********************************************************************************
                             cyT0m!c's CrackMe #1
********************************************************************************

Author:     cyT0m!c
Protection: Name / Serial
URL:        http://www.blubb.at/sweety/cracking/crackmez/Cytomic.zip
Tools:      SoftICE 4.05
            W32Dasm V8.93
            Hex-Editor

---> Intro...

Hi, welcome to my next CrackMe tutorial!
This CrackMe has a very simple algorithm and is meant for newbies :)
First I'm going to "sniff" the serial, then I'll patch it.

---> Let's Begin...

*** Serial Sniffing ***

Open the CrackMe and you'll see two edit boxes, one for your Name and one for your Serial. Just fill in some Name and Serial; I've used:

Name:   CoDe_InSiDe
Serial: 1234567890

Now we're going to set a breakpoint. Get into SoftICE (CTRL+D), type "bpx hmemcpy", press Enter, and leave SoftICE again (CTRL+D). Press "Try It..." and SoftICE will pop up. Type "BC *" to clear the breakpoint, then press F12 12 times and we're back in the CrackMe's own code. Now you'll see this:

--------------------------------------------------------------------------------
:0042506A 8D55F4        lea edx, dword ptr [ebp-0C]        <--- HERE WE LAND AFTER THE BREAK !!!
:0042506D 8B83BC010000  mov eax, dword ptr [ebx+000001BC]
:00425073 E888C9FEFF    call 00411A00
:00425078 8B45F4        mov eax, dword ptr [ebp-0C]
:0042507B 8D55F8        lea edx, dword ptr [ebp-08]
:0042507E E871D7FDFF    call 004027F4                      <--- Converts the "Fake" Serial string (decimal digits) into an integer in EAX
:00425083 8BF0          mov esi, eax                       <--- Move EAX into ESI ("Fake" Serial)
:00425085 8B45FC        mov eax, dword ptr [ebp-04]        <--- EAX = pointer to our Name
:00425088 E813010000    call 004251A0                      <--- Here's the Algo !!!
:0042508D 8BF8          mov edi, eax                       <--- Move EAX into EDI ("Real" Serial)
:0042508F 3BFE          cmp edi, esi                       <--- Compare EDI with ESI
:00425091 7418          je 004250AB                        <--- If equal jump to the Good Guy, else fall through to the Bad Guy (Remember this spot for Patching :)
--------------------------------------------------------------------------------

Once you land here you can step over the first CALL (F10) and trace down to the CALL 004027F4. It's not necessary to look inside this CALL, but it may be interesting :) I won't explain it much: it takes the Serial you typed, parses it as a decimal number and returns the integer in EAX. When you're out of the CALL you can do "? EAX" to see your "Fake" Serial as a number (SoftICE shows it in hex and in decimal).

Now step into the CALL 004251A0 (F8) <--- This is the Algo :) and you'll see this:

--------------------------------------------------------------------------------
:004251A0 53            push ebx
:004251A1 89C3          mov ebx, eax                       <--- Move EAX into EBX (EBX now holds the pointer to our Name)
:004251A3 83FB00        cmp ebx, 00000000                  <--- Is the pointer NULL (empty Name)?
:004251A6 7413          je 004251BB                        <--- If so jump to the end, else continue
:004251A8 B801000000    mov eax, 00000001                  <--- EAX = 1, the starting value of the product
:004251AD 31C9          xor ecx, ecx                       <--- ECX = 0 (so the high bytes stay clear when we load CL)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004251B9(U)
|
:004251AF 8A0B          mov cl, byte ptr [ebx]             <--- Load the current character into CL
:004251B1 80F900        cmp cl, 00                         <--- Is it the terminating 00 (end of our Name)?
:004251B4 7405          je 004251BB                        <--- If so jump to the end, else keep building the Serial
:004251B6 F7E1          mul ecx                            <--- EDX:EAX = EAX * ECX (only the low 32 bits in EAX are used by the next round)
:004251B8 43            inc ebx                            <--- EBX + 1, point to the next character
:004251B9 EBF4          jmp 004251AF                       <--- Repeat the loop

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004251A6(C), :004251B4(C)
|
:004251BB 25FFFFFF0F    and eax, 0FFFFFFF                  <--- Logical AND of EAX with 0FFFFFFF (clear the top 4 bits)
:004251C0 5B            pop ebx
:004251C1 C3            ret
--------------------------------------------------------------------------------

So here we have the Algo, and it's very small :) For the Name "CoDe_InSiDe" it goes like this:

  Move 00000001 into EAX
  Move the first char into CL, which is "C" (hex 43)
  Compare CL with 00              -> not the end of our Name
  Multiply EAX (01) by ECX (43)   -> EAX now holds 00000043 (43 * 1 = 43)
  Increase EBX                    -> points to the next char
  Move the second char into CL, which is "o" (hex 6F)
  Compare CL with 00              -> not the end of our Name
  Multiply EAX (43) by ECX (6F)   -> EAX now holds 00001D0D (43 * 6F = 1D0D)
  Increase EBX                    -> points to the next char
  And so on...

In other words, the Serial is the product of all the character codes of the Name. Note that MUL keeps only the low 32 bits of the running product in EAX (the high part goes to EDX and is ignored), so with longer Names the value silently wraps around. At the end it also does "and eax, 0FFFFFFF": this clears the top 4 bits, so the first hex digit of the result is always 0. That way the Serial always fits in 28 bits and is never negative when the program treats it as a signed 32-bit integer, which is what your typed Serial gets converted to :)

Now the final result is in EAX. When you get out of this CALL you'll see that it moves EAX into EDI, and then it compares ESI (the "Fake" Serial) with EDI (the "Real" Serial). Very easy, huh? :) To see our "Real" Serial in readable form we just do "? EDI" and SoftICE shows its decimal value; my Serial was:

Name:   CoDe_InSiDe
Serial: 156742880

That's it for the "Serial Sniffing", now on to the Patching :)

---> Let's Begin

*** Patching ***

Fire up W32Dasm and disassemble the file "CrackMe.exe". Now we can get to the patching place in 2 ways:

1. In W32Dasm go to "String Data References" and search for "That isn't it, keep on trying..."
   or the Good Guy message, double click on it, then trace a few lines up till you see "je 004250AB".
2. Remember where I said "Remember this spot for Patching :)"? In W32Dasm you can go directly to that address by pressing SHIFT+F12, typing "00425091" and clicking OK.

When you're there, notice the line at the bottom of W32Dasm; it says:

Line:86494 Pg 1730 and 1731 of 1738 Code Data @:00425091 @Offset 00024491h in File:CrackMe.exe

The only important part for us is "@Offset 00024491h": that is where the JE lives in the file on disk. Close W32Dasm (it still has the file open), then open a hex editor and go to offset 00024491. We need the jump to be taken unconditionally so that we always succeed :) so change the 74 (JE) into EB (JMP):

7418 ---> EB18

That's it. Make a backup, save the file and run it: now every Serial will work :)

You can also change the compare instead. The two bytes in front of the JE (offset 0002448F) are:

3BFE ---> (cmp edi, esi)

You can change them into:

3BFF ---> (cmp edi, edi)

Now it compares the "Real" Serial with the "Real" Serial, so the check always passes :) Or change them into:

3BF6 ---> (cmp esi, esi)

Now it compares the "Fake" Serial with the "Fake" Serial, which also always passes :) Have fun with it...

---> Greetings...

Everybody at TrickSoft (www.TrickSoft.net)
Everybody at Cracking4Newbies (www.Cracking4Newbies.com)
And You...

Don't trust the Outside, trust the InSiDe !!!

Cya... CoDe_InSiDe
Email: code.inside@home.nl
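The two parts of this tutorial, the Algo at 004251A0 and the byte patches at file offsets 00024491h / 0002448Fh, as one added example in Python. This is not code from the CrackMe or its author; it is a keygen, checker and patcher reconstructed from the listings above. Assumptions it makes: one byte per Name character (as the loop reads them), the call at 004027F4 accepts plain decimal digits (its exact parsing rules are not shown on the page), the file offsets are those W32Dasm reported for this build, and the "image" used for testing is a constructed stand-in for CrackMe.exe, not the real file. It goes a little beyond the text in one respect: before writing a patch it verifies the original bytes are really at that offset, which is the check you want before hex-editing any binary.

```python
#!/usr/bin/env python3
"""Keygen, checker and patcher for cyT0m!c's CrackMe #1.

Added example reconstructed from the tutorial's listings; not code shipped
with the CrackMe or written by its author.
"""
import sys

MASK32 = 0xFFFFFFFF   # 'mul ecx' leaves only the low 32 bits of the product in EAX
MASK28 = 0x0FFFFFFF   # 'and eax, 0FFFFFFF' at 004251BB


def real_serial(name: str) -> int:
    """Replay the routine at 004251A0 on a Name and return the "Real" Serial."""
    data = name.encode("latin-1")          # assumption: one byte per character
    if not data:
        # Delphi passes a nil pointer for an empty string: 'cmp ebx,0 / je 004251BB'
        # skips 'mov eax,1', so EAX (still 0) is masked and returned.
        return 0
    eax = 1
    for c in data:
        if c == 0:                         # 'cmp cl,00 / je 004251BB': terminator reached
            break
        eax = (eax * c) & MASK32           # 'mul ecx': EDX:EAX = EAX*ECX, EDX is discarded
    return eax & MASK28


def check(name: str, serial: str) -> bool:
    """Mirror of 0042507E..00425091: parse the typed Serial, compare with the real one.

    Assumption: the call at 004027F4 accepts plain decimal digits; anything it
    might also accept (signs, hex prefixes) is not shown in the listing.
    """
    try:
        fake = int(serial, 10)
    except ValueError:
        return False
    return fake == real_serial(name)


# File offsets from W32Dasm for this build: VA 00425091 is file offset 00024491h,
# so the two-byte 'cmp edi, esi' just before it (VA 0042508F) is at 0002448Fh.
JE_OFFSET = 0x24491
CMP_OFFSET = 0x2448F

PATCHES = {
    "jmp":     (JE_OFFSET,  b"\x74\x18", b"\xEB\x18"),  # je 004250AB -> jmp 004250AB
    "edi,edi": (CMP_OFFSET, b"\x3B\xFE", b"\x3B\xFF"),  # cmp edi,esi -> cmp edi,edi
    "esi,esi": (CMP_OFFSET, b"\x3B\xFE", b"\x3B\xF6"),  # cmp edi,esi -> cmp esi,esi
}


def apply_patch(image: bytes, which: str) -> bytes:
    """Return a patched copy of the file image; refuse if the original bytes differ."""
    offset, expected, new = PATCHES[which]
    found = image[offset:offset + len(expected)]
    if found != expected:
        raise ValueError(f"expected {expected.hex()} at {offset:#x}, found {found.hex()}")
    out = bytearray(image)
    out[offset:offset + len(new)] = new
    return bytes(out)


def fake_image() -> bytes:
    """Constructed stand-in for CrackMe.exe (not the real file): all zeros, with
    only the four bytes from the listing (3B FE 74 18) at their file offsets."""
    img = bytearray(0x24500)
    img[CMP_OFFSET:CMP_OFFSET + 4] = b"\x3B\xFE\x74\x18"
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) >= 3 and sys.argv[1] == "keygen":
        print(real_serial(" ".join(sys.argv[2:])))     # keygen CoDe_InSiDe -> 156742880
    elif len(sys.argv) == 4 and sys.argv[1] == "patch":
        with open(sys.argv[2], "rb") as f:
            patched = apply_patch(f.read(), sys.argv[3])
        with open(sys.argv[2] + ".patched", "wb") as f:
            f.write(patched)
    else:
        print("usage: keygen NAME | patch CrackMe.exe {jmp|edi,edi|esi,esi}")
```

Running "keygen CoDe_InSiDe" reproduces the 156742880 sniffed with "? EDI" above, and "patch CrackMe.exe jmp" writes CrackMe.exe.patched with the JE turned into a JMP. The byte check in apply_patch is what stops you from writing EB into the wrong place on a different build of the file, and it also refuses to patch a file that has already been patched.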