CrackMe® Practices for Newbies
PROJECT 8: Conquer by MisterE

Re: TASK 2 Woo Hoo
Friday, 19-Mar-99 08:08:26

    It has everything to do with it!

    This battle uses a keyfile, '1.123'.
    The 'OK' button is hardcoded with the fail message. The serial is actually checked when you press 'cancel'!

    After pressing 'cancel', CreateFileA is called, which doesn't create a file but checks for the file '1.123', then opens it. _lread is then called, which reads 14h bytes into :00403634.

    401B05 PUSH 004031BF <--------FILENAME"1.123"
    401B0A CALL 'CreateFileA' <----OPEN file

    401B0F PUSH 0014 <---------LENGTH to read (hex)
    401B11 PUSH 00403634 <-------LOC to read to
    401B16 PUSH EAX <----------FILE handle
    401B17 CALL '_lread'

    ECX, EDX and EBX are set to zero before some calculations are made using the contents of the keyfile (I think). That leaves a value in ECX, which is PUSHed for later use.

    :00401B2D add ecx, dword ptr [eax+00403634]
    :00401B33 add bl, byte ptr [eax+00403634] <---CAN someone explain exactly what these two adds do? Neither ecx, eax nor bl seems to be affected??

    :00401B39 shl ebx, 1
    :00401B3B add ecx, ebx
    :00401B3D rol ecx, 1
    :00401B3F sub eax, 00000004 <-------EAX starts as 14h, so 5 times through will hit zero
    :00401B42 add ecx, 004D7245
    :00401B48 add ecx, 00003B29

    :00401B4E or eax, eax
    :00401B50 jne 00401B2D <-- do it again until eax is zero.
    :00401B52 push ecx <-----KEEP for later comparison.

    'SendDlgItemMessageA' is then called twice, once to find out how long our serial is, then again to read our serial + 1 blank byte (00) to :00403835.


    :00401B77 Call 'SendDlgItemMessageA' <-----THIS is the second one
    :00401B7C cmp eax, 00000000
    :00401B7F jbe 00401BD7
    :00401B81 push 00403634 <-----LOCN of keyfile contents
    :00401B86 push 00403835 <-----LOCN of typed serial


    :00401B8B Call 'lstrcmpA' <----THIS compare is a red herring. The result in EAX is wiped straight after.

    :00401B90 xor eax, eax
    :00401B92 xor ebx, ebx
    :00401B94 xor edx, edx
    :00401B96 jmp 00401BB1 <--NOW on to the real validation routine.


    The following routine reads each character of the entered serial and checks if it is a number between 0 and 9; if it's not, it goes to the next character. If it is, it uses it in a calculation.
    At the end it compares eax with the value of ecx that was pushed earlier.

    :00401B98 mov bl, byte ptr [edx+00403835]
    :00401B9E inc edx
    :00401B9F cmp bl, 2F
    :00401BA2 jbe 00401BB1 <------JMP if lower than '0'
    :00401BA4 cmp bl, 3A
    :00401BA7 jnb 00401BB1 <------JMP if higher than '9'

    :00401BA9 imul eax, 0000000A <---- multiply eax by A
    :00401BAC sub bl, 30 <----CONVERT ascii to decimal
    :00401BAF add eax, ebx


    :00401BB1 cmp byte ptr [edx+00403835], 00 <----IS next character null?
    :00401BB8 jne 00401B98 <---IF not, go through the calc again.

    This leaves a number in eax that was calculated from the serial you entered.

    :00401BBA pop ecx <---------POP the number that was calculated from the keyfile.
    :00401BBB cmp eax, ecx <-----COMPARE with number calculated from serial
    :00401BBD jne 00401BD7 <-----IF not equal, exit quietly.

    :00401BBF mov eax, 00403570 <---"orrect Serial"
    :00401BC4 dec eax <----------MOVES eax back to "Correct Serial", which is the title for the congratulations messagebox.

    :00401BC5 mov ebx, 0040354F <----"ou have conquered this crackme"
    :00401BCA dec ebx <----------MOVES ebx back to "You have......", text for message box.

    :00401BCB push 00000000
    :00401BCD push eax
    :00401BCE push ebx
    :00401BCF push [ebp+08]

    :00401BD2 Call 'MessageBoxA'

    So if you had the time you could figure out a valid serial/keyfile combination, or you could patch :00401BBD jne to je.

    Tired now, must rest.



    Sherwood

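Added example, not part of Sherwood's post or of the crackme itself: a Python model of the two routines traced above, so the keyfile-to-serial relationship can be tried on a real keyfile instead of patching the jne. The loop models exactly the instructions listed at :00401B2D..:00401B50 and :00401B98..:00401BB8 with 32-bit wrap-around; the constants, the 14h read length and the start value of EAX are taken from the post. Two things are assumptions of this model, not facts from the post: that the buffer at :00403634 is followed by zero bytes (with EAX starting at 14h, the first pass reads the four bytes just past what _lread filled, which in this model adds nothing), and that a keyfile shorter than 14h bytes leaves the rest of the buffer zero. The 20-byte sample keyfile is constructed for the demonstration.

```python
"""Model of the 'Conquer' keyfile check reconstructed from the post above.

Added example; not code from the crackme or from the post. Assumptions
(not stated in the post): the buffer at 00403634 is zero past the 14h
bytes _lread filled, and a short keyfile leaves the remainder zero.
"""

MASK32 = 0xFFFFFFFF
KEYFILE_LEN = 0x14            # PUSH 0014 before _lread
ADD_CONST_1 = 0x004D7245      # add ecx, 004D7245
ADD_CONST_2 = 0x00003B29      # add ecx, 00003B29


def rol32(value: int, count: int) -> int:
    """32-bit rotate left, as the ROL instruction does it."""
    count &= 31
    return ((value << count) | (value >> (32 - count))) & MASK32


def keyfile_checksum(keyfile: bytes) -> int:
    """Loop at 00401B2D..00401B50; returns the value pushed at 00401B52."""
    # Buffer at 00403634: 14h file bytes, zero padded (assumption, see above).
    buf = keyfile[:KEYFILE_LEN].ljust(KEYFILE_LEN, b"\x00") + b"\x00" * 4
    ecx = 0
    ebx = 0
    eax = KEYFILE_LEN                                     # EAX starts as 14h
    while True:
        dword = int.from_bytes(buf[eax:eax + 4], "little")
        ecx = (ecx + dword) & MASK32                      # add ecx, dword ptr [eax+403634]
        bl = ((ebx & 0xFF) + buf[eax]) & 0xFF             # add bl, byte ptr [eax+403634]
        ebx = (ebx & 0xFFFFFF00) | bl                     # (only the low byte wraps)
        ebx = (ebx << 1) & MASK32                         # shl ebx, 1
        ecx = (ecx + ebx) & MASK32                        # add ecx, ebx
        ecx = rol32(ecx, 1)                               # rol ecx, 1
        eax -= 4                                          # sub eax, 4
        ecx = (ecx + ADD_CONST_1) & MASK32                # add ecx, 004D7245
        ecx = (ecx + ADD_CONST_2) & MASK32                # add ecx, 00003B29
        if eax == 0:                                      # or eax, eax / jne
            return ecx


def serial_value(serial: str) -> int:
    """Loop at 00401B98..00401BB8: decimal digits accumulate into EAX,
    every other character is skipped, so '1-2-3' equals '123'."""
    eax = 0
    for ch in serial.encode("latin-1"):
        if 0x30 <= ch <= 0x39:                            # between '0' and '9'
            eax = (eax * 10 + (ch - 0x30)) & MASK32       # imul eax, 0Ah / add eax, ebx
    return eax


def check(keyfile: bytes, serial: str) -> bool:
    """cmp eax, ecx at 00401BBB. An empty serial fails at the jbe after the
    second SendDlgItemMessageA; the lstrcmpA result is discarded, so it is
    not modelled."""
    if not serial:
        return False
    return serial_value(serial) == keyfile_checksum(keyfile)


def make_serial(keyfile: bytes) -> str:
    """Shortest valid serial: the checksum written in decimal. Any digit
    string with the same value mod 2^32 passes as well (imul/add wrap)."""
    return str(keyfile_checksum(keyfile))


# Constructed 20-byte keyfile for the demonstration; any content works.
SAMPLE_KEYFILE = b"Sherwood-Conquer1999"

if __name__ == "__main__":
    serial = make_serial(SAMPLE_KEYFILE)
    print(f"checksum 0x{keyfile_checksum(SAMPLE_KEYFILE):08X} -> serial {serial}")
    print("accepted:", check(SAMPLE_KEYFILE, serial))
    print("with dashes:", check(SAMPLE_KEYFILE, "-".join(serial)))
```

Write the sample bytes to a file named 1.123 next to the crackme and type the printed serial, then press 'cancel' as the post explains. Because the serial routine ignores anything that is not a digit and reduces the value mod 2^32, many strings map to the same number, which is why a keygen only needs the checksum and not a search.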
