
Tutorial for the Vault.exe (for real Newbies)

   

Level: newbie

Patching the vault crackme that is meant for people just starting out with reversing.



Eiy0w Cr4ck3rs 0ut ThuR!!!

Yup, this tut came a little late.. but I do believe that it's not yet too late.
I know, by the time that I'm typing this tute, there are still hopeful newbies out there who are aspiring to become Crackers/Reversers.

The reason that I wrote this tute is because I find the solutions for the vault.exe crackme that are currently available quite difficult to understand for a newbie.. (Well.. I'm also just a newbie..). Especially for those who are just starting, trying to look for nice crackmes to practice on. Instead of learning something, they find themselves lost not just in the code but in the tutorials as well, because the tuts were vaguely written and can only be understood by the experienced. I'm not saying that I have the best tut for this crackme.. and I have nothing against the authors of the previous tuts of the said crackme either.. I'm just hoping to keep the Cracking/Reversing World alive and active by educating the starters in a more, at least, comprehensive way..

I do hope that I made a clear point here...

So I made my own version of the solution, made it more detailed, hoping that the newbies could easily get what I am saying in this tut.

So this tut is really intended for the newbies of the Cracking world. For advanced crackers... well...
You may not have the need to read this tut anymore..

Tools you'll need:
* A Computer ---> (Of course... geez...)
* W32Dasm v. 8.xx or higher ---> (You can get this anywhere on the net...)
* Hackers View (Hiew) v. 6.xx or higher ---> (There's plenty on the net too...)
* Your full attention.. Yup, give your attention to this tut till the end..

Knowledge of how to use W32Dasm and Hiew is needed. So I assume that you, well, at least have a little knowledge of how W32Dasm and Hiew work.

The CrackMe:
* vault
* The info.txt file says that we should find the correct Name and Key for this crackme.
But I made a little twist here. We are not going to find the correct Name and Key, but make any Name and Key be recognized as a correct Name and Key! And that is called Reversing the code.. Hehie.. confused already?! I hope not... ;-]

We'll be dealing with Assembly code here, so for you newbs, if you don't know anything about it yet, I suggest you study it first, so that we will have no difficulty in understanding the terms that I'm gonna be using in this tut. Read more files about Assembly and related topics for your dose of info. Yup, you'll really have to read read read read read...
If you're too lazy for that, then cracking/reversing is not for you...

For those who already know, good for you.. you're one step closer to knowledge..
There are still hundreds and thousands of steps though.. ;-]

Okay.. Enough with the talking.. Let's Crack!

* We will be altering the codes of the crackme, so I personally suggest that you backup the original file so that you will still have a spare file just in case you messed with the default codes of the original file.
* Run "vault.exe".
* Enter any Name and Key...then click the Test button.
* An error message should pop up, saying "No Access!".
* Try to memorize that error message (Write it down on a piece of paper if you must... ;-] )
* Now run W32Dasm, and disassemble vault.exe.
* If it's the first time you're using W32Dasm, the disassembled file will show garbage characters at first.
* To get rid of this:
  * In W32Dasm's toolbar, click Disassemble/Font/Select Font
  * I suggest Courier New, 10.
  * Then save that font as the default (You know how.. )
* In the toolbar of W32Dasm, click that button w/ a flashlight icon (Yup, you guessed it right... it's the Find Text button.)
* Type the error message that popped up when you entered the invalid Name and Key ("No Access!").
* After pressing enter, you should land here:

Possible StringData Ref from Obj -> "No Access!"

:004010EE 6861304000 push 00403061
:004010F3 FF7508 push [ebp+08]

* Now.. pay attention here.. We need to find Conditional Jumps here (It'll be quite long if I explain it here.. So as I've said, read more text files about Assembly language..).
Scroll up a few lines until you see something like this:

Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004010C8(C)

Saw that right..?

Good...

* Now scroll up a bit more and try to find the location of 004010C8.
You should stop right here:

:004010C8 751D jne 004010E7

An easier alternative for this is to click the GoTo Code Location button in the toolbars and enter the hex value.

* Notice that the cyan-colored highlight from before has now become green; that is because we are highlighting a jump.
While highlighting :004010C8 751D jne 004010E7, the status bar on the bottom part of W32Dasm should be:

Line:150 Pg 3 and 4 of 9 Code Data @:004010C8 @Offset 000004C8h in File:vault.exe

* The only thing we need to remember here is the Offset value, which is 000004C8h.
Recall: In hex notation, 000004C8h = 4C8 (I don't have to explain why, right...?) ;-)
Copy that hex value on a piece of paper (..or memorize it..)..
It'll be used later..
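
Where the status bar's pairing of code address 004010C8 with file offset 4C8 comes from, as an added example that is not part of the original tutorial: the address is looked up in the PE section table. The image base and section values below are assumptions chosen to agree with that pair, not values read from vault.exe.

```python
from typing import NamedTuple, Optional

class Section(NamedTuple):
    name: str
    rva: int        # where the section is mapped, relative to the image base
    vsize: int      # bytes it occupies in memory
    raw_ptr: int    # where its bytes start in the file on disk
    raw_size: int   # how many bytes the file actually stores for it

# ASSUMED layout (constructed for this example, not read from vault.exe).
IMAGE_BASE = 0x00400000
SECTIONS = [
    Section(".text", 0x1000, 0x0200, 0x0400, 0x0200),
    Section(".data", 0x3000, 0x1000, 0x0800, 0x0200),
]

def va_to_offset(va: int, sections=SECTIONS,
                 image_base: int = IMAGE_BASE) -> Optional[int]:
    """File offset holding the byte mapped at `va`, or None if no file byte backs it."""
    rva = va - image_base
    for s in sections:
        if s.rva <= rva < s.rva + max(s.vsize, s.raw_size):
            delta = rva - s.rva
            # Memory past raw_size is zero-filled by the loader; it has no
            # bytes on disk, so there is nothing to locate in a hex editor.
            return s.raw_ptr + delta if delta < s.raw_size else None
    return None  # PE headers or an unmapped address

def offset_to_va(offset: int, sections=SECTIONS,
                 image_base: int = IMAGE_BASE) -> Optional[int]:
    """Inverse lookup: the address a file offset is loaded at, or None."""
    for s in sections:
        if s.raw_ptr <= offset < s.raw_ptr + s.raw_size:
            return image_base + s.rva + (offset - s.raw_ptr)
    return None  # offset lies in the headers or in padding

if __name__ == "__main__":
    # 0x004010C8 - 0x00400000 = 0x10C8; 0x10C8 - 0x1000 = 0xC8; 0x400 + 0xC8 = 0x4C8
    print(f"{va_to_offset(0x004010C8):X}")
```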

* Now close W32Dasm (don't just minimize it, exit it! ;-] You will not be able to make changes to vault.exe if it is being used or being run by another program.. ;-] ) and run HackersView (Hiew for short..).
(I suggest you run Hiew on the same folder with the vault.exe, so that it would be easier to browse for vault.exe)

* After Hiew-ing vault.exe, you should of course see a garbage of characters. Press F4, and select Decode as your view mode. You can also press Enter to switch between the view modes. Now that you are in Decode mode, press F5 (GoTo), and type the Offset value that we got earlier. That is... 4C8 (or just 4c8... it's not case sensitive...)

Now let's go back to this:

:004010C8 751D jne 004010E7

Take note of the value, 751D. In Assembly language, the value 75, as well as jne, stands for jump if not equal. (1D is the number of bytes we are going to jump down)
That means that if the Name and Key we entered is not equal to the correct one, the message box saying "No Access!" will appear, telling us that the Name and Key we entered was not the correct one. BTW: There is only one correct Name and one corresponding Key for the crackme.

* So what we are going to do is reverse the said code, we will reverse jump if not equal to jump if equal, or je.

In ASM Code:
75 = jne or jump if not equal
74 = je or jump if equal

* Using Hiew, we will replace 751D with 741D.

Doing so will make the vault recognize any Name and Key to be the correct one, and the error message will only appear if the correct Name and Key is entered.
Code Reversing...at its best! Hehie.. ;-]
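
How the two bytes 75 1D decode, as an added example that is not part of the original tutorial. It goes beyond the two opcodes listed above and covers the whole short-jump family (70 to 7F, plus EB for an unconditional jump); the function names are made up for this sketch.

```python
import struct

# Short conditional jumps are opcodes 0x70-0x7F, each followed by one signed
# displacement byte. 0xEB is the unconditional short jump, same layout.
JCC = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
       "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]

def decode_short_jump(code: bytes, address: int):
    """Decode the 2-byte short jump located at `address`.

    Returns (mnemonic, target_if_taken, fall_through_address).
    """
    if len(code) < 2:
        raise ValueError("need an opcode byte and a displacement byte")
    opcode = code[0]
    if 0x70 <= opcode <= 0x7F:
        mnemonic = JCC[opcode - 0x70]
    elif opcode == 0xEB:
        mnemonic = "jmp"
    else:
        raise ValueError(f"0x{opcode:02X} is not a short jump")
    (disp,) = struct.unpack("b", code[1:2])   # signed: 0x80-0xFF jump backwards
    fall_through = address + 2                # address of the next instruction
    # The displacement is counted from the NEXT instruction, not from the jump.
    target = (fall_through + disp) & 0xFFFFFFFF
    return mnemonic, target, fall_through

def inverted(code: bytes) -> bytes:
    """Opposite conditions differ only in bit 0 of the opcode (75 <-> 74)."""
    if not 0x70 <= code[0] <= 0x7F:
        raise ValueError("not a conditional short jump")
    return bytes([code[0] ^ 1]) + code[1:]

if __name__ == "__main__":
    for raw in (bytes.fromhex("751D"), inverted(bytes.fromhex("751D"))):
        name, target, nxt = decode_short_jump(raw, 0x004010C8)
        print(f"{raw.hex().upper()}  {name} {target:08X}  (else continue at {nxt:08X})")
```

Both forms still branch to 004010E7 or fall through to 004010CA; only the condition under which the branch is taken changes.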

Okay, back to Hiew and you (O.o? Hmm...)
Where are we again...?
Oh..Okay..

* Now on your Hiew window, press F3 (Edit), and replace 751D with 741D.
(Notice that after changing 75 to 74, jne became je...)
After typing and changing, press F9 (Update), to of course, update your new code for vault.exe.
Then press F10 (Quit), to exit Hiew. Note that you must press F10 after you are done or the changes will not take effect if you just merely clicked the X button to close Hiew.

* Awright... try to test vault.exe if our Reverse Code Engineering worked.. ;-]
Type any Name and Key.. like k5uvt0uk3 or 389utckt3u or b3re529f... etc...
You can even leave both of them blank...
Press Test...And WaLLa!! ;-]

There you go.. I hope I educated someone somewhere.. And I do hope that you, as a newb, understood not just my instructions but also what was happening while we were trying to crack the vault.exe.. So that if there is another program that uses a similar protection scheme to this crackme, you will already know what to do...

And as I've said, and what I will always say, read read read read read read read...
It's one of the fastest ways to learn, along with hands-on experience..

-=Kuya Darkcide Xhadow=-
PrOuD tO bE pinOy!

Pinoys.. KeEp On RoCkin!
BiSaYa Ni Bai!!

...end of file...




Tutorial for the Vault.exe (for real Newbies)
Authored by: detten on Friday, May 06 2005 @ 11:38 AM CEST

Doing so will make the vault recognize any Name and Key to be the correct one, and the error message will only appear if the correct Name and Key is entered.
Code Reversing...at its best! Hehie.. ;-]
Why not patch it so that both invalid and valid logins work?

I would never patch from jne -> je
instead I'd recommend the following :

* JE -> JMP
* JNE -> NOP
Tutorial for the Vault.exe (for real Newbies)
Authored by: modchip on Monday, March 06 2006 @ 09:26 AM CET
Nice one, bro! Keep up the good work! Mabuhay!