Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   How to become a solid cracker (Advices for beginners).txt (https://forum.exetools.com/showthread.php?t=2477)

dynio 08-10-2003 20:56

How to become a solid cracker (Advices for beginners).txt
 
Lately I've been receiving messages and mails pretty often with the same question: "what do I have to do to be a skilled reverser/cracker, what tools do you use?". Well, there is no golden rule :(. I suppose it's composed of three elements: WORK, WORK and... WORK. Anyway, if someone is still wondering where she/he should begin, please read this advice.

A set of must-have tools:
LordPE - PETools - PEExplorer - ProcessExplorer - Revirgin - ImportRec - Advanced Registry Tracer - SoftSnoop - ApiMonitor - FileMon - RegMon - Spy&Capture - ResourceHacker - ResourceTuner - ResourceBuilder - OllyDbg - W32Dasm - SoftIce - IDA - Dede - EnhancedDebugger (it's GREAT) - BDasm - Debuggy - HexEditor - WinHex - UltraEdit - Med - MASM (remember to update link.exe and ml.exe from VS NET) - TASM - packers/unpackers - any C++ compiler (Borland, Microsoft, DJGPP...).

Tutorials:
TKC - Fravia - +ORC - Iczelion - manual unpacking (aspack, asprotect, telock, armadillo, etc.) - dongle removing (envelope, dumping...) - import table rebuilding - exceptions - adding visual functions to any program - Assembly Style - Art of Disassembly - Opcodes help - Intel Pentium Instructions Reference - PC Assembly Language (it's GREAT) - Art of Assembly Programming (yes, it's HUGE but there's no need to read it all, 20-30% is enough) - Windows API - Codebreakers - The Assembler Environment - PE Format Explained (or other good PE tutorials).

Cryptography:
First of all, cryptography knowledge doesn't make You much stronger in cracking. It can make You more serious in reversing and protecting. I know that most of You are discouraged when You hear about MD5, IDEA, RC4 etc. Believe me, in the beginning You don't need it. Just try to ask any SKILLED cracker what a "collision" is, what "Floyd's cycle finding algo" does, which is faster: MD4 or MD5?, what MD5, SHA and RIPEMD have in common. These are only a few principles of cryptography. Not to blame these crackers - I can bet 95% of them don't know the correct answer just because they don't need it at all. As a proof let's take Armadillo and ExeShield. Both of them use STRONG CRYPTOGRAPHY but in order to fully crack them You need (I'm assuming the amount of time) about 3-7 hours for Arma and 1-2 hours for ExeShield. Why? Only because cryptography is less important. The real power is hidden in antidebug, antidump and antitrace tricks and that's what You should learn. OK, let's stop here, as it's beginning to turn into a tutorial :) and we don't need that.
Titles: - Handbook of Applied Cryptography - Cryptography Theory and Practice.

I hear You all.... "What is this jerk talking about?! That would take 80% of my free time! I've no willingness for these stupidities! I want to become famous! NOW!... ". Well, then go and masturbate yourself in some public toilet or start singing with Britney Spears. If You want to become famous then You're in the wrong place - there is no space here to explain why. If You read and understand the mentioned titles and provide Yourself with this software, You should become more than an average cracker - You should be ON THE TOP. Then, someday, I'll be glad to have the chance to ask You for help.

Please remember that all You've read above is only my private opinion. I hope that it helped at least one solid and honest forthcoming scene member (to be truthful: I'm not a scene member :(). Greetings and regards to all the people visiting the ExeTools forum (especially the pleasant ones: Wassim and Jay :).

Lunar_Dust 08-10-2003 21:50

Well said :) In the end, all it really takes is a lot of READING and WORK.

-Lunar

an0nymous 08-10-2003 21:58

..omg

time - that is all what you need

trust me..

Katrin 08-17-2003 09:01

a beginner is no winner (yet)!
 
Hey dynio,
why don't you prepare a 'beginner's package' in which you include all your tutorials and then upload it. I think it would be nice and fun. Greetings.

MaRKuS-DJM 08-17-2003 18:36

yes, time is all you need... and sometimes help from professional crackers. and of course many tutorials

uban 08-17-2003 20:38

why not crypto thread ?
 
Why not open a crypto thread here, where the experienced "decrypter" would share their basic and advanced techniques with the curious ones?

ArC 08-17-2003 21:06

Quote:

...where the experienced "decrypter" would share...
Experienced Decrypter?

dynio 08-18-2003 15:38

Tutorials
 
OK guys, I'm glad to hear some of You have found it useful. About tools: I'm not sure all the tools I'm using are free to distribute but if You have strong reasons... why not?
Get ready for the cryptographic intro I'll post within 1-2 days. I've chosen ExeShield as a target because it uses Rijndael, SHA and MD5. Moreover it's protected with Xtreme Protector. Yeah, I was a bit surprised too. As far as I know, Xtreme Protector is the hardest one, so prepare for a lot of fun.
I could post it today, but during writing it has grown to more than 20kb! I must cut out the Xprotector subject because it's too big, and the way I've played with it was not so bright (I don't think You want to write a SoftIce macro which patches over 100 bytes).
What You'll get is a cryptographic intro which will show You the way the most popular algorithms work (the principles) and how keygenerators are built. After reading You will be able to keygenerate ExeShield without touching its code or changing anything inside the file.

Regards.

dj-siba 08-18-2003 18:08

dynio: Thanks for your time, and to all who wrote tuts...

Regards

ArC 08-19-2003 00:56

Did you break Xtreme-Protector's protection?

A about that would be nice :)

Isn't that strange? Someone protects his *OWN* protector with *ANOTHER* protector by another company?

:rolleyes:

[I know I already asked this in the Software Release forum. Why do you think that it is protected with Xtreme-Protector?]

dynio 08-19-2003 16:16

Xtreme Protector
 
Hehe, as I said: v2.8a is Xtreme protected. I'm sure because I've spent a few hours dancing with this protector (over 100 patched bytes LIVE inside the code). Be ready... And I agree with You, I was a bit surprised too (protecting a protector with another competitive protector).

Regards.

ArC 08-19-2003 21:38

That's strange.....

Every Xtreme-Protector app contains the following things:
  • at least one section which is named XPROT (ok..the section can be renamed easily)
  • the message: "Cannot write Xprotector.vxd. Make sure that this file is not being used by another program"
  • you can find: Xprotector.sys XPROTECTOR \\.\XPROTECTOR \\.\Global\XPROTECTOR
  • you can find some APIs for installing drivers.
  • You can find the text: "Xtreme-Protector Error Xtreme-Protector Cannot open XPROTECTOR.SYS driver. Please, make sure that you have administrator's permits the first time that you are going to run this program Cannot open XPROTECTOR.VXD driver. Make sure that XPROTECTOR.VXD is not open by another program Xprotector driver has been updated, you need to restart your computer to finish the installation of the driver. Do you want to restart your computer now?"

These messages are ALWAYS put into a Xprot app no matter what protection options you choose.

However, I couldn't find ANY of the things mentioned above :confused:

I also bypassed the s-ice detection by simply loading icedump.

That's neither possible with the first release (1.0) nor with the current version (1.05) (of Xtreme-Protector)

Xtreme-Protector does NOT allow you to turn off debugger detection.

Sorry..but I'm a bit confused....
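
As an added example (not code from this thread), a small Python triage check for the indicators ArC lists above: a section named XPROT and the XPROTECTOR driver, device and error strings. It assumes a headers-only PE layout constructed inline for testing; on a real sample the bytes would simply be read from disk.

```python
"""Triage check for the Xtreme-Protector indicators listed in the post:
a section named XPROT plus the XPROTECTOR driver/device and error strings.
Added example, not code from the thread; sample bytes are constructed."""
import struct

# Literal indicators quoted from the post (matching is case-sensitive).
XPROT_SECTION = "XPROT"
XPROT_STRINGS = [
    b"Xprotector.sys",
    b"Xprotector.vxd",
    b"XPROTECTOR",
    b"\\\\.\\XPROTECTOR",
    b"\\\\.\\Global\\XPROTECTOR",
    b"Cannot open XPROTECTOR.SYS driver",
    b"Xtreme-Protector Error",
]


def pe_section_names(data: bytes) -> list:
    """Walk the PE headers and return the section names; [] if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                      # COFF file header (20 bytes)
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size             # section table follows optional header
    names = []
    for i in range(nsections):
        off = table + i * 40                 # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("latin-1"))
    return names


def scan_for_xprotector(data: bytes) -> dict:
    """Report which indicators are present; the XPROT section, or two or
    more of the strings, is enough to call the sample likely Xtreme-protected."""
    has_section = XPROT_SECTION in pe_section_names(data)
    found = [s.decode() for s in XPROT_STRINGS if s in data]
    return {
        "xprot_section": has_section,
        "strings": found,
        "likely_xprotector": has_section or len(found) >= 2,
    }


def build_sample(section_names, payload: bytes) -> bytes:
    """Constructed, headers-only PE blob for offline testing (not a real binary)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x10F)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sections + payload


if __name__ == "__main__":
    suspect = build_sample([b".text", b"XPROT"], b"Xprotector.sys\0\\\\.\\XPROTECTOR\0")
    print(scan_for_xprotector(suspect))
```

A renamed XPROT section (the post notes this is easy) still leaves the embedded strings, which is why the string count is a second, independent signal.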

ArC 08-19-2003 21:56

However, I'm looking forward to your tutorial :)

uban 08-20-2003 02:22

Great deal
 
Sounds like a great deal, Dynio. Go on!

dynio 08-20-2003 15:09

My, oh my...
 
Arc: How often do I need to write the same words? :) Check this out: exeshield homepage . Download the file.
You are right about vxd/sys/envelope etc. The problem is You are playing with an old version of ExeShield. And forget about any SoftIce hiding tools and tricks. THEY DON'T WORK WITH XTREME PROTECTOR. It was some fun for me to rip the ExeShield 2.8 code.
Bad news: I won't write a solution for XProtector because I know they are reading this forum. As I've written in other previous posts: I don't want to teach them.
I've finished the tutorial, but it's explaining the protection scheme (MD5) in ExeShield 2.8 - not the XProtector itself. All that I can tell You about XProtector is: it's not so hard to turn it off during work. The only problem was to find the incovex ideas (not the well known ones). I've found three methods to skip this protector.
As I would like to help as much as I can, I'm open to helping You all with certain applications protected with XProtector (dump, reverse, disassemble...). Also if You're interested in some fragments of XProtector feel free to ask me.

Regards.

an0nymous 08-20-2003 16:42

thats normal..

armadillo pimps read almost all forums too :)

gorge 08-21-2003 12:55

Re: My, oh my...
 
Quote:

Originally posted by dynio
Arc: How often do I need to write the same words? :) Check this out: exeshield homepage . Download the file.
You are right about vxd/sys/envelope etc. The problem is You are playing with an old version of ExeShield. And forget about any SoftIce hiding tools and tricks. THEY DON'T WORK WITH XTREME PROTECTOR. It was some fun for me to rip the ExeShield 2.8 code.
Bad news: I won't write a solution for XProtector because I know they are reading this forum. As I've written in other previous posts: I don't want to teach them.
I've finished the tutorial, but it's explaining the protection scheme (MD5) in ExeShield 2.8 - not the XProtector itself. All that I can tell You about XProtector is: it's not so hard to turn it off during work. The only problem was to find the incovex ideas (not the well known ones). I've found three methods to skip this protector.
As I would like to help as much as I can, I'm open to helping You all with certain applications protected with XProtector (dump, reverse, disassemble...). Also if You're interested in some fragments of XProtector feel free to ask me.

Regards.


Please tell us what the three methods are. If you do not want to post publicly please PM the information to me. We would like to know how you crack Xprotector. I can say I cracked Xprotector and keep the information to myself hahahahaha



:)

xobor 08-21-2003 14:21

it looks to me like child's play - my brother is bigger:eek: , no no no mine is much much bigger than yours:eek:

:D

if dynio wrote that he broke xtreme protector he knows why (s)he wrote that, everybody can take the last exeshield and look if it is protected by xtreme protector

if exeshield is xtreme protected and dynio keygened it that is proof that (s)he broke xtreme protector

just my 2 cents

dynio 08-21-2003 15:32

1 Attachment(s)
Gorge: You are very strange, again. As I said before, it's cracked and the protection tutorial is ready (the last thing I'm doing is cutting it as much as I can - I don't want to bore You all while reading - it's 12kb at the moment and I think that's ok). If I say that after reading You'll be able to keygen it Yourself without touching its code, how could I know the steps if I hadn't cracked it????. I won't publish an XProtector tutorial because I know they are searching the web for their protector's tutorials and tools, also I know they are reading this forum (more about the so called "Xtreme Protector Team" in my tutorial). Thanks to Xobor I know there are still a few serious persons. Download this attachment and see it Yourself.... Intentionally I haven't smudged anything, You can check the addresses Yourself - what do You say then, Gorge?

Regards.

ArC 08-21-2003 22:51

dynio please don't be angry... I'm just confused...

I mean: I already protected some apps with Xtreme-Protector... So I know that you CANNOT fool the s-ice detection by simply loading Icedump...

But that's what I did... And the app runs.... I have a normal version of icedump...nothing is patched...

Also I have the LATEST version of ExeShield

I have attached a screen shot of my ExeShield version... (2.8a)

I have taken this picture while Softice AND icedump were loaded...

When I try to run a Xprot app and S-Ice/Icedump are loaded I get at first a blue screen and afterwards the message that a cracker's tool was detected... (Win98 System)

But this doesn't happen when I run exeshield... Once Icedump is loaded exeshield runs w/o probs... And that's REALLY strange...

Or they used a kind of insecure lite version of Xtreme Protector... Who knows....

[Notice: I did not attach the file because it didn't work]

gorge 08-21-2003 22:52

Quote:

Originally posted by dynio
Gorge: You are very strange, again. As I said before, it's cracked and the protection tutorial is ready (the last thing I'm doing is cutting it as much as I can - I don't want to bore You all while reading - it's 12kb at the moment and I think that's ok). If I say that after reading You'll be able to keygen it Yourself without touching its code, how could I know the steps if I hadn't cracked it????. I won't publish an XProtector tutorial because I know they are searching the web for their protector's tutorials and tools, also I know they are reading this forum (more about the so called "Xtreme Protector Team" in my tutorial). Thanks to Xobor I know there are still a few serious persons. Download this attachment and see it Yourself.... Intentionally I haven't smudged anything, You can check the addresses Yourself - what do You say then, Gorge?

Regards.

You do not need source code to crack it Dynio, it uses MD5. Can bruteforce within a couple of hours, uses registration number and user's name plus an added string to confuse blah blah blah
I already have a keygen but don't waste my time, I'm more interested in Xprotector and how it works internally and what techniques you used. Here to learn, share your knowledge



:)

dynio 08-22-2003 15:25

First: who said I've used IceDump???. I haven't used any SoftIce extension. The system I use is WinXP.
Second: "username and string"??? You missed. It's username+bios date+computername+string+.... but I suppose You know that....(?)
Third: You have a keygen for 2.8??? Show us by posting it on the forum and then I'll crack any application protected by Xtreme Protector for You (once).
If You won't post it I'll assume You're lying.

Regards.

ArC 08-22-2003 16:36

dynio: read your PMs pls ;)

dynio 08-22-2003 16:38

Ok. George, I can't hide I'm pissed...
If You're judging someone then make it clear to the end. I've shown You it's registered and properly disassembled. So, now what??? You didn't answer this subject. Also You're talking about a keygen for 2.8 - does it exist??? As I said, if You show us this keygen during the next 2-3 days, I'll crack any application, chosen by You, which is XTreme protected. Let's call it a challenge. And please, don't write things You haven't verified. The final key is MD5 indeed (as I've written in a previous post) but how the fu*k can someone reverse "within few hours" an MD5 hash with an input length of more than 20 bytes?????? , even when a collision occurs?. George, I'm disappointed. I suppose You'll learn something about that in my tutorial. Grow up, then someday, we will have a serious discussion.

Regards.

an0nymous 08-22-2003 19:08

dynio my friend, don't waste ur time with these stupid lam0rs

maximize ur skills and have phun

and discussion about a public tutor? fuck that..

rspct

gorge 08-23-2003 03:42

Quote:

Originally posted by dynio
Ok. George, I can't hide I'm pissed...
If You're judging someone then make it clear to the end. I've shown You it's registered and properly disassembled. So, now what??? You didn't answer this subject. Also You're talking about a keygen for 2.8 - does it exist??? As I said, if You show us this keygen during the next 2-3 days, I'll crack any application, chosen by You, which is XTreme protected. Let's call it a challenge. And please, don't write things You haven't verified. The final key is MD5 indeed (as I've written in a previous post) but how the fu*k can someone reverse "within few hours" an MD5 hash with an input length of more than 20 bytes?????? , even when a collision occurs?. George, I'm disappointed. I suppose You'll learn something about that in my tutorial. Grow up, then someday, we will have a serious discussion.

Regards.

I usually do not send out keygens as I am not a chief, I am here to learn and increase knowledge, but I will make an exception this time. I will send a keygen for v2.7b. When you download the keygen you will know I tell the truth Dynio. My keygen is 7K written in Masm,
the file is exeshield2.7b.zip. I have hidden the last byte of the key with '?' so you know it is me. You can compare my keygen with Orion to test results, they are identical.

You are still the master Dynio :D

Regards

Satyric0n 08-23-2003 05:59

Hmm.. dynio specifically said a keygen for version 2.8, not 2.7...

Lunar_Dust 08-23-2003 06:21

that is sweet, dynio. Hope I can get that good eventually. :)

Ya skamer is right, Arma pimps frequent this board. I wont share any more latest (easy) unpacking techniques because of that. But I have DLL/OCX unpacker 98% done for newest ARma...hahahahah take that Chad.

-Lunar

gorge 08-23-2003 07:20

Quote:

Originally posted by Satyric0n
Hmm.. dynio specifically said a keygen for version 2.8, not 2.7...
I have one for 2.8a, a small change from 2.7b.....I do not have one for the latest version 2.8b as it is completely different and no longer uses MD5
as the algorithm from early tests, or it is hidden and I am blind :rolleyes:

uban 08-24-2003 22:28

Tutorial - wassup ?
 
Tutorial - wassup ?

uban 08-24-2003 22:29

Tutorial - wassup ?
 
May I remind the involved ones of the announced tutorial? Excuse my impatience....

Uban.

taipan 08-25-2003 01:55

1 Attachment(s)
well...IMHO exeshield v2.8a downloaded from their server is NOT xprotected.

size of my exeshield.exe: 1111478 bytes (2003/08/18 13:21)

xprotector (v1.05):
- clears interrupt 1 (sets offset to 0xFFFFFFFF)
- clears interrupt 3
- hooks interrupt 0e (page fault)

- hooks NT service 0xba (NtReadVirtualMemory)
- hooks NT service 0x101 (NtTerminateProcess)

- creates file %windir%\\system32\\drivers\\xprotector.sys if it does not exist (ring0 driver)

- creates a lot of (20+) threads, besides the original ones. Exeshield.exe has only 1 thread.

To bypass this exeshield.exe's protection, you only have to change kernel32!IsDebuggerPresent API's return value.

See attachment.
I have WinXP, used windbg.

dynio 08-25-2003 15:31

OK girls and guys.... Sorry for the looong delay with the tutorial... Check the "General Discussion Forum" within one hour. I'll post the whole tutorial there. Also, I see there are still some questions like: "is it Xtreme Protected?" To make You sure, within one hour I'll upload my version to the FTP under ExeShield2.8.
Taipan: my version creates more than 20 threads.
Gorge: everything is just fine, I think we are missing the points sometimes... :)

Regards.

dynio 08-25-2003 19:12

The tutorial has been posted. I'm still encountering problems with uploading ExeShield 2.8a to the FTP (password doesn't work). I'll keep trying.

Taipan:
The ExeShield.exe file I'm talking about and describing in tutorial is 2.629.632 bytes long.

And guess what? I've visited their site now and they have removed Xtreme Protector envelope in 2.8b. I dunno why??

I'll upload the version I'm talking about to the FTP.

Danzig 08-28-2003 02:29

Quote:

Originally posted by dynio
And guess what? I've visited their site now and they have removed Xtreme Protector envelope in 2.8b. I dunno why??
Quote from the X-Protector site: -

"As special offer, we give you the opportunity to get your program fully protected for free with Xtreme-Protector and release your product on internet and see the results that you get. If after a month or so you are satisfied with the results, you can buy Xtreme-Protector, if you are not happy you give us NOTHING."

I guess their trial ran out ;)

dynio 08-28-2003 17:08

Exactly, man.... and I suppose they have heard (or maybe read on this forum) that 2.8a was pulled out of Xtreme Protector. Anyway, I'm still VERY surprised they used XProtector.

Greetings.

Lunar_Dust 08-28-2003 20:41

LOL. What a challenge they put forth, kinda egotistic...especially if they were prior crackers themselves (dyn!o's hint in the tute). Perhaps Daemon? or +Splaj from Fravia board? hmm...

-Lunar

dynio 08-29-2003 17:13

Lunar Dust: You missed :):).

Of course I could be wrong because HE DOESN'T KNOW ME, nor do I know him... But I'm pretty sure I've traced him... :) If You have known the reversers/crackers scene for at least 3-5 years You should guess him too... He always wanted to be on the top (and he did it) also he was VERY OFTEN OFFENDED. Please don't ask me... :)

Regards.

Lunar_Dust 08-29-2003 23:11

I can still dump an xprotected app using a little trick up my sleeve :) of course it still has some junk bytes. All in good time

also, they are not the only ones who can write system drivers

-Lunar

dynio 08-30-2003 22:24

Sure they aren't.
Also it is not impossible to write an unpacker... The driver should only gain the lowest control, it doesn't need to be full of procedures - I see using this level only for initialization, then giving back full control to the main thread. Most of the people are scared of XProtector because SoftIce extensions don't hide this debugger - then legends about XProtector are being written... :)
Syd (Stripper author) was the first one writing an efficient ASprotect unpacker with device driver routines. And I have a big respect for him for that.

