***************************************************************************************
                                       Keyfile
***************************************************************************************

Author:      n0p3x
Protection:  Keyfile
URL:         http://www.phrozencrew.co.uk/crackmek.zip
Tools:       SoftICE 4.05, Hex-Editor

---> Intro...

Welcome to my next tutorial! This time a keyfile protection, very easy :)

---> Let's Begin...

Open the CrackMe and you'll see a message box saying:

  "This program is unregistered. Please register this software"

Press "Ok" and we're at the main window. The first thing we need to know is the keyfile name. The best way to do this is (I think) to get into SoftICE (CTRL+D), type "bpx CreateFileA" followed by "enter", leave SoftICE (CTRL+D) and press the "Re-Check" button; SoftICE should pop up. Type "BC *" to remove the breakpoint. Now don't press F11 or F12, but trace a bit until you're on this instruction:

  mov edi, [esp+14]

Then type "d edi" and you'll see the keyfile name: n0p3x.key (this can be done every time you're dealing with a keyfile protection that uses CreateFileA).

So press CTRL+D to get out of SoftICE and create the keyfile with your hex-editor or something. Put some text in it, like "Hello" :) Save the file and open the CrackMe again (be sure to put the keyfile in the same directory). When you're at the main window again, get into SoftICE (CTRL+D), type "bpx CreateFileA" followed by "enter", leave SoftICE (CTRL+D) and press "Re-Check"; SoftICE should pop up. Now press F12 once and you'll see this:

-----------------------------------------------------------------------------------------------------------
:004010B4 A300204000      mov dword ptr [00402000], eax      <--- HERE WE LAND AFTER THE BREAK !!!
:004010B9 833D00204000FF  cmp dword ptr [00402000], FFFFFFFF <--- Compare the handle with FFFFFFFF (no file found?)
:004010C0 0F8492000000    je 00401158                        <--- If equal, jump to the bad message box, else continue
:004010C6 6A00            push 00000000
:004010C8 6807214000      push 00402107
:004010CD 6A0A            push 0000000A
:004010CF 68F3204000      push 004020F3                      <--- Buffer where the first 10 chars from the keyfile go
:004010D4 FF3500204000    push dword ptr [00402000]

* Reference To: KERNEL32.ReadFile, Ord:0000h
|
:004010DA E8C5000000      Call 004011A4                      <--- Read the keyfile
:004010DF 85C0            test eax, eax                      <--- Test if EAX is 00 (couldn't read the file?)
:004010E1 7475            je 00401158                        <--- If equal, jump to the bad message box, else continue
:004010E3 6A00            push 00000000
:004010E5 6807214000      push 00402107
:004010EA 6A0A            push 0000000A
:004010EC 68FD204000      push 004020FD                      <--- Buffer where the next 10 chars from the keyfile go
:004010F1 FF3500204000    push dword ptr [00402000]

* Reference To: KERNEL32.ReadFile, Ord:0000h
|
:004010F7 E8A8000000      Call 004011A4                      <--- Read the keyfile
:004010FC 85C0            test eax, eax                      <--- Test if EAX is 00 (couldn't read the file?)
:004010FE 7458            je 00401158                        <--- If equal, jump to the bad message box, else continue
:00401100 FF3500204000    push dword ptr [00402000]

* Reference To: KERNEL32.CloseHandle, Ord:0000h
|
:00401106 E893000000      Call 0040119E
:0040110B 33C0            xor eax, eax                       <--- EAX = 00 (it is the index in the loop below)
:0040110D EB04            jmp 00401113                       <--- Jump over the next 2 instructions
:0040110F C9              leave
:00401110 C21000          ret 0010
-----------------------------------------------------------------------------------------------------------

Ok, this is easy to understand I think. Let's see what's next:

-----------------------------------------------------------------------------------------------------------
:00401113 80B0F320400043  xor byte ptr [eax+004020F3], 43    <--- XOR the current char (of the first 10 chars) with 43
:0040111A 40              inc eax                            <--- EAX + 1
:0040111B 80B8F320400000  cmp byte ptr [eax+004020F3], 00    <--- Compare the next char with 00
:00401122 75EF            jne 00401113                       <--- If not equal, jump back and repeat the loop, else continue
:00401124 68F3204000      push 004020F3                      <--- Push the offset of the first 10 chars
:00401129 68FD204000      push 004020FD                      <--- Push the offset of the next 10 chars

* Reference To: KERNEL32.lstrcmpA, Ord:0000h
|
:0040112E E877000000      Call 004011AA                      <--- Compare those 2
:00401133 83F800          cmp eax, 00000000                  <--- Compare EAX with 00000000
:00401136 7406            je 0040113E                        <--- If equal, jump to the good message box, else continue
:00401138 EB1E            jmp 00401158                       <--- Jump to the bad message box
-----------------------------------------------------------------------------------------------------------

Ok, this is very simple to solve ;) As you can see, it reads two times 10 chars and puts them in 2 different places. Then it "only" takes the first 10 chars and XORs them with 43, byte by byte, until it hits a 00. After this it compares the first 10 chars (XORed with 43) with the next 10 chars. Ok, well, if you put just one byte "43" (hex) into your keyfile you'll be victorious ;P

Why? Because it XORs that char with 43 (which then becomes 00) and the next 10 chars are nothing (00). So they're equal and the program will jump to the good message box at "cmp eax, 00000000" :)

That's all.

---> Greetings...

Everyone from TrickSoft (www.TrickSoft.net)
Everyone from Cracking4Newbies (www.Cracking4Newbies.com)
Everyone from Keygenning4Newbies (Keygenning4Newbies.cjb.net)
And You...

Don't trust the Outside, trust the InSiDe !!!

Cya...
CoDe_InSiDe
Email: code.inside@home.nl
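The keyfile check traced above, modelled in Python as an added example (it is not the CrackMe's code and not from the tutorial); it assumes that the memory right after the two 10-byte buffers at 004020F3 and 004020FD reads as 00, which the listing does not show:

```python
from typing import Optional

# Constants taken from the listing above.
XOR_KEY = 0x43   # immediate in "xor byte ptr [eax+004020F3], 43"
BUF1 = 0         # 004020F3, modelled as offset 0 of a small memory region
BUF2 = 10        # 004020FD = 004020F3 + 0A: the second buffer directly follows the first
READ_LEN = 10    # nNumberOfBytesToRead (0A) passed to both ReadFile calls


def c_string(mem: bytearray, off: int) -> bytes:
    """lstrcmpA semantics: a string runs from off up to the first 00 byte."""
    return bytes(mem[off:mem.index(0, off)])


def keyfile_accepted(keyfile: Optional[bytes]) -> bool:
    """True if the CrackMe would show the good message box for this n0p3x.key content.

    None models CreateFileA returning FFFFFFFF (no keyfile in the directory).
    Assumption (not in the listing): the region is followed by a 00 sentinel, so
    the XOR loop and lstrcmpA stop once they run past both buffers.
    """
    if keyfile is None:
        return False                       # je 00401158 after the cmp with FFFFFFFF
    mem = bytearray(2 * READ_LEN + 1)      # two 10-byte buffers plus the sentinel

    # Two ReadFile calls. At EOF ReadFile still succeeds with fewer (or zero)
    # bytes read, and the code only checks its return value with "test eax, eax".
    chunk1 = keyfile[:READ_LEN]
    chunk2 = keyfile[READ_LEN:2 * READ_LEN]
    mem[BUF1:BUF1 + len(chunk1)] = chunk1
    mem[BUF2:BUF2 + len(chunk2)] = chunk2

    # Loop at 00401113: XOR the current byte, advance, stop when the NEXT byte is 00.
    # It is a do-while, so the first byte is XORed even when the file is empty.
    i = BUF1
    while True:
        mem[i] ^= XOR_KEY
        i += 1
        if mem[i] == 0:
            break

    # lstrcmpA(004020FD, 004020F3) then "cmp eax, 00000000": equal strings win.
    return c_string(mem, BUF1) == c_string(mem, BUF2)


if __name__ == "__main__":
    for name, data in [("no file", None), ("one 43 byte", b"\x43"),
                       ("Hello", b"Hello"), ("empty file", b"")]:
        print(f"{name:12s} -> {'good' if keyfile_accepted(data) else 'bad'} message box")
```

Running it shows why the single 43 byte passes (the XOR turns it into 00 before lstrcmpA sees anything) while an empty file fails, because the do-while XORs the first byte anyway and leaves a lone 43 in the first buffer.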