First, to crack this babe you must have Sice loaded in memory. If you don't know how
to configure your config.sys and autoexec.bat files then check our site for more information! Now run the proggie. Type the name into the first textbox and any random
serial into the second one! Press "CTRL-D" to pop up Sice!
I entered: Bjanes
998899
Now we must set one breakpoint so Sice breaks. You can also find the most
common breakpoints on our site! In this crackme a bp at GetWindowTextA
should work fine. So type "bpx GetWindowTextA" in Sice!
Press "CTRL-D" again to close SoftICE...and click on the "Check" button
and the program will verify your code!
You'll see that Sice breaks when the proggie tries to read the text from
the textboxes. In other words, Sice breaks at the beginning of the
GetWindowTextA routine! There are two textboxes, so press "CTRL-D"
and the proggie will break again when reading the text from the second textbox. That's
the serial that you entered. Now press "F11" once to exit the GetWindowTextA code.
You'll now be here...
015F:5F411905 FF1588B5495F CALL [USER32!GetWindowTextA] ;You land here
015F:5F41190B 8D4518 LEA EAX,[EBP+18]
015F:5F41190E 50 PUSH EAX
015F:5F41190F 8D45E0 LEA EAX,[EBP-20]
015F:5F411912 FF7510 PUSH DWORD PTR [EBP+10]
015F:5F411915 50 PUSH EAX
015F:5F411916 E803010000 CALL 5F411A1E
015F:5F41191B 85C0 TEST EAX,EAX
015F:5F41191D 0F84AB420500 JZ 5F465BCE
015F:5F411923 5F POP EDI
015F:5F411924 5E POP ESI
015F:5F411925 C9 LEAVE
015F:5F411926 C3 RET
Now press "F12" four times and you'll land exactly on the calculation routine!
So, we are now here:
This is the routine which copies your name to another memory location...
015F:00401584 8B7E60 MOV EDI,[ESI+60] ;EDI = User name; Type "d edi" here and you'll see your name in the data window
015F:00401587 83C9FF OR ECX,-01 ;ECX = FFFFFFFF; Counter for routine below(1)
015F:0040158A 33C0 XOR EAX,EAX ;EAX = 0
015F:0040158C 33DB XOR EBX,EBX ;EBX = 0
015F:0040158E 33ED XOR EBP,EBP ;EBP = 0
015F:00401590 8D542414 LEA EDX,[ESP+14] ;EDX = Address where name will be copied
015F:00401594 F2AE REPNZ SCASB(1) ;Get the length of the name; Negative result stored in ECX
015F:00401596 F7D1 NOT ECX ;ECX = Length of name +1
015F:00401598 2BF9 SUB EDI,ECX ;EDI = Pointer to name
015F:0040159A 8BC1 MOV EAX,ECX ;EAX = Length of name +1
015F:0040159C 8BF7 MOV ESI,EDI ;ESI = Pointer to name
015F:0040159E 8BFA MOV EDI,EDX ;EDI = Address where name will be copied
015F:004015A0 33D2 XOR EDX,EDX ;EDX = 0
015F:004015A2 C1E902 SHR ECX,02 ;ECX = ECX / 4 = number of dwords to copy; Copy the first part of name
015F:004015A5 F3A5 REPZ MOVSD ;...so copy it!
015F:004015A7 8BC8 MOV ECX,EAX ;ECX = Length, again!
015F:004015A9 33C0 XOR EAX,EAX ;EAX = 0
015F:004015AB 83E103 AND ECX,03 ;ECX = Number of bytes to copy
015F:004015AE F3A4 REPZ MOVSB ;Copy the second part
015F:004015B0 8D7C2414 LEA EDI,[ESP+14] ;EDI = Pointer to the name
015F:004015B4 83C9FF OR ECX,-01 ;ECX = FFFFFFFF
015F:004015B7 F2AE REPNZ SCASB ;REPNZ, again; This time it's really used to get the length
015F:004015B9 F7D1 NOT ECX ;ECX = Length of name +1
015F:004015BB 49 DEC ECX ;ECX = Length of name
015F:004015BC 7426 JZ 004015E4 ;If there is no name then jump to the end of code(2)
Look at this carefully, here is the most important piece of code, 'coz here is the calculation routine...
015F:004015BE 0FBE441414 MOVSX EAX,BYTE PTR [EDX+ESP+14](3) ;Get the char of name (sign-extended) into EAX
015F:004015C3 8D7C2414 LEA EDI,[ESP+14] ;EDI = Pointer to the name
015F:004015C7 8D48FC LEA ECX,[EAX-04] ;ECX = Char of name(EAX) -04
015F:004015CA 8D6C453A LEA EBP,[EAX*2+EBP+3A] ;EBP = Char of name(EAX) * 2+ EBP+ 3A
015F:004015CE 8BF1 MOV ESI,ECX ;ESI = ECX;Char of name(EAX) -04
015F:004015D0 33C0 XOR EAX,EAX ;EAX = 0
015F:004015D2 03F3 ADD ESI,EBX ;ESI = ESI + EBX
015F:004015D4 42 INC EDX ;EDX = EDX + 1;EDX = Counter
015F:004015D5 8D1C4E LEA EBX,[ECX*2+ESI] ;EBX = ECX *2 +ESI;ECX=Char of name(EAX) -04
015F:004015D8 83C9FF OR ECX,-01 ;ECX = FFFFFFFF
015F:004015DB F2AE REPNZ SCASB ;Get the length of the name
015F:004015DD F7D1 NOT ECX ;ECX = Length of name +1
015F:004015DF 49 DEC ECX ;ECX = Length of name
015F:004015E0 3BD1 CMP EDX,ECX ;Compare length of name and counter
015F:004015E2 72DA JB 004015BE ;If counter is less than length, loop this(3)
015F:004015E4 8B742410 MOV ESI,[ESP+10](1) ;Here's the end of calculation
015F:004015E8 8D8C1D3C7D0000 LEA ECX,[EBX+EBP+00007D3C] ;ECX = EBX+EBP+7D3C
015F:004015EF 6AFF PUSH FF
015F:004015F1 394E64 CMP [ESI+64],ECX ;Compare ECX with some number stored in memory
015F:004015F4 7521 JNZ 00401617 ;If they aren't same then goto bad code(4)
015F:004015F6 FF1530444000 CALL [USER32!MessageBeep] ;Here is 'good guy' code!
015F:004015FC 6A00 PUSH 00
015F:004015FE 68A4304000 PUSH 004030A4
015F:00401603 6868304000 PUSH 00403068
015F:00401608 8BCE MOV ECX,ESI
015F:0040160A E855020000 CALL 00401864 ;Display 'good' message!
015F:0040160F 5F POP EDI
015F:00401610 5E POP ESI
015F:00401611 5D POP EBP
015F:00401612 5B POP EBX
015F:00401613 83C468 ADD ESP,68
015F:00401616 C3 RET
015F:00401617 FF1530444000 CALL [USER32!MessageBeep](3) ;Here is 'bad guy' code!
015F:0040161D 6A00 PUSH 00
015F:0040161F 6860304000 PUSH 00403060
015F:00401624 6820304000 PUSH 00403020
015F:00401629 8BCE MOV ECX,ESI
015F:0040162B E834020000 CALL 00401864 ;Display 'bad' message!
015F:00401630 5F POP EDI
015F:00401631 5E POP ESI
015F:00401632 5D POP EBP
015F:00401633 5B POP EBX
015F:00401634 83C468 ADD ESP,68
015F:00401637 C3 RET
So this was the calculation routine. Hope you understand it :)
Ok, ok...I'll explain it...
You can see the comparison at address 4015F1! Here the program
compares the result of the calculation with some number stored in
memory. And just when I saw this number my brain cells started
to work, without trying to find where this number comes from!
In my case that number was "...F3 3D 0F...". You must note
that all numbers stored in memory are in reversed (little-endian) byte order.
So this number is actually "0F3DF3". There are many proggies
that do the same as this one: they compare the hex value of
the serial number. I used "998899" as serial and its hex
value is "F3DF3". You just saw this number in memory!
So the correct code is that other number (ECX) converted into
decimal! To convert it just type "? number_in_ECX" into Sice!
In my case (for handle "Bjanes") it was "89EF", which converted
to decimal gives "35311", so that's my correct serial!
Here is also the calculation in short, so you can easily make your
KeyGenerator (Result2 and Result4 start at 0, like EBP and EBX after the XORs above)...
1. Do
2. Take a char from the name
3. Result1 = Char of name - 04
4. Result2 = Char of name * 2 + Result2 + 3A
5. Result3 = Result1 + Result4
6. Result4 = Result1 * 2 + Result3
7. Loop this 'length of name' times
8. Result5 = Result4 + Result2 + 7D3C
Your keygen can be something like this. Result5 is the end
result and it's the hex value of the correct serial. You only have to
convert it to decimal. So we can add one more step...
9. Correct_Serial = Decimal(Result5)
And, that's all!...hope you learned something from this essay!
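The loop at 4015BE-4015E2 and the little-endian reading of "F3 3D 0F", re-implemented here as an added example (not code from the original essay). The variable names follow the registers in the listing; `closed_form` is my own simplification of the loop, not something the crackme itself computes.

```python
"""Added example: re-implement the crackme's serial routine in Python and
check the reading of the disassembly against the values the essay reports
(name "Bjanes" -> 89EF hex -> 35311 decimal)."""
import struct


def movsx_byte(b: int) -> int:
    """Mimic MOVSX EAX,BYTE PTR [...]: sign-extend a byte to a signed int."""
    return b - 0x100 if b >= 0x80 else b


def serial_for(name: str) -> int:
    """Emulate 0040158C..004015E8: return the value the CMP at 004015F1 expects."""
    ebx = 0  # XOR EBX,EBX at 0040158C
    ebp = 0  # XOR EBP,EBP at 0040158E
    for byte in name.encode("latin-1"):   # one iteration per char of the name
        eax = movsx_byte(byte)            # MOVSX EAX,BYTE PTR [EDX+ESP+14]
        ecx = eax - 0x04                  # LEA ECX,[EAX-04]
        ebp = eax * 2 + ebp + 0x3A        # LEA EBP,[EAX*2+EBP+3A]
        esi = ecx + ebx                   # MOV ESI,ECX ; ADD ESI,EBX
        ebx = ecx * 2 + esi               # LEA EBX,[ECX*2+ESI]
    # An empty name skips the loop (JZ 004015E4) and still reaches this LEA.
    return (ebx + ebp + 0x7D3C) & 0xFFFFFFFF  # LEA ECX,[EBX+EBP+00007D3C]


def closed_form(name: str) -> int:
    """Per char EBX grows by 3*(c-4) and EBP by 2*c+0x3A, so the whole loop
    collapses to 5*sum(chars) + 46*len + 0x7D3C (my simplification)."""
    chars = [movsx_byte(b) for b in name.encode("latin-1")]
    return (5 * sum(chars) + 46 * len(chars) + 0x7D3C) & 0xFFFFFFFF


def memory_bytes(value: int) -> str:
    """Show a 32-bit value the way Sice's data window shows it (little-endian)."""
    return " ".join(f"{b:02X}" for b in struct.pack("<I", value))


if __name__ == "__main__":
    serial = serial_for("Bjanes")
    print(f"serial for Bjanes: {serial:X} hex = {serial} decimal")  # 89EF / 35311
    print("998899 in memory:", memory_bytes(998899))                 # F3 3D 0F 00
```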
Cya!