*******************************************************************************************************************************************
                                                          DaNiEl-RJ CrackMe #1
*******************************************************************************************************************************************

Author:     DaNiEl-RJ
Protection: Name / Serial
URL:        http://www.mesa-sys.com/~eternal/a-d/daniel-rj.zip
Tools:      W32Dasm v8.93
            Hex-Editor

---> Intro...

Welcome to my next Tutorial !!!
This time we're going to crack a Name/Serial Protection "without" SoftICE :P

---> Let's Begin...

*** Getting a Serial ***

Open the CrackMe and you'll see just a window and a MenuItem called "File" with 2 Sub Items:

  Damn! Where's the whole thing???
  About

But the first one is grayed (disabled) hmm.. well anyway click on "About" ;)
And you'll see a Message Box saying "Greetz 2 all brazilian crackers!!! :)". Ok, that's nice :)
Click "Ok" to return to the Main Window and then click on the MenuItem "File" again, hey the first Sub Item is ungrayed (Enabled). Ah nice... ;P
Click on it, and you'll see that a button and 2 Edit Boxes come up, ah finally something to Register with ;)
Ok, enter anything you want in the Edit Boxes, I've used:

  Name:   CoDe_InSiDe
  Serial: 1234567890

Now click on the button "Check it!" and a Message Box pops up saying: "No no no! :( Try again!"
Remember this line :)
Now close the CrackMe and disassemble it in W32Dasm.
Ok, click on the button "Strn Ref" (String Data References) and search for the line: "No no no! :( Try again!"
Double click on it and you should see this:

-------------------------------------------------------------------------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D522(C)
|
:0042D556 8D55F8                  lea edx, dword ptr [ebp-08]
:0042D559 8B86E0010000            mov eax, dword ptr [esi+000001E0]
:0042D55F E8FCC8FEFF              call 00419E60
:0042D564 8B45F8                  mov eax, dword ptr [ebp-08]          <--- Maybe our Serial or the Good Serial ?
:0042D567 8B55FC                  mov edx, dword ptr [ebp-04]          <--- Maybe our Serial or the Good Serial ?
:0042D56A E86163FDFF              call 004038D0                        <--- Here it Compares those 2
:0042D56F 750C                    jne 0042D57D                         <--- If not equal jump to the Bad String, else continue

* Possible StringData Ref from Code Obj ->"Congratz cracker! hehehe"
|
:0042D571 B8ECD54200              mov eax, 0042D5EC                    <--- Here's the Good String
:0042D576 E87DFBFFFF              call 0042D0F8
:0042D57B EB0A                    jmp 0042D587

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D56F(C)
|
* Possible StringData Ref from Code Obj ->"No no no! :( Try again!"
|
:0042D57D B810D64200              mov eax, 0042D610                    <--- Here's the Bad String
:0042D582 E871FBFFFF              call 0042D0F8

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0042D4F6(U), :0042D57B(U)
|
:0042D587 33C0                    xor eax, eax
:0042D589 5A                      pop edx
:0042D58A 59                      pop ecx
:0042D58B 59                      pop ecx
-------------------------------------------------------------------------------------------------------------------------------------------

Ok, well remember that "jne 0042D57D" for Patching ;)
Now just scroll a bit up because we need to find the Algo :)
So scroll up till you see something like this:

-------------------------------------------------------------------------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D4EA(C)
|
:0042D4FB BB01000000              mov ebx, 00000001                    <--- Move 00000001 in EBX

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D491(C)
|
:0042D500 8D55F8                  lea edx, dword ptr [ebp-08]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D4A0(C)
|
:0042D503 8B86DC010000            mov eax, dword ptr [esi+000001DC]
:0042D509 E852C9FEFF              call 00419E60
:0042D50E 8B45F8                  mov eax, dword ptr [ebp-08]          <--- Point EAX to your Name (Probably)
:0042D511 E8AA62FDFF              call 004037C0                        <--- If you check here, it takes the length of your Name (Probably)
:0042D516 8BF8                    mov edi, eax                         <--- Move EAX in EDI
:0042D518 8D45FC                  lea eax, dword ptr [ebp-04]
:0042D51B E82460FDFF              call 00403544
:0042D520 3BFB                    cmp edi, ebx                         <--- Compare EBX (00000001) with EDI (Length of Name (Probably))
:0042D522 7C32                    jl 0042D556                          <--- If lower jump and fail, else continue

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D554(C)
|
:0042D524 8D55F8                  lea edx, dword ptr [ebp-08]
:0042D527 8B86DC010000            mov eax, dword ptr [esi+000001DC]
:0042D52D E82EC9FEFF              call 00419E60
:0042D532 8B45F8                  mov eax, dword ptr [ebp-08]          <--- Move the Offset to our Name in EAX (Probably)
:0042D535 33D2                    xor edx, edx                         <--- XOR EDX which is now 00
:0042D537 8A5418FF                mov dl, byte ptr [eax+ebx-01]        <--- Move Char number EBX in DL (the first Char on the first pass)
:0042D53B 83C205                  add edx, 00000005                    <--- ADD 00000005 to EDX (the Char in DL)
:0042D53E 8D45F0                  lea eax, dword ptr [ebp-10]
:0042D541 E8A261FDFF              call 004036E8                        <--- In here it places DL to some place
:0042D546 8B55F0                  mov edx, dword ptr [ebp-10]
:0042D549 8D45FC                  lea eax, dword ptr [ebp-04]
:0042D54C E87762FDFF              call 004037C8
:0042D551 43                      inc ebx                              <--- EBX +1
:0042D552 3BFB                    cmp edi, ebx                         <--- Compare EBX with EDI
:0042D554 7DCE                    jge 0042D524                         <--- If equal or greater repeat loop, else continue
-------------------------------------------------------------------------------------------------------------------------------------------

Well first of all you may think "Hey that guy knows exactly what all the stuff does???" ;)
About all these instructions, yes that's not so hard, "But what about the calls???"...
I know that because I already cracked a lot of Delphi programs and they all work the same :P
If you don't believe me then check it with SoftICE (Believe me I haven't looked in it with SoftICE) :)
Well anyway as you can see the Algo is very small :)
It takes a Char of your Name and ADDs 00000005 to it, then places it somewhere, then takes the next Char and so on...
So for my Name it does this:

  Ascii   C  o  D  e  _  I  n  S  i  D  e
  Hex     43 6F 44 65 5F 49 6E 53 69 44 65
  --------------------------------------------
  ADD 00000005
  Result  48 74 49 6A 64 4E 73 58 6E 49 6A
  Ascii   H  t  I  j  d  N  s  X  n  I  j

That's it, try it with your Name, my final result:

  Name:   CoDe_InSiDe
  Serial: HtIjdNsXnIj

And if you try it, it works :P
CrackMe cracked, now to the Patching ;)

---> Let's Begin...

*** Patching ***

Ok, remember the place where I said "Ok, well remember that "jne 0042D57D" for Patching ;)".
Go there and click on the line "jne 0042D57D", then write down the Offset you see below in W32Dasm, it's "0002C96F".
Now if you look a bit up you'll see the instruction "mov edx, dword ptr [ebp-04]", remember those Opcodes (or write them down), it's "8B55FC".
Why??? Because if you've looked closely at the Algo and the surrounding Code (and because of the Compare call and the jne) you'll see that it probably leads to the Good Serial (the instruction in front of it probably leads to our "Fake" Serial).
I want to use that instruction to show the Good Serial every time in the Message Box :P
BUT !!! As you may notice, the Good String (Congratz cracker! hehehe) is loaded into EAX and our instruction loads into EDX :(
To fix this look at the Opcodes of the instruction "mov eax, dword ptr [ebp-08]", the Opcodes are "8B45F8". But we need it from "[ebp-04]", so just change the Opcodes to "8B45FC" :)
Ok, now we've got the Offsets, so we can close W32Dasm and open the file in a Hex-Editor, do it.
Go to the Offset "0002C96F" for the "jne 0042D57D". Just NOP it away (the 2 bytes 750C become 9090) :)
Then take a look at the bytes after it and change them into this (remember those Opcodes from above?):

  B8ECD54200 into 8B45FC9090 (9090 to make it run smooth ;)

Save the file and run it. It works :P now it shows for any Name the real Serial ! ;)
That's all...

---> Greetings...

To be honest I'm getting a bit sick of these greetings every time ;P So I'll just say:
Greetings to everyone I know, and to everyone who knows me, and You... ;P

Don't trust the Outside, trust the InSiDe !!!

Cya...

CoDe_InSiDe
Email: code.inside@home.nl
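To check the reading of the Algo listing above without SoftICE, here is the Name/Serial loop (0042D4FB..0042D554) and the final compare (0042D556..0042D56F) rewritten in Python. This is an added example and not the crackme's or the tutorial author's code; the 8-bit truncation of the added Char is my assumption about call 004036E8, everything else follows the instructions shown in the listing.

```python
# Added example, not part of the tutorial: the Name -> Serial loop at
# 0042D4FB..0042D554 and the compare at 0042D556..0042D56F rewritten in
# Python, so the reading of the listing can be checked without SoftICE.

def good_serial(name: bytes) -> bytes:
    """Rebuild [ebp-04]: EDI = length of the Name, EBX counts 1..EDI
    (1-based, hence [eax+ebx-01]), every Char gets 00000005 added and is
    appended. The jl at 0042D522 skips the loop for an empty Name."""
    edi = len(name)             # call 004037C0: length of the Name
    out = bytearray()           # [ebp-04], emptied by call 00403544
    ebx = 1                     # mov ebx, 00000001
    if edi < ebx:               # cmp edi, ebx / jl 0042D556
        return bytes(out)
    while True:
        dl = name[ebx - 1]      # mov dl, byte ptr [eax+ebx-01]
        edx = dl + 5            # add edx, 00000005
        # Assumption: call 004036E8 takes the value as a one-byte Char,
        # so only DL survives (only matters for bytes above 0xFA).
        out.append(edx & 0xFF)  # call 004037C8: append to [ebp-04]
        ebx += 1                # inc ebx
        if not edi >= ebx:      # cmp edi, ebx / jge 0042D524
            break
    return bytes(out)

def check_it(name: bytes, serial: bytes) -> str:
    """cmp at 0042D56A, jne at 0042D56F, and the two Message Box strings."""
    if serial == good_serial(name):
        return "Congratz cracker! hehehe"
    return "No no no! :( Try again!"

def trace_table(name: bytes) -> str:
    """The Ascii / Hex / ADD / Result / Ascii table from the tutorial."""
    result = good_serial(name)
    rows = [
        "Ascii  " + "  ".join(chr(b) for b in name),
        "Hex    " + " ".join("%02X" % b for b in name),
        "ADD 00000005",
        "Result " + " ".join("%02X" % b for b in result),
        "Ascii  " + "  ".join(chr(b) for b in result),
    ]
    return "\n".join(rows)

if __name__ == "__main__":
    print(trace_table(b"CoDe_InSiDe"))
    print(check_it(b"CoDe_InSiDe", b"1234567890"))  # the Serial tried first
    print(check_it(b"CoDe_InSiDe", good_serial(b"CoDe_InSiDe")))
```

Running it reproduces the CoDe_InSiDe -> HtIjdNsXnIj table, and shows why the protection is weak: the Serial is a fixed shift of the Name with no secret in it, so anyone reading the loop can derive it.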