www.tscube.cjb.net proudly presents



Tutorial for Krypton crackme #1


note : the crackme crashes under NT




1. Intro


This Win32Asm crackme features :
- Keyfile protection
- SICE detection
- Encryption
- Self-modifying code

The keyfile protection is not very interesting : the 21 bytes of the keyfile are checked one by
one, nothing more. The interesting part is rather the encryption/self-modifying code.

The other interesting thing for you (I hope ;) is the fact that I've also included a FULL 
commented dead listing of the crackme...



2. I want a clean dead listing !!!


Really ? But Krypton says that "you cant use disassembler and patch the programm" !
You don't care ? OK ! ;)

If you disassemble the crackme directly, you'll end up with garbage code because the crackme is
encrypted. Luckily, the decryption routine only runs while the crackme is starting up (this is
also the case for all ready-made encryptors). That means that once the crackme is fully running,
it is fully decrypted in memory.

So, run the crackme. Then run Procdump, right-click on 'krypton.exe' in the list of running
tasks and choose 'Full Dump'. That's all there is to it : you now have a decrypted version of
the crackme that you can disassemble (however, don't run the dumped copy).

As I said before, I've included a fully commented dead listing of this crackme : keep it at
hand while you read this tutorial.



3. First trick : the CreateProcess API


If you debug the crackme with your favorite debugger, you'll see that you "lose control"
at @401048, which corresponds to the CreateProcess API.

This idea was ripped from one of Stone's source files... which is also included with this
tutorial -> 'stnspw.zip'

The crackme spawns another copy of itself, then kills itself and lets the spawned copy run. The
command line is used to tell whether we are in the original instance or in the spawned one (read
Stone's sources for more details). This method can be used to fool basic process patchers and
maybe also to fool newbies ;)

To bypass this trick, use 'BPM <address> X' instead of 'BPM <address>' and you're done !



4. Second trick : the decryption loop


Nothing very fancy here, just a XOR decryption :

:004017F8 B859104000              mov eax, 00401059 -> we'll start the decryption here
:004017FD BA9D174000              mov edx, 0040179D -> we'll end here

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040180A(U)
|
:00401802 4A                      dec edx <-----------------+
:00401803 3BC2                    cmp eax, edx              |
:00401805 7405                    je 0040180C               | Decryption loop
:00401807 803211                  xor byte ptr [edx], 11    | (simple XOR)
:0040180A EBF6                    jmp 00401802 -------------+
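To see exactly which bytes this loop touches, here is an added Python emulation of the listing above (it is not code from the tutorial or from the crackme): it replays the loop with the same register values and XOR key over a constructed buffer standing in for the 401059..40179D region. Because edx is decremented before the compare, the byte at 40179D is never touched, and because the loop exits as soon as edx equals eax, 401059 itself is left alone too : the bytes actually decrypted are 40105A..40179C. The filler pattern, base address and function names are assumptions of this example.

```python
# Added example: emulate the XOR decryption loop at 401802-40180A over a
# constructed buffer. This is not the crackme's or the tutorial's code.
START = 0x401059   # mov eax, 00401059 : loop terminator
END   = 0x40179D   # mov edx, 0040179D : decremented before its first use
KEY   = 0x11       # xor byte ptr [edx], 11


def decrypt_region(image: bytes, base: int, eax: int = START, edx: int = END,
                   key: int = KEY) -> bytearray:
    """Replay the loop over 'image', a copy of memory that starts at 'base'.

    Mirrors the listing instruction by instruction:
        dec edx / cmp eax, edx / je exit / xor byte ptr [edx], key / jmp
    Returns the decrypted copy; the input is not modified.
    """
    out = bytearray(image)
    while True:
        edx -= 1                  # dec edx
        if eax == edx:            # cmp eax, edx ; je 0040180C
            break
        out[edx - base] ^= key    # xor byte ptr [edx], 11
    return out


def touched_range(eax: int = START, edx: int = END) -> tuple[int, int]:
    """Inclusive address range actually modified by the loop."""
    return (eax + 1, edx - 1)


def demo() -> dict:
    # Constructed stand-in for the 0x401059..0x40179D region: a known
    # pattern, so the effect of the XOR is easy to see.
    base = START
    size = END - base + 1
    plain = bytes([0x90] * size)           # NOP filler (constructed data)
    crypted = decrypt_region(plain, base)  # XOR is symmetric: this "encrypts"
    restored = decrypt_region(crypted, base)
    lo, hi = touched_range()
    return {
        "touched": (hex(lo), hex(hi)),
        "count": hi - lo + 1,
        "first_byte_untouched": crypted[0] == 0x90,         # 401059
        "last_byte_untouched": crypted[-1] == 0x90,         # 40179D
        "inner_byte_xored": crypted[1] == (0x90 ^ KEY),     # 40105A
        "round_trip_ok": restored == plain,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same emulation works on a file dumped with Procdump if you pass the bytes of the code section and its load address as 'base'; the fencepost behaviour is the thing to get right, since being off by one at either end leaves one byte garbled in the dead listing.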



5. Third trick : SICE detection


A simple INT 68 check (read the Frogsice documentation for more details) :

:0040185B B443                    mov ah, 43
:0040185D CD68                    int 68
:0040185F 663D86F3                cmp ax, F386
:00401863 7409                    je 0040186E
:00401865 C6054B23400063          mov byte ptr [0040234B], 63 -> SICE NOT detected
:0040186C FFE3                    jmp ebx -> 'JMP 40181B'

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401863(C)
|
:0040186E C6054B23400017          mov byte ptr [0040234B], 17 -> SICE detected
:00401875 FFE3                    jmp ebx -> 'JMP 40181B'



6. Finally, the keyfile check


The keyfile check starts at @401407 and ends at @401798 : look at the dead listing !

As you can see, this crackme is not very well coded because the SAME 13 lines are repeated
21 times... maybe the author has never heard of the word 'LOOP' ? ;)

Anyway, I've included a keyfile generator.

Don't forget to hide SICE before testing the keyfile !



7. Outro


I dedicate this tutorial to the French Soccer Team... which has taught us an important lesson :
don't count your chickens before they're hatched.

We would rather put it this way : don't sell the bear's skin before you've killed it.

    ________     _______     _______
   /__   __/\   /  ____/\   /  ____/\
   \_/  /\_\/  /  /\___\/  /  /\___\/
    /  / /    /  /_/_     /  / / 
   /  / /    /____  /\   /  / /
  /  / /     \___/ / /  /  / /
 /  / /     ____/ / /  /  /_/_
/  / /     /_____/ /  /______/\
\__\/      \_____\/   \______\/ 03/07/2000

www.tscube.cjb.net