proudly presents                                                 www.tscube.cjb.net


Tutorial for |Neo|-mAn crackme #1



1. Intro

I met |Neo|_mAn for the first time on #c4n yesterday : "Who wants my first win32ASM crackme ?".
He sent it to me... and I don't regret it :)

For this tutorial, I'll assume that you know how packers/decrypters work. If it's not the case,
you should first read R!SC tuts.



2. A few words on this crackme

This is rather a 'patchme' : we must patch it to make the NAG disappear. Of course, the crackme
is encrypted, otherwise it would be too easy ;)

- This crackme is composed of 3 sections : WELCOME, CRACKME and NEOMAN. This last section is the
  one which decrypts the crackme's main code before execution.
- The decrypter's code is also crypted, to make disassembling a little more difficult. 
- There are also fake opcodes (that means that when you trace with a debugger, it looks like the 
  code changes after every instruction).



3. Useful SoftICE commands & tools

- When dealing with self-modifying code, you have to know that it's not always possible to set
  a breakpoint with 'BPX <address>' (BPX writes an INT3 into the code, and the decrypter simply
  overwrites it); you should rather use 'BPM <address> X', which relies on the CPU debug
  registers instead.

- Use conditional breakpoints when you want SICE to pop when a register is equal to a certain
  value : 'BPX <address> IF EAX==123456'

- If the code decrypts itself at runtime, it's not possible to get a clean dead listing from a
  disassembler. Instead, use 'U <address> L <length_of_code>', then choose 'Save SoftICE
  History As' in the File menu of SoftICE Loader. You can now edit this history to get your
  partial dead listing.

- If you're not an IDA aficionado, I suggest using a small tool by Net Walker named 'Getload'. 
  This tool extracts the unpacker/decrypter section of any packed/crypted PE file so that you 
  can disassemble it with WDASM (yeah, I use WDASM, so what ? ;).

- When using SICE Loader, if SICE doesn't pop on the entrypoint, take Procdump and change the
  first section characteristics to E0000020 (if you're too lazy, go to my homepage and download
  'E0000020.EXE' which does this automatically).



4. Where to patch ?

As you can see, the nag is a MessageBox, so 'BPX MESSAGEBOXA', then run the crackme. When SICE 
pops, hit F12 and you'll see the main code of the crackme, which is very short :

0137:00401093  6A00                PUSH      00
0137:00401095  8D0552304000        LEA       EAX,[00403052]
0137:0040109B  50                  PUSH      EAX
0137:0040109C  8D1D00304000        LEA       EBX,[00403000]
0137:004010A2  53                  PUSH      EBX
0137:004010A3  6A00                PUSH      00
0137:004010A5  8D3DEE104000        LEA       EDI,[USER32!MessageBoxA]
0137:004010AB  81C7801A0600        ADD       EDI,00061A80

0137:004010B1  83EF01              SUB       EDI,01 <-----------------+
0137:004010B4  81FFEE104000        CMP       EDI,USER32!MessageBoxA   | wtf is this loop for ???
0137:004010BA  75F5                JNZ       004010B1 ----------------+

0137:004010BC  FFD7                CALL      EDI -> the nag appears here

0137:004010BE  6A00                PUSH      00
0137:004010C0  8D055D304000        LEA       EAX,[0040305D]
0137:004010C6  50                  PUSH      EAX
0137:004010C7  8D1D1E304000        LEA       EBX,[0040301E]
0137:004010CD  53                  PUSH      EBX
0137:004010CE  6A00                PUSH      00
0137:004010D0  8DBBEE104000        LEA       EDI,[EBX+USER32!MessageBoxA]
0137:004010D6  81EF1E304000        SUB       EDI,0040301E

0137:004010DC  FFD7                CALL      EDI -> this is the second msgbox

0137:004010DE  6A00                PUSH      00
0137:004010E0  8D3DE8104000        LEA       EDI,[KERNEL32!ExitProcess]
0137:004010E6  FFD7                CALL      EDI


Once we land here, patching is easy, we just NOP the call :

4010BC : CALL EDI (FFD7) => NOP,NOP (9090)



5. How to patch ?

The fun part begins, because if you take your favorite hexeditor, you won't find the 'FF D7' 
bytes we want to NOP ... remember : the crackme is encrypted !!!

We have 3 solutions :

1) Use a loader... DON'T DO IT ! Only newbies and Eminence guys do that ;)

2) If you have already patched a packed proggy, you already know how to do it : you wait for
   the end of the unpacking routine, then you insert a JMP to your code, you patch the 
   proggy in memory, then you jump back to the proggy's main code

3) We do a classic 'hard patch'

The best way is of course the last one, but to do this we must understand HOW the decrypter
works.



6. The decrypter's main code

To find the decrypter's main code, I did a 'BPM 4031A0' to see when the NAG code (@4010BC)
was decrypted.


0137:00403100  8B9D11274000        MOV       EBX,[EBP+00402711] -> EBX = 0x33D90D
0137:00403106  F8                  CLC
0137:00403107  83E904              SUB       ECX,04

The following lines will decrypt the code starting at RVA @401000 (main crackme code)

0137:0040310A  AD                  LODSD <-------------------+
0137:0040310B  03C3                ADD       EAX,EBX         |
0137:0040310D  33C3                XOR       EAX,EBX         |
0137:0040310F  D1CB                ROR       EBX,1           |
0137:00403111  81EB66708090        SUB       EBX,90807066    |
0137:00403117  03DB                ADD       EBX,EBX         |
0137:00403119  AB                  STOSD                     |
0137:0040311A  83E904              SUB       ECX,04          |
0137:0040311D  73EB                JAE       0040310A -------+

To land here directly : 'BPM 4031A0 X'

If you want SICE to pop EXACTLY when the NAG code is going to be decrypted, disable the
previous breakpoint and : 'BPX 4031A0 if ESI==4010BC'

Now, do a 'E 4010BC' (a 'PAGEIN 4010BC' might help first), execute the loop one time and you'll
see the code changing from :
4010BC : CF B0 55 00 (crypted code)
to :
4010BC : FF D7 6A 00 (now you see the FF D7 bytes that we want to NOP)



7. Patching the crypted crackme

The idea is simple : we WANT 'FF D7 6A 00' to be replaced with '90 90 6A 00', so we must find
the new crypted code :

CF B0 55 00 ----> FF D7 6A 00
?? ?? ?? ?? ----> 90 90 6A 00

Look at these 3 lines :

LODSD        }
ADD EAX,EBX  } decrypted_bytes = (crypted_bytes + magic_value) XOR magic_value
XOR EAX,EBX  }

All we have to do is do a 'BPX 4031A0 if ESI==4010BC' then note the value of EBX to get the
magic_value.... EBX = 0xF10A9398

=> decrypted_bytes = (crypted_bytes + 0xF10A9398) XOR 0xF10A9398

(32-bit arithmetic on one little-endian dword : the bytes CF B0 55 00 are the value 0x0055B0CF,
and the leading 00 byte is simply not written below)

original_crypted_bytes : 0x6AD7FF = (0x55B0CF + 0xF10A9398) XOR 0xF10A9398
new_crypted_bytes      : 0x6A9090 = (0x?????? + 0xF10A9398) XOR 0xF10A9398

0x?????? = (0x6A9090 XOR 0xF10A9398) - 0xF10A9398 = 0x556F70


CF B0 55 00 ----> FF D7 6A 00
70 6F 55 00 ----> 90 90 6A 00

Now take your hexeditor, look for 'CF B0 55 00' (check that the pattern occurs only once in the
file) and replace these bytes by '70 6F 55 00'.
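To check the hand computation of sections 6 and 7, here is an added Python model (not code from the tutorial or from the crackme's author) of the decrypt loop listed at 40310A-40311D and of its inverse. The opcode constants (ADD/XOR with EBX, ROR EBX,1, SUB 90807066, ADD EBX,EBX) are taken from the listing; the magic value 0xF10A9398 and the dword at 4010BC are the values the tutorial reports. The round-trip buffer is constructed from the first 16 bytes of the section 4 listing and the starting key 0x33D90D is used only to exercise the key schedule: the crypted bytes it produces are not claimed to be what is actually stored in the file.

```python
MASK = 0xFFFFFFFF  # everything below is 32-bit register arithmetic


def ror32(value, count):
    """ROR on a 32-bit register (ROR EBX,1 in the listing)."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK


def next_key(ebx):
    """Key schedule between two dwords: ROR EBX,1 ; SUB EBX,90807066 ; ADD EBX,EBX."""
    ebx = ror32(ebx, 1)
    ebx = (ebx - 0x90807066) & MASK
    return (ebx + ebx) & MASK


def decrypt_dword(crypted, key):
    """ADD EAX,EBX then XOR EAX,EBX: decrypted = (crypted + key) XOR key."""
    return ((crypted + key) & MASK) ^ key


def encrypt_dword(plain, key):
    """Inverse of decrypt_dword: crypted = (plain XOR key) - key, mod 2^32."""
    return ((plain ^ key) - key) & MASK


def _dwords(data):
    """Split a buffer into little-endian dwords, as LODSD reads them."""
    if len(data) % 4:
        raise ValueError("buffer must be a whole number of dwords")
    return [int.from_bytes(data[i:i + 4], "little") for i in range(0, len(data), 4)]


def decrypt_buffer(data, key):
    """Model of the LODSD / ADD / XOR / ... / STOSD loop over a buffer."""
    out = bytearray()
    for crypted in _dwords(data):
        out += decrypt_dword(crypted, key).to_bytes(4, "little")
        key = next_key(key)  # EBX is updated after every dword
    return bytes(out)


def encrypt_buffer(data, key):
    """Same walk with the inverse step, so encrypt -> decrypt is a round trip."""
    out = bytearray()
    for plain in _dwords(data):
        out += encrypt_dword(plain, key).to_bytes(4, "little")
        key = next_key(key)
    return bytes(out)


# Values reported by the tutorial: EBX when ESI == 4010BC, and the dword at 4010BC.
MAGIC = 0xF10A9398
CRYPTED_NAG_CALL = 0x0055B0CF   # bytes CF B0 55 00, little-endian
PLAIN_NAG_CALL = 0x006AD7FF     # bytes FF D7 6A 00 (CALL EDI / PUSH 00)
PATCHED_NAG_CALL = 0x006A9090   # bytes 90 90 6A 00 (NOP NOP / PUSH 00)


def patched_crypted_bytes():
    """Section 7's computation: the crypted dword that decrypts to 90 90 6A 00."""
    return encrypt_dword(PATCHED_NAG_CALL, MAGIC).to_bytes(4, "little")


# Constructed round-trip input: the first 16 bytes of the main code listing in
# section 4. The crypted bytes this produces are an illustration only.
SAMPLE_PLAIN = bytes.fromhex("6a 00 8d 05 52 30 40 00 50 8d 1d 00 30 40 00 53")
SAMPLE_START_KEY = 0x33D90D  # initial EBX from the listing, used here only as a test key


if __name__ == "__main__":
    assert decrypt_dword(CRYPTED_NAG_CALL, MAGIC) == PLAIN_NAG_CALL
    print("crypted bytes for the NOPed call:", patched_crypted_bytes().hex(" "))
    crypted = encrypt_buffer(SAMPLE_PLAIN, SAMPLE_START_KEY)
    assert decrypt_buffer(crypted, SAMPLE_START_KEY) == SAMPLE_PLAIN
    print("round trip through the key schedule OK")
```

Running it prints '70 6f 55 00', the same bytes the tutorial derives by hand. The round trip through encrypt_buffer/decrypt_buffer only checks that the modelled key schedule is applied consistently on both sides; it does not verify that 47 iterations from 0x33D90D really reach 0xF10A9398, which is why the magic value is taken from the tutorial's breakpoint rather than recomputed.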



8. Outro

Isn't this better than a loader ?

Note to Eminence guys : PrincessSandy is cool anyway ;)


    ________     _______     _______
   /__   __/\   /  ____/\   /  ____/\
   \_/  /\_\/  /  /\___\/  /  /\___\/
    /  / /    /  /_/_     /  / / 
   /  / /    /____  /\   /  / /
  /  / /     \___/ / /  /  / /
 /  / /     ____/ / /  /  /_/_
/  / /     /_____/ /  /______/\
\__\/      \_____\/   \______\/ 29/06/2000


www.tscube.cjb.net