Cracking Immortal Descendants CrackMe 8

"Well, I'll refrain from commenting this tutorial too much, its VB6 reversing for newbies really, and ManKind has left a few too many gaps in his work in my opinion, yet you are welcome to disagree :-), see I reckon both the matrix protection and function disable could have been expanded upon, the function enable described by ManKind is of course only active whilst The Customiser is running (or at least thats the case for the version I have), hows about a small addition describing how we might do it permanently?, if you can save your Customiser changes hows about a small text on the differences :-)." "Slightly Edited by CrackZ".

Tutorial : Cracking Immortal Descendants CrackMe 8.

Target : Immortal Descendants CrackMe 8, http://www.ImmortalDescendants.org

Tools : SoftICE v3.24, W32Dasm 8.9x, HIEW 6.x, The Customiser.

Date : 13th December 1999 (Last updated : 12th February 2000).

Description & Comments :- This is a very good CrackMe from WhizKid of Immortal Descendants. I have two main reasons for writing this tutorial: firstly because I would like to support the good work of the Immortal Descendants, and secondly because I want to prove that VB programs are not as hard for newbies as they seem; sometimes they are even easier to attack. Anyway, I would like to take this chance to greet all the Immortal Descendants members. Lastly, before proceeding, I have to remind you that your SoftICE must be correctly configured to be able to follow this tutorial easily (contact me if you don't know how).

Protection : Nag, keyfile, matrix, name/serial, serial, disabled.

This tutorial is © 1999 - 2000 ManKind.

Starting words

Hello, welcome to my tutorial. I am ManKind, a newbie to cracking who would like to share my cracking exploits with other newbies. Contact me at mankind001@bigfoot.com.


The process

The nag on startup :- Firstly, get the CrackMe and run it. You see the nag saying that we are not registered, right? We will kill that nag. Exit the program. Go into SoftICE and set a breakpoint like so :-

bpx msvbvm60!rtcmsgbox

Why do I set the above breakpoint? Because this is a VB6 program and rtcMsgBox is the runtime function that VB programs import to display a message box. Run the CrackMe again and SoftICE will pop up. Press F11 once, the message box will show up, press the OK button and SoftICE will pop up again. You will see the code below :-

:0040FDDA CALL [MSVBVM60!rtcMsgBox]
:0040FDE0 LEA ECX,[EBP-1C] ; you will land here

Notice the CALL? I wonder whether we can bypass it. Disassemble the CrackMe with W32Dasm (or any other disassembler), select from the menu to go to code location, enter 0040FDDA and you will see the code below :-

:0040FDDA CALL DWORD PTR [00401050]

Note down the file offset that W32Dasm shows for this line (the file offset, not the address). Go into HIEW (or any other hex editor), load the CrackMe, press Enter twice to go into hex mode, press F5 and enter the offset you noted down. The CALL consists of 6 bytes, so NOP all 6 of them (F3 to edit, change each byte into 90). Press F9 to save and F10 to exit HIEW. Run the CrackMe again. Hey, now where has the nag gone? :-).
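As an added example (not from ManKind's tutorial), here is what the "note down the offset" step does under the hood, plus the check worth making before editing any byte: translate the virtual address 0040FDDA into a file offset through the PE section table, then confirm that the 6 bytes there really are FF 15 followed by a 4-byte pointer, i.e. CALL DWORD PTR [00401050]. The PE header, section layout and file offset below are constructed for the demonstration, not taken from the CrackMe.

```python
import struct

IMAGE_BASE = 0x00400000

def build_sample_pe():
    """Constructed PE32 skeleton (NOT the CrackMe's real file): DOS header with
    e_lfanew, PE signature, file header, optional header with ImageBase, and one
    .text section mapped at RVA 0x1000 from file offset 0x400."""
    hdr = bytearray(0x400)                              # headers fill one file page
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)             # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = 0x58                                          # optional header start
    struct.pack_into("<H", hdr, opt, 0x10B)             # PE32 magic
    struct.pack_into("<I", hdr, opt + 28, IMAGE_BASE)
    # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<8sIIII", hdr, opt + 0xE0, b".text", 0xF000, 0x1000, 0xF000, 0x400)
    body = bytearray(0xF000)
    # The tutorial's instruction at VA 0040FDDA: FF 15 <disp32> = CALL DWORD PTR [00401050]
    code = 0xFDDA - 0x1000
    body[code:code + 6] = bytes.fromhex("ff1550104000")
    return bytes(hdr + body)

def va_to_file_offset(pe, va):
    """Translate a virtual address to a file offset using the section table."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    nsect, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24
    image_base, = struct.unpack_from("<I", pe, opt + 28)
    rva = va - image_base
    for i in range(nsect):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rva - vaddr + rawptr
    raise ValueError("VA %#x lies in no section" % va)

def describe_indirect_call(pe, va):
    """Confirm the 6 bytes at va are CALL DWORD PTR [disp32] (opcode FF /2 with a
    ModRM byte of 15) and return (file_offset, address of the import slot called)."""
    off = va_to_file_offset(pe, va)
    insn = pe[off:off + 6]
    if insn[:2] != b"\xff\x15":
        raise ValueError("bytes at offset %#x are %s, not an indirect CALL" % (off, insn.hex()))
    slot, = struct.unpack_from("<I", insn, 2)
    return off, slot
```

describe_indirect_call(build_sample_pe(), 0x0040FDDA) returns (0xF1DA, 0x00401050) for this constructed layout; the ValueError is the signal that your offset arithmetic (or the disassembler's) is off.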

The easy serial

Actually, there are three main ways to fish out the easy serial here, and I have tried all three with success. The first is to use W32Dasm with SDR Enabler for VB Apps from Duelist of DREAD (this way is kind of lame), the second is SmartCheck (you will need to show all events to fish out the correct serial; I used version 6.01) and the third and most approved (or standard) way is of course our one and only SoftICE (actually, other debuggers may work too). Start the CrackMe, enter a fake serial (make it quite long, since the input field is so long), go into SoftICE and set a breakpoint like below :-

bpx msvbvm60!__vbastrcmp

Note that __vbastrcmp has two underscores. Why this breakpoint? Because this is one of the most used functions in VB to compare strings (well, in general you won't know exactly which one to use, but for this target I know this breakpoint is correct). Press the Check Key button, you will be thrown back into SoftICE, press F11 once and you will land on the code below :-

:0040E932 PUSH EAX ; prepare/load your fake serial you entered
:0040E933 PUSH 0040BAB0 ; prepare/load the correct serial
:0040E938 CALL [MSVBVM60!__vbaStrCmp] ; compare the two serials
:0040E93E MOV ESI,EAX ; you land here

Disable the breakpoint on msvbvm60!__vbastrcmp and set a breakpoint on 0040E932 so that when that line of code is being executed, SoftICE will break, the command as below :-

bpx 0040E933

Press Ctrl+D to go out of SoftICE, the wrong serial message box will appear, press OK and press the Check Key button again. SoftICE will pop up, the command below will show you the correct serial:

d 0040BAB0

You will see something like below in the data window :-

2.3.7.8.4.6.2.8.
3.5.6.2.6.7.....

Don't worry, this is normal for VB programs (the serial is in wide-char format, so every character is followed by a zero byte that the data window shows as a dot), so to get the correct serial just ignore all the dots. Enter the serial and press Check Key; a message box will quickly inform you that the easy serial part is now completed.
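The dots are not noise: __vbaStrCmp compares BSTRs, VB6's native string type, which is stored as UTF-16LE characters with a 4-byte byte-length prefix sitting just before the address that gets pushed, so each ASCII digit is followed by a 00 byte. The added example below (not part of the original tutorial) rebuilds that data-window view from a constructed memory image and decodes the string the same way you will for the harder serial, name/serial and keyfile sections later; the memory contents and addresses are constructed to match the display above.

```python
import struct

def render_ascii_column(buf, width=16):
    """Render bytes like a debugger data window's ASCII column: printable
    ASCII as itself, every other byte (including the UTF-16 NULs) as a dot."""
    return ["".join(chr(b) if 0x20 <= b < 0x7F else "." for b in buf[i:i + width])
            for i in range(0, len(buf), width)]

def read_bstr(mem, mem_base, ptr):
    """Read a BSTR from a memory image (bytes whose first byte lives at mem_base).
    ptr addresses the UTF-16LE characters; the 4-byte byte count sits at ptr-4,
    so the string is recovered without relying on the NUL terminator."""
    off = ptr - mem_base
    nbytes, = struct.unpack_from("<I", mem, off - 4)
    return mem[off:off + nbytes].decode("utf-16-le")

# Constructed memory image (not a dump from the CrackMe): the length prefix at
# 0040BAAC, the 14-character serial at 0040BAB0, then the BSTR's NUL terminator.
SERIAL = "23784628356267"
MEM_BASE = 0x0040BAAC
SAMPLE_MEM = (struct.pack("<I", len(SERIAL) * 2)
              + SERIAL.encode("utf-16-le")
              + b"\0\0"          # BSTR terminator
              + b"\0\0")         # padding out to the next 16-byte row

def dump_serial(mem=SAMPLE_MEM, mem_base=MEM_BASE, ptr=0x0040BAB0):
    """Return (the two data-window rows starting at ptr, the decoded serial),
    i.e. what 'd 0040BAB0' shows and what it means."""
    off = ptr - mem_base
    return render_ascii_column(mem[off:off + 32]), read_bstr(mem, mem_base, ptr)

if __name__ == "__main__":
    rows, serial = dump_serial()
    print("\n".join(rows))
    print("decoded:", serial)
```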

The harder serial

Well, I don't know why this part is considered a harder serial, because we can use the same method as for the easy serial; that is how I fished out a correct serial for this part. From the radio menu, select the harder serial part, enter some fake info, go into SoftICE and set a breakpoint like below :-

bpx msvbvm60!__vbastrcmp

Go out of SoftICE, press the Check Key button, SoftICE will pop up, press F11 once and you will see the code below :-

:0040EC41 PUSH EAX ; prepare/load the correct serial
:0040EC42 CALL [MSVBVM60!__vbaStrCmp] ; compare routine
:0040EC48 MOV ESI,EAX

Clear the breakpoint on msvbvm60!__vbastrcmp, set a breakpoint on 0040EC41 and exit SoftICE. The wrong serial message box will be displayed, press OK and press the Check Key button again. You will land on 0040EC41 and by using the below command you can see the correct serial for this part in the data window :-

d eax

The correct serial will again be in wide-char format, so pick out the characters between the dots as before and try the serial. Another part of the CrackMe is completed (three parts out of eight).

The name/serial

This is a bit harder because we don't know which breakpoint is appropriate (__vbastrcmp won't work), but hmemcpy should. This will require some tracing. First, in the radio menu, switch to the name/serial part and enter some fake info into both input fields, like I did below :-

ManKind
2319998

Go into SoftICE and set a breakpoint on hmemcpy. Go out of SoftICE and press the Check Key button. SoftICE will pop up; press F5 once to let SoftICE break on the second input field (the first break reads only the first input field), then press F12 until you are in MSVBVM60's code (you will know by looking at the bottom of the code window). Next, press F10 until you are in CrackMe8's code, and keep pressing until SoftICE's white line indicator lands on the code below :-

:0040F338 MOV [EBP-3C],EAX

Using the command "d eax" (without quotes), you will see something like below in the data window :-

I.D. .C.r.a.c.k.
m.e. .V.8...0...
B.y. .W.h.i.z.K.
i.D. .......S...

Scroll down a little and you should see your fake serial; scroll down more and you can see your fake name, and a little further will display your correct serial (all in wide-char format). For my name, I got the following serial :-

328716234

No, I am not going to do a keygen here, I am a newbie and that's not the requirement for this part. Well, another part completed (5 out of 8). I am starting to get tired here, but I'll try my best to crack all parts of the CrackMe. 

The matrix

I am not going to explain how to get valid codes (either checked or unchecked) here because I think I am not good enough to explain. There is more than one correct code and I have got only one valid one which my friend (thanks ^tCM^) found out. The condition of the valid code is as below :-

Check all the checkboxes (shocking, but true).

Though this is more likely to be some type of bug.

The keyfile

I have never successfully cracked any keyfile protection before, this is my first. This really gave me some trouble but with an appropriate breakpoint, it is just a piece of cake. Start the CrackMe, don't choose the keyfile part in the radio menu yet. With SmartCheck, I found that the keyfile's name is wk.dat and it should be placed in the same directory as the CrackMe (you can also use File Monitor), so we create a file in the directory where the CrackMe is and name it as wk.dat. Go into SoftICE and set a breakpoint like below :-

bpx msvbvm60!__vbafileopen

In the radio menu, choose the keyfile part and SoftICE will pop up almost immediately. Press F11 once and you will come to the code below :-

:0040F506 PUSH 0040BCC0 ; push something interesting
:0040F50B PUSH 01
:0040F50D PUSH FF
:0040F50F PUSH 01 ; scroll up if you can't see the above codes
:0040F511 CALL [MSVBVM60!__vbaFileOpen] ; open file routine
:0040F517 MOV EBX,[MSVBVM60!rtcEndOfFile] ; you land here

Clear the breakpoint on msvbvm60!__vbafileopen and type the command below to view the expected contents of the keyfile in the data window :-

d 0040BCC0

You will see something like below:

w.k...d.a.t.....
.... E.a.s.y., .
e.h.?.......R.e.

The nag

Since we have cracked the first nag on startup, this shouldn't be a problem to us. Don't choose the nag part in the radio menu first, go into SoftICE and set a breakpoint on msvbvm60!rtcmsgbox like below :-

bpx msvbvm60!rtcmsgbox

Leave SoftICE and select the nag part. SoftICE will pop up; press F11 once, the nag will be displayed, press the OK button and you will be back in SoftICE here :-

:00412B6A CALL [MSVBVM60!rtcMsgBox] ; the call that displays the nag
:00412B70 LEA ECX,[EBP-1C] ; you land here

Note down the call's address (00412B6A), clear the breakpoint on msvbvm60!rtcmsgbox, leave SoftICE, disassemble the CrackMe and go to address 00412B6A and finally note down the offset of the address in the disassembler (you can also use Iczelion's great Offset Utility). Exit the CrackMe and shut down W32Dasm. Use HIEW, load up the CrackMe, press Enter twice to go into hex mode, press F5 to go to the location we want, enter the offset that we noted down, when we reach there press F3 to edit and NOP (change all the 6 bytes into 90) all the 6 bytes in the call. Press F9 to save the changes and F10 to exit. Restart the CrackMe and choose the nag part, eh, no more nag! Yes, we killed that nag already. That's all for this part.

The cripple part

Should this be named cripple or disabled? (I think it should be called disabled, but then, this is WhizKiD's program.) The matrix part and this part really gave me a headache, but shortly before this tutorial was completed I happened to speak to WhizKiD on IRC and found out that I must use the customiser to enable the disabled button. Anyway, in order to successfully crack all parts of this CrackMe and teach you something new (there is not much material on using the customiser/resource editor), I decided to go ahead and crack this part.

Start the CrackMe and The Customiser, in the radio menu of the CrackMe choose the cripple part, press the Edit Window button on The Customiser's screen. The Customiser Configuration Screen will pop up, in the radio menu choose Select, press the On button, now you can select which region of window you want to edit, choose the Disabled button of the CrackMe, make sure the following data are all shown in the Window Details tab of the configuration screen before you click on the Disabled button (with the special pointer) :-

Class:ThunderRT6CommandButton
Text:Disabled
Parent Class:ThunderRT6FormDC
Parent Text:WhizKiD's CrackMe Challenge

Then, on the configuration screen, switch to the Misc. tab and check those checkboxes with the name mentioned below:

Enable Window
Save Action
Parent Window
Resource Id
Class Name

Click the Do Now button, then switch over to the CrackMe and see what happens to the disabled button. You can click the button now and it will display a message telling you that the cripple part is completed (this proves that this part shouldn't be called cripple but disabled, since the button's function works as soon as it is enabled). To make the button look nicer, you can also change the Text from Disabled to Enabled, but I am not going to teach you how here since our main objective has been met. That's it for this part. I hope you are satisfied and have learned something new (that is the main purpose of myself, WhizKiD and all other members of the Reverse Engineering Scene). As usual, contact me if I have made any mistake, and give me your feedback, comments, suggestions and opinions about this tutorial and my way of presenting it.

Extra notes

Well, the year 1999 is coming to an end. I must take this advantage to thank everyone who has helped me, either directly or indirectly (especially those with names mentioned below). I must also praise WhizKiD and other Immortal Descendants members for their good work. Keep up your good work.


Ending

Thanks and greets to :-

+ORC, +HCU, Sandman, HarvestR, tKC, ytc_, Punisher, Kwai_Lo, TORN@DO, CrackZ, cLUSTER, LaZaRuS, mISTER fANATIC, yes123, WhizKiD, Volatility, ACiD BuRN, Eternal Bliss, R!SC, Kwazy Webbit, +Mammon, MisterE, Shadow, ^tCM^, WaJ, Borna Janes, Kathras, douby, Steinowitz, Lord Soth, Latigo, Lucifer48, NeuRaL_NoiSE, Fravia+, Latigo, Duelist, Alpine, flag eRRatum, Nitrus, +Frog's Print, Muad`Dib, Iczelion, Razzia, Warezpup, Bomber Monkey, llama and other crackers, individuals and organisations who have helped me, either directly or indirectly.

Service for ManKind
ManKind
mankind001@bigfoot.com