Tutorial written by Falcon
Target: TSCube's crackme#1
Tools: SoftIce
Where: http://www.tscube.cjb.net
Level: 2-3
Essay:
Ok, crackers, today I am in the mood to make a tutorial with some mathematical operations, which will be necessary for finding the serial of this little program. The protection is good, so we must think a little if we want to reverse it. The whole protection consists of 3 loops that will give us enough information about what we must do to get the program to say 'Registered' instead of the bad word that says 'Unregistered'. As always, I suggest you print this tut and sit in front of the program, tracing the code with the help of it. Let's begin...
1:- Execute the program and enter some digits as a serial. { Why digits? You will see later... }
2:- Activate SoftIce and set a breakpoint on hmemcpy by typing bpx hmemcpy
3:- Press Enter and F5, and you are back in Windows; press any digit to jump into SoftIce.
4:- Once you are in SoftIce, press F11 and F12 as many times as needed until you get here...
00401169  XOR ECX, ECX          { After this instruction ECX=0; ECX is the loop counter and the char index }
0040116B  MOV AL, [ECX+ESP+2C]  { The char of the serial at index ECX is MOVed to AL (the first char on the first pass) }
0040116F  CMP AL, 30            { Compares AL with 30 }
00401171  JL 00401243           { Jump to 'bad cracker' if Less }
00401177  CMP AL, 39            { Compares AL with 39 }
00401179  JG 00401243           { Jump to 'bad cracker' if AL is Greater }
0040117F  INC ECX               { ECX is increased by 1 - the loop counter }
00401180  CMP ECX, 07           { Compares ECX with 7 }
00401183  JL 0040116B           { Jump to the beginning of the loop if ECX is Less }
Note:
This is just a verification part that checks whether the first 7 chars of your serial are digits from 0 to 9 (30h-39h). Also, if you did not enter 7 or more chars, the terminating zero of the string fails this check and you again go to the bad routine.
00401185  XOR EDX, EDX          { The program nullifies EDX to use it as the loop counter; as you will see, it takes the chars of your serial one by one as EDX grows by 1 each loop }
00401187  LEA EDI, [ESP+2C]     { Loads the address of the string where your serial is }
0040118B  OR ECX, -01           { ECX = ECX or -01, so ECX = FFFFFFFF }
0040118E  XOR EAX, EAX          { EAX=0 }
00401190  REPNZ SCASB           { Scans the serial for the zero byte in AL, decrementing ECX for every byte it passes }
00401192  MOV AL, [EDX+ESP+10]  { Here the program refers to another string, from which it takes the numbers used for calculating the serial }
00401196  NOT ECX               { ECX = not ECX; NOT is a logical operation that flips every bit of the operand: a 1 becomes 0 and the reverse }
00401198  DEC ECX               { Decreases ECX; after this operation ECX holds the length of your serial. This length plays a great role in calculating the serial number }
00401199  ADD CL, AL            { ADDition; adds two numbers - the length of your serial and the number located at [EDX+ESP+10] }
0040119B  MOV AL, [EDX+ESP+2C]  { MOVes the char of your serial to AL. As the loop counter { that is EDX } changes, each loop the program takes the char that corresponds to the EDX value }
0040119F  XOR CL, AL            { XORs the sum { ADD CL, AL } with your char }
004011A1  MOV [EDX+ESP+10], CL  { Stores the result at this address, in place of the constant }
004011A5  INC EDX               { In this loop EDX is your loop counter: EDX=EDX+1 }
004011A6  CMP EDX, 07           { Compares EDX with 7, so there will be 7 cycles }
004011A9  JL 00401187           { Jump if EDX is Less than 7 }
Note:
This is our main loop, where all the calculations take place. To make it more clear { if somebody did not understand }, the program does this:
1:- It loads a number { a constant } and moves it to the AL register { you can see it in the code }.
2:- Then the length of your serial is ADDed to this number, so another number is formed.
3:- This 'other' number is XORed with the char of your serial at the loop counter's position (the first char in the first cycle).
4:- The final number is stored as an element of an array, and in the next loop these elements will be compared with other values; if they match, you are a good reverser.
Constant numbers: { These numbers are located at [EDX+ESP+10]; there are many of them, as elements of an array. We do not have to regard all of them, 'coz the loop counter is 7. I am going to give you more than 7, but you should take only the first 7. So, when you type d [EDX+ESP+10] you should see these numbers in the data window:
35 33 42 12 29 1E 07 17 BC 54 01 01 FC 2C 02 00 }
Let's see what happens in the next loop, then we will make some calculations...
Some people would start calculating the serial from this point, but I suggest you look through the code of the next loop { it helped me a lot in reversing this little program }. Let's see the last loop..
004011AB  MOV ESI, 00404020     { A new string appears. It says TSCube. Type d ESI to see this nick, and look at the top left of the data window; there you are going to see the numbers 54 53 43 75 62 65 00 00... These numbers are going to be compared with the values you got in the previous loop }
004011B0  LEA EAX, [ESP+10]     { Here they go, the numbers from the previous loop; type d EAX and you will see them. A little later the program will take them one by one for comparing... These are the numbers you obtained after the XORing process }
004011B4  MOV DL, [EAX]         { Takes one number and MOVes it to DL }
004011B6  MOV CL, DL            { From DL to CL }
004011B8  CMP DL, [ESI]         { Compares your number with 54 ('T') on the first pass }
004011BA  JNZ 004011D8          { Jump to the bad routine if they are not equal }
004011BC  TEST CL, CL           { Tests CL; if you reach this point and CL is equal to 0, you may consider that you will jump to the Good message }
004011BE  JZ 004011D4           { Jump if Zero }
004011C0  MOV DL, [EAX+1]       { Takes the next of your numbers that you got after XORing }
004011C3  MOV CL, DL            { MOVes it to CL }
004011C5  CMP DL, [ESI+1]       { Compares it with 53, that is 'S' }
004011C8  JNZ 004011D8          { Jump to the bad routine if they are not equal }
004011CA  ADD EAX, 02           { Advances the string where your numbers (that you got after XORing) are located by two, so the program will take the next 2 for comparing }
004011CD  ADD ESI, 02           { Advances the name by 2 as well }
004011D0  TEST CL, CL           { Checks whether the value of CL=0 }
004011D2  JNZ 004011B4          { Jumps to the start of the loop if it is not equal to 0 }
004011D4  XOR EAX, EAX          { XORs EAX with EAX; after this operation EAX=0 }
004011D6  JMP 004011DD          { Jump to the good routine }
Note:
Ok, this is our last loop, from which I have gathered enough information for reversing the program. Now you are ready to receive my way of reversing it. Some words about this last loop: it is a comparison loop that takes all the elements of the array you got in the previous loop and compares them with the numbers:
54 53 43 75 62 65 00 00
Strategy:
So, as you all understood, we somehow should obtain these numbers { after the manipulation of the serial }:
54 53 43 75 62 65 00 00
Let us see the constant numbers { just the first 7 of them }: 35 33 42 12 29 1E 07
Let's assume that as a serial you have entered: X1 X2 X3 X4 X5 X6 X7 { we do not yet know the exact length of the serial }
Brief operations that we have seen in those loops:
Cycle #1:- It TAKES the first constant, ADDs to it the length of the serial and XORs the result with the first char of the serial: (35 + length of serial) xor X1, and this should be equal to 54.
Let the length of the serial be L, so:
(35+L) xor X1=54
Cycle #2: (33+L) xor X2=53
Cycle #3: (42+L) xor X3=43
Cycle #4: (12+L) xor X4=75
Cycle #5: (29+L) xor X5=62
Cycle #6: (1E+L) xor X6=65
Cycle #7: (07+L) xor X7=00
Let us use the information from the last cycle to find the serial. Remember, in the first loop the program was checking whether you entered only digits as the serial. The range of the digits is 0-9, in hex that is 30-39.
So, using this information, the last cycle tells us everything we should know about the length of the serial. As you can see, to get zero after XORing, the two numbers have to be equal. For example, 5 xor 5 is 0. So the largest available serial length is 39h-07, that is 32h (50 decimal).
So the available length of the serial is [7-50], but to get zero in the last cycle L has to be in the range 29h to 32h; so you have to put each of the numbers in that range in place of L and find X1, X2, X3, X4, X5, X6, X7. Oh, let me guess and put 32h in place of L; let's see...
1: (35+32) xor 54=X1
   67 xor 54=X1 => X1=33 and the char is digit '3'
2: (33+32) xor 53=X2
   65 xor 53=X2 => X2=36 and the char is digit '6'
3: (42+32) xor 43=X3
   74 xor 43=X3 => X3=37 and the char is digit '7'
4: (12+32) xor 75=X4
   44 xor 75=X4 => X4=31 and the char is digit '1'
5: (29+32) xor 62=X5
   5B xor 62=X5 => X5=39 and the char is digit '9'
6: (1E+32) xor 65=X6
   50 xor 65=X6 => X6=35 and the char is digit '5'
7: (07+32) xor 00=X7
   39 xor 00=X7 => X7=39 and the char is digit '9'
Almost End:
You see, we have found the numbers that will take us to the Good Message, but you must not forget that the length of our serial was chosen as 32h, 50 decimal. We have found the first 7, and after these 7 you can enter any sequence of digits you want. The main idea is to have these 7 first and a serial length of 50 digits.
Serial:
36719591111111111111111111111111111111111111111111
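To check the reasoning in the three loops and in the Strategy section without SoftIce, here is an added C model of the protection; it is example code written for this tut, not code from TSCube's crackme. It assumes only what the listings show: the first 7 constants dumped at [EDX+ESP+10], the string "TSCube" at 00404020 with its terminating zero, 8-bit arithmetic in CL, and the length from REPNZ SCASB. It goes one step beyond the guess of L=32h: it tries every 8-bit length and reports which ones give 7 digits, then builds the serial the same way as above (7 chars plus '1's) and runs it through the modelled check.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* First 7 constants dumped at [EDX+ESP+10] before the second loop runs. */
static const uint8_t CONSTS[7] = {0x35, 0x33, 0x42, 0x12, 0x29, 0x1E, 0x07};
/* The string at 00404020: "TSCube" plus its terminating zero (54 53 43 75 62 65 00). */
static const char TARGET[] = "TSCube";

/* Loop 1 (00401169..00401183): the first 7 bytes must be digits 30h..39h.
   A serial shorter than 7 chars fails here, as its terminating zero is below 30h. */
static int first_seven_are_digits(const char *serial)
{
    for (int i = 0; i < 7; i++)
        if (serial[i] < '0' || serial[i] > '9')
            return 0;
    return 1;
}

/* Loop 2 (00401187..004011A9): out[i] = (L + CONSTS[i]) xor serial[i].
   ADD CL, AL and XOR CL, AL use the low byte only, so L is the length mod 256. */
static void mix(const char *serial, uint8_t out[7])
{
    uint8_t len = (uint8_t)strlen(serial);      /* REPNZ SCASB / NOT ECX / DEC ECX */
    for (int i = 0; i < 7; i++)
        out[i] = (uint8_t)((uint8_t)(len + CONSTS[i]) ^ (uint8_t)serial[i]);
}

/* Loop 3 (004011B4..004011D6): compare the mixed bytes with "TSCube\0" until the
   zero byte; any mismatch goes to the bad routine. Returns 1 for 'Registered'. */
static int check_serial(const char *serial)
{
    uint8_t mixed[7];
    if (!first_seven_are_digits(serial))
        return 0;
    mix(serial, mixed);
    for (int i = 0; i < 7; i++) {
        if (mixed[i] != (uint8_t)TARGET[i])
            return 0;                           /* JNZ 004011D8 */
        if (mixed[i] == 0)
            return 1;                           /* TEST CL, CL / JZ 004011D4 */
    }
    return 0;                                   /* not reached: TARGET[6] is the zero byte */
}

/* Strategy section: for a length L, solve X_i = (CONSTS[i] + L) xor TARGET[i].
   Returns 1 and fills prefix (7 chars + NUL) if every X_i is a digit, else 0. */
static int solve_for_length(uint8_t len, char prefix[8])
{
    for (int i = 0; i < 7; i++) {
        uint8_t x = (uint8_t)((uint8_t)(len + CONSTS[i]) ^ (uint8_t)TARGET[i]);
        if (x < '0' || x > '9')
            return 0;
        prefix[i] = (char)x;
    }
    prefix[7] = '\0';
    return 1;
}

/* Beyond the tut's single guess: try every 8-bit length and count the ones that
   give an all-digit prefix. The last working length is left in *found_len/prefix. */
static int count_working_lengths(uint8_t *found_len, char prefix[8])
{
    int count = 0;
    for (int len = 0; len < 256; len++) {
        char buf[8];
        if (solve_for_length((uint8_t)len, buf)) {
            count++;
            *found_len = (uint8_t)len;
            memcpy(prefix, buf, 8);
        }
    }
    return count;
}

/* Build a serial of total length len: the 7-char prefix followed by '1's, as above. */
static void build_serial(const char prefix[8], size_t len, char *out, size_t outsz)
{
    if (len < 7 || len + 1 > outsz) { out[0] = '\0'; return; }
    memcpy(out, prefix, 7);
    for (size_t i = 7; i < len; i++)
        out[i] = '1';
    out[len] = '\0';
}

/* The tut's result: the 50-char serial built from "3671959". */
static int tutorial_serial_is_valid(void)
{
    char serial[64];
    build_serial("3671959", 50, serial, sizeof serial);
    return check_serial(serial);
}

int main(void)
{
    uint8_t len = 0;
    char prefix[8] = "", serial[64];
    int n = count_working_lengths(&len, prefix);
    printf("lengths that give 7 digits: %d (last: %u -> prefix %s)\n", n, len, prefix);
    build_serial(prefix, len, serial, sizeof serial);
    printf("%s -> %s\n", serial, check_serial(serial) ? "Registered" : "Unregistered");
    return 0;
}
```

Running it rebuilds the 50-digit serial above and reports 'Registered'; feeding check_serial the 7 chars alone fails, because L is then 7 and the sums no longer line up with 'TSCube'.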
Greetings:
All members of Genocide Crew { czDrillard, congrats on receiving Council status; Gandalf, thanks for the .gif }
http://www.genocidecrew.cjb.net/
All members of Hellforge { LaZaRuS, Acid_Cool_178, Ac|dfusion, Dark_Wolf, Mercution... }
Enormous thanks go to Acid_Cool_178 and Mercution for providing me with LOGOs
http://www.kickme.to/Hellforge
tHe CrEaM members { for their good intent to help everybody }
To everyone who makes tutorials...
Cool coders:
Terminal Cilla, AntiXrist, Chafe, The+Q, LaZaRuS, defiler, Lucifer48, CzDrillard { he is great at making good Math algos }
Reversers:
SiFLyiNG, mIST, zvem, TSCube, Marton, and everybody I forgot to add..
If you have any questions mail me:
falcon_geno@mail.ru