+-----------------------------------------------------------------------------+
|              For The +HCU: Academy Of Reverse Engineering                   |
|                   by Bengaly, published by +Tsehp                           |
+=============================================================================+
Welcome New Beginners.
So, you finally found your way into the Cracking world eh? :-)
Hacking seems too much of a burden to you? :-)
You think you can handle ASM? :-)
Then you are welcome to read this Cracking Guide for new/adva
Note: this tutorial can be published only by Axion, and cannot be distributed over
the net (due to a special request), or otherwise unless the author of this text says so.
This Tutorial is for Educational Purposes only! All cracked applications will be
well respected by us crackers. If you use a Shareware, please buy it!
Help support those who give you the time and effort to learn and gain knowledge.
Guide Hierarchy:
----------------
[-]-Overview-------+
                   |
                   +----> I.   "Assembly" (Quick Touch)
                   |
                   +----> II.  "Tools"
                   |
                   +----> III. [+]Cracking----+
                   |                         |
                   |                         +---->[+] Basics
                   |                         |
                   |                         +---->[+] Advanced
                   |                         |
                   |                         +---->"The Big Ride"
                   |
                   +----> "Troubleshooting"
                   |
                   +----> "Links"
                   |
                   +----> "Thanks"
=============
| Overview |
=============
Cracking, what is it? ...
Cracking is what we call "software hacking": those people who "destroy" the CODE
of the application they are examining.
Real cracking began long ago, something like 10+ years.
But none of it has been like today; today's cracking could be even easier than
before, but it can still be tough.
In 1990 old DOS ruled (?) and a lot of apps/games were out. Those are really the
interesting part, as DOS seems neglected nowadays; a lot of DOS-based protections
haven't been cracked (reversed), due to lack of interest, or just because it is a
plain hard task.
DOS uses what we call "Interrupts", those fu
Type something on the keyboard, display on screen, send to printer and etc...
Those fu
But now..1995-2001 Si
simpler task than ever (DOS actually :) ).
Windows, as you may not know, does not use interrupts anymore, si
With a 32-bit OS (Operating System), all interrupts were deleted and rewritten from
scratch into what we know as "API" (Application Programming Interface).
Microsoft has written a lot of APIs and *almost* all are documented in their
Win32API.hlp.
Now, just as DOS crackers used interrupts for finding weak points + attacks,
Win9X crackers will use APIs for that matter as well.
Si
own good :-).
1996: a new cracker called ORC (Old Red Cracker) came out with a series of huge/long
tutorials explaining new attacks/crack points/new ways to crack DOS + Win32
applications.
Sure, now they could be absolutely useless because they were written in late
1996-1997, but they still give us the right track.
(Although I do not recommend reading them unless you are familiar with cracking.)
Now you ask, how much time will it take me to be a good skilled cracker..??
Well actually it depends on you and your devotion to the subject; I believe 3+ years
will make you average skilled nonetheless.
(Unless you are one of those smart kids :-) ).
You cannot crack unless you are practicing, that's a fact.
Sitting at least 2 hours a day to crack 1 application will do fine.
Don't expect to be a master if you crack the lamest/easiest app around. Don't hold
your breath :-), some programmers are stupid, some not!!..:-)
So I hope you got a brief idea what the hell Cracking is :-).
I hope you will enjoy reading this tutorial as much as I enjoyed writing it for you. :-)
*There are a lot of cracking guides out there; each guide is written from its own
cracker's perspective.
================
| I. ASSEMBLY |
================
This is the most important section; cracking could not exist without it.
The low-level assembly programming language, ASM, is the core, the heart knowledge
every cracker needs to know. Without it you are basically wasting your time :) .
For crackers (at least new ones) only the essential parts of ASM are needed...else
you are a keygener/coder..etc. ASM is a word language (would you like to code in
opcodes? <= hex form of ASM: B8012C...) I think not :).
When I say word language I mean: MOV/INC/DEC/MUL/LEA/JMP/JNE... you can see they
are only shortened words:
I.E: JMP = JUMP
     LEA = LOAD EFFECTIVE ADDRESS
     MOV = MOVE
And so on..
This way it's very handy for us to understand instructions.
Although I recommend all cracking lovers to start reading ASM books: "The Art of Assembly".
You can easily find those over the net in e-book/HTML form.
BINARY:
-------
Binary is the machine language; it is understood as 1/0.
Every instruction is translated into 1s and 0s that the computer can understand,
and then it performs the instruction.
I.E: 110011010001110101011111001
BITS/NIBBLES/BYTES/WORD/DWORD:
-----------------------------
BIT    - Can be 0 or 1
NIBBLE - 4 Bits (1,2,3,4,5,6,7..every such number is a 4-bit nibble, binary system)
BYTE   - 8 Bits (or 2 nibbles: low/high) ->
           7   6   5   4   3   2   1   0
         [ ] [ ] [ ] [ ] [#] [#] [#] [#]
             High            Low
WORD   - 16 Bits (4 nibbles, or 2 bytes: low/high) -> 15......0
Double WORD (DWORD) - 32 Bits (2 words high/low, or 4 bytes) -> 31......0
HEX/DECIMAL:
------------
HEX is what we call Base16...
Base16..What is it?
Well, HEX uses 16 numbers from 0-15 (starting with 0, not 1):
 0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F   <- Hex
 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |
 0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15   <- Decimal (regular numbers)
Max hex numbers you can get in: 8 bit is 0-FF, 16 bit is 0-FFFF, where in 32 bit
it's 0-FFFFFFFF
[Converting Systems]:
Hex->Dec:
Suppose you have 1B as a hex number and you want to know its decimal form.
We do this (do you remember from math class a thing called: Power?)
Well, a power is 2^3 = 8 (2*2*2)..Got it? :-)
Well, it works the same here...we raise the base to the power of the digit's position..
I.E:
We have 1B, let's break it:
(Hex is base 16!)   / 1 => 16*1 = 16 \
                   +                  = 27 Decimal
                    \ B => 11*1 = 11 /
Let's make another example with 4 letters, we have hm...4B2Eh (h = Hex)
Let's break it:
Position 3   4 =>  4*4096 = 16384
Position 2   B => 11*256  =  2816
Position 1   2 =>  2*16   =    32
Position 0   E => 14*1    =    14
                            -----
                      Sum = 19246 Decimal
Remember: you power 16^position (position 0 always gives 1, not 0, since 16^0 = 1)
I.E: (from the above example: 16^position 3 = 16*16*16 = 4096)
Dec->Hex:
Well, this is somehow harder, 'cuz it involves remainders.
I will show an example, but it's hard to do 'cuz sometimes you need to round
numbers :-/
Suppose we have 212 decimal; to make it hex, we don't multiply, but we divide by 16:
212/16 = 13  Remainder  4 --------+
 13/16 = 0.8 Remainder 13 -----+  |
0.8/16 = 0   Remainder  0 --+  |  |
                            0  D  4 Hex = 212 Decimal
Well, it seems quite easy, but in fact I have rounded numbers; long decimals are
even much harder.
Another Example? ...OK :-)
Let's take 5421 decimal (regular number).
5421/16 = 338 Remainder 13 -----------+
 338/16 =  24 Remainder  2 --------+  |
  24/16 =   1 Remainder  5 -----+  |  |
   1/16 =   0 Remainder  1 --+  |  |  |
                             1  5  2  D Hex = 5421 Decimal
Don't forget to use Windows' Calculator in Scientific Mode.
All understood now :-) ?...
You now know some converting...Continue for ASM registers.
REGISTERS:
----------
Registers are the most commonly used "VARIABLES" by the CPU.
You can access them at any time, as they are there to serve you.
There are 8 different REGISTERS:
16-bit Registers: AX, BX, CX, DX, SI, DI, BP, SP (DOS)
========================================================================
32-bit Registers: EAX, EBX, ECX, EDX, ESI, EDI, EBP, ESP (WINDOWS, E = EXTENDED)
Each register is used for a specific task or multiple tasks:
E/AX = ACCUMULATOR (calculations..etc)
E/BX = THE REMAINDER REGISTER (i.e: 2/16 = 0.13..13 should be passed, else I am wrong :-) )
E/CX = THE COUNTER REGISTER (useful for loops, i.e.: loop 13 times)
Other registers are dealing with memory (offsets/segments..read a book :) )
Every register is divided into a low/high part:
        AX
       /  \
     AH    AL
(AH = high part / AL = low part)
If AX = 00001234
       /  \
    AH=12  AL=34
Same goes for: CX, DX, BX
*Remember, registers hold HEX values NOT decimal
*1234h = 4660 Decimal
*h = hex
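The two conversion walkthroughs above and the AH/AL split are easy to get wrong by hand, so here is an added example (my own code, not part of the original tutorial) that performs them step by step without int(x, 16) or hex(), on the same numbers the text uses; the function names are my own.

```python
"""Hex <-> decimal the way the section above does it, plus the AH/AL
split of a 16-bit register, written so each manual step is visible."""

HEX_DIGITS = "0123456789ABCDEF"


def hex_to_dec(text):
    """Sum digit * 16^position, position 0 being the rightmost digit."""
    text = text.upper().rstrip("H")          # accept the 4B2Eh notation
    total = 0
    for position, digit in enumerate(reversed(text)):
        if digit not in HEX_DIGITS:
            raise ValueError(f"not a hex digit: {digit!r}")
        total += HEX_DIGITS.index(digit) * 16 ** position
    return total


def dec_to_hex(value):
    """Divide by 16 repeatedly; the remainders read backwards are the hex digits."""
    if value < 0:
        raise ValueError("only non-negative values are handled here")
    if value == 0:
        return "0"
    digits = []
    while value:
        value, remainder = divmod(value, 16)   # integer quotient, no rounding
        digits.append(HEX_DIGITS[remainder])
    return "".join(reversed(digits))


def dec_to_hex_steps(value):
    """The same long division as (quotient, remainder) rows, matching the
    '212/16 = 13 Remainder 4' layout in the text."""
    steps = []
    while value:
        value, remainder = divmod(value, 16)
        steps.append((value, remainder))
    return steps


def split_ax(ax):
    """Return (AH, AL) for a 16-bit register value, e.g. 1234h -> (12h, 34h)."""
    if not 0 <= ax <= 0xFFFF:
        raise ValueError("AX is a 16-bit register")
    return ax >> 8, ax & 0xFF


if __name__ == "__main__":
    print("1B    ->", hex_to_dec("1B"))      # 27
    print("4B2Eh ->", hex_to_dec("4B2Eh"))   # 19246
    print("212   ->", dec_to_hex(212))       # D4
    print("5421  ->", dec_to_hex(5421))      # 152D
    for q, r in dec_to_hex_steps(212):
        print(f"   quotient {q:3d} remainder {r:2d} ({HEX_DIGITS[r]})")
    ah, al = split_ax(0x1234)
    print(f"AX=1234h -> AH={ah:02X} AL={al:02X}, 1234h = {hex_to_dec('1234')} decimal")
```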
JUMPS:
------
We all know what a jump is, no? :-)
The same thing happens in ASM.
JMP = JUMP (always jump..no condition)
JNE = JUMP IF NOT EQUAL (also called Jump Not Zero)
JE  = JUMP IF EQUAL (also called Jump Zero)
JA  = JUMP IF ABOVE
JAE = JUMP IF ABOVE OR EQUAL
JB  = JUMP IF BELOW
JBE = JUMP IF BELOW OR EQUAL
JC  = JUMP IF CARRY (not commonly used by crackers..used on ror/rol/shl/shr instructions)
JG  = JUMP IF GREATER
JGE = JUMP IF GREATER OR EQUAL
JL  = JUMP IF LOWER
JLE = JUMP IF LOWER OR EQUAL
JNA = JUMP IF NOT ABOVE
JNB = JUMP IF NOT BELOW
And so on; the above ASM instructions are commonly used by crackers to reverse the source.
Example:
MOV EAX,00000008
CMP EAX,EDX
JNE <address>
If the EAX register = the EDX register (value) then we won't jump, else we will.
MOV
---
We can suspect what it does, no?
Well, it moves a value, memory location..etc to a register.
Example:
MOV EAX,00000032 (then EAX = 00000032 <= hex format, 32h = 50 dec)
CMP
---
Well, we can guess again what it does :)
CMP = COMPARE
CMP can compare between registers/memory
Example:
CMP EAX,EDX
*Very important for crackers, as they can check their serial being compared :-) (later on that)
*Unfortunately I can't delve into ASM any more, si
Of course I can't explain it all :-), so get a book; you will find ASM fascinating,
very hard to use, but some day you will be happy you know ASM.
*Read/learn the ASM instructions from the book, or get opcodes.hlp and read from there.
*O
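CMP only sets flags, and each jump above reads a different subset of them, which is why JA and JG can disagree on the same bits. This added example (my own code, not from the original tutorial) models CMP on 32-bit operands and evaluates every jump in the list, including the MOV/CMP/JNE sequence shown above; the JUMP_CONDITIONS table and function names are my own.

```python
"""Flag-level model of CMP and the conditional jumps listed above.

CMP a,b computes a - b (result discarded) and sets:
  ZF  result is zero (operands equal)
  CF  unsigned borrow (a < b as unsigned)
  SF  sign bit of the 32-bit result
  OF  signed overflow
JA/JB/JAE/JBE read CF and ZF (unsigned compare); JG/JL/JGE/JLE read
SF, OF and ZF (signed compare).
"""

MASK32 = 0xFFFFFFFF


def to_signed32(x):
    """Interpret a 32-bit pattern as a two's-complement value."""
    x &= MASK32
    return x - (1 << 32) if x & 0x80000000 else x


def cmp_flags(a, b):
    """Return the flags that CMP a,b leaves behind (32-bit operands)."""
    a &= MASK32
    b &= MASK32
    result = (a - b) & MASK32
    sa, sb, sr = to_signed32(a), to_signed32(b), to_signed32(result)
    return {
        "ZF": result == 0,
        "CF": a < b,                          # borrow out of bit 31
        "SF": bool(result & 0x80000000),
        # overflow: operands had different signs and the result's sign
        # differs from the minuend's sign
        "OF": (sa < 0) != (sb < 0) and (sr < 0) != (sa < 0),
    }


# Condition each jump tests, expressed in terms of the flags.
JUMP_CONDITIONS = {
    "JMP": lambda f: True,
    "JE":  lambda f: f["ZF"],
    "JZ":  lambda f: f["ZF"],
    "JNE": lambda f: not f["ZF"],
    "JNZ": lambda f: not f["ZF"],
    "JA":  lambda f: not f["CF"] and not f["ZF"],
    "JAE": lambda f: not f["CF"],
    "JNB": lambda f: not f["CF"],
    "JB":  lambda f: f["CF"],
    "JC":  lambda f: f["CF"],
    "JBE": lambda f: f["CF"] or f["ZF"],
    "JNA": lambda f: f["CF"] or f["ZF"],
    "JG":  lambda f: not f["ZF"] and f["SF"] == f["OF"],
    "JGE": lambda f: f["SF"] == f["OF"],
    "JL":  lambda f: f["SF"] != f["OF"],
    "JLE": lambda f: f["ZF"] or f["SF"] != f["OF"],
}


def jump_taken(mnemonic, a, b):
    """Would `CMP a,b` followed by `mnemonic` take the jump?"""
    return bool(JUMP_CONDITIONS[mnemonic.upper()](cmp_flags(a, b)))


if __name__ == "__main__":
    # The tutorial's sequence: MOV EAX,8 / CMP EAX,EDX / JNE <address>
    for edx in (8, 9):
        print(f"EAX=8 EDX={edx}: JNE taken -> {jump_taken('JNE', 8, edx)}")
    # Same bits, different meaning: unsigned 4294967295 vs 1, signed -1 vs 1
    a, b = 0xFFFFFFFF, 1
    print("JA taken:", jump_taken("JA", a, b))   # True  (unsigned above)
    print("JG taken:", jump_taken("JG", a, b))   # False (signed -1 < 1)
```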
==============
| II. TOOLS |
==============
Tools are the second essential part of cracking.
Without them, you will have to face a huge amount of code "barehanded".
Needless to say that you'll be lost without them :-)
Here are the most used tools by crackers (basic/advanced):
1. Brain - You won't get far without one ;-) (100% WorkTime)
2. Debugger - The only way you can trace/break a fu
   I will suggest using SoftIce as your only weapon for debugging.
   NuMega's "SoftIce" is a very powerful kernel debugger.
   SoftIce works in the background and can detect everything that happens on
   your computer (if you break on it), what we call a system debugger.
   There is a version for NT/2000/XP; recommended is Win98.
   If you can get DriverStudio then it's welcomed the most :-).
   95% of the time you will use the debugger; get it from the net:
   www.playtools.cjb.net or try (www.protools.cjb.net).
   Other debuggers: OllyDbg / debug.com / w32dasm (debug option) / TRW2000
3. Disassembler - You will use a disassembler for the visual code.
   If you don't know what a disassembler actually does: it loads the application,
   reads the hex values (opcodes), and outputs the assembly code.
   I will suggest you to get: Win32dasm (www.protools.cjb.net) / IDA
   IDA is a first class disassembler, very recommended. [DOS interface].
   Very handy piece of work, can output strings, jumps, calls, imports.
   Other disassemblers: debug.com (in Windows) / Hiew (Hacker's View)..etc
4. HexEditor - The only way we can modify an EXE is via a HexEditor.
   A HexEditor lets you modify opcodes (some ASM as well).
   We use the HexEditor to find/change code that we as crackers know will make
   us happy :-)
   HexEditors: WinHex (handy) / Hacker's View ...etc (I use those 2 only, no need for more)
   Get your copy at the net, or try www.protools.cjb.net
5. Registry / File Monitors - Those apps will help you find any DLL, reg..etc used
   by the apps you crack, and where they hide their registry information
   (useful if you want to unregister).
   Some apps read the serial/name from hidden registry info, so I recommend using those:
   FileMon / RegMon (www.protools.cjb.net)
6. IceDUMP (Advanced) - It has really cool features SoftIce doesn't have.
   Also IceDUMP is an ANTI-ANTI SoftICE tool, meaning if an app has a protection
   "if SoftICE is active then the app won't work", IceDUMP hides SoftICE so no
   app can detect it :-)
   Useful eh? Also it can serve us as a print screen tool and save code to a TXT.
   Get it from (www.protools.cjb.net)
7. PE-Editors (Advanced) - Modify the sections, directory, delete, add, view and
   etc...Very useful when you unpack packed applications.
   For PE knowledge (www.win32asm.cjb.net)
   Recommended PE editors: ProcDump / PeEditor (www.protools.cjb.net)
8. Resource Editors (Optional) - Resource editors load the desired app and if
   the resource is read, you can delete, change, rename stuff in the windows,
   messages and etc...
   (Useful if you want to kill a nag screen)
   Useful resource editors: Borland Resource Workshop 4.5 / Resource Hacker
   Get them at: (www.protools.cjb.net) / (Playtools.cjb.net)
9. Assembly Compilers (For Coders) - Compilers for ASM are: MASM / TASM
   MacroASM is most useful and easy to use, but if you already code in TASM,
   then get it ;-)
   You can dl your copy of MASM at:
   For TASM try: http://egoiste.da.ru/ or www.win32asm.cjb.net
10. Programming Languages (For Coders) - Recommended programming languages are:
   C / Pascal / ASM
   Crackers do not tend to code in Visual Basic as it is heavy, unoptimized,
   slow, uses DLLs and is not portable without them.
   Bottom line, don't use Visual Basic for cracking!
   About Delphi, I don't know, I don't code in it so I can't say.
   Get compilers at the net: borland.com / google.com
11. File Analyzers - The file analyzer will help you to know the whole
   information about your EXE, such as which packer it was packed with, size,
   PE information, and many more.
   I recommend: "FileInfo" (www.protools.cjb.net)
   Others: GetType, and more.
All tools above are your weapon against sharewares ;-)
Every tool plays a different role in your cracking stage; the more you use them
and get to know them, the better you will crack.
Always remember, no matter how much time a simple crack can take, you will do it
in the end, so don't get softy if you can't :-) ,
Many hard apps have been reversed, so if those crackers can do it, you can do it too.
Brain is the only tool you really need to work on :-)
==================
| III. Cracking |
==================
Finally, we are at the learning & practicing stage.
From now on, take your time, don't rush; cracks won't run away, the net is full
of junk you can practice on.
+----------------------+
+****BASIC CRACKING****+
+----------------------+
[Welcome To the Camp]
---------------------
Welcome to Cracking Camp my fella wannabe cracker; for the next days you and
others will learn to use your first weapon, think like crackers, learn the art
of Zen, use weak points, learn API attacks...and finally train in the field.
This camp is very huge; a lot of people are learning and training in this camp
from all over the world.
Don't expect people to help you, because they won't; they don't have time to
help newbies in the camp, so at least try to be friendly to them if you want to
get some help :-)
In our big camp you can find the Library, a huge amount of text stored in the
camp, which will be accessible for you in due time.
After Basic Training you can enter the Library and keep learning from the old
masters who passed this camp and left knowledge for free.
[Day One]
Heads up all newbies.
I want quiet and concentration.
Today we are gonna learn about our first weapon, how to use it and set it up.
Our weapon is called: SoftICE v4.x, made by NuMega.
I want you all to memorize it and think it's your only friend in this camp.
Always to be by your side, as it will be your best friend while cracking.
SoftICE...SoftICE...can someone tell me what it does?? For what purpose??...
I guess not. Well my fella students, SoftICE is a system DEBUGGER.
You can use it to examine code, locate bugs, and we can also exploit it for our
own good.
Everyone, I hope you got SoftICE on your computer, as we told your parents to buy
it before they sent your lazy asses here :-)
Ok...You got it. Let us install it, enter the right serial..Next...MODIFY AUTOEXEC.BAT...
Do you know why we need to modify the autoexec.bat, students??
'Cuz if we won't, SoftICE will not load during boot, and therefore won't be active.
So MODIFY, else you will have to do 50 pushups :-)
Reboot your computers and let Windows load...
All remember we use Win98 here; the camp won't allow using Win2000/XP until
otherwise said. :-)
Windows loaded...all worked fine, great.
Listen up, I won't repeat myself now:
SoftICE runs in the background (invisible).
We can make SoftICE visible by pressing CTRL+D on the keyboard, and exit the same way.
Did you see the black window with ASM code? (You did learn ASM code, the one we
recommended to you before you came to this camp.)
All students load up SoftICE and look at it; it contains all registers, a data
window, an input window and so on.
Let me draw you a rough sketch of SoftICE on the blackboard so we can examine it:
...............................................................................
EAX=00000001 EBX=00000190 ECX=00000000 EDX=00000000 ESI=00000001             . Registers
EDI=00020080 EBP=007E8C56 ESP=00008C3E EIP=00001149 o d I s z a p c          . & Memory
CS=170F DS=4127 SS=0EE7 ES=4127 FS=0000 GS=016F                              .
.......................................................................PROT16..
170F:1146  CALL    0DD0                                                      .
170F:1149  OR      AX,AX                                                     .
170F:114B  JZ      11DD                                                      .
170F:114F  PUSH    WORD PTR [DI]                                             .
170F:1151  CALL    KERNEL!LOCALLOCK                                          .
170F:1156  MOV     [BP-08],AX                                                .
170F:1159  MOV     [BP-0A],SI                                                . ASM Code
170F:115C  MOV     [BP-0C],SI                                                .
170F:115F  JMP     0F0D                                                      .
170F:1162  MOV     SI,[DI+3A]                                                .
...................................USER(18)....................................
WINICE: Load32 Obj=0005 Add=017F:BFE95000 Len=00001000 Mod=VERSION           .
WINICE: Load32 Obj=0001 Add=0177:7D651000 Len=00001000 Mod=INDICDLL          . Data &
WINICE: Load32 Obj=0002 Add=017F:7D652000 Len=00001000 Mod=INDICDLL          . Text
...............................................................................
:..............................................................................  Input Data
Remember we can exit SoftICE in several ways: CTRL+D / X / F5
Not so hard, right?
But remember you load SoftICE only by CTRL+D.
Now that you know how SoftICE looks/works, we need to modify it...
Of course you can't use the weapon before you set it up, can you?
Ok, because we are using WIN98, SoftICE is installed here:
C:\Program Files\NuMega\SoftIce95
Now students, we need to modify it and, as I said, exploit it for our own good.
We can modify SoftICE fu
There you will see on your computer that it has a lot of fu
Let us now set it up a little bit; all follow me students, do not try to mess
with the data file as it won't help us and will damage SoftICE.
I will now write on the blackboard the essential parts we will change; you will
see it on your computer screen, try to follow me and write in your notebook the
stuff needed.
 ____________________________________
/                                    \
/--------------------------------------\
|                                      |
| PHYSMB=32                            |
| ;EXP=c:\windows\system\kernel32.dll  |
| ;EXP=c:\windows\system\user32.dll    |
| ;EXP=c:\windows\system\gdi32.dll     |
| ;EXP=c:\windows\system\comdlg32.dll  |
| ;EXP=c:\windows\system\shell32.dll   |
| ;EXP=c:\windows\system\advapi32.dll  |
| ;EXP=c:\windows\system\shell232.dll  |
| ;EXP=c:\windows\system\comctl32.dll  |
| ;EXP=c:\windows\system\crtdll.dll    |
|                                      |
|--------------------------------------|
\--------------------------------------/
Students, do you see these lines in the Winice.dat?
Those are the main things we will change.
PHYSMB=32 <=== Of course we don't all use 32MB of RAM, do we? :-)
Change it to whatever amount of RAM your computer uses.
Now students look at the computer, do you see all those paths which point to DLLs?
Those are the bullets for our weapon :-)
Remove the ';' from all the lines, i.e.:
EXP=c:\windows\system\kernel32.dll
Now we can save the Winice.dat.
Now SoftICE still doesn't know how to use the bullets, 'cuz we didn't tell SIce
yet to load the bullets, so reboot your Win98 again,
and there you go, we have the bullets ready to use.
Now we will make a test shot, to see if SoftICE did load the DLLs.
Load SoftICE, write: BPX MessageBoxA <enter>
If you don't get a message then SoftICE is ready to use.
All ok students, let's summarize what we did today: we have set up SoftICE so it
will load the Windows DLLs, and therefore we can use it to trace/break for later use.
Class, we will continue tomorrow with the second class; be ready to be here on
time, and don't forget what you have learned today.
[Day 2]
Good day class, today we are going to learn about SoftICE's breakpoint functions.
Yesterday we learned how to load SoftICE; do it now.
O
You can also learn the fu
You will get a list of fu
Breakpoints:
------------
Let me teach you the most used fu
BPX / BPM / BPR
BPX - breakpoint on execute
      We use this option to break instantly on any API or system fu
      choose to.
      Usage: BPX <API/fu
BPM - breakpoint on memory
      We use this option to break on memory read/write
      Usage: BPM <address>
      Additional options: R/W/RW/X
BPR - breakpoint on memory range
      We use this option to break on a memory range.
      Usage: BPR <address> <address>
      Additional options: R/W/RW/T/TW
Crackers use breakpoints 95% of the time, as without them you could never break
into the program's code and trace, and find, and crack...etc ;=)
APIs
----
Now we will learn the APIs that we will use to break on the application we wish
to crack.
*Most applications nowadays use the 32-bit APIs, so it gives us some sort of a
shortcut to break on the program's original code instead of searching through
the HWND list.
API list for basic cracking:
MessageBox      - 16-bit (Win3.1)
MessageBoxA     - 32-bit (Win9x)
GetDlgItemText  - 16-bit (Win3.1)
GetDlgItemTextA - 32-bit (Win9x)
GetWindowText   - 16-bit (Win3.1)
GetWindowTextA  - 32-bit (Win9x)
Hmemcpy         - Memory Copy Function
Those are the basic APIs you shall memorize from now on.
You will use those to breakpoint at any application we will attack.
More new APIs will be given to you when you are practicing, or reading students'
essays.
MessageBox/A - Usage: Breaking on any Windows MessageBox sent by the application.
      Typing: BPX MessageBoxA <enter> in SoftICE will set the trap.
      If any MessageBox is sent by Windows, SoftICE will break on it and will
      show us the code sent by the application.
GetDlgItemText/A - Usage: Breaking on text sent to the application, and read by it.
      Typing: BPX GetDlgItemTextA <enter> in SoftICE will set the trap; if you
      enter text in the dialog text box of the application, SoftICE will break
      and show the code used by the application.
GetWindowText/A - Usage: Breaking on text sent to the application, and read by it.
      Typing: BPX GetWindowTextA <enter> in SoftICE will set the trap; if you
      enter text in the application, SoftICE will break and show the code used
      by the application.
Hmemcpy - Usage: Breaking on any memory copied by Windows and by any function.
      Typing: BPX Hmemcpy <enter> in SoftICE will set the trap, o
      copied memory by any Windows application/function.
Shortcut Keys (SoftICE)
-----------------------
SoftICE can use shortcut keys like: F8 / F5 / F12 / F11 / F10
We will use those shortcut keys instead of typing 't' or alike every time.
F8  - Usage: The F8 key usually traces into a CALL.
      While we debug, we will trace into a call so we can inspect/analyze the
      code in it.
F5  - Usage: The F5 key exits SoftICE, simple eh? :-)
F12 - Usage: F12 steps out of a DLL/function.
F11 - Usage: F11 returns to the caller.
F10 - Usage: F10 is trace code, single step; it traces one instruction at a time.
Dump / Data Viewing
-------------------
When we use SoftICE, we must know & understand what we see..
SoftICE is using HEX, therefore it would take a lot of time for us to convert
hex->Dec/ASCII,
but NuMega has added to SoftICE a fu
Hex -> Dec -> ASCII automatically.
When using SoftICE we have 2 ways to see data that is being stored by the registers.
As we know, registers are the CPU's variables; everything is passed / calculated..etc
by them.
To view the data stored in the registers, SoftICE has 2 fu
'D' / '?' ('' <= don't include the quotes)
D - Usage: D stands for Dump; we use the D command to view the register data
    which holds ASCII in the data.
    Typing: D <register> <enter> (D EAX)
? - Usage: ? stands for viewing the hex data stored in the registers.
    The ? command will show us: Hex-Decimal-ASCII (xxxxxxxx-xxxxxxx-xxxxxxx)
    Typing: ? <Register> <enter> (i.e. ? EAX)
To practice the above ?/D, open up SoftICE and try the commands; you will
shortly understand what each command does.
[Day 3]
Today we will learn about different kinds of protections.
Protections:
------------
Registration Key - This protection is based on 1 single serial key that is
      hidden in the program's code.
      Our entered serial will eventually be compared with the real serial hidden
      inside the program itself; we can call it "hardcoded" ;-)
Serial/Name - This protection is the most used, as it requires the actual serial
      number for the name you are entering.
      In most cases there will be a compare routine as well; if not, the real
      serial will be hidden in the registers.
      This could be any shape/form the coder chooses.
KeyFile - Used as well; this protection requires you to have the correct KeyFile
      in the same directory as your application.
      Most KeyFiles use a Name/Serial check inside of the file as well.
      *Some could use encryption.
Multiple Serials - You can recognize this while installing Windows, or
      Photoshop..etc.
      They use 4-5 text inputs; every text box needs to have the right ASCII
      combination.
      I.e.: [xx]-[xxxx]-[xx]-[xxxx]
Crypto Serials - Very hard. Crypto serial/name: the serial is produced using a
      xxx-bit encryption.
Nag Screens - Nag screens are the annoying messages that appear when the
      application is started, or closed, or even in the middle.
      Those nag screens inform you that you need to register your copy...
      Very easy to remove.
Time Limit - Very commonly used in sharewares.
      This time limit forces the application to stop working, disables, or
      closes the shareware you are using after xx amount of time.
      Default time is 30 days.
      Easy/hard to remove, depends on the coder.
Use Limit - Common as well; this protection will stop the shareware from working
      after xx times you have used the shareware.
      After it, the program will give a nag screen or shall stop working and
      will be disabled.
Dongle Protection - Spread in big protected sharewares.
      This protection uses an I/O LPT port (hardware); you will need the
      registration card attached to your PC's parallel port or other in order
      to make the program fully work, otherwise it will expire after xx days /
      xx uses / be crippled, or won't work at all.
      Hard to crack, depends on the dongle protection company.
      Dongles such as HASP / Sentinel are most commonly used.
      Dongles use DLLs/VxDs to check the "is registered", using the dongle API
      as well for some checks.
CrippleWare - Some will meet such protection.
      Cripple = disabled functions.
      You will notice some apps have disabled buttons [Save, Save As..] that
      will be enabled once you register your copy of the shareware.
VisualBasic - A lot of apps nowadays are coded in the Visual Basic programming
      language; this is what makes cracking a little harder, as Visual Basic
      does not save all the information in the EXE file; instead it uses DLLs
      to call the functions.
      Even Serial/name could be hard [depends] in programs which have been
      coded in VBasic.
DLLs - Some apps will use DLLs as a protection scheme.
      Time-Lock is one of them, and is used to disable the program after xx time.
Misc. Protections - Matrix protections [not related to this tutorial]
      Packing [Advanced]
      CD games protection [not related to this tutorial]
      Zip password protection [not related to this tutorial]
CD-Protections - The most commonly used nowadays.
      Almost any new game is PACKED and protected by EXE packing programs,
      since game companies believe that the only way to protect the game is to
      use anti-piracy packers such as: SecuROM / SafeDisc
* Also be aware that some of the protections above (except for Dongle) can
* be used in other files than the original EXE, meaning that some Serial/name
* protection can be hidden in a DLL that is invisible in the dir.
* Cracking the DLL will be the regular way :-)
[Day 4]
Yesterday we have been talking about variants of protections, and what each of
them is capable of doing.
Today we will analyze each protection [hopefully] and assume its weak points,
and ways to attack such protection.
Anti Protections:
-----------------
Registration Key - You already know what it is doing and how it works. Now, if
      you downloaded a shareware that needs only 1 reg number to make the
      program registered, we can assume 2 things:
      1. Real serial is hidden/unhidden
      2. Eventually it will be compared with the fake serial.
      How to find the serial:
      Method 1:
      ---------
      1. Disassemble the shareware
      2. Click the Strn-Ref button
      3. Just search for an unusual alphabetic number
      4. Copy it and try filling it in the registration text box
      *This method works on apps whose coder was too lazy to hide his serial,
       and missed his money :-)
      Method 2:
      ---------
      1. Run the shareware, enter a fake serial
      2. Press the OK/check button...you will get a bad message
      3. Write down the bad serial message, and disassemble the file
      4. Click the "Strn-Ref" button; we will get a lot of text
      5. Search for the bad message string.
      6. Double click on the found text in Strn-Ref
      7. We will be taken to the ASM code where the string appears
      8. Look for an un/conditional jump..there is..follow it
      9. We should be at a jump (JE/JNE); from here we have 2 options:
         A: Reverse the jump (JNE->JE / JE->JNE)
         B: Search for a CMP instruction, break with SoftICE and trace until
            we are at that address, and do: D <register> or ? <Register>
            It should show us the good/bad serials :-)
      *If you reverse the jump, then no matter what serial you are giving,
      *it will always be acceptable,
      *as long as you don't enter the right serial...:-)
Serial/Name - This is a little complicated, but still you know the idea behind it.
      For every name there should be a specific serial number; this happens
      through an algorithm inside the program code.
      For every name passed, the algo does the math calculations and produces
      a working serial, and finally at the end it should compare it with your
      fake serial.
      The algorithm can be hard, long, easy, annoying..etc :-)
      From this we can assume 2 things:
      1. Real serial is produced by an algorithm
      2. Fake serial at 70%+ will be compared someway or another to the real
         produced serial.
      How to find the serial, primary attacks:
      Method 1:
      ---------
      1. Enter a fake serial/name
      2. Write down the bad message you get from the program
      3. Disassemble the shareware and do a search for the string
      4. Locate where the string is called from, and trace
      5. We should be at a jump (JE/JNE); from here we have 2 options:
         A: Reverse the jump (JNE->JE / JE->JNE)
         B: Search for a CMP instruction, break with SoftICE and trace until
            we are at that address, and do: D <register> or ? <Register>
            It should show us the good/bad serials; we call it "Serial Fishing".
      *If you reverse the jump, then no matter what serial you are giving for
      *any name, it will always be acceptable,
      *as long as you don't enter the right serial/name...:-)
      Method 2:
      ---------
      Here we do the same thing as above, but we won't reverse a jump; instead
      we look for a flag.
      * A flag can actually be 1 or 0
      * Meaning: registered / unregistered
      * The flag can be set by many ways (i.e: xor eax,eax ) (dec eax / inc eax)
      * And so on.
      * Locating the flag sometimes can make us a cleaner crack, better than
      * reversing a jump; while fooling the flag and changing its content,
      * the shareware/program actually believes it is registered.
      * This is a good way and faster to crack (depends)
      Method 3:
      ---------
      This method is a bit advanced; it requires a good brain :-) and time.
      This method is called "KEYGENING".
      The idea is that the cracker will trace and find the produced serial first.
      Then he will find the CALL that leads to the algo which produces the key
      from the name, learn and analyze the specific algo, and then switch to
      SoftICE to see how the algo behaves on the name (mathematical notation)
      and how the registers are being used, and finally imitate, rip, and code
      a new program which creates the serial for any name entered.
      This is called a "KEYGEN".
KeyFile - The KeyFile attack is somehow easy to recover. Shareware that uses a key (small xx k file)
          with information inside of it (E
          tends to search for the KeyFile while the program is loaded; if no KeyFile is found,
          or the KeyFile information is invalid, the program is Unregistered.
          We can assume 2 things:
          1. The KeyFile must have a serial/name
          2. The KeyFile can be Encrypted
Method 1:
---------
Using SoftICE to recover the KeyFile name is 1 way we can try.
The "CreateFileA" API is used for that and will work in 80% of the given apps.
For a big hint, dumping the EDI register after almost 4-5 traces of code will recover
the KeyFile name (not its content).
Method 2:
---------
The second way to recover the KeyFile is by using a file/reg monitor.
This way of recovering is almost 100% successful, since every file that is
called/read/written by the given program we attack will be shown.
* The problem in recovering a KeyFile is not that it is hard; it just takes a few minutes to locate it.
* What does make the trouble is recovering the good serial/name inside the KeyFile.
* For that, brain/SoftICE is used.
Multiple Serial - 1 way to attack this kind of protection is, logically,
                  to break on each text input box and trace the code, o
                  continue to break on the other text box left O
                  * Those kinds of serial have a lot of different serials
                  * that can be used in the same app, He
Crypto Serials - One of the hardest to attack.
                 Same tracing system as the regular serial/name procedure I have been talking about,
                 but this time with an additional 100% protection which can drive you crazy :-)
                 When I say Crypto, I mean a Crypto Algorithm is being used to create the serial.
                 Possible attacks:
                 1. Understanding the Crypto Algo
                 2. Using factor-number Keygens
                 3. Tracing through SoftICE & analyzing.
Nag Screens - We already know what it is, and what it does for its purpose.
              Possible attacks:
              1. NOPing the caller (No Operation Code)
              2. Deleting the Nag resource
              3. Jumping over it (Code Redirection)
              4. Reversing the jump which causes the Nag to appear.
Time Limit - Well, time limits have some advantages and disadvantages.
             We already know the advantages; let's see the disadvantages.
             Possible Attacks:
             1. Setting the timer forward to make the shareware expire, so that we will get the nag screen.
                Here the disadvantage is the nag screen: searching for the string of the nag in the disassembler
                will finally take us to the caller, and here you kill the jump.
             2. If the application uses a xx amount of time (i.e: 30 days) we can use it for our own good.
                30 in Hex is 1Eh; this can help us as well: searching for 0000001E in the disassembled code
                will finally take us to the code where it makes the decision whether the program has expired
                or not. Modifying the jump or the code which makes the decision will kill the Time Limit.
             Another way is to i
Use Limit - Use time is actually the same as Time Limit, but the only difference
            is how many times you used the application.
            The same attacks could apply to this protection.
Dongle Protection - Very hard topic; it won't be discussed in this guide, as it requires more skills (or luck).
                    Attacking the Dongle requires its technical information such as services, regcodes, version, etc.
                    Primary Attacks:
                    1. Jump Reversing / Patching / Code Inju
                    2. Reverse engineering the Dongle protection main routine in order to emulate the Dongle
CrippleWare - Known protection, since the crippled (limited) app can be cracked.
              In some cases programmers will not include the crippled code in the app, which makes it
              a little impossible to reverse.
              Primary/Possible attacks:
              1. Using the EnableMenuItem API and enabling the disabled (crippled) button.
                 Setting the flag to 1 does this.
              2. Using hooks to find the handle of the button and using a Spy tool to enable the button.
VisualBasic - This topic will not be touched in the guide, 'cuz I am not a VB cracker and I must say it does
              not interest me, although I do know how to.
              Using a VB disassembler we can attack our Sharewares; the disassembler is called
              "SmartCheck" and it comes from NuMega's software as well.
              Possible Attacks:
              1. Loading the app into SmartCheck and running the app while SC analyzes it.
                 It will produce the list of the functions used by the app; it will also show what
                 the user is doing on the fly, meaning: if you clicked an OK button, SC will produce a "+Klick_1" hierarchy.
                 Expanding it and exploring will be worth the trip.
                 Good against Name/Serial protection.
              *A good read is by the VB cracker: Eternal_Bliss
DLLs - A good way to "confuse" the cracker.
       Not to say it won't work; eventually it will be discovered.
       Optional/Possible Attacks:
       1. Patching the DLL / Reversing code
Misc Protections - Attacks on Misc. Protections are what we call "Self Reading".
                   A good knowledge of Cryptology will make you understand the "PlainText Attack" on
                   the zip password protection, and etc...
                   Good knowledge is never wasted; it is only here to serve us.
------------------------------Page 5------------------------------------------
[Day 5]
First Test Field:
-----------------
Listen up new ones,
Today we are doing a first Cracking test to see what we have learned until today.
TARGET: Bengaly's First CrackMe (http://crackmes.cjb.net)
PROTECTION: Serial/Name
POSSIBLE ATTACKS: Patch/Fishing
Ok students, we have got some good references.
A good Test Field will get you on the right track.
SoftICE / HexEditor / Win32Dasm are set up; we won't need more than those 3 tools.
We will attack the CrackMe (a program intended to teach crackers how to attack the protection)
using the Patching / Fishing attacks.
[Stage 1]-Observation
---------------------
Run the CrackMe, insert a fake name/serial, press the "Check" button and
we will get an error message: "BAhh...Loser Goto: Krobar.cjb.net"
This message is very interesting to us, as it could serve us crackers very well.
All we need to do now is to disassemble the CrackMe using Win32DASM (I told you to get it, didn't I? :-) ).
Ok, finished disassembling the file. Now you can see some buttons that are blue (active); the
button that interests us the most is the "Strn-Ref" button, as it will show us any available strings in the
resources of the EXE.
When we press it, we will get the list of strings, here:
============================================================================+
" CrackMe - 1"                                                              |
"1 or more chars needed"                                                    |
"Bahhh...Loser, goto: Krobar.cjb.net "  <---------|                         |
"Bengaly"                                         |Possible Attacks         |
"Great Job..."  <---------------------------------|                         |
"MainWindow"                                                                |
"This Is My First CrackMe Created "                                         |
"This Is My First CrackMe Created "                                         |
============================================================================+
Now, let's try the Bad Message attack: double click the "Bahhh...Loser, goto: Krobar.cjb.net "
string and we will be taken to where the string is referenced:
=======================================================================================+
* Refere                                                                              |
|:004011DC(C), :00401204(C)          <----Called from                                  |
                                                                                      |
:0040121B 6A00          push 00000000                                                 |
                                                                                      |
* Possible StringData Ref from Data Obj ->" CrackMe - 1"                              |
                                                                                      |
:0040121D 68E3304000    push 004030E3   ;Save the Above String to Stack               |
                                                                                      |
* Possible StringData Ref from Data Obj ->"Bahhh...Loser, goto: Krobar.cjb.net "      |
                                        ->":-)"                                       |
                                                                                      |
:00401222 6812314000    push 00403112   ;Save the Above String To Stack               |
:00401227 6A00          push 00000000                                                 |
* Refere                                                                              |
                                                                                      |
:00401229 E8C2000000    Call 004012F0   ;Call the MessageBox with the Above Strings.  |
=======================================================================================+
Ok, first lesson that you should know: the code above is called a "Dead-Listing",
because we are not dealing with SoftICE, which is Live Cracking; dealing with
code text is Dead Cracking (AKA: Dead-Listing). Good, we cleared that one up.
Another important thing: most StringData Refs are called from somewhere inside
the app, meaning that the "Bahhh...Loser..." string has been called from another instruction
within the app.
Now I ask you, how can we know who called this string?
Win32dasm gives us the solution, here:
* Refere
|:004011DC(C), :00401204(C) <= addresses
  ^^^^^^^^     ^^^^^^^^
  Caller 1     Caller 2
Now we can go to those addresses and analyze the code; if we find what we need,
then we can crack it with the attacks I have pointed out in Day 4.
Let's see what is hidden at addresses 004011DC / 00401204.
Click the "Search" tab in win32dasm's menu bar, and select "Find Next".
Enter the first address 004011DC with direction UP.
*Note: we set it to UP because 70% of the time we are backtracking up, where the code most
likely is.
Ok, we have searched for the address 004011DC and we landed here:
* Refere
|
:004011D4 E847010000    Call 00401320
:004011D9 83F801        cmp eax, 00000001
:004011DC 743D          je 0040121B      <======== This jump calls the string.
:004011DE 50            push eax
:004011DF 6836304000    push 00403036
:004011E4 E862000000    call 0040124B
:004011E9 50            push eax
:004011EA 6876304000    push 00403076
Students, from here we can see that this address has nothing to do with the Serial/Name
procedure. How can we tell?
Well, actually this address gets the length of the string, because we have *KERNEL32.lstrlenA*.
What does a Kernel DLL have to do with our Name/Serial ??...None...
So actually this address is useless, but remember we had another address that the
bad string has been called from?? Yeah, it was 00401204.
Do a search again with direction Down, 'cuz we have passed it :-)
We should see this code:
Address    Opcodes      Disassembly          Remarks
---------  ----------   -------------        -----------
:004011EF  E82C010000   Call 00401320
:004011F4  50           push eax
:004011F5  6876304000   push 00403076
:004011FA  E885000000   call 00401284        ; algo
:004011FF  5B           pop ebx              ; Get info ;-)
:00401200  3BC3         cmp eax, ebx         ; compare good/fake serial
:00401202  3BC3         cmp eax, ebx         ; compare good/fake serial
:00401204  7515         jne 0040121B         ; If not Equal call the Bad Message (Bad_Guy)
:00401206  6A00         push 00000000
There is not much to say; we have here a classical form of comparing / jumping.
Do you remember the attacks I explained in Day 4?
Read them again, and the code from the CrackMe will be self-explanatory.
At address 00401204 we have a "Jump if Not Equal" conditional jump, which means that
if the serial we enter does not match the real one produced from the name, we are
given the bad message "bahh..loser...".
Look at Method 1 attacks A/B; this is what we are going to do here.
Actually they both give the same result, but option B is more likely cleaner.
Option 1 - Patching:
---------------------
As I said, patching is a fast crack that *can* produce the same effect as the serial key.
(Unless the coder has used some techniques to make patches useless; a good example of that is
a program that reads the good serial/name from an INI file. This will make the patch useless unless
you patch the code responsible for opening/reading the INI file :-) )
As for our example, we can see that address 00401204 has a conditional jump (JNE); as I mentioned,
we can patch (reverse) the jump so any fake serial number/name we enter will be acceptable, unless
you have entered the good serial for the name.
We will always use the HexEditor to modify the EXE code.
First thing you have noticed: W32dasm has a scrolling cursor that changes its color on particular
instructions (Yellow / White).
Yellow: means that we are on a Jump/Call instruction and we can enter/follow it.
White: any other instruction.
If you put the cursor on address 00401204 you will see it turn Yellow.
Now we can follow the jump by pressing the Right key or by pressing "Execute Text"
from the menu and selecting "Execute Jump"; this will take us to the bad message
routine we found earlier ("bahh..loser..."). If we want to return from the jump
we simply press CTRL + Left key (or in the menu "Execute Text" -> "Return From Jump").
Those are very basic needs in W32dasm and will serve you a lot during your cracking experience.
Another good thing we need to know is how to find the OFFSET of an address; this is because
HexEditors use offsets and not addresses (again, it depends which).
So in order to know the offset in win32dasm, put the cursor on address 00401204 and
look at the status bar of win32dasm; you will see this:
Line:337 Pg 7 and 8 of 15 Code Data @:00401204 @Offset 00000604h in File: Crackme1.exe
                                              ^^^^^^^^^^^^^^^^
                                              This is the one
So the offset for 00401204 is 604 (memorize it or write it on paper).
Now make a copy of the Crackme.exe and load it in the HexEditor. I highly recommend
Hacker's View (Hiew); it's very powerful and easy to use.
So from now on I will refer to the only HexEditor as Hiew, and will use it only.
So load up the backup exe in Hiew.
Press F4 and choose the DECODE mode (Disassemble).
Now we need to make a search: press F5, enter the offset we got (604) and press <enter>.
Great, we are at the right address :-)
Now, in order to patch it, let's switch to Edit mode: press F3.
Now you can change it to whatever opcode you like, but we need to change it to the
correct opcode: move the cursor to the 75, simply change it to 74 and press <enter>.
Now you have modified the ASM code, and it should look like this:
:00401204 7415 je 0040121B (jump only if we enter the correct serial ;) )
Save the file with F9 and exit with F10.
Crack is done.
Option 2 - Live Fishing:
------------------------
For this
As the first one is not a good example for Live Fishing, the second CrackMe is the same, only with a
different small Algo.
This approach will be your first SoftICE test field, as you will "fish" the serial
from memory and make the program fully registered without modifying the code.
In Day 2 we talked about APIs / Bpx functions and the shortcut keys SoftICE uses.
All together with ASM knowledge, they will be mixed into one big attack ("Serial Fishing").
Start by running the CrackMe and entering a fake Serial/Name.
Now as I told you students, we need to make SoftICE break so we can trace the ASM code;
without breaking we couldn't do a lot.
So run SoftICE now and set breakpoints at:
: BPX GetDlgItemTextA <enter>
: BPX GetWindowTextA <enter>
*I used those 2 APIs because it is better to set multiple
*APIs when attacking, because you never know which APIs the app is importing.
*Note: you can check the Import/Export Functions in win32dasm.
After you set the breakpoints, exit SoftICE with F5 (or etc.) and press the
"Check" button on the CrackMe; SoftICE will break immediately.
Now the first thing to know is that in Serial/Name programs there are most likely
2 edit boxes: 1 for the name, and 1 for the serial.
In order to crack the program live, we shall always break on the second text box,
which is the serial input box, because most likely there is a check of the entered
serial against the real serial generated from the name, so always break on the second!
Ok, we pressed the Check button after setting the SoftICE breakpoints, we immediately
break and SoftICE pops up; we will press F5 to force SoftICE to exit
and automatically read the second input text box (Serial text box).
Then we will land in this first code snippet:
[First Break on the Second Edit Box]
----------------------------------------------------------------------------+
EAX=00000003 EBX=0066FC08 ECX=80007028 EDX=800072B0 ESI=00008C2C            |
EDI=0066FBBC EBP=0066FBB4 ESP=0066FBA0 EIP=BFF51743 o d I s z a P c         |
CS=0177 DS=017F SS=017F ES=017F FS=1387 GS=0000                             |
-----USER32!SetDlgItemTextA+0023-------------------------------------PROT32-|
0177:BFF51740  RET     000C                                                 |
USER32!GetDlgItemTextA                                                      |
0177:BFF51743  MOV     CL,A4                                                |
0177:BFF51745  PUSH    EBP                                                  |
0177:BFF51746  MOV     EBP,ESP                                              |
0177:BFF51748  PUSH    ECX                                                  |
0177:BFF51749  SUB     ESP,3C                                               |
0177:BFF5174C  PUSH    WORD PTR [EBP+08]                                    |
0177:BFF51750  PUSH    DWORD PTR [EBP+0C]                                   |
0177:BFF51753  CALL    KERNEL32!SMapLS_IP_EBP_16                            |
----------------------------------------------------------------------------+
Notice that we have broken on "GetDlgItemTextA".
Now, I must tell you that the first break is useless to use, because first
we are not in our app's code, and secondly we are now in a Kernel DLL's code.
So the code above is kinda useless. Now let's go back to Day 2 and remember
the shortcut keys we have learned:
F8  - Usage: the F8 key usually traces into a CALL/JUMP.
      While we debug, we will trace into a call/jump so we can inspect/analyze the code in it.
F5  - Usage: the F5 key exits SoftICE, simple eh? :-)
F12 - Usage: F12 steps/returns out of a DLL/Function.
F11 - Usage: F11 returns to the caller.
F10 - Usage: F10 traces code, single-stepping one instruction at a time.
It is clear now what to do: F12 will take us out of this call and will
send us back to the caller of GetDlgItemTextA, so press F12 and we will be here
(I will comment the ASM code so it will be better understood):
------------------------------------------------------------------------------+
EAX=00000005 EBX=0066FC08 ECX=80007028 EDX=800072B0 ESI=00008C2C              |
EDI=0066FBBC EBP=0066FBB4 ESP=0066FBB4 EIP=004012D8 o d I S z a P c           |
CS=0177 DS=017F SS=017F ES=017F FS=1387 GS=0000                               |
----------------------------------------------------------------------PROT32--|
0177:004012D3  CALL    USER32!GetDlgItemTextA  ; Read Serial Text Input Box   |
0177:004012D8  CMP     EAX,00                  ; Did we enter any text??      |
0177:004012DB  JZ      004012DF                ; Nope, jump to message say so +
0177:004012DD  JMP     004012F6                ; Else we jump here to code  | |
0177:004012DF  PUSH    00                      ; Jump to here <--------------+ |
0177:004012E1  PUSH    00403462                ; "Please Fill in               |
0177:004012E6  PUSH    00403000                ;  1 more char"                 |
0177:004012EB  PUSH    00                      ;                               |
0177:004012ED  CALL    USER32!MessageBoxA      ; Display the message           |
0177:004012F2  LEAVE                                                           |
------------------------------------------------------------------------------+
Now we are in the
From now on, we need to know 2 things:
1. ASM
2. Using the shortcut keys.
*Note: in X86 memory there is what we call Segment:Offset,
* xxxx:yyyyyyyy is how it looks. Now on many computers the segments may
* be different because of the memory, but the offsets are always the same.
* I.E: 0177:004012F2
*      ^^^^ ^^^^^^^^
*      Segment:Offset
Anyway, let's go on with our practice. At offset 004012F2 we have a jump
that will lead us to the code where the serial will be generated/compared and other
Bu
So in order to jump, we need to trace in SoftICE to that instruction and tra
Now: F10 - Usage: F10 traces code, single-stepping one instruction at a time.
So press F10 until you get to the JMP, and then F8 - Usage: the F8 key usually traces into a CALL/JUMP.
So press F8 and you will be here:
--------------------------------------------------------------------------------------+
EAX=00000005 EBX=0066FC08 ECX=80007028 EDX=800072B0 ESI=00008C2C
EDI=0066FBBC EBP=0066FBB4 ESP=0066FBB4 EIP=004012F6 o d I s z a P c
CS=0177 DS=017F SS=017F ES=017F FS=1387 GS=0000
--------------------------------------------------------------------PROT32------------+
0177:004012F3  RET     0010                    ; Return from a call
0177:004012F6  PUSH    00403038                ; After pressing F8 we will be here
0177:004012FB  CALL    00401430                ; Unimportant
0177:00401300  XOR     ESI,ESI                 ; ESI = 0
0177:00401302  MOV     ECX,EAX                 ; ECX = EAX (length of the name entered)
0177:00401304  MOV     EAX,00000001            ; EAX = 1
0177:00401309  MOV     EDX,[00403038]          ; EDX = address of the name
0177:0040130F  MOV     DL,[EAX+00403037]       ; DL = first char of the name
0177:00401315  AND     EDX,000000FF            ; Clean up EDX (leave only the low byte)
0177:0040131B  MOV     EBX,EDX                 ; EBX = EDX
0177:0040131D  IMUL    EBX,EDX                 ; EBX = EBX * EDX
0177:00401320  ADD     ESI,EBX                 ; ESI = ESI + EBX
0177:00401322  MOV     EBX,EDX                 ; EBX = EDX
0177:00401324  SAR     EBX,1                   ; Shift arithmetic EBX right by 1
0177:00401326  ADD     ESI,EBX                 ; ESI = ESI + EBX
0177:00401328  SUB     ESI,EDX                 ; ESI = ESI - EDX
0177:0040132A  INC     EAX                     ; EAX + 1 (next character of the name)
0177:0040132B  DEC     ECX                     ; ECX = ECX - 1 (counter)
0177:0040132C  JNZ     00401309                ; Jump to 00401309 while ECX != 0
0177:0040132E  PUSH    ESI                     ; Save ESI to stack
0177:0040132F  PUSH    00403138                ; Push to stack
0177:00401334  CALL    00401383                ; Convert ESI to decimal
0177:00401339  POP     ESI                     ; ESI = last stack information pushed
0177:0040133A  CMP     EAX,ESI                 ; Compare entered serial with ESI
0177:0040133C  JNZ     00401353                ; If they are not equal jump to bad message +
0177:0040133E  PUSH    00                      ; Else                                       |
0177:00401340  PUSH    00403462                ; Push caption                               |
0177:00401345  PUSH    004034B8                ; Push good message text                     |
0177:0040134A  PUSH    00                      ; Create                                     |
0177:0040134C  CALL    USER32!MessageBoxA      ; Show MessageBox                            |
0177:00401351  JMP     00401366                ;                                            |
0177:00401353  PUSH    00                      ; Create message <---------------------------+
0177:00401355  PUSH    00403462                ; Push caption
0177:0040135A  PUSH    00403486                ; Push bad message text
0177:0040135F  PUSH    00                      ; Create
0177:00401361  CALL    USER32!MessageBoxA      ; Show MessageBox
0177:0040137A  RET     0010                    ; Exit the call
-------------------------------------------------------------------------------------+
Ok, that's good, everything we need is in front of our eyes. Now,
if you know ASM or at least the basics, there should be no problem for you to understand this.
What this Algo basically does is get the length of the entered name,
put it in ECX as it is the counter register, make a calculation on every
char of the name we entered, and then build up a serial number out of it.
The final serial will be converted to decimal and will be compared with the entered
fake serial at address 0040133A.
What we need to do is trace the Algo with F10 until you reach address 0040133A, and try to get the data EAX / ESI hold.
Now as I said, there are 2 ways to see the data: with the D / ? commands.
But because we know that the serial is in decimal form (converted at address 00401334),
we assume there is no ASCII data, so basically at address 0040133A CMP EAX,ESI
you simply do:
:? EAX
:? ESI
Example:
Let's say I entered this fake information:
Name: Bengaly
Serial: 12121212
I trace the code until the compare address routine, and do:
:? EAX
00B8F47C   0012121212   "¸ô|"   (Our fake serial)
:? ESI
00011BB1   0000072625   "±"     (The real serial)
^^^^^^^^   ^^^^^^^^^^   ^^^
Hex        Decimal      Ascii
Do you see the right serial? :-) Of course you do:
Name: Bengaly
Serial: 72625
Enter the following information in the CrackMe (crackme#2) and you should
be greeted with a good message.
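To check the reading of the listing above without SoftICE, here is an added Python reconstruction of the loop at 00401309-0040132C and the compare at 0040133A. It is not code from the tutorial or from the CrackMe itself; it assumes the name is processed one byte per character (the AND EDX,000000FF keeps only the low byte) and that EAX at the compare holds the entered serial parsed as a decimal integer, which is what the "? EAX" output shows (0012121212 for the fake serial). Running it on "Bengaly" gives 72625, the value fished from ESI. It also shows why this kind of check is weak from the designer's side: the serial is a pure function of the name, computed entirely inside the program, so anyone who can read the loop can recompute it; nothing in the check is secret.

```python
"""Reconstruction of the CrackMe #2 serial check from the SoftICE listing (added example)."""

MASK32 = 0xFFFFFFFF  # ESI is a 32-bit register; keep the running sum in range


def crackme2_serial(name: str) -> int:
    """Replay the loop at 00401309-0040132C on every character of `name`.

    Per character c (DL, masked to the low byte by AND EDX,000000FF):
        ESI += c * c      ; MOV EBX,EDX / IMUL EBX,EDX / ADD ESI,EBX
        ESI += c >> 1     ; MOV EBX,EDX / SAR EBX,1    / ADD ESI,EBX
        ESI -= c          ; SUB ESI,EDX
    ESI starts at 0 (XOR ESI,ESI); ECX holds the name length (the loop counter).
    """
    esi = 0
    for c in name.encode("latin-1"):  # assumption: one byte per character, as the listing reads bytes
        esi = (esi + c * c) & MASK32
        esi = (esi + (c >> 1)) & MASK32  # SAR on a value 0..255 is a plain shift right
        esi = (esi - c) & MASK32
    return esi


def crackme2_check(name: str, entered_serial: str) -> bool:
    """The compare at 0040133A: EAX (entered serial as a decimal integer) vs ESI.

    A serial that is not a plain decimal number can never match. The empty name
    is rejected here because the listing has no guard for ECX == 0 before its
    DEC ECX / JNZ loop, so that case is undefined in the original.
    """
    if not name or not (entered_serial.isascii() and entered_serial.isdigit()):
        return False
    return int(entered_serial) == crackme2_serial(name)


if __name__ == "__main__":
    # Values from the page: Name "Bengaly", fake serial 12121212, real serial 72625
    print(crackme2_serial("Bengaly"))             # 72625
    print(crackme2_check("Bengaly", "12121212"))  # False
    print(crackme2_check("Bengaly", "72625"))     # True
```

The per-character arithmetic is the whole "Algo"; compare it against the register comments in the listing line by line if a value does not match what you fish in SoftICE.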
*Students, this is the end of the test field; I hope you understood today's lesson.
*Tomorrow we will talk about more stuff.
-----------------------------------Page 6---------------------------------------------
[Day 6]
Protections, And more Protections:
----------------------------------
Today we won't talk about Shareware protections, but we will
learn about protections against cracking tools,
and also how to attack and destroy them.
SoftICE Attacks:
----------------
1. Melt-SoftICE:
By saying Melting SoftICE we mean that this is some kind of ANTI-SoftICE trick.
The main idea of Melt-ICE is to detect SoftICE.
I.E. some programs use the MeltICE trick to detect SoftICE,
and if it finds it, it will give us a message saying:
"DEBUGGER IS ACTIVE" and the program won't load.
The Melt-ICE trick uses what we call VxD detection.
The trick is to search for the SoftICE VxD called: \\.\SICE
It could also be for WinNT; then it searches for \\.\NTICE
We can attack this protection by searching for the \\.\SICE string in
a HexEditor and changing it to some other string. No more trouble :-)
Misc. Protections:
------------------
There are a lot of ways other than MeltICE to check if SoftICE is active.
Others can use interrupts such as: INT 68 / INT 03.
Searching for those interrupts in a HexEditor and eliminating them should do the job as well.
Some others can check if a BPX has been entered in SoftICE, detecting it in memory.
Some can check the memory, or more files installed by SoftICE,
checking for "BCHK" (BoundsChecker) with SoftICE, and many many more.
All those kinds of protections can be automatically blocked by IceDUMP;
this is another option IceDUMP offers (Anti-Anti SoftICE).
More protections can be used against disassemblers as well.
For example, protections against "Win32dasm".
Although w32dasm is a good disassembler, it does have its weaknesses,
until the author fixes them of course :-).
Those weaknesses can help protectionists use it for their own good.
Protections:
1. Infinite Jumps (
2. Big resource size <= makes W32dasm stop responding
3. Inline Calls: Call [Call xxx] makes W32dasm lose data
4. Unreachable Jumps.
Those kinds of weaknesses can help programmers against crackers.
I think they are very good protections which are very annoying to crack, at least to me :-).
PACKING:
--------
Another known and very widespread system today is the PACKING system.
The packing system has 3 main options it can perform (if chosen):
1. Size Reducing
2. Encryption
3. Anti Debugging Options.
There are many PE file packers; the most familiar are:
ASPr / ASProtect / tElock / PeTite / PeShrinker / UPX...etc.
Encryption:
-----------
This is almost the most secure way to protect your application,
or actually to protect against crackers. The main idea of Encryption
is to stop an outsider from reading the message, or in the software world,
from cracking it. Software companies use Encryption also for Keyfiles, and many other things.
They embed the serial by using a very hard Algorithm, so that someone without
this knowledge could never find the serial. Examples of programs which use
Encryption: some use RSA xxBit, some use others. A good way to reverse it would be
to learn Cryptology and become a "Cryptanalyst" and use it to reverse the cipher.
*When I talk about Crypto, I mean Crypto in software (serial protections).
------------------------------------Page 7---------------------------------------------
As this is a guide, I cannot delve into more basic cracking and examples.
I think you should have gained a very basic knowledge by now. The very first thing
you should do is to READ a lot; the Library has a lot of information stored and
written by very gifted reversers. This camp gave you the very first glimpse into the world of cracking and what it has
to offer; very hard work and time will finally make you
a fine talented Fravia, and for achieving this goal you shall teach others.
This is what makes us good Fravias: teach & learn and work well for others.
[Day 7]
+-----------------------+
+***ADVANCED CRACKING***+
+-----------------------+
The adva
from a cracker's point of view, but by far the most interesting one.
What sections in cracking are Advanced?
The sections we call advanced,
a brainstorm...those should be the:
Unpacking (Manual):
-------------------
Unpacking is a very hard section in the cracking world;
a lot of reversers have a hard time cracking it, while others succeed.
Packing a file, whose main idea is to reduce the size, to block a cracker
will make the reversing part hard and very time consuming.
In order to crack packed files, the first thing to do is to learn about the
PE structure of a file (EXE); this is by far the most important knowledge.
Then a little ZEN :-) won't harm anyone (+ORC essays).
Let's see what a PACKER does:
(LAYER of packer ( Original Code ) LAYER of packer)
Well, this is the main idea; it may do something else, like Encryption,
API manipulations, anti-debugging tricks, fake calls, and many more.
The only thing we can rely on against a packed file are the tools.
Tools:
Brain by God :-)
Revirgin by +Tsehp
ImportREC by MackT
ProcDump by G-ROM
PE-Editor by Yoda/M.o.D
HexEditor (Any)
SoftICE by NuMega
IceDUMP (TraceX / ScreenDUMP functions)
Those are the only tools that can help you unpack any kind of packer.
Remember, it's only a matter of TIME until you unpack; never say never.
Basic manual unpacking (MUP):
1. Calculating the Raw Offset (from PE editors)
2. Putting CC (INT 3) on the found offset with a HexEditor (for SoftICE)
3. Breaking, and tracing for the Original Entry Point (OEP) with SoftICE.
4. Using an infinite loop in the packer's code (still SoftICE).
5. Dumping the isolated file using IceDUMP / ProcDump
6. Manually (HARD) / Auto: Import Table fixing (using Revirgin / ImportREC)
*Learning how to use Revirgin / ImportREC is a very good idea so you can
use them to FIX the Import Table of the (dumped) file, if damaged.
This is by far the easy part; some PACKERS have really hard options which only
hold skilled crackers for some time, but eventually will be breached.
Another achievement will be to CODE your own unpacker; this is somehow
the best of all in this unpacking world.
----------------------------------------------------------------------------------------
Manually UnPacking of EP_v0.2:
----------------------------------------------------------------------------------------
This is not a very hard packer; it only does small things,
so this tutorial will make everything clear.
--------------------------------------------|
Writer:     Bengaly                         |
Author:     CoDe_InSide                     |
Protection: Encryption                      |
URL:        http://codeindise.cjb.net       |
Tools:      SoftICE v4.00                   |
            Hex-Editor (any)                |
            ProcDump v1.6.2                 |
            ImportREC (MackT.cjb.net)       |
--------------------------------------------|
Let's get started:
------------------
In this example I will use CoDe_InSide's EP_v0.2 (PE) packer/Encryptor.
So I will e
After e
Ok, let's open ProcDump, choose "PE EDITOR" and load calcc.exe.
You will see a window with this information:
Entry Point:   00017000  <= this is the Virtual Offset
Size of Image: 00018000
Image Base:    01000000
Ok, now that we know the virtual offset (00017000), click the "Sections" button.
You will see all section information in a tab.
Always look at the final section (so we will patch the offset in the HexEditor).
Ok, so look under Virtual Offset of the last section; you will see 00017000, but we must
know the Raw Offset, so look under Raw Offset of the section: it is 00017000 too.
Wow, we got lucky, it's the same offset (some may use different offsets) ;D
But here it's the same; now we know the Raw Offset (00017000).
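The virtual-to-raw mapping done here with ProcDump, and earlier in Day 5 with W32Dasm's status bar (address 00401204 shown at file offset 604), comes straight from the PE section table, so it can be checked without a PE editor. Below is an added Python example, not part of the tutorial or of any of the tools it names, that parses the DOS/COFF/optional headers and the section headers of a PE32 file and maps a virtual address to the file offset a hex editor uses. Since it has to run offline, it builds two constructed headers-only images inline: one laid out like the Day 5 CrackMe (image base 00400000, a .text section at RVA 1000 backed by raw data at 400, so 00401204 lands at 604) and one laid out like calcc.exe above (image base 01000000, entry point 00017000 in a last section whose raw offset is also 00017000). The section names, sizes and layouts in both samples are assumptions; only the addresses quoted from the tutorial are from the page. It also returns None for an address that falls in virtual-only space (a section whose VirtualSize exceeds its SizeOfRawData), which is exactly the case where a PE editor shows a Virtual Offset with no file byte behind it.

```python
"""Map a PE virtual address to its raw file offset (added example, Python 3 stdlib only)."""
import struct

SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER: 40 bytes


def build_headers_only_pe(image_base, entry_rva, sections):
    """Construct a minimal PE32 image (DOS stub + NT headers + section table, no section data).

    sections: list of (name, virtual_address, virtual_size, raw_size, raw_pointer).
    Constructed test input only; it is not a runnable executable.
    """
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)  # e_lfanew: NT headers start right after the DOS header
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                       # PE32 optional header (fields we do not need stay 0)
    struct.pack_into("<H", opt, 0, 0x10B)      # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)  # ImageBase
    table = b"".join(
        struct.pack(SECTION_HEADER, name.ljust(8, b"\0"), vsize, va, rawsize, rawptr,
                    0, 0, 0, 0, 0x60000020)
        for name, va, vsize, rawsize, rawptr in sections)
    return bytes(dos) + coff + bytes(opt) + table


def parse_pe(data):
    """Return (image_base, entry_rva, [(name, va, vsize, rawsize, rawptr), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rawsize, rawptr))
    return image_base, entry_rva, sections


def rva_to_raw(rva, sections):
    """File offset backing an RVA, or None when no file byte exists for it."""
    for _name, va, vsize, rawsize, rawptr in sections:
        if va <= rva < va + max(vsize, rawsize):
            delta = rva - va
            return rawptr + delta if delta < rawsize else None  # beyond raw data: virtual-only
    return None  # not inside any section (e.g. past SizeOfImage)


def va_to_raw(data, address):
    image_base, _entry, sections = parse_pe(data)
    return rva_to_raw(address - image_base, sections)


def entry_point_raw(data):
    """Raw offset of the entry point: step 1 of the MUP list above."""
    image_base, entry_rva, sections = parse_pe(data)
    return rva_to_raw(entry_rva, sections)


# Constructed samples (section names/sizes assumed; addresses quoted from the tutorial).
CRACKME_LIKE = build_headers_only_pe(0x00400000, 0x1000, [
    (b".text", 0x1000, 0x1000, 0x600, 0x400),
    (b".data", 0x2000, 0x1000, 0x200, 0xA00),   # VirtualSize > SizeOfRawData: tail is virtual-only
])
PACKED_LIKE = build_headers_only_pe(0x01000000, 0x17000, [
    (b".text", 0x1000, 0x16000, 0x16000, 0x1000),
    (b".ep", 0x17000, 0x1000, 0x1000, 0x17000),  # last section: virtual offset == raw offset
])

if __name__ == "__main__":
    print(hex(va_to_raw(CRACKME_LIKE, 0x00401204)))  # 0x604, as W32Dasm's status bar showed
    print(hex(entry_point_raw(PACKED_LIKE)))         # 0x17000, as ProcDump showed for calcc.exe
```

On a real file, read the bytes with open(path, "rb") and pass them to va_to_raw; whenever the function returns None, the address you are looking at has no byte in the file, so a hex editor cannot patch it and the packer must be creating that memory at run time.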
Open up a hex editor (any), and look for 17000.
You will see this in the Hex-Editor:
17000: 6A 00 60-E9......
Now, in order to use SoftICE to break when we load the program (breaking on BPINT 3),
we need to change the 6A -> CC (CC = INT 3, the software breakpoint instruction).
So in the hex editor just change:
6A
To:
CC
Now it will be like this -> 17000: CC 00 60-E9......
Save the file and exit the HexEditor.
Now load SoftICE (Ctrl+D).
Set a breakpoint: BPINT 3
Press enter, and exit SoftICE (Ctrl+D).
Load the e
----------------------------------------------------------------------------------+
EAX=01017000 EBX=00520000 ECX=81653AB0 EDX=81653AF0 ESI=81653A90                  |
EDI=00000000 EBP=0056FF78 ESP=0056FE3C EIP=01017000 O d I S z a P c               |
CS=0177 DS=017F SS=017F ES=017F FS=5607 GS=0000                                   |
-----------------------------------------------------------------------PROT32-----+
0177:01016FFE  INVALID                                                            |
0177:01017000  INT     3                    <= we break here                      |
0177:01017001  ADD     [EAX-17],AH                                                |
0177:01017004  ADD     [ECX],EAX                                                  |
0177:01017006  ADD     [EAX],AL                                                   |
0177:01017008  ADD     [EAX],AL                                                   |
0177:0101700A  ADD     [EAX],AL                                                   |
0177:0101700C  INC     ESI                                                        |
0177:0101700D  INC     EDI                                                        |
0177:0101700E  DIV     DWORD PTR [BFF70000]                                       |
----------------------------------------------------------------------------------+
Now we need to change the "CC" back to "6A" (the original value),
because if we don't then SoftICE will exit ...so just press:
E EIP
You will see this:
--------------------------------------------------byte--------------PROT---(0)--
0177:01017000 CC 00 60 E9 01 01 00 00-00 00 00 00 46 47 F7 35  ..`.........FG.5
0177:01017010 00 00 F7 BF 5C 70 01 00-30 70 01 00 00 00 00 00  ....\p..0p......
0177:01017020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0177:01017030 D4 76 F7 BF AC 6D F7 BF-00 00 00 00 C2 01 4C 6F  .v...m........Lo
-------------------------------------------------------------------------PROT32-
Change CC 00 to 6A 00
so it will be like this:
0177:01017000 6A 00 60 E9 01 01 00 00-00 00 00 00 46 47 F7 35  (only the first byte is changed)
Press ALT+D to return to the command window.
Ha...much better, now we can trace the code ;D
We will trace the code to find the OEP (Original Entry Point), and we will trace the original
Import Table so we can fix the table later (e
1.============================The Hunt For OEP========================================
Ok, so we changed the INT 3 back to the original value so we can trace in SoftICE.
A very quick way to the OEP is to look for the POPAD instruction (most
E
A good way to see the POPAD is to scroll the code with CTRL+Down.
It will take a while, but you will see at the end of the code the POPAD & RET commands..so
when seeing the POPAD instruction, double click on it (mark it white) and type: HERE <enter>
Hehehe, we are breaking on the POPAD instruction:
EAX=01017000 EBX=00520000 ECX=81653AB0 EDX=81653AF0 ESI=81653A90
EDI=00000000 EBP=0056FF78 ESP=0056FE3C EIP=01017000 O d I S z a P c
CS=0177 DS=017F SS=017F ES=017F FS=5607 GS=0000
--------------------------------------------------byte--------------PROT---(0)---
0177:01017000 6A 00 60 E9 01 01 00 00-00 00 00 00 46 47 F7 35  j.`.........FG.5
0177:01017010 00 00 F7 BF 5C 70 01 00-30 70 01 00 00 00 00 00  ....\p..0p......
0177:01017020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0177:01017030 D4 76 F7 BF AC 6D F7 BF-00 00 00 00 C2 01 4C 6F  .v...m........Lo
-------------------------------------------------------------------------PROT32--
0177:01017208 POP EAX
0177:01017209 ADD ESI,14                          ; 14h = size of one import descriptor
0177:0101720C MOV DWORD PTR [ESP+20],010119E0     <= OEP
0177:01017214 JMP 01017170
0177:01017219 NOP
0177:0101721A REPZ STOSD
0177:0101721C POPAD                               <= you will break here
0177:0101721D RET
0177:0101721E ADD [EAX],AL
0177:01017220 ADD [EAX],AL
---------------------------------------------------------------------------------
How did I know to trace until here?
Well, as I told you, look for a POPAD instruction followed by a RET; that will usually lead you to the OEP... most of the time.
Look at the MOV DWORD PTR [ESP+20],010119E0 just above: PUSHAD occupies 20h bytes of stack, so [ESP+20] is the slot left by the PUSH 0 at the entry point. The packer overwrites it with the OEP, POPAD restores the registers, and the RET pops that slot and lands on the OEP. That is why POPAD/RET is such a reliable marker.
Now step over the RET instruction (F10); while you are on the RET instruction, press F10 once more and you will be here:
EAX=01017000 EBX=00520000 ECX=81653AB0 EDX=81653AF0 ESI=81653A90
EDI=00000000 EBP=0056FF78 ESP=0056FE3C EIP=010119E0 o d I s Z a P c
CS=0177 DS=017F SS=017F ES=017F FS=5607 GS=0000
--------------------------------------------------byte--------------PROT---(0)---
0177:010119E0 55 8B .. .. .. .. .. .. .. .. .. .. .. .. .. ..  ..and etc.  <= notice here
0177:010119F0 A1 00 00 00 00 50 64 89-25 00 00 00 00 83 C4 98  .....Pd.%.......
0177:01011A00 53 56 57 89 65 E8 C7 45-FC 00 00 00 00 6A 02 FF  SVW.e..E.....j..
0177:01011A10 15 B8 10 00 01 83 C4 04-C7 05 78 3F 01 01 FF FF  ..........x?....
-------------------------------------------------------------------------PROT32--
0177:010119DF INT 3
0177:010119E0 PUSH EBP                   <= you break here
0177:010119E1 MOV EBP,ESP
0177:010119E3 PUSH FF
0177:010119E5 PUSH 01001570
0177:010119EA PUSH 01011D60
0177:010119EF MOV EAX,FS:[00000000]
0177:010119F5 PUSH EAX
0177:010119F6 MOV FS:[00000000],ESP
0177:010119FD ADD ESP,-68
---------------------------------------------------------------------------------
Also notice that EIP now holds the Original Entry Point (010119E0), while EAX still holds the first (packer) entry point (01017000).
The bytes 55 8B EC 6A FF 68 ... 64 A1 00 00 00 00 at the OEP (PUSH EBP / MOV EBP,ESP / PUSH -1 / PUSH ... / MOV EAX,FS:[0]) are the standard Visual C++ startup prologue setting up its SEH frame; seeing it is a good confirmation that this really is the OEP.
Now we are going to use the "
E EIP <enter>
and overwrite the first two bytes 55 8B with EB FE (a JMP to itself), then ALT+D to return to the Command Window:
---------------------------------------------------------------------------------------
0177:010119E0 EB FE EC 6A FF 68 70 15-00 01 68 60 1D 01 01 64  <= it will be like this
0177:010119F0 A1 00 00 00 00 50 64 89-25 00 00 00 00 83 C4 98
0177:01011A00 53 56 57 89 65 E8 C7 45-FC 00 00 00 00 6A 02 FF
0177:01011A10 15 B8 10 00 01 83 C4 04-C7 05 78 3F 01 01 FF FF
-------------------------------------------------------------------------PROT32--------
0177:010119DF INT 3
==> 0177:010119E0 JMP 010119E0      (JUMP) ; the trap
---------------------------------------------------------------------------------------
So we set a trap on the OEP ;D. Now let's clear all breakpoints: BC *
Set the BPINT 3 breakpoint again, and leave sICE.
Load calcc.exe, sICE breaks, type: E EIP, edit the CC->6A and press <enter>.
Now leave sICE again (without clearing the breakpoints)... calcc.exe runs like a baby.
Well, what's the point of it??
The point is that you won't get an error message when loading calcc.exe (which you would without the BPINT 3 and the CC->6A fix).
That way I can dump it in ProcDump while the program is loaded, and ProcDump won't crash when trying to dump it.
Now let's open ProcDump again. In the TASK window, scroll down and look for the directory you have the e
D:\Dont Tuch\notepade.exe
If it's not there, right-click with the mouse and press REFRESH LIST... ohh here it is :=)
Now select the file, right-click with the mouse and choose:
DUMP (FULL). If ProcDump still crashes, then I recommend dumping the file using PARTIAL:
DUMP (PARTIAL) <= click OK all the time.
Save the new dump anywhere you like; choose a name of course ;D (I prefer the name DUMP.EXE ;D).
Now right-click on it again and choose: KILL TASK (press OK after you get a message).
Now, the dump we made does not run yet. We need to modify it to make it run... duh! ;D
So click "PE Editor" and choose the new dump file we made.
The entry point is still 00017000, so change it to the real OEP: 119E0. It will now read:
Entry Point: 000119E0
Under "Apply Changes Method:" choose "To PE File" <= so we can kick the e
After choosing "To PE File", click the "SECTIONS" button.
Right-click the last section and choose "Kill Section". This will ensure that the e
Now we will fix the Size of Image of the dump:
Size of Image = Virtual Offset + Virtual Size of the last section
Because we killed the last section, the section before it is now the last one, so take its values:
Offset = 00014000
Virtual Size = 00002618
Size of Image = 00014000 + 00002618 = 00016618
(Strictly, the PE format wants Size of Image rounded up to the Section Alignment, normally 1000h, which would give 00017000. 00016618 worked for this target, but round it up if a loader complains.)
Click the "CANCEL" button to get back to the Header Info screen.
We see that "Size Of Image" = 00018000 <= which is not correct anymore, it still counts the killed section (at least here it does) :-)
Change "Size Of Image" = 00018000 -> 00016618
Press OK to rebuild the structure of dump.exe ;D
Exit ProcDump.
Try running the file (dump.exe)... what's going on, it's not working... why! >:/
Well, it won't work because it still runs in the loop we planted, which prevents the program from working!
Remember: 558B ->
So open the hex editor again and go to the OEP we found (119E0).
Change the EB FE back to 55 8B.
Save the file...
Run Dump.exe... IT CRASHES AGAIN!!!!!!!!... >:|
Wtf... why :-( ?
Well, the main reason is because the EP v0.2 e
IMPORT TABLE...
To know more about the IT, I suggest reading some tutorials about it :-), or some documents about the PE structure.
2.======================= The Hunt For Original IT =======================
Ok, open up sICE, set a BPINT 3 breakpoint, exit sICE, load the e
sICE pops; just E EIP to bring back the original value so we can trace with sICE:
E EIP
CC 00
To:
6A 00
<enter> or Alt+D
Now we can trace... it won't take long. Try to find it yourself.
Didn't find it??
So notice this in SoftICE:
--------------------------------------------------------------------------------------
EAX=01017020 EBX=00520000 ECX=00000000 EDX=7461644F ESI=01012020 ; ESI = Original IT
EDI=00000000 EBP=01000000 ESP=0056FE18 EIP=01017170 o d I s z a p c
CS=0177 DS=017F SS=017F ES=017F FS=1127 GS=0000 DS:0101202C=000122A2
--------------------------------------------------byte----------------PROT---(0)------
0177:01017000 D4 76 F7 BF AC 6D F7 BF-00 10 00 00 00 20 01 00  .v...m....... ..
0177:01017010 00 30 01 00 00 10 00 00-00 00 00 00 20 20 01 00  .0..........  ..
0177:01017020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0177:01017030 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
----------------------------------------------------------------------------PROT32----
0177:01017163 JMP 0101713C
0177:01017165 ADD ESI,04
0177:01017168 LODSD
0177:01017169 TEST EAX,EAX
0177:0101716B JZ 01017175
0177:0101716D ADD EAX,EBP             ; EBP = 01000000 = image base: RVA -> VA
0177:0101716F XCHG EAX,ESI
0177:01017170 MOV EAX,[ESI+0C]        <= ESI points at the current import descriptor; +0C is its Name field (the DLL name RVA, here 000122A2 as the DS: line shows)
0177:01017173 TEST EAX,EAX
0177:01017175 JZ 010171F6             ; a zero Name ends the import table
--------------------------------------------------------------------------------------
A quick: ? ESI
will show you ESI=01012020.
So we can assume the original IT starts at RVA 12020 (01012020 minus the image base 01000000). Write it down.
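The loop the stub runs at 01017168-01017175 is just a walk over the IMAGE_IMPORT_DESCRIPTOR array: each descriptor is 14h bytes (the ADD ESI,14 we saw), +0C is the DLL name RVA, and a zero Name terminates the table. Below is that walk written out in Python as an added example; it is not code from the tutorial. The memory image is constructed inline (offset == RVA, the way a full ProcDump dump looks), the DLL and function names in it are made up, and the IAT values only imitate Win9x kernel addresses. The last function reports the IAT range, which is the RVA/size pair ImportREC's IAT AutoSearch hunts for. In a real dump the packer has often wiped the OriginalFirstThunk arrays, which is exactly why ImportREC rebuilds names from the live process instead of reading them the way this walker does.

```python
import struct

IMAGE_BASE = 0x01000000     # EBP in the SoftICE listing: RVA + EBP = VA
IMPORT_RVA = 0x12020        # ESI = 01012020 minus the image base
DESC_SIZE = 20              # sizeof(IMAGE_IMPORT_DESCRIPTOR), the ADD ESI,14 in the stub


def build_sample_image():
    """Constructed flat image with two import descriptors at 12020 followed by
    the all-zero terminator. Names and IAT values are made up for the example."""
    img = bytearray(0x13000)
    strings = {0x12100: b"KERNEL32.DLL\0", 0x12110: b"USER32.DLL\0",
               0x12200: b"\0\0GetModuleHandleA\0",   # IMAGE_IMPORT_BY_NAME: WORD hint + name
               0x12220: b"\0\0ExitProcess\0",
               0x12240: b"\0\0MessageBoxA\0"}
    for rva, data in strings.items():
        img[rva:rva + len(data)] = data
    struct.pack_into("<III", img, 0x12300, 0x12200, 0x12220, 0)        # INT (OriginalFirstThunk), KERNEL32
    struct.pack_into("<II", img, 0x12310, 0x12240, 0)                  # INT, USER32
    struct.pack_into("<III", img, 0x12400, 0xBFF70000, 0xBFF70010, 0)  # IAT as the loader left it
    struct.pack_into("<II", img, 0x12410, 0xBFF80000, 0)
    # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    struct.pack_into("<IIIII", img, IMPORT_RVA, 0x12300, 0, 0, 0x12100, 0x12400)
    struct.pack_into("<IIIII", img, IMPORT_RVA + DESC_SIZE, 0x12310, 0, 0, 0x12110, 0x12410)
    return img


def read_cstr(img, rva):
    return img[rva:img.index(b"\0", rva)].decode("ascii")


def walk_import_table(img, import_rva):
    """Replay the stub's loop: read descriptor fields, stop when Name == 0.
    Returns [(dll, [function names], first_thunk_rva, [iat values])]."""
    out, esi = [], import_rva
    while True:
        oft, _stamp, _fwd, name_rva, first_thunk = struct.unpack_from("<IIIII", img, esi)
        if name_rva == 0:                      # MOV EAX,[ESI+0C] / TEST EAX,EAX / JZ -> done
            break
        funcs, p = [], (oft or first_thunk)    # no INT: the loader reads names via FirstThunk
        while True:
            thunk = struct.unpack_from("<I", img, p)[0]
            if thunk == 0:
                break
            if thunk & 0x80000000:             # import by ordinal
                funcs.append("#%d" % (thunk & 0xFFFF))
            else:
                funcs.append(read_cstr(img, thunk + 2))   # skip the hint WORD
            p += 4
        iat, p = [], first_thunk
        while struct.unpack_from("<I", img, p)[0]:
            iat.append(struct.unpack_from("<I", img, p)[0])
            p += 4
        out.append((read_cstr(img, name_rva), funcs, first_thunk, iat))
        esi += DESC_SIZE
    return out


def iat_range(img, import_rva):
    """Lowest FirstThunk and the size up to the end of the highest IAT array
    (terminators excluded): the RVA/size ImportREC's IAT AutoSearch looks for."""
    table = walk_import_table(img, import_rva)
    start = min(ft for _, _, ft, _ in table)
    end = max(ft + 4 * len(iat) for _, _, ft, iat in table)
    return start, end - start


if __name__ == "__main__":
    image = build_sample_image()
    for dll, funcs, ft, iat in walk_import_table(image, IMPORT_RVA):
        print("%s @ IAT %05X: %s" % (dll, ft, ", ".join(funcs)))
    print("IAT RVA/size: %05X/%X" % iat_range(image, IMPORT_RVA))
```

Run it and compare with what you see in sICE: the first descriptor's Name field sits at 1202C, which is the DS:0101202C the register window shows the MOV about to read.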
3.====================== Fixing Broken Import Table ======================
So o
Choose the "PE EDITOR" button and pick the dump.exe we created!
Now, to change the IT starting point, click the "DIRECTORY" button. You will see:
Import Table: RVA       Size
              00017008  00000034
But we know 00017008 is not the real starting point of the IT (it points into the packer's stub, right next to the fake entry point 17000), so edit it and replace it with the real RVA:
17008 -> 12020
Click OK, and OK again... dump.exe is rebuilt.
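What ProcDump's PE Editor did for us in the last two steps (new entry point, killed section, recomputed Size of Image, redirected import directory) is a handful of DWORD writes in the PE header. The following Python is an added example of those writes, not code from the tutorial or from ProcDump. The sample header is constructed inline with the tutorial's numbers (image base 01000000, packer entry at RVA 17000 in a trailing section, section 14000 of virtual size 2618, import directory 17008/34); the section names, alignments and raw sizes are assumptions. It also computes both Size of Image values: the raw sum 00016618 the tutorial types in and the 00017000 you get after rounding up to the Section Alignment as the PE format requires.

```python
import struct

IMAGE_BASE = 0x01000000      # from the tutorial's addresses (0101xxxx)
SECTION_ALIGN = 0x1000       # assumed; the usual value for Win32 executables
FILE_ALIGN = 0x200           # assumed


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def _u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def _put_u32(buf, off, val):
    struct.pack_into("<I", buf, off, val)


def _headers(pe):
    """Locate COFF header, optional header and section table via e_lfanew."""
    e_lfanew = _u32(pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec = _u16(pe, coff + 2)                 # NumberOfSections
    opt = coff + 20                           # optional header follows the 20-byte COFF header
    secs = opt + _u16(pe, coff + 16)          # SizeOfOptionalHeader
    return coff, opt, secs, nsec


def build_sample_pe():
    """Constructed PE32 header shaped like the tutorial's dump before fixing."""
    pe = bytearray(0x400)
    pe[0:2] = b"MZ"
    _put_u32(pe, 0x3C, 0x40)                  # e_lfanew
    pe[0x40:0x44] = b"PE\0\0"
    coff = 0x44
    # Machine=i386, NumberOfSections=3, stamp, symtab, nsyms, SizeOfOptionalHeader=E0h, Characteristics
    struct.pack_into("<HHIIIHH", pe, coff, 0x14C, 3, 0, 0, 0, 0xE0, 0x010F)
    opt = coff + 20
    struct.pack_into("<H", pe, opt, 0x10B)    # PE32 magic
    _put_u32(pe, opt + 16, 0x17000)           # AddressOfEntryPoint -> packer stub
    _put_u32(pe, opt + 28, IMAGE_BASE)
    _put_u32(pe, opt + 32, SECTION_ALIGN)
    _put_u32(pe, opt + 36, FILE_ALIGN)
    _put_u32(pe, opt + 56, 0x18000)           # SizeOfImage, still counting the packer section
    _put_u32(pe, opt + 92, 16)                # NumberOfRvaAndSizes
    _put_u32(pe, opt + 96 + 8, 0x17008)       # DataDirectory[1]: import table RVA (the packer's)
    _put_u32(pe, opt + 96 + 12, 0x34)         #                   ... and size
    secs = opt + 0xE0
    # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData); names are made up
    table = [(b".text", 0x12C00, 0x01000, 0x12C00, 0x00400),
             (b".data", 0x02618, 0x14000, 0x02800, 0x13000),
             (b".ep",   0x01000, 0x17000, 0x00400, 0x15800)]   # the packer's section
    for i, (name, vsize, va, rawsize, rawptr) in enumerate(table):
        off = secs + 40 * i
        pe[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", pe, off + 8, vsize, va, rawsize, rawptr)
        _put_u32(pe, off + 36, 0xE0000020)    # code | execute | read | write
    return pe


def entry_va(pe):
    _, opt, _, _ = _headers(pe)
    return _u32(pe, opt + 28) + _u32(pe, opt + 16)


def kill_last_section(pe):
    """ProcDump's 'Kill Section' on the last entry: zero its header and
    decrement NumberOfSections. Returns the new section count."""
    coff, _, secs, nsec = _headers(pe)
    last = secs + 40 * (nsec - 1)
    pe[last:last + 40] = bytes(40)
    struct.pack_into("<H", pe, coff + 2, nsec - 1)
    return nsec - 1


def size_of_image(pe, aligned=True):
    """VirtualAddress + VirtualSize of the (now) last section, rounded up to
    SectionAlignment. aligned=False gives the raw sum the tutorial uses."""
    _, opt, secs, nsec = _headers(pe)
    vsize, va = struct.unpack_from("<II", pe, secs + 40 * (nsec - 1) + 8)
    total = va + vsize
    if not aligned:
        return total
    align = _u32(pe, opt + 32)
    return (total + align - 1) & ~(align - 1)


def fix_dump(pe, oep_rva, import_rva, import_size):
    """The three PE Editor edits: entry point, SizeOfImage, import directory."""
    _, opt, _, _ = _headers(pe)
    _put_u32(pe, opt + 16, oep_rva)
    _put_u32(pe, opt + 56, size_of_image(pe))
    _put_u32(pe, opt + 96 + 8, import_rva)
    _put_u32(pe, opt + 96 + 12, import_size)
    return {"entry": oep_rva, "size_of_image": _u32(pe, opt + 56),
            "import_rva": import_rva, "import_size": import_size}


if __name__ == "__main__":
    image = build_sample_pe()
    print("before: entry VA %08X" % entry_va(image))
    kill_last_section(image)
    print(fix_dump(image, 0x119E0, 0x12020, 0x1000))
    print("after:  entry VA %08X" % entry_va(image))
```

The same functions work on a real dump if you read the file into a bytearray, apply them and write it back; the only thing ProcDump did beyond this was rewrite the file so the sections stayed contiguous.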
Now we need to use a program called "ImportREC", which will fix the broken Import Table for us.
How to use it and fix the table through ImportREC??
=================================== Fixing Through ImportREC ============================
1. Load the e
   (which in this case won't crash the program), so that it is an active process ImportREC can attach to.
2. In "attach to an active process" choose our program -> d:\dont tuch\calcc.exe
3. Enter the correct OEP + IT under "IAT INFOS":
   OEP  = 000119E0
   RVA  = 00012020
   SIZE = 00001000
4. Press the "IAT AutoSearch" button; you will get the message "Found something!" and some RVA and OEP information. Click OK!
5. Click the "Get Import" button.
6. Click the "Fix Dump" button and choose the dump.exe we made.
   * Note: sometimes you will get an error message, but you can ignore it ;-)
   Otherwise it works fine.
7. Exit ImportREC.
Ok, so we fixed dump.exe with a good IT... it's time to check the program.
You will see a new file was created: dump_.exe ;) Run it!!
It works ;-)
EP v0.2 is totally unpacked / reversed & removed!
---------------------------------------------------------------------------------------
Well my students, it was a long journey, but you finally did it.
I said it takes time to learn; you can't master something you haven't trained on.
So again I say "Read & Practice": nothing is perfect until you make it perfect.
Keygenning:
-----------
Another fascinating section in cracking is the keygenning field. This is the total reversing of a given protection, and it is by far known as the BEST crack.
Creating the actual keygen is not the problem; understanding the ALGO itself may take some brainstorming, and finding the actual generation routine can be the very frustrating part :-). But as I said, time and only time; nothing can hold a good Fravia unless it is impossible, and a human can crack whatever another human has made.
A simple ALGO won't hold a skilled cracker, but it will hold a beginner.
Good ASM knowledge will by far do 50% of the job; the other 50% is your brain's effort.
This is simple key hashing, no more.
Math plays a big role: an ALGO is based on math, whether simple or hard.
SoftICE is the most useful tool, as it shows us how the algo behaves and what it does at every instruction. A good way is to imitate the algo (rip it) or to write your own routine that produces the same key from the name (in whatever programming language).
A good example of a simple algo is used in Day 5 of our training.
The Crackme2 has a very easy algo that creates a serial from the name: it walks over each character of the entered name and applies a few math instructions.
A good way is to rip the algo if you are an ASM coder; else just understand it and write your own routine in your favourite programming language.
I. EXAMPLE (Keygen routine in C/C++ for Crackme2):
=================================================
/* Simple routine from the ASM code converted to C.
   Variable names are kept from the SoftICE listing: edx = current character,
   ebx = scratch, esi = running serial. esi is assumed to start at zero. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

uint32_t keygen(const char *name)
{
    uint32_t esi = 0;                      /* 32-bit accumulator, wraps like the register */
    size_t len = strlen(name);
    for (size_t i = 0; i < len; i++) {
        uint32_t edx = (unsigned char)name[i];  /* load the character, zero-extended */
        uint32_t ebx = edx;
        ebx *= edx;                        /* IMUL EBX,EDX: character squared */
        esi += ebx;
        ebx = edx >> 1;                    /* SAR EBX,1 on a positive value == divide by 2 */
        esi += ebx;
        esi -= edx;
    }
    return esi;                            /* the serial the CrackMe compares against */
}

int main(int argc, char **argv)
{
    printf("%08lX\n", (unsigned long)keygen(argc > 1 ? argv[1] : "Bengaly"));
    return 0;
}
When you understand the algo, you can reverse it totally and create your own keygen. This is what makes cracking FUN (not profit).
-For even harder keygenning, crypto is used to stop crackers, but of course some did and will keep doing them.
Keep practicing and work well.
*Don't worry, I won't paste any keygen tutorial here :-), else this guide would be a book ;-).
Crypto-Key:
-----------
These days companies know the cracking scene well, as they know that 1+1=2 :-)
And still they are making funny routines, but some are not that lazy; those companies who take their software seriously know that they must protect their app at any cost.
Those companies force themselves to use crypto algorithm routines to make the game a little bit harder: mathematical algorithms like RSA and the like.
Using crypto makes the average cracker's life a living hell, and he will drop it.
The only attack against that kind of crypto-key algo is to learn about the crypto algo that is being used in the app, study it and be a cryptanalyst; then, after gaining the knowledge about it, it's only a matter of time/brain/SoftICE to create the actual keygen :-). Sure it will be hard, but it can be done, si
(Caveat: if the scheme is used correctly, say a real RSA signature over the name with a large enough modulus, no amount of tracing recovers the private key. Keygens against such schemes exist because the modulus was small enough to factor, or because the cracker patched in his own public key / bypassed the check; that is what "studying the algo" ends up meaning in practice.)
And such an algo in a name/serial protection :-) , the only thing the crypto algo is being used for is to create the valid key for the name using very hard MATH.
*IF you want to practice on crypto keygenMes, try TMG's trial keygenME by tEgoiste.
Dongles:
--------
Well, there is not much I can say about dongles, because I have never tried to reverse one.
They are hard, but they have already been reversed, so the secret is no longer a secret :-). Dealing with a dongle is dealing with technical knowledge: the more you learn about dongles, the faster you will crack them.
Cracking a dongle isn't about making a box and attaching it to the LPT port, heh :-)
One way is to find the BAD_Boy jump (you believe it's still there? ;-) ) and reverse it.
Or you will need to rewrite some parts (mostly moving all information / services / regnums into registers), and that will make you a good patch.
Another way is to emulate the dongle and make the APP think it's attached.
Known dongles: HASP from Aladdin - Israel / Sentinel / DESkey / homemade, etc.
Taken from Frog's Print essay about dongles:
============================================
Possible attacks:
 - Breaking with BPIO 278/378.
 - Emulating the dongle by re-writing its main routine is much funnier than boring tracing and patching (and sometimes a lot easier, especially the Hasp protection).
 - Beautiful jnz_Bad_Guy at the end to patch... :-)
 - Brute force approach.
 - Searching with Hiew the bytes seque
To crack a dongle, you must first locate the protection you'll have to crack. Any means are good:
 - Searching in the program or its DLLs for the main dongle routine (I wrote my own haspfind.com that searches a directory for the file where the Hasp routine is located).
 - BPIO with SoftICE. It will always work (as long as you don't forget to install the driver and, most of the time, reboot to load it), but you may easily get stuck/lost deep inside complex routines.
 - Si
   You may just have to BPX the MessageBoxA fu
   and all other similar ones and find the cross-refere
 - Disassembling the file to find some "Check_If_Dongle_OK" exported fu
+================+
| The Big Ride |
+================+
When I say "the big ride", I don't mean any new crack or any new protection.
I mean that when you are finally ready and practiced, and think you can handle the real world of cracking, then you are on the Big Ride ;-)
There are 2 different kinds of crackers:
1. The lonely crackers - those who crack alone, write tutorials alone and do not interfere with others. Those, BTW, are kindly the best crackers: they do the best work and supply you with the best knowledge. You can find them in the +HCU academy for crackers; all lonely crackers have posted their tutorials there.
2. The "Glory" crackers - those who don't want to be alone and want to be "famous"; those are the crackers who work in cracking groups. In groups a bu
   together in order to crack an application. In those kinds of groups there is only one goal: team competition / fun. There is no profit whatsoever, just crack for fun before some other group does :-) .
This is what I refer to as the Big Ride.
Contribute to give knowledge & teach, or join some cracking team and have fun with others.
------------------------------------------ Page 8 ------------------------------------
+=================+
| Troubleshooting |
+=================+
Some troubleshooting I have seen a lot lately came from installing IceDUMP... well, for me I don't know what's so difficult, but anyway:
Installing IceDUMP:
-------------------
Extract the ZIP file (32-bit, with dirs). It is not important where you extract IceDUMP.
O
TOOLS / W9X / WNT
   |
   +----> WNT: WinNT VxD versions of SoftICE
   |
   +----> W9X: SoftICE Win9x versions (DOS as well).
          In this dir you should see a lot of dirs; every dir represents a
          SoftICE version, starting from DOS up to the Windows SoftICE versions.
          There are also some other dirs for small utils (mp3 player...).
MASM i
The first thing to do before running the IceDUMP exe file (VxD) is to check your SoftICE version. You can do that by loading SoftICE and typing VER; you will be given the SoftICE information.
For example, my SoftICE version is:
SoftICE 4.0.5 (Build 334)
Copyright (c) 2000 Compuware Corporation. All rights reserved
This means I have SoftICE 4.05 Build 334.
I run SoftICE for Windows 98, so in the IceDUMP dirs for w9x I need to enter the sub-dir called:
4.05.334
and load the specific VxD for my SoftICE version.
*You don't need to put the IceDUMP files in the SoftICE directory.
My IceDUMP is installed at: D:\Dont Tuch\My Ducoments\Cracking\Ice Dump\w9x
while SoftICE is installed at: C:\Program Files\NuMega\SoftIce95
You see, there is no need to move any files; when you run the right IceDUMP VxD version for your SoftICE it will automatically patch SoftICE in memory and be ready to use, and you can use the extra options IceDUMP has :-)
Have Fun.
Another troubleshooting issue people have been talking about is that they can't use SoftICE in WinXP/2000/ME.
Setting up SoftICE for WinNT/WinME (XP/2000):
------------------------------------------
First thing to know: NuMega has made patches that will load SoftICE in the newer Windows versions.
WinME has a problem as well, as it does not use autoexec.bat, and that's bad, si
O
But the patches they have added are not 100% and you could have problems loading SoftICE. More solutions have been brought by NuMega as well; on their page you can find the right patches.
Win2000/XP - same problem. NuMega has made a new DriverStudio (2.5) that (hopefully) supports WinXP; there are also patches for SoftICE (NTice) on their home page (www.NuMega.com). Get them.
Misc troubleshooting:
-----------------------------
Q. I can't use Hmemcpy under Win2000, why?
A. Win2000 does not have Hmemcpy; it is a Win9x-only routine, that's why you can't use it.
   As a replacement you can use the MemCpy fu
Q. I am trying to set a breakpoint on an API and I get "Symbol is not defined", why?
A. Probably you haven't told SoftICE to load the DLLs' exports at boot time.
   Remove the ';' in front of the important DLLs in Winice.dat and then reboot.
Q. I am cracking a Visual Basic app but I can't break in SoftICE, why?
A. Visual Basic uses its own runtime DLLs, such as Vb40032.dll, and others for VB6.
   I suggest you go to: http://ebliss.cjb.net/
   It has all the needed information about VB cracking.
   I also suggest you get the SmartCheck VB debugger.
Q. I heard about Search Fu
A. The search fu
   For example, if you enter your name in a text box: Bengaly
   After breaking (BPX) on the right API we search for our name instead of locating it manually. It works like this:
   S 0 L FFFFFFFF 'Bengaly'
   *S = Search
   *0 = start address 0 (zero)
   *L = length specifier: the number of bytes to search, counted from the start address
   *FFFFFFFF = the length, i.e. search the whole 4 GB address space
   Now SoftICE will show you where the name Bengaly has been located in memory.
   That does not say it's in the program, only that it's in memory (because we are doing a LONG-RANGE search).
   A good way to know where the name could be is after the address 8xxxxxxx:
   I.E: :s 0 l ffffffff 'Bengaly'
   Pattern found at 0030:82F1A89B (82F1A89B)
                         ^^^^^^^^ over 8xxxxxxx
   This system was taught to us by +ORC in his fantastic tutorials.
   All you need to do is set a breakpoint on the address range and break:
   I.e.: BPR 0030:82F1A89B + 6 R
                            ^   ^
            name length - 1 |   | read access
   There is a good searching tutorial at (I think): http://fooder.cjb.net
Q. How can I take a snapshot of SoftICE?
A. Well, a regular screenshot you can't take, but another kind of snapshot can be taken and saved to TXT/HTML.
   The snapshot fu
   First thing to do is load the proper IceDUMP VxD, o
   Fu
   /ScreenDUMP
   Now, ScreenDUMP has some options (modes); every mode takes the snapshot in a different way. Typing /SCREENDUMP several times switches between the modes.
   The best mode to use is mode 01 (text mode).
   To take the snapshot you do:
   /ScreenDUMP <dir path><filename>.txt   (mode 01)
   I.E: /SCREENDUMP D:\A.TXT
Q. I used this /ScreenDUMP fu
A. Yes, this is a common bug. To fix this you should always break on some API; it seems /ScreenDUMP won't take a shot unless you are in some code.
Q. I heard there is an MP3 player under SoftICE, where is it?
A. Yes there is, the mp3 player is in \Ice Dump\w9x\mp3\bin
   But I must say, the MP3 player will lock up your machine unless you know how to use it. I tried and it locked my PC; maybe it's not yet working, don't know :-)
   I really recommend putting a CD in the CD-ROM and playing it using the CD-ROM buttons.
Q. I heard about a TraceX command, what is it?
A. Well, the TraceX command is actually a tracer that is normally used to single-step some stream of instructions and, because of this, it is able to intervene at any point and act accordingly.
   * I recommend reading Tracer.TXT from the Docs dir in the IceDUMP dirs.
O
Q. It seems W32dasm gets stuck/crashes when I load some apps, why?
A. As I said before, some use tricks against W32dasm. Some programmers raise the resource size and this makes Win32dasm stuck/freeze; others use far jumps, infinite loops, etc.
Q. Why can't I see the String-Refere
A. In order to do that you need the Win32dasm patch for VB applications.
Q. I have disassembled a file, but I can't see any ASM code, why?
A. This is because the file is packed; the packer hides the code. What you can do is unpack the file and disassemble it again.
Q. I got the file unpacked, I see the ASM code, but there are no Strn-Refs, why?
A. This is because you haven't changed the characteristics of the sections.
   Run PE-EDITOR, load the file and press the "Sections" button. Select each section, right-click and choose "Change to E0000020"; do this for all sections (it will auto-update the file).
   (E0000020 sets the section flags to code + executable + readable + writable, so the disassembler treats every section as code and picks up the references.)
   Now try to disassemble the file; you "should" have Strn-Refs.
Q. Where can I get the full API list?
A. You can download Win32.hlp from the internet (try Microsoft.com) :-) or try: http://Protools.cjb.net
--------------------------------------- Page 9 -------------------------------------
+=======+
| Links |
+=======+
The way to learn about cracking is to search over the net, download the tutorials, and read/practice. Here I will give you the best web pages you can download free tutorials/tools from:
-----------Cracking Tutorials:---------
1. +HCU Academy -
http://Tsehp(dot)cjb(dot)net (Academy - Best)
2. The Krobar Collection:
http://Krobar.cjb.net (Recommended)
3. CoDe_InSiDe
- http://codeinside.cjb.net (Mine/CoDe's tutorials)
4. Eternal_Bliss - http://ebliss.cjb.net
(Visual-Basic)
5. +Sandman -
http://www.idca.com/~thesandman/index2.html (Best - Recommended)
6. Icezelion's Win32Asm - http:/win32asm.cjb.net
(Coding)
7. tHE Egoiste - http://egoiste.da.ru
(Great page with Crypto Stuff)
8. CrackMe's Page -
http://crackmes.cjb.net (Recommended, dl all CrackMe from here)
--------Cracking Tools:---------
1. Programmers Tools - http://protools.cjb.net
(Best)
2. Play Tools - http://playtools.cjb.net
(Great)
3. EXE Tools - http://exetools.cjb.net/
(Average)
4. Aaron's Tools -
http://mud.sz.jsinfo.net/per/aaron/index.htm (Average)
5. http://ProcDump32.cjb.net
6. Freak2freak.cjb.net
7. www.sysinternals.com (FileMon)
8.
http://rpi.net.au/~ajohnson/resourcehacker
9.
http://muaddib.immortaldescendants.org
10.http://frog.fsn.net (May be down)
-----------Groups:-----------
1. PGC - http://www.pgc-force.com (I am
in that group)
2. The Millenium Group -
http://tmg.da.ru/ (Keygen Factory :-)
3. HellForge - http://www.hellforge.org/
4. The Cracking Answer -
http://tca2k.da.ru/
5. Immortal
Descendants - http://www.immortaldescendants.org
6. TrickSoft -
http://emc2k.com/tricksoft/
7. DOOM - http://deadlyzone.virtualave.net/Html/load.htm
8. http://www.suddendischarge.com/
And many more :-), well, I can't put all sites here, so I just put the links most useful for crackers.
+========+
| Thanks |
+========+
First thanks go to all who made reverse engineering possible:
--------------------------------------------------------------
In no specific order:
+ORC, Fravia+, +RGC, +greythorne, +ReZiDeNt, +Xoanon, SiuL+Hacky,
The+Q (Home Made), +Spath, +Mammon_, Frog's Print, +gthorne, +daQ,
razzia, +MaLaTTiA, Quine, +Alt-F4, +DataPimp, The+Chineese, +Hackmore,
+Indian_Trail, bajunny, +Sandman, +Aesculapius, Shaman, +Aitor,
Dr Fuhrball, MaD, TWD, +SNikKkEL, +Sy
A+heist, The Undertaker, Civetta, +Zer0, +drlan, +PopJack.
Thanks for my cracking skills to:
--------------------------------
CoDe_InSiDe, fusS, _Nordic_, Muad'D1b, gogamoga, ManKind, PGC, +HCU Academy, +ORC, +Sandman, +Fravia (+Fravia).
The+Q (for being a cracker from the same country as I).
Thanks to my real friends as well (even if some don't know what I do) :-)
Work Well And Have Fun.
By Bengaly 2001