This CrackMe has a fairly easy to crack missing KEY FILE protection. I highly recommend all the Newbies out there to try this one. They will at least find out that reconstructing a missing key file can sometimes be really easy - like in this case.

First of all I'd like to tell you that you should create a bogus KEY FILE. My KEY FILE (TC1.KEY) looks like the following:

00000000: 43 52 41 43-4B 45 44 00-42 59 00 54-4F 52 4E 40
00000010: 44 4F 00 5B-54 49 44 5D-00 00 00 00-00 00 00 00

After you've executed the CrackMe, you'll see a nice Try it button. Press it. A dialog box gets opened and you have to choose a file. Now choose TC1.KEY, enter SoftICE and set a BPX on the KEY FILE APIs, CreateFileA and _lopen. Then leave SoftICE and press the Open button. Now SoftICE will pop up. However, as you can see at the bottom of the SoftICE screen, this code is located in COMDLG32.DLL, the standard dialog library, which is also where the FILE DIALOG lives. So just leave SoftICE. It will pop up again and the following code snippet will be displayed after you've pressed F11:
:0040461F CALL KERNEL32!CreateFileA
:00404624 CMP EAX,-01              ; -1 = INVALID_HANDLE_VALUE: does the file not exist?
:00404627 JZ 00404652              ; if so => JMP
:00404629 MOV [EBX],EAX            ; store the file handle
:0040462B POP EDI
:0040462C POP ESI
:0040462D POP EBX
:0040462E RET
Well, nothing really important here; since we've already created our KEY FILE, we should pass that condition. Press F10 until you pass the RET instruction. Now SoftICE will display the following code snippet:

:00429D93 CALL 00402618
:00429D98 JMP 00429DB4
:00429D9A LEA EDX,[EBP-01]
:00429D9D LEA EAX,[EBP-0150]
:00429DA3 CALL 004044E8
:00429DA8 CALL 00402618
:00429DAD XOR EAX,EAX              ; clear EAX
:00429DAF MOV AL,[EBP-01]          ; read one char from the KEY FILE
:00429DB2 ADD EBX,EAX              ; add it to the running sum in EBX
:00429DB4 LEA EAX,[EBP-0150]
:00429DBA CALL 00404494
:00429DBF CALL 00402618
:00429DC4 TEST AL,AL               ; all chars read (end of file)?
:00429DC6 JZ 00429D9A              ; if not => JMP back and read the next one
:00429DC8 LEA EAX,[EBP-0150]
:00429DCE CALL 00404458
:00429DD3 CALL 00402618
:00429DD8 CMP EBX,000020A9         ; sum of chars = 20A9h?
:00429DDE JNZ 00429DEE             ; if not => invalid KEY FILE
Well, as you can see from my comments in the code snippet above, all this validation routine does is check whether the sum of all chars contained in the KEY FILE is equal to 20A9h. The current sum of my KEY FILE is 637h. 20A9h - 637h = 1A72h. So I will need to add chars with a sum of 1A72h to make it registered. I decided to add as few chars as possible. 1A72h is (FF * 1A) + 8C. So I have to add 26 FF's and one 8C to make it registered. So my KEY FILE looks like the following:
00000000: 43 52 41 43-4B 45 44 00-42 59 00 54-4F 52 4E 40
00000010: 44 4F 00 5B-54 49 44 5D-FF FF FF FF-FF FF FF FF
00000020: FF FF FF FF-FF FF FF FF-FF FF FF FF-FF FF FF FF
00000030: FF FF 8C
The smallest possible KEY FILE, which does not include your handle, group, ..., looks like the following:

00000000: FF FF FF FF-FF FF FF FF-FF FF FF FF-FF FF FF FF
00000010: FF FF FF FF-FF FF FF FF-FF FF FF FF-FF FF FF FF
00000020: C9

Now there's only one thing left to do: send your solutions (Patch or KeyFile) to: bombasticx@gmx.net

If you are one of the first ten persons who patched it, your name will be added to the 'Hall of Fame of sUrRealIzM CrackMez'.

BTW, what I still don't understand is why only the people who patched it will be added to the HALL OF FAME. Patching a program to make it registered is nearly always an easy exercise. Often you can patch a program without even understanding what's going on with your registration details - and in this case a look at the STRING REFERENCES in W32DASM plus some backtracing should work (haven't checked it). If you still want to patch it, just change the JNZ instruction at 429DDE into NOPs.

Another target has been Reverse Engineered. Any questions (no crack requests)?
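To make the padding arithmetic (20A9h - 637h = 1A72h = (FF * 1A) + 8C) and the minimal 32-FF + C9 key file above reproducible, here is an added Python example of my own; it is not part of the original tutorial and not code from the CrackMe. It re-implements the summing loop at 429D9A..429DDE as byte_sum, rebuilds the first TC1.KEY as a constructed byte string, derives the padding the author chose, and prints hex dumps in the same layout as the tutorial. For contrast it also contains a keyed-MAC validator (make_keyfile_mac / validate_keyfile_mac); that hardened form and its secret are my assumptions about how such a check could be written, not anything the CrackMe does.

```python
import hashlib
import hmac

# Value the CrackMe compares EBX against (CMP EBX,000020A9).
TARGET_SUM = 0x20A9

# Constructed copy of the tutorial's first TC1.KEY (32 bytes: CRACKED / BY / TORN@DO / [TID]).
KEY_V1 = bytes.fromhex(
    "43524143 4B454400 42590054 4F524E40"
    "444F005B 5449445D 00000000 00000000"
)


def byte_sum(data: bytes) -> int:
    """Mirror of the loop at 429D9A..429DC6: XOR EAX,EAX / MOV AL,[char] / ADD EBX,EAX."""
    ebx = 0
    for b in data:
        ebx = (ebx + b) & 0xFFFFFFFF  # EBX is a 32-bit register
    return ebx


def passes_check(data: bytes) -> bool:
    """The CMP EBX,000020A9 / JNZ pair at 429DD8..429DDE."""
    return byte_sum(data) == TARGET_SUM


def padding_for(prefix: bytes, target: int = TARGET_SUM) -> bytes:
    """Fewest bytes that, appended to prefix, raise the byte sum to target.

    Same reasoning as the tutorial: deficit = (FF * n) + remainder.
    """
    deficit = target - byte_sum(prefix)
    if deficit < 0:
        raise ValueError("sum already above target; appending bytes can only raise it")
    full, rem = divmod(deficit, 0xFF)
    return bytes([0xFF] * full) + (bytes([rem]) if rem else b"")


def hexdump(data: bytes) -> str:
    """Dump in the 'OFFSET: xx xx xx xx-xx xx xx xx-...' layout used in the tutorial."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        groups = [" ".join(f"{b:02X}" for b in chunk[i:i + 4]) for i in range(0, len(chunk), 4)]
        lines.append(f"{off:08X}: " + "-".join(groups))
    return "\n".join(lines)


# --- Hardened counterpart (assumption: a keyed check, not the CrackMe's own code) ---
TAG_LEN = hashlib.sha256().digest_size


def make_keyfile_mac(payload: bytes, secret: bytes) -> bytes:
    """Key file = payload || HMAC-SHA256(secret, payload)."""
    return payload + hmac.new(secret, payload, hashlib.sha256).digest()


def validate_keyfile_mac(data: bytes, secret: bytes) -> bool:
    """Accept only if the trailing tag authenticates every byte before it."""
    if len(data) < TAG_LEN:
        return False
    payload, tag = data[:-TAG_LEN], data[-TAG_LEN:]
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    print(f"sum of TC1.KEY = {byte_sum(KEY_V1):X}h")          # 637h
    pad = padding_for(KEY_V1)
    print(f"padding: {len(pad) - 1} x FF + {pad[-1]:02X}")    # 26 x FF + 8C
    key_v2 = KEY_V1.rstrip(b"\x00") + pad   # trailing zeros add nothing, so drop them
    print(hexdump(key_v2), passes_check(key_v2))
    smallest = padding_for(b"")             # 32 x FF + C9
    print(hexdump(smallest), passes_check(smallest))

    secret = b"constructed-demo-secret"     # constructed value for the demo only
    good = make_keyfile_mac(KEY_V1, secret)
    print(validate_keyfile_mac(good, secret), validate_keyfile_mac(good + b"\xff", secret))
```

The lesson for anyone writing a key-file check is the one the tutorial demonstrates: an additive checksum accepts any content padded to the right total, so it provides no integrity at all. A MAC over the content does, but only while the secret stays out of the client's reach; for a file validated offline by the program itself that points toward a public-key signature rather than a shared secret embedded in the binary.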