Cracking vo!d's Crackme #1
Written by Phueghy
 
 
Introduction
As vo!d was the first one ever to crack my simple cpp-crackmes at crackmes.cjb.net, this
is my answer. I tried his first crackme and found it easy, yet a nice algo, and had some
fun playing around with it.
 


 
Tools required 

W32Dasm V8.93 (for deadlisting)
Visual Basic 5.0 (or whatever) for coding Keygen... Yes, it's VB now!

Target's Url 

http://crackmes.cjb.net


 
Essay
So, let's get it on. vo!d promised this one would be very easy, so have a look at it. Start the crackme, enter a name and a code (I use Phueghy and 39143214) and press [Check]. Nothing happens. Hm. So start disassembling the crackme in W32Dasm and have a look at the code. Search the String Data References (S.D.R.) for some kind of important message, and what do we find? "GOOD JOB! CRACKED!" - the good-boy message. Double-click on it and you should land here (scroll up a bit):

:0040124D 68306A4000              push 00406A30
:00401252 6830694000              push 00406930
:00401257 E8A4FDFFFF              call 00401000
:0040125C 83C408                  add esp, 00000008
:0040125F 83F801                  cmp eax, 00000001
:00401262 A3646C4000              mov dword ptr [00406C64], eax
:00401267 7565                    jne 004012CE     <- BAD BOY!!
:00401269 8B1528694000            mov edx, dword ptr [00406928]
:0040126F 6A40                    push 00000040

* Possible StringData Ref from Data Obj ->"GOOD JOB! - CRACKED!"
                                  |
:00401271 6880604000              push 00406080

* Possible StringData Ref from Data Obj ->"Send your solution to : v0id2k1@hotmail.com "
                                  |
:00401276 6850604000              push 00406050
:0040127B 52                      push edx

* Reference To: USER32.MessageBoxA, Ord:01BEh
                                  |
:0040127C FF15C4504000            Call dword ptr [004050C4]
So what this does is kinda easy: it pushes your name and serial at 40124D ff. and then calls the serial verification routine at 401000. Afterwards it cleans up the stack and checks if the serial entered was ok (then eax will be 1; anything else takes the jne at 401267 to the bad boy). We could patch here to make it say registered, but that was forbidden by vo!d, so we need a working serial. Trace into the serial verification routine and you will find this:
:00401000 53                      push ebx
:00401001 8B5C240C                mov ebx, dword ptr [esp+0C]
:00401005 55                      push ebp
:00401006 56                      push esi
:00401007 8B742410                mov esi, dword ptr [esp+10]
:0040100B 8A0B                    mov cl, byte ptr [ebx]
:0040100D 33ED                    xor ebp, ebp
:0040100F 57                      push edi
:00401010 8A06                    mov al, byte ptr [esi]
:00401012 3AC1                    cmp al, cl
:00401014 0F8569010000            jne 00401183
This code checks if the 1st char of the entered name and serial are the same. If not, it jumps to 401183, where it moves our name into eax and exits the verification routine, so eax is != 1 and the code is WRONG! So for our next attempt, enter name Phueghy and serial P9143214. Try again and it won't jump away at 401014. Tracing on, we find the next check:
:0040101A 8BFE                    mov edi, esi
:0040101C 83C9FF                  or ecx, FFFFFFFF
:0040101F 33C0                    xor eax, eax
:00401021 F2                      repnz
:00401022 AE                      scasb
:00401023 F7D1                    not ecx
:00401025 49                      dec ecx
:00401026 83F905                  cmp ecx, 00000005
:00401029 0F8254010000            jb 00401183
:0040102F 807B012D                cmp byte ptr [ebx+01], 2D
:00401033 0F854A010000            jne 00401183
This gets the length of our name (the repnz scasb counts bytes up to the terminating zero) and compares it to 5. If lower, it jumps away to the Bad Boy. Remember our serial sitting in ebx: its 2nd char is compared to 2Dh, which is hex for "-". So change name/serial to Phueghy/P-143214 and try once again. There is some unnecessary check following, and the real part starts at
:00401049 0FBE0C32                movsx ecx, byte ptr [edx+esi]
:0040104D 03E9                    add ebp, ecx
:0040104F 8BFE                    mov edi, esi
:00401051 83C9FF                  or ecx, FFFFFFFF
:00401054 33C0                    xor eax, eax
:00401056 42                      inc edx
:00401057 F2                      repnz
:00401058 AE                      scasb
:00401059 F7D1                    not ecx
:0040105B 49                      dec ecx
:0040105C 3BD1                    cmp edx, ecx
:0040105E 72E9                    jb 00401049
This loop sums the ASCII values of our name's characters (movsx sign-extends each byte, which makes no difference for plain ASCII) and stores the sum in ebp.
:00401060 81C564600000            add ebp, 00006064
It adds 6064h (24676 decimal) to it and passes this value to some kind of wsprintf function, which turns it into a readable decimal string and stores it at 406B30. The following code
:00401076 8A16                    mov dl, byte ptr [esi]
:00401078 8BFE                    mov edi, esi
:0040107A 83C9FF                  or ecx, FFFFFFFF
:0040107D 33C0                    xor eax, eax
:0040107F 8815446B4000            mov byte ptr [00406B44], dl
:00401085 C605456B40002D          mov byte ptr [00406B45], 2D
:0040108C F2                      repnz
:0040108D AE                      scasb
:0040108E F7D1                    not ecx
:00401090 49                      dec ecx
:00401091 0FBE4431FF              movsx eax, byte ptr [ecx+esi-01]
:00401096 50                      push eax
:00401097 E8C4020000              call 00401360
:0040109C A2466B4000              mov byte ptr [00406B46], al
determines whether the last character of the name is upper- or lowercase; it is turned to uppercase in the call at 401360 if it isn't. Then it's appended to the first 2 chars of the serial (the 1st char of the name at 406B44 and the "-" at 406B45).
What we have so far: 1st char of name + "-" + UPPERCASE(last char of name) + [sum(name) + 6064h] (which in my case is P-Y25406).
And we go on. Through some needless checks and bit copying (I guess vo!d really loves repnz) it finally does an
 :004010B1 81C564600000            add ebp, 00006064 
again, so to the sum of our name + 6064h another 6064h is added. This value is also turned into readable decimal format and the final serial is constructed at 406B44 in memory. The instruction
:00401137 A5                      movsd
finally puts the whole serial together. So for my name Phueghy the correct serial is P-Y25406-50082, and what we also have is the serial generating algo:
  • 1.: Take 1st char of name
  • 2.: append "-"
  • 3.: take last char of name in uppercase
  • 4.: calculate ascii sum of name chars and add 6064h, convert to dec and append
  • 5.: append "-"
  • 6.: add 6064h again to the sum and append dec value -> ready!
    So it's easy now to code a keygen. I decided to do it in VB this time. Here's my source:
    Private Sub Command1_Click()
     MsgBox "Coded by Phueghy in VB!", , "Phueghy@gmx.de"
     End
    End Sub
    
    Private Sub Form_Load()
     Call Text1_Change
    End Sub
    
    Private Sub Text1_Change()
     Dim serial As String, uname As String
     Dim sum As Long, i As Integer
     uname = Text1.Text
     ' the target rejects names shorter than 5 chars (cmp ecx, 5 / jb at 401026)
     If Len(uname) < 5 Then
      serial = "Enter 5 chars at least"
      GoTo ende
     End If
     ' part1 of serial: 1st char of name, "-", uppercase last char of name
     serial = Left(uname, 1) & "-" & UCase(Right(uname, 1))
     ' ASCII sum of the name, plus 6064h (24676)
     sum = 0
     For i = 1 To Len(uname)
      sum = sum + Asc(Mid(uname, i, 1))
     Next
     sum = sum + 24676
     serial = serial & Trim(Str(sum)) & "-"
     ' part2: another 6064h on top of the same sum
     sum = sum + 24676
     serial = serial & Trim(Str(sum))
    ende:
     Clipboard.SetText serial
     Text2.Text = serial
    End Sub
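    As an added example (not part of Phueghy's essay, which ships the VB keygen above), here is the six-step algorithm in Python together with a small checker that mirrors the checks visible in the deadlisting of the routine at 401000: first char of the serial equals first char of the name, name length at least 5, "-" at the second position. The final string compare is an assumption: the essay shows the serial being assembled at 406B44 but not the compare instruction itself. The signed byte sum and the C-locale style uppercasing are read off the movsx and the call at 401360; both only matter for non-ASCII names, where the VB Asc()/UCase() version would give a different result.

```python
# Added example, not code from Phueghy's essay: keygen and checker for vo!d's
# Crackme #1, following the serial routine at 401000 as described above.

MAGIC = 0x6064  # 24676 decimal; added at 401060 and again at 4010B1


def _toupper_ascii(c: str) -> str:
    # Assumption: the call at 401360 behaves like a C-locale toupper(),
    # i.e. it only touches 'a'..'z'.
    return chr(ord(c) - 32) if "a" <= c <= "z" else c


def keygen(name: str) -> str:
    """Serial = <name[0]> '-' <UPPER(name[-1])> <sum+6064h> '-' <sum+2*6064h>.

    The target handles the name as a zero-terminated byte string, so the
    name is encoded as latin-1 (one byte per character) before summing.
    """
    data = name.encode("latin-1")
    if len(data) < 5:
        # 401026: cmp ecx, 5 / jb 401183 -> shorter names never validate
        raise ValueError("name must be at least 5 characters long")
    # 401049: movsx ecx, byte ptr [edx+esi] / add ebp, ecx
    # movsx sign-extends, so bytes >= 0x80 count as negative; irrelevant for ASCII.
    total = sum(b - 256 if b >= 0x80 else b for b in data)
    part1 = total + MAGIC          # 401060: add ebp, 6064h
    part2 = part1 + MAGIC          # 4010B1: add ebp, 6064h (second time)
    return f"{name[0]}-{_toupper_ascii(name[-1])}{part1}-{part2}"


def check(name: str, serial: str) -> bool:
    """Return True where the routine at 401000 would return eax == 1.

    The first three tests are the ones visible in the deadlisting; the final
    compare against the generated serial is an assumption (the essay shows
    the serial being assembled at 406B44, not the compare itself).
    """
    if not name or not serial:
        return False
    try:
        data = name.encode("latin-1")
    except UnicodeEncodeError:
        return False                          # not representable as one byte per char
    if serial[0] != name[0]:                  # 401012: cmp al, cl / jne 401183
        return False
    if len(data) < 5:                         # 401026: cmp ecx, 5 / jb 401183
        return False
    if len(serial) < 2 or serial[1] != "-":   # 40102F: cmp byte ptr [ebx+01], 2Dh
        return False
    return serial == keygen(name)


if __name__ == "__main__":
    # Constructed sample names; "Phueghy" is the one used in the essay.
    for n in ("Phueghy", "W32Dasm"):
        s = keygen(n)
        print(f"{n:10} -> {s}  valid={check(n, s)}")
```

    For Phueghy the block produces P-Y25406-50082, the serial derived by hand above, and `check()` rejects the three intermediate attempts from the essay (39143214, P9143214, P-143214) at exactly the compare each of them failed in the debugger.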
    
    You could also download the whole package including the keygen here.


     
    Final Notes 
     

    My Greetz Goes to:

    Laokoon
    everyone in #Cracking4newbies
    everyone in #win32asm
    tnHuan and all members of Tres2000
    and all who I forgot..
     
     
     

    When ever there is a door,
    there is an entrance.
    And behind an entrance can no secret hide,
    when a cracker takes his knowledge for a ride
                                                                                   McCodEMaN

     
    ObDuh

    As this is an essay on how to crack a crackme, all you have to know is that vo!d is the author.
     
     
     
     
     
     

    Essay written by Phueghy ©TRES2000. All Rights Reserved.