This one was challenging for me, and took me several hours, but was fun. I got caught up on certain parts that may not have been too difficult, but, yeah…
http://crackmes.de/users/tripletordo/ice9/
You can download the executable here: Ice9.zip.
The first thing I noticed is probably the ‘trick’ which was simply a call to IsDebuggerPresent. I modified the assembly immediately after from JNE to JE so that it only runs if a debugger is present, allowing me to attach my debugger.

    00401071 74 0A JE SHORT Ice9.0040107D
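The one-byte patch above, checked in an added example (not part of the original post): it decodes the short conditional jump at 00401071, confirms the 0040107D target, and lists which bytes differ from the unpatched form. The unpatched bytes 75 0A are an assumption (JNE rel8 with the same displacement), and both buffers are constructed from the disassembly line.

```python
# Added example; byte buffers are constructed from the disassembly line above.
PATCH_VA = 0x00401071
PATCHED = bytes([0x74, 0x0A])    # JE SHORT 0040107D, as shown in the post
ORIGINAL = bytes([0x75, 0x0A])   # assumption: JNE rel8, same displacement

# Short (rel8) conditional jumps occupy opcodes 0x70-0x7F; bit 0 selects
# the negated condition, so JE (0x74) and JNE (0x75) differ by one bit.
MNEMONICS = ["JO", "JNO", "JB", "JNB", "JE", "JNE", "JBE", "JA",
             "JS", "JNS", "JP", "JNP", "JL", "JGE", "JLE", "JG"]


def decode_short_jcc(code, va):
    """Return (mnemonic, target VA) for a 2-byte short conditional jump."""
    if len(code) < 2 or not 0x70 <= code[0] <= 0x7F:
        raise ValueError("not a short conditional jump")
    disp = code[1] - 0x100 if code[1] & 0x80 else code[1]  # signed rel8
    # The displacement is relative to the end of the 2-byte instruction.
    return MNEMONICS[code[0] - 0x70], (va + 2 + disp) & 0xFFFFFFFF


def invert_short_jcc(code):
    """Flip the condition (JNE <-> JE, ...) and keep the displacement."""
    decode_short_jcc(code, 0)  # raises if this is not a short Jcc
    return bytes([code[0] ^ 1]) + bytes(code[1:])


def changed_bytes(before, after, va):
    """List (VA, old byte, new byte) for every byte that differs."""
    if len(before) != len(after):
        raise ValueError("buffers must be the same length")
    return [(va + i, a, b)
            for i, (a, b) in enumerate(zip(before, after)) if a != b]


if __name__ == "__main__":
    for label, code in (("original", ORIGINAL), ("patched", PATCHED)):
        name, target = decode_short_jcc(code, PATCH_VA)
        print(f"{label}: {PATCH_VA:08X} {code.hex(' ').upper()} "
              f"{name} SHORT {target:08X}")
    for va, old, new in changed_bytes(ORIGINAL, PATCHED, PATCH_VA):
        print(f"changed byte at {va:08X}: {old:02X} -> {new:02X}")
```

Because the whole check hinges on a single opcode byte, comparing the code section against a known-good copy is enough to spot this kind of patch.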
This took a lot of trial and error. My strategy was to replicate the logic. Once I got to the point ‘ecx at 0040119c’ I was home free.

    #include <cstdio>
    #include <iostream>
    #include <string>
    using namespace std;

    int main(int argc, char *argv[]) {
        if (argc != 2) {
            cout << "Bad usage, enter a name > 4 letters" << endl;
            return 1;
        }
        string name = argv[1];
        string ostring = name;
        int len = (int)name.length();
        int i;

        // first reverse the string
        for (i = 0; i < len; i++) {
            name[i] = ostring[len - i - 1];
        }
        if (len < 4) {
            cout << "name must be more than 4 letters chief" << endl;
            return 1;
        }

        // sum the reversed name from index 1 on; 'A'..'Z' get 44 added
        int v1 = 0;
        int cum = 0;
        for (i = 1; i < len; i++) {
            v1 = name[i];
            if (name[i] <= 90) {
                if (v1 >= 65)
                    v1 += 44;
            }
            cum += v1;
        } // ecx at 0040119C
        cum = 9 * (12345 * (cum + 666) - 23);

        // convert to decimal digits, least significant digit first
        char chr_403119[122];
        unsigned int v;
        i = 0;
        // no bounds checking
        do {
            v = cum;
            cum /= 0xA;
            chr_403119[i++] = v % 10 + 48;
        } while (v / 10);
        chr_403119[i] = '\0';
        printf("%s\n", chr_403119);

        string serial = "";
        // reverse the string; start at the last digit, not the terminating
        // NUL, so the serial does not begin with an embedded '\0'
        for (--i; i >= 0; --i) {
            serial += chr_403119[i];
        }
        cout << serial << endl;

        // append all chars except the 'first' three to the end
        for (i = 3; i < len; i++) {
            serial += ostring[i];
        }
        cout << serial << endl;
        return 0;
    }

My plan on this one, since it was interesting enough and because it’s relatively easy to break at the final value, is to break this a completely different way. I’d like to write a Python debugging script that bypasses the IsDebuggerPresent check and just grabs the final value in the compare at 004011FF. This should be relatively straightforward, and hopefully a good ‘hello, world’ to the world of Python debugging. Stay tuned.