Acid_Cool_178
presents his

#15  Tutorial


For Hellforge

This text is only meant for educational purposes and is not to be used illegally. I take no responsibility for illegal use of this text. Move on at your own risk.

Author Information
E-mail: acid_cool_178@hotmail.com
Age: 17
Web Page: http://acidcool.cjb.net/
Date: February 2K
Member in: Hellforge, Flying Horse Cracking Force
Group Web Pages: Hellforge (Login), FHCF (Login)


Program Information
Name: koRnFLeX Crackme (crkme2)
      koRnFLeX VB6 Crackme #1 (kornflex - vbccrackme1)
Author: koRnFLeX
Where to Download: KoRnFLeX
Size: 20KB
Tools used: W32Dasm with SDR Patch enabled
            Hiew
Download At:
1. Player Tools
2. Programmer Tools
What kind of a program: Crackme / Shareware
Skill: Easy / Not so easy / Hard / X-pert


Before we start

Task1    <--  Patching koRnFLeX Crackme
Task1.1  <--  Serial Sniffing
Task2    <--  Cracking koRnFLeX VB6 Crackme #1
Task2.1  <--  Serial Fishing

NOP means No OPeration and is 90 in hex
You can go in and out of SoftICE by pressing CTRL+D

Information about the Protection I

Task1
Name and Serial to type in. Takes one part of the Name, generates a serial from it and compares it with the one you typed in

Task2
Looks like one coded serial

The Process

Task1
Process
Fire up the Crackme in W32Dasm, go to Refs-->String Data References and select "good job mother fucker"
Now you can see this code:

* Reference To: MSVBVM60.__vbaStrCmp, Ord:0000h
|
:00401F21 FF154C104000   Call dword ptr [0040104C]
:00401F27 85C0           test eax, eax                  <-- Testing Serial
:00401F29 B904000280     mov ecx, 80020004
:00401F2E B80A000000     mov eax, 0000000A
:00401F33 894D9C         mov dword ptr [ebp-64], ecx
:00401F36 894594         mov dword ptr [ebp-6C], eax
:00401F39 894DAC         mov dword ptr [ebp-54], ecx
:00401F3C 8945A4         mov dword ptr [ebp-5C], eax
:00401F3F 894DBC         mov dword ptr [ebp-44], ecx
:00401F42 8945B4         mov dword ptr [ebp-4C], eax
:00401F45 7543           jne 00401F8A                   <-- If correct serial then move on, else jump to bad messagebox
:00401F47 8D5584         lea edx, dword ptr [ebp-7C]
:00401F4A 8D4DC4         lea ecx, dword ptr [ebp-3C]

* Possible StringData Ref from Code Obj ->"good job mother fucker"   <-- You land here
|
:00401F4D C7458C901B4000 mov [ebp-74], 00401B90
:00401F54 C7458408000000 mov [ebp-7C], 00000008

What we have to do here is NOP the JNE to hell: mark the line in W32Dasm, and in W32Dasm's status bar you can see the file offset. Note it down.
Open the crackme in Hiew and press Enter twice so you are in "Decode Mode"
Press F5 (Goto) and enter the offset.
Press F3 (Edit) and change 7543 to 9090
Update the file (F9) and exit Hiew (F10 or Esc)

Run the crackme and all serials are accepted :)

Task1.1
Process
:00401F21 FF154C104000   Call dword ptr [0040104C]      <-- Serial generated
:00401F27 85C0           test eax, eax                  <-- Serial tested against the fake one
We have to trace that call to see what it's doing.

Fire up the crackme and type in your Name and Serial
I wrote
Name: Acid_Cool_178
Serial: 2951

Then go into SoftICE, put a bpx on hmemcpy, exit SoftICE and click on the "Check" button
And *BOOM* you're in SoftICE
 
Now press F11 once and F12 six times. Let's try to go to the call location, enter "G 401F21" [ENTER]
And what the fuck, you're back in the beginning.
Press F11 once and F12 six times and let's take another try to get to the call. Type "G 401F21" [ENTER]
And you are now standing at :00401F21 FF154C104000 Call dword ptr [0040104C]
Trace into the call by pressing T or F8
Now press F10 twice and do a "D EDX"; in the code window you can see your code and the messagebox that will appear when you have the correct serial. For me the code was @.b.h.c.^.B.n.n.k.^.0.6.7 but this is wrong, Visual Basic uses some strange string format so the real serial is @bhc^Bnnk^067
So just replace 2951 with @bhc^Bnnk^067 and the program is registered :)

Task2
Process
Open up the crackme in W32Dasm, go to "String Data References" and double-click on the string "good job cracker!"
and now you can see the code

:00401CD7 894DC4         mov dword ptr [ebp-3C], ecx
:00401CDA 8945BC         mov dword ptr [ebp-44], eax
:00401CDD 7543           jne 00401D22                   <-- If correct serial then good msg box, else jump to bad msg box
:00401CDF 8D558C         lea edx, dword ptr [ebp-74]
:00401CE2 8D4DCC         lea ecx, dword ptr [ebp-34]

* Possible StringData Ref from Code Obj ->"good job cracker!"
|
:00401CE5 C74594601A4000 mov [ebp-6C], 00401A60        <-- You land here / the start of the good code
:00401CEC C7458C08000000 mov [ebp-74], 00000008

In W32Dasm, scroll up to 00401CDD; in W32Dasm's status bar you can see the offset, note it down.
Open the crackme in Hiew and go to (F5) the offset you wrote down, and now you are standing at
:00401CDD 7543           jne 00401D22
change the bytes 7543 to 9090 by editing (F3), so the line becomes
:00401CDD 9090           nop / nop
Update the file (F9) and exit (F10 or Esc)

and enter any dummy serial you want, it's OK :)

Or else scroll up to this

* Possible StringData Ref from Code Obj ->"12-21-34-43"         <-- ???
|
:00401CA3 BA441A4000 mov edx, 00401A44
:00401CA8 8D4DE8 lea ecx, dword ptr [ebp-18]

Try to enter 12-21-34-43 as a serial and it's registered :)

THAT  WAS EASY!!

Task2.1
Process

Fire up the crackme and enter any dummy serial you want.
The goal is to get to the call at 00401CB9, and that's easy
Press CTRL+D and type BPX HMEMCPY [ENTER] and CTRL+D again
What you have done now is set a breakpoint at hmemcpy, and I don't know exactly what it is. Read my Ending :) I have asked about it in the #C4N chan
Now let's continue
Press the "check" button and you will now be standing in SoftICE code. Fuck!!
ehrm, it's not Fuck but YES!!
Press F11 once and F12 six times and now you will be in the good code.
Let's try to go to the call by entering "G 401CB9" [ENTER]
And now you are standing at the call; trace into it by pressing F8 and then F10 twice. Do a "D EDX" and you can see this in the code window: . 1.2.-.2.1.-.3.4.-.4.3.
Everybody knows that Visual Basic uses some strange string format, so the real code is 12-21-34-43 :)
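The "strange string format" seen in Task1.1 and Task2.1 is a VB6 BSTR: UTF-16LE text with a byte-length prefix, so every ASCII character is followed by a 00 byte, which the debugger's dump shows as a dot. The Python below is an added example (not part of the tutorial) that builds such a string in memory, renders it the way the dump does, and decodes it; the sample string and the offset standing in for EDX are constructed here.

```python
import struct


def make_bstr(text: str) -> bytes:
    """Constructed sample of a VB6 BSTR as it sits in memory: a 4-byte
    byte-length prefix, UTF-16LE characters, then a 2-byte NUL terminator.
    EDX in the tutorial points at the first character, not the prefix."""
    chars = text.encode("utf-16-le")
    return struct.pack("<I", len(chars)) + chars + b"\x00\x00"


def bstr_decode(buf: bytes, offset: int) -> str:
    """Decode the BSTR whose character data starts at buf[offset] (the
    address EDX held). Reads 2-byte units and stops at the first UTF-16
    NUL, or at the end of the buffer if no terminator is present."""
    chars = bytearray()
    pos = offset
    while pos + 1 < len(buf):
        unit = buf[pos:pos + 2]
        if unit == b"\x00\x00":
            break
        chars += unit
        pos += 2
    return chars.decode("utf-16-le")


def bstr_byte_length(buf: bytes, offset: int) -> int:
    """Read the byte-length prefix stored 4 bytes before the characters."""
    return struct.unpack_from("<I", buf, offset - 4)[0]


def render_ascii_column(data: bytes) -> str:
    """Mimic the ASCII column of a debugger memory dump: printable bytes
    as themselves, everything else (the 00 high byte of each UTF-16
    character) as '.'. This is where the '@.b.h.c...' look comes from."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)


# Constructed sample using the serial from Task1.1; CHARS_AT plays EDX.
SAMPLE = make_bstr("@bhc^Bnnk^067")
CHARS_AT = 4

if __name__ == "__main__":
    print(render_ascii_column(SAMPLE[CHARS_AT:]))  # @.b.h.c.^.B.n.n.k.^.0.6.7...
    print(bstr_byte_length(SAMPLE, CHARS_AT))      # 26
    print(bstr_decode(SAMPLE, CHARS_AT))           # @bhc^Bnnk^067
```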

And that's the end of my Tutorial

Ending

What is hmemcpy?
Answers:
[ManKind]        <-- IRC
<[AC_178]> how will you explain box hmemcpy ?
<[ManKind]> hmm
<[ManKind]> i can't explain in detail
<[ManKind]> it breaks whenever a text is copied into memory
<[ManKind]> for more info, read tornado's cracker's notes

[E_Bliss]        <-- IRC
<[AC_178]> hi there. i have one question. :How will you explain BPX Hmemcpy ?
<[E_Bliss]> hmmm... explain?
<[AC_178]> yes, try
<[AC_178]> in one string
<[E_Bliss]> It's a window API that is used to copy a string into memory
<[E_Bliss]> ?
<[AC_178]> thats good enough
<[AC_178]> will use it in my tut, soon finished with it.

Volatility:        <-- found in the Cracker's Notes

HMEMCPY is a Windows API call, which uses memory (RAM) to read, manipulate, compare and store strings (text you've entered into a program). The function takes the information you've entered (such as name and serial number in a registration screen) and puts them into memory. The function then proceeds to manipulate these strings, by moving and comparing them (for example, comparing the serial number you entered to the correct one), and then decides whether your string is correct or incorrect. The function then sends this information back to the application, and you proceed as good guy, or bad guy.

Information about the Protection II

Task1
This crackme takes the name and generates a code from it; it compares the generated code with the entered code.
Acid_Cool_178 = @bhc^Bnnk^067
@bhc^Bnnk^067 compared to 2951 will give a false result

Task2
This crackme has one hard-coded serial, not so hard to find. It was really easy :)

Greetings

LaZaRuS, Wajid, Borna Janes, ManKind, Eddie Van Camper, ACiD BuRN, KoRnFLeX, Eternal_Bliss, Potsmoke, DiABLO, Torn@do, ^AlX^ and all the others I have forgotten