(This essay is still under construction, see notes, 10-02-99)
Open the program, you'll see a name, group and serialfield.
Disassemble the program in W32Dasm, take a look at the string data reference, click on "Register"
Scroll up in the sourcecode follow back the calls and write down all the conditional jumps and other important stuff.
Now open SoftICE set a breakpoint at dlgitemtexta enter some info in the fields and press the check button.
Press F11 to step out of the call, you're name has been read from the field and put into memory, what I did is printing out the whole piece of code and started studying it which took me over 8 hours in total (It was fun though :oP)
The key to succesfully reversing this crackme is noticing that there are two predefined arrays. One at 407057 and one at 40701F.
For every character of your name the code walks through a loop, getting one value from the one array, getting another from the other array and taking the n'd character of your name.
These value's are being multiplied or/added (Read the source for a complete review of this).
The result is saved in the ebx register. So ebx contains our encrypted serial.
So far the encryption of the name. Start all over. Set the same breakpoint. Press F5 two times. And F11 to get out of the function. You'll notice the same encryptionroutine here as before. The result is stored in edi.
Now comes the fun part (and the most confusing and time-taking part)
Go to the third dlgitemtexta. Step out of the call once again. Enter the first call (call 402970)
I hope you're all willing to try this one out yourself, I'll only name some important things (The Source contains the whole rule).
There's a lot of bogus code in here like this:
Xor edx,edx
Mov ecx, dword ptr [4086F8]
Mov dl, byte ptr [esi]
Xor eax, eax
Mov ax, word ptr [ecx * edx]
And eax, 8
Test eax, eax
Je
Why is this bogus, because it's always equal (try it out yourself)
The most important part of this call is the loop located at 4029C8. This mess around with your serial.
There's also some manipulation with the first char (is it a "-", "+" or another character)
The most original thing of this whole crackme is located here too.
It's this three lines that kept me busy for quite a while:
Mov ax, word ptr [ecx + 2 * ebx]
And eax, 4
Test eax, eax
Ecx contains the value/pointer 408702
Take a good look at this address and the following locations.
You'll notice a lot of values thereà What are they ??? What do they mean ???
After a while I discovered that only the "84" could be anded with 4 not having a 0 as solution, then I noticed that there where 10 "84"s
And that they represented the places where one would land entering the value 0à9
So this is just a check to:
1. See if the value entered is a valid integer
2. See if your whole serial has been looped yet (The value at the address behind your serial is 00 and 00 while get you to the pointer 408702 which contains the value 20, and guess 20 anded with 4 is 0. This means that the looping has ended.
So this whole huge call is just a validation routine for your serial !!!!
We're almost there. The values of the encrypted name and serial are added. With another secret number..
This was where I went wrong :((
Take a look at the import function table notice the getlocaltime. Set a breakpoint on it before starting the program, start the program, press F11, Take a good look at the code, here are two other predefined arrays, take the month, and get the value from the array, take the day and get value from that place, multiply this two values and there's the secret number !! :)))))))))))))))))))
And there's your magic serial (You have to convert it to a decimal value of course) !!!
I hope you all try this crackme out yourself !! It's really worth it !!
Looking at the other crackme's on this cool site I think the difficulty of 1 is somewhat low for this crackme (Things like the pointer-enlarging, the predefined arrays, the routine used to validate your serial etc. make this crackme quite challenging)
