. . the whiz kid proudly presents . .

Cracking in 2 methods
---------------------

Target: c4n's 3rd crackme, made by Kwai_Lo and ytc.

1. Dead listing - patching the program to accept any serial entered
2. Live cracking - finding the correct serial generated for the name

Method 1
--------

Tools used:
  W32dasm
  HIEW (Hacker's View)

Let's rock. Open up the crackme, enter any name you want (in my case WhizKiD) and any serial (12341234). Click OK, and you get the message "Wrong Number!!".

Open up W32dasm and disassemble the crackme. Click on the Strn Ref button (better known as string data reference) and find the string "Congratulations!!". Click on it, and you should be here now:

    * Possible StringData Ref from Data Obj ->"Good!"
                                      |
    :00401119 685C504000              push 0040505C

    * Possible StringData Ref from Data Obj ->"Congratulations!!"
                                      |
    :0040111E 6848504000              push 00405048
    :00401123 53                      push ebx

This is where the user gets prompted if he entered the correct serial. Scroll up a bit, until you see this:

    :00401117 751B                    jne 00401134

JNE in asm means "Jump if Not Equal", so we have to change it to JE (= Jump if Equal), so it would 'jump' to the registration box even if the entered serial is wrong. Look at the offset of the line: 1117h, but we don't need the h, so the offset is 1117.

Open up HIEW and select the crackme. Press F4 and choose decode mode; now you are back in the asm of the app. Press F5 (= goto) and type the offset. You should be back at the line of the jne:

    00401117: 751B                    jne 000401134

Press F3 (= edit) and change the 75 to 74. Press F9 to update and F10 to quit.

Method 2
--------

Tools used:
  SoftICE 3.xx or higher

Let's rock again. Open the crackme and press Ctrl+D to pop up SoftICE, and set a breakpoint on "GetDlgItemTextA". Now enter any name/serial; I entered WhizKiD and serial 12341234. Click OK, and you are back in SoftICE. Press Ctrl+D once more, because there were 2 text boxes. Now you are in the function of the second text box. Press F10 and trace until you see:

    cmp ecx, eax

Type "? eax" and you see "12341234". Type "? ecx" and you see the correct serial.

Hope you understood something :)

-WhizKiD
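The whole of method 1 rests on one fact about x86 encoding: a short conditional jump is an opcode byte plus a signed 8-bit displacement, and neighbouring opcodes (74h/75h, 7Ch/7Dh, ...) are a condition and its inverse. The script below is an added example, not part of the original tutorial or the crackme: it models the bytes W32dasm shows at 00401117 (constructed from the listing above), decodes them, computes the jump target, and shows that flipping the low bit of 75h yields 74h, i.e. JNE becomes JE with the same target. This is why a serial check that ends in a single conditional jump gives the protection no more strength than one byte of the file.

```python
"""Decode and invert the short Jcc from the crackme listing.

Added example: the byte string below is constructed to mirror the
W32dasm listing around 00401117; it is not read from the crackme.
"""

# Short-form Jcc opcodes (opcode byte + signed 8-bit displacement).
# Each even/odd pair encodes a condition and its inverse, so a single
# bit in one byte decides whether the check passes or fails.
SHORT_JCC = {
    0x70: "jo",  0x71: "jno", 0x72: "jb",  0x73: "jae",
    0x74: "je",  0x75: "jne", 0x76: "jbe", 0x77: "ja",
    0x78: "js",  0x79: "jns", 0x7A: "jp",  0x7B: "jnp",
    0x7C: "jl",  0x7D: "jge", 0x7E: "jle", 0x7F: "jg",
}


def decode_short_jcc(code: bytes, va: int):
    """Decode a 2-byte Jcc rel8 located at virtual address `va`.

    Returns (mnemonic, target_va). The displacement is relative to the
    address of the *next* instruction, i.e. va + 2.
    """
    if len(code) < 2 or code[0] not in SHORT_JCC:
        raise ValueError("not a short conditional jump")
    disp = int.from_bytes(code[1:2], "little", signed=True)
    return SHORT_JCC[code[0]], va + 2 + disp


def inverse_condition(opcode: int) -> int:
    """Opcode of the inverse condition: flip the low bit (75h -> 74h)."""
    if opcode not in SHORT_JCC:
        raise ValueError("not a short conditional jump")
    return opcode ^ 1


def patch_jcc(code: bytes, offset: int) -> bytes:
    """Return a copy of `code` with the Jcc at `offset` inverted.

    Models the HIEW step from the tutorial (change 75 to 74) on an
    in-memory buffer; the displacement byte is left untouched.
    """
    patched = bytearray(code)
    patched[offset] = inverse_condition(patched[offset])
    return bytes(patched)


# Constructed bytes mirroring the listing:
#   00401117  75 1B           jne 00401134
#   00401119  68 5C 50 40 00  push 0040505C   ("Good!")
LISTING = bytes.fromhex("751B" "685C504000")
LISTING_VA = 0x00401117

if __name__ == "__main__":
    mnem, target = decode_short_jcc(LISTING, LISTING_VA)
    print(f"{LISTING_VA:08X}: {LISTING[:2].hex()}  {mnem} {target:08X}")
    patched = patch_jcc(LISTING, 0)
    mnem2, target2 = decode_short_jcc(patched, LISTING_VA)
    print(f"{LISTING_VA:08X}: {patched[:2].hex()}  {mnem2} {target2:08X}")
```

Running it prints the original line as `jne 00401134` and the patched line as `je 00401134`: the target is unchanged (00401117h + 2 + 1Bh = 00401134h), only the condition is inverted, which is exactly what the one-byte HIEW edit does.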