PhoX' CrackMe
by Phox
Tutorial by Lucifer48 [Immortal Descendants]
(October 9th, 1999)
It will be short... This one is dedicated to newbies! It's written in C++ (uses MSVCRT.DLL) and not packed.
1) Name/Serial:
A little bpx hmemcpy as usual...
XXXX:00401181 CALL ESI ;esi = [USER32!GetWindowTextA], read the name
XXXX:00401183 LEA EAX, [EBP-0088] ;your name
XXXX:00401189 PUSH EAX
XXXX:0040118A CALL 00401419 ;should look here
XXXX:0040118F POP ECX ;add esp, 4 if you prefer...
XXXX:00401190 MOV [EBP+0C], EAX ;save the result of the call
...
XXXX:004011A0 PUSH EAX ;length of the serial +1 (uses [USER32!GetWindowTextLengthA])
XXXX:004011A1 LEA EAX,[EBP-00B0] ;buffer for the serial
XXXX:004011A7 PUSH EAX
XXXX:004011A8 PUSH DWORD PTR [00403208] ;handle of the edit box
XXXX:004011AE CALL ESI ;esi = [USER32!GetWindowTextA], read the serial
XXXX:004011B0 PUSH 00
XXXX:004011B2 LEA EAX,[EBP-00B0] ;serial
XXXX:004011B8 PUSH 00
XXXX:004011BA PUSH EAX
XXXX:004011BB CALL [00402028] ;result in eax, convert to hexa (numbers only)
...
XXXX:004011C7 MOV ESI, EAX ;serial in hexa
XXXX:004011C9 ADD ESI, 14 ;14h = 20d, don't forget that for the serial calculation
XXXX:004011CC ADD ESP, 0C
XXXX:004011CF CMP [EBP+0C], ESI ;final check
XXXX:004011D2 JZ 004011DF ;no jump = bad guy
Let's look at 00401419 to find our own number; it's very simple:
...
XXXX:0040141E PUSH ESI ;my name
XXXX:0040141F CALL [00402058] ;convert to upper case (xyz -> XYZ)
XXXX:00401425 POP ECX ;add esp, 4
XXXX:00401426 PUSH ESI ;my name again
XXXX:00401427 CALL 0040143E ;length, result in eax
XXXX:0040142C POP ECX ;add esp, 4
XXXX:0040142D MOVSX ECX, BYTE PTR [ESI] ;peek the first character of my name
XXXX:00401430 IMUL EAX, ECX
XXXX:00401433 SHL EAX, 0C
XXXX:00401436 ADD EAX, 0003930E
...
Everything is here; to conclude, this is my JavaScript keygen:
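As an added example (not Lucifer48's own keygen), this JavaScript rebuilds the routine at 00401419 and the final check at 004011CF from the listing above; it assumes CALL [00402058] is an in-place _strupr, CALL 0040143E is strlen, and CALL [00402028] parses the serial as a decimal string.

```javascript
// Added example (not Lucifer48's original keygen): the serial routine at
// 00401419 and the final check at 004011CF, rebuilt from the listing above.
// Assumptions: CALL [00402058] is an in-place _strupr, CALL 0040143E is
// strlen, and CALL [00402028] parses the serial as a decimal string.

// Wrap to 32 bits, as the EAX arithmetic does.
function toUint32(n) {
  return n >>> 0;
}

// _strupr in the "C" locale: only a-z are touched, so the length never changes.
function strupr(s) {
  return s.replace(/[a-z]/g, c => String.fromCharCode(c.charCodeAt(0) - 32));
}

// CALL 00401419: ((strlen(upper(name)) * name[0]) << 12) + 0x3930E
function nameHash(name) {
  const upper = strupr(name);              // CALL [00402058]
  const len = upper.length;                // CALL 0040143E
  // MOVSX ECX, BYTE PTR [ESI]: the first byte is sign-extended,
  // so a name starting with a byte >= 0x80 gives a negative multiplier.
  let first = upper.charCodeAt(0) & 0xff;
  if (first >= 0x80) first -= 0x100;
  let eax = Math.imul(len, first);         // IMUL EAX, ECX
  eax = eax << 12;                         // SHL EAX, 0C
  eax = (eax + 0x3930e) | 0;               // ADD EAX, 0003930E
  return toUint32(eax);
}

// CMP [EBP+0C], ESI with ESI = serial + 14h, so serial = hash - 20 (mod 2^32).
function keygen(name) {
  if (name.length === 0) throw new Error("name must not be empty");
  return toUint32(nameHash(name) - 0x14).toString(10);
}

// The program's own test, usable to verify a name/serial pair.
function check(name, serial) {
  if (name.length === 0 || !/^\d{1,10}$/.test(serial)) return false;
  const esi = toUint32(Number(serial) + 0x14);  // MOV ESI, EAX / ADD ESI, 14
  return esi === nameHash(name);                 // CMP [EBP+0C], ESI
}

console.log(keygen("Lucifer48"), check("Lucifer48", keygen("Lucifer48")));
```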
2) Simple little NAG:
It's a basic MessageBoxA, so put a bpx...
XXXX:004012AA PUSH 40 ;MB_ICONASTERISK (opcode: 6A40)
XXXX:004012AC PUSH 00403010 ;"CrackMe"
XXXX:004012B1 PUSH 00403048 ;"Ok...ur first task is to remove this nag. ..."
XXXX:004012B6 PUSH EBX ;handle of parent
XXXX:004012B7 CALL [USER32!MessageBoxA]
The exe is not packed, so patch the bytes at XXXX:004012AA (file offset 6AAh) to EB11 (JMP 004012BD)
and it's ok.
3) Enable the menuitem:
Just browse the code (.text section), and you will see the interesting part:
XXXX:0040136D CALL [USER32!GetMenu] ;retrieves the handle of the menu
...
XXXX:0040137D PUSH 00403028 ;"crackme.rrr" (opened with flag: OF_EXIST)
XXXX:00401382 MOV ESI, EAX
XXXX:00401384 CALL [KERNEL32!OpenFile] ;= CreateFileA for 16-bit versions of Windows
XXXX:0040138A CMP EAX, -01
XXXX:0040138D JZ 0040139A ;jump = the file doesn't exist
...
XXXX:00401394 CALL [USER32!EnableMenuItem]
Just create the file...
No need to waste any more time... cya in the next essay.
Greetings: All ID members (Volatility, Torn@do, alpine, ...), SiFLyiNG, Eternal Bliss, ACiD BuRN,
Duelist, LaZaRuS, Phox, ... and wonderful people in #cracking4newbies & #win32asm (WazerPup, X-Calibre, MisterE, ...).
(c) Lucifer48. All rights reserved & reversed