Acid_Cool_178 presents his #23 Tutorial for Hellforge
This text is only meant for educational purposes and is not to be used illegally. I take no responsibility for illegal use of this text. Move on at your own risk.
Author Information
E-mail: acid_cool_178@hotmail.com
Age: 17
Web Page: http://acidcool.cjb.net/
Date: February 2K
Member in: Hellforge | Flying Horse Cracking Force
Groups' Web Pages: Hellforge Login | FHCF Login
Program Information
Name: Tryme2 (tryme2.exe)
Author: Gandalf
Where to Download: The Crackmes Webpage and Genocide Crew - Cracking Page
Size: 108 KB (only the EXE file)
Tools used: Hex Editor (I use UltraEdit V7.00A), ProcDump, W32Dasm, Hiew, SoftICE
Download at: 1. Player Tools, 2. Programmer Tools
What kind of program: Crackme | Shareware
Skill: Easy | Not so easy | Hard | X-pert
Information about the Protection I
This protection has only one unlock code, with no name field or anything like that.
Before we start
NOP means No OPeration and is 90 in hex.
The Process
Open tryme2.exe in a hex editor and somewhere you can see "UPX"; that means the
crackme is packed with UPX.
Now fire up ProcDump, select Unpack-->UPX and follow the instructions.
I saved my file as tryme2_unpacked.exe and the file was 309 KB big.
Open the unpacked file in W32Dasm; in "String Data References" you can find
the string "Success!". Double click on that string and you will land here:
* Possible StringData Ref from Data Obj ->"Success!"      <-- The caption of the message box
|
:004014C3 680F144300   push 0043140F       <-- You land here. Here the "Success!" string is born :)
* Possible StringData Ref from Data Obj ->"Good work!"    <-- The text on the message box
|
:004014C8 6804144300   push 00431404       <-- Properties for the string
:004014CD 6A00         push 00000000
Scroll up a bit and you can see this code:
:00401473 E80CDC0000   call 0040F084       <-- The real code is generated here
:00401478 59           pop ecx
:00401479 84C9         test cl, cl         <-- Testing the codes
:0040147B 7412         je 0040148F         <-- If the code is wrong, jump to the bad message box; otherwise move on to the good one
Solution 1
Now I will patch the crackme so that I can enter any dummy serial I want.
Scroll up to the jump; in W32Dasm's status bar you can see @Offset 00000A7B. That
means that location 40147B has file offset A7B, which is good to know.
Open the unpacked crackme in W32Dasm and press Enter until you can see ASM code (press it 2
times). In Hiew you can read a file in Text, Hex and Decode mode only. We are using
Decode.
Goto (F5): now you must type in the offset of the jump. You can try to enter the location
(the address), but that won't work. I have tried that many times already :)
Edit the code and change the original bytes to 90.
Before: 0040147B 7412   je 0040148F
After:  0040147B 9090   nop / nop
and now you have NOP'ed the jump.
Update the file by pressing F9 and exit by pressing F10 or Escape.
Run tryme2 and enter any dummy serial you want: it's a Success!
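A worked example, added here and not part of the original tutorial: a small Python script that reads the PE section table behind two of the steps above. The "UPX" text seen in the hex editor is UPX's own section names, and W32Dasm's @Offset value is the virtual address translated through the section that contains it. The PE images and their section geometry are constructed for the demo (not tryme2.exe) and are an assumption chosen so that the unpacked layout reproduces 0040147B -> @Offset A7B.

```python
import struct

IMAGE_BASE = 0x400000           # default load address of a 32-bit Windows EXE
SECTION_FMT = "<8sIIIIIIHHI"    # IMAGE_SECTION_HEADER, 40 bytes

def build_pe(sections):
    """Build a minimal PE header (DOS stub, PE signature, COFF header, empty
    optional header, section table). Constructed test data, not tryme2.exe."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table = b"".join(struct.pack(SECTION_FMT, name, vsize, va, rawsize, raw,
                                 0, 0, 0, 0, 0x60000020)
                     for name, vsize, va, rawsize, raw in sections)
    return bytes(dos) + b"PE\0\0" + coff + table

def parse_sections(data):
    """Return [(name, virtual_address, virtual_size, raw_offset, raw_size)]."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    pos, out = e_lfanew + 24 + opt_size, []
    for _ in range(nsec):
        f = struct.unpack_from(SECTION_FMT, data, pos)
        out.append((f[0].rstrip(b"\0").decode("ascii", "replace"),
                    f[2], f[1], f[4], f[3]))
        pos += struct.calcsize(SECTION_FMT)
    return out

def looks_upx_packed(sections):
    """The 'UPX' the tutorial spots in the hex editor: UPX names its sections."""
    return any(name.startswith("UPX") for name, *_ in sections)

def va_to_file_offset(va, sections, image_base=IMAGE_BASE):
    """Map a disassembler address to its raw file offset (W32Dasm's @Offset,
    the value Hiew's Goto expects) via the section the RVA falls into."""
    rva = va - image_base
    for _name, sec_va, vsize, raw, rawsize in sections:
        if sec_va <= rva < sec_va + max(vsize, rawsize):
            return rva - sec_va + raw
    raise ValueError(f"VA {va:#x} is not inside any section")

# Constructed images. The section geometry is an assumption chosen so that
# the unpacked layout reproduces the tutorial's 0040147B -> @Offset A7B.
PACKED = build_pe([(b"UPX0", 0x20000, 0x1000, 0, 0x400),
                   (b"UPX1", 0xB000, 0x21000, 0xA800, 0x400),
                   (b".rsrc", 0x1000, 0x2C000, 0xE00, 0xAC00)])
UNPACKED = build_pe([(b"CODE", 0x30000, 0x1000, 0x30000, 0x600)])
```

Calling va_to_file_offset(0x40147B, parse_sections(UNPACKED)) gives 0xA7B, the offset the tutorial reads from W32Dasm's status bar.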
Solution 2
Now I will try to get the real code by serial sniffing.
:00401473 E80CDC0000   call 0040F084       <-- The real code is generated here
:00401478 59           pop ecx
:00401479 84C9         test cl, cl         <-- Testing the codes
:0040147B 7412         je 0040148F         <-- If the code is wrong, jump to the bad message box; otherwise move on to the good one
Now we must get to the call in SoftICE, because that's where the code is generated.
I have already traced the call in W32Dasm and there I could see this code:
:0040F084 55 push ebp
:0040F085 8BEC mov ebp, esp
:0040F087 51 push ecx
:0040F088 53 push ebx
:0040F089 56 push esi
:0040F08A 8BF2 mov esi, edx
:0040F08C 8945FC mov dword ptr [ebp-04], eax
:0040F08F 837DFC00 cmp dword ptr [ebp-04], 00000000
:0040F093 7419 je 0040F0AE
:0040F095 8B45FC mov eax, dword ptr [ebp-04]
:0040F098 E8C7230100 call 00421464       <-- One important call
:0040F09D F7C601000000 test esi, 00000001
:0040F0A3 7409 je 0040F0AE
:0040F0A5 FF75FC push [ebp-04]
:0040F0A8 E813FA0100 call 0042EAC0
:0040F0AD 59 pop ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040F093(C), :0040F0A3(C)
|
:0040F0AE 5E pop esi
:0040F0AF 5B pop ebx
:0040F0B0 59 pop ecx
:0040F0B1 5D pop ebp
Run the crackme and don't enter any code yet.
Open SoftICE with CTRL+D, set a breakpoint with BPX HMEMCPY and close
SoftICE by pressing CTRL+D again.
BTW: you can open and close SoftICE by pressing CTRL+D, and in SoftICE
try pressing X [ENTER] and see what happens :)
Now type a 2 in the code field and you will now be in SoftICE :)
Press F11 once.
Press F12 9 times.
Type G 401473 and now you are on the first call.
Trace into the call by pressing F8 or just type T [ENTER].
Step down the code by pressing F10 until you are on the second
important call, then trace into that call too.
And now you can see this code:
:00421464 8B10         mov edx, dword ptr [eax]
:00421466 85D2         test edx, edx       <-- D EDX here and you can see the code; it was 666. Here the real code is also compared to the fake one.
Do a D EDX at 421466 and you can see the code in the code window. I
could see 666.
Clear all breakpoints by entering BC * [ENTER]
and exit SoftICE by pressing CTRL+D.
Type in 666 and the "OK" button is enabled.
Ending
Cool crackme, and I have used ProcDump again. The crew is using UPX a lot, I have
found out.
Since I have read LaZaRuS' tutorial on cracking CiA Trial Crackme 0.99 and how he found
out whether the file was packed or not, cracking was a lot easier.
Information about the Protection II
This protection has one code, and the entered code is compared with this code.
Fake code = every code that does not begin with 666
True code = every code that begins with 666
So you can also type 666FuckOff and it works just fine :)
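An added example in Python (not the tutorial's or the crackme's code) modelling the two observations in Protection II: a converter that stops at the first non-digit without reporting an error makes "666FuckOff" compare equal to 666, and the plain constant 666 is what showed up in EDX. The hardened variant is my own suggestion, and the lenient-parser model is an assumption consistent with the accepted and rejected inputs the tutorial lists.

```python
import hashlib
import hmac

PLAIN_CODE = 666   # what the tutorial reads out of EDX: the code itself sits in the binary

def lenient_parse_int(s):
    """Assumed model of the crackme's converter: take the leading digits and stop
    at the first non-digit without raising an error, so "666FuckOff" yields 666."""
    digits = ""
    for ch in s:
        if not ch.isdigit():
            break
        digits += ch
    return int(digits) if digits else None

def weak_check(entered):
    """The observed behaviour: only the numeric prefix is compared with the code."""
    return lenient_parse_int(entered) == PLAIN_CODE

# Hardened variant (my suggestion, not the crackme's code): embed only a digest,
# so the code itself is never in a register at the compare; require the entire
# string to match; compare in constant time. The digest is computed here for the
# demo, a real build would embed the literal. NOPing the final branch as in
# Solution 1 still bypasses this, which is why a single decision point is weak.
CODE_DIGEST = hashlib.sha256(b"666").hexdigest()

def strict_check(entered):
    """Whole-string, constant-time comparison against the stored digest."""
    digest = hashlib.sha256(entered.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, CODE_DIGEST)
```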
Greetings
LaZaRuS, Wajid, Borna Janes, ManKind, Eddie Van Camper, ACiD BuRN, KoRnFLeX, Eternal_Bliss, Potsmoke, DiABLO, Torn@do, ^AlX^ and all the others I have forgotten