

                     L                ZZZZZZ         RRRRR           SSSSS
                     L                    Z          R    R         S
                     L          aaa      Z      aaa  R    R  u   u  S
                     L            a     Z         a  RRRRR   u   u  SSSSS
               XX    L         aaaa    Z       aaaa  R    R  u   u       S
              XXXX   L        a   a   Z       a   a  R    R  u   u       S
             XXXXXX  LLLLLLL  aaaaa  ZZZZZZZ  aaaaa  R    R  uuuuu  SSSSSS
             XXXXXX       
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
       XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
             XXXXXX
             XXXXXX
               XXXX        proudly presents his 27th Cracking Tutorial (31.07.1999)
               XX                       tKC's CiA Trial CrackMe 0.99

I.    Introduction
I.1   The tools
II.   The essay
III.  BTW

I.   This essay is not only about a CrackMe, but about one of the (at least for me) most
     fascinating things you can do with an EXE file: redirecting the flow of instructions, so
     that you are able to patch even packed files. The work on this CrackMe is actually a
     co-production of me (lame parts) and R!SC (harder parts). I will tell later who made
     which parts.

I.1  One of those rare problems where I have to lay W32Dasm aside :( - So SICE (SoftICE) is
     our tool today. A hexeditor is needed, too - I use (as always) HexWorkshop. And I nearly
     forgot: Procdump is needed, too.

II.  The essay
     The CrackMe wants you to patch away a nag-screen, get a serial and a name/serial
     combination. Let's start with the first serial (TryMe #1), as this is the easiest part
     of the CrackMe.
     Start TryMe #1 and enter any serial you wish: I have chosen 666999. Set a breakpoint on
     hmemcpy (bpx hmemcpy), leave SICE and push OK. SICE will break. Now push [F12] until you
     are in "useful" code. Useful is defined as code which has an address that looks like
     XXXX:XXXXXXXX (not XXXX:XXXX, which is 16-bit system code such as hmemcpy itself) and
     you don't see a "ret" in the next 5 or 6 lines. In this case you will come to :0045AEAB.
     Just trace down ([F10]) until you reach :0045AEBF and enter "d edx". There you will see
     a *long* string (48 chars). If you enter "d eax" you will see the serial you entered -
     it was moved into eax one line before, so your input and the long string sit side by
     side. This looks strange (at least for me ;). Let's write down this string:
     4E0A5C9B70A48ID501266ECB59423%9EAA0C58E844C7E9EE - Should this really be the first serial?
     Try it: It is so :)
     Now let's head for the name/serial combination: another part for me, as this is not too
     hard, either. Start TryMe #2 and enter any name and serial: I will use "LaZaRuS" and
     666999. Set a breakpoint on hmemcpy and push "OK". SICE will break. Now the CrackMe has
     read the text of only *one* edit field, so leave SICE ([CTRL]+[D]) and SICE will break
     again. Push [F12] until you find "useful" code. This time it is :0045FA6C. Hit [F10] once
     and enter "d edx". In the first line you will see your name and one line below there is
     something that might look like a serial: $21C5249D - Delete all breakpoints, leave SICE
     and enter $21C5249D as serial for "LaZaRuS". A nice sentence appears: "Congratz! Contact
     CiA to get your trial status!" Hehe, actually we did solve the serial, but there's one
     point missing. The nag-screen!
     btw: R!SC solved the serial, too (of course). His name/serial combination is R!SC /
     $C9ECB75B.

     The CrackMe is packed with Shrinker and that makes patching it a little harder. I didn't
     want to unpack it, as this is lame (IMHO). So I grabbed a tutorial about patching
     Shrinker packed files (better: Phantasm sent it to me; thanx man). This tutorial was
     written by R!SC and I found it just great (and the best: it is really easy to
     understand). You will find it quickly (mail me if you don't).
     So I started to work: The byte to patch was quickly found - :00459BC2. (Actually R!SC
     found an even better one, :00460164.) From now on I assume you have read R!SC's tut or
     you are at least familiar with redirecting code.
     The first thing we have to find is the entry point of the program. SICE Loader will be of
     no help here, as it doesn't work. So we have to find a different way: Start Procdump
     and load the CrackMe into the "PE Editor". You will see that the entry point is 8C3DA
     (a virtual offset, relative to the image base). Now look in the sections and search for
     the section that contains this address (look at "Virtual Offset"). We see ".load" is at
     8B000. And in the EXE file it starts at offset 2800 ("Raw Offset"). With an easy formula
     we find the real entry point in the EXE file: 8C3DA-8B000+2800=3BDA. So 3BDA is the file
     offset of the entry point. But how do we break on it? Load the EXE file into your
     hexeditor, note the byte at offset 3BDA (it is 83; we need it again in a moment) and
     change it to CC. This is the opcode for INT 3, so with "bpint 03" we make SICE break on
     it. If you start the CrackMe now, SICE breaks right at the start and you can trace
     through the code. First we have to undo the change (CC back to 83), so that the real
     first instruction gets executed. We do this by writing "e eip 83". Then we can start
     tracing. Trace until you reach the call at :0048C45C. If you trace over this one, the
     nag appears, so we have to enter it ([F8]). Trace on until you come to "Call [ebp-20]".
     This is the end of the Shrinker section. Write down the hexcodes of the call and the
     push that is right in front of it. They are FF7508FF55E0. Search for them in a
     hexeditor and write down the offset.
     It is 3CDC. That's all nice, but what's the use of it? To explain shortly: We have to
     redirect the flow of the instructions to code that we wrote and that patches the byte
     at address :00460164 (the nag). The starting point for this is the call that is the end
     of the Shrinker unpacking. Now let's search for some unused data inside the EXE file
     where we can "code" our instructions. You will recognize it by a large row of 00h. R!SC
     has chosen 5530 (I had chosen something else, but that would have worked, too ;) so we
     take this one. To find this section in SICE we have to enter something we can easily
     search for: I entered "lazarro". (By all means: Don't use "GotYa" or "HelloWorld". When
     I traced over them, my PC rebooted and all I didn't save was lost). Now start SICE,
     change the CC back to 83 and trace until you come to the last "push" in front of the
     "call [ebp-20]". Then search for "lazarro" (s 0 l ffffffff 'lazarr'). You will find it at
     :0048DD30. Enter "a eip" to change the current instruction and then enter "jmp 48DD30".
     Trace on and you will come to your code (lazarro). Now my great problem came. I thought
     the file was packed four times, but it was packed only once and encrypted three times.
     So I wanted to synchronize all packers with several instruction redirections. It didn't
     work and I begged R!SC to help me. He recognized that it was encrypted by adding 7Bh to
     every byte (3 times, so 3*7Bh). If it weren't encrypted the change would have been
     simple. After jumping to "lazarro" you would have entered "a eip" to change the
     instructions and you would have entered:

     mov byte ptr [460164], B8  // change the Call to a Mov: B8 is "mov eax, imm32", which
                                // swallows the call's 4-byte displacement as its operand, so
                                // the nag is never called and the code after it stays aligned
     push dword ptr [ebp+08]    // the push that was overwritten by the jmp
     call [ebp-20]              // the call that was overwritten, too

     It is encrypted by adding 7Bh three times, and the three decryption passes that run after
     our code each subtract 7Bh again from every byte. So the byte we store must be
     B8h + 3*7Bh = B8h + 171h = 229h, which truncated to a byte is 29h (subtracting instead
     would give 47h, and that does not work). So change the first line to
     "mov byte ptr [460164], 29". If it doesn't work you made a mistake. I would suggest
     studying this essay and especially R!SC's essay again.
     If it works, the changes are only for one session of the program. If we restart it, it
     will display the nagscreen again. So we have to patch the EXE file. The first thing we
     have to patch is the push/call into a jmp. We found earlier that it is located at 3CDC.
     So change the code there to "E94F180000", which is "jmp 48DD30" (the jmp is 5 bytes and
     overwrites only the first 5 of the 6 bytes FF7508FF55E0; the leftover E0 is never
     executed). You can easily get these bytes when you patch in SICE. Now let's go to the
     "lazarro" section (5530). You can get the values we have to change by patching "on the
     fly" in SICE. They are C6056401460029FF7508FF55E0 (the mov, the push and the call from
     above, in that order). Replace lazarro with them and start the EXE file. Now the
     nagscreen should be gone. If not, you made a mistake. Read this essay again and you will
     surely find it. To "understand" the whys and wheres read R!SC's essay.
     So, that was all: At the end I want to thank R!SC for his support and Phantasm for the tut.
     You will find R!SC's help for me in the textfile risc.txt.
     The patch was made with Eternal Bliss' and Borna Janes' patch engine.
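
     The arithmetic of section II (RVA to file offset, the rel32 of the redirecting jmp, the
     pre-decryption value of the patched byte, and the two file edits) is collected below
     as an added Python example. It is not part of this essay, of R!SC's essay, or of the
     patch engine named above. It assumes the usual image base of 400000h and a section
     size for ".load" large enough to cover the addresses used; the "image" it patches is a
     constructed stand-in containing only the bytes the essay relies on, not the CrackMe.

```python
import struct

IMAGE_BASE = 0x400000  # assumption: the usual Win32 image base; it matches the :0048xxxx
                       # addresses SoftICE shows for the .load section in the essay

# Section table in Procdump's terms: (name, virtual offset, raw offset, raw size).
# The offsets are the ones from the essay; the size is an assumption big enough to cover
# every address used here (Procdump would show the real one).
SECTIONS = [(".load", 0x8B000, 0x2800, 0x4000)]

def rva_to_file_offset(rva, sections=SECTIONS):
    """8C3DA - 8B000 + 2800 = 3BDA, generalised: locate the containing section and rebase."""
    for _name, virt, raw, size in sections:
        if virt <= rva < virt + size:
            return rva - virt + raw
    raise ValueError(f"RVA {rva:#x} lies in no section")

def file_offset_to_va(off, sections=SECTIONS, base=IMAGE_BASE):
    """The inverse: raw file offset -> virtual address as SoftICE displays it."""
    for _name, virt, raw, size in sections:
        if raw <= off < raw + size:
            return base + off - raw + virt
    raise ValueError(f"offset {off:#x} lies in no section")

def jmp_rel32(src_va, dst_va):
    """Encode 'jmp dst' placed at src: E9 plus the displacement measured from the end of
    the 5-byte instruction, as a little-endian 32-bit value."""
    disp = (dst_va - (src_va + 5)) & 0xFFFFFFFF
    return b"\xE9" + struct.pack("<I", disp)

def byte_to_store(wanted, delta=0x7B, passes=3):
    """The three decryption passes that run after our cave code each subtract `delta`
    from the byte, so we must store wanted + passes*delta, truncated to 8 bits."""
    return (wanted + passes * delta) & 0xFF

def cave_code(target_va, imm8, push_disp8, call_disp8):
    """mov byte ptr [target], imm8 / push dword ptr [ebp+d8] / call [ebp+d8]; the last
    two re-create the instructions that the redirecting jmp overwrote."""
    mov = b"\xC6\x05" + struct.pack("<I", target_va) + bytes([imm8])
    push = b"\xFF\x75" + bytes([push_disp8 & 0xFF])
    call = b"\xFF\x55" + bytes([call_disp8 & 0xFF])
    return mov + push + call

def patch(data, off, expected, new):
    """Overwrite data[off:] with `new`, but only if the bytes there are the ones we expect;
    a different build of the target must fail loudly rather than end up half-patched."""
    found = data[off:off + len(expected)]
    if found != expected:
        raise ValueError(f"unexpected bytes at {off:#x}: {found.hex()}")
    buf = bytearray(data)
    buf[off:off + len(new)] = new
    return bytes(buf)

def set_int3_on_entry(image, entry_rva=0x8C3DA):
    """First step of the essay: put CC on the entry point and remember the byte it
    replaced, because 'e eip <byte>' has to restore it once SoftICE has broken."""
    off = rva_to_file_offset(entry_rva)
    original = image[off]
    return patch(image, off, bytes([original]), b"\xCC"), original

def build_nag_patch(image):
    """Both file edits from the essay: push/call -> jmp to the cave, cave -> our code.
    The jmp is 5 bytes, so the 6th byte of the original push/call is left untouched."""
    jmp_off, cave_off = 0x3CDC, 0x5530
    redirect = jmp_rel32(file_offset_to_va(jmp_off), file_offset_to_va(cave_off))
    code = cave_code(0x460164, byte_to_store(0xB8), 0x08, 0xE0)
    out = patch(image, jmp_off, bytes.fromhex("FF7508FF55E0"), redirect)
    return patch(out, cave_off, b"lazarro", code)

def sample_image():
    """Constructed stand-in for the CrackMe: zeros plus the few bytes the essay relies on."""
    img = bytearray(0x6000)
    img[0x3BDA] = 0x83
    img[0x3CDC:0x3CE2] = bytes.fromhex("FF7508FF55E0")
    img[0x5530:0x5537] = b"lazarro"
    return bytes(img)

if __name__ == "__main__":
    marked, orig = set_int3_on_entry(sample_image())
    print(f"entry point at file offset {rva_to_file_offset(0x8C3DA):#x}, original byte {orig:02X}")
    patched = build_nag_patch(sample_image())
    print("bytes at 3CDC:", patched[0x3CDC:0x3CE2].hex().upper())
    print("bytes at 5530:", patched[0x5530:0x553D].hex().upper())
```

     The `patch` helper refuses to write unless the bytes it is about to overwrite are the
     ones the essay found (FF7508FF55E0 and "lazarro"), which is the check a one-off hex edit
     silently skips; and `byte_to_store` makes the direction of the 7Bh adjustment explicit,
     since getting it backwards yields 47h instead of 29h and the nag stays.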
 
III. BTW
     
     Greets to: tKC, Ed!son, Moral Insanity, +Sandman, Fravia+ and everyone at #cracking4newbies,
     +Sandman's forum and Fravia+'s forum.