Acid_Cool_178 presents his #6 Tutorial

Author Information
  E-mail:             acid_cool_178@hotmail.com
  Age:                17
  Web Page:           http://acidcool.cjb.net/
  Member in:          Hellforge | Flying Horse Cracking Force
  Groups' Web Pages:  Hellforge Login | FHCF Login

Program Information
  Name         File Name       Protection         Size
  Crackme1     Crackme.exe     Serial             32
  Crackme1a    Crackme1.exe    Serial             31
  Crackme1c    n0p3x.exe       Serial             16
  Crackme2     Crackme.exe     NAG/Name/Serial    32
  Crackme2a    Crackme2a.exe   NAG                69
  Crackme2a1   n0p3x.exe       NAG and CRC        48
  Crackme3     Crackme3.exe    Keyfile            35
  Crackme4     Crackme4.exe    CD-Check           31
  Crackme4a    Crackme4a.exe   CD-Check           31
  Crackme5     Crackme3.exe    Date Check         32
  Crackme6     Crackme6.exe    Soft Ice Check     35
  (The Size column has no unit in the original; kilobytes, presumably.)

  Author:               n0p3x
  Where to Download:    n0p3x's Homepage
  Tools used:           W32Dasm, SoftIce, Hiew
  Download at:          1. Programmer Tools   2. Player Tools
  What kind of program: Crackme
  Skill:                Easy | Not so easy | Hard | X-pert
Information about the protection |
See the table above; I won't tell you twice ;)
Before we start |
This is my biggest tutorial for Hellforge so far, and my target is to patch a lot of
n0p3x's crackmes. Since I am getting better at patching but am still not so good with
SoftIce, I will try my best to use SoftIce in this text.
When I say NOP something, open the file in Hiew.exe and go to the ASM view (press Enter
twice). Find the offset by looking at the W32Dasm status bar, where it is marked
@Offset xxxxxxxxh; the h means hex. Note that this is the file offset, not the address
printed at the left of the listing (004011xx); the two differ, and Hiew wants the offset.
Go to that offset in Hiew with F5 (Goto), type it and press Enter. You should now be at
the offset and see something like this:
00401114 7518 jne 0040112E
The only thing we edit is the code bytes, in this case 7518. So press F3 (Edit), type
9090 (two NOPs, one per byte of the original instruction; a six-byte near jump of the
form 0F 8x needs six NOPs), then Update the file (F9) and Exit (F10 and Esc). Keep a
copy of the unpatched file so you can compare the two afterwards.
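The offset-and-patch step above, done in code instead of by hand in Hiew. This is an added example written for this page, not code from the tutorial or from n0p3x: it walks the PE section table to turn a W32Dasm virtual address into the file offset Hiew wants (the "@Offset" value), refuses to write unless the bytes at that offset are the ones the disassembly showed, and applies the two edits this tutorial uses, NOPping a conditional jump and turning a JE into a JMP (the Task 11 trick). The image it works on is a constructed stand-in with a single .text section; the Task 1 bytes are placed at 0040110Fh so the addresses match the listing.

```python
import struct

# Constructed sample image for this tutorial, not one of n0p3x's crackmes:
# a minimal PE32 with one .text section mapped at RVA 1000h and stored at raw
# offset 400h, carrying the Task 1 bytes "cmp eax,0F3EA9h / jne" at VA 40110Fh.
IMAGE_BASE = 0x400000
SHORT_JCC = range(0x70, 0x80)      # 7x rel8: jo, jno, jb, jae, je, jne, ...
NEAR_JCC = range(0x80, 0x90)       # 0F 8x rel32


def build_sample_pe() -> bytes:
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<IHHIIIHH", 0x00004550,           # "PE\0\0"
                       0x14C, 1, 0, 0, 0, 0xE0, 0x102)    # i386, one section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 0x1C, IMAGE_BASE)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x400,
                       0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + coff + bytes(opt) + sect).ljust(0x400, b"\0")
    text = bytearray(0x200)
    # 0040110F  3DA93E0F00  cmp eax, 000F3EA9
    # 00401114  7518        jne 0040112E
    text[0x10F:0x116] = bytes.fromhex("3DA93E0F00" "7518")
    return headers + bytes(text)


def va_to_file_offset(pe: bytes, va: int) -> int:
    """The conversion W32Dasm shows as '@Offset xxxxxxxxh': find the section
    that contains the RVA and map it onto the section's raw file position."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    image_base = struct.unpack_from("<I", pe, opt + 0x1C)[0]
    rva = va - image_base
    for i in range(nsect):
        hdr = opt + opt_size + i * 40
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, hdr + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            if rva - vaddr >= rawsize:
                raise ValueError(f"{va:#x} has no bytes on disk (uninitialised data)")
            return rawptr + (rva - vaddr)
    raise ValueError(f"{va:#x} is outside every section")


def patch(pe: bytes, va: int, expected: bytes, replacement: bytes) -> bytes:
    """Hiew's F3/F9 with a safety net: refuse unless the bytes on disk are the
    ones the disassembly showed, and never change the size of the code."""
    if len(expected) != len(replacement):
        raise ValueError("replacement must be the same length as the original")
    off = va_to_file_offset(pe, va)
    found = pe[off:off + len(expected)]
    if found != expected:
        raise ValueError(f"expected {expected.hex()} at offset {off:#x}, found {found.hex()}")
    return pe[:off] + replacement + pe[off + len(replacement):]


def nop_jump(pe: bytes, va: int) -> bytes:
    """NOP a conditional jump (short or near) so execution always falls through."""
    off = va_to_file_offset(pe, va)
    if pe[off] in SHORT_JCC:
        size = 2
    elif pe[off] == 0x0F and pe[off + 1] in NEAR_JCC:
        size = 6
    else:
        raise ValueError(f"no conditional jump at {va:#x}")
    return patch(pe, va, pe[off:off + size], b"\x90" * size)


def force_jump(pe: bytes, va: int) -> bytes:
    """Task 11's trick: Jcc rel8 (7x xx) becomes JMP rel8 (EB xx).  The
    displacement byte is kept, so the jump still lands on the same target."""
    off = va_to_file_offset(pe, va)
    if pe[off] not in SHORT_JCC:
        raise ValueError(f"no short conditional jump at {va:#x}")
    return patch(pe, va, pe[off:off + 2], bytes([0xEB, pe[off + 1]]))


if __name__ == "__main__":
    image = build_sample_pe()
    off = va_to_file_offset(image, 0x401114)
    print(f"00401114 is @Offset {off:08X}h, bytes {image[off:off + 2].hex()}")
    print("after NOP:", nop_jump(image, 0x401114)[off:off + 2].hex())
    print("as JMP:   ", force_jump(image, 0x401114)[off:off + 2].hex())
```

The expected-bytes check is the part worth keeping even when you patch by hand: if you type the listing address into Hiew instead of the @Offset value, or the file is not the build the disassembly came from, the bytes will not be 7518 and the patch is refused instead of silently corrupting an unrelated instruction.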
Tasks
Task1 <-- Crackme1
Task2 <-- Crackme1a
Task3 <-- Crackme1c
Task4 <-- Crackme2
Task5 <-- Crackme2a
Task6 <-- Crackme2a1
Task7 <-- Crackme3
Task8 <-- Crackme4
Task9 <-- Crackme4a
Task10 <-- Crackme5
Task11 <-- Crackme6
The Process |
Task1
Protection
One single serial, NOT encrypted ;)
Process
I opened crackme.exe in W32Dasm and under "String Data References" found the string
"Congrats":
* Reference To: cw3220._atol, Ord:0000h
|
:00401109 E8D4030000 Call 004014E2
:0040110E 59 pop ecx
<-- _atol converted the text you typed; EAX = your serial as a number
:0040110F 3DA93E0F00 cmp eax, 000F3EA9
<-- 0F3EA9h = 999081 decimal
:00401114 7518 jne 0040112E
<-- if EAX is not 999081, jump over the good message to the bad one;
otherwise fall through into the good message
:00401116 6800100000 push 00001000
* Possible StringData Ref from Data Obj ->"Congrats"
|
:0040111B 68F2204000 push 004020F2
<-- the good-message branch
* Possible StringData Ref from Data Obj ->"Well done, You cracked this -EASY-
"
->"crackme"
|
:00401120 68C7204000 push 004020C7
:00401125 6A00 push 00000000
* Reference To: USER32.MessageBoxA, Ord:0000h
|
:00401127 E8E6030000 Call 00401512
<-- creates the good message box
:0040112C EB16 jmp 00401144
Well, just run crackme.exe and enter 999081 and you get the good message box :)
Or NOP the jump at 00401114 and ALL CODES ARE GOOD!!
JNE means Jump If Not Equal
Task2
Protection
One single serial, encrypted
Process
I opened crackme1.exe in W32Dasm and under "String Data References" found the string
"Well Done":
:004010A8 83C258 add edx, 00000058
:004010AB 83C1A9 add ecx, FFFFFFA9
:004010AE 3BD1 cmp edx, ecx
<-- EDX holds the correct code and ECX your code, each adjusted once
(add 58h to EDX, subtract 57h from ECX) before they are compared
:004010B0 7518 jne 004010CA
<-- if they are not equal, jump to the bad boy
:004010B2 6800100000 push 00001000
* Possible StringData Ref from Data Obj ->"Well Done"
|
:004010B7 68AB204000 push 004020AB
* Possible StringData Ref from Data Obj ->"Congratulations. You successfully
"
->"cracked this program"
|
:004010BC 6874204000 push 00402074
:004010C1 6A00 push 00000000
* Reference To: USER32.MessageBoxA, Ord:0000h
|
:004010C3 E872040000 Call 0040153A
<-- Call the Good messagebox
:004010C8 EB16 jmp 004010E0
*
*
*
* Possible StringData Ref from Data Obj ->"Bad luck. You have failed to crack
"
->"this program"
|
:004010D4 68B5204000 push 004020B5
:004010D9 6A00 push 00000000
* Reference To: USER32.MessageBoxA, Ord:0000h
|
:004010DB E85A040000 Call 0040153A
<-- Call the bad messagebox
Well, NOP the jump at 004010B0 and voilà, the bad
message box is replaced with the good one ;)
JNE means Jump If Not Equal
Task3
Protection
One single serial, encrypted
Process
I opened n0p3x.exe (the Crackme1c file) in W32Dasm and under "String Data References"
found the string "Crackme 1-C":
* Reference To: USER32.SendMessageA, Ord:0000h
|
:0040130E E80B010000 Call 0040141E
:00401313 B8A6214000 mov eax, 004021A6
:00401318 33DB xor ebx, ebx
:0040131A 33D2 xor edx, edx
:0040131C 803DA621400000 cmp byte ptr [004021A6], 00
:00401323 0F847D000000 je 004013A6
<-- if the first byte of the input is 0 (nothing typed), go to the bad message box
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401334(C)
|
:00401329 8A18 mov bl, byte ptr [eax]
:0040132B C1C308 rol ebx, 08
:0040132E 03D3 add edx, ebx
:00401330 40 inc eax
:00401331 803800 cmp byte ptr [eax], 00
:00401334 75F3 jne 00401329
<-- loop back while the next byte is not the terminating 0; this is the loop's
back-edge, not a check, so leave it alone
:00401336 8915D9214000 mov dword ptr [004021D9], edx
:0040133C 68A00F0000 push 00000FA0
* Reference To: KERNEL32.Sleep, Ord:0000h
|
:00401341 E8A2000000 Call 004013E8
:00401346 803DD921400038 cmp byte ptr [004021D9], 38
:0040134D 7557 jne 004013A6
<-- 38h = '8': first byte of the dword just stored; bad message box if it differs
:0040134F 803DDA21400044 cmp byte ptr [004021DA], 44
:00401356 754E jne 004013A6
<-- 44h = 'D'
:00401358 803DDB21400043 cmp byte ptr [004021DB], 43
:0040135F 7545 jne 004013A6
<-- 43h = 'C'
:00401361 803DDC21400041 cmp byte ptr [004021DC], 41
:00401368 753C jne 004013A6
<-- 41h = 'A': last byte of the stored dword
:0040136A 803DDD21400046 cmp byte ptr [004021DD], 46
:00401371 7533 jne 004013A6
<-- 46h = 'F': from here on the bytes compared lie past the stored dword
:00401373 803DDE21400033 cmp byte ptr [004021DE], 33
:0040137A 752A jne 004013A6
<-- 33h = '3'
:0040137C 803DDF21400036 cmp byte ptr [004021DF], 36
:00401383 7521 jne 004013A6
<-- 36h = '6'
:00401385 803DE021400038 cmp byte ptr [004021E0], 38
:0040138C 7518 jne 004013A6
<-- 38h = '8'; every one of these JNEs goes to the bad message box at 004013A6
:0040138E 6800100000 push 00001000
* Possible StringData Ref from Data Obj ->"Crackme 1-C"
|
:00401393 6800204000 push 00402000
This crackme was made rather hard for the crackers, but I managed to patch it ;) All I did was NOP all the JNEs and JEs that go to 004013A6, which is where the bad message box is. BTW, JNE means Jump If Not Equal and JE means Jump If Equal. Note what the listing shows: the loop sums rol(ebx,8) over the input into EDX, and only that one dword is stored at 004021D9, yet eight bytes (004021D9 to 004021E0, the ASCII of "8DCAF368") are compared. Nothing in the code shown writes the last four of them, which is why patching, not a computed serial, is the way through this one.
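The loop at 00401329..00401334 as Python, an added example (not n0p3x's code nor the tutorial's) that emulates the listed instructions with 32-bit register semantics, so you can see exactly what the crackme stores at 004021D9h for a given input. EXPECTED is read straight off the eight compares; the four bytes past the stored dword, which the listed routine never writes, are modelled as a caller-supplied `tail` and assumed zero by default, which is an assumption, not something the listing shows.

```python
MASK32 = 0xFFFFFFFF


def rol32(value: int, count: int) -> int:
    """x86 ROL on a 32-bit register."""
    count %= 32
    return ((value << count) | (value >> (32 - count))) & MASK32


def n0p3x_hash(serial: bytes) -> int:
    """Emulates 00401329..00401334 of Crackme1c.  ebx and edx start at 0 (the
    two XORs before the loop); each round loads one byte into bl, rotates all
    of ebx left by 8 and adds it to edx.  ebx is never cleared between rounds,
    so every step also shifts the earlier characters up one byte."""
    if not serial:
        # cmp byte ptr [004021A6],0 / je 004013A6: empty input is the bad path
        raise ValueError("empty input goes straight to the bad message box")
    ebx = edx = 0
    for ch in serial:
        ebx = (ebx & 0xFFFFFF00) | ch        # mov bl, byte ptr [eax]
        ebx = rol32(ebx, 8)                  # rol ebx, 08
        edx = (edx + ebx) & MASK32           # add edx, ebx
    return edx                               # mov dword ptr [004021D9], edx


# The eight single-byte compares at 00401346..0040138C, in memory order
# 004021D9 .. 004021E0.  Their immediates are the ASCII codes of "8DCAF368".
EXPECTED = bytes([0x38, 0x44, 0x43, 0x41, 0x46, 0x33, 0x36, 0x38])


def stored_dword() -> int:
    """Only four bytes are ever written at 004021D9, so at most the first four
    compares can see the hash: as a little-endian dword that is "8DCA"."""
    return int.from_bytes(EXPECTED[:4], "little")      # 0x41434438


def check_visible(serial: bytes, tail: bytes = b"\0\0\0\0") -> bool:
    """The decision the listed code makes.  `tail` stands for whatever happens
    to sit at 004021DD..004021E0; zero is an assumption, the listing does not
    say what is there."""
    mem = n0p3x_hash(serial).to_bytes(4, "little") + tail
    return mem == EXPECTED


if __name__ == "__main__":
    for s in (b"A", b"AB", b"ABC", b"n0p3x"):
        print(f"{s!r:10} edx = {n0p3x_hash(s):08X}h  passes: {check_visible(s)}")
    print(f"first four compares want edx = {stored_dword():08X}h")
```

The emulation is the reusable part: once the loop is in Python you can test candidate serials against the stored dword without running the crackme (and without sitting through its Sleep of 0FA0h = 4 seconds), which is the first step of serial fishing this tutorial says it will return to.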
Task4
Protection
One NAG at startup, and Name/Serial
Process
I opened Crackme.exe (the Crackme2 file) in W32Dasm and under "String Data References"
found the string "Nag Nag Nag!":
* Possible StringData Ref from Data Obj ->"Nag Nag Nag!"
|
:004011B6 688C214000 push 0040218C
<-- the arguments for the NAG's MessageBoxA start here
Just NOP the NAG call and the NAG is gone ;) MessageBoxA is stdcall, so the callee
removes its four arguments; if you NOP only the call you leave four dwords on the
stack. NOP the four pushes together with the call, or jump over the whole block.
Then, in the same "String Data References" list, I found the string "Yeah":
* Reference To: KERNEL32.lstrcmpA, Ord:0000h
|
:004010B1 E8C0040000 Call 00401576
:004010B6 85C0 test eax, eax
:004010B8 7518 jne 004010D2
<-- Jump to the Bad code if not equal
:004010BA 6800100000 push 00001000
* Possible StringData Ref from Data Obj ->"Yeah!"
|
:004010BF 68B3204000 push 004020B3
* Possible StringData Ref from Data Obj ->"Well Done, maybe you can work "
<-- Good Code Start ;)
->"out the algorithm aswell?"
|
:004010C4 687B204000 push 0040207B
:004010C9 6A00 push 00000000
Just NOP the JNE at 004010B8 and you can enter any name and code you want; the
crackme now accepts whatever you type :) lstrcmpA returns 0 when the two strings are
equal, which is what the test eax,eax / jne pair checks.
JNE means Jump If Not Equal
Task5
Protection
A NAG
Process
I won't lie to you: I am a newbie and don't have one bloody clue how to remove this NAG.
When I know, I will update this text. Sorry.
Task6
Protection
Well, this NAG is incredibly well protected. As you can see, n0p3x is good at ASM, so
I will skip this task for now.
Task7
Protection
This crackme has a keyfile protection, which means I have to create a file containing
my password; the crackme reads the file and compares its contents.
Process
Now I have blood on my hands and will try my best with the other crackmes. Let's go on.
I opened Crackme3.exe in W32Dasm and under "String Data References" found the string
"KeyFile.dat":
* Possible StringData Ref from Data Obj ->"KeyFile.dat"
|
:00401097 6881204000 push 00402081
* Reference To: cw3220._open, Ord:0000h
|
:0040109C E857040000 Call 004014F8
:004010A1 83C408 add esp, 00000008
:004010A4 8BD8 mov ebx, eax
:004010A6 40 inc eax
:004010A7 7433 je 004010DC
<-- _open returns -1 on failure; inc eax turns that into 0, so this JE goes to the
bad code if KeyFile.dat could not be opened
:004010A9 6A0B push 0000000B
:004010AB 8D55F4 lea edx, dword ptr [ebp-0C]
:004010AE 52 push edx
:004010AF 53 push ebx
* Reference To: cw3220._read, Ord:0000h
|
:004010B0 E831040000 Call 004014E6
:004010B5 83C40C add esp, 0000000C
:004010B8 8BF8 mov edi, eax
:004010BA 40 inc eax
:004010BB 741F je 004010DC
<-- the same idiom for _read (0Bh = 11 bytes into the buffer at ebp-0C): jump to the
bad code if the read returned -1
* Possible StringData Ref from Data Obj ->"n0p3x in 99"
|
:004010BD 688D204000 push 0040208D
:004010C2 8D55F4 lea edx, dword ptr [ebp-0C]
:004010C5 52 push edx
* Reference To: KERNEL32.lstrcmpA, Ord:0000h
|
:004010C6 E851040000 Call 0040151C
:004010CB 85C0 test eax, eax
:004010CD 750D jne 004010DC
<-- lstrcmpA returns 0 on a match; jump to the bad code if the file contents differ
from "n0p3x in 99"
* Possible StringData Ref from Data Obj ->"Registered"
<-- Here starts the good code
|
:004010CF 6899204000 push 00402099
What I did here was NOP all three jumps, and the crackme is patched. You can also see
the answer in the listing: 11 bytes are read from KeyFile.dat and compared with the
11-character string "n0p3x in 99", so a KeyFile.dat holding exactly that text should
pass without a patch (provided the byte after the buffer is zero, which the listing
does not show).
JE means Jump If Equal
JNE means Jump If Not Equal
Task8
Protection
This crackme has to be run from a CD to be registered, and we don't have that CD.
Process
I opened Crackme4.exe in W32Dasm and under "String Data References" found the string
"Well Done":
* Reference To: KERNEL32.GetDriveTypeA, Ord:0000h
|
:00401085 E876040000 Call 00401500
:0040108A 83F805 cmp eax, 00000005
<-- GetDriveTypeA returns 5 (DRIVE_CDROM) when the program runs from a CD-ROM drive
:0040108D 7526 jne 004010B5
<-- not 5: jump to the bad code
:0040108F 6800100000 push 00001000
* Possible StringData Ref from Data Obj ->"Well Done"
<-- The Good Code ;)
|
:00401094 6898204000 push 00402098
* Possible StringData Ref from Data Obj ->"This program is being run from "
->"a CD"
|
:00401099 6874204000 push 00402074
:0040109E 6A00 push 00000000
I NOPped the jump at 0040108D and the CD check is gone :)
Task9
Protection
The same CD check as Task8 (Crackme4a), with junk instructions around the comparison.
Process
The same search in Crackme4a.exe leads to this code:
* Reference To: KERNEL32.GetDriveTypeA, Ord:0000h
|
:00401087 E884040000 Call 00401510
:0040108C 8BC8 mov ecx, eax
:0040108E BBAE3E0F00 mov ebx, 000F3EAE
:00401093 90 nop
:00401094 40 inc eax
:00401095 42 inc edx
:00401096 47 inc edi
:00401097 90 nop
:00401098 48 dec eax
:00401099 4A dec edx
:0040109A 4F dec edi
:0040109B 90 nop
:0040109C 3BD9 cmp ebx, ecx
<-- compares the drive type (copied to ECX) with 000F3EAEh; the INC/DEC pairs and
NOPs in between cancel out and are there only to confuse
:0040109E 7525 jne 004010C5
<-- if not equal, jump to the bad code; otherwise go on to the good code
:004010A0 6800100000 push 00001000
* Possible StringData Ref from Data Obj ->"Well Done"
<-- The Good Code ;)
|
:004010A5 6898204000 push 00402098
I NOPped the jump and the CD check is OK :) Note that in the code shown EBX is loaded
with 000F3EAEh, and GetDriveTypeA only returns small codes (0 to 6, with 5 meaning
CD-ROM), so the comparison as listed can never be true even with a CD in the drive;
NOPping the jump (or changing the immediate to 5) is the only way past it.
JNE means Jump If Not Equal
Task10
Protection
Finally a date check to patch ;)
Process
I opened the Crackme5 executable in W32Dasm and under "String Data References" found
the string "Within Demonstration Time":
* Reference To: cw3220._getdate, Ord:0000h
|
:0040108A E83F040000 Call 004014CE
:0040108F 59 pop ecx
:00401090 817DF8CD070000 cmp dword ptr [ebp-08], 000007CD
<-- 7CDh = 1997 decimal: compares the year _getdate stored in its struct date at
[ebp-08] with 1997
:00401097 7F0F jg 004010A8
<-- jump (to the expired message) if the year is greater than 1997; otherwise fall
through into the good code
* Possible StringData Ref from Data Obj ->"Within Demonstration Time"
<-- The Good Code
|
:00401099 6874204000 push 00402074
Just NOP the jump and everything is cool ;)
JG means Jump If Greater
Task11
Protection
Anti-SoftIce
Process
This crackme was a bit tricky; I had to change an instruction, and I was NOPping all the
calls and jumps I could find. So I hope I have learned something from this crackme.
I opened Crackme6.exe in W32Dasm and under "String Data References" found the string
"Note":
* Reference To: USER32.SetDlgItemTextA, Ord:0000h
|
:004010F5 E89E040000 Call 00401598
:004010FA E87DFFFFFF call 0040107C
:004010FF 85C0 test eax, eax
<-- call 0040107C is the SoftICE detection routine; its result comes back in EAX
:00401101 7419 je 0040111C
<-- zero means not found: jump to the good code; otherwise fall into the
"SoftICE has been detected" message box
:00401103 6800100000 push 00001000
* Possible StringData Ref from Data Obj ->"Note"
<-- the Bad messagebox
|
:00401108 68EA204000 push 004020EA
* Possible StringData Ref from Data Obj ->"SoftICE has been detected. Please
"
->"remove SoftICE before running "
->"this software"
|
:0040110D 689C204000 push 0040209C
:00401112 6A00 push 00000000
Just change the JE at 00401101 to a JMP: the opcode byte 74 becomes EB and the
displacement 19 stays as it is, so the patched jump still lands at 0040111C. The
detection routine at 0040107C still runs; only its result is ignored now.
JE means Jump If Equal
JMP means Jump
Ending |
Well, now I'm finally finished. I won't write any more code reverse engineering texts for
some weeks now, because I want to work on my C lessons and that NAG lesson for
Hellforge.
And as you can see, I am using a lot of code. Well, I can't explain all of it because
I'm not so good yet, but this essay will be updated in about 6 months when I am somewhat
more skilled ;) and then I will try serial fishing in SoftIce.
BTW, I have started on an ASM book, Turbo TASM 2.0 :) All I need now is the motivation
to read it.
Greetings fly to; |
LaZaRuS, Wajid, Borna Janes, ManKind, Eddie Van Camper, ACiD BuRN, KoRnFLeX, Eternal_Bliss, Potsmoke and all the others I have forgotten