Level : beginner

DETTEN CRACKME #4
*****************


Cracker: figugegl
Email: figugegl_2000@yahoo.de
Date: 7.11.2001
Tools: Softice, Icedump, Procdump, IDA
Level 1-10: 3


This crackme is a little special as there's no hint about the protection. Filemon and Regmon don't show anything suspicious, there are no hidden resources either. So we should have a look at the listing - but the program is packed with UPX and can't be unpacked by the packer. We do it by hand - and that's the fun part!




Crackme : http://www.reversing.be/article.php?story=20050219154305729
a) unpacking
------------

We find the jump to the OEP after the popad command:

415F7F: jmp 401000

We make a fulldump with Procdump (Options - Rebuild IT), fix the OEP --> the program runs! But there are no Imports available in the Listing. Even though its not really necessary, i rebuild the IT by hand.

We find the IMAGE_IMPORT_DESCRIPTOR at Offset 15208h at the end of the resource section. Thats the one used by the packer, it shows only a few APIs. Scrolling through the listing we find the real IT with a lot of APIs at offset 12807h and what looks like the FIRST_THUNK at offset E8FCh. I copied the IMAGE_IMPORT_DESCRIPTOR to offset E800h (start of section "text", RVA 10000h) - that's where it should be!

I had to fix the pointer at offset 280h to point to the new location of IMAGE_IMPORT_DESCRIPTOR:

00000280: 08 7A 01 00 --> 00 00 01 00
***************************************

Then i fixed the IMAGE_IMPORT_DESCRIPTOR and the FIRST_THUNK of every dll:

0000E800: 00 00 00 00�00 00 00 00�00 00 00 00�70 00 01 00 ............p...
0000E810: FC 00 01 00�00 00 00 00�00 00 00 00�00 00 00 00 �...............
0000E820: 7D 00 01 00�B4 01 01 00�00 00 00 00�00 00 00 00 }...�...........
0000E830: 00 00 00 00�87 00 01 00�18 02 01 00�00 00 00 00 ....�...........
0000E840: 00 00 00 00�00 00 00 00�00 00 00 00�00 00 00 00 ................
0000E850: D0 76 F7 BF�A8 6D F7 BF�F8 D4 F8 BF�00 00 00 00 �v���m�����....
0000E860: 4C 25 F2 BF�00 00 00 00�9D 24 F5 BF�00 00 00 00 L%��....�$��....
0000E870: 4B 45 52 4E�45 4C 33 32�2E 44 4C 4C�00 47 44 49 KERNEL32.DLL.GDI
0000E880: 33 32 2E 64�6C 6C 00 55�53 45 52 33�32 2E 64 6C 32.dll.USER32.dl
0000E890: 6C 00 00 00�4C 6F 61 64�4C 69 62 72�61 72 79 41 l...LoadLibraryA
0000E8A0: 00 00 47 65�74 50 72 6F�63 41 64 64�72 65 73 73 ..GetProcAddress
0000E8B0: 00 00 45 78�69 74 50 72�6F 63 65 73�73 00 00 00 ..ExitProcess...
0000E8C0: 54 65 78 74�4F 75 74 41�00 00 47 65�74 44 43 00 TextOutA..GetDC.
0000E8D0: 00 00 00 00�00 00 00 00�00 00 00 00�00 00 00 00 ................
0000E8E0: 00 00 00 00�00 00 00 00�00 00 00 00�00 00 00 00 ................
0000E8F0: 00 00 00 00�00 00 00 00�00 00 00 00�07 40 01 00 .............@..
0000E900: 14 40 01 00�21 40 01 00�37 40 01 00�44 40 01 00 .@..!@..7@..D@..
0000E910: 4C 40 01 00�57 40 01 00�68 40 01 00�7C 40 01 00 L@..W@..h@..|@..
0000E920: 8C 40 01 00�A3 40 01 00�B7 40 01 00�C4 40 01 00 �@..�@..�@..�@..
0000E930: D2 40 01 00�E0 40 01 00�F4 40 01 00�06 41 01 00 �@.. @..�@...A..
0000E940: 16 41 01 00�27 41 01 00�35 41 01 00�45 41 01 00 .A..'A..5A..EA..
0000E950: 51 41 01 00�60 41 01 00�74 41 01 00�8F 41 01 00 QA..`A..tA..�A..
0000E960: A5 41 01 00�BC 41 01 00�BC 41 01 00�D1 41 01 00 �A..�A..�A..�A..
0000E970: E1 41 01 00�EC 41 01 00�03 42 01 00�13 42 01 00 �A..�A...B...B..
0000E980: 23 42 01 00�2D 42 01 00�36 42 01 00�43 42 01 00 #B..-B..6B..CB..
0000E990: 50 42 01 00�6A 42 01 00�78 42 01 00�85 42 01 00 PB..jB..xB..�B..
0000E9A0: 9A 42 01 00�00 00 00 00�00 00 00 00�00 00 00 00 �B..............
0000E9B0: 00 00 00 00�AE 42 01 00�BE 42 01 00�00 00 00 00 ....�B..�B......
0000E9C0: 00 00 00 00�00 00 00 00�00 00 00 00�00 00 00 00 ................
0000E9D0: 00 00 00 00�00 00 00 00�00 00 00 00�00 00 00 00 ................
0000E9E0: 00 00 00 00�00 00 00 00�00 00 00 00�00 00 00 00 ................
0000E9F0: 00 00 00 00�00 00 00 00�00 00 00 00�00 00 00 00 ................
0000EA00: 00 00 00 00�00 00 00 00�00 00 00 00�00 00 00 00 ................
0000EA10: 00 00 00 00�00 00 00 00�D1 42 01 00�E2 42 01 00 ........�B..�B..
0000EA20: F2 42 01 00�01 43 01 00�12 43 01 00�24 43 01 00 �B...C...C..$C..
0000EA30: 2F 43 01 00�42 43 01 00�51 43 01 00�58 43 01 00 /C..BC..QC..XC..
0000EA40: 65 43 01 00�74 43 01 00�81 43 01 00�8C 43 01 00 eC..tC..�C..�C..
0000EA50: 99 43 01 00�A5 43 01 00�B6 43 01 00�C8 43 01 00 �C..�C..�C..�C..
0000EA60: D3 43 01 00�DF 43 01 00�F1 43 01 00�00 00 00 00 �C..�C..�C......

This took me a while and it worked! Now we can disassemble and see all the names of the imports - maybe next time i use Revirgin instead :-)


b) The protection
-----------------

I soon saw the string "Well, done" in the listing:

0040116C 55 push ebp
0040116D 8B EC mov ebp, esp
0040116F 83 C4 D0 add esp, 0FFFFFFD0h
00401172 53 push ebx
00401173 56 push esi
00401174 8B 75 0C mov esi, [ebp+0Ch]
00401177 8B 5D 08 mov ebx, [ebp+8]
0040117A 80 3D 14 B1 40 00+ cmp ds:byte_40B114, 0 ; Flag
00401181 74 1F jz short loc_4011A2 ; jump if not set
00401183 6A 0A push 0Ah
00401185 6A 0A push 0Ah
00401187 68 00 B1 40 00 push offset aWellDone ; "Well, done"
0040118C FF 35 E8 B0 40 00 push ds:dword_40B0E8
00401192 53 push ebx
00401193 E8 70 FF FF FF call sub_401108 ; show string
00401198 83 C4 14 add esp, 14h
0040119B C6 05 14 B1 40 00+ mov ds:byte_40B114, 0
004011A2 8B C6 mov eax, esi
004011A4 83 F8 10 cmp eax, 10h
004011A7 7F 1E jg short loc_4011C7
004011A9 0F 84 D3 00 00 00 jz loc_401282
004011AF 48 dec eax
004011B0 74 30 jz short loc_4011E2
004011B2 48 dec eax
004011B3 0F 84 D4 00 00 00 jz loc_40128D
004011B9 83 E8 0D sub eax, 0Dh
004011BC 0F 84 60 02 00 00 jz loc_401422
004011C2 E9 4C 02 00 00 jmp loc_401413
004011C7 ; ---------------------------------------------------------------------------
004011C7 2D 11 01 00 00 sub eax, 111h
004011CC 0F 84 82 00 00 00 jz loc_401254
004011D2 2D F0 00 00 00 sub eax, 0F0h
004011D7 0F 84 BC 00 00 00 jz loc_401299 ; must jump here
004011DD E9 31 02 00 00 jmp loc_401413

This is the WindowProcedure of the main window which handles the messages. This can be veryfied when looking at RegisterClassExA (address 4014AD). The flag is being set to one at address 40130A - see X-Ref in IDA:

00401308 7E 13 jle short loc_40131D
0040130A C6 05 14 B1 40 00+ mov ds:byte_40B114, 1 ; set flag to 1
00401311 C7 05 18 B1 40 00+ mov ds:dword_40B118, 5
0040131B EB 12 jmp short loc_40132F

In order to get to this location, the program has to take the jump at address 4011D7. But which message is being used? We have a look at the code and win.h:

004011C7 2D 11 01 00 00 sub eax, 111h ; 111h: WM_COMMAND
004011CC 0F 84 82 00 00 00 jz loc_401254
004011D2 2D F0 00 00 00 sub eax, 0F0h ; 111h + 0F0h: WM_LBUTTONDOWN
004011D7 0F 84 BC 00 00 00 jz loc_401299
004011DD E9 31 02 00 00 jmp loc_401413


It's the left mouse button! Now we can analyze the code:

00401299 A1 18 B1 40 00 mov eax, ds:dword_40B118 ; counter i
0040129E 66 8B 55 14 mov dx, [ebp+14h]
004012A2 66 89 14 45 10 D3+ mov ds:word_40D310[eax*2], dx ; save xPos
004012AA 8B 4D 14 mov ecx, [ebp+14h]
004012AD C1 E9 10 shr ecx, 10h
004012B0 66 81 E1 FF FF and cx, 0FFFFh
004012B5 A1 18 B1 40 00 mov eax, ds:dword_40B118
004012BA 66 89 0C 45 18 D3+ mov ds:word_40D318[eax*2], cx ; save yPos
004012C2 83 3D 18 B1 40 00+ cmp ds:dword_40B118, 3 ; i == 3 ?
004012C9 75 64 jnz short loc_40132F ; no, jump
004012CB 0F BF 15 16 D3 40+ movsx edx, ds:word_40D316 ; yes
004012D2 0F BF 0D 10 D3 40+ movsx ecx, ds:word_40D310
004012D9 2B D1 sub edx, ecx
004012DB 83 FA 0A cmp edx, 0Ah ; (x4 - x1) < 0Ah ?
004012DE 7D 47 jge short loc_401327 ; no, jump
004012E0 0F BF 05 16 D3 40+ movsx eax, ds:word_40D316
004012E7 0F BF 15 10 D3 40+ movsx edx, ds:word_40D310
004012EE 2B C2 sub eax, edx
004012F0 83 F8 F6 cmp eax, 0FFFFFFF6h ; (x4 - x1) > (-0Ah) ?
004012F3 7E 32 jle short loc_401327 ; no, jump
004012F5 0F BF 0D 1E D3 40+ movsx ecx, ds:word_40D31E
004012FC 0F BF 05 18 D3 40+ movsx eax, ds:word_40D318
00401303 2B C8 sub ecx, eax
00401305 83 F9 0A cmp ecx, 0Ah ; (y4 - y1) > 0Ah ?
00401308 7E 13 jle short loc_40131D ; no, jump
0040130A C6 05 14 B1 40 00+ mov ds:byte_40B114, 1 ; set flag --> BINGO
00401311 C7 05 18 B1 40 00+ mov ds:dword_40B118, 5
0040131B EB 12 jmp short loc_40132F
0040131D ; --------------------------------------------------
0040131D 33 D2 xor edx, edx
0040131F 89 15 18 B1 40 00 mov ds:dword_40B118, edx
00401325 EB 08 jmp short loc_40132F
00401327 ; --------------------------------------------------
00401327 33 C9 xor ecx, ecx
00401329 89 0D 18 B1 40 00 mov ds:dword_40B118, ecx
0040132F 83 3D 18 B1 40 00+ cmp ds:dword_40B118, 2 ; i == 2 ?
00401336 75 58 jnz short loc_401390 ; no, jump
00401338 0F BF 05 14 D3 40+ movsx eax, ds:word_40D314 ; yes
0040133F 0F BF 15 12 D3 40+ movsx edx, ds:word_40D312
00401346 2B C2 sub eax, edx
00401348 83 F8 0A cmp eax, 0Ah ; (x3 - x2) < (0Ah) ?
0040134B 7D 3B jge short loc_401388 ; no, jump
0040134D 0F BF 0D 14 D3 40+ movsx ecx, ds:word_40D314
00401354 0F BF 05 12 D3 40+ movsx eax, ds:word_40D312
0040135B 2B C8 sub ecx, eax
0040135D 83 F9 F6 cmp ecx, 0FFFFFFF6h ; (x3 - x2) > (-0Ah) ?
00401360 7E 26 jle short loc_401388 ; no, jump
00401362 0F BF 15 1C D3 40+ movsx edx, ds:word_40D31C
00401369 0F BF 0D 1A D3 40+ movsx ecx, ds:word_40D31A
00401370 2B D1 sub edx, ecx
00401372 83 FA 0A cmp edx, 0Ah ; (y3 - y2) > (0Ah) ?
00401375 7E 08 jle short loc_40137F ; no, jump
00401377 FF 05 18 B1 40 00 inc ds:dword_40B118 ; i++
0040137D EB 11 jmp short loc_401390
0040137F ; --------------------------------------------------
040137F 33 C0 xor eax, eax
00401381 A3 18 B1 40 00 mov ds:dword_40B118, eax
00401386 EB 08 jmp short loc_401390
00401388 ; --------------------------------------------------
00401388 33 D2 xor edx, edx
0040138A 89 15 18 B1 40 00 mov ds:dword_40B118, edx
00401390 83 3D 18 B1 40 00+ cmp ds:dword_40B118, 1 ; i == 1 ?
00401397 75 58 jnz short loc_4013F1 ; no, jump
00401399 0F BF 0D 1A D3 40+ movsx ecx, ds:word_40D31A
004013A0 0F BF 05 18 D3 40+ movsx eax, ds:word_40D318
004013A7 2B C8 sub ecx, eax
004013A9 83 F9 0A cmp ecx, 0Ah ; (y2 - y1) < (0Ah) ?
004013AC 7D 3C jge short loc_4013EA ; no, jump
004013AE 0F BF 15 1A D3 40+ movsx edx, ds:word_40D31A
004013B5 0F BF 0D 18 D3 40+ movsx ecx, ds:word_40D318
004013BC 2B D1 sub edx, ecx
004013BE 83 FA F6 cmp edx, 0FFFFFFF6h ; (y2 - y1) > (-0Ah) ?
004013C1 7E 27 jle short loc_4013EA ; no, jump
004013C3 0F BF 05 12 D3 40+ movsx eax, ds:word_40D312
004013CA 0F BF 15 10 D3 40+ movsx edx, ds:word_40D310
004013D1 2B C2 sub eax, edx
004013D3 83 F8 0A cmp eax, 0Ah ; (x2 - x1) > (0Ah) ?
004013D6 7E 08 jle short loc_4013E0 ; no, jump
004013D8 FF 05 18 B1 40 00 inc ds:dword_40B118 ; i++
004013DE EB 11 jmp short loc_4013F1
004013E0 ; --------------------------------------------------
004013E0 33 C9 xor ecx, ecx
004013E2 89 0D 18 B1 40 00 mov ds:dword_40B118, ecx
004013E8 EB 07 jmp short loc_4013F1
004013EA ; --------------------------------------------------
004013EA 33 C0 xor eax, eax
004013EC A3 18 B1 40 00 mov ds:dword_40B118, eax
004013F1 83 3D 18 B1 40 00+ cmp ds:dword_40B118, 0 ; i == 0 ?
004013F8 75 06 jnz short loc_401400 ; no, jump
004013FA FF 05 18 B1 40 00 inc ds:dword_40B118 ; i++
00401400 83 3D 18 B1 40 00+ cmp ds:dword_40B118, 5
00401407 75 19 jnz short loc_401422
00401409 33 D2 xor edx, edx
0040140B 89 15 18 B1 40 00 mov ds:dword_40B118, edx
00401411 EB 0F jmp short loc_401422


Well, we have to trace this a couple of times before it becomes clear:


o----->-----o
|
|
Y
|
|
o-----<-----o

We have to click four times the left mouse button i.e. describing the corners of a rectangle. The distance between two points must be greater than 10 pixel, whereas the difference in the other axis must be within +/- 9 pixel.

figugegl