╔══════════════════════════════════════╗
║         [v0!d] CrackMe v0.02         ║
╚══════════════════════════════════════╝

This Tutorial is best viewed in Terminal font :)

Ah, another CrackMe ;)

Ok, according to the Readme from this CrackMe we only need to find a Serial. No Patching allowed, and you need to write a Tutorial. Well, I think that's what I'm doing now, doh! ;) Oh yeah, and the fourth point is "Keygen is optional", hehe, no Keygen needed. You can make a Keygen, but then you need to code a random Key generator; I actually don't see the point in that kind of Keygen so I'm not going to do it (it's optional...) ;)

So let's start the CrackMe and we see a nice little window with one EditBox and 2 Buttons. Now press the "Check" button... Hmm... ok, nothing happens :P Fill in some Serial and get into SoftICE (CTRL+D). Now put a Breakpoint on "GetDlgItemTextA" (bpx GetDlgItemTextA). Get out of SoftICE (X [enter]) or (CTRL+D) or (F5) and press the "Check" button. SoftICE should pop up and we're now inside the GetDlgItemTextA Code :) Press (F11) to get out of that Code and you should land looking at this piece of Code:

00401169 call [USER32!GetDlgItemTextA]
0040116F push 00405030               <- Here we are (00405030 = Offset of our Serial).
00401174 call 00401000               <- Serial checking routine.
00401179 add esp, 04                 <- Clean the pushed argument off the stack.
0040117C mov [004056A0], eax         <- Save the returned value.
00401181 test eax, eax               <- EAX == 00 ?
00401183 jz 004011BC                 <- Yes: jump to BadBoy, else continue to GoodBoy.
00401185 mov edx, [00405698]
0040118B push 40                     <-\
0040118D push 00405160                 |
00401192 push 00405130                 | GoodBoy Message Box :)
00401197 push edx                      |
00401198 call [USER32!MessageBoxA]   <-/
0040119E mov eax, 00000001
004011A3 ret 0010

Ok, this looks like simple Patching Code (one jz to change), but remember, we may not Patch this CrackMe.
Argh, too bad ;) Enter the "call 00401000" instruction with (F8) and you should face the following Code:

00401000 push ebx
00401001 push ebp
00401002 mov ebp, [esp+0C]           <- Move the Serial Offset into EBP.
00401006 push esi
00401007 push edi
00401008 mov edi, ebp
0040100A or ecx, -01                 <- Prepare ECX for scanning (ECX = FFFFFFFF).
0040100D xor eax, eax                <- EAX == 00, means search for the 00 character.
0040100F repnz scasb                 <- Scan the Serial string for its size till 00 is found.
00401011 not ecx                     <- Make it a positive value ;)
00401013 dec ecx                     <- Don't include the 00 character.
00401014 cmp ecx, 10                 <- Compare ECX (Serial size) with 10h (16 Dec).
00401017 jnz 004010B0                <- If not equal, jump to the end: 00 return value.

This is an important part, because in this piece of Code we can see that our Serial needs to be 10h Bytes long (16 Decimal). If it's more or less than 10h we jump to the end of the Serial checking routine, 00000000 is moved into EAX and we return from the call, and there it checks whether we succeeded or failed (check the listing at the top) ;)

Now the Serial size check will probably fail (unless you entered a Serial of 16 chars). If it fails, run the CrackMe again and enter a Serial of 16 chars, use the same Breakpoint and return to this place :) After this check you see the following "Char Checking Code":

0040101D mov bl, [ebp+00]            <- Move the first char/number into BL.
00401020 xor esi, esi                <- ESI == 00.
00401022 mov dl, 30                  <- Move 30 (0) into DL.
00401024 test bl, bl                 <- BL == 00 ?
00401026 jz 0040103E                 <- Jump to the next number check, else continue.
00401028 mov al, bl                  <- AL = BL.
0040102A mov ecx, ebp                <- ECX = EBP (ECX now points to the Serial).
0040102C cmp dl, al                  <- Compare AL with DL.
0040102E jnz 00401031                <- Not equal: skip the next instruction, else continue.
00401030 inc esi                     <- Increase ESI.
00401031 cmp esi, 06                 <- ESI == 06 ?
00401034 jge 004010B0                <- If equal or greater, jump and we fail.
00401036 mov al, [ecx+01]            <- Move the next char/number into AL.
00401039 inc ecx                     <- Increase the pointer in ECX.
0040103A test al, al                 <- AL == 00 ?
0040103C jnz 0040102C                <- If not equal, repeat the check again.
0040103E xor esi, esi                <- ESI == 00.
00401040 inc dl                      <- Increase DL (DL is now 31 (1)).
00401042 cmp dl, 39                  <- Compare 39 (9) with DL.
00401045 jle 00401024                <- Repeat this process if lower or equal than 39.

This is a funny little routine :) To put it very simply, what the routine does: it checks that your Serial doesn't contain any number (0-9) that appears 6 or more times. If one does appear 6 or more times we fail, else it's alright and we go on ;) I'm talking about "char/number" because you can enter any char/number you want ;) But let's continue with only numbers.

Now we come to the real Serial checking. There are 3 little stages; let's look at the first stage:

00401047 movsx eax, [ebp+03]         <- Move the 4th number into EAX.
0040104B movsx ecx, [ebp+02]         <- Move the 3rd number into ECX.
0040104F movsx edx, [ebp+01]         <- Move the 2nd number into EDX.
00401053 add eax, ecx                <- Add ECX to EAX.
00401055 movsx ecx, bl               <- Move BL into ECX (BL == the 1st number).
00401058 add eax, edx                <- Add EDX to EAX.
0040105A lea edx, [ecx+eax-00C0]     <- EDX = ECX+EAX-00C0
00401061 cmp edx, 16                 <- Compare 16 with EDX.
00401064 jnz 004010B0                <- If not equal we fail, else on to stage 2.

Ok, it's very simple ;) As you can see, it uses the first four numbers from our Serial. Add all those numbers together (movsx loads the ASCII code of each digit, so "5" is 35h) and subtract 00C0 from the total, and we must have a value of 16 in EDX as result :) So just reverse the procedure. We have 16 as result. Add 00C0 to 16, which is: 000000D6. Now you may think "but how are we going to reverse the instruction Add?". Well, the opposite of Add is Sub, but that won't help us :P It adds four numbers to get the value D6. So just divide D6 by 4 :)

D6 / 4 = 35 (5)

When I found the 5 I entered them in my Serial and checked it again, but it wasn't good ;) And you know why? Because: 35+35+35+35 *ISN'T* D6, it's D4 :P So to make this check correct we need to make 2 of these four numbers 1 higher.
Now we have the first four numbers for our Serial: 5665. Ok, you can also put in some different numbers than "5" and "6", but the result must be D6 ;) Ok, enough crap about this, I think you (no, you should) understand now what I mean !!! ;P Err... so I first drew on a little piece of paper this uhm... structure ;)

00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F   (16 Decimal)
 5  6  6  5

Now I could draw exactly what is what, hehe ;) *ahem* let's continue to the next stage, stage 2:

00401066 movsx eax, [ebp+0D]         <- Move the 14th number into EAX.
0040106A movsx ecx, [ebp+0A]         <- Move the 11th number into ECX.
0040106E movsx edx, [ebp+07]         <- Move the 8th number into EDX.
00401072 add eax, ecx                <- Add ECX to EAX.
00401074 movsx ecx, [ebp+04]         <- Move the 5th number into ECX.
00401078 add eax, edx                <- Add EDX to EAX.
0040107A lea edx, [ecx+eax-00C0]     <- EDX = ECX+EAX-00C0
00401081 cmp edx, 1E                 <- Compare 1E with EDX.
00401084 jnz 004010B0                <- If not equal we fail, else on to stage 3.

Well, same story as above, but now we use the numbers 5, 8, 11, 14 :) We have 1E as result. Add 00C0 to 1E, which is: 000000DE.

DE / 4 = 37 (7)
37 + 37 + 37 + 37 = DC, so 2 numbers +1 ;) Let's take 7887.

So now we've got for our Serial:

00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F   (16 Decimal)
 5  6  6  5  7        8        8        7

On to stage 3:

00401086 movsx eax, [ebp+0F]         <- Move the 16th number into EAX.
0040108A movsx ecx, [ebp+0C]         <- Move the 13th number into ECX.
0040108E movsx edx, [ebp+09]         <- Move the 10th number into EDX.
00401092 add eax, ecx                <- Add ECX to EAX.
00401094 movsx ecx, [ebp+06]         <- Move the 7th number into ECX.
00401098 add eax, edx                <- Add EDX to EAX.
0040109A lea edx, [ecx+eax-00C0]     <- EDX = ECX+EAX-00C0
004010A1 cmp edx, 09                 <- Compare 09 with EDX.
004010A4 jnz 004010B0                <- If not equal we fail, else we win ;)

Now the numbers 7, 10, 13, 16. 09 as result.
Add 00C0 to 09, which is: 000000C9.

C9 / 4 = 32 (2)
32 + 32 + 32 + 32 = C8, so 1 number +1, let's take 2232.

And now we've got our whole Serial:

00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F   (16 Decimal)
 5  6  6  5  7     2  8     2  8     3  7     2

After this final stage it moves 01 into EAX if we were successful, else it moves 00 into EAX. As you can see there are 4 numbers unknown, but the CrackMe doesn't care what they are, so just fill something in, but remember that there may only be a maximum of 5 of each number (0-9). So my final Serial will be:

Serial = 5665712812843762 ;)

Enter this Serial and we get a Message Box saying: GOOD JOB! - CRACKED!

Well, that says enough I think ;) Ok, this Tutorial has ended ;)

- The End -

Funny small CrackMe :) I hope that I've explained it very well and that you liked reading this Tutorial. Well, on to the next CrackMe...

- GreEetS -

I'd like to thank [v0!d] for this CrackMe and everyone else I know :)

Don't trust the Outside, Trust the InSiDe !!!

Cya...

CoDe_InSiDe
Email: code.inside@home.nl
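As an added example, not part of CoDe_InSiDe's tutorial and not the CrackMe's own source, here is the complete routine at 00401000 rewritten in C from the disassembly above (length check, the 6-or-more-times digit check, and the three movsx/add/lea stages), together with the per-stage arithmetic the tutorial does by hand: add 00C0 back to the compared value, divide by four, and raise as many digits by one as the remainder demands. The function names (check_serial, stage_digits, build_serial) and the filler digits for the four unchecked positions are my own constructed choices.

```c
#include <stdio.h>
#include <string.h>

/* Added example: C re-implementation of the serial check at 00401000,
 * written from the disassembly in the tutorial (not the CrackMe's own source).
 * Function names are assumptions made for this example. */

#define SERIAL_LEN 0x10   /* cmp ecx, 10 : exactly 16 characters */

/* One stage: movsx four serial bytes, add them, lea edx,[ecx+eax-0C0h]. */
static int stage_value(const char *s, int a, int b, int c, int d)
{
    return (signed char)s[a] + (signed char)s[b]
         + (signed char)s[c] + (signed char)s[d] - 0xC0;
}

/* Returns 1 (EAX = 1, GoodBoy) or 0 (EAX = 0, BadBoy). */
int check_serial(const char *serial)
{
    /* repnz scasb / not ecx / dec ecx / cmp ecx, 10 */
    if (strlen(serial) != SERIAL_LEN)
        return 0;

    /* 0040101D..00401045: for DL = '0'..'9' count the matches in ESI and
     * fail as soon as ESI reaches 6 */
    for (char dl = '0'; dl <= '9'; dl++) {
        int esi = 0;
        for (const char *ecx = serial; *ecx; ecx++)
            if (*ecx == dl && ++esi >= 6)
                return 0;
    }

    /* stage 1: bytes 0,1,2,3 -> 16h; stage 2: bytes 4,7,10,13 -> 1Eh;
     * stage 3: bytes 6,9,12,15 -> 09h */
    if (stage_value(serial, 0, 1, 2, 3) != 0x16) return 0;
    if (stage_value(serial, 4, 7, 10, 13) != 0x1E) return 0;
    if (stage_value(serial, 6, 9, 12, 15) != 0x09) return 0;
    return 1;
}

/* The tutorial's hand derivation for one stage: add 0C0h back to the compared
 * value, divide by four, then raise (total % 4) of the digits by one so the
 * four ASCII codes really sum to the total. Writes 4 digit characters.
 * Assumes base and base+1 stay within '0'..'9', which holds for 16h/1Eh/09h. */
void stage_digits(int target, char out[4])
{
    int total = target + 0xC0;   /* e.g. 16h + 0C0h = 0D6h */
    int base  = total / 4;       /* 0D6h / 4 = 35h = '5' */
    int rem   = total % 4;       /* 4 * 35h = 0D4h, so two digits get +1 */
    for (int i = 0; i < 4; i++)
        out[i] = (char)(base + (i < rem ? 1 : 0));
}

/* Assemble a 16-char serial the way the table in the tutorial does.
 * Positions 5, 8, 11, 14 are never checked; their digits are constructed. */
void build_serial(char out[17])
{
    static const int pos[3][4]  = { {0, 1, 2, 3}, {4, 7, 10, 13}, {6, 9, 12, 15} };
    static const int target[3]  = { 0x16, 0x1E, 0x09 };
    char d[4];

    memset(out, '0', SERIAL_LEN);
    out[SERIAL_LEN] = '\0';
    for (int s = 0; s < 3; s++) {
        stage_digits(target[s], d);
        for (int i = 0; i < 4; i++)
            out[pos[s][i]] = d[i];
    }
    out[5] = '1'; out[8] = '4'; out[11] = '6'; out[14] = '9';
}

int main(void)
{
    char serial[17];
    build_serial(serial);
    printf("%s -> %s\n", serial,
           check_serial(serial) ? "GOOD JOB! - CRACKED!" : "bad");
    /* sixteen zeros: right length, but '0' appears 6 or more times */
    printf("0000000000000000 -> %s\n",
           check_serial("0000000000000000") ? "good" : "bad");
    return 0;
}
```

Reading the routine side by side with this C makes the two things the tutorial found explicit: the stage sums operate on ASCII codes, not digit values (hence the 00C0 bias), and the "6 or more times" check runs before any stage, so a serial can have correct sums and still fail it.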