This tutorial comes from
Acid Cool 178
written for
Hellforge / The Cracking Answer
r0m4n's Crackme 1
Cracking in a different way
Target
Program | Crackme 1 by r0m4n |
Protection | Name And Serial |
Where to Download | http://crackmes.cjb.net |
Date | 5 December 2000 |
Skill | Damet, still cracking.... |
Toolz
W32Dasm
OllyDbg
Download the tools from http://www.protools.cjb.net
Essay
Hehe, interested now huh ??
Well, as the title says, a different way, and I guess that you have never used
OllyDbg before.... well, here is your chance to get to know the program.. I
spent one week getting to know the program and I use the standard
settings.. well, here are the tasks...
Task 1 | First Look |
Task 2 | Patching |
Task 3 | Serial sniffing |
Task 4 | Trying to keygen |
Task 1 | First Look |
Well, there is not much to say about the first look at the crackme; I played with it and got to know the compare routine... If you have entered a fake serial then you will get one MessageBox that says something bad... Else you will get another MessageBox that says you did it :) And that's the MessageBox that WE WANT...
Task 2 | Patching |
Well, disassemble the crackme in W32Dasm and you will find this string under "String Data References": "Good work, cracker!!!". Just double-click on it and you will end up here...
:0042CE69 8B55FC                  mov edx, dword ptr [ebp-04]
:0042CE6C A110F74200              mov eax, dword ptr [0042F710]
:0042CE71 E85A6AFDFF              call 004038D0
:0042CE76 7516                    jne 0042CE8E            <-- If serial == NOT CORRECT then jump to the bad message, else ignore this jump.

* Possible StringData Ref from Code Obj ->"Good work, cracker!!!"
                                  |
:0042CE78 B8E0CE4200              mov eax, 0042CEE0
:0042CE7D E83AFCFFFF              call 0042CABC           <-- Show the good message

* Possible StringData Ref from Code Obj ->"Send the tut/patcher/keygen to "
                                        ->"r0m4n@flyhost.com"
                                  |
:0042CE82 B800CF4200              mov eax, 0042CF00
:0042CE87 E830FCFFFF              call 0042CABC           <-- Not important atm :)
:0042CE8C EB0A                    jmp 0042CE98

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042CE76(C)                                             <-- IMPORTANT
|
* Possible StringData Ref from Code Obj ->"Incorrect!!!"
                                  |
:0042CE8E B83CCF4200              mov eax, 0042CF3C
:0042CE93 E824FCFFFF              call 0042CABC           <-- Show the bad message
Now, to patch this one, just nop out the jump and it will accept all serials and names :D
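To see exactly what "nop out the jump" changes, here is an added Python example (my own code, not part of the original tutorial or of the crackme). It rebuilds the bytes of 0042CE69..0042CE97 from the W32Dasm listing above, decodes where the short jne and the calls point by their relative displacements, and replaces the two bytes of the jne with two NOPs only after checking that a short conditional jump really sits at that address. It works on an in-memory copy; mapping a virtual address to a file offset through the PE section table is not part of it.

```python
import struct

# Constructed from the W32Dasm listing: the raw bytes of 0042CE69..0042CE97.
CODE_BASE = 0x0042CE69
CODE = bytes.fromhex(
    "8B55FC"      # 0042CE69  mov edx, dword ptr [ebp-04]
    "A110F74200"  # 0042CE6C  mov eax, dword ptr [0042F710]
    "E85A6AFDFF"  # 0042CE71  call 004038D0        (serial compare)
    "7516"        # 0042CE76  jne 0042CE8E         (the jump we patch)
    "B8E0CE4200"  # 0042CE78  mov eax, 0042CEE0    "Good work, cracker!!!"
    "E83AFCFFFF"  # 0042CE7D  call 0042CABC
    "B800CF4200"  # 0042CE82  mov eax, 0042CF00
    "E830FCFFFF"  # 0042CE87  call 0042CABC
    "EB0A"        # 0042CE8C  jmp 0042CE98
    "B83CCF4200"  # 0042CE8E  mov eax, 0042CF3C    "Incorrect!!!"
    "E824FCFFFF"  # 0042CE93  call 0042CABC
)
NOP = 0x90


def branch_target(code, base, va):
    """Decode the destination of the relative branch at virtual address va.

    Short Jcc (70..7F) and JMP (EB) carry a signed 8-bit displacement,
    CALL (E8) and near JMP (E9) a signed 32-bit one; both are taken
    relative to the address of the *next* instruction.
    """
    off = va - base
    op = code[off]
    if 0x70 <= op <= 0x7F or op == 0xEB:
        rel = struct.unpack_from("<b", code, off + 1)[0]
        return va + 2 + rel
    if op in (0xE8, 0xE9):
        rel = struct.unpack_from("<i", code, off + 1)[0]
        return va + 5 + rel
    raise ValueError(f"no relative branch at {va:08X} (opcode {op:02X})")


def nop_out_short_jcc(code, base, va):
    """Return a copy of code with the 2-byte conditional jump at va replaced
    by two NOPs. Refuses to touch anything that is not a short Jcc, so a
    wrong address cannot silently corrupt a different instruction."""
    off = va - base
    if not 0x70 <= code[off] <= 0x7F:
        raise ValueError(f"{va:08X} does not hold a short conditional jump")
    patched = bytearray(code)
    patched[off:off + 2] = bytes([NOP, NOP])
    return bytes(patched)


def patch_report(code=CODE, base=CODE_BASE, jcc_va=0x0042CE76):
    """Decode the branches of the region, patch the jne, and return both."""
    targets = {va: branch_target(code, base, va)
               for va in (0x0042CE71, 0x0042CE76, 0x0042CE7D, 0x0042CE8C)}
    patched = nop_out_short_jcc(code, base, jcc_va)
    # The patch keeps the instruction stream the same length, so the
    # displacement of the later call still points where it did.
    assert branch_target(patched, base, 0x0042CE7D) == targets[0x0042CE7D]
    return targets, patched


if __name__ == "__main__":
    targets, patched = patch_report()
    for va, dst in targets.items():
        print(f"{va:08X} -> {dst:08X}")
    print("bytes at 0042CE76 after patch:", patched[13:15].hex())
```

Decoding the displacements is the check worth doing before patching: 0042CE76 + 2 + 0x16 is 0042CE8E, the "Incorrect!!!" path, which confirms this is the jump the text means, and 0042CE71 + 5 + (-0x295A6) is 004038D0, the compare routine traced in Task 3.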
Task 3 | Serial Sniffing |
well, now... Keep the crackme open in W32Dasm and open the crackme in OllyDbg.. I won't tell you how to use OllyDbg, cos it is easy.. You have some basic ideas on cracking and on debugging in W32Dasm.. (BTW: LaZaRuS wrote one good tut on debugging in W32Dasm, go to http://www.Hellforge.org to read it) Now, we know that the serial will be compared in the call at 0042CE71, so just press "CTRL + G" and you will get a small box; fill in "0042CE71" in the box and you will end up at the call... Hehe, cool huh ?? Now, if you press F2 you set one breakpoint, and if you want to remove the breakpoint then press F2 another time and it will be removed. cool huh ?? well, make sure that you have one breakpoint at "0042CE71" where the call is...
For a little self-study, take a look at the screen, can you see some strings there ??? I bet that you can... I can :) You can also see what the registers contain and whether the flags are set or not... Cool huh ??
Now back to the call.. Trace into the call by right-clicking and choosing "Follow" from the menu. Now you have entered the call,, finally, but what the hell now ? Now you will see this (I have copied this from the W32Dasm file, sorry but it was the best thing to do)
:004038D0 53                      push ebx
:004038D1 56                      push esi
:004038D2 57                      push edi
:004038D3 89C6                    mov esi, eax            <-- moving the fake serial into EAX
:004038D5 89D7                    mov edi, edx            <-- Moving the real serial into EDX
:004038D7 39D0                    cmp eax, edx            <-- Comparing the serials
Now, what we want is to see what is in EDX and that is easy... The theory is this...
We will start the crackme in OllyDbg
We will enter our name and one fake serial.
We will accept it by pressing the check button
When OllyDbg breaks at the call then we will trace into the call and see what EDX contains...
Well, go to Debug and choose Restart in the OllyDbg menu. Now here are some hotkeys (the last column is the key that does the same thing in SoftICE)...
OllyDbg | What it does | SoftICE |
F9 | Run the program and break on breakpoints | F5 |
F8 | Step over the instruction | F12 |
F7 | Step into | F8 or T |
CTRL + F2 | Restart program | No idea |
Now, please remember this..
If you have restarted the program then run it and fill in your name and serial.
REMEMBER: IT IS IMPORTANT THAT YOU HAVE SET ONE BREAKPOINT AT THE CALL WHERE THE
SERIAL IS GETTING CHECKED !!!!
Now, as name I used AcidCool and 2951 as the serial..
Now it's time to press the "check" button and you will be back
in OllyDbg,,, just as in good old SoftICE...
Right click and follow the call.. Now when you have done that you will be here:
:004038D0 53                      push ebx                <-- You will be here
:004038D1 56                      push esi
:004038D2 57                      push edi
:004038D3 89C6                    mov esi, eax            <-- moving the fake serial into EAX
:004038D5 89D7                    mov edi, edx            <-- Moving the real serial into EDX
:004038D7 39D0                    cmp eax, edx            <-- Comparing the serials
Press F8 to step over the instructions, and when you are at the compare routine you will see something like what you can see in the cracking.jpg file that I have included..
There you can see that my serial was "Rc1-420AcidCoolC00L"
well, I tested my serial and it worked fine as hell :) Another crackme solved with new skills in my fucking brain :))
Task 4 | Trying to keygen |
0042CDF0  . 55               PUSH EBP                              <-- I set one breakpoint here....
0042CDF1  . 8BEC             MOV EBP,ESP
0042CDF3  . 6A 00            PUSH 0
0042CDF5  . 53               PUSH EBX
0042CDF6  . 8BD8             MOV EBX,EAX
0042CDF8  . 33C0             XOR EAX,EAX
0042CDFA  . 55               PUSH EBP
0042CDFB  . 68 AECE4200      PUSH crackme1.0042CEAE
0042CE00  . 64:FF30          PUSH DWORD PTR FS:[EAX]
0042CE03  . 64:8920          MOV DWORD PTR FS:[EAX],ESP
0042CE06  . 8D55 FC          LEA EDX,DWORD PTR SS:[EBP-4]
0042CE09  . 8B83 E4010000    MOV EAX,DWORD PTR DS:[EBX+1E4]
0042CE0F  . E8 CCCFFEFF      CALL crackme1.00419DE0
0042CE14  . 8B55 FC          MOV EDX,DWORD PTR SS:[EBP-4]
0042CE17  . B8 10F74200      MOV EAX,crackme1.0042F710             <-- EAX = Serial
0042CE1C  . E8 7767FDFF      CALL crackme1.00403598
0042CE21  . 8D55 FC          LEA EDX,DWORD PTR SS:[EBP-4]
0042CE24  . 8B83 E0010000    MOV EAX,DWORD PTR DS:[EBX+1E0]
0042CE2A  . E8 B1CFFEFF      CALL crackme1.00419DE0
0042CE2F  . 8B55 FC          MOV EDX,DWORD PTR SS:[EBP-4]
0042CE32  . 8BC3             MOV EAX,EBX                           <-- EAX = Name
0042CE34  . 8B08             MOV ECX,DWORD PTR DS:[EAX]
0042CE36  . FF51 18          CALL DWORD PTR DS:[ECX+18]
0042CE39  . 68 C4CE4200      PUSH crackme1.0042CEC4                ; ASCII "420"
0042CE3E  . FF73 08          PUSH DWORD PTR DS:[EBX+8]
0042CE41  . 68 D0CE4200      PUSH crackme1.0042CED0                ; ASCII "C00L"
0042CE46  . B8 18F74200      MOV EAX,crackme1.0042F718
0042CE4B  . BA 03000000      MOV EDX,3
0042CE50  . E8 2B6AFDFF      CALL crackme1.00403880
    <-- Here something happens: it takes the Name and puts 420 in front of Acid
        and C00L at the end of Acid, so it will be 420AcidC00L
0042CE55  . 8D45 FC          LEA EAX,DWORD PTR SS:[EBP-4]
0042CE58  . 8B0D 18F74200    MOV ECX,DWORD PTR DS:[42F718]
0042CE5E  . 8B15 C8E84200    MOV EDX,DWORD PTR DS:[42E8C8]         ; crackme1.0042CDE8
0042CE64  . E8 A369FDFF      CALL crackme1.0040380C
    <-- And finally, here the crackme takes Rc1- and adds it in front of
        420AcidC00L so it will be Rc1-420AcidC00L, and that's the serial calculation :)
0042CE69  . 8B55 FC          MOV EDX,DWORD PTR SS:[EBP-4]
0042CE6C  . A1 10F74200      MOV EAX,DWORD PTR DS:[42F710]
0042CE71  . E8 5A6AFDFF      CALL crackme1.004038D0                ; Important Call
0042CE76  . 75 16            JNZ SHORT crackme1.0042CE8E
0042CE78  . B8 E0CE4200      MOV EAX,crackme1.0042CEE0             ; ASCII "Good work, cracker!!!"
0042CE7D  . E8 3AFCFFFF      CALL crackme1.0042CABC
0042CE82  . B8 00CF4200      MOV EAX,crackme1.0042CF00             ; ASCII "Send the tut/patcher/keygen to r0m4n@flyhost.com"
0042CE87  . E8 30FCFFFF      CALL crackme1.0042CABC
0042CE8C  . EB 0A            JMP SHORT crackme1.0042CE98
0042CE8E  > B8 3CCF4200      MOV EAX,crackme1.0042CF3C             ; ASCII "Incorrect!!!"
0042CE93  . E8 24FCFFFF      CALL crackme1.0042CABC
Serial == Rc1-420 + NAME + C00L
If Name == FuckYou then serial == Rc1-420FuckYouC00L
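The serial routine from the listing above, written out as an added Python example (my own code, not the tutorial's and not taken from the crackme). The three constants are the ASCII strings the OllyDbg listing shows; build_serial mirrors the two concatenation calls at 0042CE50 and 0042CE64, check_serial mirrors the compare at 0042CE71 and the JNZ after it, and name_from_serial shows that the name can be read straight back out of a serial, which is why the scheme has no secret beyond two fixed strings and why watching EDX in Task 3 was enough to get it.

```python
# Model of the serial routine read off the OllyDbg listing (the constants
# are the strings the listing shows; the functions are this example's own).
PREFIX = "Rc1-"   # string at crackme1.0042CDE8, prepended by the call at 0042CE64
MIDDLE = "420"    # ASCII "420"  at 0042CEC4, pushed at 0042CE39
SUFFIX = "C00L"   # ASCII "C00L" at 0042CED0, pushed at 0042CE41


def build_serial(name):
    """The real serial the crackme assembles before the compare at 0042CE71."""
    inner = MIDDLE + name + SUFFIX   # call 00403880 with EDX=3 parts: "420", name, "C00L"
    return PREFIX + inner            # call 0040380C: "Rc1-" in front of that


def check_serial(name, entered):
    """The decision at 0042CE76: equal -> good message, otherwise the bad one."""
    return entered == build_serial(name)


def name_from_serial(serial):
    """Inverse of build_serial: the name a serial was made for, or None if the
    serial does not have the Rc1-420...C00L shape. Works because the serial is a
    plain concatenation, so the name sits in the clear between two constants."""
    head = PREFIX + MIDDLE
    if (serial.startswith(head) and serial.endswith(SUFFIX)
            and len(serial) >= len(head) + len(SUFFIX)):
        return serial[len(head):len(serial) - len(SUFFIX)]
    return None


if __name__ == "__main__":
    for name in ("AcidCool", "FuckYou", ""):
        print(f"{name!r:12} -> {build_serial(name)}")
    print("2951 for AcidCool accepted:", check_serial("AcidCool", "2951"))
```

An empty name is handled the same way the crackme would handle it, giving Rc1-420C00L, and name_from_serial returns the empty string for it rather than None.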
Ending
Hint for everyone,
try to see this yourself... That is the best experience for you, I did it and I
could see it and maybe you also can see it.. This crackme gets a ranking of 11 out of
10 possible cos it is the first one that I ever have keygenned so fucking good,
and I didn't use SoftICE but I used something that can replace SoftICE :)
Greetings
LaZaRuS, Mercution, Borna Janes, ManKind, Eddie Van Camper, Analyst, KoRnFLeX, Eternal_Bliss, Potsmoke, DiABLO. Torn@do, ^AlX^ , AC|D, Dark Wolf, Marton, NaRRoW, Subzonic, SEV, all in Hellforge, TCA and all the other i have forgotten
2000/01 Resistant..
Made by Acid_Cool_178 / [TCA]
acid_cool_178@hotmail.com