+------+ +----+ +----+ +-----------+ +------+ +------+ | | | | | | / | | | | | | | | | | | | | + + + + +------+ +------+ | +---+ | | +------+ | | | | | | | | | + | | | | | | | | | + | | | | +------+ +------+ | +---+ | | +------+ | + + | | | | | | | | | | +---+ | | | | | | | \ | + + +------+ +----+ +----+ +-----------+ +-----------+ +-----------------------------------------------------------------------------+ | For The +HCU: Academy Of Reverse Engineering | | by Bengaly published by +Tsehp | | | +=============================================================================+ Welcome New Beginners. So, You finally found your way into Cracking world eh? :-) Hacking seems too much of a Borden to you? :-) You think you can Handle ASM? :-) Than you are welcomed to read this Cracking Guide for new/advanced (?) Users. Note: this tutorial can be published only by Axion, and cannot Distributed over, The net. (Due to a special Request) or other say so by the author of this text. This Tutorial is for Educational Propose only! All cracked applications will be Well respected by us crackers, If you use a Shareware, please buy it! Help support those who give you the time and effort learning and gaining knowledge. Guide Hierarchy: ---------------- [-]-Overview-------+ | +----> I. "Assembly" (Quick Touch) | | +----> II. "Tools" | | +----> III. [+]Cracking----+ | | | +---->[+] Basics | | | +---->[+] Advanced | | | +---->"The Big Ride" | +----> "Troubleshooting" | +----> "Links" | +----> "Thanks" ============= | Overview | ============= Cracking, what is it? ... Cracking is what we call: "Software hackers", those people who "Destroy", The CODE of the application that they are examining. Real cracking began long ago, something about 10+ years. But, none of them has been seen like today, Today's cracking could be even easier than before but still can be tough. 1990 Old dos ruled (?) allot of apps/games were out, those are really the, Interesting part, as dos seems neglected nowadays, allot of dos based Protections Hasn't been cracked (reversed), due to lack of interest, or just plain hard task. Dos uses what we call "Interrupts", those functions that were called each time you Type something on keyboard, display on screen, send to printer and etc... Those functions were basically the CORE that cracks usually based / could based on. But now..1995-2001 Since Win3.1 - Win9x - WinXP, Cracking has began such more Simple task than Ever (Dos actually :) ). Windows as you don't know, does not use Interrupts anymore, since now we are dealing With 32Bit OS (Operation System), all interrupts were deleted and were rewrite from Scratch to what we know as "API" (Application Programming Interface). Microsoft has wrote allot of APIs and *almost* all Documented on their Win32API.hlp. Now, just as Dos crackers used Interrupts for cracking weak Points + Attacks, Win9X will use APIs for that matter as well. Since every application must Import / Export DLLs (APIs) than u can use it for your Own good :-). 1996: new cracker called as ORC (Old Red Cracker) came out with series of huge/long tutorials Explaining about new attacks/crack points/new ways/ to crack Dos+win32 applications. Sure now they could be absolute Useless because it was written in late 1996-1997, but still give us the right track. (Although I do not recommend read them unless you familiar with cracking). Now ask, How much time will it take me to be a good skilled Cracker..?? Well actually is depend on you and your devotion to the Subject, I believe 3+ years will Make you average skilled none the less. (Unless you are one of those Smart kids :-) ). You could not crack unless you are practicing, that's a fact. Sit at least 2 hours a day to crack 1 application will do fine. Don't expect being a master if you crack the Lamest/easiest app around, Don't Hold your Breath :-), some programmers are stupid, some not!!..:-) So I hope you got a brief Idea what the hell Cracking is-). I hope you will enjoy reading this tutorial as much as i enjoyed write it for you. :-) *There are allot Cracking guides out there, each guide is written from own Cracker Perspective. -----------------------------------Page 1----------------------------------------------- ================ | I. ASSEMBLY | ================ This is the most important Section which cracking could not exist without it. The low assembly programming language, ASM is the Core, The heart knowledge every Cracker Need to know, Without it you are basically wasting your time :) . For crackers (at least new ones) only essential parts of asm are needed...else you are A keygener/Coder..etc, Asm is a word language (would you like to code in Opcodes? <= Hex form of asm: B8012C...) I think not :). When I mean word language I mean: MOV/INC/DEC/MUL/LEA/JMP/JNE... you can see they are only shorted words: I.E: JMP = JUMP LEA = LOAD EFFECTIVE ADDRESS MOV = MOVE And so on.. This way it's very handy for us to understand instructions. Although I recommend all cracking lovers to start read asm books: "the art of asm". You can easily find those over the net in E-book/Html form. BINARY: ------- Binary is the machine language, it is understood as 1/0 Every instruction is translated as 1 or 0 that the computer can understand and Perform then instruction. I.E: 110011010001110101011111001 BITS/NIBBLES/BYTES/WORD/DWORD: ----------------------------- BIT Can be 0 or 1 NIBBLE 4 Bits (1,2,3,4,5,6,7..Every number is a 4bit nibble, Binary system) BYTE 8 Bits (or 2 nibbles : low/high) -> 7 6 5 4 3 2 1 0 [ ][ ][ ][ ][#][#][#][#] High low WORDS - 16 Bits (4 nibbles, or 2 bytes: low/high) -> 15......0 Double WORDS (DWORD) - 32 Bites (2 Words high/low, or 4 Bytes) -> 31......0 HEX/DECIMAL: ------------ HEX is what we call Base16... Base116..What is it? Well HEX uses 16 numbers from 0-15 (start with 0 not 1) 0 1 2 3 4 5 6 7 8 9 A B C D E F <- Hex | | | | | | | | | | | | | | | | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 <- Decimal (regular numbers) Max Hex numbers you can get in: 8 Bit is 0-FF, 16bit are 0-FFFF, where in 32bit it's 0-FFFFFFFF [Converting Systems]: Hex->Dec: Suppose you have: 1B as hex number and you want know it's Decimal form We do this (do you remember from math class thing called: Power?) Well Power is 2^3 = 8 (2*2*2)..Got it? :-) Well it work as well here...we Power the number by it's position.. I.E: We have 1B, let's Break it: (Hex is base 16!) / 1 => 16*1 = 16\ + = 27 Decimal \ B => 11*1 = 11/ Let's make another example with 4 letters, we have hm...4B2Eh (h = Hex) Let's Break it: Position 3 4 => 4*4096 = 16384 Position 2 B => 11*256 = 2816 Position 1 2 => 2*16 = 32 Position 0 E => 14*1 = 14 --- Sum = 19246 Decimal Remember: you power 16^position (position 0 always start with 1 not 0) I.E: (from the above example: 16^position 3 = 16*16*16=4096) Dec->Hex: Well this is somehow harder, Cuz it's involved with Reminders. I will show example, but it's hard to do cuz sometimes u need to round numbers :-/ Suppose we have 212 Decimal, to make it Dec, we don't multiply, but we divide by 16: 212/16 = 13 Reminder 4--------+ 13/16 = 0.8 Reminder 13----+ | 0.8/16 = 0 Reminder 0-----+ | | 0 D 4 Hex = 212 Decimal Well, it seems much easy, but in fact I have rounded numbers, long Decimal even much more harder. Another Example? ...OK :-) Let's take 5421 Decimal (regular number). 5421/16 = 338 Reminder 13 -----+ 338/16 = 24 Reminder 2 -----+ | 24/16 = 1 Reminder 5 ----+ | | 1/16 = 0 Reminder 1 --+ | | | 1 5 2 D Hex = 5421 Decimal Don't forget to use Window's Calculator Scientific Mode. All Understood now :-) ?... You now know some converting...Continue for ASM registers. REGISTERS: ---------- Registers are the most common used "VARIABLES" by the CPU. You can access to them at anytime, as they are there to serve you. There are 8 different REGISTERS: 16Bit Registers: AX, BX, CX, DX, SI, DI, BP, SP (DOS) ======================================================================== 32Bit Registers: EAX,EBX,ECX,EDX,ESI,EDI,EBP,ESP (WINDOWS, E = EXTENDED) Each register used for a specific task or multiples: E/AX = ACCUMULATOR (calculations..etc) E/BX = THE REMINDER REGISTER (i.e: 2/16 = 0.13..13 should be passed, else i am wrong :-) ) E/CX = THE COUNTER REGISTER (useful for loops, i.e.: loop 13 times) Other registers are dealing with memory (offsets/segments..read book :) ) Every Register is divided to low/high bit: AX / \ AH AL (AH = high bits / HL = low bits) If AX = 00001234 / \ AH=12 AL=34 Same goes for: CX,DX,BX *Remember, Registers holds HEX values NOT decimal *1234h = 4660 Decimal *h = hex JUMPS: ------ We all know what jump is no? :-) Same thing happened with asm. JMP = JUMP (always jump..no condition) JNE = JUMP IF NOT EQUAL (also called Jump Not Zero) JE = JUMP IF EQUAL (also called Jump Zero) JA = JUMP IF ABOVE JAE = JUMP IF ABOVE OR EQUAL JB = JUMP IF BELOW JBE = JUMP IF BELOW OR EQUAL JC = JUMP IF CARRY (not common used for crackers..used on ror/rol/shl/shr instructions) JG = JUMP IF GREATER JGE = JUMP IF GREATER OR EQUAL JL = JUMP IF LOWER JLE = JUMP IF LOWER OR EQUAL JNA = JUMP IS NOT ABOVE JNB = JUMP IF NOT BELOW And so on, the above asm instructions are commonly used by crackers to reverse the source. Example: MOV EAX,00000008 CMP EAX,EDX JNE if EAX register = EDX register (value) than we wont jump, else we will MOV --- We can suspect what it does no? Well it move a value, memory location..etc to a Register Example: MOV EAX,00000032 (than EAX = 00000032 <= hex format 32h = 50dec) CMP --- Well we can guess again what it does :) CMP = COMPARE CMP can compare between registers/memory Example: CMP EAX,EDX *Very important for crackers, as they can check their serial compared :-) (Later on that) *Unfortunately I can't twelve into ASM any more, since it is very long journey, and Of course I can't explain it :-), so get a book, you will find ASM fascinating, Very hard to use but some day you will be happy you know ASM. *Read/learn the ASM instructions from the book, or get the opcodes.hlp and read from there. *Once you know ASM (basics), you can apply it for Cracking. ---------------------------------Page 2----------------------------------------------- ============== | II. TOOLS | ============== Tools is the second essential part for Cracking, Without them, you will have to face "barehanded" against huge amount of code. Neither to say that you'll be lost without them :-) Here are the most used Tools by crackers (basic/advanced): 1. Brain - You won't get far without one ;-) (100% WorkTime) 2. Debugger - The only way you can trace/break a function or code live I will suggest using SoftIce as your only weapon for Debugging. The Numega's "SoftIce" is a very powerful Debugger for Kernel. SoftIce works at the Background and can detect every thing that Happens on your computer (if u break on it), what we call system debugger. There is a version for NT/2000/XP, Recommended win98. If you can get DriverStudio than it's welcomed the most :-). 95% you will use the debuggers get it from the net: Www.playtools.cjb.net or try (www.protools.cjb.net). Other Debuggers: Olydgb / debug.com / w32dasm (debug option) / TRW2000 3. Dissadembler - You will use Dissasembler for the visual code. If you don't know what a Dissasembler actually Load the application, read hex values (Opcodes), and Output The assembly code. I will suggest you to get: Win32dasm (www.protools.cjb.net) / IDA IDA is a first class Dissasembler, very recommended. [Dos interface]. Very handy piece of work, can output strings, jumps, calls, imports Other dissasemblers: Debug.com (in windows) / Hview..etc 4. HexEditor - The only way we can modify an EXE is via HexEditor HexEditor let you modify Opcodes (some ASM as well). We use the HexEditor to find/change code that we as crackers Know it will make us happy :-) HexEditors: WinHex (handy) / Hacker's View ...etc (I use those 2 only, no need more) Get your copy at the net, or try www.protools.cjb.net 5. Registry / File Monitors - Those app will help you find any DLL, reg..etc used By the apps you crack, and where they hide there Registry information (useful if u want to Unregister). Some apps reads the serial/name from hidden Registry info, So I recommend using those: FileMon / RegMon (www.protools.cjb.net) 6. IceDUMP (Advanced) - This little proggy is Add-on to SoftIce It has really cool features SoftIce don't have. Also IceDUMP is ANTI-ANTI SoftICE tool Meaning if an app has a Protection: If SoftICE is Active than app wont work. IceDUMP hides SoftICE so no app can detect it :-) Useful eh? Also it can serve us as a Print Screen Tool and save code to a TXT. Get it from (www.protools.cjb.net) 7. PE-Editors (Advanced) - Those are the PE editors, you can Modify the Sections, directory, delete, add View and etc...Very useful when you unpack packed Applications. For PE knowledge (www.win32asm.cjb.net) Recommended PE editors: ProcDump / PeEditor (www.protools.cjb.net) 8. Resource Editors (Optional) - Resource editors load the desired app And if the Resource is read, you can Delete, change, rename, stuff in the windows Messages and etc... (Useful if you want to kill a nag screen) Useful Resource editors: Borland Resource Work Shop 4.5 / Resource Hacker Get them at: (www.protools.cjb.net) / (Playtools.cjb.net) 9. Assembly Compilers (For Coders) - Compilers for asm are: MASM / TASM MacroASM is most useful and easy to use But if you already code in TASM, than Get it ;-) You can dl your copy of MASM at: For TASM try: http://egoiste.da.ru/ Or www.win32asm.cjb.net 10. Programming Languages (For Coders) - Recommended programming language: Are: C / Pascal / ASM Crackers do not tend to Code in Visual Basic As it is heavy, UN optimized, slow, using DLLs And not Portable without them. Bottom Line, don't use Visual Basic for Cracking! About Delphi. I don't know, I don't code in it So I can't say. Get compilers at net: borland.com / google.com 11. File Analyzers - The file analyzer Will help you To know the whole information about Your EXE, as from which packer it was Packed with, Size PE information, and many more. I recommend: "FileInfo" (www.protools.cjb.net) Others: GetType, and more. All tools above are your Weapon against Shareware's ;-) Every tool play different roll in your cracking stage, as long as you use them and get to know them, The better you will crack. Always remember no matter how time a simple crack can be, you will do it in the end, so don't Get softy if you can't :-) , Many hard apps has been reversed so if those crackers can do it You can do it to. Brain is the only tool you really need to work on :-) --------------------------------------Page 3----------------------------------------- ================== | III. Cracking | ================== Finally, we are at the learning & practicing stage. From now on, take your time, don't be rush, cracks wont run away, the net Is full of junk you can practice on. +----------------------+ +****BASIC CRACKING****+ +----------------------+ [Welcome To the Camp] --------------------- Welcome to Cracking Camp my fella wannabe cracker, for the pass days you and others Will learn to use their First weapon, thinking like crackers, learn the art of Zen, Using weak points, Learning APIs attacks...and finally training in the field. This camp is very huge, alot of people are learning and training in this Camp from all over the world. Don't expect people to help you, because they wont, they don't have time to help Newbies In the camp, so try least to be friendly to them if you want to get some help :-) In our big camp you can find the Library, huge and amount of text, which stored in the Camp Will be accessible for you due time, After Basic Training you can enter the Library and Keep learning from the Old masters who passed this camp and left knowledge for free. [Day One] Heads up all Newbies. I want quite and concentration and faces to this Text. Today We are gonna learn about Our First Weapon, How to use it and set it up. Our weapon called: SoftICE v4.x Made By NuMega. I want you all memorize it and think it's your only friend on this camp. Always to be by your side as it will be your best friend while cracking. SoftICE...SoftICE...someone can tell me what it does?? For what purpose??... I guess not, well my fella students, SoftICE is a system DEBBUGER. You can use it to examining code, locate bugs, and we can also exploit it for Our own good. Every one, I hope you got SoftICE on your Computer as We told your parents to buy it Before they sent your lazy asses here :-) Ok...You got it, Let us install it, enter right serial..Next...MODIFY AUTOEXE.BAT... Do you know why we need to modify the autoexec.bat students?? Cuz if we wont, SoftICE will not load during Boot, and therefore wont be active. So MODIFY else you will have to do 50 pushups :-) Reboot your computers and let Windows load... All Remember we use here Win98, Camp wont allow use Win2000/XP until other say so. :-) Windows loaded...all worked Fine, Great, Listen up, I won't repeat my self now: SoftICE run in the Background (Invisible). We can make SoftICE visible by pressing on keyboard CTRL+D and exit the same way. Did you see the black window with ASM code (you did learn asm code, the one we recommended to you before you came to this camp). All students load up SoftICE and look at it, it contains all registers, data window, input window and so on. Let me draw you a rough sketch of SoftICE on the blackboard so we can examine it: ............................................................................... EAX=00000001 EBX=00000190 ECX=00000000 EDX=00000000 ESI=00000001 . Registers EDI=00020080 EBP=007E8C56 ESP=00008C3E EIP=00001149 o d I s z a p c .& Memory CS=170F DS=4127 SS=0EE7 ES=4127 FS=0000 GS=016F . .......................................................................PROT16.. 170F:1146 CALL 0DD0 . 170F:1149 OR AX,AX . 170F:114B JZ 11DD . 170F:114F PUSH WORD PTR [DI] . 170F:1151 CALL KERNEL!LOCALLOCK . 170F:1156 MOV [BP-08],AX . 170F:1159 MOV [BP-0A],SI . ASM Code 170F:115C MOV [BP-0C],SI . 170F:115F JMP 0F0D . 170F:1162 MOV SI,[DI+3A] . ...................................USER(18).................................... WINICE: Load32 Obj=0005 Add=017F:BFE95000 Len=00001000 Mod=VERSION . WINICE: Load32 Obj=0001 Add=0177:7D651000 Len=00001000 Mod=INDICDLL . Data & WINICE: Load32 Obj=0002 Add=017F:7D652000 Len=00001000 Mod=INDICDLL . Text ............................................................................... :.............................................................................. Input Data Remember we can exit SoftICE in several ways: CTRL+D / X / F5 Not so hard right? But remember you load SoftICE only by CTRL+D. Now that you know how SoftICE looks/works we need to modify it... Of course you can't use the weapon before you set it up can you? Ok, because we are using WIN98 SoftICE is installed here: C:\Program Files\NuMega\SoftIce95 Now students, we need to modify it and as i said exploit it for our own good. We can modify SoftICE functionality by opening the file called: Winice.dat There you will see on your computer that it has allot of functions/imports/exports and so on. Let us now set it up a little bit, all follow me students, do not try to mess with the data file as it won't help us and damage SoftICE. I am now will write on the Blackboard the essential parts we will change, You will see it in your Computer screen, try follow me and write on Notebook stuff needed. ____________________________________ / \ /--------------------------------------\ | | | PHYSMB=32 | | ;EXP=c:\windows\system\kernel32.dll | | ;EXP=c:\windows\system\user32.dll | | ;EXP=c:\windows\system\gdi32.dll | | ;EXP=c:\windows\system\comdlg32.dll | | ;EXP=c:\windows\system\shell32.dll | | ;EXP=c:\windows\system\advapi32.dll | | ;EXP=c:\windows\system\shell232.dll | | ;EXP=c:\windows\system\comctl32.dll | | ;EXP=c:\windows\system\crtdll.dll | | | |--------------------------------------| \--------------------------------------/ Student do you see these code in the Winice.dat? Those are the main stuff we will change. PHYSMB=32 <=== Of course We don't use 32MB of RAM are we? :-) Change it to whatever number of Ram your computer use. Now students look at the computer, do you see all those Paths with point to DLLs? Those are the Bullets for our weapon :-) Remove the ';' from all the lines i.e.: EXP=c:\windows\system\kernel32.dll Now we can save the Winice.dat Now SoftICE still don't know how to use the Bullets, Cuz we didn't told yet to Sice to load the Bullets, so Reboot your win98 again, And there you go, we have the bullets Ready to use. Now we will make a test shoot, to see of SoftICE did load the DLLs. Load SoftICE, write: BPX MessageBoxA If you don't get a message than SoftICE is Ready to use. All ok students, Let summarize what we did today, we have set SoftICE so it will load the Windows DLLs and therefor we will use it to trace/break for later use. Class, we will continue tomorrow the second class, be ready to be here in time, and don't forget what you have learned today. [Day 2] Good day class, today we are going to learn about SoftICE's Breakpoint functions Yesterday we have learned about how to load SoftICE, do it now. Once SoftICE has been loaded we can now use SoftICE functions built in. You can also learn the functions by pressing: h You will get list of functions/options. Breakpoints: ------------ Let me teach you the most used Functions Crackers uses for breakpoints: BPX / BPM / BPR BPX - breakpoint on execute We use this option to break Instantly on any API Or system function we Choose to. Usage: BPX BPM = breakpoint on Memory We use this Option to break On memory Read/Write Usage: BPM
Additional Options: R/W/RW/X BPR - breakpoint on Memory Range We use this Option to break On memory range. Usage: BPR
Additional Options: R/W/RW/T/TW Crackers 95% use breakpoints, as without them you could never Break in the Program's Code and trace, and find, and crack...etc ;=) APIs ---- Now we will learn the APIs that we will use to break on the application We wish to Crack. *Most applications nowadays uses the 32bit APIs so it make us some sort of a Short cut to Break on the program's original code instead of searching threw HWND API list for basic Cracking: MessageBox - 16Bit (win3.1) MessageBoxA - 32Bit (win9x) GetDlgItemText - 16Bit (win3.1) GetDlgItemTextA - 32Bit (win9x) GetWindowText - 16Bit (win3.1) GetWindowTextA - 32Bit (win9x) Hmemcpy - Memory Copy Function Those are the Basic API you shell memorizes for now on. You will use those to breakpoint at any application we will attack. More new APIs will be Given for you when you are practicing, or Reading student's essays. MessageBox/A - Usage: Breaking on any Windows MessageBox sent by the application. Typing: BPX MessageBoxA in SoftICE will set the trap If any MessageBox is sent by Windows SoftICE will break on it And will show us the code sent by the application. GetDlgItemText/A - Usage: Breaking on text sent to the application, and read by it Typing: BPX GetDlgItemTextA in SoftICE will set the Trap, if you will enter Text in the Dialog Text Box of the Application, SoftICE will break and show the code used by The application. GetWindowText/A - Usage: Breaking on text sent to the application, and read by it Typing: BPX GetWindowTextA in SoftICE will set the Trap, if you will enter Text in the Application, SoftICE will break and show the code used by The application. Hmemcpy - Usage: Breaking on any Copied Memory by Windows and By any Function Used by windows. Typing: BPX Hmemcpy in SoftICE will set the Trap, once set the trap, SoftICE will break on any Copied memory by any windows Application/Function. Shortcut Keys (SoftICE) ----------------------- SoftICE can use shortcut keys like: F8 / F5 / F12 / F11 / F10 We will use those shortcut keys instead type every time 't' or alike. F8 - Usage: F8 key usually traces into a CALL While we debug, we will trace into a call, So we could inspect/analyze the code in it. F5 - Usage: F5 key Exit SoftICE, simply eh? :-) F12 - Usage: F12 Stepping out of a DLL/Function (p ret jump) F11 - Usage: F11 Return to the Caller. F10 - Usage: F10 is a trace code, single step traces one by one. Dump / Data Viewing ------------------- When we Use SoftICE, we must know & understand what Do we see.. SoftICE is using HEX, therefore it will take allot of, Time for use to convert hex->Dec/ASCII, But NuMega has added to SoftICE a function to Convert Hex -> Dec -> ASCII automatically. When using SoftICE we have 2 ways to see data that Is being stored by the Registers. As we know, Registers are the CPU's variables, everything Is passed / calculated..etc by them. To view the data stored on the registers, SoftICE has 2 functions: 'D' / '?' ('' <= Don't include it while in SoftICE) D - Usage: D stand for Dump, we use D command To view the Register data which holds ASCII in the data. Typing: D (D EAX) ? - Usage: ? Stand for Viewing the Hex data Stored in the Registers. ? Command will show us: Hex-Decimal-ASCII (xxxxxxxx-xxxxxxx-xxxxxxx) Typing: ? (i.e. ? EAX) To Practice on the above ?/D open up SoftICE and try the commands, You will shortly understand what each command does. -----------------------------------------Page 4 ---------------------------------------- [Day 3] Today we will learn about different Kind Of protections. Protections: ------------ Registration Key - This protection is based On 1 single Serial Key that Is hidden in the program's code. Our entered serial will be Eventually compared with the Real serial hidden inside the Program it self, we can call It "hardcoded" ;-) Serial/Name - This protection is the most Used, as it is required the Actual serial number for the Name you are entering. Most cases there will be A compare routine as well, If not real serial will be Hide in the registers. This could be any shape/form The coder will choose to. KeyFile - Used as well, this protection Required you will have the correct KeyFile in the same directory of Your application. Most Keyfiles are using Name/Serial Check inside of the file as well. *Some could use encryption - Hard Multiple Serials - You can recognize this, While installing Windows, or Photoshop..etc They use 4-5 Text inputs, every Text button need to have the right ASCII combination. I.e.: [xx]-[xxxx]-[xx]- [xxxx] Crypto Serials - Very hard, Crypto serial/name Serial is produced using a xxxBit Encryption/RSA... Nag Screens - Nag screens are the annoying Messages that appear when application Is started, or closed, or even I the middle. Those nag screens inform you that you need To register your copy... Very easy to remove. Time Limit - Very commonly used in shareware's This time limit force the application To stop work, disable, or close the shareware You are using after xx amount of time. Default time is 30 Days. Easy/Hard to remove, depend on coder. Use Limit - Commonly as well, this protection Will stop the shareware to work after xx times you have used the shareware. After it, program will give nag screen Or shell stop working and will be disabled. Dongle Protection - Spread in Big Protected shareware's. This protection is used by a I/O LPT port (hardware) You will need the registration Cart attached To your PC's parreral port Or other in order to make The program fully work, otherwise it will be Expired after xxDays / xxUses /rippled or wont work at all Hard to crack, depend on Dongle protection company. Dongles as: HASP / Sentinel are most commonly used. Dongles uses DLLs/VxD to check the "is registered" Using the Dongle API as well for some checks. CrippleWare - Some will meet such Protection, Cripple = Disabled functions. You will notice some apps have Disabled Buttons [Save, Save As..] That will be enabled once you will register You copy of shareware. VisualBasic - Allot of apps nowadays, Are coded in the Visual Basic Programming language, this Is what makes Cracking a little Harder, as visual Basic does not Save all the information on the EXE File, instead it uses DLLs to call the Functions. Even Serial/name could be hard [depend] In a programs who has been coded in VBasic. DLLs - Some apps will use DLLs as a Protection Scheme. Time-Lock is one of them and Used to disable program after xx Time. Misc. Protections - Matrix Protections [Not related this tutorial] Packing [Advance Topic] CD games Protection [Not related to this tutorial] Zip password protection [Not related this tutorial] CD-Protections - The most commonly used nowadays Almost any new game is PACKED and Protected by EXE packing programs Since the Pirate has gone too far Game's companies Believe that the only Way to protect the game is to use Anti Piracy Packers such as: ScureROM / SafeDISC * Also be aware that some of the protection above (except for Dongle) can, * Be used in other files than the original EXE, Meaning that some Serial/name, * Protection can be hidden in a DLL that is invisible in the dir. * Cracking the DLL will be the regular way :-) [Day 4] Yesterday we have been talking about Variants of protections, and what everyone of them Is capable of doing. Today we will analyze each protection [hopefully] And assume it's weak points, and ways to attack such Protection. Anti Protections: ----------------- Registration Key - You already know what it is Doing and how it works, now if You downloaded a shareware that Need only 1 reg Number to make the Program registered, we can assume 2 Things: 1. Real serial is hidden/Unhide 2. Eventually is will be compared with fake serial. How to find the serial: Method 1: --------- 1. Disassemble shareware 2. Clicking the Strn-Ref Button 3. Just search for an Unusual Alphabetic Number 4. Copy it and try filling it in the registration text box *This method works on apps, which the Coder was too lazy To hide his serial, and missed his money :-) Method 2: --------- 1. Run the shareware, enter fake serial 2. Press ok/check Button...you will get a Bad message 3. Write the bad serial message, and disassemble file 4. Click the "Strn-Ref" button, we will get allot of text 5. Search for the bad message String. 6. Double click on the founded text in Strn-ref 7. we will be taken to the ASM code where the string is appear 8. Looking for a UN/Conditional Jump..there is..folow it 9. We should be in a Jump (Je/Jne) from here we have 2 options: A: Reverse the jump (JNE->JE / JE->JNE) B: searching for a CMP instruction, break with SoftICE and Trace until we will be at that address, and do: D or ? Should show us the good/bad serials :-) *If you reverse the Jump, than no matter what serial *You are giving it will always be acceptable *As long as you don't enter the right serial...:-) Serial/Name - This alittle complicated, but still You know the Idea behind it. For every name there should be Specific Serial number, this happens threw an Algorithm inside the Program code, For every name passed the Algo do the Math calculations produce a working serial And finally at the end it should compare it With your fake serial. The algorithm can be hard, long, easy, annoying..etc :-) From this we can assume 2 things: 1. Real serial is produced by Algorithm 2. Fake Serial at 70%+ will be Compared Someway or another to the Real Produced Serial. How to find the serial, Primary Attacks: Method 1: --------- 1. Entering a fake serial/name 2. Write the bad message you get from the program 3. Disassemble Shareware and do a search for the string 4. Locating where the string is called from, and we trace 5. We should be in a Jump (Je/Jne) from here we have 2 options: A: Reverse the jump (JNE->JE / JE->JNE) B: searching for a CMP instruction, break with SoftICE and Trace until we will be at that address, and do: D or ? Should show us the good/bad serials we call it: "Serial Fishing". *If you reverse the Jump, than no matter what serial *You are giving for any name, it will always be acceptable *As long as you don't enter the right serial/name...:-) Method 2: --------- In here we do the same thing as above but We wont reverse a jump, but looking for a Flag. * Flag is actually can be 1 or 0 * Meaning: registered / unregistered * The Flag can be set by many ways (i.e: xor eax,eax ) (dec eax / inc eax) * And so on. * Locating the flag sometimes can make us a * Cleaner crack, better than reversing a jump * While fooling the flag and changing his content * The Shareware/program actually believe it is registered. * This is a good way and faster to crack (depend) Method 3: --------- This method is a bit Advanced and Required a good Brain :-) and time. This method Is called "KEYGENING" The Idea is that the Cracker will Trace and find the produced serial First. Than he will find the CALL that leads to the Algo who produce the key from name, Learn, analyze, the specific Algo And than switch to SoftICE to see how the Algo Behaves on the name (mathematical Notation) And how the registers are being used, And finally Imitate, Rip, Code is new Program Which Create the Serial for any Name entered This is called "KEYGEN". KeyFile - The KeyFile attack is somehow Easy to recover, Shareware's whose Uses key (small xx k file) with Information inside of it (Encrypted or NonEncrypted) Tend to search the KeyFile while The program is loaded, if n KeyFile Is found, or KeyFile information is invalid Program is Unregistered. We can assume 2 things: 1. KeyFile must have a serial/name 2. KeyFile can be Encrypted/unencrypted Method 1: --------- Using SoftICE to Recover the KeyFile Name, is 1 way we can try. The "CreateFileA" API is used for that And will 80% work in the given apps. For a big hint, Dumping EDI register At almost 4-5 traces of code will recover The KeyFile Name (not his content) Method 2: --------- Second way to recover the KeyFile Is by using a file/reg monitor This system of recovering is at Almost 100% Successful since we will Be shown by every file is called/read/write By the given Program we attack. * The problem in recovering a KeyFile, * Is not hard, but just take a few minutes to, * Locate it, but what does make the trouble is, * To recover the good serial/name inside the KeyFile * For that brain/SoftICE is used. Multiple Serial - 1 way to attack this Kind of protection is logically Break on each text input box and Trace the code, once found the serial Continue Break on the other text box left Once finished, you should recover the serial. * Those kind of serial have allot different of serial, * That can be used in the same app, Hench the Multiple. Crypto Serials - One of the Hardest to attack, Same tracing system as regular Serial/name procedure i have been Talking about, but this time with Additional 100% Protection who can Drive you crazy :-) When I say Crypto, I mean Crypto Algorithm Is being used to create the serial. Possible attacks: 1. Understanding the Crypto Algo 2. Using a Factor numbers Keygens 3. Tracing threw SoftICE & analyzing. Nag Screens - We already know what is it, And what it does for his Porpoise. Possible attacks: 1. NOPing the caller (No Operation Code) 2. Deleting the Resource Nag 3. Jumping over (Code Redirection) 4. Jump reversing which causes the Nag to appear. Time Limit - Well time limits has some Advantages and disadvantages, We already know the Advantages, Let see the disadvantages. Possible Attacks: 1. Setting timer forward to make The shareware to expire, So that we will get the nag screen. Here the disadvantage is the nag screen Searching the string of the nag in the disassembler Will finally take us to the caller, here you kill The jump. 2. If the application uses a xx amount Of Time (I.E: 30 days) we can make it For our own good. 30 in Hex is IEh, this can help us as well Searching 000000IE in the disassembled code Will finally take us to the code where it makes The decision whatever the program has expired Or not, Modify the jump or the code which makes The decision will kill the Time Limit. Another way is to increase the Time that we can use Use Limit - Use time, is actually the same As Time limit but the only difference Is how many times you used the application. Same attacks could apply on this Protection. Dongle Protection - Very hard topic, it wont Be discussed in this guide, as it Require more skills (or luck). Attacking the Dongle requires his Technical Information such as Services, regcodes, version, etc Primary Attacks: 1. Jump Reversing / Patching / Code Injunction 2. Reverse engineering the Dongle protection Main routine in order to emulate the Dongle CrippleWare - Known Protection since the win95 days The crippled (Limited) app can be cracked. In some cases Programmers will not include The crippled code in the app, which make it Alittle Impossible to reverse. Primary/Possibly attacks: 1. Using the EnableMenuItem API And enable the Disabled (Crippled) button. Setting the Flag to 1 does this. 2. Using Hooks to find the Handle of the Button And using a Spy tool to enable the Button. VisualBasic - This Topic will not be touched In the guide, Cuz I am not a VB Cracker and I must say it does not Interest me, although I do know how to. Using a VB Disassembler we can attack our Shareware's, the Disassembler is called: "SmartCheck" and it comes from Numega's Software's As well. Possibly Attacks: 1. Loading the app into SmartCheck and Running the app, while SC analyze it It will produce the list of the functions/calls That is used by the app, also it will produce of what The user is doing on the fly, meaning: if you clicked An OK button, S will produce a "+Klick_1" Hierarchy. Expanding it and exploring will be worth the trip. Good against Name/Serial protection. *A good reading is by the VB cracker: Eternal_Bliss DLLs - A good way to "confuse" cracker. None to say it won't work, Eventually It will be discovered. Optional/Possibly Attacks: 1.Patching DLL / Reversing code Misc Protections - Attacks on Misc. Protections Is what we call "Self Reading" A good Knowledge about CryptoLogy will Make you understand the "PlainText Attack" on The zip password protection, and etc... Good knowledge is never wasted it only here to serve us. ------------------------------Page 5------------------------------------------ [Day 5] First Test Field: ----------------- Listen up new ones, Today we are doing a first Cracking test to see what we have Learned until today. TARGET: Bengali's First CrackMe (http://crackmes.cjb.net) PROTECTION: Serial/Name POSSIBLE ATTACKS: Patch/Fishing Ok students, we have Got some Good references on Protections/Attacks A got Test field will get you on the right track. SoftICE / HexEditor / Win32asm are setup, We wont need More than those 3 tools. We will Attack the CrackMe (Program tend to teach crackers hoe to attack the protection) Using the Patching / Fishing Attacks. [Stage 1]-Observation --------------------- Run the CrackMe, Insert Fake name/Serial Press the "Check" button and we will Get a error Message: "BAhh...Loser Goto: Krobar.cjb.net" This message Is very Interesting us, as it could Serve Us cracker very Well All we need to do now is to disassemble the CrackMe, using Win32DASM (I told you to get it Didn't I? :-) ). Ok, finished Disassemble the File, Now you can see some Buttons that are Blue Active, The Button that Interest us the Most is the "Strn-Ref" Button, as it will show us any Available Strings In the Resource of the EXE. While we press it, we will get the list of Strings, here: ============================================================================+ " CrackMe - 1" | "1 or more chars needed" | "Bahhh...Loser, goto: Krobar.cjb.net " <---------| | "Bengaly" |Possible Attacks | "Great Job..." <--------------------------------| | "MainWindow" | "This Is My First CrackMe Created " | "This Is My First CrackMe Created " | ============================================================================+ Now, Lets try the Bad message Attack, Click the "Bahhh...Loser, goto: Krobar.cjb.net " (Double Click) on the string and we will be taken to where the String Reference is Found, Here: =======================================================================================+ * Referenced by a (U)nconditional or (C)onditional Jump at Addresses: | |:004011DC(C), :00401204(C) <----Called from | | :0040121B 6A00 push 00000000 | | * Possible StringData Ref from Data Obj ->" CrackMe - 1" | | :0040121D 68E3304000 push 004030E3 ;Save the Above String to Stack | | * Possible StringData Ref from Data Obj ->"Bahhh...Loser, goto: Krobar.cjb.net " | ->":-)" | | :00401222 6812314000 push 00403112 ;Save the Above String To Stack | :00401227 6A00 push 00000000 | * Reference To: USER32.MessageBoxA, Ord:01BBh | | :00401229 E8C2000000 Call 004012F0 ;Call the MessageBox with the Above Strings. | =======================================================================================+ Ok, First Lesson that you should know, this Code above is called "Dead-Listening" Because we are not dealing with SoftICE which is Live Cracking, dealing with Code Text is a Dead Cracking (AKA: Dead-Listening), good we cleared that one up. Another important stuff, most of StringData Ref is called from somewhere inside The apps, meaning that "Bahhh...Loser..." String has been called from another Instruction Within the app. Now I ask you, How can we know who's called this String? Win32dasm give us the solution, here: * Referenced by a (U)nconditional or (C)onditional Jump at Addresses: |:004011DC(C), :00401204(C) <= addresses ^^^^^^^^ ^^^^^^^^ Caller 1 Caller 2 Now we can Go to those addresses and analyze the code, if We found what we needed Than we can crack it With the Attacks i have been pointed in day4. Let see what is hidden in Addresses 004011DC / 00401204, Click the "Search" tab in win32dasm's Menu bar, and select "Find Next" Enter the First Address 004011DC With Direction UP. *Note we set it to UP because in 70% we are backtracking up where the code is most Likey there. Ok we have search for the address 004011DC and we landed here: * Reference To: KERNEL32.lstrlenA, Ord:02E2h | :004011D4 E847010000 Call 00401320 :004011D9 83F801 cmp eax, 00000001 :004011DC 743D je 0040121B <======== This Jump called the String. :004011DE 50 push eax :004011DF 6836304000 push 00403036 :004011E4 E862000000 call 0040124B :004011E9 50 push eax :004011EA 6876304000 push 00403076 Students, From here we can see that this Address has nothing to do with the Serial/name Procedure, how can we tell? Well actually This Address get the Length of the String, because we have *KERNEL32.lstrlenA*. What Kernel DLL has something to do with our Name/Serial ??...None... So actually this Address is useless, buy remember we had another Address that the Bad string has been called from?? Yeah, it was 00401204 Do a search again with direction Down cuz we have Passed it :-) We should see this code: Address Opcodes Disassembly Remarks --------- ---------- ------------- ----------- :004011EF E82C010000 Call 00401320 :004011F4 50 push eax :004011F5 6876304000 push 00403076 :004011FA E885000000 call 00401284 ; algo :004011FF 5B pop ebx ; Get info ;-) :00401200 3BC3 cmp eax, ebx ; compare good/fake serial :00401202 3BC3 cmp eax, ebx ; compare good/fake serial :00401204 7515 jne 0040121B ;If not Equal Call The Bad Message (Bad_Guy) :00401206 6A00 push 00000000 There is not much to say, we have here a classical Form of comparing / Jumping Do you remember what Attacks I have explained about in Day4? Read again, and the code from the CrackMe will be Self-Explained. At address 00401204 we have a "Jump if Not Equal" Conditional jump which means that If the Serial we enter does not match to the real our produced by the name, we are Giving a Bad Message "bahh..looser..." Look at Method 1 attack A/B, this is what we are going to do here. Actually they both give the same Result, but Option B is more Likely Cleaner. Option 1 - Patching: --------------------- As I said the patching is a fast crack, that *can* produce the Same effect as the Serial key. (Unless the coder has used some Techniques to make patches useless, a good example for that is A program that reads the good serial/name from an INI file, This will make the patch useless unless you patch the code that Responsible or opening/reading the INI file :-) ) As for our example, we can see that address 00401204 has a Conditional Jump (JNE), as I mentioned, we can patch (Reversed) the Jump So any fake serial number/name we will enter will be acceptable, unless You have entered the good serial for the name. We will always use the HexEditor to modify the EXE code. First thing u have Noticed that W32dasm has a scrolling cursor that Change its color on particular Instructions. (Yellow / White) Yellow: means that we are on a Jump/Call instruction and we can Enter/follow it White: any other instructions. If you put the cursor on address 00401204 you will see it turned to Yellow. Now we can follow the jump by pressing the Right Key or pressing the "Execute Text" From the Menu and selecting the "Execute Jump", this will take use to the Bad message Routine we have found earlier ("ahh..looser..."). If we want to return from the Jump We simply press the CTRL + Left key (Or in the Menu "Execute Text" -> "Return From Jump"), Those very basic needs in W32dasm and will serve you allot due Cracking experience. Another good thing we need to know is to find the OFFSET of a Address, this is because HexEditors uses Offsets and not Addresses (again depend which). So in order to know the Offset in win32dasm, be with cursor on address 00401204 and Look at the StatusBar of win32dasm, you will see this: Line:337 Pg 7 and 8 of 15 Code Data @:00401204 @Offset 00000604h in File: Crackme1.exe ^^^^^^^^^^^^^^^^ This is the one So the Offset for 00401204 is 604 (Memorize or write on paper) Now Make a copy of the Crackme.exe and load it in the HexEditor, I highly recommend: HackersView32 (Hview), it's a very powerful and easy to use. So from now on i will refer to the only HexEditor as in Hview, and will use it only. So load up the Backup exe in Hview. Press F4 and choose the DECODE mode (Disassemble) Now we need to make a search, Press F5 and enter the offset we got (604) And press , Great we are at the right address :-) Now in order to patch it lets switch to Edit Mode, Press F3. Now you can change to whatever Opcode you will, but we need to change it to the Correct Opcode, move the cursor to the 75, And simply change it to 74 and press Now you have modified the ASM code, and it should be like that: :00401204 7515 je 0040121B (Jump only if we enter the correct serial ;) ) Save the File with F9 and exit with F10. Crack is done. Option 2 - Live Fishing: ------------------------ For this Mission I shall use my Second CrackMe, As the First one is not a good example for Live Fishing. The second CrackMe is the same only with different small Algo. This Approach will be your First Sice test Field, as you will "fish" the serial From the Memory and make the program Fully registered and not modified in Code. In Day2 we have been talking about APIs / Bpx Functions, as well as the Shortcut keys SoftICE uses. All together with ASM knowledge will be mixed to one Big Attack ("Serial fishing") Starting with Running the CrackMe, Enter a fake Serial/Name. Now as I told you students, we need to make SoftICE break so we can Trace the ASM code, without Breaking we couldn't do allot. So run now SoftICE and set a breakpoint at: : BPX GetDlgItemTextA : BPX GetWindowTextA *I used those 2 APIs because it is better to set Multiple *APIs when attacking, because you never know which APIs the app is importing. *Note: you can check in win32dasm the Import/Export Functions. After you set the Breakpoints, exit SoftICE with F5 (or etc) and press the "Check" Button on the CrackMe, SoftICE will Break immediately. Now first thing to know is that in a Serial/Name programs there is Most Likely 2 edit boxes, 1 for the name, and 1 for the Serial input Boxes. In order to crack the program Live, we shall always break on the Second Text box Which is the Serial input box, because most likely there is a check with the entered Serial and the Real serial Generated from the name, so always break on the second! Ok, we Pressed the Check Button after setting SoftIce breakpoint and We immediately Breaks and SoftIce pops, we will Press F5 to force SoftICE to exit And automatically read the second Input text box (Serial Text Box). Than, we will be landed in this First code snippets: [First Break on the Second Exit Box] ----------------------------------------------------------------------------+ EAX=00000003 EBX=0066FC08 ECX=80007028 EDX=800072B0 ESI=00008C2C | EDI=0066FBBC EBP=0066FBB4 ESP=0066FBA0 EIP=BFF51743 o d I s z a P c | CS=0177 DS=017F SS=017F ES=017F FS=1387 GS=0000 | -----USER32!SetDlgItemTextA+0023-------------------------------------PROT32-| 0177:BFF51740 RET 000C | USER32!GetDlgItemTextA | 0177:BFF51743 MOV CL,A4 | 0177:BFF51745 PUSH EBP | 0177:BFF51746 MOV EBP,ESP | 0177:BFF51748 PUSH ECX | 0177:BFF51749 SUB ESP,3C | 0177:BFF5174C PUSH WORD PTR [EBP+08] | 0177:BFF51750 PUSH DWORD PTR [EBP+0C] | 0177:BFF51753 CALL KERNEL32!SMapLS_IP_EBP_16 | ----------------------------------------------------------------------------+ Notice that we have Break on "GetDlgItemTextA". Now, I must tell that the first Break is useless to use, because first we are not in our app's code, and secondly we are now in a Kernel Dll code. So this above code is kinda Useless, Now let's go back to Day2 and remember The short-Cuts keys we have learned: F8 - Usage: F8 key usually traces into a CALL/JUMP While we debug, we will trace into a call/jump, So we could inspect/analyze the code in it. F5 - Usage: F5 key Exit SoftICE, simply eh? :-) F12 - Usage: F12 Stepping/Returning out of a DLL/Function (p ret jump) F11 - Usage: F11 Return to the Caller. F10 - Usage: F10 is a trace code, single step traces one by one. It is clear now what to do, F12 will take us out of this call, and will Send us to the GetDlgItemTextA, so Press F12 and we will be here: I will comment the Asm code so it will be more Understood. ------------------------------------------------------------------------------+ EAX=00000005 EBX=0066FC08 ECX=80007028 EDX=800072B0 ESI=00008C2C | EDI=0066FBBC EBP=0066FBB4 ESP=0066FBB4 EIP=004012D8 o d I S z a P c | CS=0177 DS=017F SS=017F ES=017F FS=1387 GS=0000 | ----------------------------------------------------------------------PROT32--| 0177:004012D3 CALL USER32!GetDlgItemTextA ; Read Serial Text Input Box | 0177:004012D8 CMP EAX,00 ; Did we entered any text?? | 0177:004012DB JZ 004012DF ; Nope, jump to message say so + | 0177:004012DD JMP 004012F6 ; Else we jump here to code | | 0177:004012DF PUSH 00 ; Jump to here <--------+ | 0177:004012E1 PUSH 00403462 ; "Please Fill in | 0177:004012E6 PUSH 00403000 ; 1 more char" | 0177:004012EB PUSH 00 ; | 0177:004012ED CALL USER32!MessageBoxA ; Display The message | 0177:004012F2 LEAVE | ------------------------------------------------------------------------------+ Now we are in the Correct Place (the CrackMe Code). From now on, we need to know 2 things: 1. ASM 2. Using the shortcut keys. *Note: in X86 memory there is what we call Segment/Offset, * xxxx:yyyyy is how it look like, Now in nay computers the Segments may be, *Be different because of the Memory, but the Offsets are always the same. * I.E: 0177:004012F2 ^^^^ ^^^^^^^^ Segment:Offset Any way lets go on with our Practice, At offset 004012F2 we have a jump That will lead us to the Code where serial will be generated/compared and other Bunch of stuff that may be. So in order to jump, we need to trace in SoftIce to that instruction and trance into it. Now: F10 - Usage: F10 Is a trace code, single step trace one by one. So press F10 until you get to the JMP and F8 - Usage: F8 key usually trace into a CALL/JUMP So press F8 and you will be here: --------------------------------------------------------------------------------------+ EAX=00000005 EBX=0066FC08 ECX=80007028 EDX=800072B0 ESI=00008C2C EDI=0066FBBC EBP=0066FBB4 ESP=0066FBB4 EIP=004012F6 o d I s z a P c CS=0177 DS=017F SS=017F ES=017F FS=1387 GS=0000 --------------------------------------------------------------------PROT32------------+ 0177:004012F3 RET 0010 ; Return From a call 0177:004012F6 PUSH 00403038 ; After pressing f8 we will be here 0177:004012FB CALL 00401430 ; Unimportant 0177:00401300 XOR ESI,ESI ; ESI = 0 0177:00401302 MOV ECX,EAX ; ECX = EAX (Lenght of the Name entered) 0177:00401304 MOV EAX,00000001 ; EAX = 1 0177:00401309 MOV EDX,[00403038] ; EDX = Addres of the name 0177:0040130F MOV DL,[EAX+00403037] ; DL = First char of the name 0177:00401315 AND EDX,000000FF ; Clean up EDX (leave only the Low Byte) 0177:0040131B MOV EBX,EDX ; EBX = EDX 0177:0040131D IMUL EBX,EDX ; EBX = EBX * EDX 0177:00401320 ADD ESI,EBX ; ESI = ESI + EBX 0177:00401322 MOV EBX,EDX ; EBX = EDX 0177:00401324 SAR EBX,1 ; Shift Archimatic EDX Right by 1 0177:00401326 ADD ESI,EBX ; ESI = ESI+EBX 0177:00401328 SUB ESI,EDX ; ESI = ESI-EDX 0177:0040132A INC EAX ; EAX +1 (Next character on name) 0177:0040132B DEC ECX ; ECX = ECX-1 (Counter) 0177:0040132C JNZ 00401309 ; Jump to 00401309 while ecx != 0 0177:0040132E PUSH ESI ; Save ESI to Stack 0177:0040132F PUSH 00403138 ; Push to stack 0177:00401334 CALL 00401383 ; Convert ESI to Decimal 0177:00401339 POP ESI ; ESI = last stack information pushed 0177:0040133A CMP EAX,ESI ; Compare entered serial with ESI 0177:0040133C JNZ 00401353 ; If they are not equal Jump to Bad message + 0177:0040133E PUSH 00 ; Else | 0177:00401340 PUSH 00403462 ; Push Caption | 0177:00401345 PUSH 004034B8 ; Push good message Text | 0177:0040134A PUSH 00 ; Creat | 0177:0040134C CALL USER32!MessageBoxA ; Show MessageBox | 0177:00401351 JMP 00401366 | 0177:00401353 PUSH 00 ; Create Message <--------------------------+ 0177:00401355 PUSH 00403462 ; Push Caption 0177:0040135A PUSH 00403486 ; Push bad message Text 0177:0040135F PUSH 00 ;Create 0177:00401361 CALL USER32!MessageBoxA ; Show MwssagebOX 0177:0040137A RET 0010 ; eXit the call -------------------------------------------------------------------------------------+ Ok, that's good, everything we need is in front of our eyes, now If you know asm or at least basic, there should be no problem for you To understand this. What basically it does in this Algo is to get the Length of the entered Name, Put it on ECX as it is the Counter Register, and make a calculation on every Char from the name we entered, and than build up a serial number out of it. The final serial will be converted to decimal and will be compared with the Entered Fake serial in address 0040133A. What we need do is to Trace the Algo with F10 until you will be reach to address 0040133A And try get the data EAX / ESI holds. Now as I said, there are 2 ways to see the data is with: D / ? Commands But because we know that the Serial is in decimal form (Converted at address 00401334) We assume there is no ASCII data, so basically at address 0040133A CMP EAX,ESI You simply do: :? EAX :? ESI Example: Lest say I entered those fake information: Name: Bengaly Serial: 12121212 I trace the code untill the Compare address routine, and do : :? EAX 00B8F47C 0012121212 "Έτ|" (Our fake Serial) :? ESI 00011BB1 0000072625 "±" (The real Serial) ^^^^^^^^ ^^^^^^^^^^ ^^^ Hex Decimal Ascii Do you see the Right serial? :-) Of course you do Name: Bengaly Serial: 72625 Enter this following information in the CrackMe (crackme#2) and you should Be greeted with a good message. *Students, this is the end of the test field, I hope you understand today's lesson. *Tomorrow we will talk about more stuff. -----------------------------------Page 6--------------------------------------------- [Day 6] Protections, And more Protections: ---------------------------------- Today we won't talk about Shareware protections, But we will Learn about Protection against Cracking Tools. And also how to Attack and destroy them. SoftICE Attacks: ---------------- 1.Melt-SoftICE: By saying Melting SoftICE we mean that this is Some kind of ANTI-SoftICE trick. The main idea of Melt-Ice is to detect SoftICE. I.E some program uses MeltICE trick to Detect SoftICE, And if it found it, it will give us a message saying that: "DEBBUGER IS ACTIVE" and Program won't load. The Melt-ICE trick is using what we call VxD detection. The trick is to search for the SoftICE Vxd called: ///.SICE// It could also be for WinNT, search for ///.NTICE// We can Attack this Protection by searching the ///.SICE// string in A HexEditor and change to other string, No more troubled :-) Misc. Protections: ----------------------- There are allot of ways other than MeltICE To search if Sice is active, Others can be using Interrupts such as: INT 68 / INT 03 Searching those interrupts in HexEditor and eliminate them should Do the job as well. Some others can search if a BPX is entered at SoftICE and Detecting it on memory. Some can check the Memory, More Installed file by SoftIce, Checking "BCHK" (BoundChecker) with SoftIce, and many many more. All those kinda or protections can be automatically blocked By: IceDUMP This is also another option IceDUMP do (Anti-Anti SoftICE). More Protections can be used against disassemblers as well. For example, A protections against "Win32dasm". Although w32dasm is a good disassembler, it does have his weakness Until the author will fix them of course :-). Those weaknesses can help projectionists to use it for their on good. Protections: 1. Infinite Jumps (EBFE) <= make w32dasm to crash 2. Big Resource size <= make W32dasm to stop respond 3. Inline Calls: Call [Call xxx] makes W32dasm to loose data 4. Unreachable Jumps. Those kinda of weaknesses can help Programmers against Crackers. I think its very good protections who's very annoy to crack at least to me :-). PACKING: -------- Another known and very spread today is the PACKING system. The packing system has 3 Main options it can perform (if chosen): 1. Size Reducing 2. Encrypting the PE of a EXE / Manipulating APIs / Scrambling Import Tables and more 3. Anti Debugging Options. There are many PE file packers, the most familiars are: ASPr / ASProtect / tElock / PeTite / PeShrinker / UPX...etc. Encryption / CryptoLogy: ------------------------- This is almost the secure way to protect your application Or actually protect against crackers, main idea of Encryption Is to avoid Outsider to Read the message, or in software World To crack it, Software companies uses Encryption's for their Serial/Name Also for Keyfiles, and many others. They Imbed the Serial by using a Very hard Algorithm, that someone without This knowledge could ever find the serial, Examples to programs who uses Encryption's are: FlashFXP / CuteFTP Some uses RSA xxBit, Some uses others, a good way to reverse it would be To learn CryptoLogy and become "Cryptoanalyst" and use it to reverse the Chipper. *When i talk about Crypto, I mean Crypto in Software's (Serials protections) ------------------------------------Page 7--------------------------------------------- As for this is A guide, I can not dwelve into more basic cracking and examples. I think you should gain a very basic knowledge by now, the very first thing You should do, is to READ allot, the Library has allot of information stored and Written by very Gifted Reverses, This camp gave you the very first Glimpse into the world of cracking and what it has to offer, a very hard work and time will finally make you, A fine talented reverser, and for achieving this goal you shall teach others, This what makes us good reverser's, Teach & Learn and work well for others. [Day 7] +-----------------------+ +***ADVANCED CRACKING***+ +-----------------------+ The advanced Cracking field is by far the most time consuming and hard work From a cracker point of view, but by far the interested one. What Sections in Cracking is Advanced?? The section we call them advance is the sections that Makes crackers A brainstorm...Those should be the: Unpacking (Manual): ------------------- Unpacking is a very hard Section in cracking world, Allot of reverses having time cracking it, while others succeed. Packing a file that is main idea is to Reduce the size to Block A Cracker. Will make the reversing part Hard and very much Time consuming. In order to crack Packed files, the first thing to do is to learn about the PE structure of a file (EXE), this by far the most important knowledge. Than alittle ZEN :-) won't harm anyone (+ORC essays). Let's see what a PACKER do: (LAYER of packer ( Original Code ) LAYER of packer) Well this is the main Idea, may do something else, as Encryption, API manipulations, anti-debugging tricks, fake calls, and many more. The only thing we can rely on against a packed file are the tools. Tools: Brain by God :-) Revirgin By +Tsehp ImportREC by MackT ProcDump by G-ROM PE-Editor By Yoda/M.o.D HexEditor (Any) SoftICE by NuMega IceDUMP (TraceX / ScreenDUMP functions) By IceDUMP team (I'll call them TeamICE ;-) Those are the only tools that can help you unpack any kind of packer, Remember it's only TIME until you will unpack never say Never. Basic manual unpacking (MUP): 1. Calculating the Raw Offset (From PE Editors) 2. Putting CC (INT 3) on the found Offset with HexEditor (for SoftICE) 3. Breaking, and tracing for the Original Entry Point (OEP) With SoftICE. 4. Using Infinite Loop EBFE to Isolate the Original Code From the Packer's Code (Still SoftICE) . 5. Dumping the Isolated File using IceDUMP / ProcDump 6. Manually (HARD) / Auto : Import Table Fixing (Using Revirgin / ImportREC) *Learning how to use Revirgin / ImportREC is a very Good idea so you can Use them to FIX the Import Table of the file (dumped), (if damaged). This is by Far the easy part, some PACKERS has really hard options which only Holds skilled crackers for some time, but eventually will be breached. Another achievement will be to CODE your own Unpacker, this is somehow The best at all this Unpacking world. ---------------------------------------------------------------------------------------- Manually UnPacking of EP_v0.2: ---------------------------------------------------------------------------------------- This is not very hard Packer, it only does small things So this tutorial will make clear of everything. --------------------------------------------| Writer: Bengaly | Author: CoDe_InSide | Protection: Encryption & scrambling IT | URL: http://codeindise.cjb.net | Tools: SoftICE v4.00 | Hex-Editor (any) | ProcDump v1.6.2 | ImportREC (MackT.cjb.net) | --------------------------------------------| Let's get started: ------------------ In this example I will use CoDe_InSide's EP_v0.2 (PE) packer/Encrypter. So I will encrypt Calculator.exe After encryption you will get calcc.exe . Ok, let's open PrucDump. choose "PE EDITOR" and load calcc.exe You will see a window with this in formation: Entry Point: 00017000 <= this is the Virtual Offset Size of Image: 00018000 Image Base: 01000000 Ok, now that we know the virtual offset (00017000), click the "Sections" button, You will see all section Information in a tab. Always look at the final section (so we will patch the offset in HexEditor) Ok, so look under Virtual Offset of the last section, you will see 00017000, but we must Know the Raw offset, so look under Raw Offset of the section, it is 00017000 too, Wow we got lucky it's the same offset, (some may use different offsets), ;D But here it's the same, now we know the Raw Offset. (00017000) Open up hex editor (any), and look for 17000 You will see this in Hex-Editor: 17000: 6A 00 60-E9...... Now, in order to use sICE to break when we load the program (Breaking on BPINT 3), We need to Change the 6A -> CC (CC = int 3, a dos breakpoint) So in hex editor just change: 6A To: CC Now it will be like this -> 17000: CC 00 60-E9...... Save the file and exit HexEditor. Now load sICE (Ctrl+D). Set a breakpoint: BPINT 3 Press enter, and exit sICE (Ctrl+D) Load the encrypted file (Calcc.exe), SICE will pop up here: ----------------------------------------------------------------------------------+ EAX=01017000 EBX=00520000 ECX=81653AB0 EDX=81653AF0 ESI=81653A90 | EDI=00000000 EBP=0056FF78 ESP=0056FE3C EIP=01017000 O d I S z a P c | CS=0177 DS=017F SS=017F ES=017F FS=5607 GS=0000 | -----------------------------------------------------------------------PROT32-----+ 0177:01016FFE INVALID | 0177:01017000 INT 3 <= we brake here | 0177:01017001 ADD [EAX-17],AH | 0177:01017004 ADD [ECX],EAX | 0177:01017006 ADD [EAX],AL | 0177:01017008 ADD [EAX],AL | 0177:0101700A ADD [EAX],AL | 0177:0101700C INC ESI | 0177:0101700D INC EDI | 0177:0101700E DIV DWORD PTR [BFF70000] | ----------------------------------------------------------------------------------+ Now we need to change the "CC" back to "6A" (the original value), Because if we wont then sICE will exit ...so just press: E EIP You will see this: --------------------------------------------------byte--------------PROT---(0)-- 0177:01017000 CC 00 60 E9 01 01 00 00-00 00 00 00 46 47 F7 35 ..`.........FG.5- 0177:01017010 00 00 F7 BF 5C 70 01 00-30 70 01 00 00 00 00 00 ....\p..0p...... 0177:01017020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 0177:01017030 D4 76 F7 BF AC 6D F7 BF-00 00 00 00 C2 01 4C 6F .v...m........Lo -------------------------------------------------------------------------PROT32- Change CC 00 to 6A 00 So it will be like this: 0177:01017000 CC 00 60 E9 01 01 00 00-00 00 00 00 46 47 F7 35 (Only the first byte is changed) Press ALT+D to return to the Command Window, Ha...much better, now we can trace the code ;D We will trace the code to find the OEP (Original Entry Point), and we well trace the Original Import Table so we could be able to fix the table later (encryptor f*ck up the IT) 1.============================The Hunt For OEP======================================== Ok, so we changed the int3 back to the original value so we can trace in sICE, A very quick way to the the OEP is for looking the POPAD instruction (most Encryptors use PUSHAD and then POPAD instruction..begining and ending of code) A good way to see the POPAD is to scroll the code with CTRL+Down It will take a while but you will see in the end of the code the POPAD & RET commands..so When seeing the POPAD instruction, double click on it (mark it with white) and type: HERE Hehehe, we are breaking on the POPAD instruction: EAX=01017000 EBX=00520000 ECX=81653AB0 EDX=81653AF0 ESI=81653A90 EDI=00000000 EBP=0056FF78 ESP=0056FE3C EIP=01017000 O d I S z a P c CS=0177 DS=017F SS=017F ES=017F FS=5607 GS=0000 --------------------------------------------------byte--------------PROT---(0)---+ 0177:01017000 6A 00 60 E9 01 01 00 00-00 00 00 00 46 47 F7 35 j.`.........FG.5 | 0177:01017010 00 00 F7 BF 5C 70 01 00-30 70 01 00 00 00 00 00 ....\p..0p...... | 0177:01017020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ | 0177:01017030 D4 76 F7 BF AC 6D F7 BF-00 00 00 00 C2 01 4C 6F .v...m........Lo | -------------------------------------------------------------------------PROT32--+ 0177:01017208 POP EAX | 0177:01017209 ADD ESI,14 | 0177:0101720C MOV DWORD PTR [ESP+20],010119E0 <= OEP | 0177:01017214 JMP 01017170 | 0177:01017219 NOP | 0177:0101721A REPZ STOSD | 0177:0101721C POPAD <= you will break here | 0177:0101721D RET | 0177:0101721E ADD [EAX],AL | 0177:01017220 ADD [EAX],AL | ---------------------------------------------------------------------------------+ How did I know how trace until here? Well as I told you, look for a POPAD instruction and a RET..that will insure You can find the OEP there...well most of the times Now, go over the RET instruction (f10), and while you are on the RET instruction Type F10 again..u will be here: EAX=01017000 EBX=00520000 ECX=81653AB0 EDX=81653AF0 ESI=81653A90 EDI=00000000 EBP=0056FF78 ESP=0056FE3C EIP=010119E0 o d I s Z a P c CS=0177 DS=017F SS=017F ES=017F FS=5607 GS=0000 --------------------------------------------------byte--------------PROT---(0)---+ 0177:010119E0 55 8B .. .. .. .. .. .. .. ..and ect <= notice here | 0177:010119F0 A1 00 00 00 00 50 64 89-25 00 00 00 00 83 C4 98 .....Pd.%....... | 0177:01011A00 53 56 57 89 65 E8 C7 45-FC 00 00 00 00 6A 02 FF SVW.e..E.....j.. | 0177:01011A10 15 B8 10 00 01 83 C4 04-C7 05 78 3F 01 01 FF FF ..........x?.... | -------------------------------------------------------------------------PROT32--+ 0177:010119DF INT 3 | 0177:010119E0 PUSH EBP <= you break here | 0177:010119E1 MOV EBP,ESP | 0177:010119E3 PUSH FF | 0177:010119E5 PUSH 01001570 | 0177:010119EA PUSH 01011D60 | 0177:010119EF MOV EAX,FS:[00000000] | 0177:010119F5 PUSH EAX | 0177:010119F6 MOV FS:[00000000],ESP | 0177:010119FD ADD ESP,-68 | ---------------------------------------------------------------------------------+ Also notice that EIP use the Original Entry Point (010119E0) EAX = First Entry Point (01017000) Now We are going to use the "EBFE" trick (infinite Loop)! , Do this in sICE: E EIP EBFE : Change 558B to EBFE (Don't forget to remember 558B!) ALT+D : To return to the Command Window ---------------------------------------------------------------------------------------+ 0177:010119E0 EB FE EC 6A FF 68 70 15-00 01 68 60 1D 01 01 64 <= it will be like this | 0177:010119F0 A1 00 00 00 00 50 64 89-25 00 00 00 00 83 C4 98 | 0177:01011A00 53 56 57 89 65 E8 C7 45-FC 00 00 00 00 6A 02 FF | 0177:01011A10 15 B8 10 00 01 83 C4 04-C7 05 78 3F 01 01 FF FF | -------------------------------------------------------------------------PROT32--------+ 0177:010119DF INT 3 | ==> 010119E0 JMP 010119E0 (JUMP) ; the trap | ---------------------------------------------------------------------------------------+ So we set a trap on the OEP ;D, now let's clear all breakpoints : BC * Again set a breakpoint on BPINT 3 , and leave sICE Load calcc.exe, sICE breaks, type: E EIP edit the CC->6A and press Now leave sICE again (without clearing the breakpoints)..calcc.exe runs like a baby Well what's the point of it?? The point is that u wont get a error message when loading calcc.exe (without bpint3,cc->6a) That way I can dump it in ProcDump while the program is loaded and don't crashing ProcDump When trying to DUMP it. Now let's open ProcDump again...now in the TASK window, scroll down and look for The Directory u have the encrypted file, mine is: D:\Dont Tuch\notepade.exe If not there, right click on mouse...press REFRESH LIST...ohh here it is :=) Now select the file, right click with mouse and choose: DUMP (FULL)..if ProcDump still Crash Then I recommend to dump the file using PARTIAL, DUMP (PARTIAL) <= click ok all the time. Save the new dump anywhere u like, choose a name of course ;D (I prefer the name DUMP.EXE ;D) Now again right click on it again and choose: KILL TASK (press ok after u get a message) Now, The dump we made does not run yet, We need to modify it to make it run...duh! ;D So click "PE Editor" and choose the new dump file we made. Now the entry point is still 00017000, so change it to the real OEP: 119E0 It will be like this now: Entry Point: 000119E0 Now on the "Apply Changes Method:" choose "To PE File" <= so we can kick the encryption Code. After choosing "To PE File", click "SECTIONS" button. Now right click on the last section with mouse and choose: "Kill Section" This will ensure that the encryption code wont be on the dump.exe anymore ;D Now we will change the Size of Image of the dump: Size of Image = Last Virtual Offset + Last Virtual Size (last section) So because we killed the last section, we will use the last section, To fix this take now the: Offset = 00014000 Virtual Size = 00002618 Size of Image = 00014000 + 00002618 = 00016618 Click "CANCEL" button and we back to the Header Info screen, We see that the "Size Of Image" = 00018000 <= which is not correct! (at least here it is) :-) Change "Size Of Image" = 00018000 -> 00016618 Press OK to rebuild the structure of dump.exe ;D Exit ProcDump. Try running the file (dump.exe)...what's going on, it's not working...why! >:/ Well it won't work because it runs in a loop that provides form the program from working! Remember: 558B -> EBFE? So open hex editor again and go to the OEP we found (119E0). Change back EBFE -> 558B Save the file... Run Dump.exe...IT CRASH AGAIN!!!!!!!!... >:| Wtf...why :-( ? well the main reason is because the EP v0.2 encryption routine, it basically F*CKING UP THE IMPORT TABLE... To know more about IT I suggest reading some tutorials about it! :-) Or some documents about the PE structure. 2.=======================The Hunt For Original IT======================================= Ok, open up sICE, set a BPINT 3 breakpoint, exit sICE, load the encrypted file (not the dump) SICE pop..just E EIP to bring back the original value so we can trace with sICE.. E EIP CC 00 To: 6A 00 or Alt+D Now we can tracing...it wont take a while..try find it your self Didn't find?? So notice this In SoftICE: --------------------------------------------------------------------------------------+ EAX=01017020 EBX=00520000 ECX=00000000 EDX=7461644F ESI=01012020 ;Original IT | EDI=00000000 EBP=01000000 ESP=0056FE18 EIP=01017170 o d I s z a p c | CS=0177 DS=017F SS=017F ES=017F FS=1127 GS=0000 DS:0101202C=000122A2 | --------------------------------------------------byte----------------PROT---(0)------+ 0177:01017000 D4 76 F7 BF AC 6D F7 BF-00 10 00 00 00 20 01 00 .v...m....... ..- 0177:01017010 00 30 01 00 00 10 00 00-00 00 00 00 20 20 01 00 .0.......... .. | 0177:01017020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ | 0177:01017030 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ | ----------------------------------------------------------------------------PROT32----+ 0177:01017163 JMP 0101713C | 0177:01017165 ADD ESI,04 | 0177:01017168 LODSD | 0177:01017169 TEST EAX,EAX | 0177:0101716B JZ 01017175 | 0177:0101716D ADD EAX,EBP | 0177:0101716F XCHG EAX,ESI | 0177:01017170 MOV EAX,[ESI+0C] <= ESI move to EAX, EAX = IT | 0177:01017173 TEST EAX,EAX | 0177:01017175 JZ 010171F6 | --------------------------------------------------------------------------------------+ A quick: ? ESI Will show you ESI=01012020 So we can assume that Original is starting at 12020 (write it down) 3.======================Fixing Broken Import Table==================================== So once that we know the start point of the IT, we open ProcDump again, Choosing the "PE EDITOR" Button, And choosing our dump.exe that we have created! Now in order to change the IT starting point click the "DIRECTORY" button: You will see: Import Table: RVA Size 00017008 00000034 But we know 00017008 is not the real starting point of the IT, so just edit it and replaced It with the real RVA 17008->12020 Click OK, and OK again..dump.exe is rebuild. Now we need to use a program called "ImportREC" which will fix us the broken Import Table. How to use and fix throw ImportREC?? ===================================Fixing Threw ImportREC============================ 1. Load the encrypted file (not dump) using the CC->6A trick in sICE, (wich in the case wont Crash the program) and that will make it active to use in ImportREC. 2. In the "attach to an active process" choose our program -> d:\dont tuch\calcc.exe 3. Enter the correct OEP+IT at "IAT INFOS" OEP = 000119E0 RVA = 00012020 SIZE = 00001000 4. Press the "IAT AutoSearch" button, and u will get the message "Found something!" , And some RVA and OEP information's Click OK! 5. Click the "Get Import" button 6. Click the "Fix Dump" button, and choose the dump.exe we made * Note, sometimes you will get an error Message but you can ignore it ;-) Otherwise it works fine. 7. Exit ImportREC Ok so we fixed the dump.exe with good IT..it's time to check the program. You will see a new file is created dump_.exe ;) click it!! It works ;-) EP.v0.2 Is Totally Unpacked / Reversed & Removed! --------------------------------------------------------------------------------------- Well my students, it was a long journey but you finally did it, I said it takes time to learn, you can't master at something you haven't Trained on. So I again says "Read & Practice" nothing is perfect until you make it Perfect. Keygenning: ----------- Another fascinating Section in Cracking is the Keygenning field, this is the Total Reversing of a given Protection and by far known as the BEST Crack. Creating the actual Keygen is not the problem, but to Understand The ALGO it self may give some brainstorm, also to find the actual Generation routine can be very Frustrating part :-) , But as I said, Time and only Time, nothing actually can hold good reverser, unless It is impossible, but another can crack what that has been made by Human. A simple ALGOS won't hold a Skilled Cracker but will a beginner. A good ASM knowledge will by far do 50% of the job, only 50% left is your Brain's Effort This is a simple Key-Hashing no more. Math will play a Big roll, ALGO is based on Math whatever it's simple -> harder. SoftICE is the most useful tool, as it shows us how the Algo behave and what does it to For every instruction, a good way is to imitate the Algo (Rip it) or to write your own Algo which will produce the same key from name (no matter the programming language). A good example of a simple Algo is used in Day5 of our Training. The Crackme2 has a very easy Algo that creates a serial out of the name based on the Length of the entered name, a few math instructions is being used. Good way is to rip the Algo if you are an ASM coder. Else just understand it and create your own routine in you Favorite Programming Language. I.EXAMPLE (Keygen routine in C/C++ for Crackme2): ================================================= //Simple routine from the ASM code converted to C len = strlen(name); for (i=0; i WinNT VxD versions of SoftICE | +---------------+ MASM include files | | SoftICE win9X versions (Dos as well) In this dir you should see allot of Dirs Every dir represents SoftICE version, Starting from DOS->Windows SoftICE versions. Also there are some other Dirs for small Utile (mp3 player..) The first thing you do before running the IceDUMP exe file (VxD) Is to ensure your SoftICE version, you can do that by loading SoftICE And press VER You will be given The SoftICE information. For example, my SoftICE version is: SoftICE 4.0.5 (Build 334) Copyright (c) 2000 Compuware Corporation. All rights reserved This means i have SoftICE 4.05 Build 334) So I Run SoftICE for Windows98, so in IceDUMP Dirs for w9x I need to enter the sub dir called: 4.05.334 And load the specific VxD for my SoftICE version. *You don't need to put IceDUMP files in SoftICE directory. My IceDUMP is installed at: D:\Dont Tuch\My Ducoments\Cracking\Ice Dump\w9x Where SoftIce is installed at: C:\Program Files\NuMega\SoftIce95 You see, there is no need to move any files, when running the right IceDUMP VxD Version for your SoftICE it will automatically patched in memory and be ready to use. And you can use more options IceDUMP have :-) Have Fun. Another Troubleshooting ppl have been Talking about is that they can't use SoftICE in WinXP/2000/ME Setting SoftICE for WinNT/WinME (XP/2000): ------------------------------------------ First thing to know, that NuMega has made patches that will Load SoftICE in the newer Windows. WinME - has a problem as well, as it does not uses autoexec.bat And that's bad, since we can't modify SoftICE to run in Windows Boot Load. Once Solution has been brought to us by IceDUMP Team (TeamICE, or IceMen :-) ) But the patches they have added are not 100% and you could have problems loading SoftICE, More solutions brought by NuMega as well, In their page you can find the right Patches. Win2000/XP - Same Problem, NuMega has made new DriverStudio (2.5) that (hopefully) support WinXP, Also there are Patches for SoftICE (NTice) in their home page (www.NuMega.com) Get Them. Misc troubleshooting: ----------------------------- Q. I can't use Hmemcpy under Win2000, why? A. Win2000 does not support the Hmemcpy that's why you can't use it. As for Replacement you can use the MemCpy function (not the same, but better than nothing) Q. I am trying to set a breakpoint on an API and i get "Symbol is not defined" why? A. Probably you haven't told SoftICE to load the DLLs at boot time, Remove the ';' at the important DLLs, From Winice.dat and than Reboot. Q. I AM Cracking a visual basic app but I can't break at SoftICE why? A. Visual basic uses it's own DLLs such as Vb40032.dll and more for Vb6. I suggest you to go to: http://ebliss.cjb.net/ It has all needed information about VB cracking. Also I suggest you to get SmartCheck VB debugger. Q. I heard about Search Function in SoftICE, what is it and, how to use it? A. The search function is very powerful once you know how to use it For example, if you enter your name in a text box: Bengaly After breaking (BPX) with the right API we are doing a search For our name, instead of manually locating it, it works like that: S 0 L FFFFFFFF 'Bengaly' *S = Search *0 = From starting Address 0 (zero) *L = Unknown, could be for Until *FFFFFFFF = end of the address to search. Now SoftICE will break at where the name Bengaly has been located in memory It does not say it's in t he program, but in Memory (cuz we are doing a LONG-RANGE search). A good way to know where the name could be set is after the Address of 8xxxxxxx I.E: :s 0 l ffffffff 'Bengaly' Pattern found at 0030:82F1A89B (82F1A89B) ^^^^^^^^ Over 8xxxxxxxx This system is though us +ORC in his fantastic tutorials. All you need to do is to set a breakpoint at the address's Range and break: I.e.: BPR 0030:82F1A89B + 6 R | | Name Length-1 <---+ +----> Read There is a good Searching Tutorial at (I think): http://fooder.cjb.net Q. How can I take a snapshot of SoftICE? A. Well a regular snap shoot you can't take, but another snapshot Can be takes and be saved to TXT/HTML. The snapshot function is brought us by IceDUMP, very strong utile. First thing to do is loading Proper IceDUMP Vxd, once loaded you can use the Function, like this: /ScreenDUMP Now, ScreenDUMP has some options (Modes), Every mode take snapshot in a different Way, press several times /SCREENDUMP will switch Case the modes. The best mode to use is: mode 01 (Text mode) To take the snapshot you do: /ScreenDUMP .txt (Mode 01) I.E: /SCREENDUMP D:\A.TXT Q. I used this /ScreenDUMP function, but it Looked up my Computer, what to do? A. Yes this is a common Bug, to fix this you should always break on some API, It seems /ScreenDUMP won't take a shoot unless you are in some Code. Q. I heard there is an MP3 player under SoftICE, where is it? A. Yes there is, the mp3 player is in \Ice Dump\w9x\mp3\bin But i must say, The Mp3 player will lookup your machine unless you know How to use it, I tried Looked my PC, maybe it's not yet working, don't know :-) I really recommend putting a CD in the CD-ROM and playing it using the CD-ROM Buttons Q. I heard about A TraceX command, what is it? A. Well TraceX command actually a tracer that normally used to single step Some stream of instructions and, Because of this it is able to intervene at any point and act accordingly. * I recommend reading the Tracer.TXT from the Docs dir in IceDUMP Dirs. Once Tracing, take your time, it takes a while For Sice to Break (depend on memory?) Q. It seems W32dasm Stuck/Crash when i load some apps, why? A. As I said before, some uses the TRICKS against W32dasm, Some Programmers could raise the Resource Size and this makes Win32dasm Stuck/Freeze, others use FAR jumps, Infinite Loops, and etc. Q. Why can't I see the String-References of a VB application in w32dasm? A. In order to do that you need the Win32dasm patch for VB applications. Q. I have disassembled a file, but i can't see any ASM code, why? A. This is because the File is packed, the packer hide the asm file. What you can do is to unpack the file and disassemble again. Q. I got the File unpacked, I see the ASM code, but there is no Strn-Refs, why? A. This because you haven't changed the Characteristic of the file, Run PE-EDITOR, load the file and press the "Sections" Button, Select each section, right click and choose the: Change to E0000020 Options do this to all Sections. (It will Auto Update the file). Now try to Disassemble the file, you "should" have strn-Refs. Q. Where can I get the full API list? A. You can dl the Win32.hlp from The internet (try Microsoft.com) :-) or try: http://Protools.cjb.net --------------------------------------- Page 9 ------------------------------------- +=======+ | Links | +=======+ The way to learn about Cracking is to search over the net, download The tutorials, and read/practice, here I will give you the best Web pages you can download the free tutorials/tools from: -----------Cracking Tutorials:--------- 1. +HCU Academy - http://Tsehp(dot)cjb(dot)net (Academy - Best) 2. The Krobar Collection: http://Krobar.cjb.net (Recommended) 3. CoDe_InSiDe - http://codeinside.cjb.net (Mine/CoDe's tutorials) 4. Eternal_Bliss - http://ebliss.cjb.net (Visual-Basic) 5. +Sandman - http://www.idca.com/~thesandman/index2.html (Best - Recommended) 6. Icezelion's Win32Asm - http:/win32asm.cjb.net (Coding) 7. tHE Egoiste - http://egoiste.da.ru (Great page with Crypto Stuff) 8. CrackMe's Page - http://crackmes.cjb.net (Recommended, dl all CrackMe from here) --------Cracking Tools:--------- 1. Programmers Tools - http://protools.cjb.net (Best) 2. Play Tools - http://playtools.cjb.net (Great) 3. EXE Tools - http://exetools.cjb.net/ (Average) 4. Aaron's Tools - http://mud.sz.jsinfo.net/per/aaron/index.htm (Average) 5. http://ProcDump32.cjb.net 6. Freak2freak.cjb.net 7. www.sysinternals.com (FileMon) 8. http://rpi.net.au/~ajohnson/resourcehacker 9. http://muaddib.immortaldescendants.org 10.http://frog.fsn.net (May be down) -----------Groups:----------- 1. PGC - http://www.pgc-force.com (I am in that group) 2. The Millenium Group - http://tmg.da.ru/ (Keygen Factory :-) 3. HellForge - http://www.hellforge.org/ 4. The Cracking Answer - http://tca2k.da.ru/ 5. Immortal Descendants - http://www.immortaldescendants.org 6. TrickSoft - http://emc2k.com/tricksoft/ 7. DOOM - http://deadlyzone.virtualave.net/Html/load.htm 8. http://www.suddendischarge.com/ And many more :-) , well I can't put all Sites here, So I just put the links to the most useful for crackers. +========+ | Thanks | +========+ First Thanks goes to all who made Reveres-Engineering Posible: -------------------------------------------------------------- In No specific Order: +ORC, reverser+, +RGC, +greythorne, +ReZiDeNt, +Xoanon , SiuL+Hacky, The+Q (Home Made), +Spath, +Mammon_, Frog's print, +gthorne, +daQ, razzia, +MaLaTTiA, Quine, +Alt-F4, +DataPimp, The+Chineese, +Hackmore, +Indian_Trail, bajunny, +Sandman, +Aesculapius, Shaman, +Aitor, Dr Fuhrball, MaD, TWD, +SNikKkEL, +Sync, Flipper, +Spalj, +Tsehp, A+heist, The Undertaker, Civetta, +Zer0, +drlan, +PopJack. Thank for my Cracking Skills To: -------------------------------- CoDe_InSiDe, fusS, _Nordic_, Muad'D1b, gogamoga, ManKind, PGC, +HCU Academy, +ORC, +Sandman, +Fravia (+reverser). The+Q (For being a cracker from the same country as I). Thanx to my real friends as well (even if some don't know what I do) :-) Work Well And Have Fun. By Bengaly 2001