*************************************************************************************************
                                        abex' 3rd CrackMe
*************************************************************************************************

Author:      abex
Protection:  KeyFile
URL:         http://www.l2c-board.de/crackmes/l2cabxc3.zip
Tools used:  SoftICE

---> Intro

Hi and welcome to my next tutorial =)
In this CrackMe we need to create a KeyFile in order to crack it. I'm trying to explain it in as much detail as I can =)

---> Let's Begin...

Open up the CrackMe and you'll get a Message Box saying:

    "Click OK to check for the KeyFile."

Hmmm, so it hasn't checked for the KeyFile at the beginning... This makes it a little bit easier for us =)
Anyway, click on OK and you will get this Message Box saying:

    "Hmmmmm, I can't find the file!"

Ok, that's reasonable =)
Now press OK and fire up the CrackMe again, but don't press OK yet. Get into SoftICE (CTRL + D), type "bpx CreateFileA", press enter and leave SoftICE (F5). Now press OK and we're back in SoftICE. You're now at the beginning of the CreateFileA code. Now I'm gonna give you a little trick for finding the right KeyFile name. Press (F10) a few times till you reach this code:

    MOV EDI, DWORD PTR [ESP+14]

Step over this instruction and do a "d edi" and you'll see the right KeyFile name =)
That's very logical, because the function CreateFileA needs to know the filename, so it must be somewhere in it =)

Ok, now that we know the name we can create the file, so I suggest getting out of SoftICE (F5). (We could trace further into the CrackMe code, but we would be kicked out of it because we don't have the correct KeyFile =)

Now we get the same Message Box again saying that it didn't find the file; press OK. Now create the file (abex.l2c) with whatever you want and put some text in it like "Hello" =) Save it in the same directory as the CrackMe and run the CrackMe again. Now press OK and we get a Message Box saying:

    "The found file is not a valid keyfile!"

Hmmm... we have the right file but something is missing, so press OK and run the CrackMe again. Don't press OK, but get into SoftICE (CTRL + D), type "bpx CreateFileA", press enter and leave SoftICE (F5), then press OK and we're back in SoftICE. We're back in the CreateFileA code, but we can skip it now, so press (F12) once and we're in the CrackMe code. Now you'll see this:

    MOV DWORD PTR [004020CA], EAX   <--- saves the handle of the KeyFile.
    CMP EAX, -01                    <--- compare EAX with -01 (FFFFFFFF).
    JE 00401075                     <--- jump if no KeyFile found.

For us it won't jump, because we created the correct KeyFile =) Ok, now you'll see this code below the jump:

    PUSH 00000000                   <--- push 00000000 onto the stack.
    PUSH DWORD PTR [004020CA]       <--- push our KeyFile handle.
    CALL [GetFileSize]              <--- calls the function GetFileSize.
    CMP EAX, 12                     <--- compare EAX with 12.
    JNE 00401060                    <--- jump if not equal.

Hmmm... GetFileSize, so as you see it checks for the correct number of bytes (19), because of the compare right after the function call. So what do we know now? The KeyFile must have the name "abex.l2c" and needs to be 19 bytes. Not so difficult, but before you leave SoftICE first take a look in the data window, because it has already put a string of 19 bytes into it =) But it doesn't matter what you put in the KeyFile as long as it has 19 bytes. Type "d 004020A6" to see the string of 19 bytes. It's:

    abexforlearn2crack   <--- 18 bytes but don't forget to count the NULL character (00).

So now we know everything to crack the CrackMe:

    Make a file called "abex.l2c" (put it in the same dir as the CrackMe).
    Make the file exactly 19 bytes (doesn't matter what you put into it).

If you have questions mail me at: code.inside@home.nl

---> Outro...

Well, I hope that you had some fun reading this, or maybe you fell asleep, but I just wanted to explain it in a lot of detail so you understand the program better =)
You can also patch the CrackMe but that's no fun, so I'll leave that up to you.
Thx for reading this tutorial and I hope to see you in the next tutorial.

---> Greetings...

Everybody at TrickSoft, Everybody at FCC, Everybody in #Cracking4Newbies and YOU =)

Don't trust the Outside, trust the InSiDe !!!!!

Cya...

CoDe_InSiDe
Email: code.inside@home.nl
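
The two listings in "Let's Begin..." read back as C, as an added example that is not part of the original tutorial or of the CrackMe's source. It shows that the check tests only whether the file opens and what size it has, and never reads its bytes. Assumptions: portable stdio calls stand in for CreateFileA/GetFileSize, the size constant is the CMP operand from the listing written as hexadecimal (the way SoftICE displays operands), and the function names, demo file name and "keyfile accepted" text are constructed.

```c
#include <stdio.h>

#define KEYFILE_NAME "abex.l2c"  /* name recovered with "d edi" */
#define KEYFILE_SIZE 0x12L       /* CMP EAX, 12; operand read as hex (assumption) */

enum key_status { KEY_MISSING, KEY_INVALID, KEY_OK };

/* Hand decompilation of the check; stdio replaces the Win32 calls. */
enum key_status check_keyfile(const char *path)
{
    FILE *f = fopen(path, "rb");        /* CALL CreateFileA            */
    if (f == NULL)                      /* CMP EAX, -01 / JE 00401075  */
        return KEY_MISSING;
    long size = -1;
    if (fseek(f, 0, SEEK_END) == 0)     /* CALL [GetFileSize]          */
        size = ftell(f);
    fclose(f);
    /* CMP EAX, 12 / JNE 00401060: the size is the only property tested,
       the file's contents are never read. */
    return size == KEYFILE_SIZE ? KEY_OK : KEY_INVALID;
}

/* Constructed helper: writes n filler bytes to path, returns 0 on success. */
int write_filler(const char *path, long n)
{
    FILE *f = fopen(path, "wb");
    if (f == NULL)
        return -1;
    for (long i = 0; i < n; i++)
        if (fputc('A', f) == EOF) { fclose(f); return -1; }
    return fclose(f) == 0 ? 0 : -1;
}

int main(void)
{
    static const char *msg[] = {
        "Hmmmmm, I can't find the file!",          /* text from the tutorial */
        "The found file is not a valid keyfile!",  /* text from the tutorial */
        "keyfile accepted",                        /* constructed            */
    };
    const char *demo = "demo_keyfile.tmp";         /* constructed file name  */
    printf("%s: %s\n", KEYFILE_NAME, msg[check_keyfile(KEYFILE_NAME)]);
    if (write_filler(demo, 5) == 0)
        printf("5 bytes: %s\n", msg[check_keyfile(demo)]);
    if (write_filler(demo, KEYFILE_SIZE) == 0)
        printf("0x12 bytes: %s\n", msg[check_keyfile(demo)]);
    remove(demo);
    return 0;
}
```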