This one was challenging for me, and took me several hours, but was fun. I got caught up on certain parts that may not have been too difficult, but, yeah…
http://crackmes.de/users/tripletordo/ice9/
You can download the executable here: Ice9.zip.
The first thing I noticed is probably the ‘trick’, which was simply a call to IsDebuggerPresent. I modified the assembly immediately after from JNE to JE so that it only runs if a debugger is present, allowing me to attach my debugger.
00401071 74 0A JE SHORT Ice9.0040107D
This took a lot of trial and error. My strategy was to replicate the logic. Once I got to the point ‘ecx at 0040119c’ I was home free.
```cpp
#include <cstdio>
#include <iostream>
#include <string>
using namespace std;

int main(int argc, char *argv[])
{
    if (argc != 2) {
        cout << "Bad usage, enter a name > 4 letters" << endl;
        return 1;
    }

    string name = argv[1];
    string ostring = name;
    int i;

    // first reverse the string
    for (i = 0; i < name.length(); i++) {
        name[i] = ostring[name.length() - i - 1];
    }

    if (name.length() < 4) {
        cout << "name must be more than 4 letters chief" << endl;
        return 1;
    }

    // sum the characters of the reversed name, skipping its first one;
    // 'A'..'Z' (65..90) get 44 added before they are summed
    int v1 = 0;
    int cum = 0;
    for (i = 1; i < name.length(); i++) {
        v1 = name[i];
        if (name[i] <= 90) {
            if (v1 >= 65)
                v1 += 44;
        }
        cum += v1;
    }

    // ecx at 0040119C
    cum = 9 * (12345 * (cum + 666) - 23);

    // convert the value to decimal digits, least significant digit first
    char chr_403119[122];
    unsigned int v;
    i = 0;
    // no bounds checking
    do {
        v = cum;
        cum /= 0xA;
        chr_403119[i++] = v % 10 + 48;
    } while (v / 10);
    chr_403119[i] = '\0';
    printf("%s", chr_403119);

    string serial = "";
    // reverse the string; start at the last digit, not at the '\0'
    // terminator, so the serial does not begin with a NUL byte
    for (--i; i >= 0; --i) {
        serial += chr_403119[i];
    }
    cout << serial << endl;

    // append all chars except the 'first' three to the end
    for (i = 3; i < ostring.length(); i++) {
        serial += ostring[i];
    }
    cout << serial << endl;
    return 0;
}
```
My plan on this one, since it was interesting enough and because it’s relatively easy to break at the final value, is to break this a completely different way. I’d like to write a Python debugging script that bypasses the IsDebuggerPresent check and just grabs the final value in the compare at 004011FF. This should be relatively straightforward, and hopefully a good ‘hello, world’ to the world of Python debugging. Stay tuned.