February 1999
"iCECREAM's first Crackme"
Win '95 PROGRAM

by Thallium

Code Reversing For Beginners

Program Details
Tools Used:
Rating: Very Easy ( X ) Easy ( ) Medium ( ) Hard ( ) Pro ( )
There is a crack, a crack in everything. That's how the light gets in. |
"iCECREAM's first Crackme"
("Simple name/serial registration")
Written by Thallium
Introduction
What the author says:
There is one simple rule. No patching!
About this protection system
When the program starts we see a small window, which prompts us for a 'Name' and a 'Serial'.
If we enter an incorrect serial for our name we get a window with the message 'Sorry bad cracker. Wrong password. Patching is not allowed :)'
If we enter a correct serial for our name we get a different window with the message 'You made it. Send your name and code to knasig@kurir.net'
The Essay
Ok, start the program and enter your name and a fake serial. I entered:
Name: Thallium
Serial: 12121212
Press Ctrl-D to open softice, and set a breakpoint on GetWindowTextA by typing bpx getwindowtexta (I tried GetDlgItemTextA first, but softice didn't break). Now press the 'Check' button and softice breaks. We land in User32 at GetWindowTextA, press F12 twice to return to the crackme code. Disable your breakpoint at this time by typing bd *. We are now at this code snippet:
:004012CB 50                   push eax
:004012CC 68E8030000           push 000003E8
:004012D1 57                   push edi

* Reference To: MFC42.Ordinal:0942, Ord:0942h
                                  |
:004012D2 E869050000           Call 00401840            ; Get name
:004012D7 83C664               add esi, 00000064        ; <-- We land here
:004012DA 56                   push esi
:004012DB 68E9030000           push 000003E9
:004012E0 57                   push edi

* Reference To: MFC42.Ordinal:093C, Ord:093Ch
                                  |
:004012E1 E854050000           Call 0040183A            ; Get serial
:004012E6 5F                   pop edi
:004012E7 5E                   pop esi
:004012E8 C20400               ret 0004
Now we need to get into the main code and find the routine that calculates the correct serial. Pressing F12 twice will bring you into the main code here:

:00401579 6A01                 push 00000001
:0040157B 89742414             mov dword ptr [esp+14], esi

* Reference To: MFC42.Ordinal:18BE, Ord:18BEh
                                  |
:0040157F E8E6020000           Call 0040186A            ; Get name/serial
:00401584 8B7E60               mov edi, dword ptr [esi+60]   ; <-- We land here
:00401587 83C9FF               or ecx, FFFFFFFF
:0040158A 33C0                 xor eax, eax
:0040158C 33DB                 xor ebx, ebx
:0040158E 33ED                 xor ebp, ebp
:00401590 8D542414             lea edx, dword ptr [esp+14]
:00401594 F2                   repnz
:00401595 AE                   scasb
:00401596 F7D1                 not ecx
The actual calculation routine takes place at 004015E2, so press F10 until you get to this location:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004015E2(C)
|
:004015BE 0FBE441414           movsx eax, byte ptr [esp+edx+14]      ; Get letter of name
:004015C3 8D7C2414             lea edi, dword ptr [esp+14]
:004015C7 8D48FC               lea ecx, dword ptr [eax-04]           ; ecx = letter - 4
:004015CA 8D6C453A             lea ebp, dword ptr [ebp+2*eax+3A]     ; ebp = ebp + (letter * 2) + 0x3A
:004015CE 8BF1                 mov esi, ecx                          ; esi = letter - 4
:004015D0 33C0                 xor eax, eax                          ; eax = 0
:004015D2 03F3                 add esi, ebx                          ; esi = esi + ebx
:004015D4 42                   inc edx                               ; edx = edx + 1 (used at 004015BE to get each letter)
:004015D5 8D1C4E               lea ebx, dword ptr [esi+2*ecx]        ; ebx = esi + ((letter - 4) * 2)
:004015D8 83C9FF               or ecx, FFFFFFFF                      ; \
:004015DB F2                   repnz                                 ;  \
:004015DC AE                   scasb                                 ;   Count letters in name (ecx = length after
:004015DD F7D1                 not ecx                               ;   not/dec), and loop back to 004015BE
:004015DF 49                   dec ecx                               ;   while edx < (number of letters)
:004015E0 3BD1                 cmp edx, ecx                          ;  /
:004015E2 72DA                 jb 004015BE                           ; /

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004015BC(C)
|
:004015E4 8B742410             mov esi, dword ptr [esp+10]           ; esi = location of fake serial - 64
:004015E8 8D8C1D3C7D0000       lea ecx, dword ptr [ebp+ebx+00007D3C] ; Add results of above calculation to 0x7D3C
:004015EF 6AFF                 push FFFFFFFF
:004015F1 394E64               cmp dword ptr [esi+64], ecx           ; Compare serials
:004015F4 7521                 jne 00401617                          ; Jump if serials don't match
We could stop here, since typing d ecx would show us a valid serial for our name, but I will go further and show how to make a key generator. We need to study the calculation code to see what is going on.
1. Get the letter pointed to by edx, save it in eax.
2. Subtract 4 from eax, save it in ecx.
3. Multiply eax by 2, add ebp, add 0x3A, save it in ebp.
4. Add ecx and ebx, save it in esi.
5. Multiply ecx by 2, add esi, save it in ebx.
6. Increment edx (the letter counter).
7. Loop steps 1 to 6 until all letters of the name have been processed.
8. Serial = ebp + ebx + 0x7D3C
A key generator to perform this routine could be written in almost any language: C, C++, Pascal, Assembler, etc. I chose to write mine in C (the only language I know), and here is what I came up with.
-------->8-------->8-------->8-------->8-------->8--------
#include <stdio.h>
#include <string.h>

int main()
{
    char name[100];
    int namelen, count;
    unsigned int temp1 = 0;      /* ebx in the crackme */
    unsigned int temp2 = 0;      /* ebp in the crackme */
    unsigned int temp3 = 0;      /* esi in the crackme */
    unsigned long serial = 0;

    printf("iCECREAM's first Crackme, Key Generator\n");
    printf("Coded by Thallium, <Thallium@iName.com>\n");
    printf("\nEnter your name: ");
    if (fgets(name, sizeof(name), stdin) == NULL)   /* fgets instead of gets: bounded read */
        return 1;
    name[strcspn(name, "\r\n")] = '\0';              /* drop the newline fgets keeps */
    namelen = strlen(name);

    for (count = 0; count < namelen; count++)
    {
        temp2 = (name[count] * 2) + temp2 + 0x3a;    /* ebp = ebp + (letter * 2) + 0x3A */
        temp3 = (name[count] - 4) + temp1;           /* esi = (letter - 4) + ebx */
        temp1 = (name[count] - 4) * 2 + temp3;       /* ebx = ((letter - 4) * 2) + esi */
    }
    serial = temp1 + temp2 + 0x7d3c;                 /* serial = ebx + ebp + 0x7D3C */

    printf("\nYour serial number is: %lu\n", serial);
    return 0;
}
-------->8-------->8-------->8-------->8-------->8--------
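As an added example (not Thallium's keygen and not the crackme's own source), here is the same routine written register by register as a function, together with a check function that mirrors the cmp/jne decision at 004015F1. Working in 32-bit registers (uint32_t) reproduces the crackme's wrap-around exactly, and the explicit loop condition shows why the repnz scasb / not / dec sequence amounts to "process every letter". The function names, the sample name "Thallium" and the use of strtoul to turn the typed serial into a dword are my own assumptions; the page only shows that the serial is compared as a dword at [esi+64].

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors the loop at 004015BE..004015E2 and the lea at 004015E8.
 * Variable names follow the registers the crackme uses. */
uint32_t icecream_serial(const char *name)
{
    uint32_t ebp = 0;                          /* xor ebp, ebp */
    uint32_t ebx = 0;                          /* xor ebx, ebx */
    uint32_t esi, ecx, edx;
    uint32_t len = (uint32_t)strlen(name);     /* repnz scasb ; not ecx ; dec ecx */

    for (edx = 0; edx < len; edx++) {          /* cmp edx, ecx ; jb 004015BE */
        /* movsx eax, byte ptr [esp+edx+14]: sign-extended byte */
        uint32_t eax = (uint32_t)(int32_t)(signed char)name[edx];
        ecx = eax - 4;                         /* lea ecx, [eax-04] */
        ebp = ebp + 2 * eax + 0x3A;            /* lea ebp, [ebp+2*eax+3A] */
        esi = ecx + ebx;                       /* mov esi, ecx ; add esi, ebx */
        ebx = esi + 2 * ecx;                   /* lea ebx, [esi+2*ecx] */
    }
    return ebp + ebx + 0x7D3C;                 /* lea ecx, [ebp+ebx+00007D3C] */
}

/* The decision at 004015F1/004015F4: cmp dword ptr [esi+64], ecx ; jne.
 * Returns 1 for "You made it", 0 for "Sorry bad cracker".
 * Assumption: the typed serial is a decimal number held as a dword. */
int icecream_check(const char *name, const char *serial_text)
{
    char *end;
    unsigned long typed = strtoul(serial_text, &end, 10);
    if (end == serial_text || *end != '\0')
        return 0;                              /* not a number at all */
    return (uint32_t)typed == icecream_serial(name);
}

int main(int argc, char **argv)
{
    /* "Thallium" is a constructed sample input, the name used in the essay */
    const char *name = argc > 1 ? argv[1] : "Thallium";
    printf("Serial for \"%s\": %lu\n", name, (unsigned long)icecream_serial(name));
    return 0;
}
```

Two things worth noticing when you run it: an empty name gives exactly 0x7D3C (32060), so the constant is a fixed offset rather than something mixed into each letter, and because ebx only ever grows by 3*(letter - 4) per letter, ebx ends up as 3 times the sum of (letter - 4), which is why the whole serial depends only on the sum of the characters and not their order.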
Final Notes
This protection is very simple but could be quite useful for learning to write keygens. Try picking another similar CrackMe or program and write your own keygen for it!
My thanks and gratitude goes to:-
The Sandman for his great site for newbies and for his newbies cracking forum!
+Fravia also for his great site and more advanced forum.
Ob Duh
Do I really have to remind you all that buying, and NOT stealing, the software you use will ensure that these software houses are encouraged to produce even *better* software for us to use and enjoy?
Ripping off software through serials and cracks is for lamers.
If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.
Essay by: Thallium
Page Created: 9th February 1999