Level : newbie
Hi there, if you dont know anything about cracking then this might be a good little beginners tutorial for you.
This CrackMe is totally NOT complicated and I am going to tell you line by line what the program does and
how you can crack/modify it! I rated this newbie because this one is very simple yet good to learn if you want to start
cracking one day and you haven't really got a clue how it all works.
This program is made in assembly. That means that there is absolutley no junk code, only clean code, the code the program
needs to work. If you dontunderstand what I mean with junk code don't mind it, because you will know what I mean the further
you get. All progrma languages other then assembly are HighLevel languages (like C, Visual Basic etc) . Assembly is the lowest
language you can get. All Highlevel language Compilers convert their code to assembly before making an executable of it.
These compilers include a lot of junk code (especially the very highlevel languages), lines of assembly which you dont need.
But dont mind all this, it was some extra info. You don't need to understand this yet.
I assume you use some debugger, Whats a debugger? OMG you are very new to cracking! But ok, A debugger is a disassembler.
It turns the executable back to assembly code for you to understand, not back to its original program language!, but to
assembly. SoftIce seems to be a good debugger but I use OllyDBG, since I am used to get around with it.
So download OllyDBG and open it, it is freeware and widely used so downloading should be a problem.
Choose File -> Open -> m2.exe
Now the debugger is analyzing the code. If you did wel you will get this result in your screen. If you get a other screen,
press ALT + C to get to the main window i am talking about.
1 00401000 >/$ 2BC0 SUB EAX,EAX
2 00401002 |. 83F8 00 CMP EAX,0
3 00401005 |. 74 0E JE SHORT m2.00401015
4 00401007 |. 8D05 25304000 LEA EAX,DWORD PTR DS:
5 0040100D |. 8D1D 25304000 LEA EBX,DWORD PTR DS:
6 00401013 |. EB 0C JMP SHORT m2.00401021
7 00401015 |> 8D05 00304000 LEA EAX,DWORD PTR DS:
8 0040101B |. 8D1D 09304000 LEA EBX,DWORD PTR DS:
9 00401021 |> 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
10 00401023 |. 50 PUSH EAX ; |Title
11 00401024 |. 53 PUSH EBX ; |Text
12 00401025 |. 6A 00 PUSH 0 ; |hOwner = NULL
13 00401027 |. E8 14000000 CALL <JMP.&user32.MessageBoxA> ; MessageBoxA
14 0040102C |. 6A 00 PUSH 0 ; /ExitCode = 0
15 0040102E . E8 01000000 CALL <JMP.&kernel32.ExitProcess> ; ExitProcess
16 00401033 CC INT3
17 00401034 .-FF25 00204000 JMP DWORD PTR DS:[<&kernel32.ExitProcess>; kernel32.ExitProcess
18 0040103A .-FF25 0C204000 JMP DWORD PTR DS:[<&user32.wsprintfA>] ; user32.wsprintfA
19 00401040 $-FF25 08204000 JMP DWORD PTR DS:[<&user32.MessageBoxA>] ; user32.MessageBoxA
Are you shocked? Hopefully not, because this is one of the simplest CrackMe's ever!
If you didn't do so already, open the m2.exe in windows, not tru the debugger. Just open it and see what happens.
If everything is ok you should see a messagebox saying: "Find the secret text!" and the program closes again.
Well how do you find the secret text then? That is where we are going to analyse the code.
I am going to comment every line in the program so actually you are going to learn a new program language: Assembly!
I have numbered all the lines so it is easier to discus. You see 4 coloms in the debugger. THe first colom contains the adres of the code.
Example: 00401000 or 00401003 (these are adresses).
The next colom is not important for now.
The next colom contains the assembly code! and the colom after it contains comments which Olly adds.
Let's begin analyzing the code:
SUB is an opcode and eax is a register. What is a register?
A register is a memory type of the computer. In many tutorials they first teach you how these registers work but I choose to skip that part since it is not that easy and not motivating
to begin with cracking. And you can learn it in many tutorials.
So what does it do?
SUB decreases the first parameter with the second parameter. THis is how it works, "eax = eax - eax". if it was "SUB ebx, eax" then it looked like "ebx = ebx - eax".
So what if you decrease a variable with itself, it becomes nothing, zero. This emptys the memory register eax. eax is NULL, 0, empty, nothing now. You get it?
CMP means compare. it compares the first parameter with the second. If they are equal a flag is set that they are. (dont mind the flag, its not important now). So eax gets compared to 0.
Since eax is 0 (check the previous line) they are
JE means Jump if Equal. THe just compared values are equal so that means that we are going to jump!
Check the line we jump to "m2.00401015".
m2 is the name of the program and 00401015 is the line in the code, so the code between line 3 (00401005) and line 7 (00401015) are skipped by the jump.
So now we are at line 7.
<We skip line 4,5 and 6 which will be explained later>
THis line is a bit more difficult, yet easy enough to understand. LEA is the opcode here and eax, and the DWORD... are the parameters. The first thing you need to know is what LEA does. It puts the memory adres where the value of the second parameter is stored, in the first parameter. You can compare it with the next example:
Johan van Straten (a person which is the value) lives in Dorpstraat 1 (a address). The address only holds the value where Johan lives, but does not include Johan himself.
So the variable which is at the memoryadres is left untouched. Only the adres where it is at, is stored in eax (the memory register).
The same story as line 7. Only the adres of the memory value is putted in ebx (another memory register).
BTW DWORD means it is a 32 bit value. So it could be a word!
Line 9,10,11 and 12:
There is a new opcode again! this time it is PUSH. PUSH pushes a value on the memory stack.
You can see this stack like a pile of books where each book is a value. If you put a new book on the pile it is on top.
So if you put a new value on the stack it is on top to. So what? Just remind this for the next line.
CALL, CALL calls a function. THis time the function is MessageBoxA (see the comment made by Ollydbg).
You can guess that this must be the messagebox you see when you open the program since there is no other call to a messgebox.
The mesagebox function looks like this:
MessageBoxA, hOwner, address to text, address to title, type.
hOwner is not important here, address to text and address to title are. Type is which 'lay-out' you want, like a yes or no button. cancel and ok
functionS read the last values on the stack first. So the value (the book) which is put on the stack, (the pile) is on top and will be read first. The messagebox needs a value for hOwner first, which is pushed last. It is 0 here. And not important.
THe next value is the text (look at the function description) which is pushed as third value but accessed as second (I think you got the idea now of how the stack must work).
The next is the title of the messagebox and next comes the 'lay-out' of the messagebox which is pushed as 0. this is the standard OK layout.
A new value is pushed on the stack, this values is 0. This means it holds a value: zero. It doesn't mean this value is empty.
Dont mind the messagebox function now with the last pushed values etc. That is in the past. The messagebox is done already.
The previous pushed value (which was 0) is read here by the ExitProcess function. THe function looks like this:
ExitProcess, parameter. The parameter is 0 here.
As you might already guessed it: this exits the program.
Take some rest:
OMG that was a lot of typing. I didn't know it would get such a long tutorial! Just take a break now, let the information travel to your inner mind ;)
Or continue, just as you wish.
You might think now: "How does this get me the secret text the messagebox tells me about".
or: "How the f*ck do I ever crack games by knowing this crap?".
I like the first thought, but I dont like the second. You have to learn so much more before you can crack real apps and games.
I am just a beginner and I know nothing yet in the crackers world. (But you did learn from this tutorial! Or you would already stopped reading). This should be more like a hobby for you or something you'd like to learn.
We are going to modify the code now to get to the secret text! Finally ;)
Take a look at line 10 and 11. You see that the title and the text are pushed on the stack and later read by the function
MessageBoxA. If you look a little above you see that the values which are pushed to be read by the messagebox are the adresses in the memory of a 32-bit value. (remember What I told you about line 7 and 8).
So in line 7 and 8 the adresses of 2 values are assigned to eax and ebx which are read by the messagebox function as text!
If you take a look you at the code, you can see that there are 2 other lines which also are using LEA to put some adres in eax and ebx. But
these lines are skipped by the jump (the jump we made before, remember what I told you about line 3).
Those values where never read by the messagebox!. OK, select line 3 and click with the right mouse button. Choose Binary -> Fill with NOP's.
Have you dont this? Hit F9 (or the play button on the left corner of the screen) to start the app with your modification by runnig it trough olly!
If you did it right (which is almost impossible to do wrong ;) ) then you should see a messagebox which says: "You have cracked me!".
You did it! But what happened! Dont close the tutorial yet because this is a important part for you to understand.
What you did is erasing the jump by filling it with NOP's (=No operation). NOP's are just space and occupation of the memory which do absolutely nothing. So the jump is never made and line 4,5 and 6 are not skipped anymore.
On line 4 and 5 happens the same thing as on line 7 and 8, but with other values (the text and the title of the messagebox)
line 6 makes the code jump no mather what.
so JMP means jump.
Look after JMP (skip short) you see it jumps to this
So now line 7 and 8 are skipped! and the messagebox reads the new values you gave it by deleting the jump!
Others things you could do but I am not going to explain, try to figure this out yourself:
- You could have changed line 2. make it compare with 1.
- You could have changed the line where the code needs to jump to if the compare was equal (line 3)
- Assign the other adresses to eax and ebx (which are assigned in line 4 and 5) by changing the addres in line 7 and 8.
I hope you learned something out of this and you completely understood what I was trying to explain.
If you experience any difficulties with cracking this app in OllyDBG or you have any suggestions? You can place a comment on the article, or find my mail in my profile.
Thank you for reading this tutorial! Goodluck in the world of cracking and write some tutorial someday ;)