CoDe_InSiDe Crackme#1
 
Intro

Find the crackme here.

Difficulty : 2/10
Tools used: IDA

Why IDA? Because it isn't fooled that easily by interleaved jumps ;)

First, you will need to unpack the crackme (if you want a deadlisting). It's not really necessary, SoftIce will do just fine too :)

I will not discuss the unpacking in detail, this is not an unpack tutorial ;)
To dump it, trace till 'jump OEP' (= JMP 00401000h) and dump the entire crackme. Or just run the crackme, and dump the first section (=Hello).
Change the OEP in the PE header to 1000h and we have a working dump :)

If you used the first method (with SoftIce), mind the Softice detection code just after unpacking!

Ok, now we can take a look at the code :)

The code


First, let's check out the DialogMainProc:


00401028 ; ---------------------------------------------------------------------------
00401028 mov eax, [esp+8]
0040102C cmp eax, 111h ; WM_COMMAND ?
00401031 jz short loc_40104C
00401033 cmp eax, 10h ; WM_CLOSE ?
00401038 jz short loc_40103D
0040103A xor eax, eax
0040103C retn
0040103D ; ---------------------------------------------------------------------------
0040103D
0040103D loc_40103D: ; CODE XREF: Hello:00401038j
0040103D push 0
0040103F call ds:EndDialog
00401045 call ds:ExitProcess
0040104B retn


If a button is pressed we jump to the code below:

0040104C ; ---------------------------------------------------------------------------
0040104C
0040104C loc_40104C: ; CODE XREF: Hello:00401031j
0040104C mov eax, [esp+0Ch]
00401050 cmp eax, 3E8h
00401055 jz short loc_4010D0
00401057 cmp eax, 100h
0040105C jz short loc_4010D5
0040105E cmp eax, 101h
00401063 jz short loc_4010DA
00401065 cmp eax, 102h
0040106A jz short loc_4010DF
0040106C cmp eax, 103h
00401071 jz short loc_4010E4
00401073 cmp eax, 104h
00401078 jz short loc_4010E9
0040107A cmp eax, 105h
0040107F jz short loc_4010EE
00401081 cmp eax, 106h
00401086 jz short loc_4010F3
00401088 cmp eax, 107h
0040108D jz short loc_4010F8
0040108F cmp eax, 108h
00401094 jz short loc_4010FD
00401096 cmp eax, 109h
0040109B jz short loc_401102
0040109D cmp eax, 10Ah
004010A2 jz short loc_401107
004010A4 cmp eax, 10Bh
004010A9 jz short loc_40110C
004010AB cmp eax, 10Ch
004010B0 jz short loc_401111
004010B2 cmp eax, 10Dh
004010B7 jz short loc_401116
004010B9 cmp eax, 10Eh
004010BE jz short loc_40111B
004010C0 cmp eax, 10Fh
004010C5 jz short loc_401120
004010C7 cmp eax, 110h
004010CC jz short loc_401125
004010CE jmp short loc_40112A
004010D0 ; ---------------------------------------------------------------------------
004010D0
004010D0 loc_4010D0: ; CODE XREF: Hello:00401055j
004010D0 jmp loc_4012A4 ; We take this jump if the check button is pressed

004010D5 ; ---------------------------------------------------------------------------

The identifier of each button is compared with the one of the button that was pressed. On a match, execution jumps to the corresponding address below.


00401199 ; ---------------------------------------------------------------------------
00401199
00401199 loc_401199: ; CODE XREF: Hello:004010D5j
00401199 mov edi, 401F00h
0040119E jmp loc_401298
004011A3 ; ---------------------------------------------------------------------------
004011A3
004011A3 loc_4011A3: ; CODE XREF: Hello:004010DAj
004011A3 mov edi, 401F01h
004011A8 jmp loc_401298
004011AD ; ---------------------------------------------------------------------------
004011AD
004011AD loc_4011AD: ; CODE XREF: Hello:004010DFj
004011AD mov edi, 401F02h
004011B2 jmp loc_401298
004011B7 ; ---------------------------------------------------------------------------
004011B7
004011B7 loc_4011B7: ; CODE XREF: Hello:004010E4j
004011B7 mov edi, 401F03h
004011BC jmp loc_401298
004011C1 ; ---------------------------------------------------------------------------
004011C1
004011C1 loc_4011C1: ; CODE XREF: Hello:004010E9j
004011C1 mov edi, 401F04h
004011C6 jmp loc_401298
004011CB ; ---------------------------------------------------------------------------
004011CB
004011CB loc_4011CB: ; CODE XREF: Hello:004010EEj
004011CB mov edi, 401F05h
004011D0 jmp loc_401298
004011D5 ; ---------------------------------------------------------------------------
004011D5
004011D5 loc_4011D5: ; CODE XREF: Hello:004010F3j
004011D5 mov edi, 401F06h
004011DA jmp loc_401298
004011DF ; ---------------------------------------------------------------------------
004011DF
004011DF loc_4011DF: ; CODE XREF: Hello:004010F8j
004011DF mov edi, 401F07h
004011E4 jmp loc_401298
004011E9 ; ---------------------------------------------------------------------------
004011E9
004011E9 loc_4011E9: ; CODE XREF: Hello:004010FDj
004011E9 mov edi, 401F08h
004011EE jmp loc_401298
004011F3 ; ---------------------------------------------------------------------------
004011F3
004011F3 loc_4011F3: ; CODE XREF: Hello:00401102j
004011F3 mov edi, 401F09h
004011F8 jmp loc_401298
004011FD ; ---------------------------------------------------------------------------
004011FD
004011FD loc_4011FD: ; CODE XREF: Hello:00401107j
004011FD mov edi, 401F0Ah
00401202 jmp loc_401298
00401207 ; ---------------------------------------------------------------------------
00401207
00401207 loc_401207: ; CODE XREF: Hello:0040110Cj
00401207 mov edi, 401F0Bh
0040120C jmp loc_401298
00401211 ; ---------------------------------------------------------------------------
00401211
00401211 loc_401211: ; CODE XREF: Hello:00401111j
00401211 mov edi, 401F0Ch
00401216 jmp loc_401298
0040121B ; ---------------------------------------------------------------------------
0040121B
0040121B loc_40121B: ; CODE XREF: Hello:00401116j
0040121B mov edi, 401F0Dh
00401220 jmp loc_401298
00401225 ; ---------------------------------------------------------------------------
00401225
00401225 loc_401225: ; CODE XREF: Hello:0040111Bj
00401225 mov edi, 401F0Eh
0040122A jmp loc_401298
0040122F ; ---------------------------------------------------------------------------
0040122F
0040122F loc_40122F: ; CODE XREF: Hello:00401120j
0040122F mov edi, 401F0Fh
00401234 jmp loc_401298
00401239 ; ---------------------------------------------------------------------------
00401239
00401239 loc_401239: ; CODE XREF: Hello:00401125j
00401239 mov edi, 401F10h
0040123E jmp loc_401298
00401243 ; ---------------------------------------------------------------------------
00401243
00401243 loc_401243: ; CODE XREF: Hello:0040116Cj
00401243 mov edi, 401F11h
00401248 jmp loc_401298
0040124D ; ---------------------------------------------------------------------------
0040124D
0040124D loc_40124D: ; CODE XREF: Hello:00401171j
0040124D mov edi, 401F12h
00401252 jmp loc_401298
00401257 ; ---------------------------------------------------------------------------
00401257
00401257 loc_401257: ; CODE XREF: Hello:00401176j
00401257 mov edi, 401F13h
0040125C jmp loc_401298
00401261 ; ---------------------------------------------------------------------------
00401261
00401261 loc_401261: ; CODE XREF: Hello:0040117Bj
00401261 mov edi, 401F14h
00401266 jmp loc_401298
0040126B ; ---------------------------------------------------------------------------
0040126B
0040126B loc_40126B: ; CODE XREF: Hello:00401180j
0040126B mov edi, 401F15h
00401270 jmp loc_401298
00401275 ; ---------------------------------------------------------------------------
00401275
00401275 loc_401275: ; CODE XREF: Hello:00401185j
00401275 mov edi, 401F16h
0040127A jmp loc_401298
0040127F ; ---------------------------------------------------------------------------
0040127F
0040127F loc_40127F: ; CODE XREF: Hello:0040118Aj
0040127F mov edi, 401F17h
00401284 jmp loc_401298
00401289 ; ---------------------------------------------------------------------------
00401289
00401289 loc_401289: ; CODE XREF: Hello:0040118Fj
00401289 mov edi, 401F18h
0040128E jmp loc_401298
00401293 ; ---------------------------------------------------------------------------
00401293
00401293 loc_401293: ; CODE XREF: Hello:00401194j
00401293 mov edi, 401F19h
00401298
00401298 loc_401298: ; CODE XREF: Hello:0040119Ej
00401298 ; Hello:004011A8j ...
00401298 xor eax, eax
0040129A cmp al, [edi] ; Compare byte with zero
0040129C jz short loc_4012A1; If so, jump
0040129E dec byte ptr [edi] ; else set it back to zero
004012A0 retn ; return
004012A1 ; ---------------------------------------------------------------------------
004012A1
004012A1 loc_4012A1: ; CODE XREF: Hello:0040129Cj
004012A1 inc byte ptr [edi] ; Byte to 1
004012A3 retn ; return
004012A4 ; ---------------------------------------------------------------------------
004012A4
004012A4 loc_4012A4: ; CODE XREF: Hello:004010D0j
004012A4 xor eax, eax ; Move 0 to eax
004012A6 jmp short loc_4012AC; We take this jump if the check button is pressed

004012A6 ; ---------------------------------------------------------------------------
004012A8 dd 21796548h
004012AC ; ---------------------------------------------------------------------------
004012AC
004012AC loc_4012AC: ; Begin Check routine
004012AC mov edi, 401F00h ; Move address of array in edi
004012B1 cmp byte ptr [edi], 1 ; Compare first byte with 1
004012B4 jz short sub_4012D0 ; If so, continue routine
004012B6
004012B6 loc_4012B6: ; CODE XREF: sub_4012D0+8j
004012B6 call sub_40134C ; Reset Array
004012BB push 0 ; Badguy Message
004012BD push 401400h
004012C2 push 401409h
004012C7 push 0
004012C9 jmp loc_40138C ; MessageBoxA
004012C9 ; ---------------------------------------------------------------------------

The above code checks whether the array byte linked to the button you pressed is zero. If it is, the byte is 'activated' (set to 1).
If it is already activated, it gets deactivated again ;)
Ok, now we know how the pressed buttons are stored: a 26-byte array, one byte per button, in alphabetical order :)
(A = 401F00h --- Z = 401F26h)

The only thing left is to check the routine that is executed when we press the check-button :

; Check routine

004012D0 sub_4012D0      proc near               ; CODE XREF: Hello:004012B4j
004012D0 call near ptr 400FF8h ; Move pointer (*)
004012D5 cmp byte ptr [edi], 1 ; Compare the 2nd byte in the array
004012D8 jnz short loc_4012B6 ; Bad guy jump
004012DA call near ptr 400FFAh ; Move pointer (*)
004012DF cmp byte ptr [edi], 1 ; Compare the 3rd byte in the array
004012E2 jnz short loc_4012B6
004012E4 call near ptr 400FFEh ; Move pointer (*)
004012E9 cmp byte ptr [edi], 1 ; Compare a 4th byte in array
004012EC jnz short loc_4012B6
004012EE inc edi ; inc pointer
004012EF cmp byte ptr [edi], 1 ; Compare a 5th byte in array
004012F2 jnz short loc_4012B6
004012F4 inc edi ; inc pointer
004012F5 cmp byte ptr [edi], 1 ; Compare a 6th byte in array
004012F8 jnz short loc_4012B6
004012FA call near ptr 400FFBh ; Move pointer (*)
004012FF cmp byte ptr [edi], 1 ; Compare a 7th byte in array
00401302 jnz short loc_4012B6
00401304 mov edi, 401F01h ; Check all other bytes if zero...
00401309 xor eax, eax
0040130B cmp [edi], eax
0040130D jnz short loc_4012B6
0040130F add edi, 7
00401312 cmp [edi], eax
00401314 jnz short loc_4012B6
00401316 mov edi, 401F03h
0040131B cmp [edi], eax
0040131D jnz short loc_4012B6
0040131F mov eax, 1000000h
00401324 add edi, 0Dh
00401327 cmp [edi], eax
00401329 jnz short loc_4012B6
0040132B add edi, 4
0040132E xor eax, eax
00401330 cmp [edi], eax
00401332 jnz short loc_4012B6
00401334 add edi, 4
00401337 cmp [edi], eax
00401339 jnz loc_4012B6
0040133F add edi, 4
00401342 cmp [edi], eax
00401344 jnz loc_4012B6
0040134A jmp short loc_401379 ; Goodguy Message
0040134A sub_4012D0 endp

If we press the check button, we arrive in the above code. The pointer is set to the first byte of the array and that byte is tested. Then the pointer is moved forward (either by a call into the 'inc edi' chain or by a single 'inc edi'), the next byte is tested, and so on, until all 7 bytes have been checked. Next, all the other bytes are checked to be zero (to prevent pressing all keys from giving a valid solution).

; (*) Code used for the 4 calls above to move the pointer in edi

00400FF8                 inc edi
00400FF9                 inc edi
00400FFA                 inc edi
00400FFB                 inc edi
00400FFC                 inc edi
00400FFD                 inc edi
00400FFE                 inc edi
00400FFF                 ret

Calculation

The first byte tested is at address 401F00h                     -> A
The 2nd byte is at address 401F00 + 7                           -> H
The 3rd byte is at address 401F00 + 7 + 5                       -> M
The 4th byte is at address 401F00 + 7 + 5 + 1                   -> N
The 5th byte is at address 401F00 + 7 + 5 + 1 + 1               -> O
The 6th byte is at address 401F00 + 7 + 5 + 1 + 1 + 1           -> P
The 7th byte is at address 401F00 + 7 + 5 + 1 + 1 + 1 + 4       -> T


'A' + 'H' + 'M' + 'N' + 'O' + 'P' + 'T' or PHANTOM
Try it, it works, we found it ;)

If you don't understand how to figure out the valid buttons in the calculation above, go through the code with SoftIce, it will become clear :)
Each 'inc edi' moves the pointer in the array one byte.
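To confirm the walk-through of the toggle routine (loc_401298) and the check routine (sub_4012D0) above, here is an added Python model of the 26-byte button array. It is not code from the tutorial or from the crackme; the addresses and constants are the ones quoted in the listings, and all function names (incs_for_call, required_letters, press, check, accepts) are mine. incs_for_call shows why each 'call near ptr 400FFxh' moves the pointer by a different amount: the call lands in the middle of the run of 'inc edi' and only the increments before the 'ret' at 400FFFh execute. required_letters reproduces the calculation, and accepts runs the full check, including the dword compares that force every other byte to zero.

```python
# Added example: a Python model of the crackme's button array and check
# routine, written from the listings in the tutorial. It is not code from
# the tutorial or from the crackme itself. Addresses and constants are the
# ones quoted in the disassembly; all function names are my own.

ARRAY_BASE = 0x401F00      # byte for button 'A'; 'B' is 401F01h, and so on
INC_CHAIN_RET = 0x400FFF   # the 'ret' closing the run of 'inc edi' at 400FF8h

# Pointer moves of sub_4012D0 between the seven "== 1" tests, in order:
# three calls into the inc chain, two plain 'inc edi', one more call.
CHECK_MOVES = (("call", 0x400FF8), ("call", 0x400FFA), ("call", 0x400FFE),
               ("inc", 1), ("inc", 1), ("call", 0x400FFB))


def incs_for_call(target):
    """Number of 'inc edi' run by 'call near ptr <target>'.

    The routine is seven 'inc edi' followed by 'ret'; a call that lands in
    the middle only executes the increments that remain before the 'ret'."""
    return INC_CHAIN_RET - target


def required_offsets():
    """Offsets into the array that the check routine tests for 1."""
    offsets, edi = [0], 0          # the first test is on 401F00h itself
    for kind, arg in CHECK_MOVES:
        edi += incs_for_call(arg) if kind == "call" else arg
        offsets.append(edi)
    return offsets


def required_letters():
    """The buttons that must be pressed, as in the Calculation section."""
    return "".join(chr(ord("A") + off) for off in required_offsets())


def press(state, letter):
    """Emulate loc_401298: toggle the byte of one button (0 -> 1, 1 -> 0)."""
    idx = ord(letter.upper()) - ord("A")
    state[idx] = 0 if state[idx] else 1
    return state


def check(state):
    """Emulate the check routine on a 26-entry array; True means good guy.

    The zero tests use dword compares, so the routine also reads the six
    bytes after 'Z' (up to 401F1Fh); they are modelled as zero padding."""
    mem = bytes(state) + bytes(6)

    def dword(off):
        return int.from_bytes(mem[off:off + 4], "little")

    # Seven bytes must be 1: 401F00h plus the six pointer moves.
    if any(mem[off] != 1 for off in required_offsets()):
        return False
    # Everything else must be 0. Offsets follow the 'mov edi' / 'add edi'
    # steps in the listing; 0x01000000 at 401F10h means Q, R, S = 0 and T = 1.
    zero_tests = [(0x01, 0), (0x01 + 7, 0), (0x03, 0),
                  (0x03 + 0xD, 0x01000000),
                  (0x03 + 0xD + 4, 0), (0x03 + 0xD + 8, 0), (0x03 + 0xD + 12, 0)]
    return all(dword(off) == expected for off, expected in zero_tests)


def accepts(buttons):
    """Press each listed button once, starting from an empty array, then check."""
    state = [0] * 26
    for letter in buttons:
        press(state, letter)
    return check(state)


if __name__ == "__main__":
    print(required_letters())                      # AHMNOPT
    print(accepts("PHANTOM"))                      # True: same letters, once each
    print(accepts("ABCDEFGHIJKLMNOPQRSTUVWXYZ"))   # False: other bytes are 1
    print(accepts("PHANTOMM"))                     # False: M toggled back to 0
```

Pressing a letter twice toggles its byte back to zero, so the model rejects "PHANTOMM" just as the crackme would; pressing every button fails on the very first dword compare at 401F01h, which is the point the tutorial makes about the zero checks.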

Final notes


With a correct PE header, this crackme is very straight forward ;)
Although the way of checking the buttons has nothing to do with a matrix! CoDe_InSiDe tried to put us on the wrong track, I suppose ;))

If you have questions or remarks about this tutorial, mail me at :

Detten@eudoramail.com

Greetz,

Detten

 


www.biw-reversing.cjb.net