*************************************************************************************************
                                   Win32Asm CrackMe 6
*************************************************************************************************

Author:     Acid_Cool_178
Protection: Serial
URL:        http://members.nbci.com/_XMCM/norskehf/crackmes/asm/ac_crackme_06.zip
Tools:      W32Dasm

---> Intro...

Welcome to my next Tutorial !!!
And just one Serial again (Including a bug ;)

---> Let's Begin...

Open the CrackMe and you'll see an EditBox and a Button. Fill in something in the EditBox and press the Button "Check" and you'll see the text:

"Keep on trying lamer"

hehe :) Keep that line in mind, now close the CrackMe and disassemble it in W32Dasm. Then click on "Strn Ref" (String Data References) and you'll see the line:

"Keep on trying lamer"

Double click on it and you'll see this:

-------------------------------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004012AE(C)
|

* Possible StringData Ref from Data Obj ->"Keep on trying lamer"
                                  |
:004012C2 68A2304000              push 004030A2
:004012C7 FF35DC304000            push dword ptr [004030DC]

* Reference To: USER32.SetWindowTextA, Ord:0259h
                                  |
:004012CD E820010000              Call 004013F2

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401274(C), :0040127C(C), :004012C0(U)
|
:004012D2 E9AE000000              jmp 00401385
-------------------------------------------------------------------------------------------------

Ok, this text (Keep on trying lamer) will be displayed with the API SetWindowTextA.
Notice the (C)onditional jump from Offset 004012AE, hmm... what's there?
;) Scroll a bit up till that Address and you'll see this:

-------------------------------------------------------------------------------------------------
:0040129D 68E0304000              push 004030E0                  <--- Fake Serial

* Possible StringData Ref from Data Obj ->"Hellforge"
                                  |
:004012A2 68B7304000              push 004030B7                  <--- Real Serial

* Reference To: KERNEL32.lstrcmpA, Ord:02D6h
                                  |
:004012A7 E870010000              Call 0040141C                  <--- Compare those 2
:004012AC 0BC0                    or eax, eax                    <--- Check if EAX is 0
:004012AE 7512                    jne 004012C2                   <--- If so, fall through and we get the Good Guy Message, else jump to the Bad Guy Message

* Possible StringData Ref from Data Obj ->"You have cracked me"
                                  |
:004012B0 688E304000              push 0040308E
:004012B5 FF35DC304000            push dword ptr [004030DC]

* Reference To: USER32.SetWindowTextA, Ord:0259h
                                  |
:004012BB E832010000              Call 004013F2
:004012C0 EB10                    jmp 004012D2
-------------------------------------------------------------------------------------------------

See, it compares the Fake Serial with the Real Serial (Hellforge). Now you probably immediately open the CrackMe and try to enter "Hellforge" :) But it doesn't work, so let's take a look at what's a bit more up in this Code. You'll see this:

-------------------------------------------------------------------------------------------------
:0040127E 6800020000              push 00000200
:00401283 68E0304000              push 004030E0                  <--- This is the place where our Fake Serial will be stored
:00401288 FF35DC304000            push dword ptr [004030DC]

* Reference To: USER32.GetWindowTextA, Ord:015Bh
                                  |
:0040128E E829010000              Call 004013BC                  <--- Call GetWindowTextA
:00401293 68E0304000              push 004030E0                  <--- Push the Address to our Fake Serial

* Reference To: USER32.CharLowerA, Ord:0020h
                                  |
:00401298 E8F5000000              Call 00401392                  <--- Call CharLowerA
-------------------------------------------------------------------------------------------------

Hmm... you see that?
It takes the Text from the EditBox with the API "GetWindowTextA" and then it makes all the Chars Lowercase, so if I entered:

CoDe_InSiDe

then the result after this would be:

code_inside

And then it Compares the Lowercased Serial with the Real Serial (Hellforge) ;)

Now comes the bug into its place, you've probably already seen it? ;)
When we arrive at the API "lstrcmpA" our Fake Serial has only Lowercase Chars. But the Real Serial has 1 Uppercase Char, the "H" from Hellforge :) So this CrackMe can't be cracked with a Serial ;)

Well, now you can Patch it in the way you want, I'm not going to explain what to Patch, read my other Tutorials for that ;) It's very easy, you can Patch for instance the "jne 004012C2" or the "or eax, eax" :)

That's All.

---> Greetings...

To be honest I'm getting a bit sick of these greetings every time ;P So I'll just say:
Greetings to everyone I know, and to everyone who knows me, and You... ;P

Don't trust the Outside, trust the InSiDe !!!

Cya...

CoDe_InSiDe

Email:    code.inside@home.nl
Homepage: http://codeinside.cjb.net
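As an added example that is not part of the tutorial or of the CrackMe itself, here is a Python model of the check sequence traced above (GetWindowTextA, CharLowerA, then lstrcmpA against "Hellforge") that shows why no typed serial can ever reach the "You have cracked me" path. The names char_lower_a, lstrcmp_a, crackme_check and serial_is_reachable are my own simplifications of the Win32 calls, and crackme_check_fixed is a hypothetical repair of the logic, not anything present in the CrackMe.

```python
REAL_SERIAL = "Hellforge"   # the string pushed at 004012A2


def char_lower_a(s: str) -> str:
    # Models CharLowerA on the ASCII text an EditBox holds here:
    # only A-Z are mapped to a-z, everything else is left untouched.
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in s)


def lstrcmp_a(a: str, b: str) -> int:
    # Models lstrcmpA: a case-sensitive compare that returns 0 only when
    # both strings are identical (negative or positive otherwise).
    return (a > b) - (a < b)


def crackme_check(entry: str) -> bool:
    # GetWindowTextA -> CharLowerA -> lstrcmpA -> "or eax, eax" / "jne".
    # True means the fall-through "You have cracked me" path is taken.
    lowered = char_lower_a(entry)          # buffer at 004030E0 after CharLowerA
    return lstrcmp_a(lowered, REAL_SERIAL) == 0


def serial_is_reachable(real_serial: str) -> bool:
    # A lowercased buffer can only equal the real serial when the real serial
    # itself contains no uppercase ASCII letter; "Hellforge" fails this test,
    # which is exactly the bug in the CrackMe.
    return char_lower_a(real_serial) == real_serial


def crackme_check_fixed(entry: str) -> bool:
    # Hypothetical corrected check (my assumption of what was intended):
    # lowercase both sides so the compare is effectively case-insensitive.
    return lstrcmp_a(char_lower_a(entry), char_lower_a(REAL_SERIAL)) == 0


if __name__ == "__main__":
    for attempt in ("Hellforge", "hellforge", "HELLFORGE", "CoDe_InSiDe"):
        result = "cracked" if crackme_check(attempt) else "lamer"
        print(f"{attempt:12} -> {result}")
    print("serial reachable:", serial_is_reachable(REAL_SERIAL))   # False
```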