آموزش کرک و قفل شکنی ( انگلیسی ) از بهترین کرکرهای روس و ...

[Morteza_SOS]

Level : newbie

Writing a basic keygen in MASM for Phlux keygenme 1.



Tools used: MASM32 and OllyDBG for debugging if necessary.

Good day to you all who are reading this first, we'll discuss the basic opcodes such as MOV, ADD or other opcodes that are used in the algo I'll explain.

After my last tutorial about the 'Can you CrackMe', I said I'd rate myself 0/10 in keygens, heh, well that's not 0/10 anymore otherwise I couldn't write this tutorial. But because I'm not an expert too, if somebody has ideas to add something or found some serious mistakes contact me.

Okay, I'm hoping you read this thorougly so you can learn something :-)

We'll not go into further details about the full ASM source, or are we? Okay for the ones who really want that too, I'll include a total source at the bottom of this tutorial.

Look at the following algorithm:
--------------------------------------------------------------------------------
generate proc ; indicates a procedure is started
PUSH EBX ; saves the EBX value to the stack because we are going to use EBX, and EBX is a register that needs to be saved (often).
PUSH OFFSET szUser
CALL lstrlen
MOV EDX, EAX
XOR ECX, ECX
XOR EBX, EBX
@@:
movzx eax, byte ptr [szUser+ECX]
xor eax, 31337h
add eax, 0DEADBEEFh
imul eax, 666h
sub eax, 1BADBAB3h
shl eax, 3h
xor eax, 0D34DD00Dh
add ebx, eax
INC ECX
CMP ECX,EDX
JNZ @B
invoke wsprintf, ADDR BUFFER, ADDR PREFIX, ebx ; look at API of wsprintf some lines below
; basically, it turns the hex value into an
; ASCII value, because we use the %X prefix.
;int wsprintf( ; this is the API wsprintf as you might understand :-)
;
; LPTSTR lpOut, ; LPCTSTR lpFmt, ; ... ; other optional arguments ; ); POP EBX
ret
generate endp
--------------------------------------------------------------------------------

I've commented the ASM opcodes of the algorithm, look at them :-). First of all, I also want to say this, EAX and EDX are used for dividing, EAX is the quotient result and EDX is the remainder (you learnt this on school I hope, except for the registers :P). Next, EBX, EBP, ESI, EDI are registers that often need to be saved. If something is in it before you start using them, always use PUSH, and after you are finished use POP to retrieve it again from the stack, but beware: if you use another POP instruction in the thing you are busy on, then that POP gets the value of the PUSH, so you could also POP your PUSHED (the saved register) first and then later on PUSH and POP it again. This can be confusing, therefore I'll comment a little example below:

Look at this piece of code with PUSHES and POPS.
--------------------------------------------------------------------------------
generate proc ; indicates a procedure is started PUSH EBX ; saves the EBX value to the stack
PUSH ESI ; saves the EDI value to the stack

; some code now
XOR ESI,ESI ; clears it, we use the last ESI (XOR destination,source) as 0,
; because that takes less bytes, it's just a fact that it's used
; as 0, nothing more, nothing less
; XOR sets the output bit if the source bit is different from the
; destination bit. So that's why it becomes 0.

XOR EBX,EBX ; clears EBX too, so we can start using it
ADD ESI,539h ; this adds the decimal value 1337 to ESI, 1337d is 539h, 539h = 539 HEX :-)
MOV EBX,9865h ; this adds the decimal value 2689 to EBX, it's 9865h and 2689d. You can use
; windows calculator for this, use the SCIENTIFIC view

POP EBX ; gets the last value in the stack and saves it to EBX, see?
; that's a mistake that could be taken
; therefore, ignore this opcode

POP ESI ; gets the last value (that was ESI, therefore this is right) and saves it into ESI
POP EBX ; gets the value after the last POP, so that's EBX, see? first in / first out system
ret
generate endp
--------------------------------------------------------------------------------

Okay, so this are some basics :-), MOV puts a value somewhere, ADD adds a value, XOR is explained in the comments above. I strongly recommend that you get 'win32asmtutorial.zip'. It is a HLP file in HTML style, you could also print it to read them somewhere in ease :-), I did put it on my MP3 player because I can view text-files on it :-) saves me some ink.

So, this commands like MOV (is put), DIV (is /, divide), MUL (is *, multiply), there do exist other opcodes of course, that you will often meet in algorithms, therefore I recommend the 'win32asmtutorial.zip' to find out what these things do exactly, if you still don't understand them after reading the Win32 ASM Tutorial, contact me or some experienced cracker at BiW Forum. If you want 'win32asmtutorial.zip' and you REALLY can't find it (would surprise me) you may contact me.

Now I'll include the full ASM, and I'll comment some things too, because that'll make things easier to understand maybe, I'll only comment things that have to do with displaying the serial or getting the username and the algo, I assume you know the other stuff, if not, then please have a break and read the Win32 ASM Tutorial (the 'win32asmtutorial.zip' of course). Or you could just continue and read that tutorial later :-)

Source for the Key Generator (keygen.asm for example):
--------------------------------------------------------------------------------
.686
.mmx
.model flat, stdcall
option casemap:none
include masm32includewindows.inc
include masm32includeuser32.inc
include masm32includekernel32.inc
includelib masm32libuser32.lib
includelib masm32libkernel32.lib

assume fs:flat

WndProc PROTO WORD,WORD,WORD,WORD

.data hEdit1 dd 0
hEdit2 dd 0

hInstance dd 0
hIcon dd 0

dlgname db "keygen",0
Format db "%0.8X%0.8X",0

Caption db "About",0

MsgAbout db "Key Generator by TDC",13,10,10
db "..: Cracked by : nick? :.. ",13,10
db "..: Also known as : ur alias? :.. ",13,10
db "..: Protection : Custom :.. ",13,10
db "..: Contact info : mail? :.. ",13,10
db "..: Release date : date? :.. ",13,10
db "..: Date format : dd-mm-yyyy :.. ",13,10
db " ",13,10
db "Greetings to : BiW Reversing members",13,10
db "Special thanks to : usernames here",13,10,0

UserName db "username displayed when start", 0
UserKey db "serial displayed when start", 0


szMsgMinLetter db "Please enter more than 3 characters...",0

BUFFER db 32 dup(0)
PREFIX db "%X", 0 ; important, sets the PREFIX for later use in wsprintf API, %X indicates we are going to use wsprintf for conversion of HEX to ASCII


.data?
szUser db 90 dup (?)
szSerial db 90 dup (?)

.code

start:
invoke GetModuleHandle, NULL
mov hInstance, eax
invoke DialogBoxParam,hInstance,ADDR dlgname,NULL,ADDR WndProc,NULL
invoke ExitProcess,eax
WndProc proc hWin WORD, uMsg WORD, wParam WORD, lParam WORD

.if uMsg == WM_INITDIALOG

invoke LoadIcon,hInstance,100
invoke SendMessage,hWin,WM_SETICON,0,eax invoke GetDlgItem,hWin,107
mov hEdit1, eax
invoke GetDlgItem,hWin,108
mov hEdit2, eax
invoke SetDlgItemText,hWin,107,offset UserName
invoke SetDlgItemText,hWin,108,offset UserKey

.elseif uMsg == WM_COMMAND

.if wParam == 109 ; if Generate button is pressed, remember parameter 109 was set in rsrc.rc
invoke GetDlgItemText,hWin,107,offset szUser,90
cmp eax,3 ; checks if username = 3 characters, you can change this to whatever you want the user to require at least
jl error ; if less ( JL = Jump less ) then goto error and display please enter.... blabla..
call generate ; call the actual generating process with the algo
invoke SetWindowText,hEdit2, offset BUFFER ; sets the new serial generated in the hEdit2 box, (the second box)
jmp exit

error: invoke SetDlgItemText,hWin,108, offset szMsgMinLetter ; puts the szMsgMinLetter value in the read-only box, check the box in rsrc.rc (the one with 108 as parameter)
jmp exit
.elseif wParam == 110

invoke MessageBox, hWin,addr MsgAbout, addr Caption,MB_ICONINFORMATION or MB_OK

.elseif wParam == 111

invoke EndDialog,hWin,NULL

.endif


.elseif uMsg == WM_CLOSE

invoke EndDialog,hWin,NULL
.endif exit: xor eax, eax
ret


WndProc endp

generate proc PUSH EBX ; save EBX
PUSH OFFSET szUser ; the push for the call :-)
CALL lstrlen ; checks username length (often used), then it's stored in EAX
MOV EDX, EAX ; in this example we move the EAX value to EDX, EAX was the length.
XOR ECX, ECX ; clear ECX
XOR EBX, EBX ; clear EBX

@@: ; indicates a point in the program, to jump to :-)
movzx eax, byte ptr [szUser+ECX] ; gets next character from szUser
xor eax, 31337h ; XORs that with 31337h
add eax, 0DEADBEEFh ; ADDs DEADBEEFh (we included a 0 before DEADBEEF, that's always necessary when a value begins with a A, B, C, D, E or F, when beginning with a number it's not necessary to put a 0 in front of it.
imul eax, 666h ; we use IMUL because our eax is a signed byte, (more about signed and unsigned bytes in the Win32 ASM Tutorial that I'm pointing much to in this tutorial)
sub eax, 1BADBAB3h ; substracts eax with BADBAB3h
shl eax, 3 ; SHLs the bytes 3, shifts it left by 3
xor eax, 0D34DD00Dh ; XORs that with D34DD00Dh
add ebx, eax ; adds EAX to EBX, ebx is the value that will be the total serial at the end of this loop
INC ECX ; increases the value to pick the next character from szUser in the next jump to @@
CMP ECX,EDX ; checks if we are at the end of the username, if so the jump next is ignored
JNZ @B ; means jump one back, so thats jumping to @@, JMP @F means jump forward

invoke wsprintf, ADDR BUFFER, ADDR PREFIX, ebx ; convert it to an ASCII string for displaying, the PREFIX is set above under the '.data' section.

POP EBX ; get original EBX value back
ret ; return from call (remember the call generate when Generate is pressed?)
generate endp
end start
--------------------------------------------------------------------------------
END OF SOURCE



Source for the resource file (rsrc.rc):
--------------------------------------------------------------------------------
#include "masm32includeresource.h" keygen DIALOGEX 0, 0, 196, 93
STYLE DS_3DLOOK | DS_CENTER | WS_POPUP | WS_VISIBLE | WS_CAPTION | WS_MINIMIZEBOX | WS_SYSMENU
CAPTION "Brought to you by ?nick-in-rsrc.rc?, 2005"
FONT 8, "Tahoma" BEGIN

CTEXT "Key Generator by ?nick-in-rsrc.rc?",101,6,7,184,11,SS_CENTERIMAGE ,WS_EX_STATICEDGE
CONTROL "",103,"Static",SS_BLACKFRAME | SS_SUNKEN,6,22,184,2
GROUPBOX "",104,6,24,184,45
LTEXT "Name:",105,11,35,22,8
LTEXT "Serial:",106,11,51,21,8
PUSHBUTTON "&Generate",109,140,74,50,14,0,WS_EX_STATICEDG E
PUSHBUTTON "&About",110,86,74,50,14,0,WS_EX_STATICEDGE
PUSHBUTTON "&Close",111,6,74,50,14,0,WS_EX_STATICEDGE
EDITTEXT 107,36,33,147,13,ES_AUTOHSCROLL
EDITTEXT 108,36,49,147,13,ES_AUTOHSCROLL | ES_READONLY

END
--------------------------------------------------------------------------------
END OF SOURCE



Hopefully, you have learned something of the comments, it's not that hard to understand, the parameter for the Generate button is set in the 'rsrc.rc' file, and it's set to 109 in this case. I've done as much as I could to help you understanding it all better, and again I strongly recommend you to take a look at the 'win32asmtutorial.zip', because it gives much information about calculation opcodes and about how memory works in 32-bits.

If you want to compile this all (of course you want :P), then also make a little batch program that automatically makes an .EXE file, it's not hard to do. Heres the MS-DOS batch program I made for the job:


Batch program (let's call it make.bat):
--------------------------------------------------------------------------------


@echo off

REM change the keygen.* to whatever you want to name your keygen.asm, .obj and .exe files.

if exist keygen.exe del keygen.exe
if exist keygen.obj del keygen.obj
if exist rsrc.res del rsrc.res
if exist rsrc.obj del rsrc.obj

masm32binml /c /coff keygen.asm
masm32binrc rsrc.rc
masm32bincvtres /machine:ix86 rsrc.res
masm32binLink /SUBSYSTEM:WINDOWS keygen.obj rsrc.obj

if exist keygen.obj del keygen.obj
if exist rsrc.obj del rsrc.obj


if exist rsrc.res del rsrc.res

[Morteza_SOS]

Level : beginner

How to halt the timer in the solitaire cardgame.



Dedication: My best friend Error_Vir
Food: Ruffles and nectarine juice
Music: Falcon - Cosmic outflow.xm

This tutorial I dedicate especially to my old friend Error_Vir.

And as one of the famous quote follows:
"one time of time on the time at of the time i dont remember it"

For more information on my friend you can find on the following webpage
here; that is dedicated to him.

Enough blabla's. Proceed to tutorial.

Ok. The tool that we will to use is OllyDbg. (Ollydbg)

Alright, sol.exe can be found (obviously, if you didn't need to free
some space up on your HDD by deleting it) in %windir%system32sol.exe.
(on my computer it's C:WINNTsystem32sol.exe)

So let's debug this tiny little app.

Oh, if you're asking why I chose sol.exe I simply find it the best
game for the boring days. Try to combine it with some demoscene music
(scenemusic, ojuice).
Fits perfectly for boring and raining days :-)

BY THE WAY, I won a game in 51 seconds (without any time hacks).
That's my highest score, I also had scores like 71 seconds, 78, 82, ...

Open ollydbg, File->Open and type "%windir%system32sol.exe" there.

Press F9 to run Solitaire.

***TIMER ACTIVATION***
As you might have(n't) noticed, the timer starts when you click anywhere
on the game. Example click on a card. Cool, the timer started!
***TIMER ACTIVATION***

To restart the timer, goto ollydbg Debug->Restart->Yes->Press F9.
We restarted the game.

uh.
Sometimes in cracking,

(as my old friend says,
"in the cracking = idont have time to write all thinges")

I dont have the time to explain all things.

So don't ask me why I picked this way. There are (probably) other ways for
cracking this application, but I prefer the ninja-style.

HOWEVER, back to work. The ninja-style is the following.
We must defeat Solitaire in the easiest way. How do we do that?
Simply. Notice the string "Time: %d" ? :-)

In Ollydbg, View->Memory. Right click anywhere, click Search.

Search for HEX val: 54 00 69 00 6D 00 65 00 3A
(meaning "Time:" with a zero in between every char)

This is very important. Before setting a breakpoint make sure you activate the
timer first, because if you don't activate it Olly will break all the time
and the Timer will be =0 so NO use.

Anyway, we found it. While the text we searched for is highlighted,
right click on it and set a breakpoint on memory access.

Ollydbg IMMEDIATELY breaks, this is a good sign.

Once ollydbg lands us on the physical memory, press ALT+F9 to get back
to the user's memory.

We are here:

0100243B . C2 0800 RETN 8

Now as we step out from this procedure this is what we see:

01005372 |. 8DB445 48FFFFF>LEA ESI,DWORD PTR SS:[EBP+EAX*2-B8]
01005379 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0100537C |. 8B40 34 MOV EAX,DWORD PTR DS:[EAX+34]
0100537F |. C1F8 02 SAR EAX,2
01005382 |. 50 PUSH EAX ; /Arg2
01005383 |. 56 PUSH ESI ; |Arg1
01005384 |. E8 4ECFFFFF CALL sol.010022D7 ; sol.010022D7

As you can notice (by looking at the code a bit), this procedure sets up the string
like "Text: %d". That means that %d is received in some other procedure (e.g. previous).

You can notice that this works out the text by entering that call at 01005384
and by scrolling down a bit you can find the next API as well:

010053B9 |. FF15 04110001 CALL DWORD PTR DS:[] ; DrawTextW

This procedure starts at 01005349 /$ 55 PUSH EBP.
That means that our previous procedure ends on
01005347 .^EB E5 JMP SHORT sol.0100532E and starts on 010052CF /$ 56 PUSH ESI

You can notice this easily by looking at Olly's arrows.

Good looking procedure is:

010052CF /$ 56 PUSH ESI
010052D0 |. 57 PUSH EDI

.....

010052EF |. 75 3B JNZ SHORT sol.0100532C
010052F1 |. 8B46 34 MOV EAX,DWORD PTR DS:[ESI+34]
010052F4 |. 68 FE7F0000 PUSH 7FFE
010052F9 |. 40 INC EAX
010052FA |. 50 PUSH EAX
010052FB |. E8 CCD0FFFF CALL sol.010023CC

.....

0100533F |. E8 770A0000 CALL sol.01005DBB
01005344 |> 6A 01 PUSH 1
01005346 |. 58 POP EAX
01005347 .^EB E5 JMP SHORT sol.0100532E

Not the whole though, its big enough.

Anyway, about the ninja-style, here we go.
Instead of looking at the code you simply check every opcode and hunt it.
Something like a manual brute-force or so. That's just my way.

So, we set a breakpoint on 010052F1 and press F9 to run. Once we landed there,
in the DUMP Window right click then Goto->Expression and then type ESI+34.

Remove the breakpoint and press F9. Cool, the value in the Dump window changes on every
second, which means that that is our counter :-)

But how is it getting increased? Well, simple enough.

010052F1 |. 8B46 34 MOV EAX,DWORD PTR DS:[ESI+34]
010052F4 |. 68 FE7F0000 PUSH 7FFE
010052F9 |. 40 INC EAX

in EAX, Bill Gates puts the address of the counter and then he increases EAX.

How to stop this? Replace "INC EAX" with "NOP" (40h->90h)

Time hast been stopped! (no, "hast" is not a mistake, its the German way!)

Well, that is all for now my friend, I hope you understood something from this tutorial.
Or maybe not? Who cares anyway, it's already written

[Morteza_SOS]

Level : newbie

Patching Nagscreens in this target here

Gathering Information
---------------------------
Ok as always you should run the target first to see how the program works before diving into the code. We are presented with a nag when the target is run.
Important thing to notice is this is a message box with the text "Oh, do you like this program?" Also, if you press exit you are presented with another message box nag screen stating "Oh, did you forget this one?"


Finding where the nags are called
----------------------------------------
Instead of just scrolling through the code for MessageBoxA calls, we are going to set a breakpoint. Reasoning? A program could have the text encrypted, etc so the mentioned method of scrolling simply won't fly for many programs. MessageBoxA incase you didn't know is located within USER32.dll, so Alt-E to view executable modules. Right click on USER32.dll and choose "View Names". In this new window, locate MessageBoxA, click on it once, and hit F2 (toggle breakpoint). Press F9 to run the program and we end up landing in USER32.dll. If you look a little below you can see the following line:

77D8052A E8 2D000000 CALL USER32.MessageBoxExA

This guy is responsible for the message box, however we are within USER32.dll and want to find how we got here. A nice trick we can do is to look at the call stack (Alt-k) to see how we got here. After pressing Alt-k we see at the top where this was called from and details about this message box including the title, text, etc. It says that MessageBoxA was called from KillNag.00401085. So if we double click that line we will be brought to this location.

Patching the Nags
---------------------
Now that we are in the right location take a look around. If you look above you will notice this line:

00401074 > 8B4C24 04 MOV ECX,DWORD PTR SS:[ESP+4]

The '>' indicates that this location was reached by a jump. If you click/highlight this line, the small pane below will say "Jump from 00401012". You can also view this information by right clicking on the code and selecting "Find references to"->"selected command" which is Ctrl-R. You can reach this mentioned jump location by right clicking on the pane and selecting "Go to JE from..." or double clicking on the line in the window from Ctrl-R. Just to make sure we are all on the same page we should be here:

00401012 74 60 JE SHORT KillNag.00401074

Now, we don't want to jump, otherwise we get that stupid nag. So what we can do is NOP the line of code so that we never have to worry about this. So right click -> "Binary" -> "Fill with Nops". Ok the first nag is taken care of. Now we have to get rid of the message box that is on exit. If you look right below where we are at we can see it:

00401051 . 68 78514000 PUSH KillNag.00405178 ; |Title = "Nag!"
00401056 . 68 58514000 PUSH KillNag.00405158 ; |Text = "Oh, did u forget this one? :P"
0040105B . 56 PUSH ESI ; |hOwner
0040105C . FF15 C8504000 CALL DWORD PTR DS:[>; MessageBoxA

You could have also found this location by just pressing exit and letting Ollydbg break on MessageBoxA again. Anyhoo, if you look above this you will find the line:

0040104A > 56 PUSH ESI

Again, we arrive at this location by a jump. So we have to get rid of the jump to this nag screen. Apply the same methods we used before to reach the line of code with the jump. You should be at this location:

00401026 . 74 22 JE SHORT KillNag.0040104A

So just as we did to the other jump, NOP this line of code. Alright now save your patched program by right-click->"Copy to executable"->"all modifications" then click "copy all" on the messagebox. Then right-click in the new window -> "Backup"->"save data to file". If we run the program it has no first nag, that's good. But click the exit button... well there is no nag but we also don't exit the program!

I showed this because it is likely a mistake that many beginners will make on this program. So let’s reload the program into Olly. If you look right below the 2nd nag in Olly you will notice a "WM_CLOSE". Hmm think this is responsible for closing our application?

If you think for a little bit you will also notice that you can just jump to WM_CLOSE instead of jumping to that stupid nag code. So go back to the jump responsible for the exit nag. Now we want this NOT to jump to 0040104A (nag code), but to 00401093 (WM_CLOSE). So right click-> "assemble" and change 0040104A to 00401093.

Run the program and wallah! It works

Final thoughts: A little lengthy, but I put a lot of basic stuff in here to help out those who are new to Ollydbg.

[Morteza_SOS]

Level : newbie

A simple target to keygen, but beware the anti-debugging tricks
Includes explanation of all anti-debugging checks, and sourcecode for keygen in C.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

solution for detten's crackme7 - tutorial by haggar

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Greetings!


Detten has made small and not hard crackme to solve, but still very interesting. Our objective is to avoid any kind of anti-debug staff and to dig-up serial for our name. So let's begin.
Crackme here



1. TOOLS

- OllyDbg 1.10
- paper and pencile, some time and a will to do litlle Googling.




2. ANTI-DEBUG STUFF


2.1 First problem

Ok, first thing that happened to me is that crackme crashed while starting. Is this a bug or intended? Maybe both? That happend on my Windows XP Pro SP1, but I don't know for other systems. So lets open crackme in Olly and see what we have here. Right at the beginning you will see the reason for crushing:

00401000 >/$ B4 43 MOV AH,43
00401002 |. CD 68 INT 68
00401004 |. 66:3D 86F3 CMP AX,0F386
00401008 |. 74 2D JE SHORT crackme7.00401037

So right at the second line we have INT 68 interrupt and that is why crackme crashes. Let we try to analyze what is going on:
- first, to AH register is given 43 value
- then it's executed INT 68
- imagine that crackme doesn't crash at above inerrupt, but continues. Code is checking does AX contains now 0F386 value.
- if AX=0F386, conditional jump at 401008 will be executed and we will jump at 401037 offset where we can see message "Please unload debugger :("

So this is some check for debugger and crackme shouldn't crash but to work properly, or show that message if we run it in Olly. Since I never sow this trick before, I just used Google to find some info about INT 68 interrupt. I didn't find much, just some references that I don't quite understand, but one of listed links was to some Yates tutorial. To not make long story out of this (check yor self that article), this is SoftICE check. Crackme crashes because this trick works only on 9x systems, but in case that we have SI installed on our computer, INT 68 should return 0F386 to EAX, we should get error message and crackme should unload itself. If SI isn't installed, crackme should just procede to GetModuleHandle API and run normally. To solve this issue, just fill with NOP's all opcodes from 401000 to 401009 and save changes to crackme:

00401000 > $ 90 NOP
00401001 . 90 NOP
00401002 . 90 NOP
00401003 . 90 NOP
00401004 . 90 NOP
00401005 . 90 NOP
00401006 . 90 NOP
00401007 . 90 NOP
00401008 . 90 NOP
00401009 . 90 NOP
0040100A . 6A 00 PUSH 0 ; /pModule = NULL
0040100C . E8 A5020000 CALL <JMP.&KERNEL32.GetModuleHandleA> ; GetModuleHandleA

Now run crackme and you'll see that it works fine.



2.2 Junk code

Next thing to notice is that crackme has some small junky opcodes, mostly jumps like this one:

00401016 . EB 02 JMP SHORT crackme7.0040101A
00401018 68 DB 68 ; CHAR 'h'
00401019 A1 DB A1
0040101A > 6A 00 PUSH 0 ; /lParam = NULL
0040101C . 68 50104000 PUSH crackme7.00401050 ; |DlgProc = crackme7.00401050
00401021 . 6A 00 PUSH 0 ; |hOwner = NULL
00401023 . 68 0C304000 PUSH crackme7.0040300C ; |pTemplate = "MyDialog"
00401028 . FF35 C4314000 PUSH DWORD PTR DS:[4031C4] ; |hInst = NULL
0040102E . E8 65020000 CALL <JMP.&USER32.DialogBoxParamA> ; DialogBoxParamA

You see, jump at 401016 jumps above two bytes at 401018 and 401019. Those bytes will NEVER be executed and those jumps+bytes had acctually no purpose to our program. They are there just to confuse reverser and made reading of code a bit dificult. Most today's protectors have such code, only that they have realy harder patterns. What we can do is to patch those junky bytes with NOP's just to make code litlle cleaner, it's not acctually necesery but I like it that way. There is 11 such locations to patch (some jumps+bytes, or just bytes), so do it (if you want) and save changes to crackme.



2.3 Breakpoints directly on API's - check

Next check is common check in today's protectors too. It's checking did we put bp directly on some API function. I don't know how SoftICE is working with breakpoints, I assume that it's identicall as Olly, but I will explain this part on Olly. Also, you must have Windows XP for this kind of breakpoints if using Olly, because only XP is alowing seting bp directly on dll's.

Open "Executable Modules" window in Olly (Alt+E), left click select our crackme, right click on it and "view names". There you have for example this API which our crackme uses to get input from window:

00402014 .rdata Import USER32.GetDlgItemTextA

If you right click on it, you see option "Toggle breakpoint on import". That option will not put bp in our crackme, but in USER32.DLL on address where GetDlgItemTextA API function starts. This is very usefull option so select it. Now run crackme enter name haggar and serial 12345 and click check button. Boom! You get "Please unload debugger :(" message and crackme exits.

Let me explain you what happened, but first set same bp again on same API. Now open again "Executable Modules", but this time click on USER32.DLL and "view names". Find our API:

77D665FE .text Export GetDlgItemTextA

If you placed toggle bp on that import, then 77D665FE address should be marked with red colour now (maybe 77D665FE will be different on your system). Double click on that address and you'll find your self in user32.dll right where GetDlgItemTextA API starts:

77D665FE > 55 PUSH EBP
77D665FF 8BEC MOV EBP,ESP
77D66601 FF75 0C PUSH DWORD PTR SS:[EBP+C]
77D66604 FF75 08 PUSH DWORD PTR SS:[EBP+8]
77D66607 E8 BF1AFEFF CALL USER32.GetDlgItem
77D6660C 85C0 TEST EAX,EAX
77D6660E 0F84 162C0200 JE USER32.77D8922A
77D66614 FF75 14 PUSH DWORD PTR SS:[EBP+14]
77D66617 FF75 10 PUSH DWORD PTR SS:[EBP+10]
77D6661A 50 PUSH EAX
77D6661B E8 DB19FEFF CALL USER32.GetWindowTextA
77D66620 5D POP EBP
77D66621 C2 1000 RETN 10

First line should be red and that means that Olly had put bp on that address.

How Olly sets breakpoints? What is breakpoint at all? Olly uses INT3 = CC (hex) interrupt to put bp (probably others debuggers too), so Olly substitutes byte at 77D665FE (which is original 55) with CC in memory. When program reaches CC byte, it stops and windows give control to debugger. So altough you see 55 in Olly, actualy in memory is on that place CC.

So our crackme somehow checks did we placed bp on some API functions. How? Reastart crackme in Olly and find this place:

00401124 . 68 97314000 PUSH crackme7.00403197 ; /ProcNameOrOrdinal = "GetDlgItemTextA"
00401129 . FF35 30324000 PUSH DWORD PTR DS:[403230] ; |hModule = NULL
0040112F . E8 88010000 CALL <JMP.&KERNEL32.GetProcAddress> ; GetProcAddress
00401134 . 8038 CC CMP BYTE PTR DS:[EAX],0CC
00401137 . 75 05 JNZ SHORT crackme7.0040113E
00401139 .^E9 F9FEFFFF JMP crackme7.00401037

You see, crackme will call GetProcAddress APA. That API will return address of "GetDlgItemTextA" API function to EAX register. Then, at line 401134, it will compare BYTE value at [EAX] address (our API) with CC. If Olly has placed bp on our API, on this place will be then CC byte value (which is INT3=our breakpoint) and crackme will know that so it will procede to JMP crackme7.00401037 that throw us to BadBoy message. Check others usable API's like, GetDlgItemInt and MessageBoxA, and you'll see that crackme checks them too.



There is one more interesting thing here: check where bad jump JMP crackme7.00401037 is throwing us:

00401035 . 68 056A0068 PUSH 68006A05
0040103A . 15 30400068 ADC EAX,68004030 ; |
0040103F . 76 31 JBE SHORT crackme7.00401072 ; |
00401041 . 40 INC EAX ; |
00401042 . 006A 00 ADD BYTE PTR DS:[EDX],CH ; |
00401045 . E8 60020000 CALL <JMP.&USER32.MessageBoxA> ; MessageBoxA
0040104A > 50 PUSH EAX ; /ExitCode
0040104B . E8 60020000 CALL <JMP.&KERNEL32.ExitProcess> ; ExitProcess

As you can see, there are no address 401037 ?!? Ansver is simple and it's called "obfuscation". That is one more trick that modern protectors use, of course in much bigger rate. First two bytes at 401035 are usles and they will never be executed too, so replace them with 9090 so you can get clear picture:

00401035 90 NOP
00401036 90 NOP
00401037 > 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
00401039 . 68 15304000 PUSH crackme7.00403015 ; |Title = "Crackme 7"
0040103E . 68 76314000 PUSH crackme7.00403176 ; |Text = "Please unload debugger :("
00401043 . 6A 00 PUSH 0 ; |hOwner = NULL
00401045 . E8 60020000 CALL <JMP.&USER32.MessageBoxA> ; MessageBoxA
0040104A > 50 PUSH EAX ; /ExitCode
0040104B . E8 60020000 CALL <JMP.&KERNEL32.ExitProcess> ; ExitProcess

Is this better ?

There is simple way to bypass this checks. You can set in Command Line plugin "bp GetDlgItemTextA+1" breakpoint. That will set bp on 77D665FE+1=77D665FF address in memory, ie. on second instruction in API.




2.4 Breakpoints in crackme - check

If you set bp in crackme, for example, on this line

0040123C > 6A 64 PUSH 64 ; /Count = 64 (100.)
0040123E . 68 CC314000 PUSH crackme7.004031CC ; |Buffer = crackme7.004031CC
00401243 . 68 BB0B0000 PUSH 0BBB ; |ControlID = BBB (3003.)
00401248 . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
0040124B . E8 54000000 CALL <JMP.&USER32.GetDlgItemTextA> ; GetDlgItemTextA

you will also get bad message when you enter name/serial and press check button. Reason is here:

004010DD . 60 PUSHAD
004010DE . BF 11114000 MOV EDI,crackme7.00401111
004010E3 . B9 92124000 MOV ECX,<JMP.&USER32.DestroyWindow> ; Entry address
004010E8 . 2BCF SUB ECX,EDI
004010EA . B0 CC MOV AL,0CC
004010EC > F2:AE REPNE SCAS BYTE PTR ES:[EDI]
004010EE . 75 0F JNZ SHORT crackme7.004010FF
004010F0 . FF05 00304000 INC DWORD PTR DS:[403000]
004010F6 . B9 92124000 MOV ECX,<JMP.&USER32.DestroyWindow> ; Entry address
004010FB . 2BCF SUB ECX,EDI
004010FD .^EB ED JMP SHORT crackme7.004010EC
004010FF > 833D 00304000 >CMP DWORD PTR DS:[403000],5
00401106 . 74 05 JE SHORT crackme7.0040110D
00401108 .^E9 2AFFFFFF JMP crackme7.00401037

This algo will count how many there are CC bytes from 401111 to 401292 address and if there are different number of them than 5, it will jump at JMP crackme7.00401037 bad massage. That means, that in code between those addresses there are 5 CC bytes by default. Their purpose is not important to us (3 of them are parts of that breakpoints checks, 2 are used in some addresses), but if we place bp in that range, this algo will find it and count it, so final number will be bigger than 5 and crackme will find that something is wrong. To trick this check, just patch last bad boy jump JMP crackme7.00401037 with NOP's.


There is one more debugger check, but we will meet it while traing to find serial number, so we are going to keygening now.




3. KEYGENING


Crackme has two well known API's which uses to get informatin from user: GetDlgItemTextA and GetDlgItemInt.

GetDlgItemTextA - this one will take our name from window.

GetDlgItemInt - this one will take our serial. This API purpose is to retrieve numeric value from window so our serial must have only decimal digits. That API will return that number to EAX register. Also, if numeric value is greater that 4294967295 (that is in hex FFFFFFFF, one double word - size of one register) , to EAX register will be returned zero value. Conclusion is that serial must be some numeric value betveen 0 and 4294967295.


Address 40123C is place where crackme reads serial and name so place bp on 40123C, run crackme, enter haggar/12345 for name/serial and press check button. Olly will stop on our bp and now we can analyze what crackme is doing:

00401261 MOV DWORD PTR DS:[403008],EAX ; EAX=3039(hex)=12345(dec) - our serial number is placed in memory
00401266 XOR ECX,ECX
00401268 MOV ESI,0DEE1 ; To ESI is given some initial value.
0040126D XOR EAX,EAX
0040126F MOV AL,BYTE PTR DS:[ECX+4031CC] ; AL= char from our name which is placed on 4031CC address.
00401275 OR AL,AL
00401277 JNZ SHORT crackme7.0040128A ; If AL<>0 it will jump to some calculations below.
00401279 OR ECX,ECX
0040127B JNZ SHORT crackme7.0040127F ; In case that we didn't enter name,
0040127D JMP SHORT crackme7.00401215 crackme will show no message box.
0040127F MOV DWORD PTR DS:[403004],ESI ; Placing calculated value to this address.
00401285 JMP crackme7.00401181 ; After algo is over, it jumps to last debug check.
0040128A ADD ESI,EAX ; It will add char value to initial value in ESI (some sum).
0040128C INC CL ; CL is counter of characters.
0040128E XOR ESI,EAX ; summ=summ xor char
00401290 JMP SHORT crackme7.0040126F ; Loop again.


Algorithm is:

1. ESI= 0DEE1
2. ESI= (ESI + character) XOR character
3. Loop to 2. for all name characters.

This is the first part of algo. After all characters are procesed, algo is continuing at 401181:

00401181 PUSH crackme7.00403244 ; /pSystemTime = crackme7.00403244
00401186 CALL <JMP.&KERNEL32.GetSystemTime> ; GetSystemTime
0040118B MOV EAX,crackme7.00403252
00401190 MOV BX,WORD PTR DS:[EAX]
00401193 MOV EAX,crackme7.00403242
00401198 MOV CX,WORD PTR DS:[EAX]
0040119B SUB BX,CX
0040119E CMP BX,5
004011A2 JBE SHORT crackme7.004011BE
004011A4 MOV EBX,DWORD PTR DS:[403008]
004011AA XOR EBX,ESI
004011AC SUB ESI,EBX
004011AE OR ESI,ESI
004011B0 JNZ SHORT crackme7.004011B7
004011B2 MOV EAX,1
004011B7 JMP crackme7.00401037

This is the last anti-debug check and I'll explain it after serial, so for now just pass it, be sure to execute JBE at 4011A2 or you will fail to pass this check. You will jump at second part of algo:

004011BE MOV EAX,DWORD PTR DS:[403008] ; EAX=my serial 12345, only in hex form 3039h
004011C3 SHL EAX,4 ; EAX=EAX*10
004011C6 ADD EAX,0DEAD ; EAX=EAX+DEAD
004011CB ROL EAX,2 ; EAX=EAX ROL 2
004011CE CMP EAX,DWORD PTR DS:[403004] ; compare EAX with that value calculated from name
004011D4 JNZ SHORT crackme7.004011DD ; If values are not equal, jump to bad boy
004011D6 MOV EAX,1
004011DB JMP SHORT crackme7.004011DF ; else jump/procede to good one
004011DD XOR EAX,EAX
004011DF CMP AL,1
004011E1 JNZ SHORT crackme7.004011FE

Crackme calculates some sums from name and serial,then it compares them and if they are equal, we have good serial. How we going to get right serial? We have two choices; to reverse it, or to brute it. Both are very easy, but for some names serial numbers doesn't exist. That includes my nickname "haggar". Now, let we see how keygen algorithm should go:


[1] First we take name algo:

1. x= 0DEE1
2. x= (x + character) XOR character
3. Loop to 2. for all name characters.

[2] Then we reverse serial algo:

4. x= x ROR 2
5. x= x - 0DEAD
6. x= x/10
7. x= serial in hex, just transform it to decimal.


That's it! x is size of one register.

This is C++ source for simple keygen. If serial given by this kegen doesn't work, that's because serial doesn't exist for that name.


#include<iostream>
#include<stdlib.h>
#include<string.h>
using namespace std;
int main()
{
unsigned long int i,l,x,y;
char Name[200];
cout<<" User name: ";
cin.get(Name,200);
l=strlen(Name);
x=57057;
for(i=0;i<l;i++){ x=(x+Name[i])^Name[i]; }
x=(x/4)+(x<<30);
x=x-57005;
x=x/16;
cout<<" User code: "<<x<<"nn ";
system("pause");
return 0;
}




And finally, we have to analyze last anti-debug check, but let this be for your homework. I will just give you a tip: crackme checks time before taking user information from dialog box, it calculate ESI value from our name, then again checks time and calculates how big is difference, and if it's bigger than he expects, it will find out that somebody has been checking it's code.


That's all from me.

[Morteza_SOS]

Level : newbie

Dumping a process and rebuilding the IAT with ImpRec.

Hello all!

I know this isn't the last version of this packer but... I think v0.75 is out.

Anyway, here we go:

Tools needed:

- OllyDbg v1.10 + OllyDump
- ImpRec 1.6 FiNAL

**********************************
UNPACKING
**********************************

After we load packed app in Olly we're here:



00408000 > 60 PUSHAD
00408001 E8 00000000 CALL packed.00408006
00408006 5D POP EBP
00408007 81ED F31D4000 SUB EBP, packed.00401DF3
0040800D B9 7B090000 MOV ECX, 97B
00408012 8DBD 3B1E4000 LEA EDI, DWORD PTR SS:[EBP+401E3B]
00408018 8BF7 MOV ESI, EDI
Now we set a BP on .code section of our process and we press Shift+F9. We are here:
004086CD 8B17 MOV EDX, DWORD PTR DS:[EDI]
004086CF 81F2 13151415 XOR EDX, 15141513
004086D5 8917 MOV DWORD PTR DS:[EDI], EDX
004086D7 83C7 04 ADD EDI, 4
004086DA 83C0 FC ADD EAX, -4
004086DD ^ EB E9 JMP SHORT packed.004086C8
004086DF C9 LEAVE
004086E0 C2 0400 RETN 4
Now we set a BP on RETN and press F9. Execute RETN and we are here:
00408312 E8 01000000 CALL packed.00408318
00408317 6A 8B PUSH -75
00408319 75 68 JNZ SHORT packed.00408383
0040831B 8B5D 3C MOV EBX, DWORD PTR SS:[EBP+3C]
0040831E 03F3 ADD ESI, EBX
00408320 33C0 XOR EAX, EAX
00408322 50 PUSH EAX
Now we again set BP on .code section and press Shift+F9. We should be here:
00401416 55 DB 55 ; CHAR 'U'
00401417 8B DB 8B
00401418 EC DB EC
00401419 6A DB 6A ; CHAR 'j'
0040141A FF DB FF
0040141B 68 DB 68 ; CHAR 'h'
0040141C E0 DB E0
0040141D 50 DB 50 ; CHAR 'P'
0040141E 40 DB 40 ; CHAR '@'
After we press Ctrl+A we get this code:
00401416 . 55 PUSH EBP
00401417 . 8BEC MOV EBP, ESP
00401419 . 6A FF PUSH -1
0040141B . 68 E0504000 PUSH packed.004050E0
00401420 . 68 0C204000 PUSH packed.0040200C ; SE handler installation
00401425 . 64:A1 0000000>MOV EAX, DWORD PTR FS:[0]
0040142B . 50 PUSH EAX
0040142C . 64:8925 00000>MOV DWORD PTR FS:[0], ESP
Yup, looks like standard VC++ progie.

Anyway, we dump the process WITHOUT import rebuilding option checked.
We have to do fix IAT manually.

Now, i think u all know how to work with ImpRec.

After we clicked on Show Invalid button, Imprec gives us this info:
Current imports:
0 (decimal:0) valid module(s)
35 (decimal:53) imported function(s). (added: +35 (decimal:+53))
(1A (decimal:26) unresolved pointer(s)) (added: +1A (decimal:+26))
So, we have 26 invalid pointers.

Easy way to fix:

Rightclick on first invalid pointer, select Dissasemble / HEX View:

00173517 68 F294E677 PUSH kernel32.GetEnvironmentStringsA
0017351C ^ E9 CFFFFFFF JMP 001734F0
Heh, so the first import is GetEnvironmentStringsA.

Repeat the above procedure untill u have fixed all bad pointers.

Save the new IAT in dumped file and run it!.

It WORX!

Have phun!

[Morteza_SOS]

Level : newbie

Serial fishing for kito's keygenme2 using Ollydbg. (Breaking on API call)

Well this is about the fastest way that you can get a serial for the name that you input (well, shy of using a keygen). Now, that being said I am only writing the tutorial on getting the key for your name, not writing a keygen as I have never done that... yet.

I used two programs:
PEiD
OllyDbg

Download the KGNME2-KiTo.rar from this site, coded by Kito here

Step One:
Unzip it onto your desktop (in a folder), and make a backup in a new folder. Open PEiD and drag the exe file onto it to see what kind of protection that we are dealing with... Looks like there is none, coded in VC++, so that is good.

Step Two:
Go ahead and right click on the file and open in OllyDbg (if you don't have this option open OllyDbg and goto Option->add to Explorer). Once in OllyDbg hit F9 to run the exe, it asks for a name and a serial, enter anything into those textareas and then hit check... "Bad Boy!" message comes up. Hmmm... what do we do now? Go ahead and close the exe file (not OllyDbg, though) and then hit CTRL+F2 (this will reload the exe file).

Now go down to the Executeable modules window (the one with the blue E in the upper left corner) if you don't see it click on the "E" in the toolbar to open that window. Find the exe file in that list (should have about five things in it for this exe: KGNME2-K, USER32, GDI32, kernel32, and ntdll). You are looking for KGNME2-K. Right click on that name and select view names (or hit Ctrl+n). The names window will pop up and this time (not always this many names, but oh well) now I know from experience that lstrpcmpA will almost always give me the inputed bad key that I put in, and the real one that the computer generates based on the name that I put in. I go through the list and find it about 42 lines down... good. Right click on it and select: Toggle Breakpoint on Import.

Now hit F9 to run the program... it opens up behind OllyDbg, so Alt+Tab to pull it to the front. Enter the username of your choice, I will use warezhog. Now enter a fake Serial: I will use 123456.

Now hit the check button and see where the program breaks: COOL!!! if you look in the CPU main thread window (with the blue C in the upper left corner) down in the lower right side of that window you will see:

0012F974 004010E9 /CALL to lstrcmpA from KGNME2-K.004010E3
0012F978 0012F9C8 |String1 = "1164527"
0012F97C 0012F9A8 String2 = "123456"

Hmmm... as I told you before, was going to use 123456 as my fake serial, what is the other one that is sitting there? I would be willing to bet that it is the serial that the computer generated based on the name that I put in. Go ahead and copy down what it says in the String1 space (1164527 in my case).

Now hit CTRL+F2 to reload the exe file (it should pop-up saying that a Process is still active, that's fine, just click Yes). Let's try to run this without breakpoints to see how it runs. Hit F9 to run it and enter the same username as last time: warezhog (for me) and the serial that you found: 1164527 (in my case) now hit check... HELL YEAH!!! that is cool, it worked!

Well, I have never written a keygen so I am going to look into that now.

I hope that you have learned something from this. Not sure about you but I really just enjoy cracking keygenme's and crackme's I am not interested in the non-legal side of it. So, have fun and learn learn learn.

Warezhog

[Morteza_SOS]

Level : newbie

Serial fishing using Ollydbg. (For absolute newbies only)

Well, this whole crackme should take you about one minute to crack.

I used two programs:
PEiD
OllyDbg

I remeber doing this crackme a while ago when I first started screwing around with debuggers and such. I think it was harder for me then, but who knows.

Well, download the vault.exe here and save it to your desktop (that is where I usually work on files because of its ease of location). Then make a backup in another folder (always make a backup).

Step One:
Drag the exe file into PEiD to see if there is any sort of protection... Nope, it is pure Assembly so we are good to go.

Step Two:
Right click on the vault.exe file and select open with OllyDbg (if you don't have this option, then open OllyDbg and go to Options->Add to Explorer)
This will open the exe in the program. Hit F9 to run the program (you may need to Alt+Tab to pull the program to the front after it is run), it will ask you for the name and the key. Enter anything in there and you will see it says: "No Access!"
Well, that is no good. Go ahead and close the exe and hit Alt+F2, this will reload the program. Now go to the CPU menu in OllyDbg (that is the big one with the Blue C in the upper left hand corner of it) and right click anywhere and go to: Search for-> All referenced text strings.

That should pop up a window that shows about 6 strings total. The first two seem interesting:

Robin Banks
8dS#9d2?@$

Hmmm... that seems odd. The first one looks like a name and the second one looks like a key.

Let's copy those down on a piece of paper or copy and paste them into a notepad file. Then hit F9 to run the program again, put: Robin Banks in the name area and: 8dS#9d2?@$ in the key area. What do you know?!! It Worked!!

I know that this is about as easy as we can get, but hey, you gotta start somewhere. There is an even easier way to get the serial and name, but I will save that one for my next tutorial on an actual generated serial.

Warezhog






















Well warezhog beat me to it, but here is a little more detailed way of understanding where that code comes from and how its compared to user input:

You can get to the important code below by either just skimming the code (since the file is so small) or by breaking on GetDlgItemTextA, lstrcmpA, MessageBoxA, etc:

00401069 CALL <JMP.&USER32.GetDlgItemTextA> ; get input from name textbox
0040106E PUSH vault.00403000 ; push your inputted name
00401073 PUSH vault.00403040 ; push "Robin Banks"
00401078 CALL <JMP.&KERNEL32.lstrcmpA> ; compare 2 strings
0040107D OR EAX,EAX ; result = 0 if equal
0040107F JNZ SHORT vault.004010BA ; if not equal (EAX = 1) jump to 004010BA
00401081 PUSH 20 ;
00401083 PUSH vault.00403020 ;
00401088 PUSH 0BB9 ;
0040108D PUSH DWORD PTR SS:[EBP+8] ;
00401090 CALL <JMP.&USER32.GetDlgItemTextA> ; get input from key textbox
00401095 PUSH vault.0040304C ; push "8dS#9d2?@$"
0040109A PUSH vault.00403020 ; push your inputted key
0040109F CALL <JMP.&KERNEL32.lstrcmpA> ; compare 2 strings
004010A4 OR EAX,EAX ; result = 0 if equal
004010A6 JNZ SHORT vault.004010B1 ; if not equal (EAX = 1) jump to 004010B1

If you take the JNZ at 0040107F you land here

------------------------------------------------------
004010BA |> C605 9E304000 >MOV BYTE PTR DS:[40309E],0
004010C1 |> 803D 9E304000 >CMP BYTE PTR DS:[40309E],1
004010C8 |. 75 1D JNZ SHORT vault.004010E7

This verifies 0040107F is a badboy jump because it always moves 0 in and then compares to 1, which will never be equal, hence 004010C8 will always execute the jump to the badboy msg.

The same situation can be seen for the 004010A6 jump:

-------------------------------------------------------
004010B1 |> C605 9E304000 >MOV BYTE PTR DS:[40309E],0
004010B8 |. EB 07 JMP SHORT vault.004010C1

004010C1 |> 803D 9E304000 >CMP BYTE PTR DS:[40309E],1
004010C8 |. 75 1D JNZ SHORT vault.004010E7

This jump leads to another compare which will always never be equal and force 004010C8 to jump to the badboy message.

So we know that our username must be "Robin Banks" and our key "8dS#9d2?@$"

To verify this works (besides just entering it in and looking at the msgbox) you can look at the code:

004010A6 |. 75 09 JNZ SHORT vault.004010B1 ; not taken (look above)
004010A8 |. C605 9E304000 >MOV BYTE PTR DS:[40309E],1
004010AF |. EB 10 JMP SHORT vault.004010C1

004010C1 |> 803D 9E304000 >CMP BYTE PTR DS:[40309E],1
004010C8 |. 75 1D JNZ SHORT vault.004010E7

We see that yes 1 goes in, its compared to 1, and this JNZ will not JUMP! And guess what's below...

A messagebox asking us how we got in

Hope this helps some new people in the cracking world

-thorpe

[Morteza_SOS]

Level : beginner

Removing encrypted unregistered strings, and provide an inline patch for this target.



Multimedia Builder 4.9.0.1

Intro

Tools used:

SoftIce Driver Studio 2.6.0 under Windows 5.1,

WDasm 8.93,

Hiew 6.04 (can be any hexeditor),

UPX v.1.24 (for unpacking only)

Overview
A Windows-based multimedia authoring system that allows you to create autorun CD menus, Multimedia Applications on CD-ROM, Demos, Presentations, MP3 players and much more. The software is great for beginners as well as for advanced users. MB creates small stand-alone Windows exe applications and has all the bells & whistles you will ever need. You will love this easy-to-use, intuitive software.

Program homesite: hxxp://www.mediachance.com

Tutorial author: Wizard

Playing with registration information
Run MMB. Go into its menu Help/About... Push "Enter Reg Code" button. Now you can see three boxes: Name, Code, MP3 unlock code. Each of them must be filled with correct data. So, you can simple do a bpx GetWindowTextA and find out what all these Name & Codes are. You can make sure how simple to find them by yourself. The algorithm is quiet simple, even funny for such kind of program. Here it is:

1) The "Name" field may consist of any symbols, but it must contain "@" symbol anyway. It's for the first look only. But it must be exactly this: "cokebo@thebrabo" and no symbols more or less. Both those strings can be found in main MMB file (MMBuilder.exe) as "obarbeht" and "obekoc", the "@" symbol will be added in memory.

2) The "Code" field consists of next three things: "1-" + "xxxxxx" + "CRC", where first two symbols're constant, the next six're any numbers (you can use random generator), and the rest three're simple checksum, which is the sum of previous eight symbols, including "1-" and xes (six numbers). For example a valid code will be "1-123456-403", 403 is decimal representation of CRC: 31h+2Dh+31h+32h+33h+34h+35h+36h=193h=403.

3) The "MP3 unlock code" field. It's just a field on the form, which gets a string from user and it saves it registry. It doesn't even compare it with anything. That's a trick!


First impression
Having playing a while with these parameters I thought that I found a correct registration information. Yes it is so. But all that registration information I found is a fake. This conjecture can be proved very simple. Just click the icon second from the right of the panel, which's under the main menu. The hint of that icon says: "Compile and Run". As you can see the annoying string below the form, which says: "Created with unregistered version of Multimedia Builder". This's the first problem. The second problem is same, but for the final compilation, when you choose File/Compile... and then press Ok button & run it, we have the same bullshit.

All above said means that program ain't registered yet, maybe author too smart, maybe cracker too stupid, I don't know, anyway it generates executable files with yellow inscription. So, what we gonna do in this case? Let's look at directory, when the main program is situated in. After a little investigation we can see the program (MMBuilder.exe) is written in MS Visual C++ language and not packed. But one interesting we can look on, it's "Player" directory, where situated files "Player.bin", "Player.exe" and "ecard.bin". All those files're packed with UPX v.1.24. There's need to be a prophet to suppose that "Player.bin" file concatenates to each compiled executable. The other two files are also in use. "Player.exe" is just a stand-alone player, which plays .mbd-files from commandline. "ecard.bin" is for E-cards generation. E-Card is a smaller stand-alone executable, which you can send to somebody via e-mail. The most important thing for e-card is the size, because it takes a while when you download files with e-mail client. For more information you can refer to MMB help.


Keep on digging
Make a copy of the original file, e.g. do "copy autorun.exe autorun.old".
Let's find out how to remove this yellow string from a project form. Compile a new empty project (File/Compile.../Ok). Now we have a working executable file with yellow string at the bottom of the form. Unpack the exe file with "upx -d ", e.g. "upx -d autorun.exe". We do it, because disassembler won't work on a packed file. Disassemble it with WDasm. Look at the import functions list. What do you see, nothing interesting, except some functions from GDI32.dll (a cut from WDasm list):

Addr:0010DBCC hint(0000) Name: CreateFontA

Addr:0010DC8A hint(0000) Name: GetTextExtentPoint32A

Addr:0010DD52 hint(0000) Name: BitBlt

And many others. All they are seem so familiar to us, eah? First time I took BitBlt function, but after I traced the code once again, I saw there CreateFontA function. So do a "bpx CreateFontA". Run our unpacked project. SI will pop-up. Trace till this place:

00448F0F: 52 push edx
00448F10: 8BF8 mov edi,eax
00448F12: E87EF30800 call 004D8295
[1] 00448F17: 8D44241C lea eax, dword ptr [esp+1C]
00448F1B: 8BCE mov ecx,esi
00448F1D: 50 push eax
[2] 00448F1E: E89DFCFEFF call 00438BC0
00448F23: 8B00 mov eax,dword ptr [eax]
00448F25: 8D542424 lea edx,dword ptr [esp+24]
00448F29: 52 push edx

[1]: As you can see eax points to the crypted magic string, which looks exactly like this:

ASCII !thhqjwE$fjfhqnunxQ%gq#rtjuui{!fhvjuulkjspx$mukz$i fvdiwD"
HEX 21 74 68 68 71 6A 77 45 24 66 6A 66 68 71 6E 75 6E 78 51 25 67 71 23 72 74 6A 75 75 69 7B 21 66 68 76 6A 75 75 6C 6B 6A 73 70 78 24 6D 75 6B 7A 24 69 66 76 64 69 77 44 22


Trace along till [2], in here the magic string will be totally decrypted. Let's get into the call. Trace till here:


[1] 00438BDA: 33F6 xor esi,esi ; assigns zero to esi
... ... ... skipped
00438C04: 8B442428 mov eax,dword ptr [esp+28]
00438C08: BB01000000 mov ebx,00000001 ; starts from first symbol
[2] 00438C0D: 3970F8 cmp dword ptr [eax-08],esi ; compares a string length with 0, because esi here's ALWAYS zero
00438C10: 7E4F jle 00438C61 ; jumps over the decryption routine
00438C12: 8B0DACA05200 mov ecx,dword ptr [0052A0AC]
00438C18: 894C240C mov dword ptr [esp+0C],ecx
[3] 00438C1C: 8A0406 mov al,byte ptr [esi+eax] ; moves to al next symbol
00438C1F: 8D4C240C lea ecx,dword ptr [esp+0C]
[4] 00438C23: 2AC3 sub al,bl ; subtracts value from symbol code
... ... ... skipped
00438C39: E8FAFC0900 call 004D8938 ; adds symbol to the end of a new string
[5] 00438C3E: 43 inc ebx ; eax contains a pointer to a new string
00438C3F: 83FB05 cmp ebx,00000005 ; for each 5 symbols
[6] 00438C42: 7E05 jle 00438C49
00438C44: BB01000000 mov ebx,00000001 ; drops the value
... ... ... skipped
00438C5C: 3B70F8 cmp esi,dword ptr [eax-08]
[7] 00438C5F: 7CB1 jl 00438C12 ; is all symbols encrypted
00438C61: 8D4C2408 lea ecx,dword ptr [esp+08] ; [esp][8] cell contains a pointer to a new string
[8] 00438C65: E823FE0900 call 004D8A8D ; last decryption routine

The decryption algorithm of the magic string is simple. According to [3]..[7] it can be described as follow:

Original ASCII !thhqjwE$fjf... ...and so on till string ends
HEX 21 74 68 68 71 6A 77 45 24 66 6A 66...
Subtract HEX 01 02 03 04 05 01 02 03 04 05 01 02...
Result HEX 20 72 65 64 69 6C 75 42 20 61 69 64...

Now we have half decrypted string, which looks like this:

ASCII rediluB aidemitluM fo noisrev deretsigernu htiw detaerC
HEX 20 72 65 64 69 6C 75 42 20 61 69 64 65 6D 69 74 6C 75 4D 20 66 6F 20 6E 6F 69 73 72 65 76 20 64 65 72 65 74 73 69 67 65 72 6E 75 20 68 74 69 77 20 64 65 74 61 65 72 43 20


The last step of decryption is [8]. If you'll trace that call you find out what that routine reverses the whole string, e.g. was 'tset', will be 'test'. According to that rule our string now should look like this:

ASCII Created with unregistered version of Multimedia Builder
HEX 20 43 72 65 61 74 65 64 20 77 69 74 68 20 75 6E 72 65 67 69 73 74 65 72 65 64 20 76 65 72 73 69 6F 6E 20 6F 66 20 4D 75 6C 74 69 6D 65 64 69 61 20 42 75 6C 69 64 65 72 20


It's now fully encrypted and gonna be showed on the form. To predict it you can find the magic sequence in file and patch it according to algorithm like this:

Original Replaced
20 43 72 65 61 74 65 64 20 77... 00, 01, 02, 03, 04, 00, 01, 02, 03, 04, and so on for all 57 characters

But the most easiest way to do it is patch of [1]:

The patch table

Original Replaced
00438C0D: 3970F8 cmp dword ptr [eax-08], esi 8970F8 mov dword ptr [eax-08],esi
00438C10: 7E4F jle 00438C61 EB4F jmp 00438C61

This path allow the program to jump over decrypting routine, and also it replaces string length to zero, which's use in next routines after the last decryption call. The main part of cracking is over. All we have to do now is an executable patch. But don't forget about one little thing - the program is packed. This is not so terrible as it looks like, because executable packed with UPX and we can patch it very simple.

Making an inline patch
Overwrite backup copy to original file, e.g. autorun.old to autorun.exe. Now open file in your favourite hexeditor. We're gonna search the instructions, where the packer gives over the control to unpacked routine. But before it our patch will make our business.

Let's search for last unpacker code, it should look like this:

Operation code Mnemonics
61 popad
E9XXXXXXXX jmp XXXXXXXX
0000 add [eax],al
0000 add [eax],al
... ...

So, we're gonna search for two bytes: 61,E9. As a rule those bytes are always somewhere at the end, and you can search till your hexeditor won't say: "Target not found" (it's from Hiew) or something like that. After you find those two instructions you'll see a lot of zeroes below the last instruction. If they're there that means you found correct address, if they aren't there, then keep on searching.

I've found those bytes in autorun.exe at address: 00079C3B. By the way, if you're cracking version 4.9.0.1, then your autorun.exe must be exactly 509,545 bytes long and as follow all addresses will be the same.

The representation of what I've found in executable:

00079C2A: 09C0 or eax,eax
00079C2C: 7407 je 000079C35
00079C2E: 8903 mov [ebx],eax
00079C30: 83C304 add ebx,004
00079C33: EBD8 jmp 000079C0D
00079C35: FF96B8421800 call d,[esi][0001842B8]
00079C3B: 61 popad
00079C3C: E92DEAF3FF jmp 0FFFB866E
00079C41: 0000 add [eax],al
00079C43: 0000 add [eax],al
... ... ... and so on zeroes continue

Below the "popad" instruction you can see "jmp 0FFFB866E", remember or better write it address to a paper.

Now we're gonna add a patch to executable according to the patch table from address that I was marked with blue.

The final crack should look like this:

00079C3C: C6050D8C430089 mov b,[000438C0D],089 mov dword ptr [eax-08],esi
00079C43: C605108C4300EB mov b,[000438C10],0EB jmp 00438C61
00079C4A: E91FEAF3FF jmp 0FFFB866E jump to OEP

Now you can run the application. Behold! It runs without the annoying message. We did crack only for our project. And now we've to crack "Player.bin", because you can always find it in any generated file, e.g. our autorun.exe. So if we'll patch "Player.bin" file, all generated files run without the nag string.

Patching the program files
Let's go to the "Player" directory.

Player.bin.

Make a copy of "Player.bin". Unpack a copy. Find our magic bytes in it: 39,70,F8,7E, but without 4F. Those bytes're marked with red in the "Original" column of the patch table. I've found it at address 00038C0D in file, that means the address we're gonna specify as the memory patch address, it'll be 00038C0D + ImageBase = 00038C0D + 00400000 = 00438C0D. You can kill a copy. Now search in packed file another magic sequence, which is: 61,E9. The address is 00079C3B. Remeber the jump address, it's 0FFFB866E. Believe it or not, but the patch will be ABSOLUTELY THE SAME as the above table. Actually there's nothing amazing in that, because as I said already this file is a part of any compiled project.

Player.exe.

The address to patch in memory is 00038F0D + IB = 00438F0D.

All in patch will be the same, except addresses. Check it out:

00079AEC: C6050D8F430089 mov b,[000438F0D],089
00079AF3: C605108F4300EB mov b,[000438F10],0EB
00079AFA: E9AFEAF3FF jmp 0FFFB85AE

Comment: even if this ain't showing the nag, it contains it, so how do you think what for?

ecard.bin.

The address to patch in memory is 00024597 + IB = 00424597.

The inline patch:

00050DBC: C6059745420089 mov b,[000424597],089
00050DC3: C6059A454200EB mov b,[00042459A],0EB
00050DCA: E97171F8FF jmp 0FFFD7F40

Comment: to get this file type you've got to go to File/Compile.../Choose "E-card" radio button/press Ok.

The final step
Run MMB (if not running). Press "Compile and Run" button. It's still show the yellow string. Close MMB (if it runs). Open its executable (MMBuilder) with a hexeditor. Search 39,70,F8,7E. I've found those bytes at addresses 0002D5FA, 00031C0D and 000D438D.

Merde!!! The magic piece of code is in the three places and it's exactly the same. What does it mean? It means the program author did a smart move. He made three inline copies of the magic decryption procedure. So, patch them all directly to be sure no more thricks will arrive during the user work. As you can see the file is naked (it ain't packed at all), and we can patch it directly.

The patch itself:

0002D5FA: 8970F8
0002D5FD: EB51
00031C0D: 8970F8
00031C10: EB4F
000D438D: 8970F8
000D4390: EB4F

After you patch the program, run it. Press the sneaky button, I guess now it isn't sneaky anymore, because it runs well without any annoying message below the form. Also you can check File/Compile...(choose Full or E-card type), press Ok, run it. Everything runs well without nag.

Are we done? Yes we are! We finally did it. Welldone! That means our essay is over.

[Morteza_SOS]

Level : newbie

Patching the vault crackme that is meant for people just starting out with reversing.





Eiy0w Cr4ck3rs 0ut ThuR!!!

Yup, this tut came a little late..but I do believe that its not yet too late.
I know, by the time that Im typing this tute, there are still hopeful newbies out there who are aspiring to become Crackers,/Reversers.

The reason that I wrote this tute is because I find the solutions for vault.exe crackme thats currently available is quite difficult to understand for a newbie.. (Well.. Im also just a newbie..). Especially to those who are just starting, trying to look for nice crackme's to practice on. Instead of learning something, they find themselves lost not just in the codes but also in the tutorials as well, because the tuts were vaguely written and can only be understood by the experienced. Im not saying that i have the best tut for this cracme..and I have nothing against the authors of the previews tuts of the said crackme either.. Im just hoping to keep the Cracking/Reversing World alive and active by educating the starters in a more, at least, comprehensive way..

I do hope that I made a clear point here...

So I made my own version of the solution, made it more detailed, hoping that the newbies could easily get what I am saying in this tut.

So this tut is really intended for the newbies of the Cracking world. For advanced crackers... well...
You may not have the need to read this tut anymore..

Tools youll need:
* A Computer ---> (Of course... geez...)
* W32Dasm v. 8.xx or higher ---> (You can get this anywhere on the net...)
* Hackers View (Hiew) v. 6.xx or higher ---> (Theres plenty on the net too...)
* Your full attention.. Yup, give your attention to this tut till the end..

Knowledge on how to use W32Dasm and Hiew is a need. So I assume that you, well, at, least, have a little knowledge on how W32Dasm and Hiew work.

The CrackMe:
* vault
* The info.txt file says that we should find the correct Name and Key for this crackme.
But I made a little twist here. We are not goin to find the correct Name and Key, but make any Name and Key to be recognized as a correct Name and Key! & that is called Reversing the code.. Hehie.. confused already?! I hope not... ;-]

Well be dealing with Assembly codes here, so for you newbs, if you dont know nothin about it yet, I suggest you study about it first, so that we will have no difficulty in understanding the terms that Im gonna be using in this tut. Read more files about Assembly and related topics for your dose of infos. Yup, youll really have to read read read read read...
If youre too lazy for that, then cracking/reversing is not for you...

For those who already know, good for you.. youre one step closer to knowledge..
There are still hundreds and thousands of steps though.. ;-]

Okay.. Enough with the talking.. Lets Crack!

* We will be altering the codes of the crackme, so I personally suggest that you backup the original file so that you will still have a spare file just in case you messed with the default codes of the original file.
* Run "vault.exe".
* Enter any Name and Key...then click the Test button.
* An error message should pop up, saying "No Access!".
* Try to memorize that error message (Write it down in a piece of paper if you must... ;-] )
* Now run W32Dasm, and disassemble vault.exe.
* If its the first time using W32Dasm, the disassembled file will have garbage characters at first.
* To get away with this :
* In W32Dasms toolbar, click Disassemble/Font/Select Font
* I suggest Courier New, 10.
* Then save that font to default (You know how.. )
* In the toolbars of W32Dasm, click that button w/ a flashlight icon (Yup, you guessed it right...its the Find Text button.)
* Type the error message that popped up when you entered the invalid Name and Key ("No Access!").
* After pressing enter, you should land here:

Possible StringData Ref from Obj -> "No Access!"

:004010EE 6861304000 push 00403061
:004010F3 FF7508 push [ebp+08]

* Now..pay attention here.. We need to find ConditionalJumps here (Itll be quite long if I explain it here.. So as what Ive said, read more textfiles about Assembly language..).
Scroll up a few lines until you see something like this:

Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004010C8(C)

Saw that right..?

Good...

* Now scroll up a bit more and try to find the location of 004010C8.
You should stop right here:

:004010C8 751D jne 004010E7

An easier alternative for this is to click the GoTo Code Location button in the toolbars and enter the hex value.

* Notice that the clan colored highlight before now became green, that is because we are highlighting a jump.
While highlighting :004010C8 751D jne 004010E7, the status bar on the bottom part of W32Dasm should be:

Line:150 Pg 3 and 4 of 9 Code Data @:004010C8 @Offset 000004C8h in File:vault.exe

* The only thing we need to remember here is the Offset value, which is 000004C8h.
Recall: In hex notation, 000004C8h = 4C8 (I dont have to explain why right...?) ;-)
Copy that hex value on a piece of paper (..or memorize it..)..
It'll be used later..

* Now close W32Dasm (dont just minimize it, exit it! ;-] You will not be able to make changes with vault.exe if it is being used or being run by another program.. ;-] ) and run HackersView (Hiew for short..).
(I suggest you run Hiew on the same folder with the vault.exe, so that it would be easier to browse for vault.exe)

* After Hiew-ing vault.exe, you should of course see a garbage of characters. Press F4, and select Decode as your view mode. You can also press Enter to switch between the view modes. Now that you are in Decode mode, press F5 (GoTo), and type the Offset value that we got earlier. That is...4C8 (or just 4c8...its not case sensitive...)

Now lets go back to this:

:004010C8 751D jne 004010E7

Take note of the value, 751D. In Assembly language, the value 75, as well as jne, stands for jump if not equal. (1D is the number of bytes we ware going to jump down)
That means that if the Name and Key we entered is not equal to the correct one, the message box saying "No Access!" will appear, telling us that the Name and Key we entered was not the correct one. BTW: There is only one correct Name and one corresponding Key for the crackme.

* So what we are going to do is reverse the said code, we will reverse jump if not equal to jump if equal, or je.

In ASM Code:
75 = jne or jump if not equal
74 = je or jump if equal

* Using Hiew, we will replace 751D with 741D.

Doing so will make the vault recognize any Name and Key to be the correct one, and the error message will only appear if the correct Name and Key is entered.
Code Reversing...at its best! Hehie.. ;-]

Okay, back to Hiew and you (O.o? Hmm...)
Where are we again...?
Oh..Okay..

* Now on your Hiew window, press F3 (Edit), and replace 751D with 741D.
(Notice that after changing 75 to 74, jne became je...)
After typing and changing, press F9 (Update), to of course, update your new code for vault.exe.
Then press F10 (Quit), to exit Hiew. Note that you must press F10 after you are done or the changes will not take effect if you just merely clicked the X button to close Hiew.

* Awright... try to test vault.exe if our Reverse Code Engineering worked.. ;-]
Type any Name and Key.. like k5uvt0uk3 or 389utckt3u or b3re529f... etc...
You can even leave both of them blank...
Press Test...And WaLLa!! ;-]

There you go.. I hope I educated someone somewhere.. & I do hope so that you, as a newb, understood not just my instructions but as well as what was happening while we were trying to crack the vault.exe.. So that if there will be another program that uses similar protection scheme as this crackme, you will already know what to do...

And as Ive said, and what will always say, read read read read read read read...
Its one of the fastest way to learn, along with hands-on experience..

[Morteza_SOS]

Level : intermediate

Manually unpacking sdprotector 1.12 using OllyDbg.


%%%%%%%%%% SDprotector Pro Edition v1.12 Manually Unpacking Tutorial by KaGra %%%%%%%

Download SDPR at

کد:

برای مشاهده محتوا ، لطفا وارد شوید یا ثبت نام کنید

now is 1.12 pro edition the most recent ver.


Hallo,hallo.Nice talking with U again.Well,this time the victim is SDprotector.
Well,here I followed a little different approach to unpack this protector.What
I mean?HeRe it Comes...


Tools Used: Olly v1.10 and ImpRec v1.6f,Ollydump Plug,HideOlly Plug (I will not refer to it)


Well,I have checked all the Options of protection in SDprotector and protected the file.Those
options are in Options->Left part of the screen.I didn't touch anything else.

Load the exe target in Olly.In debugging options,check them all so that the execution
of the programm will not be interrupted by any exception (and then ask U to press Shift+F9
or Shift+F8 or Shift+F7 to continue).Run the exe.A messagebox appearz saying that debugger is
detected.Well it is hard to find what exactly protection against debugger this may has.
I found out that it detects a debbuger using CreateToolHelp32Snapshot to find out what windows
are open and compere them with a default string list (in the list is also Olly).It also uses
SetUnhandledException filter to find the debugger,but I really tried hard to find out how the
exception occured after the calling of this API.But I didnt find it.So I thought this:Why just
run the exe,not under Olly,and then just attach to the process?

Well,let's do so.I run the exe,a messagebox appears saying something of a demo version of
the packer (don't worry,the features we enabled for protecting this file work),and then the
screenbox of the exe process appears.Now,open Olly.Before U attach,a messagebox appears saying
that a debugger is detected,and closes the debugger.Run the exe again,and open LordPE to dump it.
Before U ever try to dump,it closes LordPE and exits.What is going on?

Well,it can't be using SetUnhandledExceptionFiler or any other kind of exception trick,because
it is not being debugged.So,the only thing that comes in my mind is that it has hardcoded
strings refering to processes or Window handles.It also has a loop that checks all the
running processes and windows handles with those strings,althought it is supposed to be
in the original exe's code section.Well,it is but the packer has given him some extra code
and this code still remains and makes this security check loop,althought we have passed the
OEP.

And my quess is true.Rename LordPE.exe to something else.Run the exe.Now run the renamed
LordPE.It does not closes LordPE.So,do the same with Olly.Damn,it still closes her.Well,this
happens because Olly has inside her .data and .edata section strings that start with "Olly"
chars,and all those are hardcoded in the security loop that I mentioned before.So,open Olly,and
load Olly (yes,U hear right) in the first Olly.Click the "M" button and see the section of the
loaded Olly,in first Olly:


Memory map
Address Size Owner Section Contains Type Access Initial Mapped as

00400000 00001000 OLLYDBG PE header Imag R RWE
00401000 000AF000 OLLYDBG .text code Imag R RWE
004B0000 0005B000 OLLYDBG .data data Imag R RWE
0050B000 00001000 OLLYDBG .tls Imag R RWE
0050C000 00001000 OLLYDBG .rdata Imag R RWE
0050D000 00002000 OLLYDBG .idata imports Imag R RWE
0050F000 00002000 OLLYDBG .edata exports Imag R RWE
00511000 00036000 OLLYDBG .rsrc resources Imag R RWE
00547000 0000C000 OLLYDBG .reloc relocations Imag R RWE


Go to the .idata section and search for the string Olly,withought having the case sensitive
checked.U find this:


0050F780 6F 6C 6C 79 64 62 67 2E 65 78 65 00 5F 41 64 64 ollydbg.exe._Add
0050F790 73 6F 72 74 65 64 64 61 74 61 00 5F 41 64 64 74 sorteddata._Addt
0050F7A0 6F 6C 69 73 74 00 5F 41 6E 61 6C 79 73 65 63 6F olist._Analyseco


Change ollydbg.exe to something else eg. fffffff.exe.Search again in this section.
We are lucky,because it is found just once.Go to the .data section and search again
for the same string.Damn,here the string exists in many places.Well,change all the
words that have this string inside them.

When done,dump with OllyDump the process,without checking the Import Rebuild Option on.
Well,Olly is now patched.Rename the dumped to anything that has not the string Olly in it.Now,
run the protected exe again till the main window of the crackme appearz.Now,run the dumped
new patched Olly.Wait a little (some seconds).

Well,it dooesn't detect Olly!Well,if in this part U have done something wrong,or make
something wrong in the following steps,next time will detect Olly,and U will need to change
the patched strings ALL to something else,again.I think that the protected exe,if once find
an exe string signature that may be a possible debugger or any other "hostile" program for
it,it put it somewhere (registry,memory,I don't know) and rembers it.So,just do the patch right
and follow every single instruction of the next linez.But there are pacthes that will patch Olly
against this protected exe once and for all.Such a patch is putting Fh 's in all strings that will
be replaced.I don't really know why this string makes this good thing for us,but it works.So,patch Olly
with Fh 's where U should patch (Hey,Fh ascii not chars!).

Now,in patched Olly that is running,check all the options of exceptions in Debugger Options,and in
option of Ignore also following custom exceptions should be nothing.

Now select the process of the protected exe that runs and attach to it.Do not open any other window
becuase the protected exe may detect Olly.Just the Debugging options and then the attach window.U are
HeRe:


77F767CE C3 RETN
77F767CF > CC INT3
77F767D0 C3 RETN
77F767D1 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
77F767D5 CC INT3
77F767D6 C2 0400 RETN 4
77F767D9 > 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
77F767DF C3 RETN
77F767E0 > 57 PUSH EDI
77F767E1 8B7C24 0C MOV EDI,DWORD PTR SS:[ESP+C]
77F767E5 8B5424 08 MOV EDX,DWORD PTR SS:[ESP+8]
77F767E9 C702 00000000 MOV DWORD PTR DS:[EDX],0
77F767EF 897A 04 MOV DWORD PTR DS:[EDX+4],EDI
77F767F2 0BFF OR EDI,EDI
77F767F4 74 11 JE SHORT ntdll.77F76807
77F767F6 83C9 FF OR ECX,FFFFFFFF
77F767F9 33C0 XOR EAX,EAX
77F767FB F2:AE REPNE SCAS BYTE PTR ES:[EDI]



Now,press the "M" button and set a memory breakpoint on access in .text section.In this section
is the original code of the protected exe.Go to your clock and change the hour.Make it one hour
less or one hour more.This is done,because changing it we stop the loop of the anti-debugging feature
that the running protected exe has.It seems that this loop checks periodicall the hour-mins-secs and
then performs the detection of debugger check.Really nasty,I made 2 hours to understand this!Now press
F9 to run the process.The debugger pauses at the breakpoint we have just set,HeRe:



0040111B C8 000000 ENTER 0,0
0040111F 53 PUSH EBX
00401120 56 PUSH ESI
00401121 57 PUSH EDI
00401122 817D 0C 11010000 CMP DWORD PTR SS:[EBP+C],111
00401129 0F84 AB000000 JE sdprotec.004011DA
0040112F 817D 0C 10010000 CMP DWORD PTR SS:[EBP+C],110
00401136 0F84 86000000 JE sdprotec.004011C2
0040113C 837D 0C 10 CMP DWORD PTR SS:[EBP+C],10
00401140 0F84 B5000000 JE sdprotec.004011FB
00401146 B8 00000000 MOV EAX,0




If u hadn't check the time of your clock,an exception that could not be handled would occur,and
after some tracing U would have made (u cann't stay in a place forever!) the exe would have traced
Olly and exit.If u fail and try again,change accordinglt the time clock every time U try.


Yes,we are at the unpacked,original code of the exe.But where is the OEP?As U will know,we have
passed the OEP becuase we run the exe before patched Olly.But,becuase the exe is just appearing
a screen that asks for a Name and Registration code,it is in a loop,and not far "after" the OEP,
because no basic routine has been executed,that will make the flow of the programm to go much away
from the OEP.Now,we are at 0040111B paused.Just check a few lines up.We see this place:



004010C2 6A 00 PUSH 0
004010C4 E8 E1010000 CALL sdprotec.004012AA ; JMP to kernel32.GetModuleHandleA
004010C9 A3 F3204000 MOV DWORD PTR DS:[4020F3],EAX
004010CE C705 C7204000 03>MOV DWORD PTR DS:[4020C7],4003
004010D8 C705 CB204000 89>MOV DWORD PTR DS:[4020CB],sdprotec.00401>
004010E2 C705 CF204000 00>MOV DWORD PTR DS:[4020CF],0
004010EC C705 D3204000 00>MOV DWORD PTR DS:[4020D3],0
004010F6 A1 F3204000 MOV EAX,DWORD PTR DS:[4020F3]



Good place for an entry point,because we see a call at GetModuleHandleA (many progs need the
return value from such an API call,and call it some opcodes after the OEP) and we don't see any
other API calls of any kind before the opcode at 004010C2 (and generally,after the OEP API calls
like GetVersion,GetModuleHandleA,LoadLibrary or GetCommandLineA follow.).U may say,why could it
be not an earlier?Well,I tried and after the IAT rebuilding (that will follow) I couldn't make it
work.Eventually the OEP is 004010C2.In some other cases,when an exe is compiled with a
language compiler eg. C++,at the OEP arefour to five opcodes that are the same for every
produced with the same compiler exe.So,after landing at a place of code after the attach and
dump,the OEP cannot be far away,since not many opcode sequences like these exist from the place
we landed,and near it.Anyway,have in mind that it is NOT ALWAYS necessary to land exactly at
OEP,in order for the dump to work.We just say that OEP is the most ideal place,becuase all sections
are intact,nice and clean (and not changed by self-modifications or of modifications that happen during
runtime,between the exe in memory and other processes,or by itself).Remove the memory breakpoint.


Before dumping,right click in all section that u see in tha patched Olly (and PEheader as well) and
set access->Full access.This is done becuase during unpacking,the protector has protected the
access of those memory locations using probably VirtualProtect API's,and if we try to dump the
dumper will fail,or may create a false dump.Also,ImpreC will not be able to read the process from
memory,meaning the data that are contained and to be used,in order to fix the Imports (u can check
it!)

Now,dump the exe with OllyDump,without having checked the IMport Rebuilding,and as an OEP the
value of (OEP as seen in addressing)-Imagebase=004010C2-00400000=10C2.We now have the dump.


For the rebuilding part we will do everything without executing anything in Olly,just seing the code,
because we cannot put any software or hardware breakpoints,the packer detects them all.But don't
mind,because code at that time is not self-modified any more and the mem locations that we will
need contain hard-coded bytes,so no need to run it in Olly actually.Just using Olly as
a Dasm.OpenImpRec and put as OEP the value 10C2.Now IAT autosearch and Get Imports.
Now press Show invalid.We have many invalid.Select one invalid and right click in
it->Disassemble.What we see here is that in the place where the code of a valid API
should have been,are instructions that generate the call to that API.So the only thing
we have to do for all those invalids,is to follow in debugger this codes and
see where they finally jamp,at API's.We will know that we are for the first time in
API's code,because the address of the first opcode will be (and all those who follow and
are in the API!) in 7XXXXXXX format.Then,just a search in all module names in Olly will reveal
which API has as starting address this value,and we can identify this API.Then,we will manually
put the name of that API at the invalid thunk.

But how are we going to follow all those invlid thunks?We,check the Disassm of one invalid,eg
the 00143B98h:


00143B98 58 POP EAX
00143B99 50 PUSH EAX
00143B9A 60 PUSHAD
00143B9B 9C PUSHFD
00143B9C 68 02000000 PUSH 2
00143BA1 50 PUSH EAX
00143BA2 B8 32DEE44B MOV EAX,4BE4DE32
00143BA7 50 PUSH EAX
00143BA8 B8 2C1CB9C3 MOV EAX,C3B91C2C
00143BAD 50 PUSH EAX
00143BAE E8 BD5C3200 CALL sdprotec.00469870
00143BB3 9D POPFD
00143BB4 61 POPAD
00143BB5 B8 2C1CB9C3 MOV EAX,C3B91C2C
00143BBA 9C PUSHFD
00143BBB 2D 32DEE44B SUB EAX,4BE4DE32
00143BC0 9D POPFD
00143BC1 50 PUSH EAX
00143BC2 C3 RETN




Well,all code till 00143BB5 is junk code,to confuse the reverser.So at 00143BB5 moves a value at
EAX,then a PUSHFD (junk opcode also,don't care about this) and at 00143BBB subtract 4BE4DE32 and
in EAX=77D43DFA.Then,the POPFD of junk,and we jamp at 77D43DFA.What API is there?Look in Olly
in Search for all module names and this API is TransLateMessage.So,in ImpRec,invalidate the thunk and
double click on it,and select from user32.dll the TransLateMessage API.Now again show invalid.Good,we
reduced invalids to one.As u can see,by this way we can fix all the invalid thunks.Do the same thing
for every invalid then.But there is one thunk that has not a Push eax-retn that jamps at an API.This
is thunk 468AB3.Well,in Olly go at 468AB3.U see this:


00468AB3 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
00468AB7 85C0 TEST EAX,EAX
00468AB9 7D 1D JGE SHORT sdprotec.00468AD8
00468ABB 83F8 F5 CMP EAX,-0B
00468ABE 7E 18 JLE SHORT sdprotec.00468AD8
00468AC0 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10]
00468AC4 8B5424 0C MOV EDX,DWORD PTR SS:[ESP+C]
00468AC8 51 PUSH ECX
00468AC9 8B4C24 0C MOV ECX,DWORD PTR SS:[ESP+C]
00468ACD 52 PUSH EDX
00468ACE 51 PUSH ECX
00468ACF 50 PUSH EAX
00468AD0 E8 A1F7FFFF CALL sdprotec.00468276
00468AD5 C2 1000 RETN 10
00468AD8 8B5424 10 MOV EDX,DWORD PTR SS:[ESP+10]
00468ADC 8B4C24 0C MOV ECX,DWORD PTR SS:[ESP+C]
00468AE0 52 PUSH EDX
00468AE1 8B5424 0C MOV EDX,DWORD PTR SS:[ESP+C]
00468AE5 51 PUSH ECX
00468AE6 52 PUSH EDX
00468AE7 50 PUSH EAX
00468AE8 E8 BD3F0000 CALL sdprotec.0046CAAA
00468AED C2 1000 RETN 10


The call at 00468AE8 goes to the API.All till here is junk code.So in Olly go now at
0046CAAA and we are HeRe:

0046CAAA E8 01000000 CALL sdprotec.0046CAB0
0046CAAF FF58 05 CALL FAR FWORD PTR DS:[EAX+5] ; Far call
0046CAB2 C9 LEAVE
0046CAB3 0A00 OR AL,BYTE PTR DS:[EAX]
0046CAB5 008B 008038CC ADD BYTE PTR DS:[EBX+CC388000],CL
0046CABB 74 0A JE SHORT sdprotec.0046CAC7
0046CABD 50 PUSH EAX
0046CABE C3 RETN


It jamps at 0046CAB0.We cannot see the opcode of that,because it is mixed.So just go at
0046CAB0 and u see that:


0046CAB0 58 POP EAX
0046CAB1 05 C90A0000 ADD EAX,0AC9
0046CAB6 8B00 MOV EAX,DWORD PTR DS:[EAX]
0046CAB8 8038 CC CMP BYTE PTR DS:[EAX],0CC
0046CABB 74 0A JE SHORT sdprotec.0046CAC7
0046CABD 50 PUSH EAX
0046CABE C3 RETN


Well at 0046CABE jamps at the good API we are looking for.So,at 0046CAB0, EAX=0046CAAF
because of the call at 0046CAAA (so stack has return address 0046CAAA ),then adds
the value of 0AC9 so eax is now 0046D578.Now at [EAX] is the API address to fix this thunk.A
small trick that seeks for a software breakpoint there and then a PUSH EAX-RETN and we jamp there.

What is in [EAX]?Well,go at 0046D578 and U see that:


0046D578 76 64 JBE SHORT sdprotec.0046D5DE
0046D57A D6 SALC
0046D57B ^77 E3 JA SHORT sdprotec.0046D560
0046D57D A6 CMPS BYTE PTR DS:[ESI],BYTE PTR ES:[EDI]
0046D57E D4 77 AAM 77



We are interested for the first four bytes in reverse,which give us the address of
77D66476h.I look in Olly,and this is API MessageBoxA.Then,I give this name to out final
invalid API thunk.Now press show invalid,no invalids.Fix dump now.


Run the fixed exe and...Yeeeaaahh!!!Last version of the so called SDprotector defeated!!!


Well,this was a hard protector.Took me at least 6 hours,including writing this tutor.This
is one contribution to all of U,that are really interested to see how other people think,
including the makers of this packer...