LaZaRuS proudly presents his 21. Cracking Tutorial (04.07.1999)

Cruehead's CrackMe 3.0

I. Introduction
I.1 Tools you need for my tutorial
II. The Crack
VI. BTW
VII. All Tutorials by LaZaRuS


I. Introduction

Welcome to my 21st cracking tutorial. This time I will describe my first keyfile crack :) Though it was quite easy, I am still happy about it :)))

I.1 Tools you need for my tutorial

W32Dasm 8.9
Cruehead's CrackMe 3.0


II. The Crack

When you disassemble the CrackMe (sorry, Crue - I still have no SICE (SoftICE) here) you will easily see a string that looks like the filename of a keyfile: Crackme3.key - luckily this really is the correct keyfile name. So let's start - you should see this:

:00401021 6A03                    push 00000003
:00401023 68000000C0              push C0000000

* Possible StringData Ref from Data Obj ->"CRACKME3.KEY"
                                  |
:00401028 68D7204000              push 004020D7

* Reference To: KERNEL32.CreateFileA, Ord:0000h
                                  |
:0040102D E876040000              Call 004014A8             ;; search for a file called "CRACKME3.KEY"
:00401032 83F8FF                  cmp eax, FFFFFFFF         ;; if the file does exist
:00401035 750C                    jne 00401043              ;; jump
--- snip ---                                                ;; else show "Uncracked" message
:00401052 6A00                    push 00000000
:00401054 68A0214000              push 004021A0
:00401059 50                      push eax
:0040105A 53                      push ebx
:0040105B FF35F5204000            push dword ptr [004020F5]

* Reference To: KERNEL32.ReadFile, Ord:0000h
                                  |
:00401061 E830040000              Call 00401496             ;; start reading from file
:00401066 833DA021400012          cmp dword ptr [004021A0], 00000012 ;; size = 12h bytes?
:0040106D 75C8                    jne 00401037              ;; if not, then jump to "Uncracked"
:0040106F 6808204000              push 00402008             ;; save contents of file
:00401074 E898020000              call 00401311             ;; calculate a value
:00401079 8135F920400078563412    xor dword ptr [004020F9], 12345678 ;; XOR it with 12345678
:00401083 83C404                  add esp, 00000004
:00401086 6808204000              push 00402008
:0040108B E8AC020000              call 0040133C
:00401090 83C404                  add esp, 00000004
:00401093 3B05F9204000            cmp eax, dword ptr [004020F9] ;; compare two values
:00401099 0F94C0                  sete al                   ;; if same, then set flag
:0040109C 50                      push eax                  ;; save eax
:0040109D 84C0                    test al, al               ;; flag set?
:0040109F 7496                    je 00401037               ;; if not, then jump

Don't wonder where I got the comments from. I found all this out while working through the CrackMe; later you will get it, too.

OK, create a file CrackMe3.key with a size of 18 bytes. I just wrote 666999666999666999 in a plain text file. Then let's have a look at the call to :00401311, which is taken when the file has the correct size.

* Referenced by a CALL at Address:
|:00401074
|
:00401311 33C9                    xor ecx, ecx              ;; erase ecx
:00401313 33C0                    xor eax, eax              ;; erase eax
:00401315 8B742404                mov esi, dword ptr [esp+04] ;; esi = contents of file
:00401319 B341                    mov bl, 41                ;; bl = 41h

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401333(C)
|
:0040131B 8A06                    mov al, byte ptr [esi]    ;; al = 1st byte of file
:0040131D 32C3                    xor al, bl                ;; XOR 1st byte with 41h
:0040131F 8806                    mov byte ptr [esi], al    ;; replace 1st byte with XORed value
:00401321 46                      inc esi                   ;; point to next byte
:00401322 FEC3                    inc bl                    ;; bl = bl + 1
:00401324 0105F9204000            add dword ptr [004020F9], eax ;; add XORed value
:0040132A 3C00                    cmp al, 00                ;; still bytes to go?
:0040132C 7407                    je 00401335               ;; if not, then jump
:0040132E FEC1                    inc cl                    ;; cl = cl + 1
:00401330 80FB4F                  cmp bl, 4F                ;; bl = 4F?
:00401333 75E6                    jne 0040131B              ;; if bl < 4F, then loop

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040132C(C)
|
:00401335 890D49214000            mov dword ptr [00402149], ecx ;; save ecx
:0040133B C3                      ret                       ;; return from call

This passage does nothing but XOR the first 14 bytes of your file (41h for the first byte up to 4Eh for the last one; bl is incremented after every byte and the loop ends as soon as it reaches 4Fh) and add up all these XORed values. It also stops early at the first byte that XORs to 00. For 666999666999666999 this would be:

36 XOR 41 + 36 XOR 42 + 36 XOR 43 + 39 XOR 44 + 39 XOR 45 + 39 XOR 46 + 36 XOR 47 + 36 XOR 48 + 36 XOR 49 + 39 XOR 4A + 39 XOR 4B + 39 XOR 4C + 36 XOR 4D + 36 XOR 4E = 693h

This value is XORed with 12345678h at :00401079 when we leave the call. This gives 123450EBh, which sits in memory as EB503412. This value is compared to the last 4 bytes of our keyfile at address :00401093. If they are the same, you have cracked it. When you start the CrackMe, a messagebox will appear saying that you cracked it :)

Sadly, your name is not yet displayed in this messagebox, but only some crappy characters. The first 14 bytes (the ones the sum is computed over, not the four that are compared) are reserved for the name. You know that these 14 bytes are decrypted before they are displayed, so we have to save them encrypted in the keyfile. We do it this way for the name LaZaRuS:

L = 4Ch XOR 41h = 0D
a = 61h XOR 42h = 23
Z = 5Ah XOR 43h = 19
a = 61h XOR 44h = 25
R = 52h XOR 45h = 17
u = 75h XOR 46h = 33
S = 53h XOR 47h = 14

These are the bytes you have to enter at the beginning of the keyfile. I added 00000000000000h to fill the space. Next time I started it, I saw nothing. Shit, the last four bytes must have another value now. So breakpoint on :00401093, and F7523412 was the next value. When I started it now, I saw: "Cracked by LaZaRuSHIJKLMN!"
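To check the values above without a debugger, here is the keyfile check modelled in Python. This is an added example, not code from the tutorial or from the CrackMe: checksum emulates the loop at :0040131B, expected_tail the XOR at :00401079, validate_keyfile the comparison at :00401093, and decoded_name shows the text the messagebox displays; build_keyfile is an assumed helper that reproduces the hand derivation for any name and pads the unused name slots so they decrypt to 00.

```python
# Model of the keyfile check in Cruehead's CrackMe 3.0 as described in the
# tutorial. Constants (18-byte file, XOR keys 41h..4Eh, final XOR with
# 12345678h) are taken from the listing; this is a re-implementation written
# for verification, not the CrackMe's own code.

KEYFILE_SIZE = 0x12   # cmp dword ptr [004021A0], 12h
NAME_BYTES = 14       # bl starts at 41h and the loop stops once it reaches 4Fh
MAGIC = 0x12345678    # xor dword ptr [004020F9], 12345678h

def checksum(data: bytes) -> int:
    """Emulate the loop at :0040131B: XOR byte i with 41h+i, add the result,
    stop after the first byte that decrypts to 00."""
    total = 0
    for i in range(NAME_BYTES):
        al = data[i] ^ (0x41 + i)
        total = (total + al) & 0xFFFFFFFF   # add dword ptr [004020F9], eax
        if al == 0:                          # cmp al, 00 / je 00401335
            break
    return total

def decoded_name(data: bytes) -> str:
    """Text the CrackMe displays after decrypting the first 14 bytes."""
    out = bytearray()
    for i in range(NAME_BYTES):
        al = data[i] ^ (0x41 + i)
        if al == 0:
            break
        out.append(al)
    return out.decode("latin-1")

def expected_tail(data: bytes) -> bytes:
    """Little-endian dword the last four bytes must hold (cmp at :00401093)."""
    return ((checksum(data) ^ MAGIC) & 0xFFFFFFFF).to_bytes(4, "little")

def validate_keyfile(data: bytes) -> bool:
    """True when the CrackMe would show its 'Cracked by ...' message."""
    return len(data) == KEYFILE_SIZE and data[14:18] == expected_tail(data)

def build_keyfile(name: str) -> bytes:
    """Assumed helper: reproduce the hand derivation for any name. Unused
    name slots get their own XOR key so they decrypt to 00 (the
    48494A4B4C4D4E trick), then the tail is appended."""
    raw = name.encode("latin-1")[:NAME_BYTES]
    body = bytes(c ^ (0x41 + i) for i, c in enumerate(raw))
    body += bytes(0x41 + i for i in range(len(raw), NAME_BYTES))
    return body + expected_tail(body)
```

Running checksum over the 666999666999666999 file returns 693h, and build_keyfile("LaZaRuS") yields the 18-byte file the tutorial arrives at.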
Now we know that the 00s we entered were (obviously) wrong and the correct keyfile looks like this:

0D23 1925 1733 1448 494A 4B4C 4D4E F752 3412

btw: If you don't know how I came to the values 48494A4B4C4D4E: a value XORed with itself is *always* 0. H XOR H = 0 / 48 XOR 48 = 0 (hope you got it now).

Actually this is not quite the correct keyfile yet. We have to recalculate the last four bytes again, but this should be no problem.

0D23 1925 1733 1448 494A 4B4C 4D4E FA54 3412

is the correct keyfile that will show the "Cracked by LaZaRuS!" message. (Note: these are hex values, not ASCII values; in ASCII it looks like this: #%3HIJKLMNúT4)


VI. BTW

Greets to: tKC, Ed!son, Moral Insanity, +Sandman, Fravia+ and everyone at #cracking4newbies, +Sandman's forum and Fravia+'s forum.


VII. All tutorials by LaZaRuS