Author | seifer666 |
Target | DarkWolf Crackme 2 |
Public Release | 08/08/2000 |
Author Contact | seifer666@caramail.com |
Dedication | DarkWolf, Hellforge member ;-) |
Difficulty Level (1..7) | 1 (EASY) |
Tools Required | Soft Ice 3x, Visual Basic 4 or more for the keygen |
Disclaimer:
Please note, the information herein is copyright to Hellforge. No portion of
this text may be duplicated. Furthermore, damage or problems arising after
reading this text is left to the user's disposal. Neither Hellforge, nor its
members can be held responsible for any direct or indirect result of following
this text. The full liability of following this text is on the reader (YOU). The
information is provided for educational purposes, misuse of this information is
strictly prohibited. If you do not agree with this agreement, then please hit
the "back" button on your browser, and go to hell. - Mercution.
An algo which seems to be difficult, but which is really easy...
First enter a registration ID (numbers only, no letters, or it will crash !!). The values I
entered are : 12345/67890. Under Soft Ice, put a bpx on __vbastrcomp, the function used by VB to
compare two strings. Ok, now let's click on the validate button, and Soft Ice pops up... Good !
We won't start tracing with F12/F10; instead we'll look at the stack and the dword values pushed on
it. So type dd esp. We see 4 dword values, which for me are :
0F01F905 00000000 004117D0 00411860
The first address doesn't contain anything interesting. Looking at the third one (d 4117D0), we
see in wide format :
6.7.8.9.0 <---- the fake Keycode we entered
And looking at the last address, we see, in wide format too :
2.5.2.7.3.6.0 <---- looks like a keycode, no ?
Disable the breakpoint (bc 0), and let's try the keycode 2527360. This number is the code
we were looking for, great =) !
Ok, now we'll try to keygen this... I didn't manage to see anything with Smart Check; the
keygen routine is well protected. But there is an ENORMOUS flaw in the protection scheme used
here. We cannot enter a number with fewer than 5 digits, which is meant to make it more
difficult for us to find the keygen routine, but the numbers 00000, 00001, 00002,... will work.
So I repeated the serial sniffing several times and obtained these results :
ID entered : 00000 <=> Keycode obtained : 354640
ID entered : 00001 <=> Keycode obtained : 354816
ID entered : 00002 <=> Keycode obtained : 354992
And we notice that :
354640 = 354640 + 0 * 176
354816 = 354640 + 1 * 176
354992 = 354640 + 2 * 176
...
And we have the keygen routine !!
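The derivation above, as an added example in Python (not part of the original tutorial or of the crackme): it fits keycode = base + mult * ID to the sniffed pairs and checks the result against the first pair from the Soft Ice session, 12345 / 2527360. The function names are hypothetical; the point it shows is that a key which is an affine function of the ID is recovered in full from two observations.

```python
# Added example: recover key = base + mult * id from observed pairs.
from fractions import Fraction

# Pairs quoted in the tutorial (IDs as typed, leading zeros kept).
OBSERVED = [("00000", 354640), ("00001", 354816), ("00002", 354992)]
HELD_OUT = ("12345", 2527360)  # first pair sniffed with the breakpoint


def fit_affine(pairs):
    """Return (base, mult) if every pair fits key = base + mult*id, else None."""
    table = {}
    for id_text, key in pairs:
        if table.setdefault(int(id_text), key) != key:
            return None  # same ID, different keys: not a function of the ID
    if len(table) < 2:
        return None  # two distinct IDs are needed to fix a line
    (x0, y0), (x1, y1) = sorted(table.items())[:2]
    mult = Fraction(y1 - y0, x1 - x0)
    base = y0 - mult * x0
    # Reject non-integer slopes and any observation off the line.
    if mult.denominator != 1:
        return None
    if any(base + mult * x != y for x, y in table.items()):
        return None
    return int(base), int(mult)


def keycode(id_text, base, mult):
    """Apply the recovered formula, with the length rule from the tutorial."""
    if len(id_text) < 5 or not (id_text.isascii() and id_text.isdigit()):
        raise ValueError("ID must be at least 5 decimal digits")
    return base + mult * int(id_text)


if __name__ == "__main__":
    model = fit_affine(OBSERVED)
    print("recovered (base, mult):", model)
    predicted = keycode(HELD_OUT[0], *model)
    print("held-out pair matches:", predicted == HELD_OUT[1])
```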
The keygen
* ID number has to be at least 5 chars long
* Keycode = 354640 + ID number * 176
Now we can write this into VB :
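'************************************************************************************************
Private Sub Text1_Change()
    ' Double avoids a Long overflow when a long ID is multiplied by 176
    Dim ID As Double
    ' The crackme rejects IDs shorter than 5 characters
    If Len(Text1.Text) < 5 Then
        Text2.Text = "Please enter more numbers !!"
        Exit Sub
    End If
    ' Digits only: anything else would raise a type mismatch below
    If Text1.Text Like "*[!0-9]*" Then
        Text2.Text = "Please enter numbers only !!"
        Exit Sub
    End If
    ID = CDbl(Text1.Text)
    ' Keycode = 354640 + ID number * 176
    Text2.Text = CStr(354640 + ID * 176)
End Sub
'************************************************************************************************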
This time, we saw that an algo can seem difficult and still contain flaws which enable the cracker to defeat the protection. Once more, if you missed something, don't hesitate to contact me !