*********************************************************************************************************************************************
                                                          Official CFF CrackMe #3
*********************************************************************************************************************************************

Author:     Acid Bytes
Protection: Name / Serial
URL:        http://www.mesa-sys.com/~eternal/a-d/cffo-3.zip
Tools:      SoftICE v4.05
            ProcDump v1.6.2
            Hex-Editor
            W32Dasm v8.93

---> Intro...

Welcome to my next Tutorial !!!

Ok, first I'm going to find the Name/Serial with SoftICE :) Then I'm going to manually unpack it (it's UPX, you could use the UPX program itself to unpack it, but why should I ;P). And then I'll patch it in some ways.

---> Let's Begin...

*** SoftICE ***

Ok, open the CrackMe and it asks us for a Name and Serial. Enter anything you want; I've used:

Name:   CoDe_InSiDe
Serial: 1234567890

Then get into SoftICE (CTRL+D) and type "bpx hmemcpy", then press (CTRL+D) to get out of SoftICE and now press the button "Register now !" and SoftICE should pop up. Ok, now type "BC *" to clear the breakpoint and press (F12) 12 times and you'll see this:

---------------------------------------------------------------------------------------------------------------------------------------------
:00440ED4 837DFC00          cmp dword ptr [ebp-04], 00000000   <--- Check if we entered a Name
:00440ED8 7518              jne 00440EF2                       <--- Jump if we entered a Name, else show a Message Box
:00440EDA 6A00              push 00000000

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00440E6B(C)
|
:00440EDC B9C80F4400        mov ecx, 00440FC8                  <--- String: No Name entered
:00440EE1 BAD80F4400        mov edx, 00440FD8                  <--- String: Enter a Name!
:00440EE6 A1442C4400        mov eax, dword ptr [00442C44]
:00440EEB 8B00              mov eax, dword ptr [eax]
:00440EED E876C1FFFF        call 0043D068                      <--- Call Message Box

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00440ED8(C)
|
:00440EF2 8D55FC            lea edx, dword ptr [ebp-04]
:00440EF5 8B83C8020000      mov eax, dword ptr [ebx+000002C8]
:00440EFB E820FFFDFF        call 00420E20                      <--- Not important
---------------------------------------------------------------------------------------------------------------------------------------------

In here it simply checks if we entered a Name; if so, it jumps over the Message Box. Let's see what's next:

---------------------------------------------------------------------------------------------------------------------------------------------
:00440F00 837DFC00          cmp dword ptr [ebp-04], 00000000   <--- Check if we entered a Serial
:00440F04 7518              jne 00440F1E                       <--- Jump if we entered a Serial, else show a Message Box
:00440F06 6A00              push 00000000

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00440E99(C)
|
:00440F08 B9E80F4400        mov ecx, 00440FE8                  <--- String: No Serial entered
:00440F0D BAFC0F4400        mov edx, 00440FFC                  <--- String: Enter a Serial!
:00440F12 A1442C4400        mov eax, dword ptr [00442C44]
:00440F17 8B00              mov eax, dword ptr [eax]
:00440F19 E84AC1FFFF        call 0043D068                      <--- Call Message Box

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00440F04(C)
|
:00440F1E 8D55FC            lea edx, dword ptr [ebp-04]
:00440F21 8B83C4020000      mov eax, dword ptr [ebx+000002C4]
:00440F27 E8F4FEFDFF        call 00420E20                      <--- Not important
---------------------------------------------------------------------------------------------------------------------------------------------

And here it simply checks if we entered a Serial :) if so, it jumps over the Message Box. Let's see what's next:

---------------------------------------------------------------------------------------------------------------------------------------------
:00440F2C 8B45FC            mov eax, dword ptr [ebp-04]        <--- EAX now points to our Name
:00440F2F BA14104400        mov edx, 00441014                  <--- Hmmm.... the String: Registered User
:00440F34 E8F32BFCFF        call 00403B2C                      <--- Compare those 2
:00440F39 7551              jne 00440F8C                       <--- If not equal jump to Bad Message Box, else continue
:00440F3B 8D55FC            lea edx, dword ptr [ebp-04]
:00440F3E 8B83C8020000      mov eax, dword ptr [ebx+000002C8]
:00440F44 E8D7FEFDFF        call 00420E20                      <--- Not important
---------------------------------------------------------------------------------------------------------------------------------------------

Hmm... you see that :) it compares the String "Registered User" with our Name; if they are not equal it jumps to the Bad Message Box.
So instead of entering our Name in the first Edit Box we need to put there: Registered User :)

Ok, change your Name into "Registered User" and get back to this place, or when you're on the "jne 00440F8C" type "r fl z" so we can continue to see what's next. So let's check what's next:

---------------------------------------------------------------------------------------------------------------------------------------------
:00440F49 8B45FC            mov eax, dword ptr [ebp-04]        <--- EAX now points to our "Fake" Serial
:00440F4C BA2C104400        mov edx, 0044102C                  <--- Hmmm.... the String: GFX-754-IER-954
:00440F51 E8D62BFCFF        call 00403B2C                      <--- Compare those 2
:00440F56 751A              jne 00440F72                       <--- If not equal jump to Bad Message Box, else continue
:00440F58 6A00              push 00000000                      <--+
:00440F5A B93C104400        mov ecx, 0044103C                  <--- String: CrackMe cracked successfully         |
:00440F5F BA5C104400        mov edx, 0044105C                  <--- String: Congrats! You cracked this CrackMe!  | Good Message Box
:00440F64 A1442C4400        mov eax, dword ptr [00442C44]                                                         |
:00440F69 8B00              mov eax, dword ptr [eax]                                                              |
:00440F6B E8F8C0FFFF        call 0043D068                                                                         |
:00440F70 EB32              jmp 00440FA4                       <--+

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00440F56(C)
|
:00440F72 6A00              push 00000000                      <--+
:00440F74 B980104400        mov ecx, 00441080                  <--- String: Beggar off!                           |
:00440F79 BA8C104400        mov edx, 0044108C                  <--- String: Wrong Serial,try again!               | Bad Message Box
:00440F7E A1442C4400        mov eax, dword ptr [00442C44]                                                         |
:00440F83 8B00              mov eax, dword ptr [eax]                                                              |
:00440F85 E8DEC0FFFF        call 0043D068                                                                         |
:00440F8A EB18              jmp 00440FA4                       <--+
---------------------------------------------------------------------------------------------------------------------------------------------

Hey, you see that Serial ;P instead of entering some Serial we need to enter the String "GFX-754-IER-954" :) to make us Registered.
Ok, now you can get out of SoftICE and enter those 2 Strings and you're Registered :) But remember these Offsets for Patching purposes:

00440ED8   Check if we entered a Name
00440F04   Check if we entered a Serial
00440F39   Compare 1 (Name: Registered User)
00440F56   Compare 2 (Serial: GFX-754-IER-954)
00440F5A   We're gonna replace this String with "Registered User"
00440F5F   We're gonna replace this String with "GFX-754-IER-954"

Also remember these two Offsets to Strings:

00441014   the String: Registered User
0044102C   the String: GFX-754-IER-954

But now let's first Unpack this CrackMe :)

---> Let's Begin...

*** Manually Unpack ***

Ok, like I said above, you can unpack UPX easily with its own program :) but I don't like that, so I'm doing it manually...

Open ProcDump and click on the button "PE Editor", then select the CrackMe and click "Open". Now you'll see:

Entry Point: 00055BB0

This is the "Virtual Offset" and we need to find the "Raw Offset", so click on "Sections" and look at the "Virtual Offsets". As you can see this Entry Point belongs to the middle Section called "UPX1" (btw, it's actually always the middle Section in UPX ;). So how are we going to figure out the "Raw Offset"? Take the Entry Point, subtract the Virtual Offset of UPX1 (00037000) and add its Raw Offset (00000400):

Entry Point = 00055BB0 - (00037000 - 00000400)
Entry Point = 0001EFB0

So open the CrackMe in your Hex-Editor and go to Offset "0001EFB0", now press "Page-Down" once and somewhere around where the code ends you should see something like this:

61E964B5FEFF

Replace "E9" with "CC" and save the file. Then get into SoftICE (CTRL+D), type "bpint 3", get out of SoftICE (CTRL+D) and run the CrackMe; now SoftICE should break. And we're landing on a "jmp" to the OEP :) So press (F10) once and we're at the OEP. Write down the "Virtual Offset", it's "00441270", and now put the "EBFE" trick at the OEP. Then get out of SoftICE and open ProcDump. Right click on the CrackMe and choose "DUMP (full)", then save it anywhere you want.
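The Raw Offset calculation above, as an added example that is not part of the tutorial: it walks a PE section table to map a "Virtual Offset" (RVA) to a file offset, refuses RVAs that have no bytes on disk (the UPX0 case), and also does the image-base subtraction used when the dump's Entry Point is set. Only UPX1's Virtual Offset 00037000 and Raw Offset 00000400 come from the tutorial; the 00400000 image base, the section sizes and the UPX0/UPX2 entries are assumed placeholders.

```python
# Added example, not from the tutorial: map a PE "Virtual Offset" (RVA) to a
# "Raw Offset" (file offset) by walking the section table, the way ProcDump's
# Sections view lets you do by hand.
from dataclasses import dataclass
from typing import Optional, Sequence

IMAGE_BASE = 0x400000  # assumed: the tutorial's 004xxxxx addresses imply this base


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int  # RVA where the section is mapped (ProcDump's "Virtual Offset")
    virtual_size: int     # size in memory
    raw_offset: int       # PointerToRawData ("Raw Offset")
    raw_size: int         # SizeOfRawData; 0 means the section exists only in memory


def rva_to_raw(sections: Sequence[Section], rva: int) -> Optional[int]:
    """raw = rva - VirtualOffset + RawOffset, using the section that contains rva.

    Returns None when the RVA lies in no section, or in the memory-only part of a
    section (virtual size > raw size): those bytes are not in the file, so there is
    nothing to edit in a hex editor. That is exactly UPX0 in a packed binary.
    """
    for s in sections:
        span = max(s.virtual_size, s.raw_size)
        if s.virtual_address <= rva < s.virtual_address + span:
            delta = rva - s.virtual_address
            return s.raw_offset + delta if delta < s.raw_size else None
    return None


def va_to_raw(sections: Sequence[Section], va: int, image_base: int = IMAGE_BASE) -> Optional[int]:
    """Same mapping for a full virtual address (VA - ImageBase = RVA)."""
    return rva_to_raw(sections, va - image_base)


def dump_entry_point(oep_va: int, image_base: int = IMAGE_BASE) -> int:
    """The value typed into PE Editor after dumping: the OEP as an RVA (00441270 -> 00041270)."""
    return oep_va - image_base


# Constructed section table in the usual three-section UPX layout. Only UPX1's
# virtual offset (00037000) and raw offset (00000400) come from the tutorial;
# the sizes and the UPX0/UPX2 entries are placeholders.
UPX_SECTIONS = [
    Section("UPX0", 0x01000, 0x36000, 0x00400, 0x00000),  # unpacking target, no raw data
    Section("UPX1", 0x37000, 0x1F000, 0x00400, 0x1F000),  # packed data + UPX stub
    Section("UPX2", 0x56000, 0x01000, 0x1F400, 0x00200),  # imports/resources
]
```

`rva_to_raw(UPX_SECTIONS, 0x55BB0)` gives 0x1EFB0, the offset the tutorial edits in the hex editor.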
Now open the saved file in "PE Editor" (in ProcDump) and change the Entry Point to "00041270", press "Ok" and we're done :) Now you can run and disassemble the file =)

Now to the Patching part.

---> Let's Begin...

*** Patching ***

Ok, remember the Patching points? Let me refresh your mind ;P (or just scroll up...):

00440ED8   Check if we entered a Name
00440F04   Check if we entered a Serial
00440F39   Compare 1 (Name: Registered User)
00440F56   Compare 2 (Serial: GFX-754-IER-954)
00440F5A   We're gonna replace this String with "Registered User"
00440F5F   We're gonna replace this String with "GFX-754-IER-954"

Also remember these two Offsets to Strings:

00441014   the String: Registered User
0044102C   the String: GFX-754-IER-954

Ok, open W32Dasm and disassemble the saved file. Then go to each of these Offsets and write down the offset you see at the bottom of W32Dasm (the file offset):

Virtual Offset   Offset at the bottom of W32Dasm
00440ED8         000404D8
00440F04         00040504
00440F39         00040539
00440F56         00040556
00440F5A         0004055A
00440F5F         0004055F

Ok, now close W32Dasm and open the saved file in your Hex-Editor. Change the first 2 Offsets into "jmp" (EB) (I assume you know how to do that :). And you can NOP out the next 2 Offsets (90), or "inc eax, dec eax", something to that effect ;) as long as they don't jump.
Now go to the Offset "0004055A" and change it into this:

:0004055A B93C104400   into   :0004055A B914104400   (String to Registered User)

And at Offset "0004055F" change it into this:

:0004055F BA5C104400   into   :0004055F BA2C104400   (String to GFX-754-IER-954)

Save the file and run it; now every Serial works and you'll get a Message Box popping up with the correct Name and Serial ;P

That's all...

---> Greetings...

To be honest I'm getting a bit sick of these greetings every time ;P So I'll just say: Greetings to everyone I know, and to everyone who knows me, and You... ;P

Don't trust the Outside, trust the InSiDe !!!

Cya...

CoDe_InSiDe
Email: code.inside@home.nl
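The hex-editor steps of the Patching part, as an added script that is not part of the tutorial: it checks that the original bytes from the listing really sit at each file offset before overwriting anything, so a wrong dump or wrong W32Dasm offsets fail loudly instead of silently corrupting the file, and it shows how the string pointers are encoded little-endian in the "mov ecx/edx, imm32" operands. All offsets and bytes come from the tutorial; the input file is a constructed zero-filled stand-in for the dump, not the real CrackMe.

```python
# Added example, not from the tutorial: apply the six patches to the dumped file,
# verifying the expected original bytes first.
import struct
from typing import List, Tuple


def imm32(va: int) -> bytes:
    """Little-endian encoding of a 32-bit operand: 00441014 -> 14 10 44 00."""
    return struct.pack("<I", va)


# (file offset, original bytes, patched bytes), all from the tutorial's listing:
# jne -> jmp (75 xx -> EB xx) for the two empty-field checks, jne -> two NOPs for
# the two string compares, and the Good Message Box pointers re-pointed at the
# "Registered User" (00441014) and "GFX-754-IER-954" (0044102C) strings.
PATCHES: List[Tuple[int, bytes, bytes]] = [
    (0x404D8, b"\x75\x18", b"\xEB\x18"),
    (0x40504, b"\x75\x18", b"\xEB\x18"),
    (0x40539, b"\x75\x51", b"\x90\x90"),
    (0x40556, b"\x75\x1A", b"\x90\x90"),
    (0x4055A, b"\xB9" + imm32(0x44103C), b"\xB9" + imm32(0x441014)),
    (0x4055F, b"\xBA" + imm32(0x44105C), b"\xBA" + imm32(0x44102C)),
]


def apply_patches(data: bytes, patches=PATCHES) -> bytes:
    """Return a patched copy; raise ValueError if any original bytes do not match."""
    buf = bytearray(data)
    for off, old, new in patches:
        assert len(old) == len(new), "patches must not change instruction length"
        found = bytes(buf[off:off + len(old)])
        if found != old:
            raise ValueError(
                f"at {off:#08x} found {found.hex()} but expected {old.hex()}: "
                "wrong file or wrong file offsets, nothing written")
        buf[off:off + len(new)] = new
    return bytes(buf)


def make_sample_image(size: int = 0x41000) -> bytes:
    """Constructed stand-in for the dump: zeros with the original bytes at the right offsets."""
    buf = bytearray(size)
    for off, old, _ in PATCHES:
        buf[off:off + len(old)] = old
    return bytes(buf)
```

Running `apply_patches` on a file that does not carry the expected bytes (for example the still-packed CrackMe, whose offsets differ) raises before any byte is changed.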