IamSickOfInventingNewNames CrackMe
by LaZaRuS


Tutorial by Lucifer48 [Immortal Descendants]
(October 24th, 1999)



Yet another enormous crackme written in C++ Builder. The code is not difficult to understand; I'll just explain here how to solve the algorithm in a few seconds, then show that there are many more serials than 2400. Let's go!

The usual bpx hmemcpy, and we land in the check:
XXXX:004015D9  LEA  EAX, [EBP-04]		;d *eax : my serial
XXXX:004015DC  CALL 00454090			;length of serial, result in eax
XXXX:004015E1  CMP  EAX, 14			;the serial must be 14h = 20 characters long
XXXX:004015E4  JNZ  004016DA			;jump = wrong length
This is the first of the three loops:
XXXX:004015EC  MOV  [EBP-38], EDX		;edx=0
XXXX:004015EF  MOV  DWORD PTR [EBP-3C], 1	;index of the loop
XXXX:004015F6  LEA  EAX, [EBP-04]		;d *eax : my serial
XXXX:004015F9  MOV  EDX, [EBP-3C]
XXXX:004015FC  CALL 0040172C			;returns in eax a pointer to the edx-th character (1-based), roughly MOV EAX,[EAX+EDX]
XXXX:00401601  MOVSX ECX, BYTE PTR [EAX]	;read one by one the chars of the serial
XXXX:00401604  ADD  [EBP-38], ECX		;add each char
XXXX:00401607  INC  DWORD PTR [EBP-3C]
XXXX:0040160A  CMP  DWORD PTR [EBP-3C], 15
XXXX:0040160E  JL   004015F6
This loop adds up all 20 characters of the serial (result in dword ptr [EBP-38]). Note the MOVSX: a character above 7Fh is sign-extended and therefore counts as a negative number; for printable ASCII this changes nothing. Let's continue with the second loop.
XXXX:00401620  MOV  EDX, [EBP-44]		;index of the loop (0 to 9)
XXXX:00401623  ADD  EDX, EDX
XXXX:00401625  INC  EDX				;edx = 2*index + 1: position of the first character of the pair
XXXX:00401626  LEA  EAX, [EBP-04]		;d *eax : my serial
XXXX:00401629  CALL 0040172C			;edx-th character of the serial
XXXX:0040162E  MOV  BL, [EAX]			;read one character
...
XXXX:0040163B  CALL 0040172C
XXXX:00401640  XOR  BL, [EAX]			;xor with the following character
XXXX:00401642  MOVSX ECX, BL
...
XXXX:00401648  MOV  [EAX*4+EBP-70], ECX		;the 10 dwords are stored in an array at [EBP-70]
...
XXXX:00401653  ADD  [EBP-40], ECX		;and summed into [EBP-40]
XXXX:00401656  INC  DWORD PTR [EBP-44]
XXXX:00401659  CMP  DWORD PTR [EBP-44], 0A
XXXX:0040165D  JL   00401620
The previous loop performs 10 XORs, each between two consecutive characters of the serial (x1^x2, x3^x4, ...). The 10 results are stored as dwords for the last loop and are also added together; that sum ends up in dword ptr [EBP-40]. Third loop:
XXXX:0040167C  MOV  ECX, [EDX*4+EBP-70]		;read one of the 10 dword
XXXX:00401680  MOV  EAX, [EBP-48]		;index of the loop
XXXX:00401683  ADD  EAX, EAX
XXXX:00401685  ADD  ECX, [EAX*4+EBP-6C]		;add with the following dword
...
XXXX:0040169D  IMUL EAX, [EBP-74]		;running product of the 5 new dwords (32-bit IMUL)
XXXX:004016A1  MOV  [EBP-74], EAX
XXXX:004016A4  INC  DWORD PTR [EBP-48]
XXXX:004016A7  CMP  DWORD PTR [EBP-48], 05
XXXX:004016AB  JL   00401677
The 10 dwords obtained in the second loop are added two by two, which gives 5 new dwords. These 5 are multiplied together (32-bit IMUL, so the product is truncated to 32 bits); the result is dword ptr [EBP-74]. Now the check routine:
XXXX:004016AD  MOV  EDX, [EBP-38]
XXXX:004016B0  OR   EDX, [EBP-40]
XXXX:004016B3  OR   EDX, [EBP-74]
XXXX:004016B6  MOV  [EBP-34], EDX
XXXX:004016B9  CMP  DWORD PTR [EBP-34], 024AFFCF
XXXX:004016C0  JNZ  004016DA
Let's summarize:
20 bytes of the serial: x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18 x19 x20
                      : ----- ----- ----- ----- ------ ------- ------- ------- ------- -------
Xor 2 by 2            :  y1    y2    y3    y4     y5     y6      y7      y8      y9      y10

dword ptr [EBP-38]= x1+x2+x3+...+x20
dword ptr [EBP-40]= y1+y2+y3+...+y10
dword ptr [EBP-74]= (y1+y2)*(y3+y4)*(y5+y6)*(y7+y8)*(y9+y10)

We must obtain: [EBP-38] OR [EBP-40] OR [EBP-74] = 024AFFCF

We can assume that:
[EBP-38] OR [EBP-40] < 1000h
Indeed, the sum of 20 printable characters is at most 20*7Eh = 9D8h and the sum of 10 XORed bytes is at most 10*7Fh = 4F6h, so these two values only ever touch the low 12 bits. The high part 024AF of the target must therefore come from the product alone.

So we first look for z1*z2*z3*z4*z5 = 024AF??? (where z1 = y1+y2, z2 = y3+y4, and so on), with the low 12 bits of the product staying inside FCFh (any other bit set there could never be cleared again by an OR).
The zip file contains my source; have a look at it to see how I found these 5 numbers. A few seconds of search give a first combination:
y1+y2 = 3Fh
y3+y4 = 3Ah
y5+y6 = 2Fh
y7+y8 = 20h
y9+y10 = 7h

y1+y2+y3+y4+y5+y6+y7+y8+y9+y10 = 000000CFh

(y1+y2)*(y3+y4)*(y5+y6)*(y7+y8)*(y9+y10) = 024AFEC0h

000000CFh OR 024AFEC0h = 024AFECFh
Wow, just 1 bit is missing (bit 8, i.e. 100h); it's nearly perfect! It remains to find x1, ..., x20 such that 024AFECFh OR [EBP-38] = 024AFFCF, i.e. a character sum with bit 8 set and no bit outside FCFh. This is my result:
x1= 7Ah ('z')     x8= 6Bh ('k')     x15=43h ('C')
x2= 65h ('e')     x9= 4Fh ('O')     x16=53h ('S')
x3= 79h ('y')     x10=58h ('X')     x17=4Ah ('J')
x4= 59h ('Y')     x11=49h ('I')     x18=4Eh ('N')
x5= 77h ('w')     x12=51h ('Q')     x19=44h ('D')
x6= 6Ah ('j')     x13=42h ('B')     x20=47h ('G')
x7= 76h ('v')     x14=52h ('R')                       dword ptr [EBP-38] = 701h
Serial: zeyYwjvkOXIQBRCSJNDG
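
The whole procedure above (the three loops and the final OR, the search for the five pack sums z1..z5 of the "first combination", and the choice of the 20 characters), as an added Python example. This is not code from the crackme, from LaZaRuS or from the zip file's source. The constants (the length check 14h, the target 024AFFCF, the loop structure, the sign-extending MOVSX and the 32-bit IMUL) come from the listing; everything else is my own and should be read as an assumption: the function names, the alphanumeric alphabet, the restriction to products that do not wrap past 32 bits, and the search strategy (factor each candidate product 024AF??? into five z values that are sums of two XORs of alphabet characters, then pick the characters pack by pack so that their sum supplies exactly the low bits still missing).

```python
"""Re-implementation of the check reversed above, plus a keygen (added example)."""
import itertools
import string

TARGET = 0x024AFFCF                               # CMP DWORD PTR [EBP-34], 024AFFCF
MASK32 = 0xFFFFFFFF
ALPHABET = string.ascii_letters + string.digits   # assumption: alphanumeric serials only

def movsx8(b):
    """MOVSX of one byte: a byte >= 80h counts as negative, as in loops 1 and 2."""
    return b - 0x100 if b & 0x80 else b

def product32(values):
    """Running 32-bit IMUL as in loop 3: the product is truncated to 32 bits."""
    p = 1
    for v in values:
        p = (p * (v & MASK32)) & MASK32
    return p

def check(serial):
    """Return ([EBP-38], [EBP-40], [EBP-74], passed) as the three loops compute them."""
    data = serial.encode("latin-1")
    if len(data) != 0x14:                                   # CMP EAX,14 / JNZ bad
        return None, None, None, False
    sum_x = sum(movsx8(c) for c in data) & MASK32           # loop 1: x1+...+x20
    y = [movsx8(data[i] ^ data[i + 1]) for i in range(0, 20, 2)]   # loop 2: y1..y10
    sum_y = sum(y) & MASK32
    product = product32(y[i] + y[i + 1] for i in range(0, 10, 2))  # loop 3: z1*...*z5
    return sum_x, sum_y, product, (sum_x | sum_y | product) == TARGET

def factors_ok(zs):
    """sum_x < 1000h for 20 printable chars, so product | sum(z) must already supply
    every bit of TARGET above bit 11 and must not set any bit outside TARGET."""
    v = product32(zs) | sum(zs)
    return (v & ~TARGET) == 0 and (v >> 12) == (TARGET >> 12)

def xor_table(alphabet=ALPHABET):
    """a^b -> {a+b: the two chars}: one representative pair per character sum."""
    table = {}
    for a, b in itertools.product(alphabet, repeat=2):
        table.setdefault(ord(a) ^ ord(b), {}).setdefault(ord(a) + ord(b), a + b)
    return table

def find_factors(table, limit=1):
    """Walk the products 024AF??? whose low bits fit inside FCFh and split each into
    five z's realisable as y1+y2 from the table (non-wrapping products only)."""
    zs_ok = {y1 + y2 for y1 in table for y2 in table} - {0}
    max_z = max(zs_ok)

    def smooth(n):                          # cheap reject: any prime factor > max_z?
        for p in range(2, max_z + 1):
            while n % p == 0:
                n //= p
        return n == 1

    def split(n, k, maxf):                  # non-increasing k-tuples from zs_ok, product n
        if k == 1:
            if n <= maxf and n in zs_ok:
                yield (n,)
            return
        for f in range(min(maxf, n), 0, -1):
            if f ** k < n:                  # k factors <= f can no longer reach n
                break
            if f in zs_ok and n % f == 0:
                for rest in split(n // f, k - 1, f):
                    yield (f,) + rest

    found = []
    for low in range(0xFFF, -1, -1):
        n = (TARGET & ~0xFFF) | low
        if low & ~TARGET or not smooth(n):
            continue
        for zs in split(n, 5, max_z):
            if factors_ok(zs):
                found.append(zs)
                if len(found) >= limit:
                    return found
    return found

def keygen(zs, table):
    """Build a serial for the pack sums zs: one 4-char candidate per pack and per
    character sum, combined pack by pack into one serial per reachable [EBP-38];
    return a serial whose sum supplies exactly the low bits TARGET still lacks."""
    reach = {0: ""}                         # character sum so far -> serial prefix
    for z in zs:
        pack = {}
        for y1, pairs1 in table.items():
            for s1, p1 in pairs1.items():
                for s2, p2 in table.get(z - y1, {}).items():
                    pack.setdefault(s1 + s2, p1 + p2)
        reach = {s + ps: pre + p for s, pre in reach.items() for ps, p in pack.items()}
    v = product32(zs) | sum(zs)
    for s, serial in reach.items():
        if (v | s) == TARGET:
            return serial
    return None                             # no reachable character sum fits these z's
```

check("zeyYwjvkOXIQBRCSJNDG") gives back (0x701, 0xCF, 0x024AFEC0, True), the three intermediate values of this tutorial; keygen((0x3F, 0x3A, 0x2F, 0x20, 0x07), xor_table()) rebuilds a serial for the same five pack sums, and keygen(zs, table) for each tuple returned by find_factors(table, limit=3) produces serials with different pack sums. Two traps the search deliberately ignores, like the reasoning above: the first loop sign-extends each byte, so a character above 7Fh subtracts from the sum, and IMUL truncates to 32 bits, so a product larger than FFFFFFFFh could in principle also hit the target.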

A few words about the number of combinations. The 5 packs (of four characters each) can be put in any order, since the sums and the product are commutative: that already makes 5! = 120 possibilities. A single pack can be arranged in 8 different ways (we can swap the two sub-packs x1x2 and x3x4, and each sub-pack of two characters can be written in two orders, e.g. x1x2 or x2x1: 2*2*2 = 8). The 5 packs are arranged independently of each other, which gives 8^5 * 120 = 3,932,160 serials derived from my serial alone (all distinct, since its 20 characters are all different). And I am pretty sure that it is possible to find another serial (with digits and symbols) that shares no character with the one above.


Greetings: All ID members (Volatility, Torn@do, alpine, ...), SiFLyiNG, Eternal Bliss, ACiD BuRN, LaZaRuS, ... and wonderful people in #cracking4newbies & #win32asm (LLama, WazerPup, X-Calibre, MisterE, ...).



(c) Lucifer48. All rights reserved & reversed