                                 
                                                         ܲ
                                         ۲  
                                              
                               
         ۲    ۲      ۲    ۲
            ۲   ۲           ۲
 ܲ           ۲      
                    
    ޲  ݲ   ޲      
      ޲    ޲     ޲  ޲      ޲    
  ޲   ޲    ޲    ޲      ޲      
        ߲ ܲ  ޲  ߲ ܲ     ߲  
   ߲     ܲ          ܲ                   js
                   inside    
                            
                       

Tutor        : duelist
Date Wrote   : May 10, 1999
Level (1/10) : 2
Target       : Hellforge Softice Crackme 3
Size         : 120kb
Protection   : Anti-Softice, Packed, Name/Serial
Tools Used   : SoftIce


 - INTRODUCTION: -

 Before anything else i would like to say that i rated this
 crackme with 2 because of the softice check, it is very
 easy and about everyone should be able to reverse it. We'll
 start with 'killing' that check (+ analysing the code around
 it...)

 Advice: I won't say what you have to type in softice, only
         what do you need to do, or else you won't learn!


 - CRACKING ANTI-SICE CHECK: -

 Most of the programs that have this kind of check (actually,
 these are mostly used in crackmes) use the CreateFileA with
 '\\.\SICE' as the file parameter, so it won't be hard to kill
 this one.

 1. Switch to softice and set a breakpoint on CreateFileA
 2. Back to windows and execute the crackme
 3. You'll break just after executing it, just ignore that
    break because Explorer calls CreateFileA whenever some
    application is executed... (go back to windows)
 4. You'll break again, this time it's not normal and it 
    should be due to some call inside the program. Press F12
    and you'll be inside the crackmes' code:

	push	00435314                   <- dump this address to see it is
	call	KERNEL32!CreateFileA          '\\.\SICE', it's our check!
	mov	[ebp-04], eax
	cmp	dword ptr [ebp-04], -01    <- does '\\.SICE' exist? if yes,
 /----< jz	00401625                      softice loaded, don't jump!
 |	push	dword ptr [ebp-04]
 |	call	KERNEL32!CloseHandle       <- close the file if it existed
 |	mov	eax, 1			   <- important! eax is set to 1 if
 |	pop	ecx			      softice was loaded
 |	pop	ebx
 |	ret
 |---->	xor	eax, eax                   <- no softice loaded, set eax
 |	pop     ecx 			      to 0
 |	pop	ebx
 |	ret
 |    
 \-! Stop at this line and do the following: "a" to edit the code
     in it, then "jmp 401625" to make it jump always and press
     Escape to get out of code editing mode. Why did i do this?
     Later in the program this routine will be used for another
     thing, and since we don't want to be checking when its run
     again, just leave it patched the correct way!

     SIDE-NOTE: For winNT users: The program will also check for
                '\\.\NTICE' by using this snippet of code, if u
	        change the code this way, you'll spare some time!

 5. Now that you understood this snippet of code, let the program
    run after the ret instruction, and after some steping we'll be
    here:

	test	eax, eax
 /----<	jz	40156D
 |	mov	dword ptr [00439200], 00000006
 | 	jmp	00401577                        >--\
 \---->	mov	dword ptr [00439200], 00000005     |
	mov	edx, [ebp-28]			<--/

    What this snippet of code does is to set the offset 00439200 to
    5 if softice is npt loaded and to 6 if softice is loaded. You
    may think: why is this done if the app only runs when softice is
    _not_ loaded? This tricks people who just reverse the flag in the
    softice check routine, since it is executed later again to load
    the correct value into the offset. Nice work LaZaRuS :)


 - CRACKING NAME/SERIAL CHECK: -

 1. Enter any name and serial you wish
 2. Switch to softice and set a breakpoint on hmemcpy (this is a delphi
    app, so standard api calls are not issued to get editbox's text)
 3. Delete any char in your name or serial (since they are checked in
    real time, we've no button)
 4. Ignore the first break on hmemcpy, that's just windows erasing the
    char... Next time it breaks, press F12 until you get to the crackme's
    code.
 5. Now, i don't include much code here because the target is packed and
    i've got other things than manually reproducing code here. Set a break-
    point on 004017AF (bpx 4017AF) and you should break at the code genera-
    tion routine:

  /--->	movsx	ecx, byte ptr [eax]      <- move each letter of the name into ecx
  |	xor	ecx, [ebp-54]            <- xor ecx with the counter
  |	imul	ecx, [00439200]          <- remember this offset? should be 5!
  |	add	[ebp-50], ecx            <- add the value to this offset
  |	...
  |	inc	dword ptr [ebp-54]       <- increase counter
  |	...	
  |	...
  |	test	ecx, ecx                 <- end of name reached?
  \---<	jnz	00401783                 <- if no, go back to the beginning
 	...
	...
__/	mov	eax, [ebp-50]            <- code is at ebp-50 now...
| \	imul	eax, [ebp-50]		 <- code = code * code (square of code) 
|	
|
\-! These 2 lines of code are executed when all the name has been parsed
    by the above routine...

 6. You now have all the info you need to code a keygenerator, you can check my
    pascal source below if you want to (or you can't code one :)


 - CODING A KEYGENERATOR: -

   ...

   write('   Enter name: ');
   readln(name);
   for i:=1 to length(name) do
   begin
	ecx:=ord(name[i]);
	ecx:=ecx xor i;
	ecx:=ecx * 5;
	ebp:=ebp + ecx;
   end;
   ebp:=ebp * ebp;
   str(ebp, code);
   writeln('   Registration code: ', code);

   ...

 - FINAL REMARKS & THX: -

   Hope you enjoyed this tut, i've tried to not only show you things by a
   'distant' look, but see them deeply, so you can't miss anything. Also
   i hope you learn something about keygens by looking at this tut...

   Thx 2: E_Bliss for kinda 'forcing' me to write tuturials
	  LaZaRuS for writing this crackme
	  tC for being such a nice friend with some nice crackmes
	  MisterE for showing me the way to go ;)
	  Everyone that _wants to learn_ at #cracking4newbies!


				                          signing off, duelist [isd]