HELLFORGE 2000

Author: Falcon
Target: The+Q crackme 2
Public Release: Sunday, 26 March 2000
Author Contact: falcon_geno@mail.ru
Dedication: Irwin Shaw
Difficulty Level (1..7): 3-4 (HARD)
Tools Required: SoftIce 3.xx

Disclaimer: Please note, the information herein is copyright to Hellforge. No portion of this text may be duplicated. Furthermore, damage or problems arising after reading this text is left to the users disposal. Neither Hellforge, nor its members can be held responsible for any direct or indirect result of following this text. The full liability of following this text is on the reader (YOU). The information is provided for educational purposes, misuse of this information is strictly prohibited. If you do not agree with this agreement, then please hit the "back" button on your browser, and go to hell. - Mercution.

Introduction

Today I want to share the algorithm I worked out for registering this program. But first I want to thank the author again, because it was a real pleasure cracking this crackme. All the calculations below use my name; with this information you can try it with your own.

Some information about the program:
The code consists of two parts: the first generates some numbers from your name, and the second does the main calculations and then checks whether our serial is right. Here we are going to meet some RORs and ROLs, addition and XORing. Preparing a small table will also be necessary; we will speak about it later.

Tutorial

Now, let's try to get an idea of what happens in the first part of the code.

1:- Execute the program and enter my name in the first dialog box.
2:- Enter something as serial too. For now it does not matter what; just enter something. First we will get an idea of what the program does there, and then think about the right code.
3:- Activate SoftIce and set a breakpoint: bpx getdlgitemint.
4:- Return to Windows and press the Ok button. SoftIce reacts…
5:- Press F11 and you should be here:

00401205  MOV  [004021D2], EAX   {The hex equivalent of your serial goes to 004021D2…}
0040120A  CMP  AL, 00            {Compares the AL register with zero. It will be 0 when you enter nothing as serial, or a number like 256, or any number divisible by 256.}
0040120C  JZ   0040134D          {If AL is zero, jump to bad cracker…}
0040120E  NOP
0040120F  NOP
00401210  NOP
00401211  NOP
00401212  CALL 00401375          {First important call…}
00401217  CALL 004013C1          {Second important call…}
0040121C  TEST EAX, EAX          {Test if EAX=0…}
0040121E  JZ   0040134D          {If EAX equals zero, jump to bad cracker…}

There is not much to say about this piece of code. The program checks whether you have entered something as a serial {see the explanation on the line where it compares AL with 0}; if yes, it goes further. Now we are going into the first CALL. There the program generates some numbers that will be used in the second call. Press F8 when you reach that call and you will be here:

00401375  XOR   ECX, ECX              {ECX is set to zero…}
00401377  MOV   ESI, 004021A9         {The address of your name with "01" appended is moved to ESI…}
0040137E  LODSB                       {First char of your name is moved to AL, ESI=ESI+1…}
0040137F  NOT   ECX                   {Inverts all the bits of the value stored in ECX…}
00401381  MOV   BL, [ECX+004021B1]    {Last char of 'Falcon01' is MOVed to BL… BL=31… Next time through this loop the program will take '0' and add it to 'a'. Zero is 30 and 'a' is 61, the sum is 91…}
00401387  NOT   ECX                   {Inverts the bits again, restoring the counter…}
00401389  ADD   AL, BL                {Addition of the name's first char and '1'. AL=AL+BL=77…}
0040138B  STOSB                       {Stores the new byte over your first char. It becomes walcon01. While tracing this loop the program changes the first 4 chars of your name.}
0040138C  INC   CL                    {CL=CL+1… CL is the loop counter…}
0040138E  CMP   CL, 04                {Compares CL with 4. When they are equal the zero flag is set.}
00401391  JNZ   0040137E              {Jump back to LODSB if not equal (zero flag clear)…}
00401393  MOV   ECX, 04               {This was not really necessary, 'coz ECX=4 already. Anyway, 4 is MOVed to ECX…}
00401398  MOV   ESI, 004021A9         {The address where your new name is located is MOVed to ESI…}
0040139D  MOV   EDI, ESI              {EDI=ESI…}
0040139F  ADD   EDI, 04               {EDI=EDI+4…}
004013A2  REPNZ MOVSB                 {This copies the 4 changed chars of your new name right after themselves. You get two identical changed names…}
004013A4  MOV   ESI, 004021A9         {MOVes the address where your new name is to ESI…}
004013A9  MOV   EDI, ESI              {EDI=ESI…}
004013B0  LODSB                       {This time the first new char is moved to AL, ESI=ESI+1…}
004013B1  NOT   ECX                   {Again the same operation that was used before…}
004013B3  MOV   BL, [ECX+004021DF]    {At this address another name is located: 'PhroZenQ'. Its first char is MOVed to BL… BL=50. Now that a new name has been formed with the help of addition, the author takes another name whose chars are going to be XORed with the new name. The loop counter is equal to the length of your new name…}
004013B9  NOT   ECX
004013BB  XOR   AL, BL                {XOR of two numbers. AL=AL xor BL… the result is in AL…}
004013BD  STOSB                       {Instead of 'w', the first new char from the last loop, the program stores another one (the result of the xor). So you get yet another name. These numbers will be used in the next CALL…}
004013BE  LOOP  004013B0              {When you reach this line you can remove the breakpoint and set another one to follow the XORing. This loop XORs every char of your name with 'PhroZenQ'; press F5 to watch it happen…}

Summary after first Call:

The author made this call to get some numbers that are used in the second call. All the numbers obtained here take part in the calculations of the second call. This was nothing compared with what is coming now: just some addition and xoring. These numbers are the same every time you trace the first call, and somehow you must obtain a serial that, after a lot of calculations, matches the number computed from your name. So, let's get started… After this CALL the numbers you are going to use should look like this (if you used my name): 27 F9 A8 BD 2D F4 B4 83…

After entering the second call (press F8 on it) you should be here…

004013C1  MOV   EAX, [004021D2]       {The hexadecimal equivalent of the serial is MOVed to EAX…}
004013C6  MOV   CL, [004021A9]        {The first number you got from your name goes to CL, CL=27…}
004013CC  ROL   EAX, CL               {Rotates the operand (EAX) left by CL bits. CL=27h is 39 decimal; since the CPU uses only the low 5 bits of the count, this is really a rotate by 7…}
004013CE  MOV   ECX, [004021AE]       {The last 3 numbers you got from your name, to ECX. ECX=0083B4F4…}
004013D4  XOR   EAX, ECX              {XOR of the two operands EAX and ECX, result goes to EAX…}
004013D6  MOV   EBX, [004021AA]       {Numbers 2 to 5 from your name go to EBX=2DBDA8F9. As you can see they are read in reverse order, last to first (little-endian)…}
004013DC  MOV   CL, AL                {CL=AL…}
004013DE  ROR   EBX, CL               {Rotates the operand (EBX) right by AL bits (again only the low 5 bits of the count are used)…}
004013E0  XOR   EAX, EBX              {XOR of the two operands EAX and EBX. To get the good message box these two must be equal, so the result is zero and the zero flag is set. We have to find the serial that makes this happen…}
004013E2  MOV   EAX, 00               {EAX=0… MOV does not change the flags…}
004013E7  JNZ   004012EF              {Jump (to bad cracker) if the zero flag is clear, i.e. if EAX and EBX were not equal…}
004013E9  NOP
004013EA  NOP
004013EB  NOP
004013EC  NOP
004013ED  INC   AL                    {AL=AL+1…}
004013EF  RET                         {Exit from the call…}

.
.
0040121C  TEST  EAX, EAX              {Back in the caller: if EAX is not zero you are a good cracker…}

Calculations of the serial, using info from second CALL:

Some people might think that because this is a small piece of code it would be very easy to calculate the serial; believe me, it is not so. The program uses quite tricky instructions, and to get the real serial you have to know some math {to create your own algo for registering this program} and have free time to spend on this crackme. Here I am going to give you the method I used to get the serial. The first thing to do is examine carefully what is required for the good message box. From the second CALL we can see that to crack this program the EAX and EBX registers must be equal before the final XOR. Let's see where they come from. EAX is the ROLed serial (rotated by 39 units) which is then XORed; EBX is the RORed 2DBDA8F9. So we must make them equal, which gives:

ROLed(Serial) XOR 0083B4F4 = RORed(2DBDA8F9). According to this formula we are going to seek the right serial. Now I will place all the bits of RORed(2DBDA8F9) in this table and we will see what happens. The numbers on the left are the units by which I rotate the number… Without rotating it is equal to:

    0010 1101 1011 1101 1010 1000 1111 1001

1.  1001 0110 1101 1110 1101 0100 0111 1100
2.  0100 1011 0110 1111 0110 1010 0011 1110
3.  0010 0101 1011 0111 1011 0101 0001 1111
4.  1001 0010 1101 1011 1101 1010 1000 1111
5.  1100 1001 0110 1101 1110 1101 0100 0111
6.  1110 0100 1011 0110 1111 0110 1010 0011
7.  1111 0010 0101 1011 0111 1011 0101 0001
8.  1111 1001 0010 1101 1011 1101 1010 1000
9.  0111 1100 1001 0110 1101 1110 1101 0100
A.  0011 1110 0100 1011 0110 1111 0110 1010
B.  0001 1111 0010 0101 1011 0111 1011 0101
C.  1000 1111 1001 0010 1101 1011 1101 1010
D.  0100 0111 1100 1001 0110 1101 1110 1101
E.  1010 0011 1110 0100 1011 0110 1111 0110
F.  0101 0001 1111 0010 0101 1011 0111 1011
10. 1010 1000 1111 1001 0010 1101 1011 1101
11. 1101 0100 0111 1100 1001 0110 1101 1110
12. 0110 1010 0011 1110 0100 1011 0110 1111
13. 1011 0101 0001 1111 0010 0101 1011 0111
14. 1101 1010 1000 1111 1001 0010 1101 1011
15. 1110 1101 0100 0111 1100 1001 0110 1101
16. 1111 0110 1010 0011 1110 0100 1011 0110
17. 0111 1011 0101 0001 1111 0010 0101 1011
18. 1011 1101 1010 1000 1111 1001 0010 1101
19. 1101 1110 1101 0100 0111 1100 1001 0110
1A. 0110 1111 0110 1010 0011 1110 0100 1011
1B. 1011 0111 1011 0101 0001 1111 0010 0101
1C. 1101 1011 1101 1010 1000 1111 1001 0010
1D. 0110 1101 1110 1101 0100 0111 1100 1001
1E. 1011 0110 1111 0110 1010 0011 1110 0100
1F. 0101 1011 0111 1011 0101 0001 1111 0010
20. 0010 1101 1011 1101 1010 1000 1111 1001

Now, let's assume that as serial you entered something like this {in binary}:
Your Serial: a1a2a3a4 b1b2b3b4 c1c2c3c4 d1d2d3d4 e1e2e3e4 f1f2f3f4 h1h2h3h4 i1i2i3i4
Every letter represents one bit of the serial you have to enter. Let's rotate it left by 39 (the CPU takes the count modulo 32, so effectively by 7); you get this:
ROLed (Serial): b4c1c2c3 c4d1d2d3 d4e1e2e3 e4f1f2f3 f4h1h2h3 h4i1i2i3 i4a1a2a3 a4b1b2b3

Xor (0083B4F4): 0000 0000 1000 0011 1011 0100 1111 0100

And it must be equal to RORed(2DBDA8F9).

We do not know by how much 2DBDA8F9 will be rotated: according to the code, the program takes the value of AL as the count, so we need only the last two hex digits {the AL register holds two hex digits}. So we make this operation:

         i4a1a2a3 a4b1b2b3
    XOR  1111     0100

You have to find the first XOR element (i4a1a2a3 a4b1b2b3) such that, after this operation, the ROTATING UNIT coincides with the NUMBERS IN THE 7TH AND 8TH COLUMNS of the table. That is the main point of the program: these things must be equal, otherwise no luck for you. Using the table you find the rotating unit, then you do the job {take all the bits on the line next to that rotating unit and XOR them with 0083B4F4}…
Again: using this table you have to find the line where the rotating unit coincides with the number in the 7TH and 8TH columns.
If you have problems, I suggest reviewing the last part of the tutorial; if you got the idea, let's go on…

Now we have to find this coincidence. As you can see, the table consists of bits. There are 32 bits in each line, so after every 32 rotations we get the same table again, only the rotating unit changes. When I began scanning the table for a coincidence {it was not easy, for sure, but who tries, wins} I found the rotating unit for my name to be 6A. In the table it is on line A: decimal 32 = 20 hexadecimal, so A+20+20+20 = 6A, meaning I had to scan the entire table 3 times before I got the result. Look at the last two groups of line A: 0110 = 6 and 1010 = A, together 6A, the result I was looking for.

Now we take the whole string from the table:

 A. 0011 1110 0100 1011 0110 1111 0110 1010
And XOR it with:
    0000 0000 1000 0011 1011 0100 1111 0100
You should get something like that:
    0011 1110 1100 1000 1101 1011 1001 1110

It looks like our real serial, but it is not: remember that the serial was ROLed first. Nothing left to do but rotate this number right by 39 (again effectively by 7) and you get the serial.

Serial: 0011 1100 0111 1101 1001 0001 1011 0111

Transform it to a decimal number using a hex calculator, and that is all. Thanks for reading. I hope it was not too hard to understand, but if you {after reading it many times} still could not get the idea, mail me and tell me exactly what you did not get.

Name: Falcon
Serial: 1014862263
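As an added example (not code from the crackme or from this tutorial), here is a Python model of the two CALLs traced above and of the table scan from the derivation. It assumes the 8-byte ASCII name buffer with "01" appended, exactly as 'Falcon01' is used above, and it goes a little beyond the hand scan: it tries all 32 rotations, so it reports every serial that passes the check, not only the one found on line A.

```python
# Added example (not code from the crackme or the tutorial): a Python model
# of CALL 00401375, CALL 004013C1 and the table scan from the derivation.
# Assumes an 8-byte ASCII name buffer with "01" appended, as with 'Falcon01'.
MASK32 = 0xFFFFFFFF

def rol32(x, n):
    """x86 ROL on a 32-bit operand: the count is masked to 5 bits, so 39 acts as 7."""
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK32

def ror32(x, n):
    """x86 ROR on a 32-bit operand, count masked to 5 bits."""
    n &= 31
    return ((x >> n) | (x << (32 - n))) & MASK32

def first_call(name):
    """CALL 00401375: the 8 bytes left at 004021A9 (27 F9 A8 BD 2D F4 B4 83 for Falcon)."""
    buf = bytearray((name + "01").encode("ascii"))
    if len(buf) != 8:
        raise ValueError("the tutorial assumes an 8-byte buffer")
    # First loop: ECX = NOT counter indexes the buffer from its end, so
    # char i gets the char at 7-i added to it ('F'+'1' = 'w', ...).
    for i in range(4):
        buf[i] = (buf[i] + buf[7 - i]) & 0xFF
    buf[4:8] = buf[0:4]                          # REPNZ MOVSB duplicates the 4 new chars
    return bytes(b ^ k for b, k in zip(buf, b"PhroZenQ"))   # second loop: XOR

def second_call(key, serial):
    """CALL 004013C1: True exactly when the serial produces the good message box."""
    eax = rol32(serial & MASK32, key[0])                     # ROL EAX, CL (CL = 27h)
    eax ^= int.from_bytes(key[5:8] + b"\x00", "little")      # XOR EAX, [004021AE]
    ebx = int.from_bytes(key[1:5], "little")                 # MOV EBX, [004021AA]
    ebx = ror32(ebx, eax & 0xFF)                             # ROR EBX, CL with CL = AL
    return eax == ebx                                        # XOR EAX, EBX sets ZF

def solve(key):
    """The table scan: every rotation r whose result's low byte, masked to 5 bits, is r."""
    const = int.from_bytes(key[1:5], "little")               # 2DBDA8F9 for Falcon
    mask = int.from_bytes(key[5:8] + b"\x00", "little")      # 0083B4F4 for Falcon
    serials = []
    for r in range(32):
        x = ror32(const, r)
        if (x & 0xFF) & 31 == r:             # line A: low byte 6Ah, and 6Ah AND 1Fh = Ah
            serials.append(ror32(x ^ mask, key[0]))          # undo the ROL by 27h
    return serials

if __name__ == "__main__":
    key = first_call("Falcon")
    print(key.hex(" "))                      # 27 f9 a8 bd 2d f4 b4 83
    for s in solve(key):
        print(s, hex(s), second_call(key, s))
```

For Falcon the scan returns the author's 1014862263 (line A) and also other valid serials, for example from line 8, whose low byte A8h masked to 5 bits is 8 as well.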

Final Thoughts


No comments.

Greetings to...


All members of Genocide Crew {czDrillard, congrats on receiving Council status; Gandalf, thanks for the .gif}
 http://www.genocidecrew.cjb.net/

All members of Hellforge {LaZaRuS, Acid_Cool_178, Ac|dfusion, Dark_Wolf, Mercution…}
Enormous thanks go to Acid_Cool_178 and Mercution {who designed this tut} for providing me with LOGOs
http://www.kickme.to/Hellforge

tHe CrEaM members {for their good intent to help everybody}

To every one who makes tutorials…
Cool coders:
        Terminal Cilla, AntiXrist, Chafe, The+Q, LaZaRuS, defiler, Lucifer48,
        CzDrillard { he is great in making good Math algos}
Reversers  :
        SiFLyiNG, mIST, zvem, TSCube, Marton, and everybody I forgot to add..

The end.

Any mistakes, corrections, or comments may be mailed to the members individually, or to the group : hellforge@hellforge.org.