*****************************************************************************************************************************************
                                                           Win32Asm CrackMe 7
*****************************************************************************************************************************************

Author:     Acid_Cool_178
Protection: Name / Serial
URL:        http://members.nbci.com/_XMCM/norskehf/crackmes/asm/ac_crackme_07.zip
Tools:      W32Dasm

---> Intro...

Welcome to my next Tutorial !!!
This time we have to face a Name / Serial protection, very simple :)

---> Let's Begin...

Ok, open the CrackMe and you'll see 3 EditBoxes: one for your Name, one for your Serial and one for the result (Good or Bad message) :)
And of course a Button "Check".
Just fill in something as your Name and Serial, I've used:

Name:   CoDe_InSiDe
Serial: 1234567890

Then press the Button "Check" and you'll see in the result EditBox "Keep on trying lamer" :)
Remember that line and close the CrackMe.
Then disassemble the CrackMe in W32Dasm and click on "Strn Ref" (String Data References).
Now double click on "Keep on trying lamer" and you'll see this:

-----------------------------------------------------------------------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401354(C)
|
* Possible StringData Ref from Data Obj ->"Keep on trying lamer"
|
:00401368 689F304000    push 0040309F
:0040136D FF351C314000  push dword ptr [0040311C]

* Reference To: USER32.SetWindowTextA, Ord:0259h
|
:00401373 E820010000    Call 00401498

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401301(C), :00401309(C), :00401366(U)
|
:00401378 E9AE000000    jmp 0040142B
-----------------------------------------------------------------------------------------------------------------------------------------

Ok, notice the (C)onditional jump from address 00401354, let's take a look there.
And you'll see this:

-----------------------------------------------------------------------------------------------------------------------------------------
:00401343 6820314000    push 00403120              <--- Probably Fake Serial
:00401348 6820334000    push 00403320              <--- Probably Real Serial

* Reference To: KERNEL32.lstrcmpA, Ord:02D6h
|
:0040134D E870010000    Call 004014C2              <--- Compare those 2
:00401352 0BC0          or eax, eax                <--- Check if EAX is 0
:00401354 7512          jne 00401368               <--- If it is, fall through and display the Good Guy message, else jump to the Bad Guy message

* Possible StringData Ref from Data Obj ->"You have cracked me"
|
:00401356 688B304000    push 0040308B
:0040135B FF351C314000  push dword ptr [0040311C]

* Reference To: USER32.SetWindowTextA, Ord:0259h
|
:00401361 E832010000    Call 00401498
:00401366 EB10          jmp 00401378
-----------------------------------------------------------------------------------------------------------------------------------------

Ok, well not much to figure out in this stuff ;) except that this is the place where it Compares the 2 Strings.
Let's take a look a little bit further up from this stuff and you'll see this:

-----------------------------------------------------------------------------------------------------------------------------------------
:0040130B 33C0          xor eax, eax               <--- XOR EAX which is now 00
:0040130D 33D2          xor edx, edx               <--- XOR EDX which is now 00
:0040130F 6800020000    push 00000200
:00401314 6820314000    push 00403120              <--- This is the place where it puts our Name
:00401319 FF3514314000  push dword ptr [00403114]

* Reference To: USER32.GetWindowTextA, Ord:015Bh
|
:0040131F E83E010000    Call 00401462              <--- Get our Name
:00401324 6820314000    push 00403120              <--- Push the place of our Name

* Reference To: USER32.CharLowerA, Ord:0020h
|
:00401329 E80A010000    Call 00401438              <--- Make all the Chars Lowercase
:0040132E 6800020000    push 00000200
:00401333 6820334000    push 00403320              <--- This is the place where it puts our Fake Serial
:00401338 FF3518314000  push dword ptr [00403118]

* Reference To: USER32.GetWindowTextA, Ord:015Bh
|
:0040133E E81F010000    Call 00401462              <--- Get our Fake Serial
-----------------------------------------------------------------------------------------------------------------------------------------

Hmmm, Lowercase... now you may wonder "How does that guy know that the first GetWindowTextA gets our Name and not our Fake Serial???" ;)
Well it always goes that way, first it takes the Name and then the Fake Serial ;)
But you can also see it in another way... Let me explain this stuff first :)

Ok, first it takes our Name and puts it at Offset 00403120, and then it makes all the Chars of our Name lowercase.
Then it gets our Fake Serial and puts it at Offset 00403320.
After that you get the "lstrcmpA" (Compare) function to Compare the 2 "Strings" at Offset 00403120 and Offset 00403320.
So the first thing that has been taken with GetWindowTextA is probably your Name :)
Ok, I hope you get this, it's difficult to explain but one can just see that :) (That is, if you have already cracked some progs.)

And so the final result for me was:

Name:   CoDe_InSiDe
Serial: code_inside

See, very simple :)
You can of course also check this with SoftICE (Break on GetWindowTextA as you've seen) but I'll leave that up to you ;)
And I also leave the Patching up to you, because this CrackMe looks familiar Compared with the other CrackMe's :)

That's All.

---> Greetings...

To be honest I'm getting a bit sick of these greetings every time ;P
So I'll just say: Greetings to everyone I know, and to everyone who knows me, and You... ;P

Don't trust the Outside, trust the InSiDe !!!

Cya...

CoDe_InSiDe

Email:    code.inside@home.nl
Homepage: http://codeinside.cjb.net