Sorry this update took so long. This update is also a bit longer and has a little less guidance as it will simply require you to make use of some of the previous lessons to build your C code.
Let’s get to work on the rest of the key generation algorithm. First off, remember we have to call subChangeQWORD() four times and skip every 9th character of the serial, so the four 8-byte segments are consumed without the character that sits between each pair. The disassembly at 0x40111A shows this happening, but the four calls are laid out inline rather than in a loop. Since the programmer wrote this in straight assembly, it may well have been written as a loop and then unrolled, by hand or with an assembler macro, trading a larger binary for a little speed.
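The looped form of that segment walk, as an added example that is not the tutorial's own code: `split_serial()` pulls the four 8-byte segments out of a 35-character serial at offsets 0, 9, 18 and 27 (so indices 8, 17 and 26 are the ones skipped), and `transform_serial()` applies a per-segment function to each in turn, which is what the four inlined calls amount to. The crackme's real transform is not reproduced here; `demo_reverse` is a placeholder I supplied, and the serial string in `main()` is constructed for the demo, not taken from the crackme.

```c
/* Added example, not code from the tutorial: loop over the four 8-byte
 * segments of a 35-character serial, skipping every 9th character. */
#include <stdio.h>
#include <string.h>

#define SERIAL_LEN 35
#define SEG_LEN    8
#define SEG_STRIDE 9    /* 8 segment bytes plus the one skipped character */
#define SEG_COUNT  4

/* Offset of segment i within the serial: 0, 9, 18, 27. */
size_t segment_offset(int i)
{
    return (size_t)i * SEG_STRIDE;
}

/* Copies the four segments into segs, leaving out the characters at
 * indices 8, 17 and 26. Returns 0 on success, -1 if the serial is not
 * exactly SERIAL_LEN characters long. */
int split_serial(const char *serial, unsigned char segs[SEG_COUNT][SEG_LEN])
{
    if (serial == NULL || strlen(serial) != SERIAL_LEN)
        return -1;
    for (int i = 0; i < SEG_COUNT; i++)
        memcpy(segs[i], serial + segment_offset(i), SEG_LEN);
    return 0;
}

/* Per-segment transform, the role subChangeQWORD() plays in the crackme. */
typedef void (*segment_fn)(unsigned char seg[SEG_LEN]);

/* Placeholder transform (hypothetical, NOT the crackme's algorithm):
 * reverses the 8 bytes in place so the effect is visible in the output. */
void demo_reverse(unsigned char seg[SEG_LEN])
{
    for (int a = 0, b = SEG_LEN - 1; a < b; a++, b--) {
        unsigned char t = seg[a];
        seg[a] = seg[b];
        seg[b] = t;
    }
}

/* Splits the serial and runs fn over each segment: the looped equivalent
 * of the four inlined calls in the disassembly. Returns 0 or -1. */
int transform_serial(const char *serial, segment_fn fn,
                     unsigned char segs[SEG_COUNT][SEG_LEN])
{
    if (split_serial(serial, segs) != 0)
        return -1;
    for (int i = 0; i < SEG_COUNT; i++)
        fn(segs[i]);
    return 0;
}

int main(void)
{
    /* Constructed sample serial: 4 x 8 characters with 3 separators = 35. */
    const char *serial = "01234567-ABCDEFGH-IJKLMNOP-QRSTUVWX";
    unsigned char segs[SEG_COUNT][SEG_LEN];

    if (transform_serial(serial, demo_reverse, segs) != 0) {
        fprintf(stderr, "serial must be %d characters\n", SERIAL_LEN);
        return 1;
    }
    for (int i = 0; i < SEG_COUNT; i++)
        printf("segment %d (offset %2zu): %.8s\n", i, segment_offset(i), segs[i]);
    return 0;
}
```

Swapping `demo_reverse` for your own port of subChangeQWORD() is the only change needed to turn this into the real key walk; the offset arithmetic and the length check stay the same.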
Anywho, here’s our new main() that will operate on the full 35-character serial instead of just the one segment we did previously:
Well, that was quite a diversion. Back in Part I we’d started with the code just before this, labeled GetTextBoxSerial.
I don’t have nearly the free time I did when I decided to turn the BratAlarm crackme into a tutorial. I’m still working on it though! I just end up getting 10-20min here and there, half of which is spent re-reading half of what I wrote the last time.
I squeezed out a couple little things for the sprite editor too and did a little more spring cleaning. As usual, I got distracted with some side projects. I wanted to brush up more on my C so I started doing more exercises. I also bought all the components to build my new VDI server, as well as a better router – with DD-WRT to boot.
My VDI server went from an old Core 2 Duo with 8GB of DDR2 RAM to an i7-3820 with 16GB of DDR3 RAM (expandable to 64GB). Luckily, the Asrock X79 Extreme6 board uses the same Intel RAID controller so I was able to just migrate the VM RAID array over without issue. Ditto for the Debian host drive. I got tired of the kludgy performance too so I converted all my VirtualBox VMs to KVM and serve that up via SPICE. I’m still a bit hamstrung by bandwidth though; the server’s 100 Mbps Wi-Fi connection through a range extender struggles with streaming a 1080p desktop. I picked up another three 300GB VelociRaptors to eventually add some mirroring to the array, as well as a 3TB WD Red for file storage and backups.
I’m almost done with Part IV of the Bratalarm Crackme tutorial series. I’ve been plugging away at it little by little but I’m still working on a few other projects as well.
I started sifting through code in old backups and dumping anything halfway useful or interesting to GitHub. I also started working on a sprite editor for Seven Kingdoms, one of my favorite games of all time. It was released as open source a few years back and I’ve been following the project closely for a bit. It’s definitely helped me brush up on my C++. I have a lot of fun altering the AI more so than anything else, though I’ve helped out with a couple bugs too.
I’ve always hated just about anything to do with graphics and design and that was part of what drew me to working on the sprite editor. I realized it’s one (of the undoubtedly many) element of programming I’ve pretty much never dealt with. My first project with graphics was a mini Zelda clone proof-of-concept in QBASIC.
I got my Raptors in. It took a bit to figure out how to get everything working correctly, especially the RAID. Turns out the RAID is technically software RAID provided by the SATA controller.
Once I set up the volume in the RAID configuration utility (by pressing CTRL+I during POST), I had to mount it from /dev/mapper/isw_bbahhidib_raid… not a device handle I’d expected. Afterwards, mkfs.xfs did the trick.
Next up was copying all the VMs over. I still haven’t had time to set up anything in KVM yet but I can tell I’ll need to in order to squeeze a wee bit more performance out of this poor little Core 2 Duo. For now, VirtualBox does the trick via [phpvirtualbox](http://sourceforge.net/projects/phpvirtualbox/), with special thanks to this tutorial.
One of the reasons I took a pause from reversing the Bratalarm Crackme and the Zender virus* is because I acquired a few goodies from a RadioShack that was closing up shop.
Among the many things I acquired at a fantastically low price, I got an entire POS system. It’s an HP rp5700 with a Core 2 Duo, 1GB RAM and an 80GB WD Blue. It’s no powerhouse but I did get excited seeing the small form factor and the commensurate 240W power supply. It’s a bit hamstrung by the Core 2 Duo @ 2.13GHz and 1GB RAM – and the motherboard can’t take the Core 2 Quad I had lying around. At least it can run with 8GB RAM though so I picked that up on eBay for $30. The other desktop machine I have is that Core 2 Quad, 3-point-something-GHz, but the Gigabyte EP31-DS3L mobo is capped at 4GB and the architecture is a bit aged so it runs pretty warm and the four 120mm case fans are incredibly loud. Coupled with the FoxConn GeForce 9800GTX due to the lack of onboard video, it’s also not terribly conservative of electricity. It’s pretty much sat dormant for two years now. I’ve stuck with running multiple VMs on my very capable MSI GE70 with a Core i7.
Right off the bat, I want to talk about the ethics of “keygenning.” Bottom Line: Pay for your software. If you can’t pay for someone else’s creative works, you should use something else. If you’re a student, look into student programs through your school, or programs like DreamSpark. The crackme (or “keygenme”) we’re using was created by someone for fun, for us to crack for fun. Reversing someone else’s code with a specific, achievable goal in mind is fun for me.
Notice there’s another loop, so we’re not done messing with the Name field. Rather than sit and watch this, set a breakpoint at the DIV instruction, three lines past the end of the loop, and let it run.
We’re going to go over a crackme from CrackMes.de. I’m going to assume you have a bit of background in x86 Assembly and some other high-level language with C-like syntax (C, C++, JavaScript, Java). You should also have at least played around with a debugger, like OllyDbg, and a disassembler, like IDA Pro.
This particular crackme can be found here. You’ll need an account to download it. I’ll note that I’ve used this site with my real email address for several years and have never experienced any spamming or security issues. YMMV, of course, but don’t be too afraid.
At the time of this writing, there were two other solutions with tutorials posted. One of them is quite extensive but concentrates on a mathematical shortcut based on a hint provided by the programmer. The other is just very straightforward and meant for those who have experience with crackmes and are just moving on to this slightly more difficult one. This tutorial will focus on recreating* the algorithm in C. As I said above, I assume you already have a bit of experience or at least know enough to be able to acquire and set up IDA and OllyDbg yourself. You should always be wary of downloading and running software from unknown sources. As far as I can tell, this code is safe, but that could change between now and the time you download it, so I can’t stress enough how much I recommend you use VMs. I run IDA and OllyDbg in a Windows XP VM and do all this writing on a Linux VM, both of which are running on VirtualBox.
* Not really “recreating” since the code was originally written in assembly, but the point is to create higher-level code from a disassembly.
To begin, let’s fire up the crackme and see what it does.