
Lesson #2.... Lets Rock!


Rage9
June 15th, 2001, 10:03
You guys asked for it, Lesson 2 is ready. This one is a bit harder than the last; feel free to work together and/or form teams or something... if you're not real familiar with the Windows API you better download the help file http://www.win32asm.com/files/win32api.zip . Three things to do in this crackme, so if you need a hint or are having lots of trouble post or e-mail me, ok? Rock on and remember to have fun!

http://www16.brinkster.com/realcool23/download/rage2.zip

-Brad
realcool23@yahoo.com

CoDe_InSiDe
June 15th, 2001, 12:45
Hi Rage9,

Hmm... Keygen ?? ;D (Hint)

Let the Reversing begin
I'll be back...

Cya...

CoDe_InSiDe

CoDe_InSiDe
June 15th, 2001, 13:02
Hi Rage9,

Ok, done
Let's wait for the other people first since i'm the only one posting yet ;D

Cya...

CoDe_InSiDe

sludge
June 15th, 2001, 16:29
ooo, ill give it a shot, i could use the practice.

C_DKnight
June 16th, 2001, 09:52
ok i'm bored so i'm in. mebbe c ya later

-cdk

Muad'Dib
June 17th, 2001, 01:31
I, too, have finished this one. Let's hope there are harder challenges to come =) A question: was the keygen part a mistake in coding or a trick? (hint) Keep 'em coming.

AirW0lf
June 17th, 2001, 01:32
Yo all! rage9, nice crackme =] I've destroyed the nag and added the messagebox when entering a wrong serial. But it looks to me like the crackme has a bug, or 'feature'. I always get the same serial, no matter what the name or the machine is. Is it right? It's very late here, I might be wrong...

AirW0lf
---

THeHeRmiT
June 17th, 2001, 07:49
hey people! I'm glad you confirmed that there was only one serial, as I thought there might have been some little trick, seeing as the name went through a little process beforehand.
i did the messagebox part as well, BUT I am ashamed to say that the nag screen has got me! I've been trying but keep failing
please someone give me some clue...

C_DKnight
June 17th, 2001, 11:00
yea ok. i've worked all the parts and as muad said it was a bit too easy but am not complaining: it was the first time in over a month+ that got me to touch softice again ;-) and yeah it seems like it's a hard-coded serial, maybe a bit "lame" but probably because it was easier (?) to have the msgbox show it

and as a hint to thehermit, i've no idea what way muad and airwolf went but i messed around with the dialogboxparam call(s). hopefully hinting to bp on settimer/killtimer doesn't ruin anyone's attempts too much, but it's a way i used anyway.

any questions? my email is included..

-cdk

AirW0lf
June 17th, 2001, 12:26
First of all, thanks Muad for all your help, that live tutorial rox =] I'm adding some code to the crackme to fix the bug... I'll show it to you guys as soon as I finish it.

Second, C_DKnight, it's not a hard-coded serial... check it out. This is how I've cracked the splash:

00401000 public start
00401000 start proc near
00401000 push 0
00401002 call j_GetModuleHandleA
00401007 mov dword_403074, eax
0040100C push 0
**40100E push offset sub_401165 ; That's the DlgProc (Kayaker explains it in this same forum, another thread)
00401013 push 0
00401015 push offset aSplash ; "SPLASH"

then

00401165 push ebp
00401166 mov ebp, esp
00401168 cmp [ebp+arg_4], 110h
0040116F jnz short loc_401197 ; We don't want to go here, we want to jump over this code to 40119D
00401171 push 0
00401173 push 3E8h
00401178 push 3F3h
0040117D push [ebp+arg_0]
00401180 call j_SetTimer

---
00401197 cmp [ebp+arg_4], 10h
0040119B jnz short loc_4011C2
0040119D push 0

Why 40119D and not 401197? Because 401197 is handling the WM_CLOSE event, and as [ebp+arg_4] is NOT 10h, it's 110h, it would jump out of the code we want. So I changed two bytes at 00401171: push 00 (6A00) to jmp 40119D (EB2A)
and it works =]
btw, check the EB2A, I'm almost sure that's the opcode

AirW0lf
---
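
The "is EB2A right?" question above can be settled by arithmetic rather than by trying it in the debugger: an x86 short jump is opcode EB followed by a signed 8-bit displacement measured from the end of the 2-byte instruction, so 0x40119D - (0x401171 + 2) = 0x2A. The following C is an added example, not code from the thread or the crackme; it encodes a short jump between two addresses and reports when the target is out of rel8 range (in which case the 2-byte "push 0" slot would not fit a near jump). The function names are my own.

```c
#include <stdint.h>
#include <stdio.h>

/* Encode an x86 short jump (EB rel8) from `from` to `to`.
 * The displacement is relative to the address *after* the 2-byte
 * instruction. Returns 1 and fills out[0..1] on success, 0 when the
 * target is outside the signed 8-bit range (a 5-byte E9 rel32 near
 * jump would be needed, which would not fit in a 2-byte "push 0"). */
int encode_short_jmp(uint32_t from, uint32_t to, uint8_t out[2])
{
    int64_t disp = (int64_t)to - ((int64_t)from + 2);
    if (disp < -128 || disp > 127)
        return 0;
    out[0] = 0xEB;
    out[1] = (uint8_t)(disp & 0xFF);
    return 1;
}

/* Convenience wrapper: the rel8 byte as 0..255, or -1 if out of range. */
int short_jmp_rel8(uint32_t from, uint32_t to)
{
    uint8_t b[2];
    return encode_short_jmp(from, to, b) ? (int)b[1] : -1;
}

int main(void)
{
    /* The patch discussed in the post: jump from 00401171 to 0040119D. */
    uint8_t b[2];
    if (encode_short_jmp(0x401171, 0x40119D, b))
        printf("patch at 00401171: %02X %02X\n", b[0], b[1]);
    else
        printf("target not reachable with a short jmp\n");
    return 0;
}
```

The displacement is taken from the end of the instruction, which is the detail people usually get wrong when hand-encoding; backward jumps come out as the two's-complement byte (e.g. -18 encodes as 0xEE).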

Muad'Dib
June 17th, 2001, 13:52
Now that a few people have solved this crackme, I'll explain WHY it is always the same serial. Rather than spoiling it for everyone who wants to solve it themselves, you can see the attached file (it also explains an effective way to patch the nag).

Rage9
June 17th, 2001, 17:25
Good job guys! Yeah it was actually intended to see how many people I could fool with a fake serial routine! It just kinda happened and then I decided to pass it to you guys and not fix it.... but Muad'Dib didn't really explain why it was like that... he just said.. "Aha! Rather than returning the serial that was generated, it rather returns the POINTER to the serial that was generated." Actually..... NO! After sifting through the code I found that it was all in the call to the API SetDlgItemInt! With the one you guys have, the original assembly line looked like:

invoke SetDlgItemInt,hWnd,IDC_PASS, addr checker,FALSE

but upon changing it to

invoke SetDlgItemInt,hWnd,IDC_PASS, checker,FALSE

the proc indeed returns a value that can be used! See, I was passing the address of the address of the variable checker! That's why; otherwise she seems to work darn good!

but I do agree with Muad'Dib's way of solving the nag screen, it is the easiest way I see! I'm still going to write the essay cuz I have been e-mailed requesting it... peace out!

-Brad
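
What Rage9 describes above (`addr checker` where `checker` was meant) is the classic "pass the address instead of the value" slip, and it explains why everybody saw one serial for every name: SetDlgItemInt was converting the *address* of the variable to text, and that address is the same no matter what the name is. The C below is an added example, not the crackme's code; it uses a constructed toy serial routine and a stand-in for SetDlgItemInt (the real API writes the decimal text into a dialog control, the stand-in writes it into a buffer so this runs offline) and shows the buggy call beside the corrected one. All names here are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for Win32 SetDlgItemInt: the real API formats the integer it
 * receives as decimal text and sets the control's text; this one just
 * formats into `out`. (Assumed helper for the demo, not the Win32 call.) */
static void fake_set_dlg_item_int(char *out, size_t outlen, unsigned value)
{
    snprintf(out, outlen, "%u", value);
}

/* Constructed toy "serial routine" standing in for the crackme's real one. */
static unsigned toy_serial(const char *name)
{
    unsigned h = 0x1234;
    for (const unsigned char *p = (const unsigned char *)name; *p; ++p)
        h = h * 31u + *p;
    return h;
}

static unsigned checker; /* global, like the MASM variable in the post */

/* Equivalent of:  invoke SetDlgItemInt, hWnd, IDC_PASS, addr checker, FALSE
 * The *address* of checker is passed, so the displayed number is the
 * variable's address, which does not depend on the name. */
void show_serial_buggy(const char *name, char *out, size_t outlen)
{
    checker = toy_serial(name);
    fake_set_dlg_item_int(out, outlen, (unsigned)(uintptr_t)&checker);
}

/* Equivalent of:  invoke SetDlgItemInt, hWnd, IDC_PASS, checker, FALSE
 * The *value* of checker is passed, so the displayed number is the serial. */
void show_serial_fixed(const char *name, char *out, size_t outlen)
{
    checker = toy_serial(name);
    fake_set_dlg_item_int(out, outlen, checker);
}

/* Returns 1 when two different names produce the same displayed "serial",
 * i.e. the symptom AirW0lf and THeHeRmiT reported. */
int serial_is_constant(void (*show)(const char *, char *, size_t))
{
    char a[32], b[32];
    show("Alice", a, sizeof a);
    show("Bob", b, sizeof b);
    return strcmp(a, b) == 0;
}

int main(void)
{
    char buf[32];
    show_serial_buggy("Alice", buf, sizeof buf);
    printf("buggy  Alice -> %s\n", buf);
    show_serial_buggy("Bob", buf, sizeof buf);
    printf("buggy  Bob   -> %s\n", buf);
    show_serial_fixed("Alice", buf, sizeof buf);
    printf("fixed  Alice -> %s\n", buf);
    show_serial_fixed("Bob", buf, sizeof buf);
    printf("fixed  Bob   -> %s\n", buf);
    return 0;
}
```

In the 2001 build the image was loaded at its fixed base, so the address of `checker` (and therefore the "serial") was identical on every machine; here it is only constant within one run, which is still enough to show the symptom. The tracing hint in the thread follows from this too: the real generation routine does run on the name, but its result is never what reaches the control.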

Muad'Dib
June 17th, 2001, 20:29
Exactly what I was saying, it returns the pointer to (the address) of the variable rather than the contents of the variable.

Rage9
June 17th, 2001, 22:20
sorry my bad, you put it right after the serial generation code, so I assumed that you were saying the generation code returned the pointer, sorry!

-brad

Rage9
June 20th, 2001, 23:18
For those who want to read an essay......


-Brad

ThRaX
July 28th, 2001, 14:50
Woah! looks like I totally missed this message, as there had been no replies in the last 30 days and I've been gone...well I'm workin' on it now ; )

Sphinx
July 28th, 2001, 15:12
you got yourself a new student, I'm going to give it a try

ThRaX
July 29th, 2001, 10:18
Lesson 3? ; )

Sphinx
July 29th, 2001, 11:59
well I found the routine easy but when I was tracing it I saw a number that could be the serial. I wrote it down and tried it, guess what, it is the serial. I think ok, now try another serial to see how the routine works; thought I missed a piece where the serial was made the first time but I found the same serial over and over
ok let's try another name with that serial that worked. Ok, just one right serial, but what do I have to keygen then, just read the name and return the serial? I didn't do that, I'm looking @ those other things now, a little more difficult for me.

Sphinx
July 30th, 2001, 10:25
well I did it, well more or less. just read the text file and look @ the patched exe, pls do and let me know what you think, it's the first time I wrote something down for others to read