Newbie Help - CrackMe Help


Trope

Programmer
May 14, 2001
Code I need help with is below.

I have always been interested in learning how to better protect my software.

I am studying ASM in order to better understand how reverse engineers (as they like to call themselves) break in to my code.

The learning curve is steep - but onward I march.

I have become quite proficient in "patching" my programs. Thus far, I am unable to "fool" myself by writing time-sensitive software that I cannot "patch". Disappointing, but true.

Now, however, I am attempting to see if I can actually create serial numbers from an algorithm within the program. And to better understand this, I am practicing with "crackmes" found on the web.

That being said, here is my problem - a very simple program



First, I patched this thing easily enough by NOP'ing a JMP. But I want to know how this thing generates a serial.

Like lots of people recommend, I used Olly.

Here are the steps I have taken, and what I have accomplished. Again, I am new at this - and I REALLY would appreciate your explanations.

I loaded the program in Olly and ran it. I entered TROPE and 12345 as the password.

Then I set a breakpoint. I chose to set it on USER32.GetDlgItemTextA

and Olly sends me here:

004010A5 . FF15 54204000 CALL DWORD PTR DS:[<&USER32.GetDlgItemTe>; \GetDlgItemTextA
004010AB . 85C0 TEST EAX,EAX
004010AD . 75 1C JNZ SHORT Snake.004010CB
004010AF . 6A 30 PUSH 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL

I think I know what is going on here (PLZ TELL ME IF I AM WRONG WITH ANY OF THIS), the TEST EAX, EAX is seeing if we entered our name - if not, Jump to Error. Easy enough.

Then I continued stepping by pressing F8 to go over the call. After a few times I end up here:

00401103 > E8 A2010000 CALL Snake.004012AA
00401108 . 84C0 TEST AL,AL
0040110A . 75 1C JNZ SHORT Snake.00401128
0040110C . 6A 30 PUSH 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL


The CALL at 00401103 appears to be related to checking something, so I went into it. And got this:

004012AA /$ 50 PUSH EAX
004012AB |. 56 PUSH ESI
004012AC |. BE 00174000 MOV ESI,Snake.00401700
004012B1 |> 8B06 /MOV EAX,DWORD PTR DS:[ESI]
004012B3 |. 8326 00 |AND DWORD PTR DS:[ESI],0
004012B6 |. 83C6 04 |ADD ESI,4
004012B9 |. 85C0 |TEST EAX,EAX
004012BB |.^75 F4 \JNZ SHORT Snake.004012B1
004012BD |. BE 001D4000 MOV ESI,Snake.00401D00 ; ASCII "12345"
004012C2 |> 8A06 /MOV AL,BYTE PTR DS:[ESI]
004012C4 |. 84C0 |TEST AL,AL
004012C6 |. 74 18 |JE SHORT Snake.004012E0
004012C8 |. 3C 30 |CMP AL,30
004012CA |. 72 0C |JB SHORT Snake.004012D8
004012CC |. 3C 3A |CMP AL,3A
004012CE |. 72 0D |JB SHORT Snake.004012DD
004012D0 |. 3C 41 |CMP AL,41
004012D2 |. 72 04 |JB SHORT Snake.004012D8
004012D4 |. 3C 47 |CMP AL,47
004012D6 |. 72 05 |JB SHORT Snake.004012DD
004012D8 |> 5E |POP ESI
004012D9 |. 58 |POP EAX
004012DA |. B0 00 |MOV AL,0
004012DC |. C3 |RETN
004012DD |> 46 |INC ESI
004012DE |.^EB E2 \JMP SHORT Snake.004012C2
004012E0 |> 5E POP ESI
004012E1 |. 58 POP EAX
004012E2 |. B0 01 MOV AL,1
004012E4 \. C3 RETN

And here is where I am lost. As I said, I am new to assembly but I think I am close on this one. It appears that the program is looping through each character and doing something with it. What I am not sure though.

These lines appear to be doing some checking of some sort:

004012C8 |. 3C 30 |CMP AL,30
004012CA |. 72 0C |JB SHORT Snake.004012D8
004012CC |. 3C 3A |CMP AL,3A
004012CE |. 72 0D |JB SHORT Snake.004012DD
004012D0 |. 3C 41 |CMP AL,41
004012D2 |. 72 04 |JB SHORT Snake.004012D8
004012D4 |. 3C 47 |CMP AL,47

If I am not mistaken:
30 = ASCII 0
3A = :
41 = A
47 = G

I have tried stepping through this slowly, but got nowhere.

Can anyone walk me through this? And again, I am an absolute beginner - but will look up anything in your answer I don't understand.

Thanks a million. I am ANXIOUSLY awaiting a response.

I have spent 2 days on this believe it or not. I have to sometimes look up each and every command I don't understand.

Best Regards,
J Tropeano
Programmer / Analyst
McLeodUSA.com


Ps. WAS I EVEN CLOSE? Probably not, but I am not quitting until I understand each and every line! :)
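The routine at 004012AA, rewritten in C as an added example (this is not code from the original post or from the crackme, and the function names, the sample serials and the sample buffer are my own). Both loops are written branch for branch from the listing above, with the original comparison constants kept, so each `if` can be checked against the instruction it mirrors. The first loop zeroes DWORDs starting at 00401700 until it reads one that was already zero; the second walks the serial at 00401D00 and returns AL=1 only if every byte is '0'..'9' or 'A'..'F'.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Mirror of the loop at 004012B1..004012BB: read a DWORD, zero it, advance,
 * and keep going until the DWORD that was read was already zero.
 * Returns the number of DWORDs visited (the terminating zero included). */
size_t clear_until_zero_dword(uint32_t *buf)
{
    size_t n = 0;
    for (;;) {
        uint32_t v = buf[n];   /* MOV EAX,DWORD PTR DS:[ESI] */
        buf[n] = 0;            /* AND DWORD PTR DS:[ESI],0   */
        n++;                   /* ADD ESI,4                  */
        if (v == 0)            /* TEST EAX,EAX / JNZ loop    */
            break;
    }
    return n;
}

/* Mirror of the loop at 004012C2..004012E4. Returns 1 (MOV AL,1) when the
 * NUL-terminated string is empty or every byte is an upper-case hex digit,
 * and 0 (MOV AL,0) on the first byte that is not. JB is an unsigned compare,
 * so bytes >= 0x80 also fall out at the last test. */
int serial_chars_ok(const char *s)
{
    for (;; s++) {                       /* INC ESI / JMP SHORT 004012C2 */
        unsigned char al = (unsigned char)*s;  /* MOV AL,BYTE PTR DS:[ESI] */
        if (al == 0)                     /* TEST AL,AL / JE 004012E0 -> AL=1 */
            return 1;
        if (al < 0x30)                   /* CMP AL,30 / JB 004012D8 -> AL=0 */
            return 0;
        if (al < 0x3A)                   /* CMP AL,3A / JB 004012DD: '0'..'9' ok */
            continue;
        if (al < 0x41)                   /* CMP AL,41 / JB 004012D8: ':'..'@' fail */
            return 0;
        if (al < 0x47)                   /* CMP AL,47 / JB 004012DD: 'A'..'F' ok */
            continue;
        return 0;                        /* falls into 004012D8: 'G' and above fail */
    }
}

/* Constructed sample: a 6-DWORD buffer with a zero in slot 3. The first loop
 * must zero slots 0..3 and leave slots 4 and 5 alone. Returns 1 on success. */
int clear_demo_ok(void)
{
    uint32_t b[6] = { 1, 2, 3, 0, 5, 6 };
    size_t n = clear_until_zero_dword(b);
    return n == 4 && b[0] == 0 && b[1] == 0 && b[2] == 0 && b[3] == 0
           && b[4] == 5 && b[5] == 6;
}

int main(void)
{
    /* Constructed serials: the one from the post, upper/lower hex, a
     * separator, an out-of-range letter, and the empty string. */
    const char *samples[] = { "12345", "DEADBEEF", "deadbeef",
                              "12:45", "1234G", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s -> AL=%d\n", samples[i], serial_chars_ok(samples[i]));
    printf("buffer clear loop: %s\n", clear_demo_ok() ? "ok" : "FAILED");
    return 0;
}
```

Two things the listing shows that are easy to miss while single-stepping: the empty serial passes this routine (the TEST AL,AL on the first byte goes straight to MOV AL,1), and lower-case hex fails, because 'a' (0x61) is not below 0x47. Neither branch computes anything from the characters, so this call is only a character-class gate; the serial algorithm itself has to be further along the path that the JNZ at 0040110A takes.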
 
Not exactly sure what you are looking for, but I know assembly code.

cmp al, 30: this compares the byte value in the AL register to 30.

jb short snake: if it's below, it jumps a short distance (less than 128 bytes) to the label snake at that offset.

If it's not below, it falls through the routine without jumping to that label.
Hope this helps some.

Thaz
 
The part you traced into is the part that will tell you "you can do better than that" or whatever it says... if you enter "0123456798ABCDEF" any of those characters :p
Trace beyond that... here's a tip:

Name : NAMENAMENAMENAMENAMENAMENAMENAME
Serial : SERIALSERIALSERIALSERIALSERIAL

this makes it easy to spot in memory, and will avoid the "you can do better" messagebox too. :)
 