Win Code Reversing: "Simple protection based on serial number"

Program Name: mexcrk1..zip
Program Type: Crackme program
Program Size: 123 K

Tools Used:
Softice 3.2 - Debugger
W32Dasm V8.9 - Disassembler

There is a crack, a crack in everything. That's how the light gets in.
MexElite's Crackme V1.0
("Simple protection based on serial number")
Written by Borna Janes
When you press the "CHECK IT" button, a GOOD or BAD serial message appears in the second text box.
GOOD MESSAGE = "Thanks you made it"
BAD MESSAGE = "Wrong Code DUDE"
Of course you have already located the "Thanks you made it!" message... if not, locate it now!
Now make a dead listing of the crack1.exe file, and open the file crack1.alf with WordPad (or another editor).
Select Edit...Find... and search for "Thanks you made it"!
Here is the code that you'll see:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D541(C)
|
* Possible StringData Ref from Code Obj ->"Thanks you made it"
|
:0042D555 BABCD54200 mov edx, 0042D5BC
:0042D55A 8B83E8010000 mov eax, dword ptr [ebx+000001E8]
:0042D560 E853CCFEFF call 0041A1B8
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D553(U)
|
:0042D565 33C0 xor eax, eax
:0042D567 5A pop edx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D4F9(C)
|
:0042D568 59 pop ecx
:0042D569 59 pop ecx
:0042D56A 648910 mov dword ptr fs:[eax], edx
We can see that the code which pops up the "Thanks you made it" text is reached
by a (C)onditional jump at 42D541!
Of course, you are thinking the same as I am! :)
Somewhere at 42D541 there is a comparison routine, and right after it a jump to
"Thanks, you made it" if the serial is correct!
Ok, let's now backtrace the code (all in WordPad).
Go back up the listing until you get somewhere around 42D541.
You'll see this part of the code:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D4A2(C)
|
:0042D518 33C0 xor eax, eax
:0042D51A 55 push ebp
:0042D51B 687BD54200 push 0042D57B
:0042D520 64FF30 push dword ptr fs:[eax]
:0042D523 648920 mov dword ptr fs:[eax], esp
:0042D526 8D55FC lea edx, dword ptr [ebp-04]
:0042D529 8B83DC010000 mov eax, dword ptr [ebx+000001DC]
:0042D52F E854CCFEFF call 0041A188
:0042D534 8B45FC mov eax, dword ptr [ebp-04]
* Possible StringData Ref from Code Obj ->"Benadryl" ;...mmmm something STRANGE!?!? :)
|
:0042D537 BA90D54200 mov edx, 0042D590
:0042D53C E88F63FDFF call 004038D0
:0042D541 7412 je 0042D555
* Possible StringData Ref from Code Obj ->"Wrong Code DUDE"
|
:0042D543 BAA4D54200 mov edx, 0042D5A4
:0042D548 8B83E8010000 mov eax, dword ptr [ebx+000001E8]
:0042D54E E865CCFEFF call 0041A1B8
:0042D553 EB10 jmp 0042D565
Hmmm, what can this "Benadryl" string be???
Let's guess! Maybe Clinton's lover?..No!...Maybe some actress??
..No!...Maybe M$oft's new name??..Maybe!...Maybe the correct serial??...YES!!!
Ok, maybe this is our correct serial.
Load the program, type "Benadryl" and press the "CHECK IT" button.
Well done!..you found the correct serial. It was hard, wasn't it??
This program really has a very simple protection, based on a serial number!
We can find the correct serial without the help of Softice, but if you haven't got W32Dasm :-) here is
how we can find the correct serial with Softice:
Load the program,
enter any random serial,
pop up Softice ("CTRL-D"), set a breakpoint on the hmemcpy function ("BPX HMEMCPY"),
leave Softice ("CTRL-D"), and press the "CHECK IT" button.
Softice will break at the beginning of the hmemcpy function!
First disable the breakpoint on hmemcpy with "BD *".
Now press "F11" once, "F12" six times, and type "BPX 42D534".
Press "CTRL-D" again.
You'll see this part of the code:
:0042D529 8B83DC010000 mov eax, dword ptr [ebx+000001DC]
:0042D52F E854CCFEFF call 0041A188
:0042D534 8B45FC mov eax, dword ptr [ebp-04] ;EAX = your "fake" serial
:0042D537 BA90D54200 mov edx, 0042D590 ;EDX = correct serial
:0042D53C E88F63FDFF call 004038D0 ;Compare them
:0042D541 7412 je 0042D555 ;If our serial is correct then jump
:0042D543 BAA4D54200 mov edx, 0042D5A4
:0042D548 8B83E8010000 mov eax, dword ptr [ebx+000001E8]
:0042D54E E865CCFEFF call 0041A1B8
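The two listings above make one defensive point: the check at 42D53C compares the typed serial against a literal that ships inside the binary, so a plain string search (W32Dasm's string-data references, or the "strings" tool) hands the serial over next to the result messages. The following is an added example, not code from the crackme or from this tutorial's author. It runs a minimal string scanner over a constructed byte image laid out like the crackme's data (the bytes are made up, not taken from mexcrk1.zip), reproduces the crackme's direct compare, and then shows an assumed hardened design that stores only a salt and a SHA-256 digest of the serial, so the same scan no longer yields it. The names PLAINTEXT_IMAGE, SALT and SERIAL_DIGEST are assumptions of this example.

```python
import hashlib
import hmac
import re

GOOD = "Thanks you made it"
BAD = "Wrong Code DUDE"

# Constructed sample of a data section laid out like the crackme's: the two
# result messages and the serial are plain, length-prefixed, NUL-terminated
# strings sitting next to each other.  These bytes are made up for the example,
# not copied from mexcrk1.zip.
PLAINTEXT_IMAGE = (
    b"\x00\x00\x00\x08Benadryl\x00"
    b"\x00\x00\x00\x12Thanks you made it\x00"
    b"\x00\x00\x00\x0fWrong Code DUDE\x00"
    b"\x8b\x45\xfc\xba\x90\xd5\x42\x00"   # a few code bytes for realism
)


def extract_strings(image: bytes, min_len: int = 4) -> list:
    """Return every run of printable ASCII of at least min_len bytes: the same
    thing W32Dasm's string-data references or the 'strings' tool show."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, image)
    return [r.decode("ascii") for r in runs]


def check_plaintext(entered: str) -> str:
    """The crackme's check as the listing describes it: a direct compare of
    the typed serial against the embedded literal, so the literal ships."""
    return GOOD if entered == "Benadryl" else BAD


# Hardened variant (an assumed design, not the crackme's): ship only a salt
# and a SHA-256 digest of salt+serial.  In a real build the digest is computed
# once, offline, and only the hex constant is compiled in; it is computed here
# so the example runs stand-alone.
SALT = b"constructed-salt-7f3a"
SERIAL_DIGEST = hashlib.sha256(SALT + b"Benadryl").hexdigest()


def hardened_image() -> bytes:
    """Constructed data section of the hardened build: salt, digest, messages."""
    return (
        b"\x00" + SALT + b"\x00"
        + b"\x00" + SERIAL_DIGEST.encode("ascii") + b"\x00"
        + b"\x00" + GOOD.encode("ascii") + b"\x00"
        + b"\x00" + BAD.encode("ascii") + b"\x00"
    )


def check_hardened(entered: str) -> str:
    """Hash the typed serial with the shipped salt and compare digests in
    constant time.  The decision still ends in one conditional branch, but
    there is no plaintext serial in the image to read off."""
    digest = hashlib.sha256(SALT + entered.encode("utf-8")).hexdigest()
    return GOOD if hmac.compare_digest(digest, SERIAL_DIGEST) else BAD


if __name__ == "__main__":
    print("plaintext build strings :", extract_strings(PLAINTEXT_IMAGE))
    print("hardened build strings  :", extract_strings(hardened_image()))
    for s in ("Benadryl", "benadryl"):
        print(s, "->", check_plaintext(s), "/", check_hardened(s))
```

Two caveats the scan does not show: a digest only raises the cost of recovering a fixed serial, and an eight-letter dictionary word like this one is trivially brute-forced offline once the salt and digest are read from the binary; and the `je` that follows the compare can still be patched, exactly as the tutorial's own annotation of 42D541 implies. A check whose outcome matters has to be made somewhere the user cannot read or patch, not in the client.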
That was the second way to get the correct serial number!
My thanks and gratitude go to:
The Sandman for his great site (the best site for newbies), full of knowledge, and for
his cracking forum (also the best on the net)!
Eternal Bliss, my best 'virtual' friend, for all he has done for me!

Do I really have to remind you all that buying, and NOT stealing, the software you use will encourage these software houses to produce even *better* software for us to use and enjoy.