Crackme Patched but finding correct serial not so easy


DENiSON
August 1st, 2009, 12:24
Hello. I've recently been working on a crackme; its only rule was to do whatever you can to find the correct serial for your name. I have opened it in OllyDbg, had a look, and have so far managed to patch it so that it accepts any name with any serial! This does work 100%; however, the aim is to find the one serial that works with the name you enter. Please can somebody help me?

http://www.sendspace.com/file/z68eoe

(the above is the download link for: the crackme in its normal state, the crackme after patching, and my notes on my work so far)

thanks in advance
DENiSON

DENiSON
August 1st, 2009, 12:46
Opened in OllyDbg, there are 2 strings entitled "GetDlgItemTextA".
One is located at 00401070 and the other at 004010B2.
I've tried putting a bp on both of these (because in many previous crackmes I've completed, these have been the name and serial grabbers). I then pressed F9 to run the crackme and entered:

Username: DENiSON
serial: 12345

Once back in OllyDbg I scroll down and come to the following code:
0040112B |. FF35 96424000 PUSH DWORD PTR DS:[404296]
00401131 |. FF35 92424000 PUSH DWORD PTR DS:[404292]
00401137 |. FF35 8E424000 PUSH DWORD PTR DS:[40428E]
0040113D |. FF35 8A424000 PUSH DWORD PTR DS:[40428A]
00401143 |. E8 4C100000 CALL simple1.00402194
00401148 |. 68 0A414000 PUSH simple1.0040410A
0040114D |. FF35 96424000 PUSH DWORD PTR DS:[404296]
00401153 |. E8 0A040000 CALL simple1.00401562
00401158 |. 68 8A414000 PUSH simple1.0040418A ; /String2 = ""
0040115D |. 68 0A414000 PUSH simple1.0040410A ; |String1 = ""
00401162 |. E8 CB110000 CALL <JMP.&KERNEL32.lstrcmpA> ; \lstrcmpA
00401167 |. 85C0 TEST EAX,EAX
00401169 |. 74 16 JE SHORT simple1.00401181
0040116B |> 68 4E404000 PUSH simple1.0040404E ; /Text = "wrong serial"
00401170 |. 68 EA030000 PUSH 3EA ; |ControlID = 3EA (1002.)
00401175 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00401178 |. E8 DF110000 CALL <JMP.&USER32.SetDlgItemTextA> ; \SetDlgItemTextA
0040117D |. C9 LEAVE
0040117E |. C2 1000 RETN 10
00401181 |> 68 44404000 PUSH simple1.00404044 ; /Text = "well done"
00401186 |. 68 EA030000 PUSH 3EA ; |ControlID = 3EA (1002.)
0040118B |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
0040118E |. E8 C9110000 CALL <JMP.&USER32.SetDlgItemTextA> ; \SetDlgItemTextA
00401193 |> 817D 10 EC0300>CMP DWORD PTR SS:[EBP+10],3EC

String1 and String2 appear to be waiting for input, so I tried pressing F9 and F9 again and got the following text:
00401158 |. 68 8A414000 PUSH simple1.0040418A ; /String2 = "Øä#á"
0040115D |. 68 0A414000 PUSH simple1.0040410A ; |String1 = " p„´Á<VxFwîÝ{f !u°˜"
00401162 |. E8 CB110000 CALL <JMP.&KERNEL32.lstrcmpA> ; \lstrcmpA

I believe this to be comparing the serial we entered with the real serial; however, when trying these in the crackme it still says wrong serial. So do I need to convert to hex or decimal or something like that to reveal the serial in its true form?

squidge
August 1st, 2009, 17:28
If it's using strcmp (string compare) you shouldn't have to do any conversion, as what you're typing in is a string. However, 'p„´Á<VxFwîÝ{f !u°˜' sounds more like garbage data to me than a string, which says something is wrong.

DENiSON
August 2nd, 2009, 11:32
Squidge: thanks for your reply. At first I myself thought it to be garbage data, but the only reason I suspect it not to be is that the line p„´Á<VxFwîÝ{f !u°˜ changes with each different name and serial I enter, which is why I assumed that the debugger must be comparing the serial we enter with this (which could be "the correct serial").

squidge
August 2nd, 2009, 11:47
I've just had a quick look at the crackme and you seem to be correct. It generates a 32-bit hex value for the username (you can see the generation shortly after the GetDlgItem call) and then calls a slightly more complex routine to generate a binary hash of the serial. If both end up being the same value, then it congratulates you.

Obviously since both are hashes, neither is the correct serial - you have to work the serial routine backwards to find out the string to put in to generate the same hash as the username does.