IamSickOfInventingNewNames CrackMe
by LaZaRuS
Tutorial by Lucifer48 [Immortal Descendants]
(October 24th, 1999)
Still an enormous crackme written in C++ Builder. The code is not difficult to understand; I'll just explain
here how to solve the algorithm in a few seconds. Then I'll show that there are many more serials than 2400. Let's
go!
Small bpx hmemcpy as usual.
XXXX:004015D9 LEA EAX, [EBP-04] ;d *eax : my serial
XXXX:004015DC CALL 00454090 ;length of serial, result in eax
XXXX:004015E1 CMP EAX, 14 ;20 characters for the serial
XXXX:004015E4 JNZ 004016DA ;jmp = bad size
This is the first of the three loops:
XXXX:004015EC MOV [EBP-38], EDX ;edx=0
XXXX:004015EF MOV DWORD PTR [EBP-3C], 1 ;index of the loop
XXXX:004015F6 LEA EAX, [EBP-04] ;d *eax : my serial
XXXX:004015F9 MOV EDX, [EBP-3C]
XXXX:004015FC CALL 0040172C ;equivalent to: MOV EAX,[EAX+EDX]
XXXX:00401601 MOVSX ECX, BYTE PTR [EAX] ;read one by one the chars of the serial
XXXX:00401604 ADD [EBP-38], ECX ;add each char
XXXX:00401607 INC DWORD PTR [EBP-3C]
XXXX:0040160A CMP DWORD PTR [EBP-3C], 15
XXXX:0040160E JL 004015F6
The loop above adds all the characters of the serial (result in dword ptr [EBP-38]). Let's
continue with the second loop.
XXXX:00401620 MOV EDX, [EBP-44] ;index of the loop
XXXX:00401623 ADD EDX, EDX
XXXX:00401625 INC EDX
XXXX:00401626 LEA EAX, [EBP-04] ;d *eax : my serial
XXXX:00401629 CALL 0040172C ;edx-th character of the serial
XXXX:0040162E MOV BL, [EAX] ;read one character
...
XXXX:0040163B CALL 0040172C
XXXX:00401640 XOR BL, [EAX] ;xor with the following character
XXXX:00401642 MOVSX ECX, BL
...
XXXX:00401648 MOV [EAX*4+EBP-70], ECX ;the dword are kept in memory
...
XXXX:00401653 ADD [EBP-40], ECX ;add these 10 dword
XXXX:00401656 INC DWORD PTR [EBP-44]
XXXX:00401659 CMP DWORD PTR [EBP-44], 0A
XXXX:0040165D JL 00401620
The previous loop performs 10 XORs, each between two different characters of the serial. All 10 of these
dwords will be used in the last loop. They are also added, and the result is in dword ptr [EBP-40].
Third loop:
XXXX:0040167C MOV ECX, [EDX*4+EBP-70] ;read one of the 10 dword
XXXX:00401680 MOV EAX, [EBP-48] ;index of the loop
XXXX:00401683 ADD EAX, EAX
XXXX:00401685 ADD ECX, [EAX*4+EBP-6C] ;add with the following dword
...
XXXX:0040169D IMUL EAX, [EBP-74] ;multiplication of the 5 new dword
XXXX:004016A1 MOV [EBP-74], EAX
XXXX:004016A4 INC DWORD PTR [EBP-48]
XXXX:004016A7 CMP DWORD PTR [EBP-48], 05
XXXX:004016AB JL 00401677
The 10 dwords obtained at the end of the second loop are added (two by two) to obtain 5 new dwords. These are
multiplied together, which gives dword ptr [EBP-74]. Now the check routine:
XXXX:004016AD MOV EDX, [EBP-38]
XXXX:004016B0 OR EDX, [EBP-40]
XXXX:004016B3 OR EDX, [EBP-74]
XXXX:004016B6 MOV [EBP-34], EDX
XXXX:004016B9 CMP DWORD PTR [EBP-34], 024AFFCF
XXXX:004016C0 JNZ 004016DA
Let's summarize:
20 bytes of the serial: x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18 x19 x20
XOR 2 by 2 (x1^x2, x3^x4, ..., x19^x20): y1 y2 y3 y4 y5 y6 y7 y8 y9 y10
dword ptr [EBP-38]= x1+x2+x3+...+x20
dword ptr [EBP-40]= y1+y2+y3+...+y10
dword ptr [EBP-74]= (y1+y2)*(y3+y4)*(y5+y6)*(y7+y8)*(y9+y10)
We must obtain: [EBP-38] OR [EBP-40] OR [EBP-74] = 024AFFCF
We guess that:
[EBP-38] OR [EBP-40] < 1000h
First, we try to find: z1*z2*z3*z4*z5 = 024AF??? (notice that z1=y1+y2, z2=y3+y4, ...).
In the zip file, you can have a look at my source to see how I found my 5
numbers. It takes just a few seconds to find a first combination:
y1+y2 = 3Fh
y3+y4 = 3Ah
y5+y6 = 2Fh
y7+y8 = 20h
y9+y10 = 7h
y1+y2+y3+y4+y5+y6+y7+y8+y9+y10 = 000000CFh
(y1+y2)*(y3+y4)*(y5+y6)*(y7+y8)*(y9+y10) = 024AFEC0h
000000CFh OR 024AFEC0h = 024AFECFh
Wow, just 1 bit is missing, it's nearly perfect! It remains to find x1, ..., x20 such that
024AFECFh OR [EBP-38] = 024AFFCF. This is my result:
x1= 7Ah ('z') x8= 6Bh ('k') x15=43h ('C')
x2= 65h ('e') x9= 4Fh ('O') x16=53h ('S')
x3= 79h ('y') x10=58h ('X') x17=4Ah ('J')
x4= 59h ('Y') x11=49h ('I') x18=4Eh ('N')
x5= 77h ('w') x12=51h ('Q') x19=44h ('D')
x6= 6Ah ('j') x13=42h ('B') x20=47h ('G')
x7= 76h ('v') x14=52h ('R') dword ptr [EBP-38] = 701h
Serial: zeyYwjvkOXIQBRCSJNDG
Just a few words about the number of combinations: we can swap the 5 packs (= four characters each), which
already makes 5!=120 possibilities. A single pack can be arranged in 8 different ways (indeed we can
swap x1x2 and x3x4, and each of these sub-packs (= two characters) can be arranged in two ways, e.g.
x1x2 and x2x1). So we have: 8*120 = 920; and don't forget that there are 5 packs, which makes a
total of 5*8*120 = 4800 possibilities (just for my own serial). And I am pretty sure that it is possible to
find another serial (with numbers and symbols) without the characters already present in the above serial.
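As an added example (my own Python, not code from the tutorial, the zip file or the CrackMe), here is a re-implementation of the three loops and the final check. It confirms the serial found above and shows why the pack swaps just described keep the check satisfied: the three dwords depend only on the multiset of characters, the pair XORs and the pack sums. Function and variable names are my own.

```python
from itertools import permutations

TARGET = 0x024AFFCF          # constant compared at 004016B9
MASK32 = 0xFFFFFFFF          # registers are 32 bits wide

def chars(serial):
    """Read the serial as the CrackMe does: one byte per char, sign-extended (MOVSX)."""
    return [b - 256 if b >= 0x80 else b for b in serial.encode("latin-1")]

def compute_check(serial):
    """Re-implementation of the three loops; returns the dword compared at 004016B9
    (None when the length check at 004015E1 fails)."""
    x = chars(serial)
    if len(x) != 20:
        return None
    total = sum(x)                                     # loop 1 -> [EBP-38]
    y = [x[2 * i] ^ x[2 * i + 1] for i in range(10)]   # loop 2 -> the 10 dwords
    y_sum = sum(y)                                     # -> [EBP-40]
    prod = 1
    for i in range(5):                                 # loop 3 -> [EBP-74]
        prod = (prod * (y[2 * i] + y[2 * i + 1])) & MASK32
    return (total | y_sum | prod) & MASK32

def is_valid(serial):
    return compute_check(serial) == TARGET

def pack_variants(pack):
    """The 8 arrangements of one 4-char pack (swap its two pairs, reverse either pair)
    that leave y(2i-1)+y(2i) unchanged."""
    a, b, c, d = pack
    return sorted({p1 + p2
                   for pair1, pair2 in ((a + b, c + d), (c + d, a + b))
                   for p1 in (pair1, pair1[::-1])
                   for p2 in (pair2, pair2[::-1])})

def reorder_packs(serial, order):
    """Build a new serial from the five 4-char packs of `serial`, placed in the given order."""
    packs = [serial[i:i + 4] for i in range(0, 20, 4)]
    return "".join(packs[i] for i in order)

if __name__ == "__main__":
    s = "zeyYwjvkOXIQBRCSJNDG"               # the serial from the tutorial
    print(hex(compute_check(s)), is_valid(s))
    print(pack_variants("zeyY"))
    # every permutation of the packs still passes the check
    print(all(is_valid(reorder_packs(s, o)) for o in permutations(range(5))))
```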
Greetings: All ID members (Volatility, Torn@do, alpine, ...), SiFLyiNG, Eternal Bliss, ACiD BuRN,
LaZaRuS, ... and wonderful people in #cracking4newbies & #win32asm (LLama, WazerPup, X-Calibre, MisterE, ...).
(c) Lucifer48. All rights reserved & reversed