Text File  |  1999-05-30  |  6.7 KB  |  152 lines

  1. CrackMe #2 By Adrénalin
  2. -----------------------
  3. Tools Used:
  4. SoftIce
  5.  
  6. ---
  7. Protection:
  8. Name/Serial
  9.  
  10. ---
  11. First, you need to have MSVBVM50.DLL loaded in your S-ICE exports.
  12. Start the crackme, enter a name and serial, set a breakpoint on rtcAnsiValueBstr
  13. and press the OK button. When S-ICE breaks you will land here:
  14.  
  15. :00402170  FF150C414000        CALL    [MSVBVM50!rtcAnsiValueBstr]  ; the export the breakpoint was set on
  16. :00402176  6689854CFFFFFF      MOV     [EBP-00B4],AX               ; 16-bit value in AX is stored to [EBP-00B4]
  17. :0040217D  8D55CC              LEA     EDX,[EBP-34]
  18. :00402180  8D8544FFFFFF        LEA     EAX,[EBP-00BC]
  19.  
  20. there we are, in the middle of the routine.. the whole routine is:
  21.  
  22. :00402132  85C0                TEST    EAX,EAX                     ; EAX = counter (on repeat passes: the value returned by __vbaVarForNext below)
  23. :00402134  0F849C000000        JZ      004021D6                    ; zero: all chars are processed, leave the loop
  24. :0040213A  8D5594              LEA     EDX,[EBP-6C]
  25. :0040213D  8D45DC              LEA     EAX,[EBP-24]
  26. :00402140  52                  PUSH    EDX
  27. :00402141  50                  PUSH    EAX
  28. :00402142  C7459C01000000      MOV     DWORD PTR [EBP-64],00000001 ; value 1, stored 8 bytes into the block at [EBP-6C] - presumably the Mid length; confirm
  29. :00402149  895D94              MOV     [EBP-6C],EBX                ; EBX is set outside this listing
  30. :0040214C  FF1590414000        CALL    [MSVBVM50!__vbaI4Var]       ; [EBP-24] (the variable later handed to __vbaVarForNext) -> integer in EAX
  31. :00402152  8D4DBC              LEA     ECX,[EBP-44]
  32. :00402155  50                  PUSH    EAX
  33. :00402156  8D5584              LEA     EDX,[EBP-7C]
  34. :00402159  51                  PUSH    ECX
  35. :0040215A  52                  PUSH    EDX
  36. :0040215B  FF1538414000        CALL    [MSVBVM50!rtcMidCharVar]    ; character at that index of [EBP-44] (presumably the name) -> [EBP-7C]; confirm
  37. :00402161  8D4584              LEA     EAX,[EBP-7C]
  38. :00402164  8D4DA8              LEA     ECX,[EBP-58]
  39. :00402167  50                  PUSH    EAX
  40. :00402168  51                  PUSH    ECX
  41. :00402169  FF1570414000        CALL    [MSVBVM50!__vbaStrVarVal]   ; [EBP-7C] -> string, using [EBP-58] as the temporary
  42. :0040216F  50                  PUSH    EAX
  43. :00402170  FF150C414000        CALL    [MSVBVM50!rtcAnsiValueBstr]; gets the Asc value of the current char and returns it in EAX
  44. :00402176  6689854CFFFFFF      MOV     [EBP-00B4],AX               ; low 16 bits (AX) saved 8 bytes into the block at [EBP-00BC]
  45. :0040217D  8D55CC              LEA     EDX,[EBP-34]
  46. :00402180  8D8544FFFFFF        LEA     EAX,[EBP-00BC]
  47. :00402186  52                  PUSH    EDX
  48. :00402187  8D8D74FFFFFF        LEA     ECX,[EBP-008C]
  49. :0040218D  50                  PUSH    EAX
  50. :0040218E  51                  PUSH    ECX
  51. :0040218F  899D44FFFFFF        MOV     [EBP-00BC],EBX
  52. :00402195  FF1594414000        CALL    [MSVBVM50!__vbaVarAdd]     ; adds this char's value ([EBP-00BC]) to the running total ([EBP-34])
  53. :0040219B  8BD0                MOV     EDX,EAX
  54. :0040219D  8D4DCC              LEA     ECX,[EBP-34]
  55. :004021A0  FFD6                CALL    ESI                         ; ESI is loaded outside this listing; presumably stores the result back into [EBP-34] - confirm
  56. :004021A2  8D4DA8              LEA     ECX,[EBP-58]
  57. :004021A5  FF15B8414000        CALL    [MSVBVM50!__vbaFreeStr]     ; releases the temporary string at [EBP-58]
  58. :004021AB  8D5584              LEA     EDX,[EBP-7C]
  59. :004021AE  8D4594              LEA     EAX,[EBP-6C]
  60. :004021B1  52                  PUSH    EDX
  61. :004021B2  50                  PUSH    EAX
  62. :004021B3  53                  PUSH    EBX
  63. :004021B4  FFD7                CALL    EDI                         ; EDI is loaded outside this listing; target not shown
  64. :004021B6  83C40C              ADD     ESP,0C                      ; caller removes the three pushed arguments
  65. :004021B9  8D8DE8FEFFFF        LEA     ECX,[EBP-0118]
  66. :004021BF  8D95F8FEFFFF        LEA     EDX,[EBP-0108]
  67. :004021C5  8D45DC              LEA     EAX,[EBP-24]
  68. :004021C8  51                  PUSH    ECX
  69. :004021C9  52                  PUSH    EDX
  70. :004021CA  50                  PUSH    EAX
  71. :004021CB  FF15AC414000        CALL    [MSVBVM50!__vbaVarForNext]; next char (steps the loop variable at [EBP-24])
  72. :004021D1  E95CFFFFFF          JMP     00402132                  ; loop: back to the TEST at the top
  73. :004021D6  8D4DCC              LEA     ECX,[EBP-34]                ; loop exit target: [EBP-34] holds the summed char values
  74. :004021D9  8D9554FFFFFF        LEA     EDX,[EBP-00AC]
  75. :004021DF  51                  PUSH    ECX
  76. :004021E0  8D4594              LEA     EAX,[EBP-6C]
  77. :004021E3  52                  PUSH    EDX
  78. :004021E4  50                  PUSH    EAX
  79. :004021E5  C7855CFFFFFFD2029649MOV     DWORD PTR [EBP-00A4],499602D2;499602D2h=1234567890
  80. :004021EF  C78554FFFFFF03000000MOV     DWORD PTR [EBP-00AC],00000003 ; presumably the type tag for the constant stored 8 bytes above it - confirm
  81. :004021F9  FF155C414000        CALL    [MSVBVM50!__vbaVarMul]       ;multiply the sum of our name by 1234567890
  82. :004021FF  8BD0                MOV     EDX,EAX
  83. :00402201  8D4DCC              LEA     ECX,[EBP-34]
  84. :00402204  FFD6                CALL    ESI                          ; ESI is loaded outside this listing; presumably stores the product back into [EBP-34] - confirm
  85. :00402206  8B1DA0414000        MOV     EBX,[MSVBVM50!__vbaMidStmtVar] ; EBX = address used by the two CALL EBX below
  86. :0040220C  8D4DCC              LEA     ECX,[EBP-34]
  87. :0040220F  51                  PUSH    ECX
  88. :00402210  6A04                PUSH    04                           ;pos 4
  89. :00402212  8D9554FFFFFF        LEA     EDX,[EBP-00AC]
  90. :00402218  6A01                PUSH    01                           ; presumably a length of 1 - confirm
  91. :0040221A  52                  PUSH    EDX
  92. :0040221B  C7855CFFFFFF341C4000MOV     DWORD PTR [EBP-00A4],00401C34;do a d 401c34 and you'll see a -
  93. :00402225  C78554FFFFFF08000000MOV     DWORD PTR [EBP-00AC],00000008 ; presumably the type tag for the "-" string at 00401C34 - confirm
  94. :0040222F  FFD3                CALL    EBX                          ;author: check if there is a - at pos 4. NOTE(review): EBX is __vbaMidStmtVar, whose name suggests a Mid statement (a write into [EBP-34]) rather than a compare - confirm
  95. :00402231  8D45CC              LEA     EAX,[EBP-34]
  96. :00402234  8D8D54FFFFFF        LEA     ECX,[EBP-00AC]
  97. :0040223A  50                  PUSH    EAX
  98. :0040223B  6A09                PUSH    09                           ;pos 9
  99. :0040223D  6A01                PUSH    01
  100. :0040223F  51                  PUSH    ECX
  101. :00402240  C7855CFFFFFF341C4000MOV     DWORD PTR [EBP-00A4],00401C34;do a d 401c34 and you'll see a -
  102. :0040224A  C78554FFFFFF08000000MOV     DWORD PTR [EBP-00AC],00000008
  103. :00402254  FFD3                CALL    EBX                          ;author: check if there is a - at pos 9 (same call as at 0040222F, same caveat)
  104. :00402256  8B4508              MOV     EAX,[EBP+08]
  105. :00402259  50                  PUSH    EAX
  106. :0040225A  8B10                MOV     EDX,[EAX]
  107. :0040225C  FF9204030000        CALL    [EDX+00000304]               ; indirect call through the table at [EAX] of the object at [EBP+08]; target not shown
  108. :00402262  50                  PUSH    EAX
  109. :00402263  8D45A4              LEA     EAX,[EBP-5C]                 ; the listing stops here; no comparison with the entered serial is shown
  110.  
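  111. So the routine works like this: it takes each char from our name and adds the Asc value of each
  112. into a var, then multiplies the sum by 1234567890, and checks if there is a - at the 4th and 9th
  113. char of the entered serial. The listing ends at 00402263, before the comparison with the entered serial; the keygen below assumes the expected serial is that product in decimal with a - over its 4th and 9th characters. So now let's code a keygen.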
  114. ---ADR2.C------BOF---
  115.  
  116. //Keygen by Klefz
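  /*
   * Keygen for the name/serial scheme described above: sum the byte values of
   * the entered name, multiply the sum by 1234567890, format the product as a
   * decimal string and overwrite its 4th and 9th characters with '-'.
   *
   * Input and output are bounded: the name is read with fgets() and the
   * product is formatted with snprintf(), so neither buffer can be overrun.
   * A name longer than 49 bytes is truncated, and the code printed is then
   * the one for the truncated name.
   *
   * clrscr() and getch() are the console helpers the original already calls;
   * they are not standard C (presumably from conio.h, declared outside this
   * listing).
   *
   * Returns 0 after printing a code, 1 if no name could be read or the code
   * could not be formatted.
   */
  int main(){
      unsigned char name[50]={0},temp[100]={0};
      int i,length=0;
      int written;
      long double sum=0;

      clrscr();
      for(;;){
          printf("Adrénalin's Crackme2 Keygen by Klefz\n");
          printf("Enter your name: ");

          /* gets() has no length limit at all; fgets() stops at sizeof name. */
          if(fgets((char *)name,(int)sizeof name,stdin)==NULL){
              return 1; /* EOF or read error: stop instead of prompting forever */
          }

          /* work out length, stopping at the line ending that fgets() keeps */
          length=0;
          while(name[length]!='\0' && name[length]!='\n' && name[length]!='\r'){
              length++;
          }
          name[length]='\0';

          if(length!=0){
              break;
          }
          printf("\nYou must enter a name!");
          getch();
      }

      /* unsigned char keeps every byte in 0..255, so high characters add up
         as positive values */
      for(i=0;i<length;i++){
          sum+=name[i]; /* takes each char and adds the asc value to sum */
      }

      sum*=1234567890; /* multiply the sum with 1234567890 */

      /* convert sum to a string, so we can add the -'s; snprintf never writes
         past sizeof temp and reports how long the text is */
      written=snprintf((char *)temp,sizeof temp,"%.Lf",sum);
      if(written<9 || written>=(int)sizeof temp){
          /* fewer than 9 characters would put a '-' at or past the
             terminator; a longer result would have been truncated */
          printf("\nCould not format the registration code");
          getch();
          return 1;
      }

      temp[3]=0x2D; /* writes a - on pos 4 */
      temp[8]=0x2D; /* writes a - on pos 9 */

      printf("\nThe registration code is: %s",(char *)temp); /* print out the result */
      getch();
      return 0;
  }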
  148.  
  149. ---ADR2.C------EOF---
  150.  
  151. ---
  152. /Klefz - http://klefz.cjb.net