╔═══════════════════════════════════════════════════════════════════════════════════════════════╗
║                                       CrackMe 1 by MM@                                        ║
╚═══════════════════════════════════════════════════════════════════════════════════════════════╝

This Tutorial is best viewed in Terminal font :)

Tools: W32Dasm v8.93
       Hex Editor (Can be anything as long as it can search for "strings" ;)

This CrackMe doesn't need much explanation because it's a very easy one :)
The first time I checked the CrackMe, I used SoftICE. But I'm not in the mood right now to explain
the stuff from SoftICE in this Tutorial ;) So I'm going to use W32Dasm + Hex Editor (It's also
faster to explain).

Let's Begin.

As always we first run the CrackMe to see what's going on. Open the CrackMe and we'll see a nice
(Familiar?) Delphi window :) Press the button "Check" to find any kind of clues, and we'll get a
Message Box saying:

   Mm_crackme1
   You have to type the correct serial STUPID!!

Take it easy, I'm just exploring a little bit ;) Ok, type some kind of fake Serial in the Editbox
and press "Check" again, now we'll get:

   Mm_crackme1
   Nope, wrong serial

Ah ok, so we may not leave the first text in the Editbox ;) Remember the second error message
(Nope, wrong serial) and close/exit the CrackMe. Now open up W32Dasm and disassemble this CrackMe
(It can take a few seconds/minutes). When the disassembly is done click on
"Refs/String Data References" or on the little button at the top which says "Strn Ref" ;)
Ok, and now we're going to search for that error message . . . . . . . Ah! found it! :)
When you've found it, double click on it and we'll be taken to the correct (Or should I say wrong?)
place. Hmm... look a little up, do you notice a nice "readable" line there? ;) It reads
"Well Done". That sounds good, no? :) If you scroll a few lines up (Actually 1 line is enough ;)
then you can see the typical Delphi way of comparing 2 strings :)
You should see this piece of Code now:

-------------------------------------------------------------------------------------------------
:0044464F 8B45F8                  mov eax, dword ptr [ebp-08]   - Probably fake typed serial.

* Possible StringData Ref from Code Obj ->"..sd..f"
                                  |
:00444652 BA08474400              mov edx, 00444708             - Probably the good serial :)
:00444657 E814F6FBFF              call 00403C70                 - Compare these 2 strings.
:0044465C 750C                    jnz 0044466A                  - If not equal jump to Bad Boy.

* Possible StringData Ref from Code Obj ->"Well Done"
                                  |
:0044465E B850474400              mov eax, 00444750             - Good Boy Message.
:00444663 E80CF9FFFF              call 00443F74
:00444668 EB0A                    jmp 00444674

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044465C(C)
|

* Possible StringData Ref from Code Obj ->"Nope, wrong serial"
                                  |
:0044466A B864474400              mov eax, 00444764             - Bad Boy Message.
:0044466F E800F9FFFF              call 00443F74
-------------------------------------------------------------------------------------------------

For most people this stuff looks familiar I think ;) So the right Serial should be: ..sd..f
Ok, close W32Dasm and run the CrackMe again. Now type this newly found Serial in the Editbox and
press "Check", we get this:

   Mm_crackme1
   Nope, wrong serial

Not good ;) Now we need our Hex Editor (Or any kind of string searcher). Because "..sd..f" isn't
the complete serial (I already know that of course, I cracked it before heh ;). So open the CrackMe
in your "String Searcher" and uhm... search for that string :) And you'll find this big/weird
string:

   ..sd..f~}{:.@....?......>?^&*(..)*&&^^.%.$£".."d.d..d.d.d.a].

And now try to enter this string in the Editbox and press "Check". Guess what? Yeah you got the
correct Serial hehe ;)

Ok, that's all I need to tell about this CrackMe, one weird thing was that this Serial (And the
compare routine) appears twice in the CrackMe. I don't know if it has any purpose and I also don't
want to figure that out now, so I'll leave that up to you :P
Maybe it holds some secret stuff......(Katjing!)

--- Comments

Not much to say, just again the same/familiar HardCoded Serial Routine ;))
Hmm... maybe I should still check that second Compare stuff.....
Nah, I don't wanna (CoDe_ cries)...grr... waf! waf!

--- Greetings

Of course MM@ for this CrackMe (That's your real nick right? ;)
And of course: "Everyone I know and everyone who knows me !!!"

Don't trust the Outside, Trust the InSiDe !!!

Cya...

CoDe_InSiDe

Homepage:       http://members.home.nl/code.inside
Unpacking page: http://www.lunarpages.com/codeinside
Email:          code.inside@home.nl
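
Added example (not part of the original tutorial and not the CrackMe's own code): a Python sketch of
the string search done above with the hex editor, run over a constructed byte image, next to a check
that ships only a salted PBKDF2 digest so the serial never appears as a literal. SERIAL, SALT, the
image bytes and all function names are assumptions made up for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample data: SERIAL is a made-up value, not the CrackMe's serial.
SERIAL = b"EXAMPLE-SERIAL-0001"
CODE = bytes.fromhex("8b45f8ba08474400") + b"\x00" * 8  # opcode bytes as in the listing, zero padding
MESSAGES = b"\x00Well Done\x00Nope, wrong serial\x00"

# Variant 1: the serial ships as a plain literal, as in the tutorial's target.
IMAGE_PLAIN = CODE + SERIAL + MESSAGES

# Variant 2: only a salt and a PBKDF2 digest ship (values constructed here).
SALT = bytes.fromhex("f0e1d2c3b4a5968788f9eadbccbdae9f")
ROUNDS = 100_000
DIGEST = hashlib.pbkdf2_hmac("sha256", SERIAL, SALT, ROUNDS)  # computed at build time
IMAGE_HASHED = CODE + SALT + DIGEST + MESSAGES


def printable_runs(image, min_len=6):
    """Return (offset, text) for every run of printable ASCII of at least min_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(image)]


def check_plain(typed):
    """Direct comparison against the embedded literal (the pattern in the listing)."""
    return typed == SERIAL


def check_hashed(typed):
    """Derive the digest from the typed value and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", typed, SALT, ROUNDS)
    return hmac.compare_digest(candidate, DIGEST)


def serial_visible(image):
    """True if the serial can be read straight out of the image by a string search."""
    return any(SERIAL.decode("ascii") in text for _, text in printable_runs(image))


if __name__ == "__main__":
    for name, image in (("plain", IMAGE_PLAIN), ("hashed", IMAGE_HASHED)):
        print(name, "serial visible:", serial_visible(image))
        for offset, text in printable_runs(image):
            print("  0x%04x  %s" % (offset, text))
```

Hashing only takes the literal out of the image; the result of the check still feeds one conditional
jump like the jnz in the listing.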