Friday, May 06 2005 @ 09:52 AM CEST Contributed by: Kuya_Xhadow Views: 5208
Level : newbie
Patching the vault crackme that is meant for people just starting out with reversing.
Eiy0w Cr4ck3rs 0ut ThuR!!!
Yup, this tut came a little late.. but I do believe that it's not
yet too late. I know that, by the time I'm typing this tute,
there are still hopeful newbies out there who are aspiring to become
The reason I wrote this tute is that I find the solutions
for the vault.exe crackme that are currently available quite difficult
for a newbie to understand.. (Well.. I'm also just a newbie..). Especially for those who are just starting out and looking for nice crackmes to practice on: instead of learning something, they find themselves lost, not just in the code but in the tutorials as well, because the tuts were vaguely written and can only be understood by the experienced. I'm not saying that I have the best tut for this crackme, and I have nothing against the authors of the previous tuts for it either.. I'm just hoping to keep the Cracking/Reversing world alive and active by educating the starters in a more comprehensible way..
I do hope that I made a clear point here...
So I made my own version of the solution and made it more detailed,
hoping that the newbies could easily get what I am saying in this
So this tut is really intended for the newbies of the Cracking
world. For advanced crackers... well... you may not have any
need to read this tut anymore..
Tools you'll need:
* A computer ---> (Of course... geez...)
* W32Dasm v8.xx or higher ---> (You can get this anywhere on the net...)
* Hacker's View (Hiew) v6.xx or higher ---> (There's plenty on the net too...)
* Your full attention.. Yup, give your attention to this tut till the end..
Knowing how to use W32Dasm and Hiew is a must. So I assume
that you, well, at least have a little knowledge of how W32Dasm
and Hiew work.
The CrackMe:
* vault
* The info.txt file says that we should find the correct Name and Key
for this crackme. But I made a little twist here. We are not going to
find the correct Name and Key; we are going to make any Name and Key
get recognized as the correct Name and Key! And that is called
reversing the code.. Hehie.. confused already?! I hope not... ;-]
We'll be dealing with Assembly code here, so for you newbs, if
you don't know anything about it yet, I suggest you study it
first, so that we will have no difficulty understanding the terms
I'm going to be using in this tut. Read more files about Assembly
and related topics for your dose of info. Yup, you'll really have to
read read read read read... If you're too lazy for that, then
cracking/reversing is not for you...
For those who already know, good for you.. you're one step closer
to knowledge.. There are still hundreds and thousands of steps
Okay.. Enough with the talking.. Let's Crack!
* We will be altering the code of the crackme, so I personally
suggest that you back up the original file, so that you still
have a spare copy in case you mess up the original code.
* Run "vault.exe".
* Enter any Name and Key... then click the Test button.
* An error message should pop up, saying "No Access!".
* Try to memorize that error message (write it down on a piece of
paper if you must... ;-] ). It is the string we will search for in
the disassembly, because the code that shows it is where the failed
Name/Key check ends up.
* Now run W32Dasm and disassemble vault.exe.
* If it's your first time using W32Dasm, the disassembled file will
show garbage characters at first. To get rid of this:
* In W32Dasm's menu, click Disassemble/Font/Select Font. I suggest
Courier New, 10. Then save that font as default (you know how..)
* In W32Dasm's toolbar, click the button with the flashlight icon
(yup, you guessed it right... it's the Find Text button).
* Type the error message that popped up when you entered the invalid
Name and Key ("No Access!").
* After pressing enter, you should land
* Now.. pay attention here.. We need to find the conditional jump
that leads to this message (it'll be quite long if I explain
conditional jumps here.. so, as I've said, read more textfiles about
Assembly language..). Scroll up a few lines until you see something
like this:
Referenced by a (U)nconditional or (C)onditional Jump at Address:
Saw that right..? That line tells you which instruction jumps to the
code you are looking at; the address it lists (004010C8 here) is the
one we go to next.
* Now scroll up a bit more and try to find the location of
004010C8. You should stop right here:
:004010C8 751D jne 004010E7
An easier alternative is to click the GoTo Code Location button in
the toolbar and enter that hex address.
* Notice that the highlight bar turned green; that is because we
are highlighting a jump. While :004010C8 751D jne 004010E7 is
highlighted, the status bar at the bottom of W32Dasm should read:
Line:150 Pg 3 and 4 of 9 Code Data @:004010C8 @Offset 000004C8h
* The only thing we need to remember here is the Offset value,
000004C8h. Recall: the trailing h just means hexadecimal and the
leading zeros don't count, so 000004C8h = 4C8 (I don't have to
explain why, right...?) ;-) Note the difference between the two
numbers: 004010C8 is the address the instruction has in memory once
Windows has loaded the program, while 4C8 is where the same two
bytes sit inside vault.exe on disk. Hiew edits the file on disk, so
the offset is the number we need. Write it down on a piece of paper
(..or memorize it..).. It'll be used later..
* Now close W32Dasm (don't just minimize it, exit it! ;-] You will
not be able to make changes to vault.exe while it is open in or
being run by another program.. ;-] ) and run Hacker's View (Hiew for
short..). (I suggest you run Hiew from the same folder as
vault.exe, so that it is easier to browse for it.)
* After opening vault.exe in Hiew, you should of course see a mess of
characters. Press F4 and select Decode as your view mode. You can
also press Enter to switch between the view modes. Now that you are
in Decode mode, press F5 (Goto) and type the Offset value we
got earlier, that is... 4C8 (or just 4c8... it's not case sensitive...).
Now let's go back to this:
:004010C8 751D jne 004010E7
Take note of the bytes, 75 1D. 75 is the opcode for jne, jump if
not equal (a short jump), and 1D is how far to jump, counted in
bytes from the end of this two-byte instruction: 004010C8 + 2 + 1D =
004010E7, exactly the target W32Dasm shows. That means that if the
Name and Key we entered are not equal to the correct ones, execution
jumps to the code that shows the "No Access!" message box, telling
us that the Name and Key we entered were not the correct ones. BTW:
there is only one correct Name and one corresponding Key for the
crackme.
* So what we are going to do is reverse that jump: we will turn
jump if not equal into jump if equal, or je.
In ASM code:
75 = jne, or jump if not equal
74 = je, or jump if equal
* Using Hiew, we will replace 751D with 741D. Only the opcode
changes; the 1D stays, so the instruction is still two bytes long
and the code after it is not disturbed. Doing so will make the vault
recognize any Name and Key as the correct one, and the error message
will only appear if the correct Name and Key are entered. (If you
want the real Name and Key to keep working too, replace both bytes
with 9090, two nop instructions, so the jump to "No Access!" is
never taken at all.) Code reversing... at its best! Hehie..
Okay, back to Hiew and you (O.o? Hmm...). Where were we..
* Now, in your Hiew window, press F3 (Edit) and replace 751D with
741D. (Notice that after changing 75 to 74, jne became je...)
After typing the change, press F9 (Update) to, of course, write
your new code into vault.exe. Then press F10 (Quit) to exit Hiew.
Note that you must press F10 after you are done; the changes will
not take effect if you merely click the X button to close Hiew.
* Awright... test vault.exe to see if our reverse code engineering
worked.. ;-] Type any Name and Key.. like k5uvt0uk3
or 389utckt3u or b3re529f... etc... You can even leave both of
them blank... Press Test... and voila!! ;-]
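To make the two mechanical steps above concrete, here is a small Python script, added for this tute and not part of the original crackme or of any tool it mentions, that does by hand what W32Dasm's status bar and Hiew's F3/F9 did for us: it reads the PE headers to turn the address 004010C8 into the file offset 4C8, decodes the 1D displacement into the jump target 004010E7, checks that the byte at that offset really is 75 before touching anything, and then writes 74 1D (or, as alternatives, 90 90 so the jump is never taken, or EB 1D so it is always taken). Since vault.exe itself is not included here, the script builds a constructed stand-in image with the layout that makes 4010C8 land on 4C8 (ImageBase 400000, one .text section at RVA 1000 backed by file offset 400); those header values are assumptions about a typical small Win32 EXE, and the function names are mine.

```python
import struct

# x86 opcodes the tutorial talks about (all 2-byte short-jump forms).
JNE_REL8 = 0x75
JE_REL8 = 0x74
JMP_REL8 = 0xEB
NOP = 0x90


def parse_pe32(data):
    """Return (image_base, sections) from a PE32 image held in memory.

    sections is a list of (name, virtual_address, virtual_size,
    raw_pointer, raw_size) tuples read from the section table.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                       # optional header follows COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsections):
        name, vsize, va, rsize, rptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii"), va, vsize, rptr, rsize))
    return image_base, sections


def va_to_offset(data, va):
    """Map a virtual address (what W32Dasm shows) to a file offset (what Hiew needs)."""
    image_base, sections = parse_pe32(data)
    rva = va - image_base
    for name, sva, vsize, rptr, rsize in sections:
        if sva <= rva < sva + max(vsize, rsize):
            delta = rva - sva
            if delta >= rsize:
                raise ValueError("%#x is in the zero-filled tail of %s, not on disk" % (va, name))
            return rptr + delta
    raise ValueError("%#x is not inside any section" % va)


def short_jump_target(insn_va, rel8):
    """Target of a 2-byte Jcc/JMP rel8: next instruction plus the signed displacement."""
    disp = rel8 - 0x100 if rel8 & 0x80 else rel8
    return insn_va + 2 + disp


def patch_short_jne(data, va, mode="invert"):
    """Rewrite the JNE rel8 at `va`. Returns (patched_bytes, file_offset).

    mode="invert": 75 xx -> 74 xx  (je: swaps good and bad paths, the tutorial's patch)
    mode="never":  75 xx -> 90 90  (nop nop: fall through every time)
    mode="always": 75 xx -> EB xx  (jmp: take the branch every time)
    The original opcode is verified before anything is changed.
    """
    off = va_to_offset(data, va)
    opcode, rel8 = data[off], data[off + 1]
    if opcode != JNE_REL8:
        raise ValueError("expected 75 (jne) at offset %#x, found %02X" % (off, opcode))
    new = {"invert": bytes([JE_REL8, rel8]),
           "never": bytes([NOP, NOP]),
           "always": bytes([JMP_REL8, rel8])}[mode]
    out = bytearray(data)
    out[off:off + 2] = new
    return bytes(out), off


def build_sample_pe():
    """Constructed stand-in for vault.exe (assumed layout, not the real file):
    ImageBase 0x400000, one .text section at RVA 0x1000 backed by file
    offset 0x400, and the bytes 75 1D placed where the tutorial found them."""
    img = bytearray(0x600)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)              # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x14C, 1)         # i386, one section
    struct.pack_into("<H", img, 0x94, 0xE0)              # SizeOfOptionalHeader
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x10B)              # PE32 magic
    struct.pack_into("<I", img, opt + 28, 0x400000)      # ImageBase
    struct.pack_into("<8sIIII", img, opt + 0xE0, b".text", 0x200, 0x1000, 0x200, 0x400)
    img[0x4C8:0x4CA] = bytes([JNE_REL8, 0x1D])           # jne 004010E7
    return bytes(img)


if __name__ == "__main__":
    exe = build_sample_pe()
    off = va_to_offset(exe, 0x4010C8)
    print("VA 004010C8 -> file offset %06Xh" % off)
    print("jne target: %08X" % short_jump_target(0x4010C8, exe[off + 1]))
    patched, _ = patch_short_jne(exe, 0x4010C8, "invert")
    print("bytes at offset now:", patched[off:off + 2].hex().upper())
```

Run it as-is to see the numbers the tutorial got by hand. To use it on a real file, read the file into `data` and write the returned bytes to a backup copy rather than over the original. The "invert" mode is the tutorial's patch and has the side effect described above: the genuine Name and Key now fail; "never" is the two-nop alternative that accepts everything.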
There you go.. I hope I educated someone somewhere.. And I do
hope that you, as a newb, understood not just my instructions but
also what was happening while we were cracking vault.exe.. So that
if there is another program that uses a similar protection scheme
to this crackme, you will already know what to do...
And as I've said, and will always say, read read read read
read read read... It's one of the fastest ways to learn, along
with hands-on experience..