                  p r o u d l y     p r e s e n t s

                                                                 www.tscube.cjb.net


                        Tutorial for Wilse ARTEMIS crackme



1. Intro


For the Romans, Artemis was the goddess of hunting, so prepare yourself!

This is indeed an interesting crackme; to solve it, we have 3 things to do:

1) Find out WHERE to enter our name/serial
2) Find out HOW to enter our name/serial
3) Find a good name/serial combination



2. Let's start by having a full dead listing



This step is not really necessary, but whenever possible, I like to have a full dead listing.

The crackme is packed with neolite (there is a .neolit section), but Procdump doesn't seem to
be able to unpack it correctly, so we'll have to do it by hand.

I don't want to waste too much time explaining how to manually unpack a proggy, so I'll just
give the main steps of the process :

- Change the first section's characteristics from C0000080 to E0000020
- Use SICE loader to break on entrypoint
- 'BPX 4111D0' then F10 (to reach the end of the unpacking process) -> @4111D0 : JMP EAX
- 'A' then 'JMP EIP' (program enters in an endless loop)
- 'BC *' & F10 to let the crackme run
- Open Procdump
- Left click on 'artemis.exe' in the list of the running tasks
- Select 'Dump (full)' and save the dump ('artemis_dump.exe' for ex.)
- Again, left click on 'artemis.exe' in the list of the running tasks
- Select 'Kill task'

Now you have an unpacked crackme that you can disassemble (purists can also fix the entrypoint,
but it's not necessary).



3. First challenge: WHERE to enter our name/serial?



Hum... we got 2 buttons (Exit & About) and Genocide Crew's URL.

You can try different key combinations: 'ALT R' or anything else to see if something happens...
but nothing will happen, so let's have a look at our dead listing:


	3.1. A journey in the dead listing

If you look at the string references, you'll see something interesting :


* Possible StringData Ref from Data Obj ->"Name"
                                  |
:00401275 681A214000              push 0040211A

* Possible StringData Ref from Data Obj ->"EDIT"
                                  |
:0040127A 683F204000              push 0040203F


Hum... it looks like the name/serial EDIT fields are hidden! If you scroll up a bit, you'll see
this:


* Referenced by a CALL at Address:
|:0040123D   
|
:00401243 81FF7D010000            cmp edi, 0000017D
:00401249 0F859E000000            jne 004012ED
:0040124F 33C0                    xor eax, eax
:00401251 50                      push eax


Muhahaha: a conditional jump!!!

The solution is there: if we reach the code at @40124F, the name/serial EDIT fields will appear!
(I know it because I tried ;)
Here is the code snippet that interests us:

<-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><->

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040121D(U), :00401226(C)
|
:0040120F 0FB608                  movzx ecx, byte ptr [eax] <-------+
:00401212 85C9                    test ecx, ecx                     |
:00401214 742C                    je 00401242                       |
:00401216 03F1                    add esi, ecx                      |
:00401218 3BCA                    cmp ecx, edx                      |
:0040121A 7403                    je 0040121F                       |
:0040121C 40                      inc eax                           | This loop adds the ASCII
:0040121D EBF0                    jmp 0040120F ---------------------+ values of the first
                                                                    | command line parameter
* Referenced by a (U)nconditional or (C)onditional Jump at Address: | (ie : complete path and
|:0040121A(C)                                                       | name of crackme)
|                                                                   |
:0040121F 40                      inc eax                           |
:00401220 0FB608                  movzx ecx, byte ptr [eax]         |
:00401223 80F920                  cmp cl, 20                        |
:00401226 75E7                    jne 0040120F ---------------------+

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401231(U)
|
:00401228 40                      inc eax <--------------------+
:00401229 0FB608                  movzx ecx, byte ptr [eax]    | This loop adds the ASCII values
:0040122C 67E304                  jcxz 00401233                | of the second command line
:0040122F 03F9                    add edi, ecx                 | parameter
:00401231 EBF5                    jmp 00401228 ----------------+
:00401233 2BF7                    sub esi, edi
:00401235 81FEAA0A0000            cmp esi, 00000AAA
:0040123B 7505                    jne 00401242 -> fuck off
:0040123D E801000000              call 00401243

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401214(C), :0040123B(C)
|
:00401242 C3                      ret

* Referenced by a CALL at Address:
|:0040123D   
|
:00401243 81FF7D010000            cmp edi, 0000017D
:00401249 0F859E000000            jne 004012ED -> fuck off
:0040124F 33C0                    xor eax, eax

[THE NAME/SERIAL EDIT FIELDS WILL APPEAR IF WE LAND HERE]

<-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><->


The interesting thing is that this code snippet is called during the crackme initialisation,
so what information can be checked? A keyfile? No!

:0040120F 0FB608                  movzx ecx, byte ptr [eax]

If you do a 'D EAX' you'll see something like this: "C:\CRACKME\GC\WILSE\ARTEMIS.EXE"
=> That's the command line!!!
The crackme checks the command line to see if you're 'authorised' to enter your name/serial ;)


	3.2. The command line parameters


The above code snippet does the following things:

1. It computes the sum of the ASCII values of the first command line parameter, which is also
   the complete path and name of the crackme (the addition is made at @401216)

2. It computes the sum of the ASCII values of the second command line parameter (the addition
   is made at @40122F)

3. It subtracts the 2 sums (@401235) and checks if the result is equal to 0xAAA

4. It checks if the second sum is equal to 0x17D (@401243)

Of course, when you run the crackme by double-clicking on it with your mouse, there is NO
second command line parameter!
So, open a DOS shell, and run the crackme by typing: 'ARTEMIS 123456789'


	3.3. How to use SICE and a DOS shell


I'm sure most of you use SICE Loader to start debugging a proggy. But in this case you can't,
because you NEED to open a DOS shell to run the crackme.
Still stuck? Here is how to do it:

1. Use SICE loader to run the crackme without using a DOS shell and do a 'BPM 40120F X'
2. Exit the crackme, open a DOS shell and type 'ARTEMIS 123456789'

SICE should pop thanks to the previous breakpoint.

If you have a better solution, drop me a mail ! ;)


	3.4. An example


Look at the 4 steps from 3.2 :
{ sum1 - sum2 = 0xAAA
{ sum2 = 0x17D

that means that sum1 = 0xAAA + 0x17D = 0xC27 

{ sum1 = 0xC27 -> sum of ASCII values of first command line parameter = 0xC27
{ sum2 = 0x17D -> sum of ASCII values of second command line parameter = 0x17D

Let's say the crackme 'ARTEMIS.EXE' is located in 'C:\ACFBFDC', and that you run it by typing
'ARTEMIS 123456789'

first command line argument  = "C:\ACFBFDC\ARTEMIS.EXE" (don't forget the 2 ")
second command line argument = '123456789' 

{ sum1 = '"' + 'C' + ':' + '\' + 'A' + ... + 'X' + 'E' + '"' = 0x677
{ sum2 = '1' + '2' ... +'9' = 0x1DD


	3.5. It's now time to make the name/serial EDIT fields appear


{ sum1 = 0xC27
{ sum2 = 0x17D

Well, I know it sounds curious, but the crackme must be placed in a special directory to be
solved ! There are lots of possibilities, here are my own arguments:

first command line argument  : "C:\CRACKME\WILSE\HHHJ\ACFBFDC\ARTEMIS.EXE" (sum=0xC27)
second command line argument : JJJJU (sum = 0x17D)

That means the crackme must be placed in the 'c:\crackme\wilse\hhhj\acfbfdc' directory and
must be run with 'artemis JJJJU'

Of course, you can use your own directory names, but keep in mind the following things:
- Use DOS names only (ie 7 letters maximum for each directory name)
- Don't forget the 2 " which are added for the first command line parameter
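To make the two sums and the role of the quotes concrete, here is a Python emulation of the two loops at @40120F and @401228, added here as an example (it is not code from the tutorial or its keygen). The listing shown never loads EDX; the sums given above (both quotes counted, the separating space not) are only consistent with EDX holding the quote character, so the code assumes that.

```python
QUOTE = 0x22   # assumed value of EDX (never loaded in the listing shown): cmp ecx, edx @401218
SPACE = 0x20   # cmp cl, 20 @401223


def command_line_sums(cmdline):
    """Walks the raw command line (the string seen with 'D EAX') exactly like the
    loops at 0040120F and 00401228.  Returns (sum1, sum2), or None where the first
    loop meets a NUL and the original just returns without showing the EDIT fields."""
    i, esi, edi = 0, 0, 0
    while True:                                       # loop at 0040120F
        ecx = cmdline[i] if i < len(cmdline) else 0   # movzx ecx, byte ptr [eax]
        if ecx == 0:
            return None                               # je 00401242 -> ret
        esi += ecx                                    # add esi, ecx (quotes are summed too)
        if ecx == QUOTE:                              # cmp ecx, edx / je 0040121F
            i += 1                                    # inc eax
            nxt = cmdline[i] if i < len(cmdline) else 0
            if nxt == SPACE:                          # cmp cl, 20 / jne 0040120F
                break                                 # closing quote + space: fall through
            continue                                  # opening quote: keep summing
        i += 1                                        # inc eax / jmp 0040120F
    while True:                                       # loop at 00401228
        i += 1                                        # inc eax
        ecx = cmdline[i] if i < len(cmdline) else 0
        if ecx == 0:                                  # jcxz 00401233
            break
        edi += ecx                                    # add edi, ecx
    return esi, edi


def gate_opens(cmdline):
    """The two comparisons at 00401235 and 00401243: sum1 - sum2 == 0xAAA and sum2 == 0x17D."""
    sums = command_line_sums(cmdline)
    return sums is not None and sums[0] - sums[1] == 0xAAA and sums[1] == 0x17D


if __name__ == "__main__":
    # The directory from section 3.4 and the author's final directory/argument.
    print([hex(v) for v in command_line_sums(b'"C:\\ACFBFDC\\ARTEMIS.EXE" 123456789')])  # ['0x677', '0x1dd']
    print(gate_opens(b'"C:\\CRACKME\\WILSE\\HHHJ\\ACFBFDC\\ARTEMIS.EXE" JJJJU'))            # True
```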



4. Second challenge: HOW to enter our name/serial?



Hey, the name/serial fields are GRAYED!!! We need to ungray them before being able to type
anything. Since Chapter 3 was a bit long and since chapter 5 is going to be as long, I'll only
tell you this:

==> click on 'http://www.genocidecrew.cjb.net/' to ungray the name/serial EDIT boxes

If you wanna know why, 'BPM 401378 X' and look what happens when you click on various items of
the main window.

(To be honest, I managed to ungray them by clicking a bit everywhere in the main window, THEN I
looked at the dead listing to understand how it worked... that's called LUCK ;)



5. Third challenge: Finding a good name/serial combination



	5.1. Back to the dead listing

Enter your name, serial, 'BPX HMEMCPY'... etc... until you land here :


<-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><->

* Possible StringData Ref from Data Obj ->"Name"
                                  |
:0040152B 681A214000              push 0040211A
:00401530 6A09                    push 00000009
:00401532 6A0D                    push 0000000D
:00401534 FF3546214000            push dword ptr [00402146]
:0040153A E886000000              call 004015C5

* Possible StringData Ref from Data Obj ->"Serial Number"
                                  |
:0040153F 680C214000              push 0040210C
:00401544 6A09                    push 00000009
:00401546 6A0D                    push 0000000D
:00401548 FF354A214000            push dword ptr [0040214A]
:0040154E E872000000              call 004015C5

* Possible StringData Ref from Data Obj ->"Name"
                                  |
:00401553 BE1A214000              mov esi, 0040211A -> entered_name
:00401558 8BFE                    mov edi, esi
:0040155A 83C744                  add edi, 00000044 -> EDI points to clipboard content !

(see below for more explanations)

:0040155D 33C9                    xor ecx, ecx
:0040155F 8BD9                    mov ebx, ecx
:00401561 41                      inc ecx
:00401562 C1E103                  shl ecx, 03 -> ECX=8
:00401565 51                      push ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401588(U)
|


begin_loop_1
-------------

We will loop 8 times (name and clipboard_content must have at least 8 letters)

:00401566 0FB606                  movzx eax, byte ptr [esi] -> name[i]
:00401569 85C0                    test eax, eax
:0040156B 7442                    je 004015AF -> fuck off
:0040156D D40A                    aam
:0040156F 03D8                    add ebx, eax
:00401571 0FB607                  movzx eax, byte ptr [edi] -> clipboard[i]
:00401574 85C0                    test eax, eax
:00401576 7437                    je 004015AF -> fuck off
:00401578 8AE0                    mov ah, al
:0040157A D50A                    aad
:0040157C 99                      cdq
:0040157D 0FAFC3                  imul eax, ebx
:00401580 03D8                    add ebx, eax
:00401582 49                      dec ecx
:00401583 46                      inc esi
:00401584 47                      inc edi
:00401585 67E302                  jcxz 0040158A
:00401588 EBDC                    jmp 00401566

end_loop_1
----------


:0040158A 59                      pop ecx
:0040158B 51                      push ecx
:0040158C 2BF9                    sub edi, ecx

* Possible StringData Ref from Data Obj ->"Serial Number"
                                  |
:0040158E BE0C214000              mov esi, 0040210C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004015A8(U)


begin_loop_2
------------

We loop 2 times

:00401593 83E904                  sub ecx, 00000004
:00401596 8B07                    mov eax, dword ptr [edi] -> first or second DWORD of clipboard
:00401598 33D8                    xor ebx, eax
:0040159A 331E                    xor ebx, dword ptr [esi] -> first or second DWORD of serial
:0040159C 85DB                    test ebx, ebx
:0040159E 750F                    jne 004015AF -> fuck off
:004015A0 85C9                    test ecx, ecx
:004015A2 7406                    je 004015AA -> registered
:004015A4 03F9                    add edi, ecx
:004015A6 03F1                    add esi, ecx
:004015A8 EBE9                    jmp 00401593

end_loop_2
-----------


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004015A2(C)
|
:004015AA 58                      pop eax
:004015AB 83E803                  sub eax, 00000003
:004015AE C3                      ret -> REGISTERED


<-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><->


Well, when I reached this line :

:00401571 0FB607                  movzx eax, byte ptr [edi]

I said to myself : "what is stored at the address pointed to by EDI ?". 
It's not the name, it's not the serial, it's not an argument of the command line...

So, I did a 'BPM EDI', then I ran the crackme again to see when this address was read/written.

finally, I landed here :


:00401433 68BF214000              push 004021BF
:00401438 FF7508                  push [ebp+08]
:0040143B E891010000              call 004015D1 -> BEGINPAINT
:00401440 6A00                    push 00000000
:00401442 E8D8010000              call 0040161F -> OPENCLIPBOARD
:00401447 6A01                    push 00000001
:00401449 E8AD010000              call 004015FB -> GETCLIPBOARDDATA
:0040144E 85C0                    test eax, eax
:00401450 740E                    je 00401460
:00401452 8BF0                    mov esi, eax
:00401454 BF5E214000              mov edi, 0040215E
:00401459 A5                      movsd -> SICE pops here because of the 'BPM EDI'
:0040145A A5                      movsd
:0040145B E877010000              call 004015D7 -> CLOSECLIPBOARD


If you haven't heard of these APIs, take your WIN32API refs... yeah, you got it: the crackme
uses the content of the clipboard to check if the serial is correct!!!

(for absolute newbies, the clipboard is where Windows stores the info after a CTRL^C (copy))


	5.2. Time for a keygen

As I said (!) a few lines above, the crackme uses the name/serial/clipboard_content to check if
you are registered.

I've included a keygen that uses brute force to generate all possible serial/clipboard_content
values. To understand the serial check routine better, look at the 'check()' function, which is
a 'C' translation of the dead listing.

here is a possible serial for me :

Name : The Skiing Cube
Clipboard_content : 00001718 (select this number and do a CTRL^C to place it into the clipboard)
Serial : Azck1718
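A Python translation of the check routine at @401553-@4015AE, added here as an example (it is not the author's C 'check()' function), with the AAM/AAD steps spelled out in 8-bit arithmetic and the name/clipboard/serial values just given used as the test input.

```python
MASK32 = 0xFFFFFFFF


def aam(al):
    """AAM (D4 0A): AH = AL // 10, AL = AL % 10; bits 16-31 are already zero after MOVZX."""
    return ((al // 10) << 8) | (al % 10)


def mov_ah_al_aad(al):
    """MOV AH,AL then AAD (D5 0A): AL = (AH*10 + AL) & 0xFF, AH = 0, i.e. (11*AL) & 0xFF."""
    return (al * 10 + al) & 0xFF


def loop1_hash(name, clipboard):
    """begin_loop_1 .. end_loop_1: folds the first 8 bytes of name and clipboard into EBX.
    Returns None where the original jumps to 'fuck off' (a NUL within those 8 bytes)."""
    ebx = 0
    for i in range(8):                        # ECX = 1 << 3
        if i >= len(name) or name[i] == 0:    # test eax, eax / je 004015AF
            return None
        ebx = (ebx + aam(name[i])) & MASK32   # add ebx, eax
        if i >= len(clipboard) or clipboard[i] == 0:
            return None
        eax = mov_ah_al_aad(clipboard[i])
        eax = (eax * ebx) & MASK32            # imul eax, ebx (the cdq plays no role here)
        ebx = (ebx + eax) & MASK32            # add ebx, eax
    return ebx


def check(name, clipboard, serial):
    """True where the routine reaches 'ret -> REGISTERED'."""
    n, c, s = name.encode("latin-1"), clipboard.encode("latin-1"), serial.encode("latin-1")
    ebx = loop1_hash(n, c)
    if ebx is None:
        return False
    # begin_loop_2 .. end_loop_2: twice  ebx ^= clipboard_dword ; ebx ^= serial_dword ; must be 0.
    # After round 1 EBX is 0, so round 2 simply demands serial[4:8] == clipboard[4:8].
    for off in (0, 4):
        ebx ^= int.from_bytes(c[off:off + 4], "little")   # mov eax, [edi] / xor ebx, eax
        ebx ^= int.from_bytes(s[off:off + 4], "little")   # xor ebx, [esi]
        if ebx != 0:                                       # jne 004015AF -> fuck off
            return False
    return True                                            # je 004015AA -> registered


if __name__ == "__main__":
    # The values given above: name "The Skiing Cube", clipboard "00001718", serial "Azck1718".
    print(check("The Skiing Cube", "00001718", "Azck1718"))   # True
```

The first serial DWORD is just EBX XOR the first clipboard DWORD, which is why the author's keygen has to brute-force clipboard values until those four bytes come out typeable.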


6. Outro


Sorry if I've left a few dark points, but I didn't want to make the tut too long. Anyway, feel
free to mail me if you have questions.

For additional information, I'll tell you that "SigSoftware Email Effects 1.6" also uses
the clipboard in the serial check routine.

Quote from the crackme .nfo file : "[This crackme is] still a piece of cake (I hope I'm just 
being modest)"... REALLY ???? ;)


    ________     _______     _______
   /__   __/\   /  ____/\   /  ____/\
   \_/  /\_\/  /  /\___\/  /  /\___\/
    /  / /    /  /_/_     /  / / 
   /  / /    /____  /\   /  / /
  /  / /     \___/ / /  /  / /
 /  / /     ____/ / /  /  /_/_
/  / /     /_____/ /  /______/\
\__\/      \_____\/   \______\/ 02/07/2000


www.tscube.cjb.net