Welcome to Cracking Tutorial #81!
Hiya guys,
Sorry for delays, I was busy with coding and all shit, and
still no phone at home..
Ah now, I'm proudly to present you tKC's Cracking Tutorial 2000!
It's a fast, better Viewer, it can read old *.tKC files too. Also
you can view *.NFO or *.TXT with this viewer! It has many features
eg. change colors, load skins, print etc, you can find it at
http://www.crackersinaction.org... enjoy it!
Here's a tut81.tKC...
OK, let's rave! ...or crack babes? :)
You'll need the following tools:
(I use these tools, I assume you'll use 'em, but it doesn't
mean that you'll need to use all those tools, so be sure to
get them handy for the examples in this tutorial!)
SoftICE v4.05
W32Dasm v8.93
Hacker's View v6.40
SmartCheck v6.03
ProcDump32 v1.6.2
Windows Commander v4.03 (I use it coz of easier to multitask)
Delphi, VB, C++, or TASM to code a keygen or a patch..
Don't ask me where to download all these tools since you had
a chance to get them when you used my older tutorials. Here
are a few good sites where you can grab tools from:
http://protools.cjb.net
http://w3.to/protools
http://www.crackstore.com
or ask any crackers to get you these tools!
Are you ready?!
OK! ;)
----------------------
Cracking tute by _cdk_
^^^^^^^^^^^^^^^^^^^^^^
Target: Sid Meier's Alpha Centauri (updated 4.0!) [UK]
Toolz: W32Dasm, SICE, Hex-Editor, NotePad+ with Wordwrap ON
Level: 1
Protection: cd-check kinda..
Background info:
I love Sid Meier games and as I hadn't cracked this yet this was an obvious
choice for a subject of this tute..
btw.. if I'm not totally wrong it is possible to play this game without a CD present
but there's this nag we wanna remove (thou I'd recommend playing with the CD)..
oh.. also.. it seems like the original (v1.0?) version has Securom (which I don't care
coz I have the ORIGINAL!) but updated version doesn't... leet.. :)
Again a common approach, BPX GetDriveTypeA and you'll land here:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005E896E(C)
|
:005E8912 8D542410 lea edx, dword ptr [esp+10]
:005E8916 52 push edx
* Reference To: KERNEL32.GetDriveTypeA, Ord:0104h
|
:005E8917 FF1540B16400 Call dword ptr [0064B140]
:005E891D 83F805 cmp eax, 00000005 <-- u are here, test if its CD drive
:005E8920 753E jne 005E8960 <-- its not, jump
:005E8922 8D442410 lea eax, dword ptr [esp+10] <-- move current drive letter to eax
:005E8926 881DB8DD9700 mov byte ptr [0097DDB8], bl
:005E892C 50 push eax
:005E892D 68B8DD9700 push 0097DDB8
:005E8932 E819FA0300 call 00628350 <-- uhm..get the path for the movie to play?
:005E8937 8B8C2468020000 mov ecx, dword ptr [esp+00000268] <-- move the path to ecx
:005E893E 51 push ecx <-- push the path
:005E893F 68B8DD9700 push 0097DDB8
:005E8944 E807FA0300 call 00628350 <-- same call as above
:005E8949 83C410 add esp, 00000010
:005E894C 8D94241C010000 lea edx, dword ptr [esp+0000011C] <- same as above, but move to edx
:005E8953 52 push edx <-- push the path
:005E8954 68B8DD9700 push 0097DDB8
:005E8959 FFD5 call ebp <-- call to FindFirstFileA
:005E895B 83F8FF cmp eax, FFFFFFFF <-- compare results
:005E895E 756B jne 005E89CB <-- jump if not equal...<g>
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005E8920(C)
|
:005E8960 8A542410 mov dl, byte ptr [esp+10] <-- mov current drive letter to dl
:005E8964 FEC2 inc dl <-- increase counter
:005E8966 46 inc esi <-- increase counter
:005E8967 83FE1A cmp esi, 0000001A <-- compare if all drives done
:005E896A 88542410 mov byte ptr [esp+10], dl
:005E896E 7CA2 jl 005E8912 <-- jump if not, (loop getdrivetype
:005E8970 399C2464020000 cmp dword ptr [esp+00000264], ebx routine until all done)
:005E8977 7572 jne 005E89EB
:005E8979 53 push ebx
:005E897A 53 push ebx
:005E897B 53 push ebx
:005E897C 6AFF push FFFFFFFF
* Possible StringData Ref from Data Obj ->"FILEFIND_NOCD" <-- this tells pretty much...
ok.. i prolly made some mistakes but I think the routine consists of checks like i've
described.. but i may be wrong.. but anyways I do already know where to patch.. ;) do you?
prolly not.. lemme clear it out for ye..
so the above routine is indeed a failed routine for cd-check, well in fact it checks if all
cd-drives done and loops back to start when all done.. it does nothing more i believe.. but
again.. i may be wrong
but the point of interest is the call to FindFirstFileA ..it is in fact the cd-check, urh..
but i cant really remember what it does.. heh.. wait a sec.. I'll re-trace it ;) (and eat
sumfin in the while).. w00p.. uhm, heh.. i'm still not quite sure but I'd say it seeks for
the movie path/file and if its found on the target drive (CD) return value is the search
handle used in a subsequent call. So the return value changes depending on the drive the file
is found on.
eg. the return value for my drive G:\ -> BF0304, might differ on your comp
and coz of this kinda procedure its safer to change the following jump instead of comparing or
nopping out the whole call, so lets do like this:
:005E895E 756B jne 005E89CB
-> :005E895E 746B je 005E89CB or
-> :005E895E EB6B jmp 005E89CB
I'm sure you can do the modification on your own so I won't explain it.. if your having
problems plz read some of my earlier tutes or someone else's tutes
but anywayz if u did like i showed you shouldnt have any nags left when u start the game. i
dunno if you can play it now without a cd in the drive coz i was too lazy to test it. but i
dont really care coz the main intention in this tute (and in all my other cd-check tutes!)
is just to disable the cd-check, whether it renders the game playable or not.. but enuff crap
already... whats done is done, cd-check destroyed!
Heh.. might I also add that if u look terran.exe with ProcDump you can see something like
Selfmod or similar.. self-modifying? kinda i'd say.. when I first patched this file in Hiew
it changed the opcodes to something way of cmp & jne that were supposed to be there... but its
no use if u type the offset straightly so that it takes u straight on the jne code, then its
safe to patch.
-C_DKnight
well ok.. C_D can stand for Compact Disc if u really want.. its kinda leet in that way too..
heh.. since almost every tute of mine are about cd-check defeating.. so I'm a valiant knight
who protects poor games from evil CD-Check wizards! Huuh.. I thrust with my dark sword and
see Wizards eventually perishing.. ;) Haha.. well lets proceed onto greetings, shall we?
My greets:
#Cracking4Newbies, you guys I respect and greet: (not in any order)
AB4DS, r!SC, Dead-Mike, NrOC, Warezpup, Hutch, [yAtEs], [E_BLiss], [LaZaRuS], SeKt0r, nchanta,
Icecream, |Xmen|, LordOfLA, F0dder, Predator, aCiDHaC, ACiD BuRN, DnNuke, noos, nu, Thesmurf,
defiler, Sinn0r, ^tCM^, Norika, cTT, Weazel, MisterE, Dawai, RevX, Maybird, BlackBird, FireWorx,
SheeP14o, extasy_, KaOsAuS, _zoltan, Torn@do, ByteBurn, Miscreant, croc, Br4t, [ViKiNg], N|Te,
=Metal=, B|aze, Moredhel, Seffren, Speedsta, Rad|cal, [Daze], VisionZ, KaKTuZ, Stilgreen,
Kwazy Webbit, Falcon, Gandalf plus all my friends at #cracking4newbies and other chans..
plus all newbie crackers and those I just simply forgot
-------------------
A tute by C_DKnight
^^^^^^^^^^^^^^^^^^^
Target: Xcrypt CrackME 1.0
Coder: f4k3 (or N1TR0)
Tools: SICE (additionally W32Dasm if you feel like it..)
Level: 1 (mebbe 2 if you go for keymaker)
Background: (Taken from xcrypt.nfo)
Well here it is final the offial Xcrypt crackme. I have made this
quite easy so that does not mean it is easy in Xcrypt! Just crack it and
send all the nfo on how you cracked it and so on to f4k3_chaos@hotmail.com
and if you make a Keymaker you will go straght into Xcrypt. Rember no
patching! Have Phun! ;)
Let's go!
You launch the crackme and see name & serial boxes.. i fill the boxes
Name: C_DKnight
Serial: 22446688
Since the creator tells me he coded this in Delphi, I know there prolly isnt
a "straight" breakpoint so we'll just bpx on hmemcpy.. SICE breaks 5 times!
Alrighty.. if you take the fifth call to hmemcpy and trace to the first call
you can check your serial and the correct one in cmp eax,ecx or something..
but thats not what we're after
BPX HMEMCPY and stop at the second call.. you'll be here: (after skipping RETs)
:00444099 0FB600 movzx eax, byte ptr [eax] <-- 1.
:0044409C 8BF0 mov esi, eax <-- 2.
:0044409E C1E602 shl esi, 02 <-- 3.
:004440A1 8D3476 lea esi, dword ptr [esi+2*esi] <-- 4.
Well well well.. doesnt it seem like the serial gen start.. yep :] Works like this:
1. Move the first char of your name to EAX
2. Store it in ESI
3. Shift ESI 2 times left (4 * ESI)
4. ESI * 3 and store result in ESI
If you scroll a bit down you'll see four of similar cals as this.. and if you were
observant in the beginning, the program only takes four first chars of your name
and calcs with them.. (cmp eax,4 -> jge ifnameentered>=4)
:004440B5 0FB64001 movzx eax, byte ptr [eax+01] <-- 1.
:004440B9 8D0480 lea eax, dword ptr [eax+4*eax] <-- 2.
:004440BC 8D0480 lea eax, dword ptr [eax+4*eax] <-- 3.
:004440BF 03F0 add esi, eax <-- 4.
1. Second char
2. EAX * 5
3. EAX * 5
4. EAX + ESI (ESI is the result of the first calc)
:004440D2 0FB64002 movzx eax, byte ptr [eax+02] <-- 1.
:004440D6 03C0 add eax, eax <-- 2.
:004440D8 03F0 add esi, eax <-- 3.
1. Third char to EAX
2. EAX * 2
3. EAX + ESI (ESI is the result of the previous calc now)
:004440EB 0FB64003 movzx eax, byte ptr [eax+03] <-- 1.
:004440EF 6BC00B imul eax, 0000000B <-- 2.
:004440F2 03F0 add esi, eax <-- 3
:004440F4 89354C684400 mov dword ptr [0044684C], esi <-- 4.
:004440FA A150684400 mov eax, dword ptr [00446850] <-- dont mind
:004440FF E8CC3BFCFF call 00407CD0 <-- these two
:00444104 8B154C684400 mov edx, dword ptr [0044684C] <-- 5.
:0044410A 0FAF154C684400 imul edx, dword ptr [0044684C] <-- 6.
:00444111 F7EA imul edx <-- 7.
1. Fourth and last char
2. EAX * 12 (0Bh = 12d)
3. EAX + ESI (Where ESI is again the previous result)
4. Store the current result in [0044684C]
5. Move the result to EDX
6. EDX * EDX
7. TheLengthOfYourName * EDX (Store the result in EAX)
Get it? I'll show the calcs for my name (every values are DECIMAL unless otherwise mentioned):
:00444099 0FB600 movzx eax, byte ptr [eax] <-- 67 (C) to EAX
:0044409C 8BF0 mov esi, eax
:0044409E C1E602 shl esi, 02 <-- 67 * 4 = 268
:004440A1 8D3476 lea esi, dword ptr [esi+2*esi] <-- 268 * 3 = 804
ESI = 804 at this point
:004440B5 0FB64001 movzx eax, byte ptr [eax+01] <-- 95 (_) to EAX
:004440B9 8D0480 lea eax, dword ptr [eax+4*eax] <-- 95 * 5 = 475
:004440BC 8D0480 lea eax, dword ptr [eax+4*eax] <-- 475 * 5 = 2375
:004440BF 03F0 add esi, eax <-- 2375 + 804 = 3179
ESI = 3179
:004440D2 0FB64002 movzx eax, byte ptr [eax+02] <-- 68 (D) to EAX
:004440D6 03C0 add eax, eax <-- 68 + 68 = 136
:004440D8 03F0 add esi, eax <-- 136 + 3179 = 3315
ESI = 3315
:004440EB 0FB64003 movzx eax, byte ptr [eax+03] <-- 75 (K) to EAX
:004440EF 6BC00B imul eax, 0000000B <-- 75 * 11 = 825
:004440F2 03F0 add esi, eax <-- 825 + 3315 = 4140
:004440F4 89354C684400 mov dword ptr [0044684C], esi
:004440FA A150684400 mov eax, dword ptr [00446850]
:004440FF E8CC3BFCFF call 00407CD0
:00444104 8B154C684400 mov edx, dword ptr [0044684C]
:0044410A 0FAF154C684400 imul edx, dword ptr [0044684C] <-- 4140 * 4140 = 17139600
:00444111 F7EA imul edx <-- 17139600 * 9 = 154256400
ESI = 154256400
So the correct serial in my case is 154256400
Have we got enough info for keygen? I'd say so.. I'll show you my source in lame VB5
(I have it in Delphi too.. but VB produces smaller EXEs and i cant do any other coding :))
You need two text boxes and one button for the code above.. just paste this code plus add the
remaining code in the button and you'll have a working keygen..
----------------------------------------------------------------------------------------------
name = Text1.Text
namelength = Len(Name) 'Get the length of the name entered
regchar = Mid(namelength, 1) 'Take the first char of it
ascchar = Asc(regchar) 'And its ascii value
num1 = ascchar * 4 'Do the calcs..
num1 = num1 * 3
sum1 = num1
regchar = Mid(namelength, 2) 'Take the second char..
ascchar = Asc(regchar)
num2 = ascchar * 5
num2 = num2 * 5
num2 = sum1 + num2
sum2 = num2
.........and so forth.. you get the basics..
reg = num4
Text2.Text = reg 'Display the Reg code in text2.text
----------------------------------------------------------------------------------------------
Final notes:
According to the .nfo file I could now join Xcrypt immediately.. heh.. :p
Also I must add this crackme was pretty kewl for newbies like me.. its easy
to learn from a crackme like this
-C_DKnight, at c_dknight@iobox.com / c_dknight@hotmail.com
ps. uuh.. dont mind if i was a bit drunk whilst writing this tute.. i wasnt badly affected :)
Greets to following ppl:
AB4DS, r!SC, Dead-Mike, NrOC, Warezpup, Hutch, [yAtEs], [E_BLiss], [LaZaRuS], SeKt0r, nchanta,
Icecream, |Xmen|, LordOfLA, F0dder, Predator, aCiDHaC, ACiD BuRN, DnNuke, noos, nu, Thesmurf,
defiler, Sinn0r, ^tCM^, Norika, cTT, Weazel, MisterE, Dawai, RevX, Maybird, BlackBird, FireWorx,
SheeP14o, extasy_, KaOsAuS, _zoltan, Torn@do, ByteBurn, Miscreant, croc, Br4t, [ViKiNg], N|Te,
=Metal=, B|aze, Moredhel, Seffren, Speedsta, Rad|cal, [Daze], VisionZ, KaKTuZ, Stilgreen,
Kwazy Webbit, Falcon, Gandalf plus all my friends at #cracking4newbies and other chans..
and greets to those I forgot
Written on 5th of May 2000
------------------------
A lame tute by C_DKnight
^^^^^^^^^^^^^^^^^^^^^^^^
Target: Classify 98 1.04
Toolz: SICE, W32Dasm
Level: 1
Protection: Serial
URL: www.trellian.com/classify
Some words before we start
W00p, it seems like we got some time to do this little crack before South Park's on TV. Let us
be hasty this time :) But let's get to the biznezz shall we.. I fill the reg boxes with this
stuff:
Name: C_DKnight
Serial: 22446688
I try my favorite breakpoints of which GetDlgItemTextA seems to be the correct one
BPX GetDlgItemTextA -> breaks twice coz of two reg boxes
As always we're more interested on the second break than the first one (coz usually the serial
is calc'ed during the second break, and the first break gets just the name)...
NOTE! This is a pretty long code listing - yet easy to understand - so if you don't feel like
cracking right now quit and come back later. Get some refreshments, c00l out your brains
whatever Also I know the code below is very messy.. but I hope you can get the important parts
out
:0040EEAC FFD6 call esi <-- this calls GetDlgItemTextA
:0040EEAE 8D442410 lea eax, dword ptr [esp+10] <-- you are here (your serial in [esp+10]
:0040EEB2 6A52 push 00000052
:0040EEB4 50 push eax
:0040EEB5 E806EB0000 call 0041D9C0
:0040EEBA 59 pop ecx
:0040EEBB BEE0DB4200 mov esi, 0042DBE0
:0040EEC0 85C0 test eax, eax
:0040EEC2 59 pop ecx
:0040EEC3 742E je 0040EEF3 <-- this'll jump
This is the usual start.. trace on til u get here:
:0040EF17 E828080000 call 0040F744 <-- this is actually the call we're interested in
:0040EF1C 83C410 add esp, 00000010 <-- tidy up stack
:0040EF1F 85C0 test eax, eax <-- test if valid reg
:0040EF21 7544 jne 0040EF67 <-- nope, it aint
Very common piece of code. Call to serial calculation/checking. After it's done test it (test
eax,eax) and jump (jne 0040EF67) according to the test. But the main interest is of course in
behind the call which we have to trace: (I cut some code from the beginning)
:0040F763 803E43 cmp byte ptr [esi], 43 <-- compare 43h (C) to first char
:0040F766 7512 jne 0040F77A <-- jump if they dont match
:0040F768 807E0145 cmp byte ptr [esi+01], 45 <-- compare 45h (E) to second char
:0040F76C 750C jne 0040F77A <-- jump if they dont match
:0040F76E C70560A4420001000000 mov dword ptr [0042A460], 00000001 <-- set flag for succesful
:0040F778 EB07 jmp 0040F781 start :)
Ok. This a little piece of the serial (in fact the beginning of it). First the routine will
compare your serial's first char to 43 (43h = C) and jumps away if it doesnt' match. Another
compare followed immediately but this time compare the second char to 45h = E. When the two
checks are passed succesfully, flag is set and you'll jump out of the routine.
You will jump here if the values matched:
:0040F781 803E43 cmp byte ptr [esi], 43 <-- confirm
:0040F784 0F850D010000 jne 0040F897
:0040F78A 8A4601 mov al, byte ptr [esi+01] <-- some more
:0040F78D 3C57 cmp al, 57 <-- stuff
:0040F78F 7408 je 0040F799 <-- which we
:0040F791 3C45 cmp al, 45 <-- dont care about
:0040F793 0F85FE000000 jne 0040F897
:0040F799 6A2D push 0000002D <-- push "-"
:0040F79B 56 push esi <-- push the serial onto stack
:0040F79C E85FE60000 call 0041DE00 <-- do some checks
:0040F7A1 59 pop ecx
:0040F7A2 59 pop ecx
:0040F7A3 85C0 test eax, eax <-- check
:0040F7A5 56 push esi
:0040F7A6 0F84EC000000 je 0040F898 <-- yes good serial so far
Ok, here goes another call at 40F79C which we're interested in. Notice push 2D.. But trace
the call now:
*Again some pieces cut*
:0041DE12 8A450C mov al, byte ptr [ebp+0C] <-- [ebp+0C] holds "-", move it to al
:0041DE15 FD std
:0041DE16 F2 repnz
:0041DE17 AE scasb
:0041DE18 47 inc edi
:0041DE19 3807 cmp byte ptr [edi], al <-- compare al to [edi]
:0041DE1B 7404 je 0041DE21 <-- jump if the values match
:0041DE1D 33C0 xor eax, eax
:0041DE1F EB02 jmp 0041DE23
As you can see the cmp syntax: compare al (-) to [edi] (C)
If the values match (there has to be "-" in the serial after CE: CE-1234567890 eg.)
you'll arrive here shortly:
:0040F81D 8B5508 mov edx, dword ptr [ebp+08] <-- name to edx 1.
:0040F820 8A0A mov cl, byte ptr [edx] <-- the current char to cl 2.
:0040F822 84C9 test cl, cl <-- test if it matches 3.
:0040F824 7412 je 0040F838 <-- nope, dont jump 4.
:0040F826 33C0 xor eax, eax <-- zero out eax 5.
:0040F828 80C10C add cl, 0C <-- add 12 to the current char 6.
:0040F82B 304C05F8 xor byte ptr [ebp+eax-08], cl <-- xor 0 with [ebp+eax-8] 7.
:0040F82F 40 inc eax <-- increase counter 8.
:0040F830 83F804 cmp eax, 00000004 <-- all done? 9.
:0040F833 7CF6 jl 0040F82B <-- not yet, loop 10.
:0040F836 EBE8 jmp 0040F820 <-- loop back to start (40F820) 11.
This is the essential point when considering the serial, because it's generated here. Works
somehow like this:
1. Move the name to edx
2. Move the current character (1st, 2nd, 3rd etc.) from your name to cl
3. Test if it's same with some other character
4. No it's not (in our case), go on
5. Zero out EAX -> means EAX becomes 0
6. add 0Ch (12 in decimal) to the current char (which is in cl) eg. -> 43 (C) + 12 = 55
7. Xor the character (55 eg.) with the value in [ebp+eax-08]
8. Increase counter (first number done, second done, third done etc.) by one
9. Compare 4 to EAX (EAX is the counter)
10. If EAX is less than 4, jump back to 40F82B and go thru this routine until EAX is 4
11. Move onto next character until all characters in your name are xor'ed.
This is how the xoring happens with my name (C_DKnight)
1. BD A1 BC B5 <-- this is the starting value in [ebp+eax-8]
2. F2 EE F3 FA <-- you'll get these values after xoring C
3. 99 85 98 91 <-- these after _
4. C9 D5 C8 C1 <-- with D
5. 9E 82 9F 96 <-- K
6. E4 F8 E5 EC <-- etc.
7. 91 8D 90 99
8. E2 FE E3 EA
9. 96 8A 97 9E
= 16 0A 17 1E -> reverse this = 1E170A16
Yeah, this is the serial generation routine. See it for yourself to fully understand it.
You have to figure out the correct serial yourself.. but I can give ya few hints:
1. You should find out the correct serial is 10 chars long
2. Remember to add CE- in the beginning..
Final Notes:
Not a moment too early I could say, South Park's on TV any minute now and we're finished with
this tute. I think I learnt alot from this app and I suggest you SHOULD TRACE IT TOO, not just
read my notes. I guarantee you'll understand it much better than you do by looking at the code
listing. This in fact my first tute in which I show the serial generation, yet i don't know if
its correct but I'm satisfied with it :) if you feel/know I made a mistake somewhere plz let
me know
-C_DKnight, c_dknight@iobox.com
I'd like to greet all my friends:
AB4DS, r!SC, Dead-Mike, NrOC, Warezpup, Hutch, [yAtEs], [E_BLiss], [LaZaRuS], Doufas, SeKt0r,
nchanta, Icecream, |Xmen|, LordOfLA, F0dder, Predator, aCiDHaC, ACiD BuRN, X-Calibre, DnNuke,
noos, nu, Thesmurf, defiler, Sinn0r, ^tCM^, Norika, cTT, Weazel, MisterE, Dawai, RevX, Maybird,
BlackBird, FireWorx, SheeP14o, extasy_, KaOsAuS, _zoltan, Torn@do, ByteBurn, Miscreant, croc,
Br4t, [ViKiNg], N|Te, Phrekie, =Metal=, B|aze, Moredhel, Seffren, Dafoe, Speedsta, Rad|cal,
[Daze], VisionZ, KaKTuZ, Stilgreen, Kwazy Wabbit plus everyone else at #cdrinfo,
#cracking4newbies and other chans.. and of course those whom I forgot, my deepest apologies
Target: Xara 3D 3.04 (there might be newer version(s) around..)
Tools: SICE, W32Dasm for code listing
Level: ? (i can't tell since I didn't "fully" complete this)
Protection: Some nice calcs..
Background:
I think most of you know what is Xara 3D, so I won't go into deeper details
Add-on after going thru the whole process:
This program proved to be more challenging I had anticipated in the first place, so I think
I have to say I DID NOT fully complete this program since I really don't know how to reverse
the correct serial. If you think you can help me out plz contact me, see my e-mail at EOF
Ok, the program asks you to enter a serial. I can spare you by telling the correct breakpoint
which is GetWindowTextA.
You'll land here:
* Reference To: USER32.GetWindowTextA, Ord:013Fh
|
:0048E23A FF15100D5100 Call dword ptr [00510D10]
:0048E240 8B4D10 mov ecx, dword ptr [ebp+10] <-- here!
You have to trace quite a lot until you come across the serial comparison (notice comparison :))
I suppose I could spare you again by telling the address (on my comp at least) where the serial
comparison begins -> 40FA31: (lots of code yet easy to understand and follow on)
:0040FA31 3958F8 cmp dword ptr [eax-08], ebx <-- 1.
:0040FA34 0F85DC010000 jne 0040FC16 <-- beggar off 2.
:0040FA3A 0FBE10 movsx edx, byte ptr [eax] <-- [eax] holds the first char of
:0040FA3D 52 push edx your serial
:0040FA3E E89D7E0500 call 004678E0 <-- 3.
:0040FA43 83C404 add esp, 00000004
:0040FA46 85C0 test eax, eax <-- 4.
:0040FA48 0F84C8010000 je 0040FC16 <-- beggar off
:0040FA4E 8B842440010000 mov eax, dword ptr [esp+00000140] <-- it did
:0040FA55 0FBE4801 movsx ecx, byte ptr [eax+01]<-- 5.
:0040FA59 51 push ecx
:0040FA5A E8817E0500 call 004678E0 <-- compare
:0040FA5F 83C404 add esp, 00000004
:0040FA62 85C0 test eax, eax <-- test
:0040FA64 0F84AC010000 je 0040FC16 <-- beggar off
:0040FA6A 8B942440010000 mov edx, dword ptr [esp+00000140] <-- etc.
:0040FA71 0FBE4202 movsx eax, byte ptr [edx+02]
:0040FA75 50 push eax
:0040FA76 E8657E0500 call 004678E0
:0040FA7B 83C404 add esp, 00000004
:0040FA7E 85C0 test eax, eax
:0040FA80 0F8490010000 je 0040FC16
:0040FA86 8B8C2440010000 mov ecx, dword ptr [esp+00000140]
:0040FA8D 0FBE5103 movsx edx, byte ptr [ecx+03]
:0040FA91 52 push edx
:0040FA92 E8497E0500 call 004678E0
:0040FA97 83C404 add esp, 00000004
:0040FA9A 85C0 test eax, eax
:0040FA9C 0F8474010000 je 0040FC16
:0040FAA2 8B842440010000 mov eax, dword ptr [esp+00000140]
:0040FAA9 0FBE4804 movsx ecx, byte ptr [eax+04]
:0040FAAD 51 push ecx
:0040FAAE E82D7E0500 call 004678E0
:0040FAB3 83C404 add esp, 00000004
:0040FAB6 85C0 test eax, eax
:0040FAB8 0F8458010000 je 0040FC16
:0040FABE 8B942440010000 mov edx, dword ptr [esp+00000140]
:0040FAC5 0FBE4205 movsx eax, byte ptr [edx+05]
:0040FAC9 50 push eax
:0040FACA E8117E0500 call 004678E0
:0040FACF 83C404 add esp, 00000004
:0040FAD2 85C0 test eax, eax
:0040FAD4 0F843C010000 je 0040FC16
:0040FADA 8B8C2440010000 mov ecx, dword ptr [esp+00000140]
:0040FAE1 0FBE5106 movsx edx, byte ptr [ecx+06]
:0040FAE5 52 push edx
:0040FAE6 E8F57D0500 call 004678E0
:0040FAEB 83C404 add esp, 00000004
:0040FAEE 85C0 test eax, eax
:0040FAF0 0F8420010000 je 0040FC16
Conditional jump to 40FC16 is the beggar off jump.. the routine is very simple:
1. Compare the length of your serial to the real serial
2. Beggar off if your serial is longer/shorter than the real one
Goto number 3 when your serial matches the real one (from its length)
3. Compare the first letter of your serial to a valid char
4. Beggar off if the first letter in your serial sux ass (read: is wrong :))
If your char matches the real one goto 5
5. Repeat all the stuff for remaining chars..
BUT.. its not all here.. if u were blind and didn't notice the chars you had to use were the
given unlock key (in my case JVHCLIH).. see this last part:
:0040FAF6 8B842440010000 mov eax, dword ptr [esp+00000140]
:0040FAFD 0FBE4804 movsx ecx, byte ptr [eax+04]
:0040FB01 0FBE5006 movsx edx, byte ptr [eax+06]
:0040FB05 8D0C49 lea ecx, dword ptr [ecx+2*ecx]
:0040FB08 8D0CCA lea ecx, dword ptr [edx+8*ecx]
:0040FB0B 0FBE5002 movsx edx, byte ptr [eax+02]
:0040FB0F 8D0C49 lea ecx, dword ptr [ecx+2*ecx]
:0040FB12 8D0CCA lea ecx, dword ptr [edx+8*ecx]
:0040FB15 0FBE5005 movsx edx, byte ptr [eax+05]
:0040FB19 8D0C49 lea ecx, dword ptr [ecx+2*ecx]
:0040FB1C 8D0CCA lea ecx, dword ptr [edx+8*ecx]
:0040FB1F 0FBE10 movsx edx, byte ptr [eax]
:0040FB22 8D0C49 lea ecx, dword ptr [ecx+2*ecx]
:0040FB25 8D0CCA lea ecx, dword ptr [edx+8*ecx]
:0040FB28 0FBE5001 movsx edx, byte ptr [eax+01]
:0040FB2C 8D0C49 lea ecx, dword ptr [ecx+2*ecx]
:0040FB2F 8D0CCA lea ecx, dword ptr [edx+8*ecx]
:0040FB32 0FBE5003 movsx edx, byte ptr [eax+03]
:0040FB36 8D0C49 lea ecx, dword ptr [ecx+2*ecx]
:0040FB39 8D84CA67216BFB lea eax, dword ptr [edx+8*ecx-0494DE99]
:0040FB40 8BD5 mov edx, ebp
:0040FB42 8BCD mov ecx, ebp
:0040FB44 D1EA shr edx, 1
:0040FB46 81E155555555 and ecx, 55555555
:0040FB4C 81E255555555 and edx, 55555555
:0040FB52 8D0C4A lea ecx, dword ptr [edx+2*ecx]
:0040FB55 69C951ED8764 imul ecx, 6487ED51
:0040FB5B 3BC1 cmp eax, ecx <-- does the serial match or not?
:0040FB5D 0F85B3000000 jne 0040FC16 <-- no it does not, beggar off l0zer
Wh0a! Helluva calcs I must say.. If you trace the whole computing you'll end up
in the comparing (40FB5D) with some weird values in eax & ecx of which the eax (i think) is
the correct value and ecx is the one built from your serial. Now these numbers have to match
in order to unlock the program. .. Only problem is how the hell you get the numbers to match
(w/out any patching!)
Heh.. you tell me.. I can admit I couldn't work out the good serial
but had to patch (but hey, it works even with patching)..
I think it's possible to reverse the mathematics to get the correct serial but that requires
a good mathematic brain which I know I don't have :) Mebbe if you wrote a program of your own
to produce you the correct key... I dunno, if u happen to know I'd appreciate if you could
share the info with me :)
-C_DKnight
c_dknight@iobox.com
Target: Anonymous Crackme (i dunno who made it)
Tools: SICE, W32Dasm
Level: 1
Protection: Name/Serial
Background:
I'd remember I received this crackme a very long time ago from some guy via e-mail
I think he told me he had written a crackme and wanted me to explain how it works
.. (???).. at the time then I tried my best but no.. i couldnt crack it.. and now
today I found out I still had this crackme on my hd and since I felt i could give
it another shot i decided to try it again, after a long time.. and guess what?
It proved to be a hell easy :) (lets face the reality, took me almost 5 mins ;))
I don't know where to get this crackme or who coded it but I'll show how it works
nevertheless. I think it's a good exercise
As you launch the crackme it asks your name and serial, I enter:
C_DKnight
22446688
No msgboxes.. a text appears a bit below the boxes saying NO. Ok we need hmemcpy bpx
BPX HMEMCPY, breaks ten times (press f5 until your out of SICE and count them)..
so I stop at nine, trace back to main program (F12 or F10) and get here:
:0042892E 8A4410FF mov al, byte ptr [eax+edx-01] <-- 1.
(you're here!)
:00428932 34FF xor al, FF <-- 2.
:00428934 25FF000000 and eax, 000000FF <-- 3.
:00428939 03F8 add edi, eax <-- 4.
:0042893B FF45F8 inc [ebp-08] <-- 5.
:0042893E 4B dec ebx <-- 6.
:0042893F 75D9 jne 0042891A <-- 7.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00428911(C)
|
:00428941 81F7FFFF0000 xor edi, 0000FFFF <-- 8.
:00428947 3B7DFC cmp edi, dword ptr [ebp-04] <-- 9.
Looks simple huh? Believe me it was almost a year ago when i didnt
understand the
whole thing at all, well now i think i get the whole routine
1. [eax+edx-1] holds the current char (eg. C, D, _ etc.) in your name, move it to al
2. Xor FF with the char (C, D, _ etc.), note that the remainder is stored in eax
3. Add FF (255) to eax
4. Store the value in EAX to EDI (!)
5. Increase counter
6. Decrease the other counter
7. Loop back until all chars in your name done
8. Xor FFFF with the value in EDI
9. Compare [ebp-4] (your serial) to EDI (real serial)
So if you do ? EDI at :00428947 you can see the correct serial which is 64083 for me
If you know any coding language well enough you could translate the above to a working
keygen
-C_DKnight
Special Greeting to the fella I got this crackme from, if your reading this plz get in
touch :)
You know the greetings already I believe :)
But I wish to greet everyone on efnet IRC, #cracking4newbies
If you feel like talking to me find me on the chan above or mail me at
c_dknight@iobox.com
I really hope you've enjoyed this tutorial as much as I did!
Don't miss Tutor #82 soon! ;)
Credits goto:
bM[tfgx] for Splash Logo.
C_DKnight for providing 5 tuts in this version.
To ALL the crackers: You are welcome to send me your tutors
to publish them .. see below for my email address!
*** 95 chars per line in textfile please! ***
And all the tutors can be found at:
http://www.crackersinaction.org
(or on IRC, ask CiA ops for urls!)
Greetz goto all my friends!
You can find me on IRC or email me at tkc@reaper.org
Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000
Compiled with Delphi 5 on 17 May 2000
Cracking Tutorial #81 is dedicated to Sonia...