Author | seifer666 |
Target | Ice Cream Crackme 1 |
Public Release | 08/08/2000 |
Author Contact | seifer666@caramail.com |
Dedication | My mother (look, I'm playing with the computer again :) ) |
Difficulty Level (1..7) | 1 (EASY) |
Tools Required | SoftIce 3.xx, Delphi 5 for the keygen |
Disclaimer: Please note, the information herein is copyright to Hellforge. No portion of this text may be duplicated. Furthermore, damage or problems arising after reading this text are left to the user's disposal. Neither Hellforge, nor its members, can be held responsible for any direct or indirect result of following this text. The full liability of following this text is on the reader (YOU). The information is provided for educational purposes; misuse of this information is strictly prohibited. If you do not agree with this agreement, then please hit the "back" button on your browser, and go to hell. - Mercution.
Yo! Long time no see, no ;-)? Today we will see how to keygen this pretty crackme using another language: we will code the keygen in Delphi, with variables bearing the same names as the asm registers.

Enter a name and a fake serial (seifer666/12345). Under SoftIce, put a bpx on hmemcpy. Exit these #@~!!"'??;! (<--- = boring ;p) dlls with F11/F12, and once you are in the crackme code, trace with F10 as usual until you arrive at:
:004015B0 8D7C2414 lea edi, dword ptr [esp+14] ;edi = address of the name
:004015B4 83C9FF or ecx, FFFFFFFF ;
:004015B7 F2 repnz ;counts the chars (scans for the terminating 0)
:004015B8 AE scasb ;
:004015B9 F7D1 not ecx ;
:004015BB 49 dec ecx ;ecx = length of the name
:004015BC 7426 je 004015E4 ;length = 0 ? goto last part of keygen routine
We will translate the algorithm found above into Delphi at the end of this tutorial: create a new form with two edit boxes and implement the source listed under "The keygen" below. The resulting keygen works 100% :-p. We could also have coded it in Delphi/C with inline asm, which would perhaps have been easier, but I wanted to show you another way to code keygens: using variables with the same names as the asm registers, like eax, ebx, ecx, edx...
I greet my knowledge sharing group: HellForge,
and my friends (in no specific order): ACiD BuRN, BoomBox,
BlndAngl, Lucifer48, Volatility, Tscube, Visionz, amante4, alpine, FatBoyJoe,
Warez Pup, Eternal_bliss, r!sc, [mega], Sushi, MagicRaphoun, TaMaMbolo, Kahel,
V-Rom, Ep-180, morrinth, Tres`ni, Dawai, DXF, CiniMod, xor, Air2k, grAnix,
LordOfLa, karlitoXZ, [ManKind], Falcon^, Dazzler, Lazarus, AbsoluteB, JB007,
C_DKnight, Miscreant, Crudd, kanabis, Cell-, BMonkey, Armour, Vylent, Skamer,
Fenorez, sinn0r, Dark Wolf, Bishop, Mercution, AC_178.... and all I've forgotten
;-)
Ok, in the first part of the keygen we see that the program doesn't check the length of the name: if we didn't enter any char, it simply jumps to the last part of the keygen. We'll see that later; let's first continue with the second part of the keygen:
* Referenced by a (U)nconditional or (C)onditional Jump at Address: ;if length >= 1
|:004015E2(C)
|
:004015BE 0FBE441414 movsx eax, byte ptr [esp+edx+14] ;eax = ascii code of the char of the name at position edx (sign-extended, so bytes >= 80h are negative)
:004015C3 8D7C2414 lea edi, dword ptr [esp+14] ;edi = address of the name
:004015C7 8D48FC lea ecx, dword ptr [eax-04] ;ecx = ascii code - 4
:004015CA 8D6C453A lea ebp, dword ptr [ebp+2*eax+3A] ;ebp += 2 * eax + 3Ah
:004015CE 8BF1 mov esi, ecx ;esi = ecx
:004015D0 33C0 xor eax, eax ;eax = 0
:004015D2 03F3 add esi, ebx ;esi += ebx
:004015D4 42 inc edx ;next char
:004015D5 8D1C4E lea ebx, dword ptr [esi+2*ecx] ;ebx = esi + 2 * ecx
:004015D8 83C9FF or ecx, FFFFFFFF ;
:004015DB F2 repnz ;counts the chars of the name again
:004015DC AE scasb ;
:004015DD F7D1 not ecx ;
:004015DF 49 dec ecx ;ecx = length of name
:004015E0 3BD1 cmp edx, ecx ;are all chars done ?
:004015E2 72DA jb 004015BE ;no, starts loop again with next char
This second part is the more interesting one, as the program does some math here, and it is easy to understand. Now let's study the final part of the keygen, which is very short:
* Referenced by a (U)nconditional or (C)onditional Jump at Address: ;here the serial will be calculated, even if we didn't enter any name
|:004015BC(C)
|
:004015E4 8B742410 mov esi, dword ptr [esp+10]
:004015E8 8D8C1D3C7D0000 lea ecx, dword ptr [ebp+ebx+00007D3C] ;serial = ecx = ebp+ebx+7D3Ch
:004015EF 6AFF push FFFFFFFF
:004015F1 394E64 cmp dword ptr [esi+64], ecx ;compares our fake serial to the calculated one
:004015F4 7521 jne 00401617 ;not equal ? jump to the bad-boy message
* Reference To: USER32.MessageBeep, Ord:0194h
|
:004015F6 FF1530444000 Call dword ptr [00404430] ;else, we arrive at the
:004015FC 6A00 push 00000000 ;good message :
* Possible StringData Ref from Data Obj ->"Well done"
I hope you understood why there is a serial even if we don't enter any name: in that case we have ebp = ebx = 0 at 4015E8, and ecx = 7D3Ch = 32060d is the serial!!
If you want to find the serial for your name, just type ?ecx at 4015F1...
To finish the tutorial, we will keygen the crackme, as I said before:
The keygen
*************************************************************************************************
unit knasig;

interface

uses
  Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms, Dialogs,
  StdCtrls;

type
  TForm1 = class(TForm)
    GroupBox1: TGroupBox;
    GroupBox2: TGroupBox;
    Edit1: TEdit;            { the name }
    GroupBox3: TGroupBox;
    Edit2: TEdit;            { the computed serial }
    Edit3: TEdit;
    procedure Edit1Change(Sender: TObject);
    procedure FormCreate(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;

var
  Form1: TForm1;

implementation

{$R *.DFM}

{ Recomputes the serial each time the name changes. The variables are named
  after the registers of the loop at 4015BE..4015E2, so every line maps onto
  one instruction of the disassembly. }
procedure TForm1.Edit1Change(Sender: TObject);
var
  i: integer;
  eax, ecx, ebp, esi, ebx: longint;
begin
  ebp := 0; ebx := 0;
  for i := 1 to Length(Edit1.Text) do
  begin
    { movsx eax, byte ptr [esp+edx+14]: the crackme sign-extends the byte,
      so cast through ShortInt to agree with it for chars >= $80 }
    eax := ShortInt(Ord(Edit1.Text[i]));
    ecx := eax - $04;                 { lea ecx, [eax-04] }
    ebp := eax * 2 + ebp + $3A;       { lea ebp, [ebp+2*eax+3A] }
    esi := ecx;                       { mov esi, ecx }
    esi := esi + ebx;                 { add esi, ebx }
    ebx := ecx * 2 + esi;             { lea ebx, [esi+2*ecx] }
  end;
  ecx := ebx + ebp + $7D3C;           { lea ecx, [ebp+ebx+7D3C] }
  Edit2.Text := IntToStr(ecx);
end;

{ Empty name: ebp = ebx = 0, so the serial is 7D3Ch = 32060. }
procedure TForm1.FormCreate(Sender: TObject);
begin
  Edit2.Text := '32060';
end;

end.
*************************************************************************************************
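As an added example (not part of the original tutorial, and not the crackme author's code), here is the same routine in Python, written register-for-register against the loop at 4015BE..4015E2 and the final lea at 4015E8, and then reduced to the closed form the loop collapses to. Like the tutorial, it assumes ebp and ebx are zero when the loop is entered, and it assumes the dword at [esi+64] is the typed serial converted to an integer (the page does not show that conversion). The sample names are constructed.

```python
# Added example: Python port of the Ice Cream Crackme 1 serial routine traced
# in the tutorial. Not the tutorial's or the crackme author's code.
# Assumptions: ebp = ebx = 0 on loop entry; the name is the NUL-terminated
# byte string at [esp+14]; [esi+64] holds the typed serial as a 32-bit integer.

MASK32 = 0xFFFFFFFF


def movsx(b: int) -> int:
    """Sign-extend one byte the way MOVSX does (bytes >= 0x80 become negative)."""
    return b - 0x100 if b & 0x80 else b


def serial_by_registers(name: bytes) -> int:
    """Follow the disassembly literally, one statement per instruction."""
    ebp = ebx = 0
    edx = 0
    while edx < len(name):            # cmp edx, ecx / jb 4015BE
        eax = movsx(name[edx])        # movsx eax, byte ptr [esp+edx+14]
        ecx = eax - 4                 # lea ecx, [eax-04]
        ebp = ebp + 2 * eax + 0x3A    # lea ebp, [ebp+2*eax+3A]
        esi = ecx                     # mov esi, ecx
        esi = esi + ebx               # add esi, ebx
        edx += 1                      # inc edx
        ebx = esi + 2 * ecx           # lea ebx, [esi+2*ecx]
    ecx = ebp + ebx + 0x7D3C          # lea ecx, [ebp+ebx+7D3C]
    return ecx & MASK32               # the compare at 4015F1 is a 32-bit dword


def serial_closed_form(name: bytes) -> int:
    """Each iteration adds 3*(c-4) to ebx and 2*c+0x3A to ebp, so the whole
    loop is 5*sum(c) + 46*len(name) + 0x7D3C."""
    s = sum(movsx(b) for b in name)
    return (5 * s + 46 * len(name) + 0x7D3C) & MASK32


def check_serial(name: bytes, entered: int) -> bool:
    """cmp dword ptr [esi+64], ecx / jne bad: a plain 32-bit equality."""
    return (entered & MASK32) == serial_by_registers(name)


if __name__ == "__main__":
    for n in (b"", b"seifer666", b"caf\xe9"):     # constructed sample names
        print(n, serial_by_registers(n), serial_closed_form(n))
    # The serial only sees the byte sum and the length, so anagrams collide.
    print(serial_closed_form(b"abc") == serial_closed_form(b"cba"))
```

The closed form makes two things visible that the register-by-register port hides: the serial depends only on the sum of the (sign-extended) bytes and the length, so any two names with the same length and byte sum share a serial; and a keygen that uses an unsigned Ord() on a byte >= 0x80 (as in b"caf\xe9") disagrees with the crackme's movsx.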
I hope you enjoyed my new tutorial. If you have any questions about the keygen or Delphi, please contact me; I'll try to answer them.
Any mistakes, corrections, or comments may be mailed to the members individually, or to the group: hellforge@hellforge.org.