As vo!d was the first one ever to crack my simple cpp-crackmes at crackmes.cjb.net, this is my answer. I tried his first crackme and found it easy, yet a nice algo, and had some fun playing around with it.
W32Dasm V8.93 (for deadlisting)
Visual Basic 5.0 (or whatever) for coding the keygen... Yes, it's VB now!
:0040124D 68306A4000              push 00406A30
:00401252 6830694000              push 00406930
:00401257 E8A4FDFFFF              call 00401000
:0040125C 83C408                  add esp, 00000008
:0040125F 83F801                  cmp eax, 00000001
:00401262 A3646C4000              mov dword ptr [00406C64], eax
:00401267 7565                    jne 004012CE                  <- BAD BOY!!
:00401269 8B1528694000            mov edx, dword ptr [00406928]
:0040126F 6A40                    push 00000040

* Possible StringData Ref from Data Obj ->"GOOD JOB! - CRACKED!"
                                  |
:00401271 6880604000              push 00406080

* Possible StringData Ref from Data Obj ->"Send your solution to : v0id2k1@hotmail.com "
                                  |
:00401276 6850604000              push 00406050
:0040127B 52                      push edx

* Reference To: USER32.MessageBoxA, Ord:01BEh
                                  |
:0040127C FF15C4504000            Call dword ptr [004050C4]

What this does is kinda easy: it pushes your name and serial at 40124D ff. and then calls the serial verification routine at 401000. Afterwards it cleans up the stack and checks whether the serial entered was OK (then eax will be 1). We could patch the jne at 401267 to make it say registered, but that was forbidden by vo!d, so we need a working serial. Trace into the serial verification routine and you will find this:
:00401000 53                      push ebx
:00401001 8B5C240C                mov ebx, dword ptr [esp+0C]
:00401005 55                      push ebp
:00401006 56                      push esi
:00401007 8B742410                mov esi, dword ptr [esp+10]
:0040100B 8A0B                    mov cl, byte ptr [ebx]
:0040100D 33ED                    xor ebp, ebp
:0040100F 57                      push edi
:00401010 8A06                    mov al, byte ptr [esi]
:00401012 3AC1                    cmp al, cl
:00401014 0F8569010000            jne 00401183

This code loads the name into esi and the serial into ebx, then checks whether the 1st char of the entered name and serial are the same. If not, it jumps to 401183, where it moves our name into eax and exits the verification routine, so eax is != 1 and the code is WRONG! So for our next attempt, enter name: Phueghy and serial: P9143214. Try again and it won't jump away at 401014. Tracing on, we will find the next check:
:0040101A 8BFE                    mov edi, esi
:0040101C 83C9FF                  or ecx, FFFFFFFF
:0040101F 33C0                    xor eax, eax
:00401021 F2                      repnz
:00401022 AE                      scasb
:00401023 F7D1                    not ecx
:00401025 49                      dec ecx
:00401026 83F905                  cmp ecx, 00000005
:00401029 0F8254010000            jb 00401183
:0040102F 807B012D                cmp byte ptr [ebx+01], 2D
:00401033 0F854A010000            jne 00401183

This gets the length of our name (the repnz scasb over the name in esi is an inlined strlen) and compares it to 5; if lower, it jumps away to the bad boy. Remember our serial sitting in ebx: its 2nd char is compared to 2Dh, which is hex for "-". So change name/serial to Phueghy/P-143214 and try once again. There is some unnecessary check following, and the real part starts at:
:00401049 0FBE0C32                movsx ecx, byte ptr [edx+esi]
:0040104D 03E9                    add ebp, ecx
:0040104F 8BFE                    mov edi, esi
:00401051 83C9FF                  or ecx, FFFFFFFF
:00401054 33C0                    xor eax, eax
:00401056 42                      inc edx
:00401057 F2                      repnz
:00401058 AE                      scasb
:00401059 F7D1                    not ecx
:0040105B 49                      dec ecx
:0040105C 3BD1                    cmp edx, ecx
:0040105E 72E9                    jb 00401049

This loop sums up the ASCII values of the characters of our name and stores the sum in ebp (edx is the index, compared against strlen(name) on every pass). Note that movsx sign-extends each byte, so a character above 7Fh would add a negative value; for plain ASCII names this makes no difference.
:00401060 81C564600000            add ebp, 00006064

It adds 6064h (24676 decimal) to the sum and passes the value to some kind of wsprintf function, which turns it into a readable decimal string and stores it at 406B30. The following code
:00401076 8A16                    mov dl, byte ptr [esi]
:00401078 8BFE                    mov edi, esi
:0040107A 83C9FF                  or ecx, FFFFFFFF
:0040107D 33C0                    xor eax, eax
:0040107F 8815446B4000            mov byte ptr [00406B44], dl
:00401085 C605456B40002D          mov byte ptr [00406B45], 2D
:0040108C F2                      repnz
:0040108D AE                      scasb
:0040108E F7D1                    not ecx
:00401090 49                      dec ecx
:00401091 0FBE4431FF              movsx eax, byte ptr [ecx+esi-01]
:00401096 50                      push eax
:00401097 E8C4020000              call 00401360
:0040109C A2466B4000              mov byte ptr [00406B46], al

determines whether the last character of the name is upper- or lowercase; it is turned to uppercase in the call at 401360 if it isn't. Then it is appended to the first two chars of the serial (the first char of the name at 406B44 and the "-" at 406B45).
:004010B1 81C564600000            add ebp, 00006064

again, so to the sum of our name + 6064h another 6064h is added. This value is also turned into readable decimal format, and the final serial is constructed at 406B44 in memory. The instruction
:00401137 A5                      movsd

finally puts the whole serial together. So for my name Phueghy the correct serial is: P-Y25406-50082. And what we also have is the serial generating algo:
Private Sub Command1_Click()
    MsgBox "Coded by Phueghy in VB!", , "Phueghy@gmx.de"
    End
End Sub

Private Sub Form_Load()
    Call Text1_Change
End Sub

Private Sub Text1_Change()
    Dim serial As String, uname As String
    Dim sum As Long, i As Integer
    uname = Text1.Text
    ' the crackme rejects names shorter than 5 chars (cmp ecx, 5 / jb at 401026)
    If Len(uname) < 5 Then
        serial = "Enter 5 chars at least"
        GoTo ende
    End If
    ' part1 of serial: first char, "-", uppercased last char
    serial = Left(uname, 1) & "-" & UCase(Right(uname, 1))
    ' sum of the ASCII values of the name, as the loop at 401049 does
    sum = 0
    For i = 1 To Len(uname)
        sum = sum + Asc(Mid(uname, i, 1))
    Next
    sum = sum + 24676                   ' add 6064h (401060)
    serial = serial & Trim(Str(sum)) & "-"
    sum = sum + 24676                   ' add 6064h again (4010B1)
    serial = serial & Trim(Str(sum))
ende:
    Clipboard.SetText serial
    Text2.Text = serial
End Sub

You could also download the whole package including the keygen here.
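The serial scheme recovered above, as an added example in Python (this is not vo!d's crackme code and not the VB keygen from this page): keygen() builds the serial the same way the routine at 401000 does, and check_serial() mirrors the checks traced above in the same order, so the trial serials from the walkthrough fail at the expected step. Two assumptions are labelled in the code: that the call at 401360 is a plain ASCII toupper, and that the routine ends by comparing the entered serial with the one it builds at 406B44 (the page shows the construction but not the compare). The demo names and serials are the constructed ones used in the walkthrough.

```python
MAGIC = 0x6064      # 24676: added to the name sum at 401060 and again at 4010B1
MIN_NAME_LEN = 5    # cmp ecx, 00000005 / jb 00401183 at 401026


def name_sum(name: bytes) -> int:
    """Sum of the name's bytes as the loop at 401049 computes it.

    The loop loads each byte with MOVSX (sign-extended), so a byte >= 80h
    contributes a negative value. For plain ASCII names this is just the sum
    of the character codes, which is what Asc() gives in the VB keygen.
    """
    return sum(b - 0x100 if b >= 0x80 else b for b in name)


def keygen(name: str) -> str:
    """Serial for name: <first char>-<UPPER(last char)><sum+6064h>-<sum+2*6064h>."""
    raw = name.encode("latin-1")
    if len(raw) < MIN_NAME_LEN:
        raise ValueError(f"name must be at least {MIN_NAME_LEN} characters long")
    first = chr(raw[0])             # byte stored at 406B44
    # assumption: the call at 401360 is an ASCII toupper; result stored at 406B46
    last = chr(raw[-1]).upper()
    s1 = name_sum(raw) + MAGIC      # decimal string written at 406B30
    s2 = s1 + MAGIC                 # second add at 4010B1
    return f"{first}-{last}{s1}-{s2}"


def check_serial(name: str, serial: str) -> bool:
    """The visible checks of the routine at 401000, in order.

    Every False here corresponds to one of the jumps to 401183 (bad boy).
    """
    if not name or not serial or serial[0] != name[0]:   # cmp al, cl at 401012
        return False
    if len(name) < MIN_NAME_LEN:                          # cmp ecx, 5 / jb at 401029
        return False
    if len(serial) < 2 or serial[1] != "-":               # cmp byte ptr [ebx+01], 2D at 40102F
        return False
    # assumption: after building the expected serial at 406B44 the routine
    # compares it with the entered one and returns 1 only on a match
    return serial == keygen(name)


if __name__ == "__main__":
    # constructed demo inputs: the name and the trial serials from the walkthrough
    print(keygen("Phueghy"))                       # P-Y25406-50082
    for trial in ("P9143214", "P-143214", "P-Y25406-50082"):
        print(trial, check_serial("Phueghy", trial))
```

The order of the checks in check_serial() matters for reproducing the tracing above: P9143214 is rejected at the "-" check, P-143214 survives every visible check and only fails the final comparison, which is exactly what you see when single-stepping the routine with those inputs.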
As this is an essay on how to crack a crackme, all you need to know about the program is that vo!d is the author.