Kanal23 Trial Crackme 0.1 Solution Tutorial

Tutorials - Level : newbie


Solution for the newbie crackme 'Kanal23 Trial 0.1': killing a nag, enabling a button and finding the serial.




Kanal23 Trial Crackme 0.1 Solution Tutorial
~~~~~~~~~~~~~~~~~~~~~~~~~~

Author : Falcon1

Target : Kanal23 Trial Crackme 0.1 ( http://www.reversing.be/binaries/articles/20060102172137356.zip )

Tool Used : OllyDbg

Date : 2-1-2005

Aimed For : Complete Newbies in reversing, with basic knowledge of assembly instructions

Part 1: Starting The Operation!!!
What we have to do:
1) Kill the nag ;-)
2) Enable the 'Check the serial' button
3) Find out which is the correct serial

First of all, we open our target and see what happens...
hm...we meet the expected nag screen (the messagebox).
We click OK and take a look at the main program's form...
The button we need to click is indeed disabled...
What are we waiting for?
Let's start reversing!!!

Part2 : Some Real Reversing!!!
So...we open up OllyDbg, click File-->Open and select our target (the Kanal23 Trial Crackme 0.1).
The first 5 lines of code are a call to the MessageBox API

Snippet from API Guide:
--------------------------------------------------------------------------------

int MessageBox(
HWND hWnd, // handle of owner window
LPCTSTR lpText, // address of text in message box
LPCTSTR lpCaption, // address of title of message box
UINT uType // style of message box
);

--------------------------------------------------------------------------------
Well, if you don't know any programming language (except win32asm, whose basics you should already know if you want to learn reversing), let me explain: to invoke the MessageBox API we need to pass as parameters a handle to the owner window, a pointer to the text we want displayed, a pointer to the text we want as the caption of the messagebox, and the style of the MessageBox (information, error, warning, etc...).

Disassembly text from OllyDbg:
--------------------------------------------------------------------------------

00401000 >/$ 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
00401002 |. 68 23304000 PUSH original.00403023 ; |Title = "kanal23 - RCE"
00401007 |. 68 31304000 PUSH original.00403031 ; |Text = "{-- The NAG --}
0040100C |. 6A 00 PUSH 0 ; |hOwner = NULL
0040100E |. E8 C7020000 CALL original._MessageBoxA@16 ; MessageBoxA
--------------------------------------------------------------------------------

Hm....In win32asm (you should already know this, but I will explain it) every call to an API is made by pushing the parameters in reverse order (last parameter first) and then calling the API. So, as OllyDbg tells us, the first thing pushed is the style, next the title, ..., you get the idea.
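As an added example (not code from the tutorial or the crackme), here is a small Python parser for OllyDbg listing lines like the ones above: it pairs each stdcall CALL with the PUSHes that feed it and reverses them, using the @N suffix of the decorated import name (e.g. _MessageBoxA@16) to know how many arguments the call takes. The sample listing is the page's own MessageBoxA and EnableWindow lines, re-typed as constructed input.

```python
import re

# Constructed sample input: the OllyDbg lines quoted in this tutorial, in the
# column layout the page shows (address, marker, opcode bytes, instruction, comment).
LISTING = """\
00401000 >/$ 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
00401002 |. 68 23304000 PUSH original.00403023 ; |Title = "kanal23 - RCE"
00401007 |. 68 31304000 PUSH original.00403031 ; |Text = "{-- The NAG --}"
0040100C |. 6A 00 PUSH 0 ; |hOwner = NULL
0040100E |. E8 C7020000 CALL original._MessageBoxA@16 ; MessageBoxA
004011B6 . 6A 00 PUSH 0 ; /Enable = FALSE
004011B8 . FF35 5C324000 PUSH DWORD PTR DS:[40325C] ; |hWnd
004011BE . E8 F3000000 CALL original._EnableWindow@8 ; EnableWindow
"""

STDCALL_RE = re.compile(r"_(\w+)@(\d+)$")  # decorated stdcall name, e.g. _MessageBoxA@16


def parse_line(line):
    """Return (address, mnemonic, operand, comment) for a PUSH/CALL line, else None."""
    code, _, comment = line.partition(";")
    tokens = code.split()
    for i, tok in enumerate(tokens):
        if tok in ("PUSH", "CALL"):
            operand = " ".join(tokens[i + 1:])
            return int(tokens[0], 16), tok, operand, comment.strip().lstrip("/|").strip()
    return None


def reconstruct_calls(listing):
    """Pair each stdcall CALL with its arguments in C declaration order."""
    pending, calls = [], []
    for raw in listing.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        addr, mnem, operand, comment = parsed
        if mnem == "PUSH":
            # OllyDbg's comment names the parameter ("Style = ..."); keep the name only
            pending.append((comment.split("=")[0].strip() or "arg", operand))
            continue
        m = STDCALL_RE.search(operand)
        if m:
            # @N is the argument byte count; stdcall pushes right-to-left, so the
            # last N/4 pushes, read backwards, are the parameters in C order
            api, nparams = m.group(1), int(m.group(2)) // 4
            if len(pending) < nparams:
                raise ValueError(f"{api} at {addr:08X} needs {nparams} pushes, saw {len(pending)}")
            calls.append({"addr": addr, "api": api, "args": list(reversed(pending[-nparams:]))})
        pending.clear()  # a push feeds at most one call
    return calls
```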
Now that we know that those first 5 lines are the messagebox which nags us, we have to disable it.
Lets think...How can we disable some lines of code???
...
...
...
...
...
...
AHA!!!!
By nopping them!!!!
(in case you don't know, nopping means changing their opcodes to NOP). The solution :-)))) : Select those 5 lines, right-click on them and select Binary-->Fill with NOPs.

OK, we disabled the messagebox.

Next objective is to enable the button that we couldn't click!
How could we possibly do such a thing?
Since the crackme is written in win32asm, there are 2 ways that I am aware of:
1) with the EnableWindow API
2) with the SendMessage API sending the WM_ENABLE message
So let's scroll down until we find one of these
...
...
...


00401180 . 6A 00 PUSH 0 ; /lParam = NULL
00401182 . FF35 54324000 PUSH DWORD PTR DS:[403254] ; |hInst = NULL
00401188 . 6A 02 PUSH 2 ; |hMenu = 00000002
0040118A . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hParent
0040118D . 6A 19 PUSH 19 ; |Height = 19 (25.)
0040118F . 68 F5000000 PUSH 0F5 ; |Width = F5 (245.)
00401194 . 6A 37 PUSH 37 ; |Y = 37 (55.)
00401196 . 6A 14 PUSH 14 ; |X = 14 (20.)
00401198 . 68 00008050 PUSH 50800000 ; |Style = WS_CHILD|WS_VISIBLE|WS_BORDER
0040119D . 68 90314000 PUSH original.00403190 ; |WindowName = "Check the serial"
004011A2 . 68 4C324000 PUSH original.0040324C ; |Class = "Button"
004011A7 . 68 00020000 PUSH 200 ; |ExtStyle = WS_EX_CLIENTEDGE
004011AC . E8 F3000000 CALL original._CreateWindowExA@48 ; CreateWindowExA
004011B1 . A3 5C324000 MOV DWORD PTR DS:[40325C],EAX //The handle to the button!!!!
004011B6 . 6A 00 PUSH 0 ; /Enable = FALSE
004011B8 . FF35 5C324000 PUSH DWORD PTR DS:[40325C] ; |hWnd =//The handle to the button!!!!
004011BE . E8 F3000000 CALL original._EnableWindow@8 ; EnableWindow


As you can see, the button is created at 0x004011B1 and is disabled by calling the EnableWindow API at 0x4011BE...
Hmmm.....our objective is to enable the button, so let's just select the second line above the call to the EnableWindow API (the 'PUSH 0' at 0x4011B6) and hit the SpaceBar. In the dialog that appears, replace 'PUSH 0' with 'PUSH 1' and click 'Assemble'.
This way, we tell the crackme to enable the button instead of disabling it (because 0 means FALSE and 1 means TRUE).

Snippet from API Guide:
--------------------------------------------------------------------------------

BOOL EnableWindow(
HWND hWnd, // handle to window
BOOL bEnable // flag for enabling or disabling input
...
);
If the bEnable parameter is TRUE, the window is enabled. If the parameter is FALSE, the window is disabled.
--------------------------------------------------------------------------------

Another way to enable the button would be to nop the three lines that invoke the EnableWindow API, thus leaving the button enabled (all buttons are enabled when they are created).

Wow!!!
We finished step 2!!!
Now let's find the correct password!!!
But first, why don't we save the patched crackme to see our changes in action?
Right-click somewhere in the code, select 'Copy To Executable'-->'All Modifications' and then click 'Copy all'. After that, close the form that pops up and click Yes. Select a filename and save your patched crackme.
Minimize OllyDbg and execute the patched crackme.
...
...
...
No messagebox appears and the button is enabled!!!
We did our job correctly!!!
Leave the text in the edit box as it is and click the desired button.
A messagebox appears telling us that we entered a wrong serial (the so called 'bad_boy' message)...
Back to OllyDbg...
Right-click somewhere in the code and click 'Search For'-->'All Referenced Text Strings'
and double-click on the line where the message telling us that we entered the wrong serial resides.
Then, we are taken to the code where the bad_boy message is invoked.
Scroll up until you reach 0x401210 (just to have a clearer view of the code).
Hmmm...
00401218 . 6A 20 PUSH 20 ; /Count = 20 (32.)
0040121A . 68 60324000 PUSH original.00403260 ; |Buffer = original.00403260
0040121F . 6A 01 PUSH 1 ; |ControlID = 1
00401221 . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00401224 . E8 93000000 CALL original._GetDlgItemTextA@16 ; GetDlgItemTextA
00401229 . 68 72314000 PUSH original.00403172 ; /String2 = "kanal23" //This is the correct serial!!!
0040122E . 68 60324000 PUSH original.00403260 ; |String1 = ""
00401233 . E8 66000000 CALL original._lstrcmpA@8 ; lstrcmpA
00401238 . 0BC0 OR EAX,EAX //if eax is not 0
0040123A . 75 17 JNZ SHORT original.00401253 //jump to the bad_boy message
0040123A // good_boy message is invoked here...

Snippet from API Guide:
--------------------------------------------------------------------------------

UINT GetDlgItemText(

HWND hDlg, // handle of dialog box
int nIDDlgItem, // identifier of control
LPTSTR lpString, // address of buffer for text
int nMaxCount // maximum size of string
);
--------------------------------------------------------------------------------

Snippet from API Guide:
--------------------------------------------------------------------------------

int lstrcmpi(

LPCTSTR lpString1, // address of first string
LPCTSTR lpString2 // address of second string
);
If the two strings are equal, eax is set to 0
--------------------------------------------------------------------------------
So...as you can see, the crackme reads the text in the edit box and compares it to 'kanal23'. If the two strings are identical, the good_boy message is shown. Otherwise, the bad_boy message is shown...
Any comment? YES!!! The correct serial is 'kanal23'!!!
Now, we can close OllyDbg and test our serial...
And indeed it works!!!

Congratulations!!!
But hey, we can change the crackme a little more...
Open the crackme in OllyDbg again and scroll to 0x40116C

0040113E . 6A 00 PUSH 0 ; /lParam = NULL
00401140 . FF35 54324000 PUSH DWORD PTR DS:[403254] ; |hInst = NULL
00401146 . 6A 01 PUSH 1 ; |hMenu = 00000001
00401148 . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hParent
0040114B . 6A 19 PUSH 19 ; |Height = 19 (25.)
0040114D . 68 F5000000 PUSH 0F5 ; |Width = F5 (245.)
00401152 . 6A 0F PUSH 0F ; |Y = F (15.)
00401154 . 6A 14 PUSH 14 ; |X = 14 (20.)
00401156 . 68 80008050 PUSH 50800080 ; |Style = WS_CHILD|WS_VISIBLE|WS_BORDER|80
0040115B . 6A 00 PUSH 0 ; |WindowName = NULL
0040115D . 68 47324000 PUSH original.00403247 ; |Class = "Edit"
00401162 . 68 00020000 PUSH 200 ; |ExtStyle = WS_EX_CLIENTEDGE
00401167 . E8 38010000 CALL original._CreateWindowExA@48 ; CreateWindowExA
0040116C . 68 7A314000 PUSH original.0040317A ; /Text = "Visit www.kanal23.net";
00401171 . 6A 01 PUSH 1 ; |ControlID = 1
00401173 . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00401176 . E8 71010000 CALL original._SetDlgItemTextA@12 ; SetDlgItemTextA

After the edit box is created, the app sets its text to 'Visit www.kanal23.net...'
Now, scroll a bit down to 0x401229
00401229 . 68 72314000 PUSH original.00403172 ; /String2 = "kanal23"
0040122E . 68 60324000 PUSH original.00403260 ; |String1 = ""
00401233 . E8 66000000 CALL original._lstrcmpA@8 ; lstrcmpA

Hmm...the correct serial is held at address 0x403172.
So, at 0x40116C we can PUSH 403172 instead of PUSHing 40317A.
This way, the edit box will contain the correct serial from the beginning and we won't need to type it!
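A small patcher, added here as an example and not part of the tutorial or the crackme, that applies the three edits described in this tutorial (NOP the nag, PUSH 1 before EnableWindow, PUSH the serial's address into SetDlgItemText) and refuses to touch bytes that do not match the listings. The image it patches is constructed from the opcode bytes shown on this page; on the real file you would first map each virtual address to a file offset through the PE section table.

```python
IMAGE_BASE = 0x400000  # image base implied by the 0040xxxx addresses in the listings

# Constructed stand-in for the loaded image: only the opcode bytes the tutorial's
# listings show, placed at their virtual addresses; everything else is zero.
SHOWN_BYTES = {
    0x401000: "6A00 6823304000 6831304000 6A00 E8C7020000",  # the 5-instruction nag
    0x40116C: "687A314000",                                  # PUSH 40317A ("Visit www.kanal23.net")
    0x4011B6: "6A00 FF355C324000 E8F3000000",                # PUSH 0 / PUSH hWnd / CALL EnableWindow
}

def build_image(size=0x2000):
    img = bytearray(size)
    for va, hexstr in SHOWN_BYTES.items():
        chunk = bytes.fromhex(hexstr)  # fromhex ignores the spaces
        off = va - IMAGE_BASE
        img[off:off + len(chunk)] = chunk
    return img

# (virtual address, bytes expected there before patching, replacement bytes).
# The expected bytes come straight from the listings; checking them first means a
# different build, or an already-patched file, is rejected instead of corrupted.
PATCHES = [
    (0x401000, bytes.fromhex("6A00 6823304000 6831304000 6A00 E8C7020000"), b"\x90" * 19),  # nop the nag
    (0x4011B6, b"\x6A\x00", b"\x6A\x01"),                          # PUSH 1 -> EnableWindow(hWnd, TRUE)
    (0x40116C, b"\x68\x7A\x31\x40\x00", b"\x68\x72\x31\x40\x00"),  # PUSH 403172: serial into the edit box
]

def apply_patches(img, patches=PATCHES):
    """Apply each patch in place after verifying the original bytes; returns the image."""
    for va, expect, new in patches:
        off = va - IMAGE_BASE
        if img[off:off + len(expect)] != expect:
            raise ValueError(f"bytes at {va:08X} do not match the listing: wrong file or already patched")
        img[off:off + len(new)] = new
    return img
```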



That's all, I hope you learned something!!!

I was as descriptive and explanatory as I could...


Greets and thankx go to all the members of BiW




Kanal23 Trial Crackme 0.1 Solution Tutorial
Authored by: sally on Saturday, January 28 2006 @ 12:12 AM CET
Thanks Falcon1. This was my first crack. Exciting to see it work. Now on to learn more!!!! Thanks again. Sally
Kanal23 Trial Crackme 0.1 Solution Tutorial
Authored by: d3ltr33 on Sunday, March 19 2006 @ 01:27 PM CET
Great Tutorial! Thank You
 Copyright © 2019 BiW Reversing