TARGET 		: Crackme1 by brainbusy
TOOLS USED	: W32Dasm
TIME		: 5 minutes

Fire up W32Dasm, search the goodguy string, scroll a bit up, we land here :

; Serial-check handler (excerpt of a W32Dasm listing; Intel operand order).
; Visible flow: call the routine at 00458760, read the Serial edit box, convert the
; text to an integer and compare it with the dword at [0045B844].
; Equal     -> falls through to the success-message code below.
; Not equal -> jumps to 00458854, which is outside this excerpt.
; The excerpt also stops before the function's own epilogue.
:00458800 55                      push ebp
:00458801 8BEC                    mov ebp, esp
:00458803 6A00                    push 00000000				; local at [ebp-04] = 0; receives the edit-box text below
:00458805 53                      push ebx
:00458806 8BD8                    mov ebx, eax				; keep incoming eax; base for +2D0 below (presumably the form object)
:00458808 33C0                    xor eax, eax				; eax = 0, so fs:[eax] below means fs:[0]
:0045880A 55                      push ebp
:0045880B 6874884500              push 00458874				; handler address for the frame being built
:00458810 64FF30                  push dword ptr fs:[eax]		; previous head of the exception-handler chain
:00458813 648920                  mov dword ptr fs:[eax], esp		; install the new frame
:00458816 E845FFFFFF              call 00458760			**	; Serial Calculation(): writes the expected serial to [0045B844]
:0045881B 8D55FC                  lea edx, dword ptr [ebp-04]		; edx = address of the local that receives the text
:0045881E 8B83D0020000            mov eax, dword ptr [ebx+000002D0]	; editbox Serial
:00458824 E897CDFCFF              call 004255C0				; GetText()
:00458829 8B45FC                  mov eax, dword ptr [ebp-04]		; eax = entered serial text
:0045882C E843EFFAFF              call 00407774				; StrToInt ()
:00458831 3B0544B84500            cmp eax, dword ptr [0045B844]		; entered serial == expected serial? (plain 32-bit compare)
:00458837 751B                    jne 00458854				; mismatch -> failure path (not shown)

* Possible StringData Ref from Code Obj ->"You cracked the UBC CrackMe#1 "
                                        ->"! Please send your solution to "
                                        ->"ubcrackers@hotmail.com !"
                                  |
:00458839 B888884500              mov eax, 00458888			; address of the success message (per the string ref above)
:0045883E E829C1FEFF              call 0044496C				; presumably shows the message - not verified from this listing

* Possible StringData Ref from Code Obj ->"CRACKED"
                                  |
:00458843 BAE8884500              mov edx, 004588E8			; address of "CRACKED" (per the string ref above)
:00458848 A13CB84500              mov eax, dword ptr [0045B83C]		; same global the serial routine reads the Name edit box from
:0045884D E89ECDFCFF              call 004255F0				; presumably SetText() on that object - TODO confirm
:00458852 EB0A                    jmp 0045885E				; skip the failure branch



Let's have a look in the Serial Calculation routine :


**Serial Calculation()
----------------------
; Serial Calculation routine (W32Dasm listing; Intel operand order).
; Result: [0045B844] = (SUM(name byte * 8) + name length * 8) * 4, in 32-bit arithmetic.
; Register roles, as set up below:
;   ebx = 0045B844  running hash / expected serial
;   esi = 0045B848  1-based character counter
;   edi = 0045B840  global holding the name string pointer
; The whole value depends only on the entered name; no constant or secret is mixed in.
; NOTE(review): the two "Referenced by ... Jump" annotations at 0045876D and 00458793
; land in the middle of straight-line code; they may be disassembler artefacts - confirm.
:00458760 55                      push ebp
:00458761 8BEC                    mov ebp, esp
:00458763 6A00                    push 00000000				; local at [ebp-04] = 0; receives the name text
:00458765 53                      push ebx
:00458766 56                      push esi
:00458767 57                      push edi
:00458768 BB44B84500              mov ebx, 0045B844			; ebx -> hash (the dword the caller compares against)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004586FC(C)
|
:0045876D BE48B84500              mov esi, 0045B848			; esi -> counter
:00458772 BF40B84500              mov edi, 0045B840			; edi -> name string global
:00458777 33C0                    xor eax, eax				; eax = 0, so fs:[eax] below means fs:[0]
:00458779 55                      push ebp
:0045877A 68F3874500              push 004587F3				; handler address for the frame being built
:0045877F 64FF30                  push dword ptr fs:[eax]		; previous head of the exception-handler chain
:00458782 648920                  mov dword ptr fs:[eax], esp		; install the new frame
:00458785 8D55FC                  lea edx, dword ptr [ebp-04]		; edx = address of the local that receives the text
:00458788 A13CB84500              mov eax, dword ptr [0045B83C]
:0045878D 8B80CC020000            mov eax, dword ptr [eax+000002CC]	; Editbox name

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00458722(C)
|
:00458793 E828CEFCFF              call 004255C0				; GetText()
:00458798 8B55FC                  mov edx, dword ptr [ebp-04]		; edx = name text
:0045879B 8BC7                    mov eax, edi				; eax = 0045B840
:0045879D E89AB0FAFF              call 0040383C				; presumably string assign: [0045B840] = name - TODO confirm
:004587A2 33C0                    xor eax, eax
:004587A4 8903                    mov dword ptr [ebx], eax		; hash = 0
:004587A6 8B07                    mov eax, dword ptr [edi]		; eax = name
:004587A8 E8B7B2FAFF              call 00403A64				; StrLen()
:004587AD 85C0                    test eax, eax				; Length <= 0 ?
:004587AF 7E19                    jle 004587CA				; if so, skip the character loop
:004587B1 C70601000000            mov dword ptr [esi], 00000001		; init counter (1-based)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004587C8(C)
|
:004587B7 8B17                    mov edx, dword ptr [edi]		; edx = name
:004587B9 8B0E                    mov ecx, dword ptr [esi]		; ecx = counter
:004587BB 0FB6540AFF              movzx edx, byte ptr [edx+ecx-01]	; edx = name[counter-1], zero-extended
:004587C0 C1E203                  shl edx, 03				; ascii * 8
:004587C3 0113                    add dword ptr [ebx], edx		; hash += ascii * 8
:004587C5 FF06                    inc dword ptr [esi]			; counter++
:004587C7 48                      dec eax				; remaining characters-- (eax = length from StrLen)
:004587C8 75ED                    jne 004587B7				; repeat until every character is summed

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004587AF(C)
|
:004587CA 8B07                    mov eax, dword ptr [edi]		; eax = name (eax was used up as the loop count)
:004587CC E893B2FAFF              call 00403A64				; StrLen ()
:004587D1 C1E003                  shl eax, 03				; strlen * 8
:004587D4 0103                    add dword ptr [ebx], eax		; add to hash
:004587D6 8B03                    mov eax, dword ptr [ebx]
:004587D8 C1E002                  shl eax, 02				; hash * 4
:004587DB 8903                    mov dword ptr [ebx], eax		; save hash = expected serial
:004587DD 33C0                    xor eax, eax				; eax = 0 for fs:[0] below
:004587DF 5A                      pop edx				; edx = previous chain head saved at 0045877F
:004587E0 59                      pop ecx				; discard the handler address
:004587E1 59                      pop ecx				; discard the saved ebp
:004587E2 648910                  mov dword ptr fs:[eax], edx		; restore the previous exception-handler chain

; The "string" below is most likely code, not text: '_' '^' '[' 'Y' ']' are the bytes
; 5F 5E 5B 59 5D, which decode as pop edi / pop esi / pop ebx / pop ecx / pop ebp and
; mirror the pushes at the top of this routine.
* Possible StringData Ref from Code Obj ->"_^[Y]"
                                  |
:004587E5 68FA874500              push 004587FA				; address the ret at 004587F2 will return to

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004587F8(U)
|
:004587EA 8D45FC                  lea eax, dword ptr [ebp-04]		; eax = address of the temporary name string
:004587ED E8F6AFFAFF              call 004037E8				; presumably releases/clears that string - TODO confirm
:004587F2 C3                      ret					; pops 004587FA pushed above, continuing at the epilogue

If we look at the code above, the algorithm is very easy to deduce :

	serial = [(SUM(asciiname*8))+(namelength*8)]*4

	keygen+source included in zip

Name 	: Detten
Serial	: 19776

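This crackme was very easy (1/10), because the algorithm was very easy: the expected serial depends only on the name, no secret is mixed in, and it is compared directly against the number typed in!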


Detten
Detn@hotmail.com


