Acid_Cool_178
presents his

#24 Tutorial

 

For Hellforge

This text is only meant for educational purposes and is not to be used illegally. I take no responsibility for illegal use of this text. Move on at your own risk.

Author Information
E-mail: acid_cool_178@hotmail.com
Age: 17
Web Page: http://acidcool.cjb.net/
Date: March 2K
Member in: Hellforge, Flying Horse Cracking Force
Groups' Web Pages: Hellforge (login), FHCF (login)

 

Program Information
Name: The Cracking Answer Crackme 1 (crackme.exe)
Size: 263KB
Author: dERz
Where to Download: http://tca2k.da.ru/
Tools used: W32Dasm, SoftICE
Download at: 1. Player Tools, 2. Programmer Tools
What kind of program: Crackme
Skill: Easy / Not so easy / Hard / X-pert

 

Information about the Protection I

This crackme has one name field and one serial field. It takes part of the name, generates a serial from it and compares that with the entered serial.

Before We Start

A new TCA crackme; I like this crackme. It was easy to find the serial. :)

The Process

Open the crackme in W32Dasm; under "String Data References" you can find the string "dERz' Crackme : Wrong Serial!".

* Possible StringData Ref from Data Obj ->"dERz' Crackme : Wrong Serial!"    <-- The title of the msgbox
|
:004016A9 B9FA524300 mov ecx, 004352FA              <-- the title pointer is loaded into ECX

* Possible StringData Ref from Data Obj ->" Nope! Wrong Serial! Try Again!" <-- The message
|
:004016AE BAD9524300 mov edx, 004352D9              <-- the message pointer is loaded into EDX
:004016B3 8B00 mov eax, dword ptr [eax]             <-- the remaining argument for the messagebox call
:004016B5 E84A270300 call 00433E04                  <-- the call that shows the messagebox

Now scroll a few lines up and you will see this.

:00401698 E85B280300 call 00433EF8     <-- here the real serial is generated and compared with the entered one
:0040169D 59 pop ecx
:0040169E 84C9 test cl, cl             <-- the result of the compare is tested
:004016A0 7418 je 004016BA             <-- JE is taken when CL is zero: if the serial is correct it jumps to the good code, otherwise execution falls through into the "Wrong Serial" messagebox code at 004016A9

Now that we know where the serial is compared, we can look at what is inside the call. Trace into the call in W32Dasm and you will see this code.

:00433EF8 55 push ebp
:00433EF9 8BEC mov ebp, esp
:00433EFB 51 push ecx
:00433EFC 53 push ebx
:00433EFD 56 push esi
:00433EFE 8BF2 mov esi, edx
:00433F00 8945FC mov dword ptr [ebp-04], eax
:00433F03 837DFC00 cmp dword ptr [ebp-04], 00000000
:00433F07 7419 je 00433F22
:00433F09 8B45FC mov eax, dword ptr [ebp-04]
:00433F0C E8CB44FFFF call 004283DC
:00433F11 F7C601000000 test esi, 00000001
:00433F17 7409 je 00433F22

I don't know exactly what this code is doing, but my best guess is that the serial is generated here. But mark the call at 00433F0C. Trace into that call and you will see this:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00428DCE(U)
|
:004283DC 8B10 mov edx, dword ptr [eax]
:004283DE 85D2 test edx, edx

We want to know what is inside EDX, and we will find that out.

Run the crackme and fill in the name and a serial.
Open SoftICE (SI).
BPX HMEMCPY               (break in the Windows 9x memory-copy routine that is hit when the crackme reads the edit fields; HMEMCPY is a 16-bit KERNEL routine, on NT you would break on GetWindowTextA/GetDlgItemTextA instead)
X, then press the OK button on the crackme.
Now you will be back in SI.
F10 x 7 times             (step over until you are out of the copy routine and back in the crackme's code)
BC *                      (clear all breakpoints)
BPX 004283DE              (break on the test edx, edx seen above)
X or CTRL+D x 6 times     (the routine at 004283DC is hit several times; let it run until the sixth break)
D EDX                     (dump the memory EDX points to)
And you can see your serial in the data window :)
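Why "D EDX" works at all: the crackme builds the real serial as a string and then hands it to a compare routine, so at the compare the valid serial sits in memory behind a register, waiting to be dumped. The C below is an added example and not code from the crackme or from dERz; serial_value() is a hypothetical derivation (the page never shows the real one), and the FNV-1a digest is an assumption chosen for the hardened variant. It shows the weak pattern from the crackme next to one that streams the generated serial straight into a digest, so the clear serial never exists in memory and a breakpoint on the compare only yields two 32-bit hashes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical serial derivation, NOT the algorithm in dERz's crackme
 * (the page never shows it): fold the bytes of the name into a 32-bit value.
 * The serial is that value printed as eight upper-case hex digits.
 */
static uint32_t serial_value(const char *name)
{
    uint32_t acc = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; ++p)
        acc = acc * 31u + *p;
    return acc;
}

/* Weak pattern, as in the crackme: materialise the real serial as a string... */
int check_serial_weak(const char *name, const char *entered)
{
    char real[9];
    snprintf(real, sizeof real, "%08X", (unsigned)serial_value(name));
    /* ...then hand it to a compare routine. A breakpoint on the compare and a
       "d" of the pointer argument shows the valid serial in clear text. */
    return strcmp(real, entered) == 0;
}

/* FNV-1a, one byte at a time, so serial digits can be hashed as they are produced. */
static uint32_t fnv1a_update(uint32_t h, unsigned char c)
{
    return (h ^ c) * 16777619u;
}

static uint32_t fnv1a_str(const char *s)
{
    uint32_t h = 2166136261u;
    for (const unsigned char *p = (const unsigned char *)s; *p; ++p)
        h = fnv1a_update(h, *p);
    return h;
}

/* Digest of the real serial, computed digit by digit: the serial string itself
   is never stored, so there is nothing to dump at the compare. */
static uint32_t serial_digest(const char *name)
{
    static const char hex[] = "0123456789ABCDEF";
    uint32_t v = serial_value(name);
    uint32_t h = 2166136261u;
    for (int shift = 28; shift >= 0; shift -= 4)
        h = fnv1a_update(h, (unsigned char)hex[(v >> shift) & 0xFu]);
    return h;
}

/* Hardened pattern: compare digests. Breaking here yields two 32-bit hashes,
   not the serial; the attacker has to understand serial_value() instead. */
int check_serial_hardened(const char *name, const char *entered)
{
    return fnv1a_str(entered) == serial_digest(name);
}

int main(void)
{
    const char *name = "Acid";   /* constructed sample input; serial is 001F0CDD */
    printf("weak, right serial     : %d\n", check_serial_weak(name, "001F0CDD"));
    printf("hardened, right serial : %d\n", check_serial_hardened(name, "001F0CDD"));
    printf("hardened, wrong serial : %d\n", check_serial_hardened(name, "DEADBEEF"));
    return 0;
}
```

The hardened form only removes the serial-fishing shortcut shown in this tutorial; a 32-bit digest is brute-forceable and the derivation is still recoverable by reading the code, so a keygen remains possible. It is the difference between dumping a register and actually reversing the algorithm.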

Ending

Now I have cracked the first TCA crackme; let's move on. :)

Greetings

LaZaRuS, Wajid, Borna Janes, ManKind, Eddie Van Camper, ACiD BuRN, KoRnFLeX, Eternal_Bliss, Potsmoke, DiABLO, Torn@do, ^AlX^ and all the others I have forgotten