*****************************************************************************************
                                  TazManian CrackMe #1
*****************************************************************************************

Author:     TazManian
Protection: Name / Serial
URL:        http://snacker.rizzah.com/crackmes/azCrackme1.zip
Tools:      SoftICE V4.05

---> Intro...

Welcome to my next Tutorial !!!
This is a simple CrackMe with one little kind of bug in the Algo ;)
First I'm going to sniff the Serial, then I'll patch it.

---> Let's Begin...

Open the CrackMe and you'll be asked to enter a Name and Serial. I've used:

Name:   CoDe_InSiDe
Serial: 1234567890

Now press (CTRL+D) to get into SoftICE and type "bpx hmemcpy" followed by "Enter".
Then press (CTRL+D) again to get out of SoftICE, and then press the button "Registrar".
SoftICE should pop up. First type "BC *" to clear the breakpoint, then press (F12) 12 times
and you'll see this:

-----------------------------------------------------------------------------------------
:00441560 8B45F8           mov eax, dword ptr [ebp-08]  <--- EAX now points to our Name
:00441563 E8E025FCFF       call 00403B48                <--- In here it gets the length of our Name
:00441568 83F805           cmp eax, 00000005            <--- Compare our length with 00000005
:0044156B 0F8C93000000     jl 00441604                  <--- If lower we jump and fail, else continue
:00441571 8B45F8           mov eax, dword ptr [ebp-08]  <--- EAX now points to our Name
:00441574 E8CF25FCFF       call 00403B48                <--- In here it gets the length of our Name
:00441579 8BF0             mov esi, eax                 <--- Move EAX (the length) into ESI
:0044157B 85F6             test esi, esi                <--- Test if ESI is 00
:0044157D 7E2B             jle 004415AA                 <--- If equal or lower we jump and fail, else continue
:0044157F BF01000000       mov edi, 00000001            <--- Move 00000001 into EDI (our Char index)
-----------------------------------------------------------------------------------------

Ok, in here it simply checks if our Name is less than 5 Chars. If it is, we jump and fail;
else we continue into the Algo and you'll see this:

-----------------------------------------------------------------------------------------
:00441584 8B45F8           mov eax, dword ptr [ebp-08]        <--- EAX now points to our Name
:00441587 E8BC25FCFF       call 00403B48                      <--- In here it gets the length of our Name
:0044158C 8B55F8           mov edx, dword ptr [ebp-08]        <--- EDX now points to our Name
:0044158F 0FB6543AFF       movzx edx, byte ptr [edx+edi-01]   <--- Move the Char at position EDI into EDX
:00441594 8D1452           lea edx, dword ptr [edx+2*edx]     <--- EDX = EDX + 2*EDX (so 3 * Char)
:00441597 F7EA             imul edx                           <--- Multiply EDX with EAX (the length), low 32 bits in EAX
:00441599 03C0             add eax, eax                       <--- ADD EAX with EAX
:0044159B 8D0480           lea eax, dword ptr [eax+4*eax]     <--- EAX = EAX + 4*EAX (so 5 * EAX)
:0044159E 69D814860000     imul ebx, eax, 00008614            <--- Multiply 00008614 with EAX and put the result in EBX
:004415A4 03DB             add ebx, ebx                       <--- ADD EBX with EBX
:004415A6 47               inc edi                            <--- EDI +1
:004415A7 4E               dec esi                            <--- ESI -1
:004415A8 75DA             jne 00441584                       <--- If ESI is not 00 we jump and repeat the loop, else continue
-----------------------------------------------------------------------------------------

Ok, so here's the Algo, let me show you what it does:

First it moves the length of our Name into EAX (in my case it's 0000000B)
Then it moves the first Char into EDX (in my case it's C = 43 hex)
Then it computes 43+2*43 into EDX (result in EDX = 000000C9)
And then it multiplies EDX (000000C9) with EAX (0000000B), result = 000008A3 in EAX
Then it ADDs 000008A3 with 000008A3, result in EAX = 00001146
Then it computes 00001146+4*00001146 into EAX, result = 0000565E
And then it multiplies 00008614 with 0000565E and puts the result in EBX = 2D3BF358
Then it finally ADDs EBX with EBX, result in EBX is now = 5A77E6B0
Increase EDI
Decrease ESI
Repeat loop if ESI isn't 00000000

Ok, like I mentioned above, there's a little bug in this Algo (or he did it on purpose :)
If you pay close attention to the Algo you'll see that EBX is overwritten on every pass of the loop
and nothing from the previous pass is carried along, so in the end it only calculates the last Char
of our Name (together with the length). And the final result is stored in EBX.

Let's see what's next:

-----------------------------------------------------------------------------------------
:004415AA 8D55F8           lea edx, dword ptr [ebp-08]  <--- Point EDX to some space for our "Real" Serial
:004415AD 8BC3             mov eax, ebx                 <--- Move EBX into EAX
:004415AF E85464FCFF       call 00407A08                <--- And here it makes our "Real" Serial with wsprintfA
:004415B4 8B45F8           mov eax, dword ptr [ebp-08]  <--- EAX now points to our "Real" Serial
:004415B7 80382D           cmp byte ptr [eax], 2D       <--- Compare the first Char with "2D" (-) (is it a negative value?)
:004415BA 7506             jne 004415C2                 <--- If not equal we jump and skip the next three instructions, else continue
:004415BC 8BC3             mov eax, ebx                 <--- Move EBX into EAX
:004415BE F7D8             neg eax                      <--- Negate EAX (two's complement), so the value becomes positive
:004415C0 8BD8             mov ebx, eax                 <--- Move EAX back into EBX
-----------------------------------------------------------------------------------------

Ok, so in here it makes our "Real" Serial with wsprintfA. Then it checks if the first Char is "2D" (-)
to see if it's a negative value. If so, it negates the value in EAX and puts it back in EBX.
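To make the bug easy to see, here is the whole Name/Serial check rebuilt in Python. This is an added example written for this page, not code from the CrackMe or from TazManian, and not the routine at 00407A08. It follows the instructions listed above one by one, does every step as 32-bit arithmetic like the CPU, and assumes (from the "2D" check) that 00407A08 prints EBX as a signed decimal number. All function names are my own.

```python
# Reimplementation of the TazManian CrackMe #1 serial check (added example,
# not the CrackMe's own code). Mirrors the loop at 00441584 and the
# sign handling at 004415B4, so the "last Char only" bug can be observed.

MASK32 = 0xFFFFFFFF


def to_signed32(value):
    """Interpret a 32-bit register value as a signed number (what 00407A08 prints)."""
    value &= MASK32
    return value - (1 << 32) if value & 0x80000000 else value


def loop_step(char_code, name_len):
    """One pass of the loop at 00441584 for one character.

    Returns the EBX value this pass leaves behind. Note that it does not
    take the previous EBX as input: the loop never does either.
    """
    edx = (char_code + 2 * char_code) & MASK32   # lea edx,[edx+2*edx]   -> 3*Char
    eax = (edx * name_len) & MASK32              # imul edx              -> low 32 bits of 3*Char*len
    eax = (eax + eax) & MASK32                   # add eax,eax
    eax = (eax + 4 * eax) & MASK32               # lea eax,[eax+4*eax]
    ebx = (eax * 0x8614) & MASK32                # imul ebx,eax,00008614
    return (ebx + ebx) & MASK32                  # add ebx,ebx


def final_ebx(name):
    """Run the loop over every Char; EBX is simply overwritten each pass."""
    ebx = 0
    for ch in name.encode("latin-1"):
        ebx = loop_step(ch, len(name))
    return ebx


def real_serial(name):
    """The serial string the CrackMe builds for a Name, or None if the Name fails the length check."""
    if len(name) < 5:                      # cmp eax,5 / jl fail
        return None
    value = to_signed32(final_ebx(name))
    if value < 0:                          # first Char would be "2D" (-): neg eax
        value = to_signed32(-value)        # neg of 80000000 stays 80000000, same as the CPU
    return str(value)


def check(name, serial):
    """True when the entered Serial matches what the CrackMe computes (the compare at 004415E5)."""
    expected = real_serial(name)
    return expected is not None and expected == serial


if __name__ == "__main__":
    # Constructed demo input: the Name used in this Tutorial.
    print(real_serial("CoDe_InSiDe"))
    # Same length, same last Char, completely different Name: same Serial.
    print(real_serial("x" * 10 + "e"))
    # The first pass of the loop for 'C' and length 0B, as traced above.
    print(hex(loop_step(ord("C"), 11)))
```

Running it shows the weakness directly: any two Names of the same length that end in the same Char get the same Serial, so the "registration" really only ties the Serial to two bytes of information.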
Let's see what's next:

-----------------------------------------------------------------------------------------
:004415C2 8D55F4           lea edx, dword ptr [ebp-0C]
:004415C5 8B45FC           mov eax, dword ptr [ebp-04]
:004415C8 8B80DC020000     mov eax, dword ptr [eax+000002DC]
:004415CE E8610CFEFF       call 00422234
:004415D3 8B45F4           mov eax, dword ptr [ebp-0C]  <--- Point EAX to our "Fake" Serial
:004415D6 50               push eax                     <--- Save EAX
:004415D7 8D55F0           lea edx, dword ptr [ebp-10]
:004415DA 8BC3             mov eax, ebx                 <--- Move EBX into EAX
:004415DC E82764FCFF       call 00407A08                <--- And here it makes our "Real" Serial again, but this time positive
:004415E1 8B55F0           mov edx, dword ptr [ebp-10]  <--- EDX now points to our "Real" Serial
:004415E4 58               pop eax                      <--- Pop EAX (EAX points to our "Fake" Serial)
:004415E5 E86E26FCFF       call 00403C58                <--- And here it compares EAX with EDX
:004415EA 7518             jne 00441604                 <--- If not equal we jump, skip the Message Box and fail, else continue
-----------------------------------------------------------------------------------------

Ok, no need for a big explanation ;)
Here it simply compares our "Fake" Serial with the "Real" Serial (made positive if it was negative).

Well, to patch this CrackMe you need to change the "jne 00441604" into nothing (NOP it: "9090").
I think you know how to do that...

That's all :)

---> Greetings...

Everybody from TrickSoft (www.TrickSoft.net)
Everybody from Cracking4Newbies (www.Cracking4Newbies.com)
Everybody from Keygenning4Newbies (Keygenning4Newbies.cjb.net)
And You...

Don't trust the Outside, trust the InSiDe !!!

Cya...

CoDe_InSiDe
Email: code.inside@home.nl