*********************************************************************************************************************
Win32Asm CrackMe 5
*********************************************************************************************************************

Author:      Acid_Cool_178
Protection:  Serial
URL:         http://members.nbci.com/_XMCM/norskehf/crackmes/asm/ac_crackme_05.zip
Tools:       SoftICE v4.05
             W32Dasm v8.93
             Hex-Editor

---> Intro...

Welcome to my next Tutorial !!!
This time a simple Serial :)

---> Let's Begin...

Open the CrackMe and you'll see a big Window with just one EditBox, one Button (Check) and one FileItem (Acid Crackme).
Well, this looks obvious, we just need to enter a Serial in the EditBox and press "Check" to see if it's valid ;)
So, enter something in the EditBox. I entered:

Serial: 1234567890

Now go into SoftICE (CTRL+D), type "bpx GetWindowTextA" followed by "enter" and leave SoftICE (CTRL+D).
Then press the Button "Check" and SoftICE should pop up. Press F12 once and you'll see this:

---------------------------------------------------------------------------------------------------------------------
:00401293 68E8304000              push 004030E8               <--- Our Fake Serial

* Possible StringData Ref from Data Obj ->"Hellforge"
                                  |
:00401298 68C0304000              push 004030C0               <--- Hmmm... :)

* Reference To: KERNEL32.lstrcmpA, Ord:02D6h
                                  |
:0040129D E86A010000              Call 0040140C               <--- Compare those 2 Strings
:004012A2 0BC0                    or eax, eax                 <--- Check if EAX is 0
:004012A4 7512                    jne 004012B8                <--- If not equal then jump to Bad Guy, else continue

* Possible StringData Ref from Data Obj ->"You have cracked me"
                                  |
:004012A6 6897304000              push 00403097
:004012AB FF35E4304000            push dword ptr [004030E4]

* Reference To: USER32.SetWindowTextA, Ord:0259h
                                  |
:004012B1 E82C010000              Call 004013E2
---------------------------------------------------------------------------------------------------------------------

Ok, this looks simple :)
When you're on Offset 00401293 type "d 004030E8" and you'll see your Fake Serial.
When you're on Offset 00401298 type "d 004030C0" and you'll see the String "Hellforge".
Then those 2 Strings get compared with lstrcmpA: if EAX is 0 we continue and get the Good Guy message, else it jumps to the Bad Guy message.
Ok, simple, so our Serial should be "Hellforge" :)
Try it and you'll see it worked.

Now we're going to Patch the Check :)
So disassemble the CrackMe in W32Dasm and go to Offset "00401293".
Now we can Patch a few things:

1. Patch the push at Offset 00401293 so it points to the String "Hellforge" (so it checks itself and that's always correct ;)
2. Patch the "or eax, eax" into "cmp eax, eax" (That's also always correct :)
3. Patch the "jne 004012B8": NOP it, or let it jump to the next Instruction.

We're going to do them all ;)

---> Method 1

Double click on Offset 00401293 and look at the bottom of W32Dasm, it says:

@Offset 00000693h

So open the CrackMe in your Hex-Editor and go to Offset "00000693".
Then change this:

68E8304000 (Our Fake Serial location)

into:

68C0304000 (Points to the String "Hellforge")

Save the File (Don't forget to close W32Dasm), run it and press the "Check" button, it works :)

---> Method 2

Disassemble the CrackMe again and double click on Offset "004012A2", then you'll see this at the bottom:

@Offset 000006A2h

Open the CrackMe in your Hex-Editor and go to Offset "000006A2".
Then change this:

0BC0 (Or)

into:

3BC0 (Compare)

Save the File (Don't forget to close W32Dasm), run it and press the "Check" button, it works :)

---> Method 3

Disassemble the CrackMe again and double click on Offset "004012A4", then you'll see this at the bottom:

@Offset 000006A4h

Open the CrackMe in your Hex-Editor and go to Offset "000006A4".
Then change this:

7512 (jne)

into:

9090 (NOP, NOP)

or:

7500 (Jump to next Instruction, because it jumps to nowhere :)

Save the File (Don't forget to close W32Dasm), run it and press the "Check" button, it works :)

That's All.

---> Greetings...

To be honest I'm getting a bit sick of these greetings every time ;P
So I'll just say:

Greetings to everyone I know, and to everyone who knows me, and You... ;P

Don't trust the Outside, trust the InSiDe !!!

Cya...

CoDe_InSiDe

Email:    code.inside@home.nl
Homepage: http://codeinside.cjb.net
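
Where the "@Offset" values and the branch destinations in the listing come from, as an added example that is not part of the original tutorial. The image base and section values are assumptions chosen to match the address/offset pairs shown above, the function names are hypothetical, and `modified_sites` shows how a byte-level integrity check would see the three patches:

```python
import struct

# Assumed layout (not given on the page): default image base and one code
# section, chosen so the result matches the "@Offset" values W32Dasm shows.
IMAGE_BASE = 0x00400000
SECTIONS = [(".text", 0x1000, 0x1000, 0x400)]  # name, RVA, size, raw pointer

# Original bytes at the three patch sites, copied from the listing.
ORIGINAL = {0x00401293: "68E8304000", 0x004012A2: "0BC0", 0x004012A4: "7512"}

def va_to_file_offset(va, image_base=IMAGE_BASE, sections=SECTIONS):
    """Translate a virtual address into an offset in the file on disk."""
    rva = va - image_base
    for _name, vaddr, size, raw in sections:
        if vaddr <= rva < vaddr + size:
            return rva - vaddr + raw
    raise ValueError(f"VA {va:#x} is outside every section")

def branch_target(addr, code):
    """Destination of a short Jcc (7x rel8) or a near CALL (E8 rel32)."""
    if 0x70 <= code[0] <= 0x7F:
        return addr + 2 + struct.unpack_from("<b", code, 1)[0]
    if code[0] == 0xE8:
        return addr + 5 + struct.unpack_from("<i", code, 1)[0]
    raise ValueError(f"opcode {code[0]:#04x} not handled")

def modified_sites(image, original=ORIGINAL):
    """Return the VAs whose on-disk bytes no longer match the listing."""
    changed = []
    for va, hexbytes in sorted(original.items()):
        want, off = bytes.fromhex(hexbytes), va_to_file_offset(va)
        if image[off:off + len(want)] != want:
            changed.append(va)
    return changed

def constructed_image():
    """Constructed stand-in for the file: zeros plus the listed bytes."""
    image = bytearray(0x800)
    for va, hexbytes in ORIGINAL.items():
        off = va_to_file_offset(va)
        image[off:off + len(hexbytes) // 2] = bytes.fromhex(hexbytes)
    return image

if __name__ == "__main__":
    img = constructed_image()
    img[va_to_file_offset(0x004012A2)] = 0x3B   # Method 2: or -> cmp
    print([hex(v) for v in modified_sites(img)])
    print(hex(branch_target(0x004012A4, bytes.fromhex("7512"))))
```

The displacement arithmetic also explains Method 3: with `7500` the jne lands on the instruction that follows it whether or not the strings matched.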