Tutorial: Crackme 1a (nOp3x)
By: Sanhedrin
Tools: W32DASM, SoftICE

This was a fun crackme to do because it forces the cracker to use a little brain power to get the correct code. So, let's begin.

Start up SoftICE, enter the serial 12344321 and set a breakpoint:

bpx getdlgitemtexta

Press OK and, once you have broken into SoftICE, disable the breakpoint.

* Reference To: USER32.GetDlgItemTextA, Ord:0000h
|
:0040115D E8E4030000   Call 00401546
:00401162 8D4DF4       lea ecx, dword ptr [ebp-0C]   <--- you will land here
:00401165 51           push ecx
:00401166 E811FFFFFF   call 0040107C                 <--- call to the serial calculation
:0040116B 59           pop ecx

* Possible Reference to Dialog: DialogID_0001

At 00401166 press F8 to trace into the call. This will get you to 0040107C.

This crackme takes our serial number and, after a few calculations, compares it with the actual number. A curve is thrown at us, however: our entered number is compared to a hardcoded number, and the two are run through different calculations. The end results must be equal for the program to be cracked. Thus, the following code:

* Referenced by a CALL at Address:
|:00401166
|
:0040107C 55           push ebp   <--- you will land here
:0040107D 8BEC         mov ebp, esp
:0040107F 53           push ebx
:00401080 57           push edi
:00401081 8B5D08       mov ebx, dword ptr [ebp+08]
:00401084 53           push ebx

* Reference To: cw3220._atol, Ord:0000h
|
:00401085 E880040000   Call 0040150A
:0040108A 59           pop ecx
:0040108B 8BD0         mov edx, eax
:0040108D B9E7030000   mov ecx, 000003E7
:00401092 81C2495F0E00 add edx, 000E5F49   <--- add 000E5F49 to our number (12344321)
:00401098 81C1A93E0F00 add ecx, 000F3EA9   <--- add 000F3EA9 to the hardcoded number (999)
:0040109E 90           nop
:0040109F 90           nop
:004010A0 40           inc eax
:004010A1 47           inc edi
:004010A2 43           inc ebx
:004010A3 48           dec eax
:004010A4 4F           dec edi
:004010A5 4B           dec ebx
:004010A6 90           nop
:004010A7 90           nop
:004010A8 83C258       add edx, 00000058   <--- add 58 to our new number
:004010AB 83C1A9       add ecx, FFFFFFA9   <--- subtract 57 from the new hardcoded number
:004010AE 3BD1         cmp edx, ecx        <--- compare the two numbers
:004010B0 7518         jne 004010CA        <--- jump to "Bad luck" if not correct
:004010B2 6800100000   push 00001000

* Possible StringData Ref from Data Obj ->"Well Done"
|
:004010B7 68AB204000   push 004020AB

* Possible StringData Ref from Data Obj ->"Congratulations. You successfully "
                                        ->"cracked this program"
|
:004010BC 6874204000   push 00402074
:004010C1 6A00         push 00000000

* Reference To: USER32.MessageBoxA, Ord:0000h
|
:004010C3 E872040000   Call 0040153A
:004010C8 EB16         jmp 004010E0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004010B0(C)
|
:004010CA 6800100000   push 00001000

* Possible StringData Ref from Data Obj ->"Bad luck"
|
:004010CF 68E5204000   push 004020E5

* Possible StringData Ref from Data Obj ->"Bad luck. You have failed to crack "
                                        ->"this program"
|
:004010D4 68B5204000   push 004020B5
:004010D9 6A00         push 00000000

* Reference To: USER32.MessageBoxA, Ord:0000h
|
:004010DB E85A040000   Call 0040153A

--Solution--

First, at 004010AE (cmp EDX, ECX), type:

? EDX   <---- 13286306 (our number)
? ECX   <---- 999993 (the number we want it to be)

Knowing the calculation above, we know that:

starting ECX (999) + 999051 - 57 = 999993
starting EDX (12344321) + 941927 + 58 = 13286306

Therefore, to get the real number we use 999993 - 58 - 941927 = 58008.

Thanks to all of those coders that make these crackmes, and of course to Eternal Bliss.

Sanhedrin
stachi@geocities.com
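To confirm the hand trace, here is the check routine at 0040107C re-expressed in C (added for this tutorial, not code from the crackme or its author), with the immediates taken from the listing exactly as W32DASM prints them, in hex; `trace_edx`, `trace_ecx`, `check_serial` and `derive_serial` are names chosen here. Inverting the routine reproduces the 58008 found above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Immediates copied from the listing; W32DASM shows them in hex. */
#define HARDCODED  0x3E7u       /* mov ecx, 000003E7  (999 decimal) */
#define USER_ADD1  0xE5F49u     /* add edx, 000E5F49 */
#define HARD_ADD1  0xF3EA9u     /* add ecx, 000F3EA9 */
#define USER_ADD2  0x58u        /* add edx, 00000058 */
#define HARD_ADD2  0xFFFFFFA9u  /* add ecx, FFFFFFA9 (two's complement -57h) */

/* EDX as it stands at 004010AE for the string the user typed. */
uint32_t trace_edx(const char *serial)
{
    uint32_t edx = (uint32_t)strtol(serial, NULL, 10); /* cw3220._atol */
    edx += USER_ADD1;   /* 00401092 */
    /* 0040109E..004010A7: nops and matched inc/dec pairs, no net effect */
    edx += USER_ADD2;   /* 004010A8 */
    return edx;
}

/* ECX at 004010AE; it never depends on the input. */
uint32_t trace_ecx(void)
{
    uint32_t ecx = HARDCODED;   /* 0040108D */
    ecx += HARD_ADD1;           /* 00401098 */
    ecx += HARD_ADD2;           /* 004010AB: unsigned wrap == subtract 57h */
    return ecx;
}

/* The jne at 004010B0: 1 means "Well Done", 0 means "Bad luck". */
int check_serial(const char *serial)
{
    return trace_edx(serial) == trace_ecx();
}

/* Run the routine backwards: the one input that makes EDX equal ECX. */
uint32_t derive_serial(void)
{
    return trace_ecx() - USER_ADD1 - USER_ADD2;
}

int main(void)
{
    printf("EDX=%u ECX=%u for 12344321 -> %s\n",
           (unsigned)trace_edx("12344321"), (unsigned)trace_ecx(),
           check_serial("12344321") ? "Well Done" : "Bad luck");
    printf("derived serial: %u\n", (unsigned)derive_serial());
    return 0;
}
```

Because `add edx, 58` and `add ecx, FFFFFFA9` are hex immediates (88 and -87 decimal), the constants here differ from the decimal figures in the solution text, but the registers at the cmp and the derived serial come out the same.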