**********************************************************************************************************
                                          Win32Asm CrackMe 4
**********************************************************************************************************

Author:      Acid_Cool_178
Protection:  Understanding ;)
URL:         http://members.nbci.com/_XMCM/norskehf/crackmes/asm/ac_crackme_04.zip
Tools:       W32Dasm v8.93
             Hex-Editor

---> Intro...

Welcome to my next Tutorial !!!
This time we need to "Understand" the CrackMe :)
Ok, not so hard.

---> Let's Begin...

As always, first just open the CrackMe and we'll get a Message Box saying:

"Information"
"Acid_Cool_178's Win32Assembely Crackme Version 4.78"

Press "Ok" and we'll get another Message Box saying:

"GOAL"
"Try to UNDERSTAND the crackme and just don't patch the stuff When U understand it. Re-Code the "crackme in any language as you want And write a Tutorial. Send the solution to "Acid_Cool_178@hotmail.com"

Ok, so like I said before we need to "Understand" the CrackMe :)
And about the "Re-Code the crackme in any language as you want", I'll leave that up to you ;)
Now press "Ok" and the CrackMe quits.
Disassemble the CrackMe in W32Dasm and click on "Strn Ref" (String Data References).
You'll see 3 texts there, namely:

"Acid_Cool_178's"
"GOAL"
"Yess"

Yess? We've seen the other 2 (those 2 Message Boxes) but not this text :)
So it's probably for another Message Box.
Now double click on "GOAL" and you'll see this:

----------------------------------------------------------------------------------------------------------
:00401013 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"GOAL"
                                  |
:00401015 6841304000              push 00403041

* Possible StringData Ref from Data Obj ->"GOAL"
                                  |
:0040101A 6846304000              push 00403046
:0040101F 6A00                    push 00000000

* Reference To: USER32.MessageBoxA, Ord:01BBh
                                  |
:00401021 E850000000              Call 00401076
----------------------------------------------------------------------------------------------------------

Ok, so that was our last Message Box, and when we pressed "Ok" the CrackMe quit. Let's see what comes next
after this Message Box:

----------------------------------------------------------------------------------------------------------
:00401026 33C0                    xor eax, eax              <--- XOR EAX which is now 00
:00401028 6A00                    push 00000000
:0040102A 6828230000              push 00002328             <--- Push 00002328 (Decimal 9000)
:0040102F 6A00                    push 00000000
:00401031 6A00                    push 00000000

* Reference To: USER32.SetTimer, Ord:024Dh
                                  |
:00401033 E844000000              Call 0040107C             <--- Set the Timer
:00401038 52                      push edx
:00401039 BA00000000              mov edx, 00000000         <--- Move 00000000 in EDX
:0040103E B813010000              mov eax, 00000113         <--- Move 00000113 in EAX
:00401043 3BD0                    cmp edx, eax              <--- Compare EAX with EDX (useless)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401048(C)
|
:00401045 48                      dec eax                   <--- EAX -1
:00401046 3BD0                    cmp edx, eax              <--- Compare EAX with EDX
:00401048 75FB                    jne 00401045              <--- If not equal jump 2 Instructions back
:0040104A 741D                    je 00401069               <--- If equal jump to ExitProcess
:0040104C 6A00                    push 00000000
:0040104E 6A00                    push 00000000

* Reference To: USER32.KillTimer, Ord:0192h
                                  |
:00401050 E81B000000              Call 00401070             <--- Kill the Timer
----------------------------------------------------------------------------------------------------------

As you can see, the SetTimer is pretty useless ;)
After that, the code puts 00000113 in EAX and clears EDX.
Then EAX is decremented by 1 and compared to EDX.
If they are not equal we repeat this; otherwise we jump to ExitProcess and the CrackMe quits :)
Since the loop only ends once EAX has counted down to EDX (00000000), the "je 00401069" right after it is
always taken.
If you scroll down a bit past the "KillTimer" you'll see another Message Box with the text "Yess" :)
So if you want to reach that place, simply NOP the "je 00401069" at Offset 0040104A.
I think you know how to do that, otherwise read my previous Tutorials :)
That's All...

---> Greetings...

To be honest I'm getting a bit sick of these greetings every time ;P
So I'll just say:

Greetings to everyone I know, and to everyone who knows me, and You... ;P

Don't trust the Outside, trust the InSiDe !!!

Cya...

CoDe_InSiDe

Email:     code.inside@home.nl
Homepage:  http://codeinside.cjb.net
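
Added example (not part of the original tutorial, and not the crackme's own source): the block from
00401038 to 0040104A modelled in C, to show why the unpatched "je 00401069" is always taken and what NOPing
it changes. The names run_check, struct trace and nop_je are made up for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of running the block at 00401038..0040104A (hypothetical helper type). */
struct trace {
    uint32_t eax;         /* EAX when the loop exits */
    uint32_t iterations;  /* how many times "dec eax" ran */
    bool reached_yess;    /* true if execution falls through to KillTimer / "Yess" */
};

/* nop_je models the patch from the tutorial: "je 00401069" replaced by NOPs. */
struct trace run_check(bool nop_je)
{
    struct trace t = {0, 0, false};
    uint32_t edx = 0x00000000;      /* 00401039: mov edx, 00000000 */
    uint32_t eax = 0x00000113;      /* 0040103E: mov eax, 00000113 */
    bool zf = (edx == eax);         /* 00401043: cmp edx, eax (flags overwritten below) */

    do {
        eax--;                      /* 00401045: dec eax */
        t.iterations++;
        zf = (edx == eax);          /* 00401046: cmp edx, eax */
    } while (!zf);                  /* 00401048: jne 00401045 */

    t.eax = eax;
    /* 0040104A: je 00401069. ZF must be set here, because jne just fell
       through, so the unpatched jump to ExitProcess is always taken. */
    if (zf && !nop_je)
        return t;                   /* -> 00401069, ExitProcess */
    t.reached_yess = true;          /* -> 0040104C, KillTimer, then the "Yess" box */
    return t;
}

int main(void)
{
    struct trace a = run_check(false), b = run_check(true);
    printf("original: eax=%u iterations=%u yess=%d\n",
           (unsigned)a.eax, (unsigned)a.iterations, a.reached_yess);
    printf("patched:  eax=%u iterations=%u yess=%d\n",
           (unsigned)b.eax, (unsigned)b.iterations, b.reached_yess);
    return 0;
}
```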