******************************************************************************
                                  CrackMe #2
******************************************************************************

Author:     n0p3x
Protection: Name / Serial
URL:        http://www.phrozencrew.co.uk/crackme2.zip
Tools:      SoftICE V4.05
            W32Dasm V8.93
            Hex-Editor

---> Intro...

Welcome to my next Tutorial !!!
This time a little CrackMe from n0p3x, a very easy one ;)
We've got two objectives:

1. Remove the NAG
2. Find a valid Serial for your Name

---> Let's Begin... (Part 1 - Remove the NAG)

Open the CrackMe and you'll get a Message Box (the NAG) saying:
"This is a shareware version, blah, blah, please pay me, blah, blah"
Hehe ;)
Now click "Ok" and you'll get into the main window, but we need to remove the NAG first, so press the button "Exit" and open the CrackMe in W32Dasm.
Then click on "Strn Ref" (String Data References) and double click on the line:
"This is a shareware version, blah,"
And you'll see this:

------------------------------------------------------------------------------
:004011B1 55                      push ebp
:004011B2 8BEC                    mov ebp, esp
:004011B4 6A10                    push 00000010                 <--- Here we'll patch it into a "jmp"

* Possible StringData Ref from Data Obj ->"Nag Nag Nag!"
                                  |
:004011B6 688C214000              push 0040218C

* Possible StringData Ref from Data Obj ->"This is a shareware version, blah, "
                                        ->"blah, please pay me, blah, blah"
                                  |
:004011BB 6849214000              push 00402149
:004011C0 6A00                    push 00000000

* Reference To: USER32.MessageBoxA, Ord:0000h
                                  |
:004011C2 E8DF030000              Call 004015A6
:004011C7 6A00                    push 00000000
:004011C9 68EC104000              push 004010EC
:004011CE 6A00                    push 00000000

* Possible Reference to Dialog: DialogID_0001
                                  |
:004011D0 6A01                    push 00000001
:004011D2 FF7508                  push [ebp+08]

* Reference To: USER32.DialogBoxParamA, Ord:0000h
                                  |
:004011D5 E8C0030000              Call 0040159A
:004011DA 33C0                    xor eax, eax
:004011DC 5D                      pop ebp
:004011DD C21000                  ret 0010
------------------------------------------------------------------------------

Ok, as you'll probably notice this process isn't called from anywhere :)
W32Dasm is just too stupid to show that; of course it has been called from somewhere, it's not the OEP ;)
Anyway we're going to jump over the Message Box. You can NOP out the whole Message Box process but that's too lame ;)
The Message Box process starts at "6A10", offset 004011B4. So we're going to replace "6A10" with "EB11" (jmp).
Why "11" ??? Just count the opcodes after "6A10" (which will be "EB11", the same size) till you're after the "Call MessageBoxA" :)
I assume you know how to change this in your Hex-Editor, otherwise read my previous Tutorials ;)
On to the next Part.

---> Let's Begin... (Part 2 - Find a valid Serial for your Name)

Open the CrackMe (if you've done everything right there's no NAG this time ;) and fill in something. I've used:

Name:   CoDeInSiDe   ---> you can only use 10 chars, so I couldn't use CoDe_InSiDe :(
Serial: 1234567890

Then get into SoftICE (CTRL+D) and type "bpx hmemcpy" followed by "enter", then get out of SoftICE (CTRL+D) and press the button "Ok", and SoftICE should pop up.
Now type "BC *" to clear the breakpoint and press (F12) 9 times and you'll see this:

------------------------------------------------------------------------------
:00401182 6A0B                    push 0000000B
:00401184 8D4DF4                  lea ecx, dword ptr [ebp-0C]
:00401187 51                      push ecx

* Possible Reference to Dialog: DialogID_0001, CONTROL_ID:0067, ""
                                  |
:00401188 6A67                    push 00000067
:0040118A FF7508                  push [ebp+08]

* Reference To: USER32.GetDlgItemTextA, Ord:0000h
                                  |
:0040118D E8FC030000              Call 0040158E
:00401192 8D45F4                  lea eax, dword ptr [ebp-0C]   <--- EAX now points to our "Fake" Serial
:00401195 50                      push eax                      <--- Save EAX
:00401196 8D55E8                  lea edx, dword ptr [ebp-18]   <--- EDX now points to our Name
:00401199 52                      push edx                      <--- Save EDX
:0040119A E8DDFEFFFF              call 0040107C                 <--- Check this CALL
------------------------------------------------------------------------------

Ok, now get into the "CALL 0040107C" and you'll see this:

------------------------------------------------------------------------------
:0040107C 55                      push ebp
:0040107D 8BEC                    mov ebp, esp
:0040107F 83C4F4                  add esp, FFFFFFF4
:00401082 6A0A                    push 0000000A
:00401084 8D45F4                  lea eax, dword ptr [ebp-0C]
:00401087 50                      push eax
:00401088 FF7508                  push [ebp+08]                 <--- Points to our Name

* Reference To: KERNEL32.lstrlenA, Ord:0000h
                                  |
:0040108B E8F2040000              Call 00401582                 <--- Get the Length
:00401090 50                      push eax                      <--- Save the Length

* Reference To: cw3220._itoa, Ord:0000h
                                  |
:00401091 E8C8040000              Call 0040155E                 <--- Here's the Algo
:00401096 83C40C                  add esp, 0000000C

* Possible StringData Ref from Data Obj ->"999081"
                                  |
:00401099 6874204000              push 00402074                 <--- Save this new string "999081"
:0040109E 8D55F4                  lea edx, dword ptr [ebp-0C]   <--- New Serial (not completely)
:004010A1 52                      push edx                      <--- Save it

* Reference To: cw3220._strcat, Ord:0000h
                                  |
:004010A2 E8A5040000              Call 0040154C                 <--- Add them together
:004010A7 83C408                  add esp, 00000008
:004010AA 8D4DF4                  lea ecx, dword ptr [ebp-0C]   <--- ECX now points to our New Serial
:004010AD 51                      push ecx                      <--- Save it
:004010AE FF750C                  push [ebp+0C]                 <--- Save our "Fake" Serial

* Reference To: KERNEL32.lstrcmpA, Ord:0000h
                                  |
:004010B1 E8C0040000              Call 00401576                 <--- Compare them
:004010B6 85C0                    test eax, eax                 <--- Test if EAX is 00
:004010B8 7518                    jne 004010D2                  <--- If not we jump and get the Bad Guy message, else continue
------------------------------------------------------------------------------

Ok, first it gets the Length of our Name, then it goes to the Algo (explained below).
Then it gets another string "999081" (the Serial for the previous CrackMe ;) and adds it to our New Serial.
And then it just Compares the New Serial with our "Fake" Serial with the API "lstrcmpA".
The API returns 00000000 if they're equal, otherwise it returns 00000001.

00000000 - Good Guy message
00000001 - Bad Guy message

If you want to patch this just NOP the "jne 004010D2" :)

Now I'll explain the Algo (only the Algo). It's located in "Cw3220.dll", so get in the "Call 0040155E" and trace a bit till you see this:

------------------------------------------------------------------------------
ESI holds the length of our Name

:0041573B 8BC6                    mov eax, esi                  <--- Move ESI in EAX
:0041573D 33D2                    xor edx, edx                  <--- XOR EDX which is now 00
:0041573F F7F7                    div edi                       <--- Divide with EDI
:00415741 8811                    mov byte ptr [ecx], dl        <--- Move DL in [ECX]
:00415743 41                      inc ecx                       <--- ECX +1
:00415744 8BC6                    mov eax, esi                  <--- Move ESI in EAX
:00415746 33D2                    xor edx, edx                  <--- XOR EDX which is now 00
:00415748 F7F7                    div edi                       <--- Divide with EDI
:0041574A 8BF0                    mov esi, eax                  <--- Move EAX in ESI
:0041574C 85C0                    test eax, eax                 <--- Test if EAX is 00
:0041574E 75EB                    jne 0041573B                  <--- If not repeat this loop, else continue
:00415750 EB17                    jmp 00415769                  <--- Jump to Compare

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041576E(C)
|
:00415752 49                      dec ecx                       <--- ECX -1
:00415753 8A01                    mov al, byte ptr [ecx]        <--- Move a byte from [ECX] in AL
:00415755 3C0A                    cmp al, 0A                    <--- Compare AL with 0000000A
:00415757 7D08                    jge 00415761                  <--- Jump if equal or greater
:00415759 83C030                  add eax, 00000030             <--- ADD 30 to AL
:0041575C 8803                    mov byte ptr [ebx], al        <--- Move AL in [EBX]
:0041575E 43                      inc ebx                       <--- EBX +1
:0041575F EB08                    jmp 00415769                  <--- Jump to Compare

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00415757(C)
|
:00415761 024518                  add al, byte ptr [ebp+18]     <--- ADD a byte from [EBP+18] in AL
:00415764 04F6                    add al, F6                    <--- ADD F6 in AL
:00415766 8803                    mov byte ptr [ebx], al        <--- Move AL in [EBX]
:00415768 43                      inc ebx                       <--- EBX +1

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00415750(U), :0041575F(U)
|
:00415769 8D55DC                  lea edx, dword ptr [ebp-24]   <--- Point EDX to the end of our New Serial
:0041576C 3BCA                    cmp ecx, edx                  <--- Compare EDX with ECX
:0041576E 75E2                    jne 00415752                  <--- If not equal repeat loop, else continue

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00415721(C), :00415726(C)
|
:00415770 C60300                  mov byte ptr [ebx], 00        <--- Move 00 at the end of our New Serial
:00415773 8B450C                  mov eax, dword ptr [ebp+0C]
:00415776 5F                      pop edi
:00415777 5E                      pop esi
:00415778 5B                      pop ebx
:00415779 8BE5                    mov esp, ebp
:0041577B 5D                      pop ebp
:0041577C C3                      ret
------------------------------------------------------------------------------

As you can see at this place the Algo isn't doing anything with the Chars of your Name, only the length :)
So it takes the Length of your Name and DIV's it with 0000000A, then it places the remainder in some place.
Then it DIV's again with 0000000A and places the result (in EAX) in ESI. Then it repeats again.
When it is done it takes the values again, starting with the last one, ADD's 30 to each and puts it in some place till all are done.
After all this it goes back to the CrackMe's Code and puts "999081" behind the New Serial.
That's all, my final New Serial was:

Name:   CoDeInSiDe
Serial: 10999081

It's very easy ;)

---> Greetings...

Everyone from TrickSoft (www.TrickSoft.net)
Everyone from Cracking4Newbies (www.Cracking4Newbies.com)
Everyone from Keygenning4Newbies (Keygenning4Newbies.cjb.net)
And You...

Don't trust the Outside, trust the InSiDe !!!

Cya...

CoDe_InSiDe

Email: code.inside@home.nl
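The Algo traced above, re-created in C as an added example (this is not code from the CrackMe, from cw3220.dll or from n0p3x): the letter-base argument the runtime reads from [ebp+18] is an assumption, since the page never shows its value, and `same_serial` shows the weak point of the scheme, that only the Length of the Name ever reaches the Serial.

```c
#include <stdio.h>
#include <string.h>

/* The radix loop traced in cw3220._itoa (0041573B..0041577C): divide by the
 * radix (EDI) until the quotient is 0, storing each remainder; then walk the
 * buffer backwards, adding 0x30 to digits < 10 and letter_base + 0xF6 to the
 * rest (the [ebp+18] argument; assumed here to be 'a', which is not on the page). */
static char *crackme_itoa(unsigned value, char *out, unsigned radix, char letter_base)
{
    unsigned char rem[32];                  /* scratch buffer at [ebp-24] */
    int n = 0;
    do {                                    /* runs at least once: 0041573B */
        rem[n++] = (unsigned char)(value % radix);  /* div edi; mov [ecx], dl */
        value /= radix;                             /* div edi; mov esi, eax */
    } while (value != 0);                   /* test eax, eax; jne 0041573B */
    char *p = out;
    while (n > 0) {                         /* dec ecx ... until ecx == [ebp-24] */
        unsigned char d = rem[--n];
        if (d < 10)
            *p++ = (char)(d + 0x30);                             /* add eax, 30 */
        else
            *p++ = (char)(unsigned char)(d + letter_base + 0xF6); /* add al,[ebp+18]; add al,F6 */
    }
    *p = '\0';                              /* mov byte ptr [ebx], 00 */
    return out;
}

/* The check at 0040107C: _itoa(lstrlen(name), buf, 10), then _strcat(buf, "999081"). */
static char *crackme_serial(const char *name, char *serial, size_t cap)
{
    char digits[16];
    crackme_itoa((unsigned)strlen(name), digits, 10, 'a');
    snprintf(serial, cap, "%s%s", digits, "999081");
    return serial;
}

/* 1 if lstrcmpA(good, typed) would return 0, i.e. the Good Guy message. */
static int crackme_accepts(const char *name, const char *typed)
{
    char good[32];
    return strcmp(crackme_serial(name, good, sizeof good), typed) == 0;
}

/* The weakness: only lstrlen(name) feeds the serial, so equal-length names share it. */
static int same_serial(const char *a, const char *b)
{
    char sa[32], sb[32];
    return strcmp(crackme_serial(a, sa, sizeof sa), crackme_serial(b, sb, sizeof sb)) == 0;
}
```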