CrackMe® Practices for Newbies
PROJECT 8: Conquer by MisterE

LiXuS thread (solution of the 2nd battle)
Friday, 19-Mar-99 11:02:53

    Hi everyone!!

    This thread is about the second battle, the one I think is the best =)

    Well, I hope I don’t say too much that has already been said..

    Anyway, to explain this battle in short, I’ll just say:

    1: It needs a 20-byte-long keyfile; the name of the file is 1.123
    2: Your name doesn’t seem to bother the protection scheme.
    3: The protection triggers when u step on the Cancel button.
    4: The serial u enter and the data in the file are mixed and compared.
    5: There are some fake compares also, not too hard to find.

    NOTE!!

    Now u can crack this protection scheme in two ways:

    1: U can make a serial of your choice and make the keyfile data depend on that
    2: Or u can make a keyfile with, for example, your name in it and make the serial depend on that

    I cracked the proggie with method nr 2.. I think it’s better because then u can have your name in the
    keyfile, and it’s also easier to do. I think anyway!!

    SO let’s begin, enter some data in the fields:
    LiXuS and 12341234
    Then make a fake keyfile starting with LiXuS followed by 15 null bytes and name it 1.123

    4C69587553000000000000000000000000000000 LiXuS……………

    Then fire up s-ice, do a bpx _lread and push the Cancel button.
    BOOOOOM!! heh

    KERNEL32._lread

    :00401B17 E8AC030000 Call 00401EC8
    :00401B1C 83F814 cmp eax, 00000014 <- If not 14 bytes long then BAD guy..
    :00401B1F 0F85B2000000 jne 00401BD7
    :
    :

    SO this is the _lread function telling us that the file must be 14 hex bytes long. Well, we have one =)
    Next..

    :00401B2D 038834364000 add ecx, dword ptr [eax+00403634]
    :00401B33 029834364000 add bl, byte ptr [eax+00403634]
    :00401B39 D1E3 shl ebx, 1
    :00401B3B 03CB add ecx, ebx
    :00401B3D D1C1 rol ecx, 1
    :00401B3F 83E804 sub eax, 00000004 <- 20 / 4 = 5 times loop
    :00401B42 81C145724D00 add ecx, 004D7245
    :00401B48 81C1293B0000 add ecx, 00003B29
    :
    :00401B4E 0BC0 or eax, eax <- If not 0 then jump back.
    :00401B50 75DB jne 00401B2D
    :00401B52 51 push ecx


    Ohh, this looks heavy, but you don’t need to bother about reversing this one =)
    This just takes 4 bytes each time out of the keyfile and mixes them.
    The reason that I don’t explain this calculation any further is that we don’t need to
    know what it does with the data, just the result value in this case.
    REMEMBER we are cracking with method nr 2!!
    And therefore do a ? ecx after the jne 00401B2D and write down the value..
    If u did write LiXuS in the keyfile the value should be 9680244h (in hex).

    Now we have two USER32.SendDlgItemMessageA calls and one KERNEL32.lstrcmpA

    But u don’t really need to worry about this.

    USER32.SendDlgItemMessageA <- This is the second call ..

    :00401B77 E816030000 Call 00401E92
    :00401B7C 83F800 cmp eax, 00000000
    :00401B7F 7656 jbe 00401BD7
    :00401B81 6834364000 push 00403634 \ <- This is just fake!!
    :00401B86 6835384000 push 00403835 /

    KERNEL32.lstrcmpA

    :00401B8B E83E030000 Call 00401ECE
    :00401B90 33C0 xor eax, eax <- The eax is wiped out
    :00401B92 33DB xor ebx, ebx
    :00401B94 33D2 xor edx, edx
    :00401B96 EB19 jmp 00401BB1 <- Just jump to the next piece of code

    Now u can see the fake code. The program pushes two strings and compares them, but the
    result, which is stored in eax, is wiped out before any action takes place.
    Next we have the calculation of the serial u entered in the program box..

    :00401B98 8A9A35384000 mov bl, byte ptr [edx+00403835]
    :00401B9E 42 inc edx
    :00401B9F 80FB2F cmp bl, 2F
    :00401BA2 760D jbe 00401BB1
    :00401BA4 80FB3A cmp bl, 3A
    :00401BA7 7308 jnb 00401BB1
    :00401BA9 6BC00A imul eax, 0000000A
    :00401BAC 80EB30 sub bl, 30
    :00401BAF 03C3 add eax, ebx
    :
    --->:00401BB1 80BA3538400000 cmp byte ptr [edx+00403835], 00
    :00401BB8 75DE jne 00401B98

    The jump goes to 00401BB1; that line checks if any serial was entered, and if not, bad cracker!!
    This routine just converts the serial to hex..

    :00401BBA 59 pop ecx <- The calculated value from keyfile
    :00401BBB 3BC1 cmp eax, ecx <- Compare with your serial!!
    :00401BBD 7518 jne 00401BD7
    :00401BBF B870354000 mov eax, 00403570 <- Holds Good message
    :00401BC4 48 dec eax
    :00401BC5 BB4F354000 mov ebx, 0040354F <- Holds Good message
    :00401BCA 4B dec ebx


    NOW we see the solution!! I hope u do anyway.
    If u don’t see how to do it then read this.

    If u remember the value u wrote down, 9680244h = 157811268 dec (decimal),
    take this number, convert it to decimal, write it in the serial field and then press Cancel..

    BOOOM!! You’re now a good cracker!!
    The last calculation just converted the serial into hex, and the compare was between
    the serial in hex and the value from the first calculation in hex..
    Understand???? If not, take a martini and wish that u had a bigger brain =o)

    I hope this was a fairly good explanation, and I’m sorry for my grammatical errors.

    Happy cracking

    /LiXuS


    LiXuS
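A C reconstruction of the two routines the post walks through (the keyfile mixing loop at 00401B2D and the serial-to-number loop at 00401B98), added here to confirm the 9680244h the post reports for a keyfile that starts with LiXuS; it is not code from the original post or from the crackme. It assumes, since the listing does not show it, that eax enters the loop holding the 0x14 byte count returned by _lread, that ecx and ebx start at zero, and that the four bytes following the 20-byte buffer read as zero.

```c
/* Added example, not from the original post: C model of the keyfile mixing
 * loop (00401B2D..00401B50) and the serial parser (00401B98..00401BB8).
 * Assumed (not visible in the listing): eax = 0x14 on loop entry, ecx = ebx = 0,
 * and the four bytes past the 20-byte buffer at 00403634 read as zero. */
#include <stdint.h>
#include <string.h>

#define KEYFILE_LEN 20

/* eax is decremented only after the loads, so the dword offsets visited are
 * 20,16,12,8,4: as listed, keyfile bytes 0..3 never influence the result. */
uint32_t keyfile_checksum(const uint8_t key[KEYFILE_LEN])
{
    uint8_t buf[KEYFILE_LEN + 4] = {0};   /* zero pad past offset 20 (assumption) */
    memcpy(buf, key, KEYFILE_LEN);
    uint32_t ecx = 0, ebx = 0, eax = 0x14;
    do {
        uint32_t dw = buf[eax] | (buf[eax + 1] << 8) | (buf[eax + 2] << 16)
                    | ((uint32_t)buf[eax + 3] << 24);   /* little-endian dword */
        ecx += dw;                        /* add ecx, dword ptr [eax+00403634] */
        ebx = (ebx & 0xFFFFFF00u) | ((ebx + buf[eax]) & 0xFFu); /* add bl, byte ptr */
        ebx <<= 1;                        /* shl ebx, 1 */
        ecx += ebx;                       /* add ecx, ebx */
        ecx = (ecx << 1) | (ecx >> 31);   /* rol ecx, 1 */
        eax -= 4;                         /* sub eax, 4 */
        ecx += 0x004D7245u + 0x00003B29u; /* the two add ecx, imm */
    } while (eax != 0);                   /* or eax, eax / jne 00401B2D */
    return ecx;
}

/* Decimal digits accumulate into eax; any other byte is skipped rather than
 * ending the scan, and only a NUL byte terminates it. */
uint32_t parse_serial(const char *serial)
{
    uint32_t eax = 0;
    for (const unsigned char *p = (const unsigned char *)serial; *p; p++)
        if (*p > 0x2F && *p < 0x3A)       /* '0'..'9' */
            eax = eax * 10 + (*p - 0x30);
    return eax;
}

/* The final cmp eax, ecx at 00401BBB: the serial value against the keyfile value. */
int serial_matches_keyfile(const uint8_t key[KEYFILE_LEN], const char *serial)
{
    return parse_serial(serial) == keyfile_checksum(key);
}
```

With the LiXuS keyfile from the post, keyfile_checksum returns 0x9680244, which is the 157811268 the post enters as the serial.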

