; type the same numbers… }
2:- Activate SoftIce and type bpx getdlgitemtexta { SoftIce reacts on this breakpoint… }
3:- Press Enter and then F5 and you are back in Windows.
4:- Press the 'Check it' button and you will be in SoftIce immediately.
5:- Press F11 and you should land at the following position…
0040119F CALL 004011D7
What comes after this call does not matter at this moment, so press F8 to step into this Call; you will then see the following code…
004011D7 MOV ESI, ESP               { The value of ESP is MOVed to ESI… }
004011D9 XOR EAX, EAX               { XOR EAX with EAX => EAX=0… }
004011DB XOR EBX, EBX               { XOR EBX with EBX => EBX=0… }
004011DD XOR ECX, ECX               { XOR ECX with ECX => ECX=0… }
004011DF XOR EDX, EDX               { XOR EDX with EDX => EDX=0… }
004011E1 CALL 00401272              { Important Call; press F8 again to go there and you will see: }
00401272 MOV EDX, 004030F4          { The address where your serial is, MOVed to EDX }
00401277 CMP BYTE PTR [EDX+ECX], 00 { Takes a char and compares each byte with 0h }
0040127B JZ 00401295                { Jump if there are no chars left }
0040127D CMP ECX, 03                { After it has checked the first 4 chars, it jumps over the piece of program that checks whether your char is in the range [30-39]h = [0-9] decimal }
00401280 JG 0040128E                { Jumps if the value of ECX is Greater than 3 }
00401282 CMP BYTE PTR [EDX+ECX], 30 { CoMPare byte with 30… }
00401286 JB 00401291                { Jump (to bad message) if Below… }
00401288 CMP BYTE PTR [EDX+ECX], 39 { CoMPare byte with 39… }
0040128C JA 00401291                { Jump (to bad message) if Above… }
0040128E INC ECX                    { Increase ECX… ECX=ECX+1… }
0040128F JMP 00401277               { JuMP to the beginning of the loop… }
00401291 INC ECX                    { Bad routine… Increases ECX by 1 }
00401292 XOR EBX, EBX               { XOR EBX with EBX… => EBX=0… }
00401294 RET                        { Exit from CALL… }
00401295 MOV EBX, 01                { EBX takes the value 1… }
0040129A RET                        { Exit from CALL… }
Comments about the last loop:
The last loop was created to check whether your first chars were numbers or not. If they were not, it jumps to the bad message. The program does not care what chars come after the first 4. Another point we have to consider: it calculates the length of the serial. Later you will see what it should be.
Let’s continue tracing…We get here:
004011E6 JCXZ 0040125C              { This command checks the value of the ECX register. If it is zero, it jumps to the 'bad' message that informs you that you did not enter anything; if it is non-zero, it goes on to the next operation… }
004011E9 TEST EBX, EBX              { Checks the value of EBX… }
004011EB JZ 00401230                { If EBX=0 then it jumps to the 'bad' message… }
004011ED CMP ECX, 08                { CoMPares the length of the serial. So, if you want to get to the main calculations, the length of the serial must be 8… }
004011F0 JNZ 00401230               { JuMP if [(length of serial)-8] is Not equal to Zero… }
004011F2 MOV EBX, 0040309C          { Loads the address of the string 'Bjanes' into EBX… }
004011F7 MOV EBX, [EBX]             { It takes the hexadecimal value of this string in reverse manner. Let's see. 1:- Reverse manner, that is 'najB' (only 4 bytes). 2:- Hex value, that is the hex equivalents of the given chars; for 'najB' it is 6E616A42. You will see this number in the register as you pass this command… }
004011F9 MOV ECX, 004030F4          { The address of our serial is now in ECX as you pass… }
004011FE MOV ECX, [ECX]             { The same thing here. It takes the first 4 chars in reverse and loads them into ECX. If you have entered 11115432 as serial, you will see ECX=31313131… }
00401200 ROL ECX, 08                { Rotates Operand Left. All bits are rotated by 8 units; as you pass this command you will see that ECX=31313131 (nothing changed, because all four bytes are the same)… }
00401203 ROR EBX, 08                { Rotates Operand Right. All bits are rotated by 8 units to the right. As you pass this command you will see that EBX=426E616A. You see, 42 has gone from the last position to the first… }
00401206 IMUL EBX, ECX              { MULtiplication of the two operands' values… EBX:=EBX*ECX (only the low 32 bits of the product are kept)… }
00401209 SHL EBX, 02                { EBX:=EBX*2^2… }
0040120C MOV ECX, 004030F4          { Our serial's address is in ECX… }
00401211 MOV ECX, [ECX+04]          { Moves the last 4 chars into ECX, again in reverse manner. In the end, when we find the real serial, we will have to reverse it back… Let's assume that as serial you have entered 1 1 1 1 X1 X2 X3 X4, so after this command ECX=X4X3X2X1… }
00401214 MOV EDX, 0040309C          { Loads the address of the string 'Bjanes' into EDX again… }
00401219 MOV EDX, [EDX]             { MOVs 6E616A42 to EDX; you see it is again in reverse… }
0040121B ADD ECX, EDX               { ADDition of the 2 operands ECX:=ECX+EDX… }
0040121D SHR ECX, 02                { ECX:=ECX div 2^2… }
00401220 PUSH 004030F4              { Pushes the serial onto the stack… Interesting, why did he do it??? }
00401225 PUSH 004030A3
0040122A CALL 0040129B              { CoMParing CALL… Let's see what happens there… }
0040129B XOR EBX, ECX               { XORing of EBX and ECX… }
0040129D JNZ 00401230               { If you want to have a good message, the values of EBX and ECX must be equal before the XORing… }
Comments:
That was the last part of the code we had to trace… Here we have the calculation of the serial; almost all the Math commands are here. Our aim is to find the second part of the serial. It is calculated from the first, so the first can be left constant. Let's see the next part of the tutorial to get the serial…
Strategy for getting the serial:
Let us see the information we have gathered until now. We have reached the code where the serial is calculated. Firstly, I am going to use the names of the registers { they will represent values }, then we will use the calculator to get the serial.
The serial calculation can be written like this:
EBX*ECX_1*4 = ( EDX+ECX_2 ) / 4
ECX_1 :- represents our ROLed first part of the serial. That is 31313131.
EBX :- represents 426E616A. { This is our RORed 'najB' }
EDX :- represents 6E616A42. { 'najB' }
ECX_2 :- represents our second part of the serial. That is X4X3X2X1.
Let's use some Math to simplify this formula somehow:
The 4 can be moved to the other side. But do not forget we are dealing with hex numbers, and 4*4=10h.
So, we get:
EBX*ECX_1*10 = ( EDX+ECX_2 )
EBX*ECX_1*10-EDX = ECX_2
Do you see how easily I reached the last step? Now, let's put in some values and get ECX_2:
(426E616A)*(31313131)*10-(6E616A42) = ECX_2
Use a calculator to get the value of ECX_2. Check it with mine: it should be 029D8A5E.
Remember we were talking about reverse manner. That is it: 029D8A5E represents X4X3X2X1, but we have to find X1X2X3X4, so as you understood we have to reverse it like this: 5E8A9D02
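The whole check and the keygen in Python, as an added example that is not part of the original tutorial: it mirrors the two listings above instruction by instruction, with every operation cut to 32 bits as the CPU does (which is also why the calculator must work in DWORD mode), and it generalises the author's formula to any 4-digit first half. The function and constant names are my own; the example also shows something the single worked value hides: SHR ECX,02 always clears the top two bits of ECX while SHL EBX,02 can leave them set in EBX, so some first halves (9999 is one) have no valid second half at all.

```python
import struct
from typing import Optional

MAGIC = struct.unpack_from("<I", b"Bjanes")[0]   # MOV EBX,[EBX] reads 'Bjan' -> 6E616A42
MASK = 0xFFFFFFFF                                # every register operation wraps at 32 bits


def rol32(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def ror32(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & MASK


def check_serial(serial: bytes) -> bool:
    """Mirror of CALL 00401272 and the math from 004011ED to 0040129D."""
    serial = serial.split(b"\x00")[0]            # GetDlgItemTextA returns a C string
    if not serial:                               # JCXZ: nothing typed -> bad
        return False
    if any(not 0x30 <= c <= 0x39 for c in serial[:4]):   # first 4 chars must be '0'..'9'
        return False
    if len(serial) != 8:                         # CMP ECX, 08
        return False
    first = struct.unpack_from("<I", serial, 0)[0]       # MOV ECX,[ECX]  ('reverse manner')
    second = struct.unpack_from("<I", serial, 4)[0]      # MOV ECX,[ECX+04]
    ebx = (ror32(MAGIC, 8) * rol32(first, 8)) & MASK     # ROR, ROL, IMUL (low 32 bits only)
    ebx = (ebx << 2) & MASK                              # SHL EBX, 02
    ecx = ((second + MAGIC) & MASK) >> 2                 # ADD ECX,EDX ; SHR ECX, 02
    return ebx == ecx                                    # XOR EBX,ECX ; JNZ bad


def solve_second_half(first4: bytes) -> Optional[bytes]:
    """Keygen for any 4-digit first half: the author's EBX*ECX_1*10h - EDX,
    reduced mod 2^32 and with the SHL/SHR mismatch handled."""
    first = struct.unpack_from("<I", first4)[0]
    target = ((ror32(MAGIC, 8) * rol32(first, 8)) << 2) & MASK   # EBX after SHL
    # SHR ECX,2 always leaves bits 30-31 of ECX clear, so if EBX has them set
    # no second half can ever make XOR EBX,ECX zero.
    if target >> 30:
        return None
    ecx_2 = ((target << 2) - MAGIC) & MASK       # undo the SHR (low 2 bits are free) and the ADD
    return struct.pack("<I", ecx_2)              # little-endian bytes = the 'reverse manner'


def make_serial(first4: bytes) -> Optional[bytes]:
    tail = solve_second_half(first4)
    return None if tail is None else first4 + tail
```

Because the SHR throws away two bits, ecx_2+1, ecx_2+2 and ecx_2+3 also pass, which gives some room to avoid a 00h byte (which would cut the string short) or an unprintable one.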
It is time to use a hex editor:
Open any text file you want and replace 8 bytes with our final number. Save the changes and open the file where you made them. Copy the bytes you obtained after replacing, paste them next to 1111 and press the 'Check it' button. Nothing is better than seeing a good message.
Serial: 1111^Šť
End.
Greetings:
All members from Genocide Crew { czDrillard congrats with receiving Council status; Gandalf thanks for the .gif }
http://www.genocidecrew.cjb.net/
All members from Hellforge { LaZaRuS, Acid_Cool_178, Ac|dfusion, Dark_Wolf, Mercution… }
Enormous thanks go to Acid_Cool_178 and Mercution for providing me with LOGOs
http://www.kickme.to/Hellforge
tHe CrEaM members { For their good intentions to help everybody }
To everyone who makes tutorials…
Cool coders: Terminal Cilla, AntiXrist, Chafe, The+Q, LaZaRuS, defiler, Lucifer48, CzDrillard { he is great at making good Math algos }
Reversers: SiFLyiNG, mIST, zvem, TSCube, Marton, and everybody I forgot to add…
If you have any questions mail me:
[email protected]