Writing a keygenerator for the ACiD_BuRN Newbie Crackme
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Note: My English is bad, and I do not have much time to write this in more detail, but I think you can follow me.

You need:
  - SoftIce, and knowledge of how to use it
  - your favourite programming language
  - a little brain
  - some cracker asm knowledge

Start cwcrackme.exe and push the Serial / Name button. Type your name (I type "rubor") and a dummy serial number. Set a breakpoint on "hmemcpy", then go and check :)

Back in SoftIce, delete the breakpoint (bc *). After pressing F12 twelve times you land at the right code to begin. Trace with F8 until you see this:

:0042F9EB 0FB600         movzx eax, byte ptr [eax]          <------ take the first character as its ASCII value
:0042F9EE 8BF0           mov esi, eax                       <------ copy it (with my name: "r" = 114)
:0042F9F0 C1E603         shl esi, 03                        <------ shift left by 3: esi = value * 8
:0042F9F3 2BF0           sub esi, eax                       <------ esi = esi - ASCII value
:0042F9F5 8D55EC         lea edx, dword ptr [ebp-14]
:0042F9F8 8B83DC010000   mov eax, dword ptr [ebx+000001DC]
:0042F9FE E855B0FEFF     call 0041AA58
:0042FA03 8B45EC         mov eax, dword ptr [ebp-14]
:0042FA06 0FB64001       movzx eax, byte ptr [eax+01]       <----- the same thing as above, but with the second character
:0042FA0A C1E004         shl eax, 04                        <----- eax = ASCII value * 16
:0042FA0D 03F0           add esi, eax                       <----- esi = result of the first calculation + eax
:0042FA0F 893554174300   mov dword ptr [00431754], esi      <---- save esi at this address
:0042FA15 8D55F0         lea edx, dword ptr [ebp-10]
:0042FA18 8B83DC010000   mov eax, dword ptr [ebx+000001DC]
:0042FA1E E835B0FEFF     call 0041AA58
:0042FA23 8B45F0         mov eax, dword ptr [ebp-10]
:0042FA26 0FB64003       movzx eax, byte ptr [eax+03]       <----- take the 4th character of the name you typed
:0042FA2A 6BF00B         imul esi, eax, 0000000B            <----- esi = eax * 11
:0042FA2D 8D55EC         lea edx, dword ptr [ebp-14]
:0042FA30 8B83DC010000   mov eax, dword ptr [ebx+000001DC]
:0042FA36 E81DB0FEFF     call 0041AA58
:0042FA3B 8B45EC         mov eax, dword ptr [ebp-14]
:0042FA3E 0FB64002       movzx eax, byte ptr [eax+02]       <---- take the 3rd character
:0042FA42 6BC00E         imul eax, 0000000E                 <---- eax = ASCII value * 14
:0042FA45 03F0           add esi, eax                       <---- just adding
:0042FA47 893558174300   mov dword ptr [00431758], esi      <--- save esi at this address
:0042FA4D A16C174300     mov eax, dword ptr [0043176C]
:0042FA52 E8D96EFDFF     call 00406930                      <--- get the length of our name
:0042FA57 83F804         cmp eax, 00000004                  <--- compare the length of your name with 4
:0042FA5A 7D1D           jge 0042FA79                       <--- jump if length >= 4, else:
<------------------------------------------------------------>
:0042FA5C 6A00           push 00000000
* Possible StringData Ref from Code Obj ->"Try Again!"
:0042FA5E B974FB4200     mov ecx, 0042FB74
* Possible StringData Ref from Code Obj ->"Sorry , The serial is incorect "
                                        ->"!"
:0042FA63 BA80FB4200     mov edx, 0042FB80
:0042FA68 A1480A4300     mov eax, dword ptr [00430A48]
:0042FA6D 8B00           mov eax, dword ptr [eax]
:0042FA6F E8FCA6FFFF     call 0042A170
:0042FA74 E9BE000000     jmp 0042FB37
<------------------------------------------------------------>

Now, use your brain. ACiD_BuRN calculates something, and only after all of that does he compare the length of our name. Hmmm, this is a logical fault... The right way is to compare first and calculate afterwards. You think what I think? :)

Let's go to the "second part". My name has a length >= 4, so I see these lines:
<------------------------------------------------------------>
:0042FA79 8D55F0         lea edx, dword ptr [ebp-10]
:0042FA7C 8B83DC010000   mov eax, dword ptr [ebx+000001DC]
:0042FA82 E8D1AFFEFF     call 0041AA58
:0042FA87 8B45F0         mov eax, dword ptr [ebp-10]
:0042FA8A 0FB600         movzx eax, byte ptr [eax]          <--------- take our first character as its ASCII value
:0042FA8D F72D50174300   imul dword ptr [00431750]          <--------- eax = eax * the constant value 41
:0042FA93 A350174300     mov dword ptr [00431750], eax      <--------- save this result
:0042FA98 A150174300     mov eax, dword ptr [00431750]      <--------- load it again ...
:0042FA9D 010550174300   add dword ptr [00431750], eax      <--------- ... and add it to itself (result * 2)
:0042FAA3 8D45FC         lea eax, dword ptr [ebp-04]
:0042FAA6 BAACFB4200     mov edx, 0042FBAC                  <--------- the constant string "CW"
:0042FAAB E8583CFDFF     call 00403708
:0042FAB0 8D45F8         lea eax, dword ptr [ebp-08]
:0042FAB3 BAB8FB4200     mov edx, 0042FBB8                  <--------- the constant string "CRACKED"
...... <snip> ......
:0042FAC8 A150174300     mov eax, dword ptr [00431750]      <---- our serial calculated above
:0042FACD E8466CFDFF     call 00406718
:0042FAD2 FF75E8         push [ebp-18]
:0042FAD5 68C8FB4200     push 0042FBC8                      <---- the constant string "-"
:0042FADA FF75F8         push [ebp-08]
:0042FADD 8D45F4         lea eax, dword ptr [ebp-0C]
:0042FAE0 BA05000000     mov edx, 00000005
:0042FAE5 E8C23EFDFF     call 004039AC                      <----- build our valid serial string
:0042FAEA 8D55F0         lea edx, dword ptr [ebp-10]
:0042FAED 8B83E0010000   mov eax, dword ptr [ebx+000001E0]
:0042FAF3 E860AFFEFF     call 0041AA58
:0042FAF8 8B55F0         mov edx, dword ptr [ebp-10]        <----- our dummy serial
:0042FAFB 8B45F4         mov eax, dword ptr [ebp-0C]        <----- our valid serial
:0042FAFE E8F93EFDFF     call 004039FC                      <----- compare
:0042FB03 751A           jne 0042FB1F                       <----- good boy / bad boy
<------------------------------------------------------------>

Now you know what I mean!
ACiD_BuRN does a fake calculation in the "first part"... Very tricky :)

Our valid serial looks like:  CW-serial_xyz-CRACKED  (for my name: CW-9348-CRACKED)

Now you also know how to write a keygenerator. Here is the calculation of our serial:

  1. Check whether the length of the name is smaller than 4 (if so, the crackme rejects it).
  2. Take the first character and convert it to its ASCII value.
  3. Multiply the ASCII value by 41, and multiply this result by 2.

<------------------------------------------------------------>
Code in Pascal could look like this:

program ACiD;

uses crt;

var
  name: String;
  eax: longint;

begin
  { ... }
  readln(name);
  if length(name) < 4 then
  begin
    writeln('Plz type at least 4 digits !!!');
    exit;
  end;
  eax := (ord(name[1]) * 41) * 2;   { ASCII value of the first character * 41 * 2 }
  { ... }
  write('CW-', eax, '-CRACKED');    { no space before "CW", the serial is compared as a whole string }
end.
<------------------------------------------------------------>

If you select only the Serial button and you can't find the serial, just type "Hello Dude!".

For any comments go to EFNET, join GWA and talk to me, rubor.

Greets fly out to (very short): all GWA / CUG / Crackerworld members, prof x and all I forgot :)
<------------------------------------------------------------>
09.06.1999 rubor
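As an added example (this is not rubor's code and not part of the crackme), here is the same keygen in Python together with a small model of the crackme's own check, so you can see that the "first part" arithmetic is stored and never compared. It assumes, as the tutorial states, that [00431750] holds 41 before the imul; for names shorter than 4 characters the decoy pass is padded with NUL bytes, which is an assumption made only so the model runs.

```python
# Added example: Python re-implementation of the keygen derived in the
# tutorial, plus a model of the crackme's check (not the crackme's code).
from typing import Optional, Tuple

SERIAL_PREFIX = "CW"
SERIAL_SUFFIX = "CRACKED"
INITIAL_CONSTANT = 41   # value the tutorial reports at [00431750] before the imul


def decoy_first_pass(name: str) -> Tuple[int, int]:
    """Mirror the arithmetic at 0042F9EB..0042FA47.

    The two results are stored at [00431754] and [00431758] and never read
    again, so they cannot influence the verdict.  The binary reads characters
    1..4 unconditionally; names shorter than 4 are padded with NUL here
    (assumption: the real program would read whatever follows the string).
    """
    c1, c2, c3, c4 = (ord(ch) for ch in name[:4].ljust(4, "\0"))
    first_sum = (c1 * 8) - c1 + (c2 * 16)   # shl esi,3 / sub esi,eax / shl eax,4 / add
    second_sum = (c4 * 11) + (c3 * 14)      # imul esi,eax,0Bh / imul eax,0Eh / add
    return first_sum, second_sum


def keygen(name: str) -> Optional[str]:
    """Return the serial the crackme accepts for `name`, or None when the
    length check at 0042FA57 would reject the name first."""
    if len(name) < 4:
        return None
    value = ord(name[0]) * INITIAL_CONSTANT   # imul dword ptr [00431750]
    value += value                             # add dword ptr [00431750], eax -> * 2
    return f"{SERIAL_PREFIX}-{value}-{SERIAL_SUFFIX}"


def crackme_check(name: str, serial: str) -> bool:
    """Model of the binary's control flow: decoy pass, length check, then a
    string compare of the typed serial against the generated one."""
    decoy_first_pass(name)          # computed, stored, ignored
    expected = keygen(name)
    return expected is not None and serial == expected


if __name__ == "__main__":
    # Constructed sample names; "rubor" is the one from the tutorial.
    for candidate in ("rubor", "abc", "ruby"):
        print(f"{candidate!r:10} -> {keygen(candidate)}")
```

One thing the listing shows and the model makes explicit: the accepted serial depends only on the first character of the name, so every name starting with "r" and at least 4 characters long gets CW-9348-CRACKED.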