HELLFORGE 2000
| Author | Falcon |
| Target | Duelist's Crackme #2 |
| Public Release | Sunday, 18 June 2000 |
| Author Contact | falcon_geno@mail.ru |
| Dedication | Irwin Shaw |
| Difficulty Level (1..7) | 2-3 (EASY-MEDIUM) |
| Tools Required | Soft-Ice 3.xx; Hex Workshop |
Disclaimer: Please note, the information herein is copyright to Hellforge. No portion of this text may be duplicated. Furthermore, damage or problems arising after reading this text are left to the user's disposal. Neither Hellforge, nor its members can be held responsible for any direct or indirect result of following this text. The full liability of following this text is on the reader (YOU). The information is provided for educational purposes; misuse of this information is strictly prohibited. If you do not agree with this agreement, then please hit the "back" button on your browser, and go to hell. - Mercution.
Introduction
Ok, crackers, today I am in the mood for writing a tutorial on keyfile protection. The crackme we're going to examine requires restoring some text in a file to make the program say that we are a registered user. There are three steps to do it: the first and the third are needed to find the right contents of the keyfile, the second is for indicating the user name. Here you are going to see ADDITION and XORing, so it will not be so hard to restore the codes for the file.
That's my first tutorial on keyfiles, so I will try to make it very clear. If you're ready then...
Tutorial
Let's begin.
1) First we need to find the name of the correct keyfile; once we have it we can work out its correct contents. We need a good breakpoint that will give us the name of the keyfile, so activate Soft-Ice and set
bpx CreateFileA
2) Press ENTER and you should be back in Windows.
3) Execute the program. When the breakpoint fires, press F5 once and then F11, and you will see this code...
00401073  CALL Kernel32!CreateFileA   {This call tries to open the keyfile; a file with the right name has to be in the same folder as the crackme. On return EAX holds the file handle, and it is checked next to see whether there was an error.}
00401078  CMP EAX,-01                 {Compares EAX with -01. EAX is FFFFFFFF (= -01, INVALID_HANDLE_VALUE) if the file could not be opened, i.e. a file with the right name was not found.}
0040107B  JNZ 0040109A                {If the file was opened (EAX is not -01) then jump to the 'Good Routine'.}
So, how do we find the right file name?
When you are at this code you have to scroll the code window up a little (press Ctrl+Up arrow); there you see...
00401069  PUSH C0000000               {dwDesiredAccess: GENERIC_READ | GENERIC_WRITE}
0040106E  PUSH 00402079               {This PUSH is very interesting for us: it pushes the address of the file name (lpFileName). Type d 00402079 and in the data window you will see the name of the right file.}
So, the address of the file name is pushed onto the stack and then CALL Kernel32!CreateFileA checks whether a file with that name exists in the same folder as the crackme.
Ok, the name you had to find should be due-cm2.dat
So, you have to create a new file with that name, or take any other file and just change its name and extension.
When you do so, I advise you to change the contents of the file too. You need this because it makes it easier to recognise when the program reads information from the file.
Let's see what the contents of the file should be...
We trace the code further and we land here...
0040109A  PUSH 00                     {lpOverlapped = NULL}
0040109C  PUSH 00402173               {lpNumberOfBytesRead: the number of bytes actually read is stored at 00402173}
004010A1  PUSH 46                     {nNumberOfBytesToRead: at most 46h (70) bytes are read}
004010A3  PUSH 0040211A               {lpBuffer: the file contents are read into 0040211A}
004010A8  PUSH EAX                    {hFile: the handle returned by CreateFileA}
004010A9  CALL KERNEL32!ReadFile      {As you can see the address 0040211A was pushed onto the stack. At this address you will see the text from your file. When you reach this point type d 0040211a and the text will be there.}
004010AE  TEST EAX,EAX                {Tests the return value of ReadFile: zero means the read failed and nothing came from the file}
004010B0  JNZ 004010B4                {If the read succeeded, jump to the 'Good Routine'}
004010B2  JMP 004010F7                {If not, JuMP to 'Invalid Keyfile'}
Comments:
Ok, this piece of code checks whether your file could be read at all. If the read fails it jumps to 'Invalid Keyfile', so if you did as I said (if you modified the file for better recognition) then you are not going to have any problems here... So, let's move further...
004010B4  XOR EBX,EBX                 {XORs EBX with itself; after this operation EBX=0}
004010B6  XOR ESI,ESI                 {XORs ESI with itself; after this operation ESI=0}
004010B8  CMP DWORD PTR [00402173],12 {The number of bytes ReadFile actually read (stored at 00402173, at most 46h) is CoMPared with 12h}
004010BF  JL 004010F7                 {Jump to 'Invalid KeyFile' if fewer than 12h (18) bytes were read}
004010C1  MOV AL,[EBX+0040211A]       {MOVes a char from your file to AL}
004010C7  CMP AL,00                   {CoMPares AL with 00h}
004010C9  JZ 004010D3                 {Jump if AL is equal to 00h (this situation see below)}
004010CB  CMP AL,01                   {Compares AL with 01}
004010CD  JNZ 004010D0                {Jump if AL is not equal to 01}
004010CF  INC ESI                     {ESI is our counter: it counts how many chars with code 01 there are}
004010D0  INC EBX                     {EBX:=EBX+1. Moves to the next char of your file}
004010D1  JMP 004010C1                {JuMPs to the start of this loop}
Comments:
This piece of code counts how many chars with code 01h there are in the file before the first char with code 00h.
For example, if you have a sequence of codes like this...
46 61 6c 63 6f 6e 01 20 21 23 01 01 00
then in this sequence we have 3 such chars.
So, let's see how many the program wants us to have in our keyfile... The final count of the chars with code 01 is kept in the ESI register.
004010D3  CMP ESI,02                  {CoMPares ESI with 2}
004010D6  JL 004010F7                 {Jump if Less to 'Invalid KeyFile'; it means that we have to have 2 or more chars with code 01...}
We have to modify our file a little. As you can see we need two chars with code 01 in our keyfile, so open Hex Workshop and then your file, and edit it so that it satisfies the condition we just saw.
Let's move further and we reach the First Step I was talking about at the beginning. Here we need to calculate the codes of the chars in our file. Let's see the program code...
004010D8  XOR ESI,ESI                 {XORs ESI with itself; after this operation ESI=0 (this is the running sum)}
004010DA  XOR EBX,EBX                 {XORs EBX with itself; after this operation EBX=0 (index of the char being read)}
004010DC  MOV AL,[EBX+0040211A]       {MOVes a char from your file to AL}
004010E2  CMP AL,00                   {CoMPares AL with 00h}
004010E4  JZ 004010EF                 {If AL is equal to 00h then it Jumps to the CoMParison line (004010EF)}
004010E6  CMP AL,01                   {Compares AL with 01}
004010E8  JZ 004010EF                 {If AL is equal to 01h then it Jumps to the CoMParison line (004010EF)}
004010EA  ADD ESI,EAX                 {ADDition: ESI:=ESI+EAX (the upper bytes of EAX are zero here, so the char code is added)}
004010EC  INC EBX                     {EBX:=EBX+1. Moves to the next char of your file}
004010ED  JMP 004010DC                {JuMPs to the start of this loop}
004010EF  CMP ESI,000001D5            {CoMPares ESI with 1D5h}
004010F5  JZ 00401114                 {Jump if they are equal; if they're not, then go to 'Invalid Keyfile'}
Comments:
In this piece of code the situation is like this: when the program meets a char with code 00h or 01h it JuMPs to the comparison address (004010EF); otherwise it adds the code of your char to ESI. As you understood, the sum must be 1D5h, or 469 decimal. All you have to do is find any sequence with this sum. There are very many such sequences, but my advice is this: to make your calculations easier, enter in Hex Workshop a sequence with length(sequence) = length(name) - 1. This will make it easier to calculate the numbers for your name later.
So, the length of your name decreased by one is the length of your sequence.
Situation:
If <char code>=0 or <char code>=1 then
COMPARE ESI with 1D5
Else ESI:=ESI+EAX
I want a sequence of codes for my name; that's
Sequence: 48 65 6C 6C 50, and the sum of them is 1D5 (you can of course insert your own sequence, but make sure the sum is correct).
Ok, when you have done all that was explained before, let's trace the program code and you have to be here...
As I said before, examining this code is not strictly necessary: this piece of code is for getting your name into the field that tells you are a registered user, and you do not have to calculate anything for the check itself. But don't you want to see your name in that field? If yes, let's examine it carefully...
00401114  XOR ESI,ESI                 {XORs ESI with itself; after this operation ESI=0 (index into the name buffer and into the start of the text)}
00401116  INC EBX                     {EBX:=EBX+1. Moves to the next char of your file (the first time, past the char with code 01)}
00401117  MOV AL,[EBX+0040211A]       {MOVes the next char, the one that comes right after the char with code 01}
0040111D  CMP AL,00                   {CoMPares AL with 00h}
0040111F  JZ 00401139                 {Jumps to the beginning of the next loop}
00401121  CMP AL,01                   {CoMPares AL with 01}
00401123  JZ 00401139                 {Jumps to the beginning of the next loop}
00401125  CMP ESI,0F                  {CoMPares ESI with 0Fh}
00401128  JAE 00401139                {If Above or Equal then Jumps to the beginning of the next loop; the name is at most 15 chars}
0040112A  XOR AL,[ESI+0040211A]       {XORs AL with the char at the same index from the beginning of the text}
00401130  MOV [ESI+00402160],EAX      {Stores the result of the XOR at this address; this is where the registered name is built}
00401136  INC ESI                     {Increases ESI by 1. Moves to the next char from the beginning of the text}
00401137  JMP 00401116                {Jumps to the beginning of this loop}
Situation:
Here we have the generation of the name for the field that shows the Registered User name. The situation is like this:
If <char code>=00 or <char code>=01 then goto Next Loop
Else
XOR <char in the second part of the text> with <char at the same index from the beginning of the text>
Let me explain: if you are using my sequence 48 65 6C 6C 50, then let's suppose that your nick is x1x2x3x4x5x6.
So, to get the right codes for the second part of the text in the file you have to do this (the second part starts at the char the last loop reads in its first cycle, at address EBX+0040211A; x6 is XORed with 01 because the sixth char from the beginning of the file is the separator 01):
1) Second_part_code1 := x1 XOR 48
2) Second_part_code2 := x2 XOR 65
3) Second_part_code3 := x3 XOR 6C
4) Second_part_code4 := x4 XOR 6C
5) Second_part_code5 := x5 XOR 50
6) Second_part_code6 := x6 XOR 01
When you have calculated these chars, again open Hex Workshop and enter them, but do it wisely: remember where you have to put them (right after the first char with code 01), and none of the results may be 00 or 01, since those end the loop.
When you have calculated them, let's roll further...
00401139  INC EBX                     {EBX:=EBX+1. Moves past the char with code 01 that ended the name}
0040113A  XOR ESI,ESI                 {XORs ESI with itself; after this operation ESI=0 (the running sum)}
0040113C  MOV AL,[EBX+0040211A]       {MOVes the next char, the one that comes right after the second char with code 01}
00401142  CMP AL,00                   {CoMPares AL with 00h}
00401144  JZ 0040114F                 {If AL is equal to 00h then it Jumps to the CoMParison line (0040114F)}
00401146  CMP AL,01                   {CoMPares AL with 01}
00401148  JZ 0040113C                 {Jumps back without increasing EBX, so the program loops forever if there is another char with code 01 in the third section; you have to avoid that}
0040114A  ADD ESI,EAX                 {Addition of ESI and EAX: ESI:=ESI+EAX}
0040114C  INC EBX                     {EBX:=EBX+1. Moves to the next char of your file}
0040114D  JMP 0040113C                {Jumps to the beginning of this loop}
0040114F  CMP ESI,000001B2            {CoMPares the sum of your chars with 1B2h}
00401155  JNZ 004010F7                {If it is not equal then Jump to 'Invalid KeyFile'}
Comments:
Here again you have the same situation as in our first step: again we have the summation of the chars that come after the second 01. There are no limitations on the chars here apart from the one above: the program keeps adding your chars until it meets a char with code 00, and as long as the char is not 00 the value of EAX is added to ESI...
Just the sum and that's all. Now you can choose your sequence. Mine is this: 50 65 6F 70 1E (the sum is 1B2h, or 434 decimal).
Again open Hex Workshop and edit the file, inserting the sequence you found after the second char with code 01, followed by a char with code 00.
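The whole check described above (length test, count of 01 separators, first sum, name XOR, second sum) fits in a few dozen lines, and rewriting it is a good way to confirm that you have understood the disassembly before touching the file in a hex editor. The following Python is an added example, not code from the tutorial or from the crackme itself. The addresses and constants come from the listing; the assumptions are that memory after the bytes ReadFile stored at 0040211A is zero, and that the endless loop on a second 01 in the third section is modelled as a rejection. build_keyfile generalises the tutorial's "x6 XOR 01" rule: byte k of the name is XORed with byte k of the file as written so far, which is exactly what the loop at 00401116 reads, so it also works for names longer than the first sequence.

```python
# Added example (not the tutorial's or the crackme's own code): a model of
# the checks the crackme performs on the 46h-byte buffer ReadFile fills
# from due-cm2.dat, following the disassembly in the text.

READ_SIZE = 0x46      # PUSH 46 before ReadFile: at most 70 bytes are read
MIN_BYTES = 0x12      # CMP DWORD PTR [00402173],12: at least 18 bytes read
FIRST_SUM = 0x1D5     # CMP ESI,000001D5 at 004010EF
THIRD_SUM = 0x1B2     # CMP ESI,000001B2 at 0040114F
MAX_NAME = 0x0F       # CMP ESI,0F at 00401125: at most 15 name chars

# The two sequences used in the tutorial (sum 1D5h and 1B2h respectively).
FIRST_SEQ = bytes.fromhex("48656c6c50")
THIRD_SEQ = bytes.fromhex("50656f701e")


def check_keyfile(data: bytes):
    """Model the crackme's four loops. Returns (accepted, registered_name).

    Assumption (not stated on the page): memory after the bytes ReadFile
    stored at 0040211A is zero, so every loop terminates on a 00 byte.
    """
    n = min(len(data), READ_SIZE)
    buf = bytes(data[:n]) + b"\x00" * (READ_SIZE + 2 - n)
    if n < MIN_BYTES:
        return False, None                       # JL 004010F7 at 004010BF

    # Loop 1 (004010C1-004010D1): count 01 bytes before the first 00 byte.
    ones, ebx = 0, 0
    while buf[ebx] != 0:
        if buf[ebx] == 1:
            ones += 1
        ebx += 1
    if ones < 2:
        return False, None                       # JL 004010F7 at 004010D6

    # Loop 2 (004010DC-004010ED): add bytes from the start until 00 or 01.
    esi, ebx = 0, 0
    while buf[ebx] not in (0, 1):
        esi += buf[ebx]
        ebx += 1
    if esi != FIRST_SUM:
        return False, None                       # JZ 00401114 not taken

    # Loop 3 (00401114-00401137): each byte after the 01 separator is XORed
    # with the byte at the same index from the start of the file; up to 15
    # results are stored at 00402160 as the registered name.
    name, esi = bytearray(), 0
    while True:
        ebx += 1                                 # INC EBX comes first
        al = buf[ebx]
        if al in (0, 1) or esi >= MAX_NAME:
            break                                # -> 00401139
        name.append(al ^ buf[esi])
        esi += 1

    # Loop 4 (00401139-0040114D): add the bytes after the next separator
    # until a 00 byte. A 01 byte here makes the real program spin forever
    # (JZ 0040113C without INC EBX); this model treats that as a rejection.
    ebx += 1
    esi = 0
    while buf[ebx] != 0:
        if buf[ebx] == 1:
            return False, None
        esi += buf[ebx]
        ebx += 1
    if esi != THIRD_SUM:
        return False, None                       # JNZ 004010F7 at 00401155
    return True, name.decode("latin-1")


def build_keyfile(name: bytes, first_seq: bytes = FIRST_SEQ,
                  third_seq: bytes = THIRD_SEQ) -> bytes:
    """Lay out a file as the tutorial describes: first sequence, 01,
    XOR-encoded name, 01, third sequence, 00 (zero-padded to 12h bytes)."""
    if sum(first_seq) != FIRST_SUM or sum(third_seq) != THIRD_SUM:
        raise ValueError("sequence sums must be 1D5h and 1B2h")
    if any(b in (0, 1) for b in first_seq + third_seq):
        raise ValueError("00 and 01 end the summing loops")
    if not 0 < len(name) <= MAX_NAME:
        raise ValueError("name must be 1..15 chars")
    buf = bytearray(first_seq + b"\x01")
    for k, ch in enumerate(name):
        enc = ch ^ buf[k]                        # byte k of the file so far
        if enc in (0, 1):
            raise ValueError(f"char {k} encodes to {enc:02X}, which ends the name loop")
        buf.append(enc)
    buf += b"\x01" + third_seq + b"\x00"
    buf += b"\x00" * max(0, MIN_BYTES - len(buf))
    return bytes(buf)
```

Two things the model makes obvious that are easy to miss in Soft-Ice: an encoded name byte of 00 or 01 silently truncates the name (the tutorial's own sequence 48 65 6C 6C 50 XORed with a name starting "Hell" gives exactly that), and the name bytes are not covered by either sum, so changing one of them changes the displayed name without the check noticing. From a design point of view this is the whole story of the protection: two additive checksums and an XOR against bytes stored in the same file carry no secret, so anyone who can read the code can produce a passing file, which is why real licence files are signed rather than checksummed.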
That would be all you had to do with this crackme. I hope you got some information on how to deal with keyfile protection. Soon there will be more tutorials from me on this topic.
Final Thoughts
A good practice crackme. You have to try it again and enter your own name as the registered user. All you have to do is XOR correctly and everything will be cool.
Greetings to...
All members of Genocide Crew {welcome to two members, krak4o and p_AXXAHR}
http://www.genocidecrew.cjb.net/
All members of Hellforge {Mercution, Acid_Cool_178, Ac|dfusion, Dark_Wolf, BiSHoP}
Enormous thanks go to Acid_Cool_178 and Mercution {his design of this tut} for providing me with LOGOs
tHe CrEaM members {for their good intent to help everybody}
To every one who makes tutorials
Cool coders:
Terminal Cilla, AntiXrist, Chafe, The+Q, LaZaRuS, Lucifer48, FatboyJoe (great coder)
CzDrillard { he is great in making good Math algos}
Reversers :
Yates,TSCube, and everybody I forgot to add..
The end.
Any mistakes, corrections, or comments may be mailed to the members individually, or to the group : hellforge@hellforge.org.