Saturday, 15 September 2018

A few cracking notes

After a while I decided to go back to the resources from crackmes.de (a mirror I found here).
As usual, my main goal was to understand ASM (better) and (finally) print the 'congratulation' message. Let's try to do it... :)

I. Environment / tools

I tried to solve all of the cases described below on a fresh install of Windows 7 (32-bit).

Tools I found useful during 'the game':
- OllyDbg
- PEiD


You'll probably find more resources in the Reference section below.


II. Simple sample

Checking available examples:


If you want to try it too, a few cases are still there unsolved ;)


(A few of them are also already described here.)

Ok, one of them below...

KeyGen-me#1

You can solve this in two ways. The first: open the file in OllyDbg and search for all strings. You should be able to find this location:


You can simply change the JNE instruction to JE:



Now, hit F9 to see:




Another way to solve it is presented below.

Let's open the target file again in OllyDbg. Scroll down to this code:



We will set a breakpoint here and run the program (F9), check it out:


Run the program now. After you type the name and serial value, click 'Okey!':


Here we are:


As you can see, there is our value ("Name") - 'test'. If you hit F9 again, we jump to another breakpoint. But this time there is a small change at address 00401178:


Hit F9 again and see some changes here:

A few more F9 hits and you'll see our code too:


Now, as you can see, it all depends on the comparison:


If it's wrong - we will go to the BadBoy. If it's ok, we will print a 'congrats' message...


... or we can re-use the code like this:

When the 'correct serial' is loaded in EDX and our CMP sends us to the 'badboy', we can take the value (already loaded) from 00401185 and use it as an input for the MessageBoxA function:

To do:


And we will use the value like below:


Now right-click and go to 'Edit' to dump the new exe:


In the new window, right-click again and save the new file:


I decided to name the new file 'newfile.exe':


Open it to check our changes:


As you can see, if we now type a 'wrong serial', the 'good one' will be presented in a new message box. Checking:



Looks good :)
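
An added example (not part of the original post): diffing the original file against a patched copy such as 'newfile.exe' shows how small these patches are, and a JNE to JE change on a short jump is a single byte, 0x75 to 0x74. The function names and the sample bytes are constructed for illustration; the classification is a heuristic on raw bytes, not a disassembly.

```python
def changed_runs(original: bytes, patched: bytes):
    """Yield (offset, old, new) for each run of differing bytes."""
    if len(original) != len(patched):
        raise ValueError("sizes differ; an in-place patch keeps the file size")
    start = None
    for i, (a, b) in enumerate(zip(original, patched)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            yield start, original[start:i], patched[start:i]
            start = None
    if start is not None:
        yield start, original[start:], patched[start:]


def is_jcc_inversion(original: bytes, offset: int, old: bytes, new: bytes) -> bool:
    """One byte changed, only its low bit, and the old byte is a Jcc opcode.

    Short Jcc is 0x70..0x7F (JE=0x74, JNE=0x75); near Jcc is 0x0F 0x80..0x8F.
    Inverse conditions differ only in the low opcode bit. Without instruction
    boundaries this can also match operand or data bytes, so it is a hint.
    """
    if len(old) != 1 or old[0] ^ new[0] != 1:
        return False
    op = old[0]
    short = 0x70 <= op <= 0x7F
    near = 0x80 <= op <= 0x8F and offset > 0 and original[offset - 1] == 0x0F
    return short or near


def report(original: bytes, patched: bytes):
    """Return (offset, old_hex, new_hex, label) for every changed run."""
    return [
        (off, old.hex(), new.hex(),
         "jcc-inverted" if is_jcc_inversion(original, off, old, new) else "other")
        for off, old, new in changed_runs(original, patched)
    ]


# Constructed sample: CMP EAX,EDX ; JNE +7 ; PUSH 0 ; CALL rel32 ; RET
ORIGINAL = bytes.fromhex("3bc2 7507 6a00 e810000000 c3")
# Same bytes with JNE (75) changed to JE (74) and the CALL displacement edited
PATCHED = bytes.fromhex("3bc2 7407 6a00 e820300000 c3")

if __name__ == "__main__":
    for row in report(ORIGINAL, PATCHED):
        print(row)
```
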



III. Reference 

If you're looking for more reading on the topic, you may find these useful:

[1] : Fravia / +ORC / +HCU
[2] : 'Enlil notes'
[3] : tuts4you.com
[4] : RTFM



Special thanks go to +AW, who invited me to Fravia's world.
I appreciate it.


Questions/comments?



Cheers





