Masters of Reverse Engibeering.............

Group: soc.culture.hongkong · Group Profile
Author: Damned-Virus-Data Miner providers
Date: Sep 6, 2008 20:41

Cracking for the beginner

by Y0SHi

06/05/97

mm/dd/yy

Hi.

My name is Y0SHi, and I cracked my first program today. I'm a
beginning cracker offering this tutorial to people who are also
beginning crackers (or for people who refuse to admit that they are
beginning crackers =). In this tutorial, we will crack the file
"pw.com" together. You will need Soft-Ice ver 2.62 for Dos. If you
have any questions, comments, or observations, email me
at gargos@juno.com. I hope this helps you learn! NOTE: It took me
about 15 minutes to crack this program on my own with
no external help (like this tutorial) =).

About the target (PW.COM)

PW is a very small file I found on Lord Caligo's website, which
contains various programs and tutorials on how to crack (like
this one). Anyway, in the Programs section, you'll find pw, it is
EXTREMELY small, something like 202 bytes unzipped. This
file is very useful in getting you off on the right foot on how to
crack. Download it, study it, learn it, CRACK IT!

The actual cracking part

Ok, first run the target, pw, a few times to see what's going on.
First, you are prompted to enter your password. If your input
was successful, you get "Password Ok !!", and if not, "Password
Wrong !!".

Load the program into Soft-Ice (using the command "ldr pw.com" [ldr is
Soft-Ice's program loader]). Begin tracing through
the code by pressing "p". You will soon see something similar to the
following:

mov ah, 09
mov dx, 0123       ; 0123 = offset of "Enter Password: "
int 21h            ; DOS function 09: display the '$'-terminated string
                   ; at ds:dx (similar to C's printf or BASIC's PRINT)

You know now that to print out the strings, dos function 09, int 21 is
used. While you're still in Soft-Ice, set a breakpoint on int
21, ah=09 (type in "bpint 21 ah=09"). This will make the program
return to Soft-Ice before every displayed string.

To see where "Password Wrong !!" is printed out, return to the program
and type in any old password. You now should be
back in Soft-Ice. You will see "INT 21H" is highlighted.

1662:01BF INT 21H

To get a clearer view of what's going on, type rip.

IP=01BF (could be different on your PC)

IP=

Type in "01B0"

NOTE: The reason for 01B0: it is a few instructions before the grim
printing of "Password Wrong !!". You could have typed in 01A0 or so.

SECOND NOTE: The segment (1662 above) will be different on your
machine, but the offset will not: DOS loads every .com file at offset
0100 of its segment, so the IP values in this tutorial apply as they
are. If your IP does differ anyway, just subtract 10-20 from the one
you see.

Bingo! You land right in the following code.

OR AL, [BX+DI]  ; AS SOFT-ICE SHOWS IT. NOTE THAT OR IS NOT A REAL
                ; EQUALITY TEST (CMP OR XOR WOULD BE): IT ONLY SETS ZF
                ; WHEN THE RESULT IS ZERO. WHAT MATTERS IS THE JNZ BELOW.
JNZ 01BF        ; IF NOT ZERO, JUMP TO THE DISPLAYING OF "PASSWORD WRONG !!"
LOOP 01A8
MOV AH, 09
MOV DX, 0133    ; OFFSET OF "PASSWORD OK !!"
INT 21H         ; DISPLAY "PASSWORD OK !!"
JMP 01C6        ; JUMP OVER THE "WRONG" MESSAGE TO 01C6 (THE SEGMENT
                ; VARIES ON YOUR MACHINE, THE OFFSET DOES NOT)
01BF: MOV AH, 09
MOV DX, 0155    ; OFFSET OF "PASSWORD WRONG !!"
INT 21H         ; DISPLAY IT (THIS IS WHERE OUR BREAKPOINT FIRED)
01C6: MOV AH, 4C
INT 21H         ; DOS FUNCTION 4C TERMINATES THE PROGRAM

Did you get all that? I think I commented it well enough for people
with little assembly knowledge. Anyway, we DON'T want "Password Wrong
!!" to be shown. We are looking for something to bypass 01BF. Hmm...
got it! After "Password Ok !!" is shown, the code skips the address
where we landed first and terminates the program with ah=4ch/int 21h.

If AL and [BX+DI] are "not equal" (the JNZ is taken), the program
shows "Password Wrong !!"; if they are "equal", "Password Ok !!" is
shown, "Password Wrong !!" is skipped and the program ends. So, if we
want to show the "Password Ok !!" message, we change jnz 01BF to jz
01BF (which means: show "Password Wrong !!" when AL and [BX+DI] are
equal, and "Password Ok !!" when they aren't).

To make this permanent, open up pw.com in a hex editor such as PSEDIT
and search for the opcode bytes 75 0B (jnz 01BF: 75 is the opcode for
jnz, 0B the displacement that lands on 01BF) and replace the 75 with
74 (the opcode for jz). The displacement stays as it is, so the file
size and every other offset are untouched. This will cause the program
to display "Password Ok !!" if you got the wrong password and "Password
Wrong !!" if the password is right. This would be very useful to do to
a network, so that none of the users could get in but you and anyone
else with the wrong password could.

Case two: crackme.com

Get crackme.com from Lord Caligo's website.
Crackme is a program very similar to the above pw.com, except that it
actually has some sort of protection loop; nevertheless,
it is still a very easy crack; all the program does is display a
message and get user input, then runs the input through a
protection scheme to see if the password is correct. However, in this
crack, I won't use a bpint 21 ah=09; this is cheap and
unreliable, it doesn't even work in this case. No, in this scenario I
actually choose to single-step through the code, although this
sometimes wastes a lot of time.

I won't go into much detail on the asm code in this one, but to start,
load up crackme.com with ldr; at the beginning, we see an unconditional
jump (a common opening for .com files, since execution starts at offset
0100 and the data is often kept right after the entry point) to the
start of the code; first, the message is displayed, and then input is
received and run through a protection loop. From this loop we could
figure out what the actual password is, but making the user type in the
right password would be a pain in the ass to them, so we just make it
so every password is considered right.

Anyway, find the string display function (as described in the pw
section); immediately afterwards, the input is received and run through
the loop. There is no mistaking where the loop begins; it starts right
after the "get_keyboard_input" function. Anyway, trace through it until
you reach the conditional jumps referencing the address where "bad
password" is displayed (the most abundant), and simply skip over them
using RIP. Keep doing this for a while until you reach the MOV AH,09 /
INT 21 call; make a note of the address. Go back to the beginning of
the protection scheme; trace through one instruction, and write down
the opcode bytes of the instruction you are now on; the bytes are 8BF2
(mov si,dx).

Now, we want to skip the protection loop and go straight to the
"password ok!" payload, so we assemble "jmp the_address_you_wrote_down"
on top of the second instruction of the protection (why the second
instruction? No real reason, it just felt better) and after that, just
to ensure no "Invalid Opcode" faults from the leftover bytes, put in an
"inc ax" followed by a "dec ax". Now, go back to the beginning of the
code ("rip 0100") and run the program the whole way through. And now,
after the user input, it says "Correct Password!"

Making it stick

Load up PSEDIT or Hexworks or whatever and search for "8BF2". Overwrite
it with E9AE004048 (the opcode bytes for jmp valid_user, inc ax, and
dec ax: E9 is a near jmp with a 16-bit displacement, here 00AE, 40 is
inc ax and 48 is dec ax). Overwrite, don't insert: the five bytes
replace 8BF2 and the three bytes after it, and the file must keep its
length or every offset after the patch shifts. Now, whenever you enter
a password, it'll be right!
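Both patches above come down to the same two checks: is the byte pattern you searched for unique in the file, and does the jump you are writing land where you think it does. The following is an added example of those checks in Python, written for this page rather than taken from the tutorial or from Lord Caligo's crackmes. The sample image is constructed to mirror the pw.com listing above (it is not the real file), and the 0105/01B6 offsets passed to the near-jmp helper are assumed values chosen to reproduce the tutorial's 00AE displacement. The same jz/jnz flip is what part two does again on try_me.com.

```python
# Added example for this page, not code from the tutorial or from the
# crackmes it discusses.  Checks worth doing before saving a hex patch.
COM_BASE = 0x100   # DOS loads a .com at offset 0100h of its segment; the
                   # segment varies per machine, offsets inside the file do not

SHORT_JUMPS = {0x74: "jz", 0x75: "jnz", 0xEB: "jmp short"}


def load_addr(file_off: int) -> int:
    """File offset -> offset seen in Soft-Ice at run time."""
    return COM_BASE + file_off


def short_target(image: bytes, file_off: int) -> int:
    """Run-time target of the 2-byte jz/jnz/jmp short at file_off."""
    if image[file_off] not in SHORT_JUMPS:
        raise ValueError(f"no short jump at {load_addr(file_off):04X}")
    disp = image[file_off + 1]
    if disp >= 0x80:                  # rel8 is signed
        disp -= 0x100
    return load_addr(file_off) + 2 + disp   # relative to the next instruction


def find_unique(image: bytes, pattern: bytes) -> int:
    """File offset of `pattern`; refuse to guess if it is missing or ambiguous."""
    first = image.find(pattern)
    if first < 0:
        raise ValueError(f"{pattern.hex()} not found")
    if image.find(pattern, first + 1) >= 0:
        raise ValueError(f"{pattern.hex()} occurs more than once; extend it")
    return first


def flip_jcc(image: bytes, file_off: int) -> bytes:
    """jnz <-> jz by changing only the opcode byte (case one: 75 0B -> 74 0B)."""
    op = image[file_off]
    if op not in (0x74, 0x75):
        raise ValueError("not a jz/jnz")
    return image[:file_off] + bytes([op ^ 1]) + image[file_off + 1:]


def jmp_near_patch(from_off: int, to_off: int, overwrite: int) -> bytes:
    """E9 rel16 from from_off to to_off (both file offsets, or both load
    offsets), padded with inc ax / dec ax (40 48) to `overwrite` bytes so
    the file keeps its length (case two)."""
    rel = (to_off - (from_off + 3)) & 0xFFFF     # relative to the next instruction
    patch = bytes([0xE9, rel & 0xFF, rel >> 8])
    pad = overwrite - len(patch)
    if pad < 0 or pad % 2:
        raise ValueError("padding must be a whole number of inc ax/dec ax pairs")
    return patch + b"\x40\x48" * (pad // 2)


def patch_in_place(image: bytes, file_off: int, patch: bytes) -> bytes:
    """Overwrite, never insert: inserting would shift every later offset."""
    out = image[:file_off] + patch + image[file_off + len(patch):]
    if len(out) != len(image):
        raise ValueError("patch runs past the end of the file")
    return out


# Constructed stand-in for the tail of pw.com, following the listing above
# (filler up to 01B0, then the code from 'or al,[bx+di]' to the final int 21h).
SAMPLE = bytes(0xB0) + bytes.fromhex(
    "0A01"     # 01B0  or   al,[bx+di]
    "750B"     # 01B2  jnz  01BF
    "E2F2"     # 01B4  loop 01A8
    "B409"     # 01B6  mov  ah,09
    "BA3301"   # 01B8  mov  dx,0133   "Password Ok !!"
    "CD21"     # 01BB  int  21h
    "EB07"     # 01BD  jmp  01C6
    "B409"     # 01BF  mov  ah,09
    "BA5501"   # 01C1  mov  dx,0155   "Password Wrong !!"
    "CD21"     # 01C4  int  21h
    "B44C"     # 01C6  mov  ah,4C
    "CD21"     # 01C8  int  21h
)


def crack_pw(image: bytes = SAMPLE) -> bytes:
    """Case one end to end: find the jnz, confirm it is the 'wrong' branch, flip it."""
    off = find_unique(image, b"\x75\x0B")
    if short_target(image, off) != 0x1BF:
        raise ValueError("75 0B found, but it does not jump to the 'wrong' code")
    return flip_jcc(image, off)


if __name__ == "__main__":
    off = find_unique(SAMPLE, b"\x75\x0B")
    print(f"jnz at {load_addr(off):04X} -> {short_target(SAMPLE, off):04X}")
    print("patched:", crack_pw()[off:off + 2].hex())
    # case two: assumed offsets 0105 -> 01B6 give the tutorial's E9 AE 00 40 48
    print("near jmp:", jmp_near_patch(0x0105, 0x01B6, 5).hex())
```

The uniqueness check is the part that saves you: a two-byte pattern like 75 0B or 8BF2 is common enough that in a larger file a blind search-and-replace can hit the wrong instruction, and a patch that changes the file length silently breaks every jump and string offset after it.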

Contacting the Author

To contact me on IRC, DON'T look for Y0SHi, this is some stupid bot
for www.y0shi.com (no, that's not my web page). Look for YOSHi on
EfNet.

Email: gargos@juno.com
Contacting Lord Caligo: caligo@lords.com, |lAShEr| on efNet

Cracking for the beginner - Part two

by Y0SHi

06/12/97
mm/dd/yy

In part two of this beginners cracking tutorial, I examine one of Lord
Caligo's own creations; try_me.com. This file was
altogether not too difficult, and can be found on Lord Caligo's
website.

And now, the cracking!

Ok, the first thing I did was to disassemble the program with
Sourcer. The listing looks like this:

                in      al,21h          ; port 21h, 8259-1 int IMR
                xor     cx,cx           ; Zero register
                mov     bx,12Ah
                mov     dx,16Ch
                call    sub_1
                call    sub_3
                call    sub_4           ; Sub does not return here
loc_1:
                inc     ch
loc_2:
                int     21h             ; DOS Services  ah=function 00h
                                        ;  terminate, cs=progm seg prefx
                jmpn    loc_3
                db      31h, 32h, 33h
sub_1           proc    near
                or      al,2
                retn
sub_1           endp
sub_2           proc    near
                and     al,0FDh
                retn
sub_2           endp
sub_3           proc    near
                cmp     al,0AAh
                jne     loc_4           ; Jump if not equal
                retn
loc_3:
                inc     cl
                inc     bx
                cmp     ch,3
                je      loc_5           ; Jump if equal
                cmp     al,[bx]
                je      loc_1           ; Jump if equal
                call    sub_5
                jmpn    loc_7
loc_4:
                mov     dx,164h
                jmpn    loc_6
loc_5:
                mov     dx,offset data_2 ; ('')
loc_6:
                mov     ah,9
                int     21h             ; DOS Services  ah=function 09h
                                        ;  display char string at ds:dx
loc_7:
                int     20h             ; DOS program terminate
sub_3           endp
sub_4:
                out     21h,al          ; port 21h, 8259-1 int commands

sub_5           proc    near
                cmp     al,0Dh
                jne     loc_2           ; Jump if not equal
                jmp     short loc_4
sub_5           endp

                db      0C3h
                db      0Ah, 0Dh, 'false$'
                db      ' - TRY*ME v1.00 '
copyright       db      '(c) by Lord Caligo -

In the above code, basically we see that at loc_3, ch is compared with
3, and if they are equal, data_2 ("right") is put into dx and then
printed; after that, the program is terminated with int 20. So, all we
really have to do is change the je loc_5 at loc_3 into jmp loc_5
(actually, in the hex editor loc_5 has to be a real address: a short
jump is encoded as an 8-bit displacement from the next instruction).
So.... the crack for try_me.com:

search for: the bytes given for je loc_5 (7516)
replace with: the bytes for jmp short (EB1C)

(A check before you save: 75 is the opcode of jne/jnz, je/jz is 74, and
EB is jmp short. All three are two-byte instructions whose second byte
is a signed displacement from the next instruction, so changing it from
16 to 1C makes the new jmp land 6 bytes past where the original branch
did. Keep that in mind when reading what happened next.)

WTF???

It seems that when we modified the program, no longer is the prompt for
the password shown; the password is automatically right, you don't have
to enter anything! Tres bizarre! (I'm not French; this is appropriate
though. I am the only American cracker I know)

Why I chose to accept this crack

The reason I didn't go back and alter this crack to ask for a password
is that if you've ever downloaded a cracked password-crippled game, you
notice that most of the time you don't have to enter a password anyway,
the cracker did a good job. So I thought "What the hell, no one wants
to enter a password anyway".

Contacting the Author

To contact me on IRC, DON'T look for Y0SHi, this is some stupid bot for
y0shi.paradise.com (no, that's not my web page). Look for YOSHi on
EfNet.

Email: gargos@juno.com

Contacting Lord Caligo: caligo@lords.com

Cracking for the Beginner - Last Part

by YOSHi

Yes, you read me correctly; this is almost the last part. Well, on
password cracking, anyway. I feel that by the end of this
tutorial, you should be able to find and remove most basic password
protections. Next tutorial, I might actually use real
programs (not ones written to be cracked). Without further ado, I
introduce test1.com and try_me2.com.

Test1.com

LordByte seems to want to help us; he has made five different programs
for us to try to crack, asking for the password, not a patch. In this
tut, I show how to find hard-wired passwords (passwords not scrambled
or rotated or anything). Ok, I use ldr to load up the program and I
enter a dummy password. I typed in: s ds:0 l ffff "1234". Hmm, one
result; we will call it xxxx:xxxx. I first checked it out with an
ed xxxx:xxxx. Definitely my password. I then typed in: bpr (the value
of xxxx:[xxxx - 20]) (the value of xxxx:[xxxx + 20]) rw (thanks
Intruder for teaching me the finer points of this trick). rw means
"all read or write access to the area between the two given
addresses".

Ok, I typed "x" and it brought me back to S-ice. Then my caffeine rush
kicked in, and suddenly I didn't want to crack anymore. So I pressed x
a few times, watching the dump window as I did, and at my last "x", I
saw the word "hardware" written next to my password. Odd, so I ran
test1 again w/o ldr, and I typed "hardware" as my password. It told me
good job, ask LordByte for the next task. I'll do that eventually.

"The crack?" you might ask. Well, when s-ice pops up, you'll see some
code (obviously) and in this code there will be a
conditional jump to the address of the bad_ps termination. Simply
change it to "jmp location_of_good_termination". But why
do that? I gave you the password.

Try_me2.com

You can find try_me2.com on Lord Caligo's page. This was an extremely
easy crack; I'll only show you how I found the password. I loaded up
try_me2.com into PSEDIT, my hex editor, and I was looking for the
strings that showed if the pass was good or bad. I see:

...123...blah
..blah.blah.b
.....etc.....

Is this serious? Anyway, I quit PSEDIT and re-ran try_me2.com with the
pass "123", and what do you know, it worked. Next time, Lord C, at
least xor it with something.

(Comment by Lord Caligo: I didn't crypt the pwd, because you should
crack the file so everybody could enter *every* word... I knew that the
pwd is included in the .com, btw, it's the same in Try ME v1.0)
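As an added example (not part of the tutorial), here is the static version of what the Soft-Ice search and the PSEDIT session above do by hand, in Python: list the '$'-terminated strings that int 21h/ah=09 can print, and separately list printable runs that no '$' terminates, which is what a hard-wired password stored as bare bytes (like the db 31h,32h,33h in the try_me listing) looks like. The image it scans is constructed for the example; it is not try_me2.com or test1.com, and the text in it is made up.

```python
# Added example for this page (not from the tutorial): find DOS prompt strings
# and bare hard-wired text in a .com image, offline, the way the Soft-Ice
# search and the PSEDIT session above do it by hand.
COM_BASE = 0x100   # .com files load at offset 0100h, so file offset + 0100h
MIN_LEN = 3        # shortest string worth reporting


def printable(b: int) -> bool:
    """ASCII text plus the CR/LF that DOS prompts usually start with."""
    return 0x20 <= b < 0x7F or b in (0x0D, 0x0A)


def printable_runs(image: bytes, min_len: int = MIN_LEN):
    """Yield (load_offset, text) for each maximal run of printable bytes."""
    start = None
    for i, b in enumerate(image + b"\0"):        # sentinel flushes the last run
        if printable(b):
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                yield COM_BASE + start, image[start:i].decode("ascii")
            start = None


def dos_strings(image: bytes, min_len: int = MIN_LEN):
    """Strings int 21h/ah=09 can print: printable text ending in '$'.
    Several may sit back to back, so split each run on '$'."""
    found = []
    for off, text in printable_runs(image, 1):
        pos = 0
        while (end := text.find("$", pos)) >= 0:
            if end - pos >= min_len:
                found.append((off + pos, text[pos:end]))
            pos = end + 1
    return found


def bare_strings(image: bytes, min_len: int = MIN_LEN):
    """Printable text that no '$' terminates, so no int 21h/09 call can
    print it.  A password compared byte by byte looks exactly like this."""
    found = []
    for off, text in printable_runs(image, 1):
        tail_start = text.rfind("$") + 1          # 0 when the run has no '$'
        tail = text[tail_start:]
        if len(tail) >= min_len:
            found.append((off + tail_start, tail))
    return found


def search(image: bytes, needle: bytes):
    """Every load offset of `needle`, like Soft-Ice's s ds:0 l ffff "1234"."""
    hits, pos = [], image.find(needle)
    while pos >= 0:
        hits.append(COM_BASE + pos)
        pos = image.find(needle, pos + 1)
    return hits


# Constructed image in the style of the try_me listing: the password is stored
# as bare bytes inside the code, the messages are '$'-terminated.  Not the real
# file; the text in it is made up.
SAMPLE = (
    bytes.fromhex("E90300")        # 0100  jmp 0106, over the data
    + b"123"                       # 0103  hard-wired password, db 31h,32h,33h
    + bytes.fromhex("0C02C3")      # 0106  or al,2 / retn
    + b"\r\nEnter password: $"     # 0109
    + b"\r\nright$"                # 011C
    + b"\r\nfalse$"                # 0124
    + bytes.fromhex("B44CCD21")    # 012C  mov ah,4C / int 21h
)


def report(image: bytes = SAMPLE) -> dict:
    """Everything a first look at an unknown .com should list."""
    return {
        "prompts": [(f"{o:04X}", t.strip()) for o, t in dos_strings(image)],
        "bare": [(f"{o:04X}", t) for o, t in bare_strings(image)],
    }


if __name__ == "__main__":
    for kind, items in report().items():
        for off, text in items:
            print(f"{kind:8} {off}  {text!r}")
```

The split into "prompts" and "bare" is the point: the prompts tell you which int 21h/09 call to break on, and anything printable that the program never prints is a candidate for what it compares your input against. A password that is xor'ed or rotated, as the text above suggests, will not show up in the bare list, and that is when the bpr range breakpoint from the test1.com section earns its keep.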

Contacting the Author

NOTE: To the observant reader, I've changed my nick to YOSHi (you can
have your fucking nick Y0SHI, I think
you suck and are a lame liar - "I've got friends in LOA (hacking
group.)" Yeah, right. I personally know all the
members of LOA, and I've talked to them about your
lameness. This is war fucker.

To contact me on IRC, DON'T look for Y0SHi, this is some stupid bot
for y0shi.parodius.com (no, that's not my web page).
Look for YOSHi on EfNet.

Email: gargos@juno.com
