Tutorial for Crackme 5 by fusS
 
Info

File : Crackme 5 by fusS
Tutor : Miele
Level : Beginner
Tools : W32Dasm, SoftIce, Regedit

Comments are in blue
Tutorial

Hello, in this tutorial we'll try to crack the crackme5 by fusS. It plays around a little with the windows registry. Oops, I already told you too much :) You can download the crackme here[f_crackme05.zip - MISSING]

First, we start by loading the file in to W32Dasm. We have to find a breakpoint to make the program break into SI. And it won't break on the usual 'Getdlgitemtexta' or 'hmemcpy'...
Scroll to the program entry point.

In the beginning of the program we see some API-references like 'LoadIconA' and 'LoadCursorA'.
Also, 'ShowWindow' and some others...
This is to put the program-window on your screen.
We also see CreateWindowExA. We'll use this one to break on in SI.

But first we look for some more information...

We see the text strings like 'fusS crackme #05 coded on 03/25/01'...

We scroll a little further and we see this: 
* Possible StringData Ref from Data Obj ->"SoftWare\TrickSoft\fusS\Crackme05\"

:0040118F 68BF304000    push 004030BF     ;push string
:00401194 6802000080    push 80000002
* Reference To: ADVAPI32.RegCreateKeyExA, Ord:0149h 

:00401199 E814020000    Call 004013B2     ;Creates a registry key. 
                                          ;If the key already exists, it opens the key
* Possible StringData Ref from Data Obj ->" "

:0040119E 6827314000    push 00403127
:004011A3 684B314000    push 0040314B     ;push your name on the stack
:004011A8 68AB314000    push 004031AB
:004011AD 6A00          push 00000000
* Possible StringData Ref from Data Obj ->"UserName"

:004011AF 68E2304000    push 004030E2
:004011B4 FF3543314000  push dword ptr [00403143]
* Reference To: ADVAPI32.RegQueryValueExA, Ord:0165h    ;retrieve data from the username-key

:004011BA E8F9010000    Call 004013B8
* Possible StringData Ref from Data Obj ->" "

:004011BF 682B314000    push 0040312B
:004011C4 686B314000    push 0040316B     ;push the value in MagicValue on the stack
:004011C9 68AB314000    push 004031AB
:004011CE 6A00          push 00000000
* Possible StringData Ref from Data Obj ->"MagicValue"

:004011D0 68EB304000    push 004030EB
:004011D5 FF3543314000  push dword ptr [00403143]
* Reference To: ADVAPI32.RegQueryValueExA, Ord:0165h     ;retrieve data from the MagicValue-key

:004011DB E8D8010000    Call 004013B8
:004011E0 6A00          push 00000000
* Reference To: ADVAPI32.RegCloseKey, Ord:0145h          ;close the registrykeys

:004011E2 E8C5010000    Call 004013AC
:004011E7 E836000000    call 00401222
:004011EC FF75B0        push [ebp-50]


What does all this mean?
Well the function RegCreateKeyExA creates a key in the Windows registry or checks if a key is already there. In this case, it creates a key HKEY_LOCAL_MACHINE\Software\TrickSoft\fusS\Crackme05.
Then it tries to retrieve the value of 2 strings. These strings are UserName and MagicValue.
But they aren't there...

So, we have to create them. Create a registrykey UserName and a key MagicValue.
Press Start->Run-> type 'regedit'
Search the right directory (HKEY_LOCAL_MACHINE\Software\TrickSoft\fusS\Crackme05) and create 2 strings with the right names.

Now put your name in the string UserName. In the other string (MagicValue) put anything you want!
In this string we have to put the correct serial, but we don't have it yet...

Now this is done, we can load the program into SI. Put a breakpoint on CreateWindowExA. As the program breaks, press F12 three times. This is to let SI break on the third 'CreateWindowExA' which brings us a little closer to where we have to be in the code.
Now we start tracing...

We soon see a call to RegCreateKeyExA. We're now in the part of the code where the registrykey is created or checked (we already ran the program once)
We step further until we pass the call RegCloseKey. This is to close the registrykey again.
Next there is a call at address 4011E7. This call looked suspicious to me because it is right behind all the registry calls who read the values from the registrykeys.

Let's check out that call! (F8)
This is what we see:

:00401222 55            push ebp
:00401223 8BEC          mov ebp, esp
:00401225 684B314000    push 0040314B     ;push name on the stack
* Reference To: KERNEL32.lstrlenA, Ord:02E2h
:0040122A E871010000    Call 004013A0     ;C++ call to check the lenght of a string(name-string)
:0040122F 83F801        cmp eax, 00000001 ;cmp lenght with 1
:00401232 0F8EC4000000  jle 004012FC      ;if lower or equal ->jmp to bad-guy
:00401238 686B314000    push 0040316B     ;push serial in MagicValue on the stack
* Reference To: KERNEL32.lstrlenA, Ord:02E2h
:0040123D E85E010000    Call 004013A0     ;C++ call to check the lenght of a string(serial)
:00401242 83F800        cmp eax, 00000000 ;cmp lenght with 0
:00401245 0F84B1000000  je 004012FC       ;jmp if equal to 0
:0040124B 8D054B314000  lea eax, dword ptr [0040314B]
:00401251 33C9          xor ecx, ecx
:00401253 33DB          xor ebx, ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:00401267(U)

:00401255 8A18          mov bl, byte ptr [eax]     ;move letter eax to bl
:00401257 80FB00        cmp bl, 00                 ;cmp bl with 0
:0040125A 740D          je 00401269                ;if zero (no letter) jump out loop
:0040125C 8A7801        mov bh, byte ptr [eax+01]  ;move letter eax+1 to bh
:0040125F 0FAFDB        imul ebx, ebx              ;ebx * ebx
:00401262 03CB          add ecx, ebx               ;ecx=ecx+ebx
:00401264 33DB          xor ebx, ebx               ;ebx=0
:00401266 40            inc eax                    ;eax+1
:00401267 EBEC          jmp 00401255               ;jmp back to beginning of loop
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:0040125A(C)
         
:00401269 81C1E5B1BA00  add ecx, 00BAB1E5          ;ecx=ecx+BAB1E5h
:0040126F 33DB          xor ebx, ebx               ;ebx=0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:00401278(C)
         
:00401271 83C102        add ecx, 00000002          ;ecx=ecx+2
:00401274 43            inc ebx                    ;ebx+1
:00401275 83FB63        cmp ebx, 00000063          ;cmp ebx with 63
:00401278 75F7          jne 00401271               ;jmp to beginning of loop if not equal
:0040127A 69C9EFBEADDE  imul ecx, DEADBEEF         ;ecx=ecx*DEADBEEF
:00401280 81E9EFBEADDE  sub ecx, DEADBEEF          ;ecx=ecx-DEADBEEF
:00401286 8D1D48304000  lea ebx, dword ptr [00403048]
:0040128C 51            push ecx                   ;push value in ecx on the stack
* Possible StringData Ref from Data Obj ->"%d"
:0040128D 682F314000    push 0040312F
:00401292 688B314000    push 0040318B
* Reference To: USER32.wsprintfA, Ord:02A5h        ;termination character at end of string
:00401297 E8F2000000    Call 0040138E 
:0040129C 83C40C        add esp, 0000000C
:0040129F 688B314000    push 0040318B 
* Reference To: KERNEL32.lstrlenA, Ord:02E2h       ;check stringlenght
:004012A4 E8F7000000    Call 004013A0
:004012A9 8D1D8B314000  lea ebx, dword ptr [0040318B]
:004012AF 03D8          add ebx, eax
:004012B1 C6032D        mov byte ptr [ebx], 2D
:004012B4 43            inc ebx
* Possible StringData Ref from Data Obj ->"[TS]"
:004012B5 6832314000    push 00403132
:004012BA 53            push ebx
* Reference To: KERNEL32.lstrcpyA, Ord:02DCh       ;copy string[TS] to the buffer
:004012BB E8DA000000    Call 0040139A 
:004012C0 688B314000    push 0040318B
:004012C5 686B314000    push 0040316B
* Reference To: KERNEL32.lstrcmpA, Ord:02D6h       ;cmp MagicValue with correct serial
:004012CA E8C5000000    Call 00401394
:004012CF 83F800        cmp eax, 00000000          ;cmp eax with 0
:004012D2 7514          jne 004012E8               ;if eax is not 0 -->jump to bad-guy
* Possible StringData Ref from Data Obj ->"Congratulations! Please send me "
->"your solution =)"
         
:004012D4 68F6304000    push 004030F6
:004012D9 FF353F314000  push dword ptr [0040313F]
* Reference To: USER32.SetWindowTextA, Ord:0259h
         
:004012DF E892000000    Call 00401376
:004012E4 C9            leave
:004012E5 C20400        ret 0004

      
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:004012D2(C)
         

      
* Possible StringData Ref from Data Obj ->" Unregistered"

:004012E8 683A304000    push 0040303A
:004012ED FF353F314000  push dword ptr [0040313F]

      
* Reference To: USER32.SetWindowTextA, Ord:0259h
 
:004012F3 E87E000000    Call 00401376
:004012F8 C9            leave
:004012F9 C20400        ret 0004

      


        I hope you where able to follow me until here. It is quite some code, 
        but it is easy to understand I think (certainly if you have some C++ programming 
        knowledge)

        Well, all this part of the code does is calculate a serial. It stores 
        this serial at address 40316B. Then it compares our serial with the correct 
        serial at address 40318B.

        If they are equal call SetWindowTextA and put 'Congratulations!' on the 
        screen.

      
Well, that's it. We only have to look at address 40318B where the 2 addresses 
        are compared and put this value in the MagicValue-key in the registry. 
        

        It worked for me! 

      
UserName "Miele"

        MagicValue "241897850-[TS]

      


        Well that was it! I know I described the routine very brief, but it is 
        fairly easy so there shouldn't be too much problems.

      
If you have any questions of if you see a mistake in this tutorial, mail 
        me @ michiel_dg@hotmail.com 
        or leave me a message at the forum. I'll probably add a tutorial on how 
        to make a keygen for this crackme too!

    		
  

  
 
     
      
Back to Tutorials