Hello...
I am a newbie and I am trying to crack the "Crackme" in the attachments but because I'm using WinXP I can't put a breakpoint 4 "hmemcpy" and I can't also use any vb calls (such as __vbastrcomp" cuz it's not a vb program...
actually this crackme contains many parts 2 crack (nag-serial-name and serial) so tell what calls should I put a breakpoint 4 4 each part...
thanx alot...

hi happyboy,

This CrackMe isn't that hard. It's written in Delphi. You can reverse it by using OllyDbg only...

Hint: set a "bpx MessageBoxA", this will help you alot in finding the correct codeparts for each protection (look at the stack, there's the caller stored)

The "serial only" is a hardcoded string...
The "serial-name" is funny. The layout for serial cintains hardcoded parts. It looks like "??-????-???????"...

work well,
Pegasus

actually I don't know how 2 use ollydbg and I couldn't find good tuts about it...so if u don't mind please tell me how 2 set the breakpoint u mentioned...

setting breakpoints in OllyDbg is familiar to SI. You need an PlugIn called CommandBar. Then you're able to handle OllyDbg such as SI.

The most important breakpoint is @ 42A1A9 (call MessageBoxA)
The application will break during startup (to show the entry MessageBox you have to delete).
If you went to Name/serial, press "check it baby!", you'll break again @ 42A1A9. Take a look at the stack: there is an entry who called this messagebox (42FB37). Trace back to the beginning of this routine (42F998) and reverse the algo. The procedure for hardcoded serial is the same....

thank u very much...actually I think that OllyDbg is more useful than SICE...so i'm goin' 2 use it from now on thoough there's no enough tuts about it...

you aren't right... softice is more effective because it's an system debugger and olly only an app debugger... but it's much easier to handle olly!

The Serial/Name part:

This is very easy just break on messageboxa and when back in crackme's code then search for your fake serial, on the 2nd found instance you'll see the real serial right above.

The Serial part:

Break on messageboxa and when back in crackme's code then search for your fake serial, put a breakpoint on the 2nd found instance(bpm xxxxxx r). Leave SI & Click on "Check it Baby!" and when SI breaks press F11 twice, EDI now contains the right Serial.

Hi all,
the crackme is written in Delphi and I was wondering why no one speaks about Dede... It's very easy to solve delphi crackme using this great tool, don't you think?

Regards,
foreigner

maybe... But i don't use it. Analyzing this File in DeDe takes longer than cracking it with SI/Olly .... and the disassembled text is the same...

hello everyone...
I cracked it but I am trying 2 make a keygen for the name-serial part of the crackme...wish me luck.

Hi,
the three tools mentioned (Olly, SI and Dede) are valid for solving this challenge, it depends on your personal attitude.
Personally, I prefer to use all the available tools (combining them, why not).

Happyboy: good luck

It could be great to see two final tutorials for this challenge, one using Olly/SI approach and one using Dede...

ZaiRoN

Tutor with OllyDbg...

great tut cuPegagus! but i think you used many bytes to kill that nag/messageboxa you see this delphi form begin at 0042F784 and the rest of those bytes are not needed... so is better to kill it clean with just a C3

6A/C3

Best Regards!

This technique works, too.
But by NOPPING the 6 relevated bytes the code keeps readable. Also i'm not a friend of "1byte patching". The patched areas are fast to find with the used technique...
It's a "clean" way, just my two cents...

Hi All,
first of all I would like to thank cuPegasus for his tutorial.
I did write this simple txt file to describe how to approach the crackme using Dede. The minimini tutorial is based upon cuPegasus's tutorial because for solving the crackme with only Dede it is not so easy. Why? Well, mainly because you works only with the dead list. Dede will help you to locate all the informations you will need in order to solve the crackme but the use of a debugger is needed and this is the reason why I will use some parts from the other tutorial. I hope these notes will help you to take familiarity with this tool.
I also hope cuPegasus does not mind me for stealing some parts from his tutorial

Ciao,
ZaiRoN

cuPegasus your comment make me thing you did reply in some arrogant way. i never said your way was wrong and it will do the same job.. but i'm always open minded to share knowledge + new ideas

ZaiRoN this is how Dede get the info about the Forms.. and where begins, where Ends..

on 0042F784 (6A00) begin the form of the messageboxa....

look in reverse order with your hex editor, in this case i used HexWorkshop in hex value, look for 84F74200

and you'll find --->

636B110084F742000A466F726D437265
ck....B..FormCreate

means that's the RVA for the begin of that form.....

to kill the form we can change or point the rva of the form/begin to other RVA where indicated other function like exit.. or C3 or something else

with your hex editor you should see something like this also

636B10007CF742000965786974436C69
ck..|.B..exitClick

7CF74200 = 42F77C00 and gives the exit command when you have pressed the Exit button

just change 84F74200 for 9CF74200 and see what happends!

9CF74200 = 42F79C00 (C3) = End/Return of Form

Best Regards!

Hi cRk,
hmmm, maybe I misunderstood you but what do you mean by 'form'? The initial nag it's not a form, it's only a simple message box.42F784 is the initial address of the routine that is called when the FormCreate event happens...

ciao,
ZaiRoN

Sure! but usually delphi app. call/make Form in this way and not just the main Form, in this case it is a messageboxa