*************************************************************************************************
                                      abex' 5th CrackMe
*************************************************************************************************

Author:      abex
Protection:  Serial
URL:         http://www.l2c-board.de/crackmes/l2cabxc5.zip
Tools used:  SoftICE

---> Intro...

Hi and welcome to my next tutorial =)
This time we need to find the right Serial and make a KeyGen if you can, but I'll leave that up to you. Now we're going to sniff out the Serial.

---> Let's Begin...

Open up the CrackMe and it asks you for a Serial. Type in a fake Serial; I've used: 0000000000
Then get into SoftICE (CTRL + D), type "bpx GetDlgItemTextA", press Enter and leave SoftICE (F5). Press "Check" and you're back in SoftICE. Press F11 once to return to the caller and you'll see this code:

    PUSH 00000000
    PUSH 00000000
    PUSH 004020C8
    PUSH 00402190
    PUSH 00402194
    PUSH 00000032                <--- 0x32 = 50 bytes, size of the name buffer
    PUSH 0040225C                <--- address for the HardDisk name (the volume label).
    PUSH 00000000                <--- NULL root path = the current drive
    CALL [GetVolumeInformationA]

Aha... HardDisk information =) The CrackMe asks Windows for the volume label of the current drive and stores it at 0040225C. Step through this until you're past the GetVolumeInformationA call. Then you'll see this piece of code:

    PUSH 004023F3                <--- 4562-ABEX "string1"
    PUSH 0040225C                <--- HardDisk name.
    CALL [lstrcatA]

As you can see, this takes the string "4562-ABEX" and copies it behind your HardDisk name, so the buffer at 0040225C now holds "HardDisk name + 4562-ABEX".
Step over the lstrcatA call and you'll see this code:

    MOV DL, 02                              <--- mov 02 into DL
    ADD DWORD PTR [0040225C], 00000001      <--- add 01 at offset 0040225C
    ADD DWORD PTR [0040225D], 00000001      <--- add 01 at offset 0040225D
    ADD DWORD PTR [0040225E], 00000001      <--- add 01 at offset 0040225E
    ADD DWORD PTR [0040225F], 00000001      <--- add 01 at offset 0040225F
    DEC DL                                  <--- sub 01 from DL
    JNE 004010AF                            <--- repeat loop if DL not zero

OK, so it puts 02 into DL, then adds 01 at offset 0040225C (the first char of our HardDisk name), adds 01 at offset 0040225D (the second char), adds 01 at offset 0040225E (the third char) and adds 01 at offset 0040225F (the fourth char). Then it subtracts 01 from DL (which now holds 01) and repeats the loop until DL is 00. These are DWORD adds, but since every byte is a printable character none of them wraps past 0xFF, so only the low byte of each add changes and there is no carry into the neighbouring chars. So what it actually does is add 02 to the first four chars of the buffer at 0040225C. Keep in mind that "4562-ABEX" was already appended before this loop runs, so if your HardDisk name is shorter than four chars the +02 lands on the first chars of "4562-ABEX" as well. I hope I explained it well and that you get all this =)

So let's see what's behind the JNE:

    PUSH 004023FD                <--- L2C-5781 "string2"
    PUSH 00402000                <--- empty address
    CALL [lstrcatA]

Here it copies the string "L2C-5781" into an empty buffer. OK, let's see what's behind the lstrcatA call:

    PUSH 0040225C                <--- HardDisk name + string1
    PUSH 00402000                <--- string2
    CALL [lstrcatA]

Here it copies "HardDisk name + string1" behind string2. That's easy to follow, I believe, so now we have the real Serial at 00402000 =) Let's see what's next:

    PUSH 00402324                <--- address of fake Serial
    PUSH 00402000                <--- address of real Serial
    CALL [lstrcmpiA]

And here it simply compares the fake Serial with the real Serial. lstrcmpiA is the case-insensitive compare, so the Serial is accepted in upper or lower case.
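As an added example (not code from the original tutorial or from abex's CrackMe), here is a KeyGen in C that reproduces the algorithm traced above: it takes the HardDisk name (volume label), appends "4562-ABEX", runs the two ADD DWORD passes over the first four bytes of that buffer, puts "L2C-5781" in front and checks a candidate the way lstrcmpiA does. The function names abex5_serial and abex5_check, the buffer sizes and the command-line label input are assumptions; on Windows, main() fetches the label with the same GetVolumeInformationA call the CrackMe makes. It goes beyond the tutorial's own case in that it also handles labels shorter than four chars, where the +02 spills onto "4562-ABEX".

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

#define VOLNAME_SIZE 0x32      /* nVolumeNameSize pushed before GetVolumeInformationA */
#define STRING1 "4562-ABEX"    /* 004023F3: appended behind the label at 0040225C */
#define STRING2 "L2C-5781"     /* 004023FD: copied to 00402000, goes in front */

/* Mirrors "ADD DWORD PTR [addr], 00000001": a 32-bit little-endian add on the
 * four bytes at p, including the carry into the next byte if one wraps past
 * 0xFF. Printable label bytes never wrap, so in practice only p[0] changes. */
static void add_dword_le(unsigned char *p)
{
    uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    v += 1;
    p[0] = (unsigned char)v;
    p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16);
    p[3] = (unsigned char)(v >> 24);
}

/* Builds the Serial for a given volume label into out (outlen bytes).
 * Returns 0 on success, -1 if the label would not fit the 0x32-byte buffer
 * the CrackMe hands to GetVolumeInformationA, or if out is too small.
 * (Function name and buffer sizes are assumptions, not the CrackMe's.) */
int abex5_serial(const char *label, char *out, size_t outlen)
{
    unsigned char buf[VOLNAME_SIZE + sizeof(STRING1)]; /* stands in for 0040225C */
    int pass, off;

    if (strlen(label) >= VOLNAME_SIZE)
        return -1;

    /* lstrcatA(0040225C, "4562-ABEX") */
    strcpy((char *)buf, label);
    strcat((char *)buf, STRING1);

    /* MOV DL,02 / four ADD DWORD PTR / DEC DL / JNE: two passes over the first
     * four bytes of the *concatenated* buffer. With a label shorter than four
     * chars the adds land on "4562-ABEX" itself. */
    for (pass = 0; pass < 2; pass++)
        for (off = 0; off < 4; off++)
            add_dword_le(buf + off);

    /* lstrcatA(00402000, "L2C-5781") followed by lstrcatA(00402000, 0040225C) */
    if (snprintf(out, outlen, "%s%s", STRING2, (const char *)buf) >= (int)outlen)
        return -1;
    return 0;
}

/* Mirrors lstrcmpiA: the CrackMe's compare ignores case. */
static int ci_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Returns 1 if `entered` would take the good-boy jump for this label, else 0. */
int abex5_check(const char *label, const char *entered)
{
    char real[VOLNAME_SIZE + sizeof(STRING1) + sizeof(STRING2)];
    if (abex5_serial(label, real, sizeof real) != 0)
        return 0;
    return ci_equal(real, entered);
}

int main(int argc, char **argv)
{
    char label[VOLNAME_SIZE] = "";
    char serial[VOLNAME_SIZE + sizeof(STRING1) + sizeof(STRING2)];
#ifdef _WIN32
    /* The same call the CrackMe makes: NULL root path = the current drive. */
    DWORD volser = 0, maxcomp = 0, flags = 0;
    (void)argc; (void)argv;
    if (!GetVolumeInformationA(NULL, label, sizeof label, &volser, &maxcomp,
                               &flags, NULL, 0)) {
        fprintf(stderr, "GetVolumeInformationA failed\n");
        return 1;
    }
#else
    /* Elsewhere the label is given on the command line (assumed interface). */
    if (argc != 2 || strlen(argv[1]) >= sizeof label) {
        fprintf(stderr, "usage: %s <volume-label of at most 49 chars>\n", argv[0]);
        return 1;
    }
    strcpy(label, argv[1]);
#endif
    if (abex5_serial(label, serial, sizeof serial) != 0) {
        fprintf(stderr, "label too long\n");
        return 1;
    }
    printf("%s\n", serial);
    return 0;
}
```

Run on Windows it prints the Serial for the drive you are on; elsewhere, `./keygen WINDOWS98SE` prints L2C-5781YKPFOWS98SE4562-ABEX. add_dword_le keeps the carry behaviour of the real ADD DWORD PTR rather than just incrementing one byte, so the KeyGen stays faithful even for a label with non-ASCII bytes; abex5_check reproduces the case-insensitive lstrcmpiA compare, which is why a lower-case Serial also passes.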
That wasn't so hard now, was it =) Then finally you'll see this behind the lstrcmpiA call:

    CMP EAX, 00000000            <--- compares EAX with 00000000
    JE 00401017                  <--- jump to good boy if equal

lstrcmpiA returns 0 when the two strings match, so EAX = 0 means the right Serial. You could patch the JE to JNE or to EB (better EB, an unconditional JMP, because it always jumps, while JNE would reject the right Serial and only accept wrong ones), BUT abex said in the .nfo file that patching is NOT allowed, so don't do it =)

So finally I got this info (works only on my computer):

Serial: L2C-5781YKPFOWS98SE4562-ABEX

Yes, as you'll notice, my HardDisk is called WINDOWS98SE =) Check it against the algorithm: W, I, N, D plus 02 gives Y, K, P, F, the rest of the name stays as it is, "4562-ABEX" follows it and "L2C-5781" goes in front.

If you have questions mail me at: code.inside@home.nl

---> Outro...

Thanks again for reading my tutorial, I really enjoy writing tutorials. This is my 3rd tutorial now and I'm planning to do some more =)
Now I'm only doing tutorials on CrackMes. Why???? Dunno, I just like CrackMes, but I'll write about progs soon =)

---> Greetings...

Everybody at TrickSoft, Everybody at FCC, Everybody in #Cracking4Newbies and YOU =)

Don't trust the Outside, trust the InSiDe !!!!!

Cya... CoDe_InSiDe