Acid_Cool_178
presents his

#28  Tutorial


For Hellforge

This Text Is Only Meant For Educational Purposes And Not To Be Used Illegally, I Take No Responsibility For Illegal Use Of This Text. Move On At Your Own Risk.

Author Information
E-mail acid_cool_178@hotmail.com
Age 17
Web Page http://acidcool.cjb.net/
Date March 2K
Member in Hellforge, Flying Horse Cracking Force
Groups Web Page Hellforge, FHCF


Program Information
Name n0p3x's Crackme 1 crackme.exe
n0p3x's Crackme 1.A crackme1a.exe
Author n0p3x
Where to Download http://cod3r.cjb.net
Tools used W32Dasm, Download At
1. Player Tools
2. Programmer Tools
What kind of a program: Crackme / Shareware

Skill: Easy / Not so easy / Hard / X-pert


Information about the Protection I

These crackmes have only one code to find. Bad crypto.. good for us :)

Before We Start

Task1 <-- Crackme 1
Task2 <-- Crackme 1.A

The Process

Task1
Open crackme.exe in W32Dasm and in "String Data References" you can see the string "Congrats"; double-click on that string. Scroll up some lines and you can see this: cmp eax, F3EA9.
And bingo, there is the code in hex format. If I convert F3EA9 to decimal it will be 999081. And the crackme is registered :)

Task 2
Open crackme1a.exe in W32Dasm and in "String Data References" you can find the string "Well Done". Double-click on that string and you will end up here.

* Possible StringData Ref from Data Obj ->"Well Done"                                     <-- The title of the good messagebox
|

:004010B7 68AB204000 push 004020AB                                                        <-- You land here

* Possible StringData Ref from Data Obj ->"Congratulations. You successfully "    <-- The label of the good messagebox
->"cracked this program"
|
:004010BC 6874204000 push 00402074
:004010C1 6A00 push 00000000

* Reference To: USER32.MessageBoxA, Ord:0000h
|
:004010C3 E872040000 Call 0040153A                                                                 <-- The cool messagebox call
:004010C8 EB16 jmp 004010E0

Well, now that we have seen that, scroll up and you can see this.


:00401085 E880040000 Call 0040150A
:0040108A 59 pop ecx
:0040108B 8BD0 mov edx, eax
:0040108D B9E7030000 mov ecx, 000003E7
:00401092 81C2495F0E00 add edx, 000E5F49
:00401098 81C1A93E0F00 add ecx, 000F3EA9
:0040109E 90 nop
:0040109F 90 nop
:004010A0 40 inc eax
:004010A1 47 inc edi
:004010A2 43 inc ebx
:004010A3 48 dec eax
:004010A4 4F dec edi
:004010A5 4B dec ebx
:004010A6 90 nop
:004010A7 90 nop
:004010A8 83C258 add edx, 00000058
:004010AB 83C1A9 add ecx, FFFFFFA9
:004010AE 3BD1 cmp edx, ecx                                                                            <-- Compare routine
:004010B0 7518 jne 004010CA                                                                             <-- Jump to the bad routine if wrong. NOP the jump if you want to patch it.
:004010B2 6800100000 push 00001000

Well, at 004010AE the good code is compared with the serial that you entered. And that's all we need to know.
- Start the crackme
- Enter a dummy code; I entered 2951
- Open SoftICE by pressing CTRL+D
- Type BPX GetDlgItemTextA [ENTER]
- Exit SoftICE by pressing CTRL+D
- Press the "OK" button
- And you will land here.

* Reference To: USER32.GetDlgItemTextA, Ord:0000h
|
:0040115D E8E4030000 Call 00401546
:00401162 8D4DF4 lea ecx, dword ptr [ebp-0C]        <-- Here you are
:00401165 51 push ecx
:00401166 E811FFFFFF call 0040107C                     <-- Call the code
:0040116B 59 pop ecx

Trace down to the call by pressing F10, and to trace into the call just press F8 when you are ON the call.

And now you will land here

* Referenced by a CALL at Address:
|:00401166
|
:0040107C 55 push ebp                                             <-- You are here after tracing the call
:0040107D 8BEC mov ebp, esp
:0040107F 53 push ebx
:00401080 57 push edi
:00401081 8B5D08 mov ebx, dword ptr [ebp+08]
:00401084 53 push ebx

* Reference To: cw3220._atol, Ord:0000h
|
:00401085 E880040000 Call 0040150A
:0040108A 59 pop ecx
:0040108B 8BD0 mov edx, eax
:0040108D B9E7030000 mov ecx, 000003E7                <-- 3E7 HEX  are 999 in DEC
:00401092 81C2495F0E00 add edx, 000E5F49            <-- E5F49 HEX are 941897 in DEC

EDX = Our code

EDX = 2951 + 941897 = 944848

:00401098 81C1A93E0F00 add ecx, 000F3EA9           <-- F3EA9 HEX are 999081 in DEC

ECX = Real Code
ECX = 999081 + 999 = 1000080

:0040109E 90 nop
:0040109F 90 nop
:004010A0 40 inc eax
:004010A1 47 inc edi
:004010A2 43 inc ebx
:004010A3 48 dec eax
:004010A4 4F dec edi
:004010A5 4B dec ebx
:004010A6 90 nop
:004010A7 90 nop
:004010A8 83C258 add edx, 00000058              <-- 58 HEX are 88 in DEC

EDX = Our code
Here are EDX = 944848  + 88 =  944936

:004010AB 83C1A9 add ecx, FFFFFFA9               <-- FFFFFFA9 HEX is -87 in DEC (two's complement, so this subtracts 87)

ECX = Real Code
Here are ECX = 1000080 - 87 = 999993

:004010AE 3BD1 cmp edx, ecx                                 <-- Compare routine

The code is ECX - 88 - 941897 = 999993 - 88 - 941897 = 58008 DEC
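As an added example (not part of the original tutorial and not n0p3x's own source), here is a C reimplementation of both checks as read from the listings above: Task 1's cmp eax, F3EA9 and Task 2's routine at 0040107C. It uses uint32_t so that add ecx, FFFFFFA9 wraps exactly like the 32-bit register does, and it lets you verify the hand arithmetic; the function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* Constants copied from the W32Dasm listing of 0040107C (crackme1a.exe). */
#define ECX_INIT 0x000003E7u /* mov ecx, 000003E7  = 999 */
#define EDX_ADD1 0x000E5F49u /* add edx, 000E5F49  = 941897 */
#define ECX_ADD1 0x000F3EA9u /* add ecx, 000F3EA9  = 999081 */
#define EDX_ADD2 0x00000058u /* add edx, 00000058  = 88 */
#define ECX_ADD2 0xFFFFFFA9u /* add ecx, FFFFFFA9  = -87 in two's complement */

/* Crackme 1 (Task 1): the input is converted and compared with F3EA9 directly. */
int crackme1_check(const char *serial)
{
    return (uint32_t)(int32_t)atol(serial) == 0x000F3EA9u;
}

/* Crackme 1.A (Task 2): mirror of the routine traced above. uint32_t gives the
 * same wraparound as the 32-bit registers, so add ecx, FFFFFFA9 subtracts 87.
 * The inc/dec pairs and nops in between cancel out and are left out here. */
int crackme1a_check(const char *serial)
{
    uint32_t edx = (uint32_t)(int32_t)atol(serial); /* eax from _atol -> edx */
    uint32_t ecx = ECX_INIT;
    edx += EDX_ADD1;
    ecx += ECX_ADD1; /* 999 + 999081 = 1000080 */
    edx += EDX_ADD2;
    ecx += ECX_ADD2; /* 1000080 - 87 = 999993 (mod 2^32) */
    return edx == ecx; /* cmp edx, ecx / jne */
}

/* The ecx side of the compare, i.e. the "real code" the tutorial works out. */
uint32_t crackme1a_real_code(void)
{
    return ECX_INIT + ECX_ADD1 + ECX_ADD2;
}

/* Solve edx == ecx for the input: the one value of atol(serial) that passes. */
uint32_t crackme1a_expected_input(void)
{
    return crackme1a_real_code() - EDX_ADD1 - EDX_ADD2;
}

int main(void)
{
    printf("crackme1a real code = %u, passing input = %u\n",
           crackme1a_real_code(), crackme1a_expected_input());
    printf("2951 -> %s, 58008 -> %s\n", crackme1a_check("2951") ? "good" : "bad",
           crackme1a_check("58008") ? "good" : "bad");
    return 0;
}
```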

Greetings

LaZaRuS, Wajid, Borna Janes, ManKind, Eddie Van Camper, ACiD BuRN, KoRnFLeX, Eternal_Bliss, Potsmoke, DiABLO, Torn@do, ^AlX^ and all the others I have forgotten