NEO'X'QuiCk


Tutorial for CrackMe_Nr.7 by ScareByte

Application:

Crackme

Download Application:

http://move.to/tgc or http://kickme.to/scarebyte

Cracker:

NeO'X'Quick

Tools:

SoftIce 4.05, FrogsICE, ProcDump, Hex Workshop, DeDe

 

Beginner [ ]                 Intermediate [ x ]                Advanced [ ]                 Expert [ ]

:: Introduction ::

       First I thought that this crackme was hard, so I downloaded it and cracked it. Then I decided to write a tutorial for it, because I think newbies like me should start learning, and the more tutorials are available, the better for us. I noticed that it is packed with ASPack 1.08.03, so I unpacked it with ProcDump. The file name after unpacking was new.exe.

:: Start Cracking ::


******************************************************************************************************************************************************************************


1:   Task to disable the Nag

2:   Task to find the Password

3:   Task to find the Serial

4:   Task to find the right buttons for the CheckBox

5:   Task to find the TrackBar


******************************************************************************************************************************************************************************


:: Solution For Task One ::





Open the unpacked crackme and you will see the annoying nag appearing before the real crackme starts. Then I opened SoftIce and set a breakpoint with BPX hmemcpy. Then I started the crackme again and SoftIce broke. I disabled all breakpoints with "BD *", pressed F11 (go to the return address) once and F12 seven times, until I saw "New!Code+..." at the bottom of the window. Then I pressed F10 to trace until here:



-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------



0167:0044D03E 55 PUSH EBP
0167:0044D03F 68F1D04400 PUSH 0044D0F1
0167:0044D044 64FF30 PUSH DWORD PTR FS:[EAX]
0167:0044D047 648920 MOV FS:[EAX],ESP
0167:0044D04A B898F84400 MOV EAX,0044F898
0167:0044D04F BA08D14400 MOV EDX,0044D108
0167:0044D054 E8F367FBFF CALL 0040384C
0167:0044D059 B898F84400 MOV EAX,0044F898
0167:0044D05E E809FEFFFF CALL 0044CE6C
0167:0044D063 B894F84400 MOV EAX,0044F894
0167:0044D068 BA38D14400 MOV EDX,0044D138
0167:0044D06D E8DA67FBFF CALL 0040384C
0167:0044D072 B894F84400 MOV EAX,0044F894
0167:0044D077 E8F0FDFFFF CALL 0044CE6C
0167:0044D07C 6A00 PUSH 00
0167:0044D07E A194F84400 MOV EAX,[0044F894]
0167:0044D083 E8B06BFBFF CALL 00403C38
0167:0044D088 50 PUSH EAX
0167:0044D089 A198F84400 MOV EAX,[0044F898]
0167:0044D08E E8A56BFBFF CALL 00403C38
0167:0044D093 8BD0 MOV EDX,EAX
0167:0044D095 A1A0ED4400 MOV EAX,[0044EDA0]
0167:0044D09A 8B00 MOV EAX,[EAX]

0167:0044D09C 59 POP ECX
0167:0044D09D E8724BFFFF CALL 00441C14                                   /**Important**/
0167:0044D0A2 A1A0ED4400 MOV EAX,[0044EDA0]
0167:0044D0A7 8B00 MOV EAX,[EAX]
0167:0044D0A9 E87649FFFF CALL 00441A24
0167:0044D0AE A1A0ED4400 MOV EAX,[0044EDA0]
0167:0044D0B3 8B00 MOV EAX,[EAX]
0167:0044D0B5 BA4CD14400 MOV EDX,0044D14C
0167:0044D0BA E8A145FFFF CALL 00441660



-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

On the call marked Important (0044D09D) press F8 to step into it, then press F10 until you come here:

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


0167:00441CD2 7406 JZ 00441CDA                                          /**Important**/
0167:00441CD4 81CB00001000 OR EBX,00100000
0167:00441CDA 33C9 XOR ECX,ECX
0167:00441CDC 55 PUSH EBP
0167:00441CDD 68591D4400 PUSH 00441D59
0167:00441CE2 64FF31 PUSH DWORD PTR FS:[ECX]
0167:00441CE5 648921 MOV FS:[ECX],ESP
0167:00441CE8 53 PUSH EBX
0167:00441CE9 57 PUSH EDI
0167:00441CEA 56 PUSH ESI
0167:00441CEB 8B45FC MOV EAX,[EBP-04]
0167:00441CEE 8B4024 MOV EAX,[EAX+24]
0167:00441CF1 50 PUSH EAX
0167:00441CF2 E85946FCFF CALL USER32!MessageBoxA              /**Important**/
0167:00441CF7 8945F8 MOV [EBP-08],EAX
0167:00441CFA 33C0 XOR EAX,EAX
0167:00441CFC 5A POP EDX
0167:00441CFD 59 POP ECX
0167:00441CFE 59 POP ECX
0167:00441CFF 648910 MOV FS:[EAX],EDX 


-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

So that is the nag. If you want to get rid of it you need to NOP the call. With the cursor in SoftIce on 00441CF2, type "A" + Enter, then type NOP five times (Enter after each) and press Enter twice more, and the call is gone:

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


:a
0167:00441CF2 nop
0167:00441CF3 nop
0167:00441CF4 nop
0167:00441CF5 nop
0167:00441CF6 nop
0167:00441CF7

 

After NOPing it should look like this:



0167:00441CEB 8B45FC MOV EAX,[EBP-04]
0167:00441CEE 8B4024 MOV EAX,[EAX+24]
0167:00441CF1 50 PUSH EAX
0167:00441CF2 90 NOP
0167:00441CF3 90 NOP
0167:00441CF4 90 NOP
0167:00441CF5 90 NOP
0167:00441CF6 90 NOP
0167:00441CF7 8945F8 MOV [EBP-08],EAX
0167:00441CFA 33C0 XOR EAX,EAX
0167:00441CFC 5A POP EDX
0167:00441CFD 59 POP ECX
0167:00441CFE 59 POP ECX
0167:00441CFF 648910 MOV FS:[EAX],EDX

 


-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Now start Hex Workshop, open the crackme new.exe, use Goto Offset 412F2 and write 9090909090. Save the file, start the crackme, and the nag is gone. Easy.
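As an added example (Python, not part of the original tutorial): the step from the address SoftIce shows (0167:00441CF2) to the offset typed into Hex Workshop (412F2) is a PE virtual-address to raw-file-offset translation, and a careful patch checks the bytes at that offset before overwriting them. The section table in the script is an assumption chosen to agree with the tutorial's VA/offset pair, not read from the real new.exe; the call bytes E8 59 46 FC FF are the ones in the listing.

```python
# Added example, not the tutorial's code. Translates the VA SoftIce showed to
# the file offset Hex Workshop needs, decodes the CALL's rel32 target, and
# applies the 5-byte NOP patch only after verifying the original bytes.
import struct

IMAGE_BASE = 0x00400000

# ASSUMED section table: (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData).
# Chosen so that VA 0x441CF2 lands on raw offset 0x412F2 as in the tutorial.
SECTIONS = [
    ("CODE", 0x1000, 0x4C000, 0x600, 0x4C000),
    ("DATA", 0x4D000, 0x1000, 0x4C600, 0x1000),
]


def va_to_file_offset(va, image_base=IMAGE_BASE, sections=SECTIONS):
    """Map a virtual address to a raw file offset via the section containing it."""
    rva = va - image_base
    for _name, vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return raw_ptr + (rva - vaddr)
    raise ValueError("RVA %#x is not inside any section" % rva)


def call_target(call_va, call_bytes):
    """Resolve the destination of an E8 rel32 CALL located at call_va."""
    if len(call_bytes) != 5 or call_bytes[0] != 0xE8:
        raise ValueError("not a 5-byte E8 rel32 call")
    rel32 = struct.unpack("<i", call_bytes[1:])[0]
    return (call_va + 5 + rel32) & 0xFFFFFFFF


def nop_out_call(data, offset, expected):
    """Overwrite the call at offset with NOPs, but only if the bytes there are
    exactly the ones seen in the debugger. Returns a patched copy; the input
    buffer is left untouched so the original can be kept."""
    current = bytes(data[offset:offset + len(expected)])
    if current != expected:
        raise ValueError("bytes at %#x are %s, expected %s"
                         % (offset, current.hex(), expected.hex()))
    patched = bytearray(data)
    patched[offset:offset + len(expected)] = b"\x90" * len(expected)
    return patched


CALL_VA = 0x00441CF2
CALL_BYTES = bytes.fromhex("E85946FCFF")   # from the listing: CALL USER32!MessageBoxA

if __name__ == "__main__":
    off = va_to_file_offset(CALL_VA)
    print("file offset: %#x" % off)                            # 0x412f2
    print("call target: %#x" % call_target(CALL_VA, CALL_BYTES))
    # Constructed stand-in for the file: a buffer holding the call at that offset.
    fake = bytearray(off + 16)
    fake[off:off + 5] = CALL_BYTES
    print(nop_out_call(fake, off, CALL_BYTES)[off:off + 5].hex())  # 9090909090
```

The byte check matters when a packer or a different build is involved: if the bytes at the computed offset are not the CALL you saw in the debugger, the offset translation (or the unpacked dump) is wrong and writing NOPs there would corrupt something else.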

 

:: Solution For Task Two ::




Open the crackme and press Password. Write your serial in the edit box. I wrote 123123 as the serial. Why? Because I always do, heh. Then I opened SoftIce and set a breakpoint with BPX hmemcpy. Then I pressed Check in the crackme and SoftIce broke. I disabled all breakpoints with "BD *", pressed F11 (go to the return address) once and F12 eleven times. You should see something like this; press F10 to go down in SoftIce:

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------




0044C3D5 E89A76FBFF call 00403A74

0044C3DA 83F80C cmp eax, +$0C                          /** Compares the length of our serial with hex C, which is 12 decimal **/
0044C3DD 0F8553010000 jnz 0044C536                 /** If our serial isn't 12 characters long, jump to the Bad message **/
0044C3E3 8D55FC lea edx, [ebp-$04]

* Reference to control TForm1.Edit1 : TEdit |

0044C3E6 8B83E8020000 mov eax, [ebx+$02E8]

* Reference to: Controls.TControl.GetText() |

0044C3EC E83394FDFF call 00425824
0044C3F1 8B45FC mov eax, [ebp-$04]
0044C3F4 803843 cmp byte ptr [eax], $43                                       /** Compares our 1st character with hex 43, which is ASCII 'C' **/
0044C3F7 0F8527010000 jnz 0044C524                                          /** If the 1st character of our serial isn't 'C', jump to the Bad message **/
0044C3FD 8D55F8 lea edx, [ebp-$08]

* Reference to control TForm1.Edit1 : TEdit |

0044C400 8B83E8020000 mov eax, [ebx+$02E8]

* Reference to: Controls.TControl.GetText() |

0044C406 E81994FDFF call 00425824
0044C40B 8B45F8 mov eax, [ebp-$08]

* Reference to field TEdit.OFFS_0003 |

0044C40E 8078036F cmp byte ptr [eax+$03], $6F                        /** Compares our 4th character with hex 6F, which is ASCII 'o' **/
0044C412 0F850C010000 jnz 0044C524                                      /** If the 4th character of our serial isn't 'o', jump to the Bad message **/
0044C418 8D55F4 lea edx, [ebp-$0C]

* Reference to control TForm1.Edit1 : TEdit |

0044C41B 8B83E8020000 mov eax, [ebx+$02E8]

* Reference to: Controls.TControl.GetText() |

0044C421 E8FE93FDFF call 00425824
0044C426 8B45F4 mov eax, [ebp-$0C]

* Reference to field TEdit.OFFS_0008 |

0044C429 8078086F cmp byte ptr [eax+$08], $6F                       /** Compares our 9th character with hex 6F, which is ASCII 'o' **/
0044C42D 0F85F1000000 jnz 0044C524                                    /** If the 9th character of our serial isn't 'o', jump to the Bad message **/
0044C433 8D55F0 lea edx, [ebp-$10]

* Reference to control TForm1.Edit1 : TEdit |

0044C436 8B83E8020000 mov eax, [ebx+$02E8]

* Reference to: Controls.TControl.GetText() |

0044C43C E8E393FDFF call 00425824
0044C441 8B45F0 mov eax, [ebp-$10]

* Reference to field TEdit.OFFS_0001 |

0044C444 8078016C cmp byte ptr [eax+$01], $6C                  /** Compares our 2nd character with hex 6C, which is ASCII 'l' **/
0044C448 0F85D6000000 jnz 0044C524                                /** If the 2nd character of our serial isn't 'l', jump to the Bad message **/
0044C44E 8D55EC lea edx, [ebp-$14]

* Reference to control TForm1.Edit1 : TEdit |

0044C451 8B83E8020000 mov eax, [ebx+$02E8]

* Reference to: Controls.TControl.GetText() |

0044C457 E8C893FDFF call 00425824
0044C45C 8B45EC mov eax, [ebp-$14]

* Reference to field TEdit.OFFS_0004 |

0044C45F 80780420 cmp byte ptr [eax+$04], $20                         /** Compares our 5th character with hex 20, which is ASCII ' ' (space) **/
0044C463 0F85BB000000 jnz 0044C524                                      /** If the 5th character of our serial isn't a space, jump to the Bad message **/
0044C469 8D55E8 lea edx, [ebp-$18]

* Reference to control TForm1.Edit1 : TEdit |

0044C46C 8B83E8020000 mov eax, [ebx+$02E8]

* Reference to: Controls.TControl.GetText() |

0044C472 E8AD93FDFF call 00425824
0044C477 8B45E8 mov eax, [ebp-$18]

* Reference to field TEdit.OFFS_000A |

0044C47A 80780A52 cmp byte ptr [eax+$0A], $52                      /** Compares our 11th character with hex 52, which is ASCII 'R' **/
0044C47E 0F85A0000000 jnz 0044C524                                    /** If the 11th character of our serial isn't 'R', jump to the Bad message **/
0044C484 8D55E4 lea edx, [ebp-$1C] 

* Reference to control TForm1.Edit1 : TEdit |

0044C487 8B83E8020000 mov eax, [ebx+$02E8]

* Reference to: Controls.TControl.GetText() |

0044C48D E89293FDFF call 00425824
0044C492 8B45E4 mov eax, [ebp-$1C]

* Reference to field TEdit.OFFS_0007 |

0044C495 80780775 cmp byte ptr [eax+$07], $75                      /** Compares our 8th character with hex 75, which is ASCII 'u' **/
0044C499 0F8585000000 jnz 0044C524                                    /** If the 8th character of our serial isn't 'u', jump to the Bad message **/
0044C49F 8D55E0 lea edx, [ebp-$20]

* Reference to control TForm1.Edit1 : TEdit |

0044C4A2 8B83E8020000 mov eax, [ebx+$02E8]

* Reference to: Controls.TControl.GetText() |

0044C4A8 E87793FDFF call 00425824
0044C4AD 8B45E0 mov eax, [ebp-$20]

* Reference to field TEdit.OFFS_0009 |

0044C4B0 8078096E cmp byte ptr [eax+$09], $6E                     /** Compares our 10th character with hex 6E, which is ASCII 'n' **/
0044C4B4 756E jnz 0044C524                                                  /** If the 10th character of our serial isn't 'n', jump to the Bad message **/
0044C4B6 8D55DC lea edx, [ebp-$24]

* Reference to control TForm1.Edit1 : TEdit |

0044C4B9 8B83E8020000 mov eax, [ebx+$02E8]

* Reference to: Controls.TControl.GetText() |

0044C4BF E86093FDFF call 00425824
0044C4C4 8B45DC mov eax, [ebp-$24]

* Reference to field TEdit.OFFS_0002 |

0044C4C7 8078026E cmp byte ptr [eax+$02], $6E                     /** Compares our 3rd character with hex 6E, which is ASCII 'n' **/
0044C4CB 7557 jnz 0044C524                                                 /** If the 3rd character of our serial isn't 'n', jump to the Bad message **/
0044C4CD 8D55D8 lea edx, [ebp-$28]

* Reference to control TForm1.Edit1 : TEdit |

0044C4D0 8B83E8020000 mov eax, [ebx+$02E8]

* Reference to: Controls.TControl.GetText() |

0044C4D6 E84993FDFF call 00425824
0044C4DB 8B45D8 mov eax, [ebp-$28]

* Reference to field TEdit.OFFS_0005 |

0044C4DE 80780569 cmp byte ptr [eax+$05], $69                   /** Compares our 6th character with hex 69, which is ASCII 'i' **/
0044C4E2 7540 jnz 0044C524                                               /** If the 6th character of our serial isn't 'i', jump to the Bad message **/
0044C4E4 8D55D4 lea edx, [ebp-$2C]

* Reference to control TForm1.Edit1 : TEdit |

0044C4E7 8B83E8020000 mov eax, [ebx+$02E8]

* Reference to: Controls.TControl.GetText() |

0044C4ED E83293FDFF call 00425824
0044C4F2 8B45D4 mov eax, [ebp-$2C]

* Reference to field TEdit.OFFS_000B |

0044C4F5 80780B6E cmp byte ptr [eax+$0B], $6E                /** Compares our 12th character with hex 6E, which is ASCII 'n' **/
0044C4F9 7529 jnz 0044C524                                              /** If the 12th character of our serial isn't 'n', jump to the Bad message **/

0044C4FB 8D55D0 lea edx, [ebp-$30]

* Reference to control TForm1.Edit1 : TEdit |

0044C4FE 8B83E8020000 mov eax, [ebx+$02E8]

* Reference to: Controls.TControl.GetText() |

0044C504 E81B93FDFF call 00425824
0044C509 8B45D0 mov eax, [ebp-$30]

* Reference to field TEdit.OFFS_0006 |

0044C50C 80780667 cmp byte ptr [eax+$06], $67                /** Compares our 7th character with hex 67, which is ASCII 'g' **/
0044C510 7512 jnz 0044C524                                             /** If the 7th character of our serial isn't 'g', jump to the Bad message **/

 * Possible String Reference to: 'Right Password' |

0044C512 BA78C54400 mov edx, $0044C578

* Reference to control TForm1.Edit1 : TEdit |

0044C517 8B83E8020000 mov eax, [ebx+$02E8]

* Reference to: Controls.TControl.SetText(System.AnsiString) |

0044C51D E83293FDFF call 00425854
0044C522 EB22 jmp 0044C546

* Possible String Reference to: 'Wrong Password' |

0044C524 BA90C54400 mov edx, $0044C590

* Reference to control TForm1.Edit1 : TEdit |

0044C529 8B83E8020000 mov eax, [ebx+$02E8]

* Reference to: Controls.TControl.SetText(System.AnsiString) |
0044C52F E82093FDFF call 00425854
0044C534 EB10 jmp 0044C546

* Possible String Reference to: 'Wrong Password' |

0044C536 BA90C54400 mov edx, $0044C590



-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


So now you just have to put all the letters together in position order and you get the valid serial! The serial is "Clno iguonRn"; write it in and you get Right Password, heh!
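As an added example (Python, not the crackme's code): the routine above is a fixed-position byte compare, so the accepted string can be read straight out of the constants no matter what order the checks run in. The (index, byte) pairs are copied from the cmp instructions in the listing, in the order the disassembly tests them; the two functions are this example's own.

```python
# Added example, not the crackme's code. Re-implements the password check from
# the listing and assembles the one string it accepts.

# (0-based index used in [eax+idx], expected byte), in the listing's check order.
CHECKS = [
    (0x00, 0x43), (0x03, 0x6F), (0x08, 0x6F), (0x01, 0x6C),
    (0x04, 0x20), (0x0A, 0x52), (0x07, 0x75), (0x09, 0x6E),
    (0x02, 0x6E), (0x05, 0x69), (0x0B, 0x6E), (0x06, 0x67),
]
REQUIRED_LENGTH = 0x0C   # cmp eax, +$0C at 0044C3DA


def check_password(candidate):
    """Same decision as the routine: length check first, then every byte
    compare in the original order; any mismatch means 'Wrong Password'."""
    data = candidate.encode("latin-1")
    if len(data) != REQUIRED_LENGTH:
        return False
    return all(data[i] == b for i, b in CHECKS)


def recover_password(checks=CHECKS, length=REQUIRED_LENGTH):
    """Assemble the only string the compares accept. The scrambled check order
    does not matter: each compare pins one slot, so the slots are just filled
    and read back in index order. Conflicting or missing slots are reported."""
    slots = [None] * length
    for i, b in checks:
        if slots[i] is not None and slots[i] != b:
            raise ValueError("conflicting constraints at index %d" % i)
        slots[i] = b
    missing = [i for i, s in enumerate(slots) if s is None]
    if missing:
        raise ValueError("positions %s are unconstrained" % missing)
    return bytes(slots).decode("latin-1")


if __name__ == "__main__":
    pw = recover_password()
    print(repr(pw), check_password(pw), check_password("123123"))
```

Nothing about the input is hashed or transformed before the compare, which is why the whole password sits in the code as twelve immediate bytes; scrambling the order of the compares only changes where each letter is found, not whether it is found.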



:: Solution For Task Three ::



Open the crackme and press Serial; you should see "SoftIce detected. Use some tricks :-)" in the serial box. OK, now use FrogsICE and you should see an empty box.
Now I wrote NeO'X'QuiCk for Name, TnT/TCA for Company and 123123 for the serial. Then I started DeDe; in the menu, Options --> Symbols --> Load all symbols. I opened new.exe in DeDe and pressed Process. Then click on Procedures and click on Unit1 (or Form1). Click on Events and on FormCreate. Choose SpeedButton2Click and you should see this:





-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------




0044C66F E80074FBFF call 00403A74
0044C674 83F806 cmp eax, +$06                            /** Compares the length of the Name with 6 **/
0044C677 0F8EF0000000 jle 0044C76D                   /** If the Name isn't more than 6 characters long, jump to 0044C76D, where nothing happens **/
0044C67D A180F84400 mov eax, dword ptr [$44F880]

* Reference to: System..DynArrayLength() | or: System..LStrLen() |

0044C682 E8ED73FBFF call 00403A74

0044C687 83F814 cmp eax, +$14                                     /** Compares the length of the Name with hex 14, which is 20 decimal **/
0044C68A 0F8DDD000000 jnl 0044C76D                           /** If the Name is 20 characters or longer (jnl), jump to 0044C76D, where nothing happens **/
0044C690 A180F84400 mov eax, dword ptr [$44F880]

* Reference to: System..DynArrayLength() | or: System..LStrLen() |

0044C695 E8DA73FBFF call 00403A74
0044C69A 85C0 test eax, eax
0044C69C 7E17 jle 0044C6B5
0044C69E BA01000000 mov edx, $00000001
0044C6A3 8B0D80F84400 mov ecx, [$44F880]
0044C6A9 0FB64C11FF movzx ecx, byte ptr [ecx+edx-$01]
0044C6AE 014DFC add [ebp-$04], ecx
0044C6B1 42 inc edx
0044C6B2 48 dec eax
0044C6B3 75EE jnz 0044C6A3
0044C6B5 A184F84400 mov eax, dword ptr [$44F884]



-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Go a little further down in DeDe:

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

* Possible String Reference to: 'I Love Cracking and ' |

0044C6DC 6898C74400 push $0044C798
0044C6E1 8D55F8 lea edx, [ebp-$08]
0044C6E4 8B45FC mov eax, [ebp-$04]

* Reference to: Sysutils.IntToStr(Integer) |

0044C6E7 E868B0FBFF call 00407754
0044C6EC FF75F8 push dword ptr [ebp-$08]

* Possible String Reference to: ' Girls ;)' |

0044C6EF 68B8C74400 push $0044C7B8
0044C6F4 B88CF84400 mov eax, $0044F88C
0044C6F9 BA03000000 mov edx, $00000003

* Reference to: System..LStrCatN() |

0044C6FE E83174FBFF call 00403B34
0044C703 33C0 xor eax, eax
0044C705 8945FC mov [ebp-$04], eax
0044C708 A188F84400 mov eax, dword ptr [$44F888]

* Reference to: System..DynArrayLength() | or: System..LStrLen() |

0044C70D E86273FBFF call 00403A74
0044C712 8BD8 mov ebx, eax
0044C714 A18CF84400 mov eax, dword ptr [$44F88C]

* Reference to: System..DynArrayLength() | or: System..LStrLen() |

0044C719 E85673FBFF call 00403A74                                                                    /** Important **/
0044C71E 3BD8 cmp ebx, eax
0044C720 754B jnz 0044C76D                                                                                /** Important **/
0044C722 A188F84400 mov eax, dword ptr [$44F888] 
 



-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

On the call marked Important (0044C719), type D EAX and you will see "I Love Cracking and 1802 Girls ;)". Write this in the serial box and you get "You have found the correct Serial :)". Easy!
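As an added example (Python, not the crackme's code): the part of the routine shown in the listing checks 6 < length < 20, sums the bytes of the Name into [ebp-$04] with the movzx/add loop, and builds the serial with LStrCatN from 'I Love Cracking and ', IntToStr(sum) and ' Girls ;)'. The listing cuts off a second summing loop (from 0044C6B5 on) over a second global string whose contents are not shown. With the tutorial's Name the visible loop alone gives 901, and the tutorial's 1802 is exactly twice that, so this example ASSUMES the second loop adds the same Name again; that is an assumption to make the numbers line up, not something the listing proves.

```python
# Added example, not the crackme's code. Re-creates the name-to-serial routine
# as far as the listing shows it. The 'second' string summed by the cut-off
# second loop is an ASSUMPTION (defaults to the name itself, which reproduces
# the tutorial's 1802).


def name_length_ok(name):
    """cmp eax,6 / jle  and  cmp eax,14h / jnl: the length must be 7..19."""
    n = len(name.encode("latin-1"))
    return 6 < n < 0x14


def byte_sum(s):
    """The loop at 0044C69E..0044C6B3: edx runs 1..len, each byte [ecx+edx-1]
    is zero-extended and added to the accumulator in [ebp-$04]."""
    return sum(s.encode("latin-1"))


def make_serial(total):
    """LStrCatN of the three pieces seen in the listing around 0044C6FE."""
    return "I Love Cracking and " + str(total) + " Girls ;)"


def expected_serial(name, second=None):
    """Serial the crackme expects for a Name, or None when the length check
    jumps to 0044C76D and nothing is computed. 'second' stands for the string
    the second (not shown) loop sums; by ASSUMPTION it is the name again."""
    if not name_length_ok(name):
        return None
    if second is None:
        second = name
    return make_serial(byte_sum(name) + byte_sum(second))


if __name__ == "__main__":
    print(byte_sum("NeO'X'QuiCk"))          # 901
    print(expected_serial("NeO'X'QuiCk"))   # I Love Cracking and 1802 Girls ;)
    print(expected_serial("abc"))           # None: too short
```

A byte sum is order-independent, so every permutation of a Name (and many unrelated strings of the same total) yields the same serial; that is the property a reverser exploits and the reason a real licence scheme would not use it.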

:: Solution For Task Four ::



Choose SpeedButton3Click and you should see this:

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------





* Reference to control TForm1.cb3 : TCheckBox |                                          /** Important **/

0044C80A 8B8324030000 mov eax, [ebx+$0324]
0044C810 8B10 mov edx, [eax]

* Reference to method TCheckBox.GetChecked() |

0044C812 FF92B8000000 call dword ptr [edx+$00B8]
0044C818 84C0 test al, al
0044C81A 0F84CD000000 jz 0044C8ED

* Reference to control TForm1.cb5 : TCheckBox |                                          /** Important **/
 
0044C820 8B8328030000 mov eax, [ebx+$0328]
0044C826 8B10 mov edx, [eax]

* Reference to method TCheckBox.GetChecked() |

0044C828 FF92B8000000 call dword ptr [edx+$00B8]
0044C82E 84C0 test al, al
0044C830 0F84B7000000 jz 0044C8ED

* Reference to control TForm1.cb6 : TCheckBox |                                        /** Important **/

0044C836 8B832C030000 mov eax, [ebx+$032C]
0044C83C 8B10 mov edx, [eax]

* Reference to method TCheckBox.GetChecked() |

0044C83E FF92B8000000 call dword ptr [edx+$00B8]
0044C844 84C0 test al, al
0044C846 0F84A1000000 jz 0044C8ED

* Reference to control TForm1.cb12 : TCheckBox |                                     /** Important **/

0044C84C 8B8358030000 mov eax, [ebx+$0358]
0044C852 8B10 mov edx, [eax]

* Reference to method TCheckBox.GetChecked() |

0044C854 FF92B8000000 call dword ptr [edx+$00B8]
0044C85A 84C0 test al, al
0044C85C 0F848B000000 jz 0044C8ED

* Reference to control TForm1.cb15 : TCheckBox |                                  /** Important **/

0044C862 8B8364030000 mov eax, [ebx+$0364]
0044C868 8B10 mov edx, [eax]

* Reference to method TCheckBox.GetChecked() |

0044C86A FF92B8000000 call dword ptr [edx+$00B8]
0044C870 84C0 test al, al
0044C872 7479 jz 0044C8ED
 
* Reference to control TForm1.cb20 : TCheckBox |                                   /** Important **/
 
0044C874 8B8330030000 mov eax, [ebx+$0330]
0044C87A 8B10 mov edx, [eax]

* Reference to method TCheckBox.GetChecked() |

0044C87C FF92B8000000 call dword ptr [edx+$00B8]
0044C882 84C0 test al, al
0044C884 7467 jz 0044C8ED

* Reference to control TForm1.cb9 : TCheckBox |                                  /** Important **/
 
0044C886 8B834C030000 mov eax, [ebx+$034C]
0044C88C 8B10 mov edx, [eax]

* Reference to method TCheckBox.GetChecked() |

0044C88E FF92B8000000 call dword ptr [edx+$00B8]
0044C894 84C0 test al, al
0044C896 7455 jz 0044C8ED

* Reference to control TForm1.cb11 : TCheckBox |                               /** Important **/
 
0044C898 8B8354030000 mov eax, [ebx+$0354]
0044C89E 8B10 mov edx, [eax]

* Reference to method TCheckBox.GetChecked() |
 
0044C8A0 FF92B8000000 call dword ptr [edx+$00B8]
0044C8A6 84C0 test al, al
0044C8A8 7443 jz 0044C8ED

* Reference to control TForm1.cb13 : TCheckBox |                              /** Important **/
 
0044C8AA 8B835C030000 mov eax, [ebx+$035C]
0044C8B0 8B10 mov edx, [eax]

* Reference to method TCheckBox.GetChecked() |

0044C8B2 FF92B8000000 call dword ptr [edx+$00B8]
0044C8B8 84C0 test al, al
0044C8BA 7431 jz 0044C8ED

* Reference to control TForm1.cb19 : TCheckBox |                              /** Important **/
 
0044C8BC 8B833C030000 mov eax, [ebx+$033C]
0044C8C2 8B10 mov edx, [eax]

* Reference to method TCheckBox.GetChecked() |
 
0044C8C4 FF92B8000000 call dword ptr [edx+$00B8]
0044C8CA 84C0 test al, al
0044C8CC 741F jz 0044C8ED
0044C8CE 8D45FC lea eax, [ebp-$04]

* Possible String Reference to: GOOD MESSAGE

0044C8D1 BA34C94400 mov edx, $0044C934



-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


Now, do you see the number after TForm1.cb? That is the number of the checkbox. So you can see the numbers 3, 5, 6, 12, 15, 20, 9, 11, 13 and 19; each one is tested with GetChecked and any that is unchecked jumps to 0044C8ED. The checkboxes are numbered like this:


             2 3             9 10
           1     4        8      11
          20      5    7        12
             19      6        13
                18          14
                  17     15
                      16

I hope you get which numbers to press. So do it, heh, and you have cracked it.

                

:: Solution For Task Five ::



OK, the last one. First move the trackbars. As you noticed there are five of them, so I will call them A, B, C, D, E: A is for the first number, and so on. In DeDe press SpeedButton4Click and you should see this:

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------




0044C168 64FF30 push dword ptr fs:[eax]
0044C16B 648920 mov fs:[eax], esp
0044C16E 8D55C4 lea edx, [ebp-$3C]

* Reference to control TForm1.sN1 : TLabel |

0044C171 8B8380030000 mov eax, [ebx+$0380]

* Reference to: Controls.TControl.GetText() |

0044C177 E8A896FDFF call 00425824
0044C17C 8B45C4 mov eax, [ebp-$3C]

* Reference to: Sysutils.StrToFloat(System.AnsiString) |

0044C17F E8B0C0FBFF call 00408234                             /**Takes the first number puts it into Float**/
0044C184 DD5DE8 fstp qword ptr [ebp-$18]
0044C187 9B wait
0044C188 8D55C4 lea edx, [ebp-$3C]

* Reference to control TForm1.sN2 : TLabel |

0044C18B 8B8398030000 mov eax, [ebx+$0398]

* Reference to: Controls.TControl.GetText() |

0044C191 E88E96FDFF call 00425824
0044C196 8B45C4 mov eax, [ebp-$3C]

* Reference to: Sysutils.StrToFloat(System.AnsiString) |

0044C199 E896C0FBFF call 00408234                         /**Takes the second number puts it into Float**/
0044C19E DD5DE0 fstp qword ptr [ebp-$20]
0044C1A1 9B wait
0044C1A2 8D55C4 lea edx, [ebp-$3C]

* Reference to control TForm1.sN3 : TLabel |

0044C1A5 8B839C030000 mov eax, [ebx+$039C]

* Reference to: Controls.TControl.GetText() |

0044C1AB E87496FDFF call 00425824
0044C1B0 8B45C4 mov eax, [ebp-$3C]

* Reference to: Sysutils.StrToFloat(System.AnsiString) |

0044C1B3 E87CC0FBFF call 00408234                      /**Takes the third number puts it into Float**/
0044C1B8 DD5DD8 fstp qword ptr [ebp-$28]
0044C1BB 9B wait
0044C1BC 8D55C4 lea edx, [ebp-$3C]

* Reference to control TForm1.sN4 : TLabel |

0044C1BF 8B83A0030000 mov eax, [ebx+$03A0]

* Reference to: Controls.TControl.GetText() |

0044C1C5 E85A96FDFF call 00425824
0044C1CA 8B45C4 mov eax, [ebp-$3C]

* Reference to: Sysutils.StrToFloat(System.AnsiString) |

0044C1CD E862C0FBFF call 00408234                          /**Takes the fourth number puts it into Float**/
0044C1D2 DD5DD0 fstp qword ptr [ebp-$30]
0044C1D5 9B wait
0044C1D6 8D55C4 lea edx, [ebp-$3C]

* Reference to control TForm1.sN5 : TLabel |

0044C1D9 8B83A4030000 mov eax, [ebx+$03A4]

* Reference to: Controls.TControl.GetText() |

0044C1DF E84096FDFF call 00425824
0044C1E4 8B45C4 mov eax, [ebp-$3C]

* Reference to: Sysutils.StrToFloat(System.AnsiString) |

0044C1E7 E848C0FBFF call 00408234                      /**Takes the fifth number puts it into Float**/
0044C1EC DD5DC8 fstp qword ptr [ebp-$38]
0044C1EF 9B wait
0044C1F0 DD45E0 fld qword ptr [ebp-$20]
0044C1F3 83C4F4 add esp, -$0C
0044C1F6 DB3C24 fstp tbyte ptr [esp]
0044C1F9 9B wait
0044C1FA B803000000 mov eax, $00000003
0044C1FF E8ECF6FCFF call 0041B8F0                     /** Raises the second number (B) to the power 3 (eax = 3): if your trackbar is at 3 you get 27 **/
0044C204 D80550C34400 fadd dword ptr [$44C350]    /** then adds 5 **/
0044C20A D9FA fsqrt                                              /** and takes the square root of the sum **/

* Reference to: System..COS() |

0044C20C E8F365FBFF call 00402804                     /** and takes the cosine of that, so this part of the algo is cos(sqrt(B^3+5)) **/
0044C211 DB7DB8 fstp tbyte ptr [ebp-$48]
0044C214 9B wait
0044C215 D90554C34400 fld dword ptr [$44C354]     /** Loads the constant 1 **/
0044C21B DC45E8 fadd qword ptr [ebp-$18]             /** and adds the first number (A): 1+A **/
0044C21E D9FA fsqrt
0044C220 D9E0 fchs                                              /** Square root, then the sign is flipped: -sqrt(1+A); the cos result from above is added to it next **/
0044C222 DB6DB8 fld tbyte ptr [ebp-$48]
0044C225 DEC1 faddp st(1), st(0)
0044C227 DB7DAC fstp tbyte ptr [ebp-$54]
0044C22A 9B wait
0044C22B D90558C34400 fld dword ptr [$44C358]      /** Loads the constant 3 **/
0044C231 DC4DD8 fmul qword ptr [ebp-$28]              /** and multiplies it with the third number (C): 3*C **/
0044C234 D80554C34400 fadd dword ptr [$44C354]   /** adds 1 **/
0044C23A D9ED fldln2                                            /** fldln2 / fyl2x compute ln(3*C+1), which is then added to the A and B terms **/
0044C23C D9C9 fxch st(0), st(1)
0044C23E D9F1 fyl2x
0044C240 DB6DAC fld tbyte ptr [ebp-$54]              
0044C243 DEC1 faddp st(1), st(0)                         
0044C245 DB7DA0 fstp tbyte ptr [ebp-$60]          
0044C248 9B wait
0044C249 D9055CC34400 fld dword ptr [$44C35C]     /** Loads the constant 2 **/
0044C24F DC45D0 fadd qword ptr [ebp-$30]              /** and adds the fourth number (D): D+2 **/
0044C252 D9FA fsqrt                                              /** square root; fsubrp below subtracts it from the A+B+C total **/
0044C254 DB6DA0 fld tbyte ptr [ebp-$60]
0044C257 DEE1 fsubrp st(1), st(0)
0044C259 D90558C34400 fld dword ptr [$44C358]   /** Loads 3 and multiplies it with the fifth number (E) **/
0044C25F DC4DC8 fmul qword ptr [ebp-$38]           /** then divides 3*E by 2 and adds it to the A+B+C+D total **/
0044C262 D8355CC34400 fdiv dword ptr [$44C35C]
0044C268 DEC1 faddp st(1), st(0)
0044C26A DB2D60C34400 fld tbyte ptr [$44C360]
0044C270 DEC1 faddp st(1), st(0)                             /** adds 0.37: A+B+C+D+E terms + 0.37 **/
0044C272 D80D6CC34400 fmul dword ptr [$44C36C]
0044C278 DD5DF0 fstp qword ptr [ebp-$10]
0044C27B 9B wait
0044C27C DD45F0 fld qword ptr [ebp-$10]

* Reference to: System..ROUND() |

0044C27F E89065FBFF call 00402814
0044C284 894598 mov [ebp-$68], eax                         /** Here you can see our number from the algo: type ? EAX and you get 5415 for trackbars 1 2 3 4 5 **/
0044C287 89559C mov [ebp-$64], edx
0044C28A DF6D98 fild qword ptr [ebp-$68]
0044C28D 83C4F4 add esp, -$0C
0044C290 DB3C24 fstp tbyte ptr [esp]
0044C293 9B wait
0044C294 8D45FC lea eax, [ebp-$04]

* Reference to: Sysutils.FloatToStr(Extended) |

0044C297 E868BFFBFF call 00408204
0044C29C 8D45FC lea eax, [ebp-$04]
0044C29F E85CFCFFFF call 0044BF00                        /** Important: this call (shown further below) XOR-encodes our computed string before the compare **/
0044C2A4 8B45FC mov eax, [ebp-$04]

* Possible String Reference to: (4 non-printable bytes: B5 BA B2 BA) |

0044C2A7 BA78C34400 mov edx, $0044C378

* Reference to: System..LStrCmp() |

0044C2AC E8D378FBFF call 00403B84                            /**Important compares our serial with his serial**/
0044C2B1 7538 jnz 0044C2EB
0044C2B3 8D45F8 lea eax, [ebp-$08]

* Possible String Reference to: (non-printable bytes) |

0044C2B6 BA88C34400 mov edx, $0044C388


-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

OK, now go to the call at 44C2AC, type D EAX and you get the number from the algo; D EDX shows the number it has to be. So with the trackbars set to 1 2 3 4 5, my EAX is B8 B7 BD B6 and EDX is BA B2 BA B5. Now look at the call at 44C29F and you will see this:


-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------




0044BF1E 7638 jbe 0044BF58
0044BF20 880424 mov [esp], al
0044BF23 B301 mov bl, $01
0044BF25 B81C000000 mov eax, $0000001C
0044BF2A E8516AFBFF call 00402980
0044BF2F 0D80000000 or eax, $00000080
0044BF34 8BFB mov edi, ebx
0044BF36 81E7FF000000 and edi, $000000FF
0044BF3C 8B16 mov edx, [esi]
0044BF3E 0FB6543AFF movzx edx, byte ptr [edx+edi-$01]
0044BF43 33C2 xor eax, edx
0044BF45 50 push eax
0044BF46 8BC6 mov eax, esi
* Reference to: System.UniqueString(System.AnsiString) |

0044BF48 E8F77CFBFF call 00403C44
0044BF4D 5A pop edx
0044BF4E 885438FF mov [eax+edi-$01], dl
0044BF52 43 inc ebx
0044BF53 FE0C24 dec byte ptr [esp]
0044BF56 75CD jnz 0044BF25
0044BF58 5A pop edx



-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

So if you look at the algo you will see how it works. Our number from the algo is 5415, so look at it; B6 BD B7 B8 is EAX:


83 XOR 35 = B6

89 XOR 34 = BD

86 XOR 31 = B7

8D XOR 35 = B8



So instead of EAX use EDX, which is B5 BA B2 BA, and you get the number out. How?



B5 XOR 83 = 36

BA XOR 89 = 33

B2 XOR 86 = 34

BA XOR 8D = 37

So our number out of the first algo should be 6347, heh. Now I will write the whole algo again (the first one):



A B C D E ::

cos(sqrt(B^3 + 5)) - sqrt(1 + A) + ln(3*C + 1) - sqrt(2 + D) + 3*E/2 + 0.37 = 6.347

This would be crazy to calculate by hand, so I made a brute force in Java:

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------



import java.io.*;

public class klemen {
    public static void main(String[] s) throws Exception {
        double a, b, c, d, e;
        double az, bz, cz, dz, ez;

        // every hit is printed and also written to klemen.txt
        PrintStream lojze = new PrintStream(new FileOutputStream("klemen.txt", false));

        for (az = 0; az < 10; az++) {
            for (bz = 0; bz < 10; bz++) {
                for (cz = 0; cz < 10; cz++) {
                    for (dz = 0; dz < 10; dz++) {
                        for (ez = 0; ez < 10; ez++) {
                            // the five terms of the algo, one per trackbar
                            a = Math.cos(Math.sqrt(Math.pow(bz, 3.0) + 5.0));
                            b = -Math.sqrt(az + 1.0);
                            c = Math.log(3.0 * cz + 1.0);
                            d = -Math.sqrt(dz + 2.0);
                            e = 1.5 * ez;

                            if (Math.abs((a + b + c + d + e + 0.37) - 6.347) < 0.001) {
                                // "resitev" = solution
                                System.out.println("resitev: " + az + " " + bz + " " + cz + " " + dz + " " + ez);
                                lojze.println(az + " " + bz + " " + cz + " " + dz + " " + ez);
                                System.out.println(a + b + c + d + e + 0.37);
                            }
                        }
                    }
                }
            }
        }
        lojze.close();
    }
}



-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


So I got the solutions in the file; here are some, try them:

1.0 4.0 4.0 3.0 5.0
1.0 5.0 2.0 4.0 5.0
4.0 4.0 4.0 0.0 5.0
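As an added example (Python, written for this edition; it is neither the crackme's code nor the Java brute force above), here is the whole Task Five chain in one script: the formula exactly as the FPU listing computes it, the XOR key recovery from the known computed string "5415" and its encoded bytes B6 BD B7 B8, which then decodes the stored target B5 BA B2 BA to "6347", and the brute force over trackbar values 0 to 9 with the same 6.347 / 0.001 tolerance the Java uses. The final fmul by [$44C36C] is not shown on the page, so the tolerance comparison stands in for it; the trackbar values are iterated as integers rather than doubles.

```python
# Added example, not the crackme's or the tutorial's code. Re-creates the
# TrackBar check from the FPU listing and the XOR step at 0044BF00, then
# brute-forces the five trackbar values like the tutorial's Java does.
import math
from itertools import product


def trackbar_formula(a, b, c, d, e):
    """Follows the FPU code: cos(sqrt(B^3+5)) - sqrt(1+A) + ln(3C+1)
    - sqrt(D+2) + 3E/2 + 0.37. (fldln2 / fyl2x computes ln2*log2(x) = ln(x).)
    Constants 5, 1, 3, 2 and 0.37 are the ones the tutorial reads out."""
    t = math.cos(math.sqrt(b ** 3 + 5.0))      # 0044C1F0..0044C20C
    t += -math.sqrt(1.0 + a)                   # 0044C215..0044C225
    t += math.log(3.0 * c + 1.0)               # 0044C22B..0044C243
    t -= math.sqrt(d + 2.0)                    # 0044C249..0044C257
    t += 3.0 * e / 2.0                         # 0044C259..0044C268
    return t + 0.37                            # 0044C26A..0044C270


def brute_force(target=6.347, tolerance=0.001, values=range(10)):
    """All (A,B,C,D,E) in 0..9 whose formula value is within tolerance of the
    target; the 0.001 window is the same one the tutorial's Java uses because
    the page does not show the scaling constant before System.ROUND."""
    return [combo for combo in product(values, repeat=5)
            if abs(trackbar_formula(*combo) - target) < tolerance]


def recover_keystream(plain, encoded):
    """The loop at 0044BF25 XORs byte i of the string with a per-position key
    byte. Knowing one plaintext (the computed '5415') and its encoded form
    gives the key bytes by XORing them back together."""
    return bytes(p ^ k for p, k in zip(plain.encode("latin-1"), encoded))


def xor_decode(encoded, keystream):
    """Apply the recovered key bytes to the stored target string."""
    return bytes(x ^ k for x, k in zip(encoded, keystream)).decode("latin-1")


# Values from the tutorial's SoftIce session (trackbars 1 2 3 4 5 -> "5415").
EAX_ENCODED = bytes.fromhex("B6BDB7B8")   # computed string after the XOR
EDX_STORED = bytes.fromhex("B5BAB2BA")    # stored target string

if __name__ == "__main__":
    key = recover_keystream("5415", EAX_ENCODED)
    print(key.hex())                       # 8389868d
    print(xor_decode(EDX_STORED, key))     # 6347
    for sol in brute_force()[:5]:
        print(sol, round(trackbar_formula(*sol), 4))
```

The key bytes come out the same for the stored target only because the XOR loop uses the same per-position values each run; a reversible per-byte XOR with a repeatable key stream is no stronger than storing the plain target, which is exactly what the known-plaintext step shows.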

Finally the crackme is done. It's good, and I like crackmes with more tasks, so that when I solve one I can do the next; in this case I did them all, heh. Bye until next time.

 

::Greetings ::

         Special and biggest thanks go to Corbio, who made my cracking skills better; to Nukem for helping to make the HTML and to Chordless for helping me learn about it; and to VATi, who likes to play with colour and makes good gfx!

Greetings:
                   XasX, Santmat, Noodle, Q+, SEvando2000, Wishmaker, Acid_Cool_178, am4, Woody, SV, Bratch, Batilog, Code_Inside, to all members of TNT and TCA... and to all that I have forgotten!!

And of course to all crackme writers and to all people that have helped me!
Sorry about grammar mistakes!!


  NeO'X'QuiCK

© 2001 by NeO'X'Quick