+------+        +----+   +----+  +-----------+ +------+  +------+

        |      |        |    |   |    | /            | |      |  |      |

        |      |        |    |   |    | |            |  +    +    +    +

 +------+      +------+ |    +---+    | |     +------+  |    |    |    |

 |                    | |             | |    +          |    |    |    |

 |                    | |             | |    +          |    |    |    |

 +------+      +------+ |    +---+    | |     +------+  |    +    +    |

        |      |        |    |   |    | |            |  |    +---+     |

        |      |        |    |   |    | \            |  +              +

        +------+        +----+   +----+  +-----------+    +-----------+

+-----------------------------------------------------------------------------+

|             For The +HCU: Academy Of Reverse Engineering                    |                                      

|                     by Bengaly published by +Tsehp                          |

|                                                                             |

+=============================================================================+

 

 

 

Welcome New Beginners.

So, You finally found your way into Cracking world eh? :-)

Hacking seems too much of a Borden to you? :-)

You think you can Handle ASM? :-)

Than you are welcomed to read this Cracking Guide for new/advanced (?) Users.

Note: this tutorial can be published only by Axion, and cannot Distributed over,

The net. (Due to a special Request) or other say so by the author of this text.

This Tutorial is for Educational Propose only! All cracked applications will be

Well respected by us crackers, If you use a Shareware, please buy it!

Help support those who give you the time and effort learning and gaining knowledge.

 

Guide Hierarchy:

----------------

 

[-]-Overview-------+

                   |

                   +----> I. "Assembly" (Quick Touch)

                   |                   

                   |                    

                   +----> II. "Tools"      

                   |                    

                   |

                   +----> III. [+]Cracking----+

                   |                          |

                   |                          +---->[+] Basics

                   |                          |

                   |                          +---->[+] Advanced

                   |                          |

                   |                          +---->"The Big Ride"

                   |

                   +----> "Troubleshooting"  

                   |

                   +----> "Links"

                   |

                   +----> "Thanks"

 

=============

| Overview  |

=============

Cracking, what is it? ...

Cracking is what we call: "Software hackers", those people who "Destroy",

The CODE of the application that they are examining.

Real cracking began long ago, something about 10+ years.

But, none of them has been seen like today,

Today's cracking could be even easier than before but still can be tough.

1990 Old dos ruled (?) allot of apps/games were out, those are really the,

Interesting part, as dos seems neglected nowadays, allot of dos based Protections

Hasn't been cracked (reversed), due to lack of interest, or just plain hard task.

Dos uses what we call "Interrupts", those functions that were called each time you

Type something on keyboard, display on screen, send to printer and etc...

Those functions were basically the CORE that cracks usually based / could based on.

But now..1995-2001 Since Win3.1 - Win9x - WinXP, Cracking has began such more

Simple task than Ever (Dos actually :) ).

Windows as you don't know, does not use Interrupts anymore, since now we are dealing

With 32Bit OS (Operation System), all interrupts were deleted and were rewrite from

Scratch to what we know as "API" (Application Programming Interface).

Microsoft has wrote allot of APIs and *almost* all Documented on their Win32API.hlp.

Now, just as Dos crackers used Interrupts for cracking weak Points + Attacks,

Win9X will use APIs for that matter as well.

Since every application must Import / Export DLLs (APIs) than u can use it for your

Own good :-).

1996: new cracker called as ORC (Old Red Cracker) came out with series of huge/long tutorials Explaining about new attacks/crack points/new ways/ to crack Dos+win32 applications.

Sure now they could be absolute Useless because it was written in late 1996-1997, but still give us the right track.

(Although I do not recommend read them unless you familiar with cracking).

Now ask, How much time will it take me to be a good skilled Cracker..??

Well actually is depend on you and your devotion to the Subject, I believe 3+ years will

Make you average skilled none the less. (Unless you are one of those Smart kids :-) ).

You could not crack unless you are practicing, that's a fact.

Sit at least 2 hours a day to crack 1 application will do fine.

Don't expect being a master if you crack the Lamest/easiest app around, Don't Hold your

Breath :-), some programmers are stupid, some not!!..:-)

So I hope you got a brief Idea what the hell Cracking is-).

I hope you will enjoy reading this tutorial as much as i enjoyed write it for you. :-)

*There are allot Cracking guides out there, each guide is written from own Cracker Perspective.

 

-----------------------------------Page 1-----------------------------------------------

 

================

| I. ASSEMBLY  |

================

 

This is the most important Section which cracking could not exist without it.

The low assembly programming language, ASM is the Core,

The heart knowledge every Cracker Need to know,

Without it you are basically wasting your time :) .

For crackers (at least new ones) only essential parts of asm are needed...else you are

A keygener/Coder..etc, Asm is a word language (would you like to code in

Opcodes? <= Hex form of asm: B8012C...) I think not :).

When I mean word language I mean: MOV/INC/DEC/MUL/LEA/JMP/JNE... you can see they are only shorted words:

 

I.E: JMP = JUMP

     LEA = LOAD EFFECTIVE ADDRESS

     MOV = MOVE

 

And so on..

This way it's very handy for us to understand instructions.

Although I recommend all cracking lovers to start read asm books: "the art of asm".

You can easily find those over the net in E-book/Html form.

 

BINARY:

-------

Binary is the machine language, it is understood as 1/0

Every instruction is translated as 1 or 0 that the computer can understand and

Perform then instruction.

I.E: 110011010001110101011111001

 

BITS/NIBBLES/BYTES/WORD/DWORD:

-----------------------------

 

BIT     Can be 0 or 1

NIBBLE  4 Bits (1,2,3,4,5,6,7..Every number is a 4bit nibble, Binary system)

BYTE    8 Bits (or 2 nibbles : low/high) ->  7  6  5  4  3  2  1  0

                                            [ ][ ][ ][ ][#][#][#][#]

                                               High          low

 

WORDS - 16 Bits (4 nibbles, or 2 bytes: low/high) -> 15......0

Double WORDS (DWORD) - 32 Bites (2 Words high/low, or 4 Bytes) -> 31......0 

 

HEX/DECIMAL:

------------

 

HEX is what we call Base16...

Base116..What is it?

Well HEX uses 16 numbers from 0-15 (start with 0 not 1)

 

0 1 2 3 4 5 6 7 8 9  A  B  C  D  E  F <- Hex   

| | | | | | | | | |  |  |  |  |  |  |

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 <- Decimal (regular numbers)

 

Max Hex numbers you can get in: 8 Bit is 0-FF, 16bit are 0-FFFF, where in 32bit it's 0-FFFFFFFF

 

[Converting Systems]:

 

Hex->Dec:

          Suppose you have: 1B as hex number and you want know it's Decimal form

          We do this (do you remember from math class thing called: Power?)

          Well Power is 2^3 = 8 (2*2*2)..Got it? :-)

          Well it work as well here...we Power the number by it's position..

          I.E:

          We have 1B, let's Break it:

          (Hex is base 16!)           / 1 => 16*1 = 16\

                                                      + = 27 Decimal

                                       \ B => 11*1 = 11/

         

          Let's make another example with 4 letters, we have hm...4B2Eh (h = Hex)

          Let's Break it:

                             Position 3    4 => 4*4096 = 16384

                             Position 2    B => 11*256 = 2816 

                             Position 1    2 => 2*16   = 32   

                             Position 0    E => 14*1   = 14 

                                                         ---

                                                Sum = 19246 Decimal

 

Remember: you power 16^position (position 0 always start with 1 not 0)

          I.E: (from the above example: 16^position 3 = 16*16*16=4096)  

 

Dec->Hex:

    Well this is somehow harder, Cuz it's involved with Reminders.

    I will show example, but it's hard to do cuz sometimes u need to round numbers :-/

    Suppose we have 212 Decimal, to make it Dec, we don't multiply, but we divide by 16:

        

         212/16 = 13 Reminder 4--------+

         13/16  = 0.8 Reminder 13----+ |

         0.8/16 = 0 Reminder 0-----+ | |

                                   0 D 4 Hex = 212 Decimal

 

Well, it seems much easy, but in fact I have rounded numbers, long Decimal even much more harder.

Another Example? ...OK :-)

Let's take 5421 Decimal (regular number).

 

     5421/16 = 338 Reminder 13 -----+

     338/16  = 24 Reminder 2 -----+ |  

     24/16   = 1 Reminder 5 ----+ | |

     1/16    = 0 Reminder 1 --+ | | |

                              1 5 2 D Hex = 5421 Decimal

 

Don't forget to use Window's Calculator Scientific Mode.

All Understood now :-) ?...

You now know some converting...Continue for ASM registers. 

           

REGISTERS:

----------

Registers are the most common used "VARIABLES" by the CPU.

You can access to them at anytime, as they are there to serve you.

 

There are 8 different REGISTERS:

 

16Bit Registers: AX, BX, CX, DX, SI, DI, BP, SP  (DOS)

========================================================================

32Bit Registers: EAX,EBX,ECX,EDX,ESI,EDI,EBP,ESP (WINDOWS, E = EXTENDED)

 

Each register used for a specific task or multiples:

 

E/AX = ACCUMULATOR  (calculations..etc)

E/BX = THE REMINDER REGISTER (i.e: 2/16 = 0.13..13 should be passed, else i am wrong :-) )

E/CX = THE COUNTER REGISTER  (useful for loops, i.e.: loop 13 times)

 

Other registers are dealing with memory (offsets/segments..read book :) )

 

Every Register is divided to low/high bit:

 

                     AX

                    /  \

                   AH   AL       (AH = high bits / HL = low bits)

If AX = 00001234

            /  \

        AH=12   AL=34

 

Same goes for: CX,DX,BX

 

*Remember, Registers holds HEX values NOT decimal

*1234h = 4660 Decimal

*h = hex

 

JUMPS:

------

We all know what jump is no? :-)

Same thing happened with asm.

 

JMP = JUMP (always jump..no condition)

JNE = JUMP IF NOT EQUAL (also called Jump Not Zero)

JE  = JUMP IF EQUAL     (also called Jump Zero)

JA  = JUMP IF ABOVE

JAE = JUMP IF ABOVE OR EQUAL

JB  = JUMP IF BELOW

JBE = JUMP IF BELOW OR EQUAL

JC  = JUMP IF CARRY (not common used for crackers..used on ror/rol/shl/shr instructions)

JG  = JUMP IF GREATER

JGE = JUMP IF GREATER OR EQUAL

JL  = JUMP IF LOWER

JLE = JUMP IF LOWER OR EQUAL

JNA = JUMP IS NOT ABOVE

JNB = JUMP IF NOT BELOW

 

And so on, the above asm instructions are commonly used by crackers to reverse the source.

 

Example:

            MOV EAX,00000008

            CMP EAX,EDX

            JNE <adress>

 

if EAX register = EDX register (value) than we wont jump, else we will

 

 

MOV

---

We can suspect what it does no?

Well it move a value, memory location..etc to a Register

 

Example:

           MOV EAX,00000032 (than EAX = 00000032 <= hex format 32h = 50dec)

 

CMP

---

Well we can guess again what it does :)

CMP = COMPARE

CMP can compare between registers/memory

 

Example:

            CMP EAX,EDX

 

*Very important for crackers, as they can check their serial compared :-) (Later on that)

*Unfortunately I can't twelve into ASM any more, since it is very long journey, and

Of course I can't explain it :-), so get a book, you will find ASM fascinating,

Very hard to use but some day you will be happy you know ASM.

*Read/learn the ASM instructions from the book, or get the opcodes.hlp and read from there.

*Once you know ASM (basics), you can apply it for Cracking.

 

---------------------------------Page 2-----------------------------------------------

 

==============

| II. TOOLS  |

==============

 

Tools is the second essential part for Cracking,

Without them, you will have to face "barehanded" against huge amount of code.

Neither to say that you'll be lost without them :-)

Here are the most used Tools by crackers (basic/advanced):

 

1. Brain - You won't get far without one ;-) (100% WorkTime)

 

2. Debugger - The only way you can trace/break a function or code live

              I will suggest using SoftIce as your only weapon for Debugging.

              The Numega's "SoftIce" is a very powerful Debugger for Kernel.

              SoftIce works at the Background and can detect every thing that

              Happens on your computer (if u break on it), what we call system debugger.

              There is a version for NT/2000/XP, Recommended win98.

              If you can get DriverStudio than it's welcomed the most :-).

              95% you will use the debuggers get it from the net:                                                                  

              Www.playtools.cjb.net or try (www.protools.cjb.net).

              Other Debuggers: Olydgb / debug.com / w32dasm (debug option) / TRW2000

 

3. Dissadembler - You will use Dissasembler for the visual code.

                  If you don't know what a Dissasembler actually

                  Load the application, read hex values (Opcodes), and Output

                  The assembly code.

                  I will suggest you to get: Win32dasm (www.protools.cjb.net) / IDA

                  IDA is a first class Dissasembler, very recommended. [Dos interface].

                  Very handy piece of work, can output strings, jumps, calls, imports

                  Other dissasemblers: Debug.com (in windows) / Hview..etc

 

4. HexEditor -   The only way we can modify an EXE is via HexEditor

                 HexEditor let you modify Opcodes (some ASM as well).

                 We use the HexEditor to find/change code that we as crackers

                 Know it will make us happy :-)

                 HexEditors:

                 WinHex (handy) / Hacker's View ...etc (I use those 2 only, no need more)

                 Get your copy at the net, or try www.protools.cjb.net

 

5. Registry / File Monitors - Those app will help you find any DLL, reg..etc used

                              By the apps you crack, and where they hide there

                              Registry information (useful if u want to Unregister).

                              Some apps reads the serial/name from hidden Registry info,

                              So I recommend using those:

                              FileMon / RegMon (www.protools.cjb.net)

                          

6. IceDUMP (Advanced) -  This little proggy is Add-on to SoftIce

                         It has really cool features SoftIce don't have.

                         Also IceDUMP is ANTI-ANTI SoftICE tool

                         Meaning if an app has a Protection:

                         If SoftICE is Active than app wont work.

                         IceDUMP hides SoftICE so no app can detect it :-)

                         Useful eh? Also it can serve us as a Print Screen

                         Tool and save code to a TXT.

                         Get it from (www.protools.cjb.net)    

 

7. PE-Editors (Advanced) - Those are the PE editors, you can

                           Modify the Sections, directory, delete, add

                           View and etc...Very useful when you unpack packed

                           Applications.

                           For PE knowledge (www.win32asm.cjb.net)

                           Recommended PE editors:

                           ProcDump / PeEditor  (www.protools.cjb.net)

 

8. Resource Editors (Optional) - Resource editors load the desired app

                                 And if the Resource is read, you can

                                 Delete, change, rename, stuff in the windows

                                 Messages and etc...

                                 (Useful if you want to kill a nag screen)

                                 Useful Resource editors:

                                 Borland Resource Work Shop 4.5 / Resource Hacker

                                 Get them at: (www.protools.cjb.net) /

                                 (Playtools.cjb.net)

 

9. Assembly Compilers (For Coders) - Compilers for asm are: MASM / TASM

                                     MacroASM is most useful and easy to use

                                     But if you already code in TASM, than Get it ;-)

                                     You can dl your copy of MASM at:

                                     For TASM try: http://egoiste.da.ru/

                                     Or www.win32asm.cjb.net

                                    

 

10. Programming Languages (For Coders) -  Recommended programming language:

                                          Are: C / Pascal / ASM

                                          Crackers do not tend to Code in Visual Basic

                                          As it is heavy, UN optimized, slow, using DLLs

                                          And not Portable without them.

                                          Bottom Line, don't use Visual Basic for

                                          Cracking!

                                          About Delphi. I don't know, I don't code in it

                                          So I can't say. 

                                          Get compilers at net: borland.com / google.com

 

11. File Analyzers -  The file analyzer Will help you

                      To know the whole information about

                      Your EXE, as from which packer it was

                      Packed with, Size PE information, and many more.

                      I recommend: "FileInfo" (www.protools.cjb.net)

                      Others: GetType, and more.

                          

All tools above are your Weapon against Shareware's ;-)

Every tool play different roll in your cracking stage, as long as you use them and get to know them, The better you will crack.

Always remember no matter how time a simple crack can be, you will do it in the end, so don't Get softy if you can't :-) ,

Many hard apps has been reversed so if those crackers can do it

You can do it to.

Brain is the only tool you really need to work on :-)

 

--------------------------------------Page 3-----------------------------------------

 

==================

| III. Cracking  |

==================

 

Finally, we are at the learning & practicing stage.

From now on, take your time, don't be rush, cracks wont run away, the net

Is full of junk you can practice on.

 

                             +----------------------+

                             +****BASIC CRACKING****+

                             +----------------------+

 

[Welcome To the Camp]

---------------------

Welcome to Cracking Camp my fella wannabe cracker, for the pass days you and others

Will learn to use their First weapon, thinking like crackers, learn the art of Zen,

Using weak points, Learning APIs attacks...and finally training in the field.

This camp is very huge, alot of people are learning and training in this Camp from all over the world.

Don't expect people to help you, because they wont, they don't have time to help Newbies

In the camp, so try least to be friendly to them if you want to get some help :-)

In our big camp you can find the Library, huge and amount of text, which stored in the Camp Will be accessible for you due time,

After Basic Training you can enter the Library and

Keep learning from the Old masters who passed this camp and left knowledge for free.

 

[Day One]

Heads up all Newbies.

I want quite and concentration and faces to this Text.

Today We are gonna learn about Our First Weapon, How to use it and set it up.

Our weapon called: SoftICE v4.x Made By NuMega.

I want you all memorize it and think it's your only friend on this camp.

Always to be by your side as it will be your best friend while cracking.

SoftICE...SoftICE...someone can tell me what it does?? For what purpose??...

I guess not, well my fella students, SoftICE is a system DEBBUGER.

You can use it to examining code, locate bugs, and we can also exploit it for

Our own good.

Every one, I hope you got SoftICE on your Computer as We told your parents to buy it

Before they sent your lazy asses here :-)

Ok...You got it, Let us install it, enter right serial..Next...MODIFY AUTOEXE.BAT...

Do you know why we need to modify the autoexec.bat students??

Cuz if we wont, SoftICE will not load during Boot, and therefore wont be active.

So MODIFY else you will have to do 50 pushups :-)

Reboot your computers and let Windows load...

All Remember we use here Win98, Camp wont allow use Win2000/XP until other say so. :-)

Windows loaded...all worked Fine, Great, Listen up, I won't repeat my self now:

SoftICE run in the Background (Invisible).

We can make SoftICE visible by pressing on keyboard CTRL+D and exit the same way.

Did you see the black window with ASM code (you did learn asm code, the one we recommended to you before you came to this camp).

All students load up SoftICE and look at it, it contains all registers, data window, input window and so on.

Let me draw you a rough sketch of SoftICE on the blackboard so we can examine it:

 

...............................................................................

EAX=00000001   EBX=00000190   ECX=00000000   EDX=00000000   ESI=00000001      . Registers

EDI=00020080   EBP=007E8C56   ESP=00008C3E   EIP=00001149   o d I s z a p c   .& Memory

CS=170F   DS=4127   SS=0EE7   ES=4127   FS=0000   GS=016F                     .

.......................................................................PROT16..

170F:1146  CALL      0DD0                                                     .

170F:1149  OR        AX,AX                                                    .

170F:114B  JZ        11DD                                                     .

170F:114F  PUSH      WORD PTR [DI]                                            .

170F:1151  CALL      KERNEL!LOCALLOCK                                         .

170F:1156  MOV       [BP-08],AX                                               .

170F:1159  MOV       [BP-0A],SI                                               . ASM Code

170F:115C  MOV       [BP-0C],SI                                               .

170F:115F  JMP       0F0D                                                     .

170F:1162  MOV       SI,[DI+3A]                                               .

...................................USER(18)....................................

WINICE: Load32  Obj=0005 Add=017F:BFE95000 Len=00001000 Mod=VERSION           .

WINICE: Load32  Obj=0001 Add=0177:7D651000 Len=00001000 Mod=INDICDLL          . Data &

WINICE: Load32  Obj=0002 Add=017F:7D652000 Len=00001000 Mod=INDICDLL          . Text

...............................................................................   

:.............................................................................. Input Data

 

Remember we can exit SoftICE in several ways: CTRL+D / X / F5

Not so hard right?

But remember you load SoftICE only by CTRL+D.

Now that you know how SoftICE looks/works we need to modify it...

Of course you can't use the weapon before you set it up can you?

Ok, because we are using WIN98 SoftICE is installed here:

C:\Program Files\NuMega\SoftIce95

Now students, we need to modify it and as i said exploit it for our own good.

We can modify SoftICE functionality by opening the file called: Winice.dat

There you will see on your computer that it has allot of functions/imports/exports and so on.

Let us now set it up a little bit, all follow me students, do not try to mess with the data file as it won't help us and damage SoftICE.

I am now will write on the Blackboard the essential parts we will change, You will see it in your Computer screen, try follow me and write on Notebook stuff needed.

  ____________________________________

 /                                    \

/--------------------------------------\

|                                      |

| PHYSMB=32                            |

| ;EXP=c:\windows\system\kernel32.dll  |

| ;EXP=c:\windows\system\user32.dll    |

| ;EXP=c:\windows\system\gdi32.dll     |

| ;EXP=c:\windows\system\comdlg32.dll  |

| ;EXP=c:\windows\system\shell32.dll   |

| ;EXP=c:\windows\system\advapi32.dll  |

| ;EXP=c:\windows\system\shell232.dll  |

| ;EXP=c:\windows\system\comctl32.dll  |

| ;EXP=c:\windows\system\crtdll.dll    |

|                                      |

|--------------------------------------|

\--------------------------------------/

 

Student do you see these code in the Winice.dat?

Those are the main stuff we will change.

PHYSMB=32  <=== Of course We don't use 32MB of RAM are we? :-)

Change it to whatever number of Ram your computer use.

Now students look at the computer, do you see all those Paths with point to DLLs?

Those are the Bullets for our weapon :-)

Remove the ';' from all the lines i.e.: EXP=c:\windows\system\kernel32.dll

Now we can save the Winice.dat

Now SoftICE still don't know how to use the Bullets, Cuz we didn't told yet to Sice to load the Bullets, so Reboot your win98 again,

And there you go, we have the bullets Ready to use.

Now we will make a test shoot, to see of SoftICE did load the DLLs.

Load SoftICE, write: BPX MessageBoxA <enter>

If you don't get a message than SoftICE is Ready to use.

All ok students, Let summarize what we did today, we have set SoftICE so it will load the

Windows DLLs and therefor we will use it to trace/break for later use.

Class, we will continue tomorrow the second class, be ready to be here in time, and don't forget what you have learned today.

 

[Day 2]

Good day class, today we are going to learn about SoftICE's Breakpoint functions

Yesterday we have learned about how to load SoftICE, do it now.

Once SoftICE has been loaded we can now use SoftICE functions built in.

You can also learn the functions by pressing: h <enter>

You will get list of functions/options.

 

Breakpoints:

------------

Let me teach you the most used Functions Crackers uses for breakpoints:

BPX / BPM / BPR

 

BPX - breakpoint on execute

      We use this option to break

      Instantly on any API

      Or system function we

      Choose to.

      Usage: BPX <API/function>

 

BPM = breakpoint on Memory

      We use this Option to break

      On memory Read/Write

      Usage: BPM <address>

      Additional Options: R/W/RW/X

 

BPR - breakpoint on Memory Range

      We use this Option to break

      On memory range.

      Usage: BPR <address> <address>

      Additional Options: R/W/RW/T/TW

 

Crackers 95% use breakpoints, as without them you could never

Break in the Program's Code and trace, and find, and crack...etc ;=)

 

APIs

----

Now we will learn the APIs that we will use to break on the application

We wish to Crack.

*Most applications nowadays uses the 32bit APIs so it make us some sort of a

Short cut to Break on the program's original code instead of searching threw HWND

 

API list for basic Cracking:

 

MessageBox  - 16Bit (win3.1)

MessageBoxA - 32Bit (win9x)

GetDlgItemText  - 16Bit (win3.1)

GetDlgItemTextA - 32Bit (win9x)

GetWindowText   - 16Bit (win3.1)

GetWindowTextA  - 32Bit (win9x)

Hmemcpy - Memory Copy Function

 

Those are the Basic API you shell memorizes for now on.

You will use those to breakpoint at any application we will attack.

More new APIs will be Given for you when you are practicing, or

Reading student's essays.

 

MessageBox/A - Usage: Breaking on any Windows MessageBox sent by the application.

                      Typing: BPX MessageBoxA <enter> in SoftICE will set the trap

                      If any MessageBox is sent by Windows SoftICE will break on it

                      And will show us the code sent by the application.

 

GetDlgItemText/A - Usage: Breaking on text sent to the application, and read by it

                          Typing: BPX GetDlgItemTextA <enter> in SoftICE will set the

                          Trap, if you will enter Text in the Dialog Text Box of the

                          Application, SoftICE will break and show the code used by

                          The application.

 

GetWindowText/A - Usage:  Breaking on text sent to the application, and read by it

                          Typing: BPX GetWindowTextA <enter> in SoftICE will set the

                          Trap, if you will enter Text in the Application,

                          SoftICE will break and show the code used by

                          The application.

 

Hmemcpy - Usage:  Breaking on any Copied Memory by Windows and By any

                  Function Used by windows.

                  Typing: BPX Hmemcpy <enter> in SoftICE will set the

                  Trap, once set the trap, SoftICE will break on any

                  Copied memory by any windows Application/Function.

 

 

Shortcut Keys (SoftICE)

-----------------------

SoftICE can use shortcut keys like: F8 / F5 / F12 / F11 / F10

We will use those shortcut keys instead type every time 't' or alike.

 

F8 - Usage: F8 key usually traces into a CALL

            While we debug, we will trace into a call,

            So we could inspect/analyze the code in it.

 

F5  - Usage: F5 key Exit SoftICE, simply eh? :-)

F12 - Usage: F12 Stepping out of a DLL/Function (p ret jump)

F11 - Usage: F11 Return to the Caller.   

F10 - Usage: F10 is a trace code, single step traces one by one.

 

 

Dump / Data Viewing

-------------------

When we Use SoftICE, we must know & understand what

Do we see..

SoftICE is using HEX, therefore it will take allot of,

Time for use to convert hex->Dec/ASCII,

But NuMega has added to SoftICE a function to Convert

Hex -> Dec -> ASCII automatically.

 

When using SoftICE we have 2 ways to see data that

Is being stored by the Registers.

As we know, Registers are the CPU's variables, everything

Is passed / calculated..etc by them.

To view the data stored on the registers, SoftICE has 2 functions:

 

'D' / '?' ('' <= Don't include it while in SoftICE)

 

D - Usage: D stand for Dump, we use D command

           To view the Register data which holds

           ASCII in the data.

           Typing: D <register> <enter> (D EAX)

 

? - Usage: ? Stand for Viewing the Hex data

           Stored in the Registers.

           ? Command will show us: Hex-Decimal-ASCII (xxxxxxxx-xxxxxxx-xxxxxxx)

           Typing: ? <Register> <enter> (i.e. ? EAX)

          

To Practice on the above ?/D open up SoftICE and try the commands,

You will shortly understand what each command does.

 

-----------------------------------------Page 4 ----------------------------------------

 

[Day 3]

Today we will learn about different Kind

Of protections.

 

Protections:

------------

 

Registration Key - This protection is based

                   On 1 single Serial Key that

                   Is hidden in the program's code.

                   Our entered serial will be

                   Eventually compared with the

                   Real serial hidden inside the

                   Program it self, we can call

                   It "hardcoded" ;-)

 

Serial/Name - This protection is the most

              Used, as it is required the

              Actual serial number for the

              Name you are entering.

              Most cases there will be

              A compare routine as well,

              If not real serial will be

              Hide in the registers.

              This could be any shape/form

              The coder will choose to.

 

KeyFile - Used as well, this protection

          Required you will have the correct

          KeyFile in the same directory of

          Your application.

          Most Keyfiles are using Name/Serial

          Check inside of the file as well.

          *Some could use encryption - Hard

 

 

Multiple Serials - You can recognize this,

                   While installing Windows, or

                   Photoshop..etc

                   They use 4-5 Text inputs, every

                   Text button need to have the right

                   ASCII combination.

                   I.e.: [xx]-[xxxx]-[xx]- [xxxx]

 

Crypto Serials - Very hard, Crypto serial/name

                 Serial is produced using a xxxBit

                 Encryption/RSA...

 

Nag Screens - Nag screens are the annoying

              Messages that appear when application

              Is started, or closed, or even I the middle.

              Those nag screens inform you that you need

              To register your copy...

              Very easy to remove.

 

Time Limit - Very commonly used in shareware's

             This time limit force the application

             To stop work, disable, or close the shareware

             You are using after xx amount of time.

             Default time is 30 Days.

             Easy/Hard to remove, depend on coder.

 

Use Limit - Commonly as well, this protection

            Will stop the shareware to work after

            xx times you have used the shareware.

            After it, program will give nag screen

            Or shell stop working and will be disabled.

 

Dongle Protection - Spread in Big Protected shareware's.

                    This protection is used by a I/O LPT port (hardware)

                    You will need the registration Cart attached

                    To your PC's parreral port Or other in order to make

                    The program fully work, otherwise it will be

                    Expired after xxDays / xxUses /rippled or wont work at all

                    Hard to crack, depend on Dongle protection company.

                    Dongles as: HASP / Sentinel are most commonly used.

                    Dongles uses DLLs/VxD to check the "is registered"

                    Using the Dongle API as well for some checks.

 

CrippleWare - Some will meet such Protection,

              Cripple = Disabled functions.

              You will notice some apps have

              Disabled Buttons [Save, Save As..]

              That will be enabled once you will register

              You copy of shareware.

 

 

VisualBasic - Allot of apps nowadays,

              Are coded in the Visual Basic

              Programming language, this

              Is what makes Cracking a little

              Harder, as visual Basic does not

              Save all the information on the EXE

              File, instead it uses DLLs to call the

              Functions.

              Even Serial/name could be hard [depend]

              In a programs who has been coded in VBasic.             

 

DLLs - Some apps will use DLLs as a   

       Protection Scheme.

       Time-Lock is one of them and

       Used to disable program after xx Time.

 

Misc. Protections - Matrix Protections [Not related this tutorial]

                    Packing [Advance Topic]

                    CD games Protection [Not related to this tutorial]

                    Zip password protection [Not related this tutorial]                  

 

CD-Protections - The most commonly used nowadays

                 Almost any new game is PACKED and

                 Protected by EXE packing programs

                 Since the Pirate has gone too far

                 Game's companies Believe that the only

                 Way to protect the game is to use            

                 Anti Piracy Packers such as:

                 ScureROM / SafeDISC

 

* Also be aware that some of the protection above (except for Dongle) can,

* Be used in other files than the original EXE, Meaning that some Serial/name,

* Protection can be hidden in a DLL that is invisible in the dir.

* Cracking the DLL will be the regular way :-)

 

[Day 4]

 

Yesterday we have been talking about

Variants of protections, and what everyone of them

Is capable of doing.

Today we will analyze each protection [hopefully]

And assume it's weak points, and ways to attack such

Protection.

 

Anti Protections:

-----------------

 

Registration Key - You already know what it is

                   Doing and how it works, now if

                   You downloaded a shareware that

                   Need only 1 reg Number to make the

                   Program registered, we can assume 2

                   Things:

                          1. Real serial is hidden/Unhide

                          2. Eventually is will be compared with fake serial.

                   

                          How to find the serial:

 

                          Method 1:

                          ---------

                          1. Disassemble shareware

                          2. Clicking the Strn-Ref Button       

                          3. Just search for an Unusual Alphabetic Number

                          4. Copy it and try filling it in the registration text box

                          *This method works on apps, which the Coder was too lazy

                          To hide his serial, and missed his money :-)

 

                          Method 2:

                          ---------

                          1. Run the shareware, enter fake serial

                          2. Press ok/check Button...you will get a Bad message

                          3. Write the bad serial message, and disassemble file

                          4. Click the "Strn-Ref" button, we will get allot of text

                          5. Search for the bad message String.

                          6. Double click on the founded text in Strn-ref

                          7. we will be taken to the ASM code where the string is appear

                          8. Looking for a UN/Conditional Jump..there is..folow it

                          9. We should be in a Jump (Je/Jne) from here we have 2 options:

                             A: Reverse the jump (JNE->JE / JE->JNE)

                             B: searching for a CMP instruction, break with SoftICE and 

                                Trace until we will be at that address, and do:

                                D <register> or ? <Register>

                                Should show us the good/bad serials :-)

                                *If you reverse the Jump, than no matter what serial

                                *You are giving it will always be acceptable

                                *As long as you don't enter the right serial...:-)

 

 

 

Serial/Name - This alittle complicated, but still

              You know the Idea behind it.

              For every name there should be Specific

              Serial number, this happens threw an

              Algorithm inside the Program code,

              For every name passed the Algo do the

              Math calculations produce a working serial

              And finally at the end it should compare it

              With your fake serial.

              The algorithm can be hard, long, easy, annoying..etc :-)

              From this we can assume 2 things:

               1. Real serial is produced by Algorithm

               2. Fake Serial at 70%+ will be Compared

                  Someway or another to the Real Produced Serial.

 

                 How to find the serial, Primary Attacks:

             

                 Method 1:

                 ---------

                 1. Entering a fake serial/name

                 2. Write the bad message you get from the program

                 3. Disassemble Shareware and do a search for the string

                 4. Locating where the string is called from, and we trace

                 5. We should be in a Jump (Je/Jne) from here we have 2 options:

                          A: Reverse the jump (JNE->JE / JE->JNE)

                          B: searching for a CMP instruction, break with SoftICE and

                             Trace until we will be at that address, and do:

                             D <register> or ? <Register>

                             Should show us the good/bad serials we call it:

                             "Serial Fishing".

                             *If you reverse the Jump, than no matter what serial

                             *You are giving for any name, it will always be acceptable

                             *As long as you don't enter the right serial/name...:-)

 

              Method 2:

              ---------

              In here we do the same thing as above but

              We wont reverse a jump, but looking for a

              Flag.

              * Flag is actually can be 1 or 0

              * Meaning: registered / unregistered

              * The Flag can be set by many ways (i.e: xor eax,eax )

                                                 (dec eax / inc eax)

              * And so on.

              * Locating the flag sometimes can make us a

              * Cleaner crack, better than reversing a jump

              * While fooling the flag and changing his content           

              * The Shareware/program actually believe it is registered.

              * This is a good way and faster to crack (depend)

             

              Method 3:

              ---------

              This method is a bit Advanced and

              Required a good Brain :-) and time.

              This method Is called "KEYGENING"

              The Idea is that the Cracker will

              Trace and find the produced serial First.

              Than he will find the CALL that leads to the

              Algo who produce the key from name,

              Learn, analyze, the specific Algo

              And than switch to SoftICE to see how the Algo

              Behaves on the name (mathematical Notation)

              And how the registers are being used,

              And finally Imitate, Rip, Code is new Program

              Which Create the Serial for any Name entered  

              This is called "KEYGEN".

 

KeyFile - The KeyFile attack is somehow

          Easy to recover, Shareware's whose

          Uses key (small xx k file) with

          Information inside of it (Encrypted or NonEncrypted)

          Tend to search the KeyFile while

          The program is loaded, if n KeyFile

          Is found, or KeyFile information is invalid

          Program is Unregistered.

          We can assume 2 things:

           1. KeyFile must have a serial/name

           2. KeyFile can be Encrypted/unencrypted

 

           Method 1:

           ---------

          Using SoftICE to Recover the KeyFile

          Name, is 1 way we can try.

          The "CreateFileA" API is used for that

          And will 80% work in the given apps.

          For a big hint, Dumping EDI register

          At almost 4-5 traces of code will recover

          The KeyFile Name (not his content)

 

           Method 2:

           ---------

           Second way to recover the KeyFile

           Is by using a file/reg monitor

           This system of recovering is at

           Almost 100% Successful since we will

           Be shown by every file is called/read/write

           By the given Program we attack.

 

* The problem in recovering a KeyFile,

* Is not hard, but just take a few minutes to,

* Locate it, but what does make the trouble is,

* To recover the good serial/name inside the KeyFile

* For that brain/SoftICE is used.

 

 

Multiple Serial -  1 way to attack this

                   Kind of protection is logically

                   Break on each text input box and

                   Trace the code, once found the serial

                   Continue Break on the other text box left

                   Once finished, you should recover the serial.

                   * Those kind of serial have allot different of serial,

                   * That can be used in the same app, Hench the Multiple.

 

 

Crypto Serials - One of the Hardest to attack,

                 Same tracing system as regular

                 Serial/name procedure i have been

                 Talking about, but this time with

                 Additional 100% Protection who can          

                 Drive you crazy :-)

                 When I say Crypto, I mean Crypto Algorithm

                 Is being used to create the serial.

                 Possible attacks:

                                 1. Understanding the Crypto Algo

                                 2. Using a Factor numbers Keygens

                                 3. Tracing threw SoftICE & analyzing.

 

 

 

Nag Screens - We already know what is it,

              And what it does for his Porpoise.

              Possible attacks:

                              1. NOPing the caller (No Operation Code)

                              2. Deleting the Resource Nag

                              3. Jumping over (Code Redirection)                          

                              4. Jump reversing which causes the Nag to appear.

 

Time Limit - Well time limits has some

             Advantages and disadvantages,

             We already know the Advantages,

             Let see the disadvantages.

             Possible Attacks:

                             1. Setting timer forward to make

                                The shareware to expire, 

                                So that we will get the nag screen.

                                Here the disadvantage is the nag screen

                                Searching the string of the nag in the disassembler

                                Will finally take us to the caller, here you kill

                                The jump.

                            

                             2. If the application uses a xx amount

                                Of Time (I.E: 30 days) we can make it

                                For our own good.

                                30 in Hex is IEh, this can help us as well

                                Searching 000000IE in the disassembled code

                                Will finally take us to the code where it makes

                                The decision whatever the program has expired

                                Or not, Modify the jump or the code which makes

                                The decision will kill the Time Limit.

                                Another way is to increase the Time that we can use

 

 

Use Limit - Use time, is actually the same

            As Time limit but the only difference

            Is how many times you used the application.     

            Same attacks could apply on this Protection.

           

 

Dongle Protection - Very hard topic, it wont

                    Be discussed in this guide, as it

                    Require more skills (or luck).

                    Attacking the Dongle requires his Technical

                    Information such as Services, regcodes, version, etc

                    Primary Attacks:

                                     1. Jump Reversing / Patching / Code Injunction

                                     2. Reverse engineering the Dongle protection

                                        Main routine in order to emulate the Dongle

 

CrippleWare - Known Protection since the win95 days

              The crippled (Limited) app can be cracked.

              In some cases Programmers will not include

              The crippled code in the app, which make it

              Alittle Impossible to reverse.

              Primary/Possibly attacks:

                                     1. Using the EnableMenuItem API

                                        And enable the Disabled (Crippled) button.

                                        Setting the Flag to 1 does this.

                                     2. Using Hooks to find the Handle of the Button

                                        And using a Spy tool to enable the Button.           

 

VisualBasic - This Topic will not be touched

              In the guide, Cuz I am not a VB

              Cracker and I must say it does not

              Interest me, although I do know how to.

              Using a VB Disassembler we can attack our

              Shareware's, the Disassembler is called:

              "SmartCheck" and it comes from Numega's Software's

              As well.

              Possibly Attacks:

                               1. Loading the app into SmartCheck and

                                  Running the app, while SC analyze it

                                  It will produce the list of the functions/calls

                                  That is used by the app, also it will produce of what

                                  The user is doing on the fly, meaning: if you clicked     

                                  An OK button, S will produce a "+Klick_1" Hierarchy.

                                  Expanding it and exploring will be worth the trip.

                                  Good against Name/Serial protection.

                                  *A good reading is by the VB cracker: Eternal_Bliss

 

 

DLLs - A good way to "confuse" cracker.

       None to say it won't work, Eventually

       It will be discovered.

       Optional/Possibly Attacks:

                                1.Patching DLL / Reversing code

 

 

Misc Protections - Attacks on Misc. Protections

                   Is what we call "Self Reading"

                   A good Knowledge about CryptoLogy will

                   Make you understand the "PlainText Attack" on

                   The zip password protection, and etc...

                   Good knowledge is never wasted it only here to serve us.                   

 

------------------------------Page 5------------------------------------------

 

 

[Day 5]

 

First Test Field:

-----------------

Listen up new ones,

Today we are doing a first Cracking test to see what we have

Learned until today.

 

TARGET: Bengali's First CrackMe (http://crackmes.cjb.net)

PROTECTION: Serial/Name

POSSIBLE ATTACKS: Patch/Fishing

 

Ok students, we have Got some Good references on Protections/Attacks

A got Test field will get you on the right track.

SoftICE / HexEditor / Win32asm are setup, We wont need More than those 3 tools.

We will Attack the CrackMe (Program tend to teach crackers hoe to attack the protection)

Using the Patching / Fishing Attacks.

 

[Stage 1]-Observation

---------------------

 

Run the CrackMe, Insert Fake name/Serial

Press the "Check" button and we will Get a error Message: "BAhh...Loser Goto: Krobar.cjb.net"

This message Is very Interesting us, as it could Serve Us cracker very Well

All we need to do now is to disassemble the CrackMe, using Win32DASM (I told you to get it Didn't I? :-) ).

Ok, finished Disassemble the File, Now you can see some Buttons that are Blue Active, The

Button that Interest us the Most is the "Strn-Ref" Button, as it will show us any Available Strings In the Resource of the EXE.

While we press it, we will get the list of Strings, here:

 

============================================================================+

"    CrackMe - 1"                                                           |

"1 or more chars needed"                                                    |

"Bahhh...Loser, goto: Krobar.cjb.net "   <---------|                        |

"Bengaly"                                          |Possible Attacks        |

"Great Job..."    <--------------------------------|                        |

"MainWindow"                                                                |

"This Is My First CrackMe Created "                                         |

"This Is My First CrackMe Created "                                         |

============================================================================+

 

Now, Lets try the Bad message Attack, Click the "Bahhh...Loser, goto: Krobar.cjb.net "

(Double Click) on the string and we will be taken to where the String Reference is Found, Here:

 

=======================================================================================+

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:                  |

|:004011DC(C), :00401204(C) <----Called from                                           |

                                                                                       |

:0040121B 6A00                    push 00000000                                        |

                                                                                       |

* Possible StringData Ref from Data Obj ->"    CrackMe - 1"                            | 

                                                                                       |

:0040121D 68E3304000              push 004030E3   ;Save the Above String to Stack      |

                                                                                       |

* Possible StringData Ref from Data Obj ->"Bahhh...Loser, goto: Krobar.cjb.net "       |      

                                        ->":-)"                                        |

                                                                                       |

:00401222 6812314000              push 00403112   ;Save the Above String To Stack      |

:00401227 6A00                    push 00000000                                        |

* Reference To: USER32.MessageBoxA, Ord:01BBh                                          |

                                                                                       |

:00401229 E8C2000000  Call 004012F0  ;Call the MessageBox with the Above Strings.      |

=======================================================================================+

 

Ok, First Lesson that you should know, this Code above is called "Dead-Listening"

Because we are not dealing with SoftICE which is Live Cracking, dealing with

Code Text is a Dead Cracking (AKA: Dead-Listening), good we cleared that one up.

Another important stuff, most of StringData Ref is called from somewhere inside

The apps, meaning that "Bahhh...Loser..." String has been called from another Instruction Within the app.

Now I ask you, How can we know who's called this String?

Win32dasm give us the solution, here:

 

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:                       

|:004011DC(C), :00401204(C) <= addresses

  ^^^^^^^^      ^^^^^^^^

  Caller 1       Caller 2

 

Now we can Go to those addresses and analyze the code, if We found what we needed

Than we can crack it With the Attacks i have been pointed in day4.

Let see what is hidden in Addresses 004011DC / 00401204,

Click the "Search" tab in win32dasm's Menu bar, and select "Find Next"

Enter the First Address 004011DC With Direction UP.

*Note we set it to UP because in 70% we are backtracking up where the code is most

Likey there.

Ok we have search for the address 004011DC and we landed here:

 

* Reference To: KERNEL32.lstrlenA, Ord:02E2h

                                  |

:004011D4 E847010000              Call 00401320

:004011D9 83F801                  cmp eax, 00000001

:004011DC 743D                    je 0040121B  <======== This Jump called the String.

:004011DE 50                      push eax

:004011DF 6836304000              push 00403036

:004011E4 E862000000              call 0040124B

:004011E9 50                      push eax

:004011EA 6876304000              push 00403076

 

Students, From here we can see that this Address has nothing to do with the Serial/name

Procedure, how can we tell?

Well actually This Address get the Length of the String, because we have *KERNEL32.lstrlenA*.

What Kernel DLL has something to do with our Name/Serial ??...None...

So actually this Address is useless, buy remember we had another Address that the

Bad string has been called from?? Yeah, it was 00401204

Do a search again with direction Down cuz we have Passed it :-)

We should see this code:

 

 Address   Opcodes                 Disassembly    Remarks

--------- ----------              -------------  -----------

:004011EF E82C010000              Call 00401320

:004011F4 50                      push eax

:004011F5 6876304000              push 00403076

:004011FA E885000000              call 00401284  ; algo

:004011FF 5B                      pop ebx        ; Get info ;-)

:00401200 3BC3                    cmp eax, ebx   ; compare good/fake serial

:00401202 3BC3                    cmp eax, ebx   ; compare good/fake serial

:00401204 7515                    jne 0040121B   ;If not Equal Call The Bad Message (Bad_Guy)

:00401206 6A00                    push 00000000

 

There is not much to say, we have here a classical Form of comparing / Jumping

Do you remember what Attacks I have explained about in Day4?

Read again, and the code from the CrackMe will be Self-Explained.

At address 00401204 we have a "Jump if Not Equal" Conditional jump which means that

If the Serial we enter does not match to the real our produced by the name,  we are

Giving a Bad Message "bahh..looser..."

Look at Method 1 attack A/B, this is what we are going to do here.

Actually they both give the same Result, but Option B is more Likely Cleaner.

 

Option 1 - Patching:

---------------------

As I said the patching is a fast crack, that *can* produce the

Same effect as the Serial key. (Unless the coder has used some

Techniques to make patches useless, a good example for that is

A program that reads the good serial/name from an INI file,

This will make the patch useless unless you patch the code that

Responsible or opening/reading the INI file :-) )

 

As for our example, we can see that address 00401204 has a Conditional

Jump (JNE), as I mentioned, we can patch (Reversed) the Jump

So any fake serial number/name we will enter will be acceptable, unless

You have entered the good serial for the name.

We will always use the HexEditor to modify the EXE code.

First thing u have Noticed that W32dasm has a scrolling cursor that

Change its color on particular Instructions. (Yellow / White)

Yellow: means that we are on a Jump/Call instruction and we can Enter/follow it

White: any other instructions.

If you put the cursor on address 00401204 you will see it turned to Yellow.

Now we can follow the jump by pressing the Right Key or pressing the "Execute Text"

From the Menu and selecting the "Execute Jump", this will take use to the Bad message

Routine we have found earlier ("ahh..looser..."). If we want to return from the Jump

We simply press the CTRL + Left key (Or in the Menu "Execute Text" -> "Return From Jump"),

Those very basic needs in W32dasm and will serve you allot due Cracking experience.

Another good thing we need to know is to find the OFFSET of a Address, this is because

HexEditors uses Offsets and not Addresses (again depend which).

So in order to know the Offset in win32dasm, be with cursor on address 00401204 and

Look at the StatusBar of win32dasm, you will see this:

 

Line:337 Pg 7 and 8 of 15 Code Data @:00401204 @Offset 00000604h in File: Crackme1.exe

                                                ^^^^^^^^^^^^^^^^

                                                This is the one

So the Offset for 00401204 is 604 (Memorize or write on paper)

Now Make a copy of the Crackme.exe and load it in the HexEditor, I highly recommend:

HackersView32 (Hview), it's a very powerful and easy to use.

So from now on i will refer to the only HexEditor as in Hview, and will use it only.

 

So load up the Backup exe in Hview. Press F4 and choose the DECODE mode (Disassemble)

Now we need to make a search, Press F5 and enter the offset we got (604)

And press <enter>,

Great we are at the right address :-)

Now in order to patch it lets switch to Edit Mode, Press F3.

Now you can change to whatever Opcode you will, but we need to change it to the

Correct Opcode, move the cursor to the 75, And simply change it to 74 and press <enter>

Now you have modified the ASM code, and it should be like that:

 

:00401204 7515  je 0040121B (Jump only if we enter the correct serial ;) )

 

Save the File with F9 and exit with F10.

Crack is done.

 

Option 2 - Live Fishing:

------------------------

For this Mission I shall use my Second CrackMe,

As the First one is not a good example for Live Fishing.

The second CrackMe is the same only with different small Algo.

 

This Approach will be your First Sice test Field, as you will "fish" the serial

From the Memory and make the program Fully registered and not modified in Code.

 

In Day2 we have been talking about APIs / Bpx Functions, as well as the

Shortcut keys SoftICE uses.

All together with ASM knowledge will be mixed to one Big Attack ("Serial fishing")

 

Starting with Running the CrackMe, Enter a fake Serial/Name.

Now as I told you students, we need to make SoftICE break so we can

Trace the ASM code, without Breaking we couldn't do allot.

So run now SoftICE and set a breakpoint at:

 

: BPX GetDlgItemTextA <enter>

: BPX GetWindowTextA <enter>

 

*I used those 2 APIs because it is better to set Multiple

*APIs when attacking, because you never know which APIs the app is importing.

*Note: you can check in win32dasm the Import/Export Functions.

 

After you set the Breakpoints, exit SoftICE with F5 (or etc) and press the

"Check" Button on the CrackMe, SoftICE will Break immediately.

 

Now first thing to know is that in a Serial/Name programs there is Most Likely

2 edit boxes, 1 for the name, and 1 for the Serial input Boxes.

In order to crack the program Live, we shall always break on the Second Text box

Which is the Serial input box, because most likely there is a check with the entered

Serial and the Real serial Generated from the name, so always break on the second!

 

Ok, we Pressed the Check Button after setting SoftIce breakpoint and

We immediately Breaks and SoftIce pops, we will Press F5 to force SoftICE to exit

And automatically read the second Input text box (Serial Text Box).

Than, we will be landed in this First code snippets:

 

               [First Break on the Second Exit Box]

----------------------------------------------------------------------------+

EAX=00000003   EBX=0066FC08   ECX=80007028   EDX=800072B0   ESI=00008C2C    |    

EDI=0066FBBC   EBP=0066FBB4   ESP=0066FBA0   EIP=BFF51743   o d I s z a P c |   

CS=0177   DS=017F   SS=017F   ES=017F   FS=1387   GS=0000                   |   

-----USER32!SetDlgItemTextA+0023-------------------------------------PROT32-|

0177:BFF51740  RET       000C                                               | 

USER32!GetDlgItemTextA                                                      |

0177:BFF51743  MOV       CL,A4                                              |   

0177:BFF51745  PUSH      EBP                                                |   

0177:BFF51746  MOV       EBP,ESP                                            |   

0177:BFF51748  PUSH      ECX                                                |   

0177:BFF51749  SUB       ESP,3C                                             |   

0177:BFF5174C  PUSH      WORD PTR [EBP+08]                                  |   

0177:BFF51750  PUSH      DWORD PTR [EBP+0C]                                 |

0177:BFF51753  CALL      KERNEL32!SMapLS_IP_EBP_16                          |

----------------------------------------------------------------------------+

Notice that we have Break on "GetDlgItemTextA".

Now, I must tell that the first Break is useless to use, because first

we are not in our app's code, and secondly we are now in a Kernel Dll code.

So this above code is kinda Useless, Now let's go back to Day2 and remember

The short-Cuts keys we have learned:

 

F8 - Usage: F8 key usually traces into a CALL/JUMP

            While we debug, we will trace into a call/jump,

            So we could inspect/analyze the code in it.

 

F5  - Usage: F5 key Exit SoftICE, simply eh? :-)

F12 - Usage: F12 Stepping/Returning out of a DLL/Function (p ret jump)

F11 - Usage: F11 Return to the Caller.   

F10 - Usage: F10 is a trace code, single step traces one by one.

 

It is clear now what to do, F12 will take us out of this call, and will

Send us to the GetDlgItemTextA, so Press F12 and we will be here:

I will comment the Asm code so it will be more Understood.

 

------------------------------------------------------------------------------+

EAX=00000005   EBX=0066FC08   ECX=80007028   EDX=800072B0   ESI=00008C2C      | 

EDI=0066FBBC   EBP=0066FBB4   ESP=0066FBB4   EIP=004012D8   o d I S z a P c   | 

CS=0177   DS=017F   SS=017F   ES=017F   FS=1387   GS=0000                     | 

----------------------------------------------------------------------PROT32--|

0177:004012D3  CALL      USER32!GetDlgItemTextA  ; Read Serial Text Input Box |                        

0177:004012D8  CMP       EAX,00      ; Did we entered any text??              |             

0177:004012DB  JZ        004012DF    ; Nope, jump to message say so +         |                                 

0177:004012DD  JMP       004012F6    ; Else we jump here to code    |         |                      

0177:004012DF  PUSH      00          ; Jump to here        <--------+         |  

0177:004012E1  PUSH      00403462    ; "Please Fill in                        |                  

0177:004012E6  PUSH      00403000    ; 1 more char"                           |               

0177:004012EB  PUSH      00          ;                                        |  

0177:004012ED  CALL      USER32!MessageBoxA  ; Display The message            |                   

0177:004012F2  LEAVE                                                          |          

------------------------------------------------------------------------------+   

 

Now we are in the Correct Place (the CrackMe Code).

From now on, we need to know 2 things:

                                       1. ASM

                                       2. Using the shortcut keys.

 

*Note: in X86 memory there is what we call Segment/Offset,

* xxxx:yyyyy is how it look like, Now in nay computers the Segments may be,

*Be different because of the Memory, but the Offsets are always the same.

* I.E: 0177:004012F2 

       ^^^^ ^^^^^^^^

     Segment:Offset

 

Any way lets go on with our Practice, At offset 004012F2 we have a jump

That will lead us to the Code where serial will be generated/compared and other

Bunch of stuff that may be.

So in order to jump, we need to trace in SoftIce to that instruction and trance into it.

Now: F10 - Usage: F10 Is a trace code, single step trace one by one.

So press F10 until you get to the JMP and F8 - Usage: F8 key usually trace into a CALL/JUMP So press F8 and you will be here:

 

--------------------------------------------------------------------------------------+

EAX=00000005   EBX=0066FC08   ECX=80007028   EDX=800072B0   ESI=00008C2C                             

EDI=0066FBBC   EBP=0066FBB4   ESP=0066FBB4   EIP=004012F6   o d I s z a P c              

CS=0177   DS=017F   SS=017F   ES=017F   FS=1387   GS=0000                                

--------------------------------------------------------------------PROT32------------+

0177:004012F3  RET       0010            ; Return From a call

0177:004012F6  PUSH      00403038        ; After pressing f8 we will be here

0177:004012FB  CALL      00401430        ; Unimportant

0177:00401300  XOR       ESI,ESI         ; ESI = 0                                       

0177:00401302  MOV       ECX,EAX         ; ECX = EAX (Lenght of the Name entered)

0177:00401304  MOV       EAX,00000001    ; EAX = 1

0177:00401309  MOV       EDX,[00403038]  ; EDX = Addres of the name

0177:0040130F  MOV       DL,[EAX+00403037] ; DL = First char of the name

0177:00401315  AND       EDX,000000FF    ; Clean up EDX (leave only the Low Byte)

0177:0040131B  MOV       EBX,EDX         ; EBX = EDX

0177:0040131D  IMUL      EBX,EDX         ; EBX = EBX * EDX

0177:00401320  ADD       ESI,EBX         ; ESI = ESI + EBX

0177:00401322  MOV       EBX,EDX         ; EBX = EDX

0177:00401324  SAR       EBX,1           ; Shift Archimatic EDX Right by 1

0177:00401326  ADD       ESI,EBX         ; ESI = ESI+EBX

0177:00401328  SUB       ESI,EDX         ; ESI = ESI-EDX

0177:0040132A  INC       EAX             ; EAX +1 (Next character on name)

0177:0040132B  DEC       ECX             ; ECX = ECX-1 (Counter)

0177:0040132C  JNZ       00401309        ; Jump to 00401309 while ecx != 0

0177:0040132E  PUSH      ESI             ; Save ESI to Stack

0177:0040132F  PUSH      00403138        ; Push to stack

0177:00401334  CALL      00401383        ; Convert ESI to Decimal

0177:00401339  POP       ESI             ; ESI = last stack information pushed

0177:0040133A  CMP       EAX,ESI         ; Compare entered serial with ESI

0177:0040133C  JNZ       00401353        ; If they are not equal Jump to Bad message +

0177:0040133E  PUSH      00              ; Else                                      |   

0177:00401340  PUSH      00403462        ; Push Caption                              |

0177:00401345  PUSH      004034B8        ; Push good message Text                    |

0177:0040134A  PUSH      00              ; Creat                                     |   

0177:0040134C  CALL      USER32!MessageBoxA  ; Show MessageBox                       |

0177:00401351  JMP       00401366                                                    |   

0177:00401353  PUSH      00              ; Create Message <--------------------------+   

0177:00401355  PUSH      00403462        ; Push Caption

0177:0040135A  PUSH      00403486        ; Push bad message Text

0177:0040135F  PUSH      00              ;Create

0177:00401361  CALL      USER32!MessageBoxA    ; Show MwssagebOX

0177:0040137A  RET       0010                  ; eXit the call                           

-------------------------------------------------------------------------------------+

 

Ok, that's good, everything we need is in front of our eyes, now

If you know asm or at least basic, there should be no problem for you

To understand this.

What basically it does in this Algo is to get the Length of the entered Name,

Put it on ECX as it is the Counter Register, and make a calculation on every

Char from the name we entered, and than build up a serial number out of it.

The final serial will be converted to decimal and will be compared with the Entered

Fake serial in address 0040133A.

What we need do is to Trace the Algo with F10 until you will be reach to address 0040133A And try get the data EAX / ESI holds.

Now as I said, there are 2 ways to see the data is with: D / ? Commands

But because we know that the Serial is in decimal form (Converted at address 00401334)

We assume there is no ASCII data, so basically at address 0040133A CMP EAX,ESI

You simply do:

:? EAX

:? ESI        

  

Example:

Lest say I entered those fake information:

Name: Bengaly

Serial: 12121212   

 

I trace the code untill the Compare address routine, and do : 

 

:? EAX

00B8F47C  0012121212  "¸ô|"   (Our fake Serial)                      

:? ESI

00011BB1  0000072625  "±"   (The real Serial)                                   

^^^^^^^^  ^^^^^^^^^^   ^^^

 Hex        Decimal    Ascii

 

Do you see the Right serial? :-) Of course you do

Name: Bengaly

Serial: 72625

Enter this following information in the CrackMe (crackme#2) and you should

Be greeted with a good message.

 

*Students, this is the end of the test field, I hope you understand today's lesson.

*Tomorrow we will talk about more stuff.

 

-----------------------------------Page 6---------------------------------------------

 

[Day 6]

 

Protections, And more Protections:

----------------------------------

 

Today we won't talk about Shareware protections, But we will

Learn about Protection against Cracking Tools.

And also how to Attack and destroy them.

 

SoftICE Attacks:

----------------

1.Melt-SoftICE:

By saying Melting SoftICE we mean that this is

Some kind of ANTI-SoftICE trick.

The main idea of Melt-Ice is to detect SoftICE.

I.E some program uses MeltICE trick to Detect SoftICE,

And if it found it, it will give us a message saying that:

"DEBBUGER IS ACTIVE" and Program won't load.

The Melt-ICE trick is using what we call VxD detection.

The trick is to search for the SoftICE Vxd called: ///.SICE//

It could also be for WinNT, search for ///.NTICE//

We can Attack this Protection by searching the ///.SICE// string in

A HexEditor and change to other string, No more troubled :-)

 

Misc. Protections:

-----------------------

There are allot of ways other than MeltICE

To search if Sice is active,

Others can be using Interrupts such as: INT 68 / INT 03

Searching those interrupts in HexEditor and eliminate them should

Do the job as well.

Some others can search if a BPX is entered at SoftICE and

Detecting it on memory.

Some can check the Memory, More Installed file by SoftIce,

Checking "BCHK" (BoundChecker) with SoftIce, and many many more.

All those kinda or protections can be automatically blocked By: IceDUMP

This is also another option IceDUMP do (Anti-Anti SoftICE).

 

More Protections can be used against disassemblers as well.

For example, A protections against "Win32dasm".

Although w32dasm is a good disassembler, it does have his weakness

Until the author will fix them of course :-).

Those weaknesses can help projectionists to use it for their on good.

Protections:

              1. Infinite Jumps (EBFE) <= make w32dasm to crash

              2. Big Resource size <= make W32dasm to stop respond     

              3. Inline Calls: Call [Call xxx] makes W32dasm to loose data

              4. Unreachable Jumps.

 

Those kinda of weaknesses can help Programmers against Crackers.

I think its very good protections who's very annoy to crack at least to me :-).

 

PACKING:

--------

Another known and very spread today is the PACKING system.

The packing system has 3 Main options it can perform (if chosen):

1. Size Reducing

2. Encrypting the PE of a EXE / Manipulating APIs / Scrambling Import Tables and more

3. Anti Debugging Options.

 

There are many PE file packers, the most familiars are:

ASPr / ASProtect / tElock / PeTite / PeShrinker / UPX...etc.

 

Encryption / CryptoLogy:

-------------------------

This is almost the secure way to protect your application

Or actually protect against crackers, main idea of Encryption

Is to avoid Outsider to Read the message, or in software World

To crack it, Software companies uses Encryption's for their Serial/Name

Also for Keyfiles, and many others.

They Imbed the Serial by using a Very hard Algorithm, that someone without

This knowledge could ever find the serial, Examples to programs who uses

Encryption's are: FlashFXP / CuteFTP

Some uses RSA xxBit, Some uses others, a good way to reverse it would be

To learn CryptoLogy and become "Cryptoanalyst" and use it to reverse the Chipper.

*When i talk about Crypto, I mean Crypto in Software's (Serials protections)

 

------------------------------------Page 7---------------------------------------------

 

As for this is A guide, I can not dwelve into more basic cracking and examples.

I think you should gain a very basic knowledge by now, the very first thing

You should do, is to READ allot, the Library has allot of information stored and

Written by very Gifted Reverses, This camp gave you the very first Glimpse into the world of cracking and what it has to offer,

a very hard work and time will finally make you,

A fine talented Fravia, and for achieving this goal you shall teach others,

This what makes us good Fravia's, Teach & Learn and work well for others.

 

[Day 7]

                          

                           +-----------------------+

                           +***ADVANCED CRACKING***+

                           +-----------------------+

 

The advanced Cracking field is by far the most time consuming and hard work

From a cracker point of view, but by far the interested one.

What Sections in Cracking is Advanced??

The section we call them advance is the sections that Makes crackers

A brainstorm...Those should be the:

 

Unpacking (Manual):

-------------------

 

Unpacking is a very hard Section in cracking world,

Allot of reverses having time cracking it, while others succeed.

Packing a file that is main idea is to Reduce the size to Block A Cracker.

Will make the reversing part Hard and very much Time consuming.

In order to crack Packed files, the first thing to do is to learn about the

PE structure of a file (EXE), this by far the most important knowledge.

Than alittle ZEN :-) won't harm anyone (+ORC essays).

 

Let's see what a PACKER do:

 

           (LAYER of packer ( Original Code ) LAYER of packer)

 

Well this is the main Idea, may do something else, as Encryption,

API manipulations, anti-debugging tricks, fake calls, and many more.

The only thing we can rely on against a packed file are the tools.

 

Tools:

       Brain by God :-)

       Revirgin By +Tsehp

       ImportREC by MackT

       ProcDump by G-ROM

       PE-Editor By Yoda/M.o.D

       HexEditor (Any)

       SoftICE by NuMega

       IceDUMP (TraceX / ScreenDUMP functions) By IceDUMP team (I'll call them TeamICE ;-)

 

Those are the only tools that can help you unpack any kind of packer,

Remember it's only TIME until you will unpack never say Never.

 

Basic manual unpacking (MUP):

                       1. Calculating the Raw Offset (From PE Editors)

                       2. Putting CC (INT 3) on the found Offset with HexEditor (for  

                          SoftICE)

                       3. Breaking, and tracing for the Original Entry Point (OEP)

                          With SoftICE.

                       4. Using Infinite Loop EBFE to Isolate the Original Code From the

                          Packer's Code (Still SoftICE) .

                       5. Dumping the Isolated File using IceDUMP / ProcDump

                       6. Manually (HARD) / Auto : Import Table Fixing

                          (Using Revirgin / ImportREC)

*Learning how to use Revirgin / ImportREC is a very Good idea so you can

Use them to FIX the Import Table of the file (dumped), (if damaged).

 

This is by Far the easy part, some PACKERS has really hard options which only

Holds skilled crackers for some time, but eventually will be breached.

Another achievement will be to CODE your own Unpacker, this is somehow

The best at all this Unpacking world.

 

----------------------------------------------------------------------------------------

                          Manually UnPacking of EP_v0.2:

----------------------------------------------------------------------------------------

 

This is not very hard Packer, it only does small things

So this tutorial will make clear of everything.

 

--------------------------------------------|

Writer:         Bengaly                     |

Author:         CoDe_InSide                 |

Protection: Encryption & scrambling IT      |

URL:    http://codeindise.cjb.net           |

Tools:            SoftICE v4.00             |

            Hex-Editor (any)                |

            ProcDump v1.6.2                 |

            ImportREC (MackT.cjb.net)       |

--------------------------------------------|

 

Let's get started:

------------------

 

In this example I will use CoDe_InSide's EP_v0.2 (PE) packer/Encrypter.

So I will encrypt Calculator.exe

After encryption you will get calcc.exe .

Ok, let's open PrucDump. choose "PE EDITOR" and load calcc.exe

 

You will see a window with this in formation:

 

Entry Point:   00017000    <= this is the Virtual Offset

Size of Image: 00018000

Image Base:    01000000

 

Ok, now that we know the virtual offset (00017000), click the "Sections" button,

You will see all section Information in a tab.

 

Always look at the final section (so we will patch the offset in HexEditor)

Ok, so look under Virtual Offset of the last section, you will see 00017000, but we must

Know the Raw offset, so look under Raw Offset of the section, it is 00017000 too,

Wow we got lucky it's the same offset, (some may use different offsets), ;D

But here it's the same, now we know the Raw Offset. (00017000)

 

Open up hex editor (any), and look for 17000

You will see this in Hex-Editor:

 

17000: 6A 00 60-E9......

 

Now, in order to use sICE to break when we load the program (Breaking on BPINT 3),

We need to Change the 6A -> CC  (CC = int 3, a dos breakpoint)

 

So in hex editor just change:

 

6A

 

To:

 

CC

 

Now it will be like this -> 17000: CC 00 60-E9......

 

Save the file and exit HexEditor.

Now load sICE (Ctrl+D).

Set a breakpoint: BPINT 3

Press enter, and exit sICE (Ctrl+D)

Load the encrypted file (Calcc.exe), SICE will pop up here:

 

----------------------------------------------------------------------------------+

EAX=01017000   EBX=00520000   ECX=81653AB0   EDX=81653AF0   ESI=81653A90          |

EDI=00000000   EBP=0056FF78   ESP=0056FE3C   EIP=01017000   O d I S z a P c       |

CS=0177   DS=017F   SS=017F   ES=017F   FS=5607   GS=0000                         |

-----------------------------------------------------------------------PROT32-----+

0177:01016FFE  INVALID                                                            |

0177:01017000  INT       3   <= we brake here                                     |            

0177:01017001  ADD       [EAX-17],AH                                              |

0177:01017004  ADD       [ECX],EAX                                                |

0177:01017006  ADD       [EAX],AL                                                 |

0177:01017008  ADD       [EAX],AL                                                 |

0177:0101700A  ADD       [EAX],AL                                                 |

0177:0101700C  INC       ESI                                                      |

0177:0101700D  INC       EDI                                                      |

0177:0101700E  DIV       DWORD PTR [BFF70000]                                     |

----------------------------------------------------------------------------------+

 

Now we need to change the "CC" back to "6A" (the original value),

Because if we wont then sICE will exit ...so just press:

E EIP

You will see this:

--------------------------------------------------byte--------------PROT---(0)--

0177:01017000 CC 00 60 E9 01 01 00 00-00 00 00 00 46 47 F7 35  ..`.........FG.5-

0177:01017010 00 00 F7 BF 5C 70 01 00-30 70 01 00 00 00 00 00  ....\p..0p......

0177:01017020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................

0177:01017030 D4 76 F7 BF AC 6D F7 BF-00 00 00 00 C2 01 4C 6F  .v...m........Lo

-------------------------------------------------------------------------PROT32-

 

Change CC 00 to 6A 00

 

So it will be like this:

0177:01017000 CC 00 60 E9 01 01 00 00-00 00 00 00 46 47 F7 35 (Only the first byte is changed)

 

Press ALT+D to return to the Command Window,

Ha...much better, now we can trace the code ;D

We will trace the code to find the OEP (Original Entry Point), and we well trace the Original

Import Table so we could be able to fix the table later (encryptor f*ck up the IT)

 

1.============================The Hunt For OEP========================================

 

Ok, so we changed the int3 back to the original value so we can trace in sICE,

A very quick way to the the OEP is for looking the POPAD instruction (most

Encryptors use PUSHAD and then POPAD instruction..begining and ending of code)

 

A good way to see the POPAD is to scroll the code with CTRL+Down

It will take a while but you will see in the end of the code the POPAD & RET commands..so

When seeing the POPAD instruction, double click on it (mark it with white) and type: HERE <enter>

Hehehe, we are breaking on the POPAD instruction:

 

EAX=01017000   EBX=00520000   ECX=81653AB0   EDX=81653AF0   ESI=81653A90       

EDI=00000000   EBP=0056FF78   ESP=0056FE3C   EIP=01017000   O d I S z a P c    

CS=0177   DS=017F   SS=017F   ES=017F   FS=5607   GS=0000                      

--------------------------------------------------byte--------------PROT---(0)---+

0177:01017000 6A 00 60 E9 01 01 00 00-00 00 00 00 46 47 F7 35  j.`.........FG.5  |

0177:01017010 00 00 F7 BF 5C 70 01 00-30 70 01 00 00 00 00 00  ....\p..0p......  |

0177:01017020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................  |

0177:01017030 D4 76 F7 BF AC 6D F7 BF-00 00 00 00 C2 01 4C 6F  .v...m........Lo  |

-------------------------------------------------------------------------PROT32--+

0177:01017208  POP       EAX                                                     |

0177:01017209  ADD       ESI,14                                                  |

0177:0101720C  MOV       DWORD PTR [ESP+20],010119E0    <= OEP                   |      

0177:01017214  JMP       01017170                                                |

0177:01017219  NOP                                                               |

0177:0101721A  REPZ STOSD                                                        |

0177:0101721C  POPAD       <= you will break here                                |               

0177:0101721D  RET                                                               |

0177:0101721E  ADD       [EAX],AL                                                |

0177:01017220  ADD       [EAX],AL                                                |

---------------------------------------------------------------------------------+

 

How did I know how trace until here?

Well as I told you, look for a POPAD instruction and a RET..that will insure

You can find the OEP there...well most of the times

 

Now, go over the RET instruction (f10), and while you are on the RET instruction

Type F10 again..u will be here:

 

EAX=01017000   EBX=00520000   ECX=81653AB0   EDX=81653AF0   ESI=81653A90       

EDI=00000000   EBP=0056FF78   ESP=0056FE3C   EIP=010119E0   o d I s Z a P c    

CS=0177   DS=017F   SS=017F   ES=017F   FS=5607   GS=0000                      

--------------------------------------------------byte--------------PROT---(0)---+

0177:010119E0 55 8B .. .. .. .. .. .. .. ..and ect <= notice here                |

0177:010119F0 A1 00 00 00 00 50 64 89-25 00 00 00 00 83 C4 98  .....Pd.%.......  |

0177:01011A00 53 56 57 89 65 E8 C7 45-FC 00 00 00 00 6A 02 FF  SVW.e..E.....j..  |

0177:01011A10 15 B8 10 00 01 83 C4 04-C7 05 78 3F 01 01 FF FF  ..........x?....  |

-------------------------------------------------------------------------PROT32--+

0177:010119DF  INT       3                                                       |

0177:010119E0  PUSH      EBP   <= you break here                                 |

0177:010119E1  MOV       EBP,ESP                                                 |

0177:010119E3  PUSH      FF                                                      |

0177:010119E5  PUSH      01001570                                                |

0177:010119EA  PUSH      01011D60                                                |

0177:010119EF  MOV       EAX,FS:[00000000]                                       |

0177:010119F5  PUSH      EAX                                                     |

0177:010119F6  MOV       FS:[00000000],ESP                                       |

0177:010119FD  ADD       ESP,-68                                                 |

---------------------------------------------------------------------------------+

 

Also notice that EIP use the Original Entry Point (010119E0)

EAX = First Entry Point (01017000)

 

Now We are going to use the "EBFE" trick (infinite Loop)! , Do this in sICE:

 

E EIP <enter>          

EBFE              : Change 558B to EBFE (Don't forget to remember 558B!)

ALT+D             : To return to the Command Window

 

---------------------------------------------------------------------------------------+

0177:010119E0 EB FE EC 6A FF 68 70 15-00 01 68 60 1D 01 01 64  <= it will be like this |

0177:010119F0 A1 00 00 00 00 50 64 89-25 00 00 00 00 83 C4 98                          |

0177:01011A00 53 56 57 89 65 E8 C7 45-FC 00 00 00 00 6A 02 FF                          |

0177:01011A10 15 B8 10 00 01 83 C4 04-C7 05 78 3F 01 01 FF FF                          |

-------------------------------------------------------------------------PROT32--------+

0177:010119DF  INT       3                                                             |

 ==> 010119E0  JMP       010119E0          (JUMP)   ; the trap                         |

---------------------------------------------------------------------------------------+

 

So we set a trap on the OEP ;D, now let's clear all breakpoints : BC *

Again set a breakpoint on BPINT 3 , and leave sICE

Load calcc.exe, sICE breaks, type: E EIP edit the CC->6A and press <enter>

Now leave sICE again (without clearing the breakpoints)..calcc.exe runs like a baby

Well what's the point of it??

The point is that u wont get a error message when loading calcc.exe (without bpint3,cc->6a)

That way I can dump it in ProcDump while the program is loaded and don't crashing ProcDump When trying to DUMP it.

 

Now let's open ProcDump again...now in the TASK window, scroll down and look for

The Directory u have the encrypted file, mine is:

 

D:\Dont Tuch\notepade.exe

 

If not there, right click on mouse...press REFRESH LIST...ohh here it is :=)

 

Now select the file, right click with mouse and choose:

DUMP (FULL)..if ProcDump still Crash Then I recommend to dump the file using PARTIAL,

DUMP (PARTIAL) <= click ok all the time.

 

Save the new dump anywhere u like, choose a name of course ;D

(I prefer the name DUMP.EXE ;D) Now again right click on it again and choose:

KILL TASK  (press ok after u get a message) Now, The dump we made does not run yet,

We need to modify it to make it run...duh! ;D

So click "PE Editor" and choose the new dump file we made.

Now the entry point is still 00017000, so change it to the real OEP: 119E0

 

It will be like this now:

 

Entry Point: 000119E0

 

Now on the "Apply Changes Method:" choose "To PE File" <= so we can kick the encryption Code.

After choosing "To PE File", click "SECTIONS" button.

Now right click on the last section with mouse and choose: "Kill Section"

This will ensure that the encryption code wont be on the dump.exe anymore ;D

Now we will change the Size of Image of the dump:

 

Size of Image = Last Virtual Offset + Last Virtual Size  (last section)

 

So because we killed the last section, we will use the last section,

To fix this take now the:

 

Offset            = 00014000 

Virtual Size      = 00002618

Size of Image = 00014000 + 00002618 = 00016618

 

Click "CANCEL" button and we back to the Header Info screen,

We see that the "Size Of Image" = 00018000 <= which is not correct! (at least here it is) :-) 

Change "Size Of Image" = 00018000 -> 00016618

 

Press OK to rebuild the structure of dump.exe ;D

Exit ProcDump.

Try running the file (dump.exe)...what's going on, it's not working...why! >:/

 

Well it won't work because it runs in a loop that provides form the program from working!

Remember: 558B -> EBFE?

So open hex editor again and go to the OEP we found (119E0).

 

Change back EBFE -> 558B

 

Save the file...

Run Dump.exe...IT CRASH AGAIN!!!!!!!!... >:|

 

Wtf...why :-( ?

well the main reason is because the EP v0.2 encryption routine, it basically F*CKING UP THE

IMPORT TABLE...

To know more about IT I suggest reading some tutorials about it! :-)

Or some documents about the PE structure.

 

2.=======================The Hunt For Original IT=======================================

 

Ok, open up sICE, set a BPINT 3 breakpoint, exit sICE, load the encrypted file (not the dump)

SICE pop..just E EIP to bring back the original value so we can trace with sICE..

 

E EIP

CC 00

To:

6A 00

<enter> or Alt+D

 

Now we can tracing...it wont take a while..try find it your self

Didn't find??

 

So notice this In SoftICE:

--------------------------------------------------------------------------------------+

EAX=01017020   EBX=00520000   ECX=00000000   EDX=7461644F   ESI=01012020 ;Original IT | 

EDI=00000000   EBP=01000000   ESP=0056FE18   EIP=01017170   o d I s z a p c           |

CS=0177   DS=017F   SS=017F   ES=017F   FS=1127   GS=0000   DS:0101202C=000122A2      |

--------------------------------------------------byte----------------PROT---(0)------+

0177:01017000 D4 76 F7 BF AC 6D F7 BF-00 10 00 00 00 20 01 00  .v...m....... ..-     

0177:01017010 00 30 01 00 00 10 00 00-00 00 00 00 20 20 01 00  .0..........  ..      |

0177:01017020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................      |

0177:01017030 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................      |

----------------------------------------------------------------------------PROT32----+

0177:01017163  JMP       0101713C                                                     |

0177:01017165  ADD       ESI,04                                                       |

0177:01017168  LODSD                                                                  |

0177:01017169  TEST      EAX,EAX                                                      |

0177:0101716B  JZ        01017175                                                     |

0177:0101716D  ADD       EAX,EBP                                                      |

0177:0101716F  XCHG      EAX,ESI                                                      |

0177:01017170  MOV       EAX,[ESI+0C]  <= ESI move to EAX, EAX = IT                   |

0177:01017173  TEST      EAX,EAX                                                      |

0177:01017175  JZ        010171F6                                                     |

--------------------------------------------------------------------------------------+

 

A quick: ? ESI

Will show you ESI=01012020

So we can assume that Original is starting at 12020 (write it down)

 

3.======================Fixing Broken Import Table====================================

 

So once that we know the start point of the IT, we open ProcDump again,

Choosing the "PE EDITOR" Button,

And choosing our dump.exe that we have created!

Now in order to change the IT starting point click the "DIRECTORY" button:

You will see:

 

Import Table:   RVA           Size

              00017008       00000034

 

But we know 00017008 is not the real starting point of the IT, so just edit it and replaced

It with the real RVA

 

17008->12020

 

Click OK, and OK again..dump.exe is rebuild.

Now we need to use a program called "ImportREC" which will fix us the broken Import Table.

 

How to use and fix throw ImportREC??

 

===================================Fixing Threw ImportREC============================

 

1. Load the encrypted file (not dump) using the CC->6A trick in sICE,

(wich in the case wont Crash the program) and that will make it active to use in ImportREC.

2. In the "attach to an active process" choose our program -> d:\dont tuch\calcc.exe

3. Enter the correct OEP+IT at "IAT INFOS"

OEP = 000119E0

RVA = 00012020

SIZE = 00001000

4. Press the "IAT AutoSearch" button, and u will get the message "Found something!" ,

And some RVA and OEP information's Click OK!

5. Click the "Get Import" button

6. Click the "Fix Dump" button, and choose the dump.exe we made

* Note, sometimes you will get an error Message but you can ignore it ;-)

Otherwise it works fine.

7. Exit ImportREC

 

Ok so we fixed the dump.exe with good IT..it's time to check the program.

You will see a new file is created dump_.exe ;) click it!!

 

It works ;-)

 

                EP.v0.2 Is Totally Unpacked / Reversed & Removed!

---------------------------------------------------------------------------------------

 

Well my students, it was a long journey but you finally did it,

I said it takes time to learn, you can't master at something you haven't

Trained on.

So I again says "Read & Practice" nothing is perfect until you make it Perfect.

 

Keygenning:

-----------

 

Another fascinating Section in Cracking is the

Keygenning field, this is the Total Reversing of a given

Protection and by far known as the BEST Crack.

Creating the actual Keygen is not the problem, but to Understand

The ALGO it self may give some brainstorm, also to find the actual

Generation routine can be very Frustrating part :-) , But as I said,

Time and only Time, nothing actually can hold good Fravia, unless

It is impossible, but another can crack what that has been made by Human.

A simple ALGOS won't hold a Skilled Cracker but will a beginner.

A good ASM knowledge will by far do 50% of the job, only 50% left is your Brain's Effort

This is a simple Key-Hashing no more.

Math will play a Big roll, ALGO is based on Math whatever it's simple -> harder.

SoftICE is the most useful tool, as it shows us how the Algo behave and what does it to

For every instruction, a good way is to imitate the Algo (Rip it) or to write your own

Algo which will produce the same key from name (no matter the programming language).

A good example of a simple Algo is used in Day5 of our Training.

The Crackme2 has a very easy Algo that creates a serial out of the name based on the

Length of the entered name, a few math instructions is being used.

Good way is to rip the Algo if you are an ASM coder.

Else just understand it and create your own routine in you Favorite Programming Language.

 

I.EXAMPLE (Keygen routine in C/C++ for Crackme2):

=================================================

//Simple routine from the ASM code converted to C

len = strlen(name);

for (i=0; i<len; i++)

{

edx = name[i];

ebx = edx;

ebx *= edx;

esi += ebx;

ebx = edx;

_asm

{

sar ebx,1

}

esi += ebx;

esi -= edx;

}

 

When you understand the Algo, you can reverse it totally and create your

Own Keygen, this is what makes Cracking FUN (not Profit).

-For even harder to Keygen, Crypto is being used to stop crackers,

But of course some did and will keep doing them.

Keep practicing and Work Well.

*Don't worry I won't paste here any Keygen tutorial :-) else this Guide will

Be a book ;-).

 

Crypto-Key:

-----------

 

These days Companies is well known of the Cracking scene as they know that 1+1=2 :-)

And still they are making Funny routines, but some are not that Lazy, those

Companies who take their Software Deeply know that they must protect their App at any cost.

Those companies force them Self to use Crypto ALGO routines to make the Game alittle bit harder.

Mathematical algorithms like RSA's and etc.

Using Crypto makes the average cracker a living hell, and he will drop it.

The only attack against that kind of Crypto-Key Algo is to Learn about the Crypto based

Algo that us being used in the app, study it and be a Cryptoanalyst, than after

Gaining the Knowledge about it, it's only matter of Time/Brain/SoftICE to Create the

Actual Keygen :-) , sure it will be hard, but it can be done, since there is no Public-Keys

And such Algo in a Name/Serial protections :-) , the only thing the Crypto Algo is

Being used for is to create the valid key for the name by using very hard MATH.

*IF you want to Practice on Crypto keygenMes, try TMG's trial keygemME by tEgoiste.

 

Dongles:

--------

Well there is no much I can say about Dongles

Because I have never tried to reverse one,

But they are hard, but already reversed so the Secret is no more

Longer a secret :-) , Dealing with a Dongle is dealing with

Technician Knowledge, as far as you learn about Dongles the faster

You will crack them.

Cracking a Dongle isn't making a Box and to attach it to the LPT port heh :-)

One way is to find the BAD_Boy jump (you believe it's still here? ;-) ) and reverse it.

Or you will need to rewrite some parts (mostly moving all information / services / Regnums) Into Registers and it will make you a good patch.

Another way is to emulate the Dongle, and make the APP thinking it's attached,

Known Dongles: Hasp From Aladdin - Israel / Sentinel / DesKEY / homemade and etc..

 

Taken From Frog's Print Essay about Dongles:

============================================

Possible Attacks:

                        - Breaking with BPIO 278/378.

                        - Emulating the Dongle by re-writing its main routine

                          Is much funnier than boring tracing and patching

                          (And sometimes a lot easier, specially the Hasp protection)

                        - Beautiful jnz_Bad_Guy at the end to patch... :-)

                        - Brute force approach

                        - Searching with Hiew the bytes sequence 0xE900000000

 

To crack a Dongle, you must first locate the protection you'll have to crack.

Any means are good: 

-Searching in the program or its DLLs the main Dongle routine (

I wrote my own haspfind.com that search a directory for the file

Where the Hasp routine is located). 

-Bpio with SoftIce. It will always work

(as long as you don't forget to install the driver and, most of the time, reboot to load it) But you may easily get stuck/lost deep inside complex routines. 

-Since most programs will issue an error message ("Dongle not found"...)

You may just have to BPX the MessageBoxA functions or,

All other similar ones and find the cross-references. 

-Disassembling the file to find some "Check_If_Dongle_OK" exported functions.

 

+================+

| The Big Ride   |

+================+

 

When i mean the big ride, I don't mean any new crack

Or any new protection,

I mean that when you are finally ready, and practiced, and think

You can handle the Real world of cracking than you are in the Big Ride ;-)

There are 2 different kinds of Cracker:

 

1. The lonely Crackers -

                       Those who crack alone,

                       Write tutorials alone,

                       And does not interfere with

                       Others, those BTW are kindly the

                       Best crackers.

                       They are doing the best work

                       And supply you with the best Knowledge.

                       You can find them in the +HCU academy for Crackers.

                       All lonely crackers have been posed their Tutorials.

 

2. The "Glory" Crackers -

                       Those who think they don't

                       Want to be alone, and want to

                       Be "famous", those are the crackers

                       Whose work in a Cracking Groups.

                       In groups a bunch of crackers working.

                       Together in order to crack an application.

                       In those kinds of Groups, there is only 1 goal:

                       Team Competition / Fun.

                       I those kind of groups, there is no profit

                       What So ever, just crack for fun before some

                       Other group will :-) .

 

This I refer as the Big Ride.

Contribute to give knowledge & teach or join some Cracking team and have fun

With Others.

 

------------------------------------------ Page 8 ------------------------------------

 

+=================+

| Troubleshooting |

+=================+

 

 

Some Troubleshooting I have seen allot lately

Came from the Installing IceDUMP...well

For me I don't know what's so difficult, but anyway:

 

Installing IceDUMP:

-------------------

Extract the ZIP file (32bit with dirs.).

It is not important where to Extract IceDUMP.

Once extracted, should see Dirs:

TOOLS / W9X / WNT

 |       |     +--------------------> WinNT VxD versions of SoftICE

 |       +---------------+ 

MASM include files       |

                         |

                         SoftICE win9X versions (Dos as well)

                         In this dir you should see allot of Dirs

                         Every dir represents SoftICE version,

                         Starting from DOS->Windows SoftICE versions.

                         Also there are some other Dirs for small

                         Utile (mp3 player..)

 

The first thing you do before running the IceDUMP exe file (VxD)

Is to ensure your SoftICE version, you can do that by loading SoftICE

And press VER

You will be given The SoftICE information.

For example, my SoftICE version is:

 

SoftICE 4.0.5 (Build 334)                                                      

Copyright (c) 2000 Compuware Corporation.  All rights reserved  

 

This means i have SoftICE 4.05 Build 334)

So I Run SoftICE for Windows98, so in IceDUMP Dirs for w9x

I need to enter the sub dir called: 4.05.334

And load the specific VxD for my SoftICE version.

*You don't need to put IceDUMP files in SoftICE directory.

My IceDUMP is installed at: D:\Dont Tuch\My Ducoments\Cracking\Ice Dump\w9x

Where SoftIce is installed at: C:\Program Files\NuMega\SoftIce95

You see, there is no need to move any files, when running the right IceDUMP VxD

Version for your SoftICE it will automatically patched in memory and be ready to use.

And you can use more options IceDUMP have :-)

Have Fun.

 

Another Troubleshooting ppl have been

Talking about is that they can't use SoftICE in WinXP/2000/ME

 

Setting SoftICE for WinNT/WinME (XP/2000):

------------------------------------------

 

First thing to know, that NuMega has made patches that will

Load SoftICE in the newer Windows.

WinME - has a problem as well, as it does not uses autoexec.bat

And that's bad, since we can't modify SoftICE to run in Windows Boot Load.

Once Solution has been brought to us by IceDUMP Team (TeamICE, or IceMen :-) )

But the patches they have added are not 100% and you could have problems loading SoftICE, More solutions brought by NuMega as well,

In their page you can find the right Patches.

Win2000/XP - Same Problem, NuMega has made new DriverStudio (2.5) that (hopefully) support WinXP,

Also there are Patches for SoftICE (NTice) in their home page (www.NuMega.com)

Get Them.

 

Misc troubleshooting:

-----------------------------

Q. I can't use Hmemcpy under Win2000, why?

A. Win2000 does not support the Hmemcpy that's why you can't use it.

   As for Replacement you can use the MemCpy function (not the same, but better than nothing)

 

Q. I am trying to set a breakpoint on an API and i get "Symbol is not defined" why?

A. Probably you haven't told SoftICE to load the DLLs at boot time,

   Remove the  ';' at the important DLLs, From Winice.dat and than Reboot.

 

Q. I AM Cracking a visual basic app but I can't break at SoftICE why?

A. Visual basic uses it's own DLLs such as Vb40032.dll and more for Vb6.

   I suggest you to go to: http://ebliss.cjb.net/

   It has all needed information about VB cracking.

   Also I suggest you to get SmartCheck VB debugger.       

 

Q. I heard about Search Function in SoftICE, what is it and, how to use it?

A. The search function is very powerful once you know how to use it

   For example, if you enter your name in a text box: Bengaly

   After breaking (BPX) with the right API we are doing a search

   For our name, instead of manually locating it, it works like that:

   S 0 L FFFFFFFF 'Bengaly'   

   *S = Search

   *0 = From starting Address 0 (zero)

   *L = Unknown, could be for Until

   *FFFFFFFF = end of the address to search.

   Now SoftICE will break at where the name Bengaly has been located in memory

   It does not say it's in t he program, but in Memory (cuz we are doing a

   LONG-RANGE search).

   A good way to know where the name could be set is after the Address of 8xxxxxxx

   I.E: :s 0 l ffffffff 'Bengaly'                                                       

        Pattern found at 0030:82F1A89B (82F1A89B)   

                                        ^^^^^^^^ Over 8xxxxxxxx

  This system is though us +ORC in his fantastic tutorials.

  All you need to do is to set a breakpoint at the address's Range and break:

  I.e.: BPR 0030:82F1A89B + 6 R 

                           | |

         Name Length-1 <---+ +----> Read

 

 There is a good Searching Tutorial at (I think): http://fooder.cjb.net

 

Q. How can I take a snapshot of SoftICE?

A. Well a regular snap shoot you can't take, but another snapshot

   Can be takes and be saved to TXT/HTML.

   The snapshot function is brought us by IceDUMP, very strong utile.

   First thing to do is loading Proper IceDUMP Vxd, once loaded you can use the

   Function, like this:

   /ScreenDUMP     

   Now, ScreenDUMP has some options (Modes), Every mode take snapshot in a different

   Way, press several times /SCREENDUMP will switch Case the modes.

   The best mode to use is: mode 01 (Text mode)

   To take the snapshot you do:

   /ScreenDUMP <dir path><filename>.txt (Mode 01)

   I.E: /SCREENDUMP D:\A.TXT

 

 

Q. I used this /ScreenDUMP function, but it Looked up my Computer, what to do?

A. Yes this is a common Bug, to fix this you should always break on some API,

   It seems /ScreenDUMP won't take a shoot unless you are in some Code.  

 

Q. I heard there is an MP3 player under SoftICE, where is it?

A. Yes there is, the mp3 player is in \Ice Dump\w9x\mp3\bin

   But i must say, The Mp3 player will lookup your machine unless you know

   How to use it, I tried Looked my PC, maybe it's not yet working, don't know :-)

   I really recommend putting a CD in the CD-ROM and playing it using the CD-ROM Buttons

 

Q. I heard about A TraceX command, what is it?

A. Well TraceX command actually a tracer that normally used to single step

   Some stream of instructions and,

   Because of this it is able to intervene at any point and act accordingly.

   * I recommend reading the Tracer.TXT from the Docs dir in IceDUMP Dirs.

   Once Tracing, take your time, it takes a while For Sice to Break (depend on memory?)

 

Q. It seems W32dasm Stuck/Crash when i load some apps, why?

A. As I said before, some uses the TRICKS against W32dasm,

   Some Programmers could raise the Resource Size and this makes Win32dasm

   Stuck/Freeze, others use FAR jumps, Infinite Loops, and etc.

 

Q. Why can't I see the String-References of a VB application in w32dasm?

A. In order to do that you need the Win32dasm patch for VB applications.

 

Q. I have disassembled a file, but i can't see any ASM code, why?

A. This is because the File is packed, the packer hide the asm file.

   What you can do is to unpack the file and disassemble again.

 

Q. I got the File unpacked, I see the ASM code, but there is no Strn-Refs, why?

A. This because you haven't changed the Characteristic of the file,

   Run PE-EDITOR, load the file and press the "Sections" Button,

   Select each section, right click and choose the: Change to E0000020

   Options do this to all Sections. (It will Auto Update the file).

   Now try to Disassemble the file, you "should" have strn-Refs.

 

Q. Where can I get the full API list?

A. You can dl the Win32.hlp from The internet (try Microsoft.com) :-)

   or try: http://Protools.cjb.net

  

--------------------------------------- Page 9 -------------------------------------

 

+=======+

| Links |

+=======+

 

The way to learn about Cracking is to search over the net, download

The tutorials, and read/practice, here I will give you the best

Web pages you can download the free tutorials/tools from:

 

-----------Cracking Tutorials:---------

 

1. +HCU Academy - http://Tsehp(dot)cjb(dot)net (Academy - Best)

2. The Krobar Collection: http://Krobar.cjb.net (Recommended)

3. CoDe_InSiDe - http://codeinside.cjb.net (Mine/CoDe's tutorials)

4. Eternal_Bliss - http://ebliss.cjb.net (Visual-Basic)

5. +Sandman - http://www.idca.com/~thesandman/index2.html (Best - Recommended)

6. Icezelion's Win32Asm - http:/win32asm.cjb.net (Coding)

7. tHE Egoiste - http://egoiste.da.ru (Great page with Crypto Stuff)

8. CrackMe's Page - http://crackmes.cjb.net (Recommended, dl all CrackMe from here)

 

--------Cracking Tools:---------

 

1. Programmers Tools - http://protools.cjb.net (Best)

2. Play Tools - http://playtools.cjb.net (Great)

3. EXE Tools - http://exetools.cjb.net/ (Average)

4. Aaron's Tools - http://mud.sz.jsinfo.net/per/aaron/index.htm (Average)

5. http://ProcDump32.cjb.net

6. Freak2freak.cjb.net

7. www.sysinternals.com (FileMon)

8. http://rpi.net.au/~ajohnson/resourcehacker

9. http://muaddib.immortaldescendants.org

10.http://frog.fsn.net (May be down)

 

-----------Groups:-----------

 

1. PGC - http://www.pgc-force.com (I am in that group)

2. The Millenium Group - http://tmg.da.ru/ (Keygen Factory :-)

3. HellForge - http://www.hellforge.org/

4. The Cracking Answer - http://tca2k.da.ru/

5. Immortal Descendants - http://www.immortaldescendants.org

6. TrickSoft - http://emc2k.com/tricksoft/

7. DOOM - http://deadlyzone.virtualave.net/Html/load.htm

8. http://www.suddendischarge.com/

 

And many more :-) , well I can't put all Sites here,

So I just put the links to the most useful for crackers.

 

 

+========+

| Thanks |

+========+

 

First Thanks goes to all who made Reveres-Engineering Posible:

--------------------------------------------------------------

In No specific Order:

 

+ORC, Fravia+, +RGC, +greythorne, +ReZiDeNt, +Xoanon , SiuL+Hacky,

The+Q (Home Made), +Spath, +Mammon_, Frog's print, +gthorne, +daQ,

razzia, +MaLaTTiA, Quine, +Alt-F4, +DataPimp, The+Chineese, +Hackmore,

+Indian_Trail, bajunny, +Sandman, +Aesculapius, Shaman, +Aitor,

Dr Fuhrball, MaD, TWD, +SNikKkEL, +Sync, Flipper, +Spalj, +Tsehp,

A+heist, The Undertaker, Civetta, +Zer0, +drlan, +PopJack.

 

Thank for my Cracking Skills To:

--------------------------------

 

CoDe_InSiDe, fusS, _Nordic_, Muad'D1b, gogamoga,

ManKind, PGC, +HCU Academy, +ORC, +Sandman, +Fravia (+Fravia).

The+Q (For being a cracker from the same country as I).

Thanx to my real friends as well (even if some don't know what I do) :-)

 

Work Well And Have Fun.

                          By Bengaly 2001