Win Code Reversing

MexElite's Crackme V1.0
("Very simple serial protection")
Written by Borna Janes

Program Details
Tools: Softice 3.2 - Debugger, W32Dasm V8.9 - Disassembler

There is a crack, a crack in everything. That's how the light gets in.
 
 
When you press the "CHECK IT" button you'll see a GOOD or BAD serial message appear in the second text box.
GOOD MESSAGE = "Thanks you made it"
BAD MESSAGE = "Wrong Code DUDE"
Of course you locate the "Thanks you made it" message... if not, locate it now!
Now make a dead listing of the crack1.exe file and open crack1.alf with WordPad (or another editor).
Select Edit... Find... "Thanks you made it"!
Here is the code that you'll see:
 
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D541(C)
|
* Possible StringData Ref from Code Obj ->"Thanks you made it"
                                  |
:0042D555 BABCD54200              mov edx, 0042D5BC
:0042D55A 8B83E8010000            mov eax, dword ptr [ebx+000001E8]
:0042D560 E853CCFEFF              call 0041A1B8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D553(U)
|
:0042D565 33C0                    xor eax, eax
:0042D567 5A                      pop edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D4F9(C)
|
:0042D568 59                      pop ecx
:0042D569 59                      pop ecx
:0042D56A 648910                  mov dword ptr fs:[eax], edx
We can see that the function which pops up the "Thanks you made it" text is reached by the (C)onditional jump at 42D541!
Of course, you think the same as I do! :)
There at 42D541 is some comparison routine, and after it a jump to "Thanks you made it" if the serial is correct!
Ok, let's now backtrace the code (all in WordPad).
Go back until you get somewhere around 42D541.
You'll see this part of code:
 
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D4A2(C)
|
:0042D518 33C0                    xor eax, eax
:0042D51A 55                      push ebp
:0042D51B 687BD54200              push 0042D57B
:0042D520 64FF30                  push dword ptr fs:[eax]
:0042D523 648920                  mov dword ptr fs:[eax], esp
:0042D526 8D55FC                  lea edx, dword ptr [ebp-04]
:0042D529 8B83DC010000            mov eax, dword ptr [ebx+000001DC]
:0042D52F E854CCFEFF              call 0041A188
:0042D534 8B45FC                  mov eax, dword ptr [ebp-04]

* Possible StringData Ref from Code Obj ->"Benadryl"    ;...mmmm something STRANGE!?!? :)
                                  |
:0042D537 BA90D54200              mov edx, 0042D590
:0042D53C E88F63FDFF              call 004038D0
:0042D541 7412                    je 0042D555

* Possible StringData Ref from Code Obj ->"Wrong Code DUDE"
                                  |
:0042D543 BAA4D54200              mov edx, 0042D5A4
:0042D548 8B83E8010000            mov eax, dword ptr [ebx+000001E8]
:0042D54E E865CCFEFF              call 0041A1B8
:0042D553 EB10                    jmp 0042D565
Hmmm, what can this "Benadryl" string be???
Let's guess! Maybe Clinton's lover?.. No!... Maybe some actress??.. No!... Maybe the new M$oft name??.. Maybe!... Maybe the correct serial??... YES!!!
Ok, maybe this is our correct serial.
Load the program, type "Benadryl" and press the "CHECK IT" button.
Well done!.. you found the correct serial. It was hard, wasn't it??
This program really has very simple protection, based on a serial number!
We can find the correct serial without the help of Softice, but if you haven't got W32Dasm :-) here is how we can find the correct serial with Softice:
Load the program and enter any random serial.
Pop up Softice ("CTRL-D") and set a breakpoint on the hmemcpy function ("BPX HMEMCPY").
Leave Softice ("CTRL-D") and press the "CHECK IT" button.
Softice will break at the beginning of the hmemcpy function!
First disable the breakpoint on hmemcpy with "BD *".
Now press "F11" once, "F12" six times, and type "BPX 42D534".
Press "CTRL-D" again.
You'll see this part of code:
:0042D529 8B83DC010000            mov eax, dword ptr [ebx+000001DC]
:0042D52F E854CCFEFF              call 0041A188
:0042D534 8B45FC                  mov eax, dword ptr [ebp-04]          ;EAX = your "fake" serial
:0042D537 BA90D54200              mov edx, 0042D590                    ;EDX = correct serial
:0042D53C E88F63FDFF              call 004038D0                        ;Compare them
:0042D541 7412                    je 0042D555                          ;If our serial is correct then jump
:0042D543 BAA4D54200              mov edx, 0042D5A4
:0042D548 8B83E8010000            mov eax, dword ptr [ebx+000001E8]
:0042D54E E865CCFEFF              call 0041A1B8
That was the second way to get the correct serial number!
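Both walkthroughs above find the serial because it is stored as a plaintext literal right next to the "Wrong Code DUDE" / "Thanks you made it" messages. The following added example (not part of the original essay, and not the crackme's code) is the check a developer would run on their own build: a `strings`-style scan over a constructed stand-in for the code section, a proximity heuristic that flags literals sitting near the result messages, and the plaintext compare beside an assumed digest-based variant that keeps the serial itself out of the binary.

```python
"""Added example: does a binary leak its serial as a plaintext literal?"""
import hashlib
import re

# Constructed stand-in for a code/data section of crack1.exe: the three
# literals the essay finds, separated by filler bytes. Not the real file.
PLAIN_IMAGE = (
    b"\x00" * 16 + b"Benadryl\x00" + b"\x90" * 11
    + b"Wrong Code DUDE\x00" + b"\x90" * 8
    + b"Thanks you made it\x00" + b"\x00" * 16
)
RESULT_MESSAGES = {"Wrong Code DUDE", "Thanks you made it"}


def extract_strings(image: bytes, min_len: int = 4):
    """(offset, text) for every run of printable ASCII, like the `strings` tool."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(image)]


def candidate_serials(image: bytes, messages=frozenset(RESULT_MESSAGES), window: int = 64):
    """Literals that sit within `window` bytes of a known result message.

    In the essay the correct serial is referenced immediately before the
    "Wrong Code DUDE" / "Thanks you made it" code, so proximity is the cue.
    """
    found = extract_strings(image)
    anchors = [off for off, s in found if s in messages]
    return sorted({s for off, s in found
                   if s not in messages and any(abs(off - a) <= window for a in anchors)})


def check_serial_plain(user_input: str) -> bool:
    """The pattern the crackme uses: compare the input with a literal (leaks it)."""
    return user_input == "Benadryl"


# Assumed hardened variant: only a SHA-256 digest of the serial is embedded,
# so a string scan of the binary yields the hex digest, not the serial.
SERIAL_DIGEST = hashlib.sha256(b"Benadryl").hexdigest()


def check_serial_hashed(user_input: str) -> bool:
    """Same decision as check_serial_plain, without storing the serial itself."""
    return hashlib.sha256(user_input.encode()).hexdigest() == SERIAL_DIGEST


if __name__ == "__main__":
    print("plaintext build leaks:", candidate_serials(PLAIN_IMAGE))
    hashed_image = PLAIN_IMAGE.replace(b"Benadryl", SERIAL_DIGEST.encode())
    print("digest build leaks:", candidate_serials(hashed_image))
```

The digest variant only removes the cleartext serial; the conditional jump after the compare is still there to be patched, which is the other half of why the essay calls this protection very simple.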
 
Great thanks to Eternal Bliss for the best resource of crackme programs!
 
 
Do I really have to remind you all that buying and NOT stealing the software you use will ensure that these software houses are encouraged to produce even *better* software for us to use and enjoy?
Ripping off software through serials and cracks is for lamers..
If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.
 
Essay by: Borna Janes
Page Created: 2nd January 1999