PhoX' CrackMe
by Phox


Tutorial by Lucifer48 [Immortal Descendants]
(October 9th, 1999)



It will be short... This one is dedicated to newbies! It's written in C++ (uses MSVCRT.DLL) and not packed.

1) Name/Serial:

A little bpx hmemcpy as usual...
XXXX:00401181  CALL ESI                  ;esi = [USER32!GetWindowTextA], read the name
XXXX:00401183  LEA  EAX, [EBP-0088]      ;your name
XXXX:00401189  PUSH EAX
XXXX:0040118A  CALL 00401419             ;should look here
XXXX:0040118F  POP  ECX                  ;add esp, 4 if you prefer...
XXXX:00401190  MOV  [EBP+0C], EAX        ;save the result of the call
...
XXXX:004011A0  PUSH EAX                  ;length of the serial +1 (uses [USER32!GetWindowTextLengthA])
XXXX:004011A1  LEA  EAX, [EBP-00B0]      ;buffer for the serial
XXXX:004011A7  PUSH EAX
XXXX:004011A8  PUSH DWORD PTR [00403208] ;handle of the edit box
XXXX:004011AE  CALL ESI                  ;esi = [USER32!GetWindowTextA], read the serial
XXXX:004011B0  PUSH 00
XXXX:004011B2  LEA  EAX, [EBP-00B0]      ;serial
XXXX:004011B8  PUSH 00
XXXX:004011BA  PUSH EAX
XXXX:004011BB  CALL [00402028]           ;converts the serial string to a number (digits only), result in eax
...
XXXX:004011C7  MOV  ESI, EAX             ;serial as a number
XXXX:004011C9  ADD  ESI, 14              ;14h = 20d, don't forget that for the serial calculation
XXXX:004011CC  ADD  ESP, 0C
XXXX:004011CF  CMP  [EBP+0C], ESI        ;final check
XXXX:004011D2  JZ   004011DF             ;no jump = bad guy
Let's look at 00401419 to find our own number; it's very simple:
...
XXXX:0040141E  PUSH  ESI                 ;my name
XXXX:0040141F  CALL  [00402058]          ;convert to upper case (xyz -> XYZ)
XXXX:00401425  POP   ECX                 ;add esp, 4
XXXX:00401426  PUSH  ESI                 ;my name again
XXXX:00401427  CALL  0040143E            ;length, result in eax
XXXX:0040142C  POP   ECX                 ;add esp, 4
XXXX:0040142D  MOVSX ECX, BYTE PTR [ESI] ;first character of my name (sign-extended)
XXXX:00401430  IMUL  EAX, ECX            ;length * first character
XXXX:00401433  SHL   EAX, 0C             ;* 1000h
XXXX:00401436  ADD   EAX, 0003930E       ;this result is compared with serial + 14h
...
Everything is here; to conclude, I wrapped it up as a JavaScript keygen with a Name/Serial form.
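The serial check traced above, modelled in JavaScript. This is an added example, not the author's keygen form and not the crackme's code: nameHash mirrors the routine at 00401419, strtolBase0 models the CALL [00402028] conversion on the assumption that it is strtol with base 0 (the three pushed arguments are string, NULL, 0), and checkSerial reproduces the final CMP/JZ. The function names and the sample names are mine. It also shows why the scheme is weak: only the length and the first letter of the name reach the hash, so any two names sharing both get the same serial.

```javascript
// Added example: a JavaScript model of the PhoX CrackMe serial check traced above.
// It is not the tutorial's own keygen and not the crackme's code. Function names,
// the strtol assumption and the sample names are constructed for this example.

const MAGIC = 0x3930e;  // ADD EAX, 0003930E in the routine at 00401419
const OFFSET = 0x14;    // ADD ESI, 14: added to the serial the user typed

// CALL [00402058] behaves like _strupr from MSVCRT (assumption): it only maps a-z
// to A-Z, so uppercasing is done by hand rather than with String.toUpperCase,
// which would also rewrite non-ASCII letters and could change the length.
function asciiUpper(text) {
  return text.replace(/[a-z]/g, (c) => String.fromCharCode(c.charCodeAt(0) - 0x20));
}

// Routine at 00401419: uppercase the name, then ((length * first char) << 12) + MAGIC.
// MOVSX sign-extends the first byte; IMUL, SHL and ADD are 32-bit, so the result
// is kept as a signed 32-bit integer (| 0), exactly like EAX.
function nameHash(name) {
  const upper = asciiUpper(name);
  let first = upper.length ? upper.charCodeAt(0) & 0xff : 0; // strlen 0 -> first byte is NUL
  if (first > 0x7f) first -= 0x100;                          // MOVSX ECX, BYTE PTR [ESI]
  const product = Math.imul(upper.length, first);            // IMUL EAX, ECX
  return ((product << 12) + MAGIC) | 0;                      // SHL EAX, 0C ; ADD EAX, 3930Eh
}

// The comparison at 004011CF is hash == serial + 14h, so the serial that passes
// is hash - 14h (still 32-bit).
function expectedSerial(name) {
  return (nameHash(name) - OFFSET) | 0;
}

// CALL [00402028] receives (serial, 0, 0), which matches strtol(str, NULL, 0).
// Assumption: the import is strtol. With base 0 a leading "0x" means hex and a
// leading "0" means octal; anything that is not a number gives 0. Overflow is
// simply wrapped to 32 bits here, where the real strtol would clamp to LONG_MAX.
function strtolBase0(text) {
  const m = /^\s*([+-]?)(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)/.exec(text);
  if (!m) return 0;
  const body = m[2];
  let value;
  if (/^0[xX]/.test(body)) value = parseInt(body.slice(2), 16);
  else if (body.length > 1 && body[0] === '0') value = parseInt(body, 8);
  else value = parseInt(body, 10);
  if (m[1] === '-') value = -value;
  return value | 0;
}

// The crackme's decision: MOV ESI, EAX ; ADD ESI, 14 ; CMP [EBP+0C], ESI ; JZ good.
function checkSerial(name, serialText) {
  return ((strtolBase0(serialText) + OFFSET) | 0) === nameHash(name);
}

// Why the check is weak: only strlen(name) and its first letter reach the hash,
// so any two names with the same length and first letter share one serial.
function sameSerial(nameA, nameB) {
  return expectedSerial(nameA) === expectedSerial(nameB);
}

// Sample run on constructed names.
console.log(expectedSerial('Lucifer48'));           // 3035898
console.log(checkSerial('Lucifer48', '3035898'));   // true
console.log(checkSerial('Lucifer48', '0x2E52FA'));  // true: base-0 strtol also accepts hex
console.log(sameSerial('Phox', 'Pear'));            // true: same length, same first letter
```

The hex form being accepted is a direct consequence of the base-0 strtol call, so a "serial" is really any text the C runtime parses to the right 32-bit value; that, and the collision between names of equal length and first letter, is what a reviewer would flag in a scheme like this.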

2) Simple little NAG:

It's a basic MessageBoxA, so put a bpx on it...
XXXX:004012AA  PUSH  40                  ;MB_ICONASTERISK (opcode: 6A40)
XXXX:004012AC  PUSH  00403010            ;"CrackMe"
XXXX:004012B1  PUSH  00403048            ;"Ok...ur first task is to remove this nag.  ..."
XXXX:004012B6  PUSH  EBX                 ;handle of parent
XXXX:004012B7  CALL  [USER32!MessageBoxA]
The exe is not packed, so patch XXXX:004012AA (file offset 6AAh) with EB11 (JMP 004012BD, over the whole call) and it's ok.

3) Enable the menuitem:

Just browse the code (.text section) and you will see the interesting part:
XXXX:0040136D  CALL  [USER32!GetMenu]    ;retrieves the handle of the menu
...
XXXX:0040137D  PUSH  00403028            ;"crackme.rrr" (opened with flag OF_EXIST)
XXXX:00401382  MOV   ESI, EAX
XXXX:00401384  CALL  [KERNEL32!OpenFile] ;the 16-bit-era equivalent of CreateFileA
XXXX:0040138A  CMP   EAX, -01            ;HFILE_ERROR
XXXX:0040138D  JZ    0040139A            ;jump = the file doesn't exist
...
XXXX:00401394  CALL  [USER32!EnableMenuItem]
Just create the file crackme.rrr...

No need to waste more time... cya in the next essay.

Greetings: All ID members (Volatility, Torn@do, alpine, ...), SiFLyiNG, Eternal Bliss, ACiD BuRN, Duelist, LaZaRuS, Phox, ... and wonderful people in #cracking4newbies & #win32asm (WazerPup, X-Calibre, MisterE, ...).



(c) Lucifer48. All rights reserved & reversed