Hehe. Well, thanks for entertaining other people still. But now I have to surf to www.gotobed.com.

thefool wrote: @trond: No, I wouldn't be able to crack it. But is that the question?
But it CAN be cracked.
Competition: Crackme!
- Joakim Christiansen
- Addict

- Posts: 2452
- Joined: Wed Dec 22, 2004 4:12 pm
- Location: Norway
- Contact:
I once made a crack for Liberty BASIC Workshop.
I think the method still works with the newest version.
But I'm never going to release it, I did it just for fun!
Used PE Explorer and HIEW, and it was quite easy...
I like logic, hence I dislike humans but love computers.
I've patched TheFool's CrackMe 5. This was the method, and bear in mind this is the first time I've ever tried this, so the explanation/method might suck:
Begin by having a look around. You can open the crackme in OllyDbg (there are no anti-debug tricks in this one) and you can see it has been UPXed (not sure with which version, but it doesn't matter).
Set a breakpoint at the JMP at the end of that (just after the POPAD), run the program and step into it. It takes you to the original entry point of the (now uncompressed) code, which was at 401000.
Have a scroll down and some of the code looks like gibberish, so take a guess that this is TheFool's self-modifying code. Further down it looks like some code displays the "Crackme!", "Password ->", "Correct!" and "Wrong password!" messages, but if you set breakpoints here the code is not reached. Just above that, a couple of odd-looking strings are referenced.
Step over the start of the code and see what happens. By the time the PUSHes are reached (40701A) you can see the code is now looking more normal, with OllyDbg highlighting the changes in red. Have a look through and more references to strings are revealed. Set breakpoints at them and you can see it is these strings that actually display the messages, and not the strings we saw earlier. OllyDbg shows us what the registers contain and we can see the plain-text strings, including "nice one", the password.
There is a JE at 4010ED that jumps to code that displays the "Wrong password!" message, so if we want to patch the exe we can NOP it and pass to the code we want. At least now, with it decompressed and unprotected, we can NOP it, but the patch will affect the original compressed and protected app, so NOPing it in that state will not work. Instead we can create an inline patch that will NOP it once it is unprotected in memory. But we cannot just insert code to do this because the whole thing is compressed. So instead I inserted an inline patch that creates an inline patch... :roll:
Patch the code at the end of the UPX decompression routine so that once the code is decompressed it will JMP back to our code (that's inline patch 1). Then, when our code is reached again, it overwrites the JE with a couple of NOPs (inline patch 2). I didn't write down exactly what code I used, but I overwrote the JMP 401000 at the end of the UPX decompression with something like this:
Code:
MOV PTR [40107A], 0xhexcodetojumptocodebelow ; Start of inline patch 1, runs when code is decompressed - Overwrite PUSH code with a jump back to our code. I think this was 5 bytes
JMP 401000 ; Original last line of UPX decompression code, jump to OEP
PUSH EBX ; Start of inline patch 2, runs when code is unprotected
PUSH ECX ... ; whatever code we overwrote at 40107A still needs to run so move it here
MOV WORD PTR [4010ED], 0x9090 ; Overwrite the JE with our NOPs
JMP 401084 ; Jump back to TheFool's code
So that is all the patch contains. Maybe this code should have been stuck somewhere better, but it worked ok.
Mat
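The post above shows a two-stage in-memory patch: nothing is changed on disk except the unpacker's tail, and the real edit (a 2-byte JE turned into two NOPs) only exists once the code is decompressed. The following is an added Python example, not Mat's code and not the crackme; it simulates that final overwrite on a constructed byte buffer and shows the check a program (or an analyst) can run against its own decompressed code to notice it: compare the opcodes at critical branches against what they should be, and hash the region. The image base, the JE address 4010ED and the bytes in the buffer are assumptions used only as labels; the real crackme's bytes are not reproduced here.

```python
import hashlib

# Constructed sample: a small "decompressed" code region mapped at a hypothetical
# base, with a short JE (opcode 74, rel8) at the address the post names.
# Every byte here is made up for illustration; none come from the real crackme.
IMAGE_BASE = 0x401000
JE_ADDR = 0x4010ED
REGION_SIZE = 0x100


def build_sample_image() -> bytearray:
    """Return a constructed code region: NOP filler with one short JE in it."""
    img = bytearray(b"\x90" * REGION_SIZE)
    off = JE_ADDR - IMAGE_BASE
    img[off:off + 2] = b"\x74\x10"   # JE short +0x10: a 2-byte instruction
    return img


def je_target(image: bytearray, addr: int) -> int:
    """Decode a short JE at addr and return the address it branches to."""
    off = addr - IMAGE_BASE
    if image[off] != 0x74:
        raise ValueError(f"no short JE at {addr:#x}")
    rel8 = int.from_bytes(image[off + 1:off + 2], "little", signed=True)
    # Displacement is relative to the end of the 2-byte instruction.
    return addr + 2 + rel8


def nop_out_je(image: bytearray, addr: int) -> None:
    """Reproduce the post's inline patch 2 in memory: JE (2 bytes) -> NOP NOP.

    A short JE is exactly two bytes, which is why two NOPs (0x9090) fit without
    disturbing the instruction that follows.
    """
    off = addr - IMAGE_BASE
    if image[off] != 0x74:
        raise ValueError("refusing to patch: byte is not a short JE")
    image[off:off + 2] = b"\x90\x90"


def code_digest(image: bytearray) -> str:
    """SHA-256 of the decompressed region, taken when it is known good."""
    return hashlib.sha256(bytes(image)).hexdigest()


def check_integrity(image: bytearray, critical_branches: dict, known_digest: str) -> list:
    """Defender-side check run after decompression.

    critical_branches maps address -> expected instruction bytes. Returns a list of
    (where, expected, actual) findings; an empty list means nothing was tampered.
    """
    findings = []
    for addr, expected in critical_branches.items():
        off = addr - IMAGE_BASE
        actual = bytes(image[off:off + len(expected)])
        if actual != expected:
            findings.append((addr, expected, actual))
    actual_digest = code_digest(image)
    if actual_digest != known_digest:
        findings.append(("region-hash", known_digest[:16], actual_digest[:16]))
    return findings


if __name__ == "__main__":
    img = build_sample_image()
    good = code_digest(img)
    print(f"JE at {JE_ADDR:#x} targets {je_target(img, JE_ADDR):#x}")
    print("before patch:", check_integrity(img, {JE_ADDR: b"\x74\x10"}, good))
    nop_out_je(img, JE_ADDR)
    print("after patch: ", check_integrity(img, {JE_ADDR: b"\x74\x10"}, good))
```

The opcode comparison catches exactly the edit described in the post; the hash catches any other change to the region (for example patch 1's jump being left behind at 40107A). Both checks only mean something if they run after the unpacker has finished, which is the same reason the post's patch had to wait until then.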
-
LuCiFeR[SD]
- 666

- Posts: 1033
- Joined: Mon Sep 01, 2003 2:33 pm
Well, I understand the methods... but I just haven't had the practice under Windows lol
but all the same, it is damn interesting
I think I already said I was impressed just by pushing stuff outside of the exe's memory... and stuff like that is almost the holy grail to me lol. Protected memory is a new thing for an ex-Amiga dude like me lol
-
LuCiFeR[SD]
- 666

- Posts: 1033
- Joined: Mon Sep 01, 2003 2:33 pm
I knew what had to be done... I guess even how.... but my trouble is getting used to thinking about how I would do the same on the Amiga (where I could look where the hell I like) and the PC... where disassemblers fear to tread (outside of the box) lol. I will attempt number 6, same as I did with number 5... failure or success, I will have a go, just to redeem myself 

