CrackMe #1 By tC Surrealizm
---------------------------

Tools Used: SoftIce
---
Protection: Keyfile Prot
---

Ok, start the crackme, choose Try it and set a breakpoint on ReadFile, choose a file and press Open, then step until you come here:

:00429DA3 E840A7FDFF     CALL 004044E8          ; reads the file
:00429DA8 E86B88FDFF     CALL 00402618
:00429DAD 33C0           XOR EAX,EAX            ; eax = 0
:00429DAF 8A45FF         MOV AL,[EBP-01]        ; al = char from file
:00429DB2 03D8           ADD EBX,EAX            ; ebx = ebx + al
:00429DB4 8D85B0FEFFFF   LEA EAX,[EBP-0150]
:00429DBA E8D5A6FDFF     CALL 00404494
:00429DBF E85488FDFF     CALL 00402618
:00429DC4 84C0           TEST AL,AL
:00429DC6 74D2           JZ 00429E9A            ; check if EOF, if not jump (back to the loop)
:00429DC8 8D85B0FEFFFF   LEA EAX,[EBP-0150]
:00429DCE E885A6FDFF     CALL 00404458
:00429DD3 E84088FDFF     CALL 00402618
:00429DD8 81FBA9200000   CMP EBX,000020A9       ; check if sum = 20A9h
:00429DDE 750E           JNZ 00429DEE           ; jump if not
:00429DE0 BA4C9E4200     MOV EDX,00429E4C       ; edx = Status: Registered - Well Done
:00429DE5 8BC6           MOV EAX,ESI
:00429DE7 E85CEEFEFF     CALL 00418C48
:00429DEC EB0C           JMP 00429DFA
:00429DEE BA2C9E4200     MOV EDX,00429E2C       ; edx = Status: Unregistered

So all the file needs to contain is characters whose byte values add up to 20A9h (8361 decimal). With some small calculations that means 68 * 'z' and 1 * 'A' (68 * 7Ah = 2068h, plus 41h = 20A9h), so the file can look like this:

zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzA

To get the titlebar to say 'Status: Registered - Well Done' when starting, you need to patch one byte.
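The keyfile check from the listing above, modelled as an added Python example (this is not code from the crackme or from the original tutorial; the function names and the assumption that EBX starts at zero before the loop are mine). It reproduces the byte-sum loop, confirms the tutorial's 68 * 'z' + 'A' file, and generalises the "small calculations" to any filler byte, which shows why an unkeyed additive checksum accepts countless files and offers no real protection.

```python
# Model of the crackme's keyfile check (added example, not the crackme's own code).
# The loop at 00429DA3..00429DC6 adds every byte of the file into EBX, and the
# CMP at 00429DD8 accepts the file when the total equals 20A9h.

TARGET_SUM = 0x20A9  # constant compared against EBX at 00429DD8


def keyfile_sum(data: bytes) -> int:
    """EBX += AL for every byte of the file.

    EBX is a 32-bit register, so the running total wraps modulo 2**32.
    Assumption: EBX is zero before the loop (the listing does not show this).
    """
    ebx = 0
    for byte in data:
        ebx = (ebx + byte) & 0xFFFFFFFF
    return ebx


def keyfile_accepted(data: bytes) -> bool:
    """True when the JNZ at 00429DDE falls through to 'Status: Registered'."""
    return keyfile_sum(data) == TARGET_SUM


def tutorial_keyfile() -> bytes:
    """The keyfile the tutorial proposes: 68 'z' bytes followed by one 'A'."""
    return b"z" * 68 + b"A"


def make_keyfile(filler: int, total: int = TARGET_SUM) -> bytes:
    """Generalise the tutorial's arithmetic: repeat one filler byte as often as
    it fits into the target sum, then top up with a single remainder byte.

    For filler = ord('z') (7Ah) this yields exactly the tutorial's file:
    8361 // 122 = 68 copies, remainder 8361 - 68*122 = 65 = 'A'.
    """
    if not 1 <= filler <= 0xFF:
        raise ValueError("filler must be a single non-zero byte value")
    count, remainder = divmod(total, filler)
    data = bytes([filler]) * count
    if remainder:
        data += bytes([remainder])  # remainder < filler <= 0xFF, so one byte suffices
    return data


if __name__ == "__main__":
    for name, blob in (("tutorial", tutorial_keyfile()),
                       ("all-'A' variant", make_keyfile(ord("A"))),
                       ("tutorial reversed", tutorial_keyfile()[::-1])):
        print(f"{name:18s} sum={keyfile_sum(blob):#06x} accepted={keyfile_accepted(blob)}")
```

Because only the sum matters, reordering the bytes or swapping in a different filler produces another accepted keyfile; the check carries no secret at all.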
Disassemble the file in W32DASM, search for 'Status: Unregistered' and you will come here:

* Possible StringData Ref from Code Obj ->"Status: Unregistered"
                                  |
:00429D44 BA2C9E4200   mov edx, 00429E2C    <-- note this address
:00429D49 8BC6         mov eax, esi

Now search for 'Status: Registered - Well Done' and you will land here:

* Possible StringData Ref from Code Obj ->"Status: Registered - Well done"
                                  |
:00429DE0 BA4C9E4200   mov edx, 00429E4C    <-- note this address
:00429DE5 8BC6         mov eax, esi
:00429DE7 E85CEEFEFF   call 00418C48
:00429DEC EB0C         jmp 00429DFA

So all we have to do is search for BA2C9E4200 and change it to BA4C9E4200 (a single byte, 2C -> 4C). Now it will be fully cracked.

---
/Klefz - http://klefz.cjb.net