"Duelist'sCrackme2"



 
 
 
 

Thistutorial is coming from...

 
 

##########                    #######  ####               ####   #####    ########## 
  ###   ###                      ###     #   ###                   ###   #         #         ### 
  ###   ###        ###        ###  #      ###     ###         ###  #          #        ### 
  ###   ###      ## ##       ###  #      ###    ## ##        ####                    ### 
  ###  ###      ### ###     ######   ###   ### ###        ###                  ### 
  #######      #######    ###  #      ###  #######        ###                 ### 
  ### ###       ###           ### #      ###   ###              ####               ### 
  ### ###       ###          ###          ###  ###            #  ###              ###      # 
  ###  ###      ###          ###          ###  ###            #  ###             ###       # 
 ###   ###       ###  #     ###          ###   ###  #      #     ###           ###       ## 
####### ####  ####   #######    #####   ####  #####  ######    ########## 


 
ReFleXZ '99

Url: Http://ReFleXZ99.cjb.net
Email: ReFleXZ@fcmail.com

About the essay...
Written by Klefz

Date: 18th April 1999
Program name: Duelist's Crackme 2
Program type: Win32 CrackMe
Program location: Here
Program filename: due-cm2.zip
Program size: 12 Kb

Tools required:
Softice 3.2 - Debugger

Difficulty level:
Easy (   )  Medium ( X )  Hard (   )  Pro (   )

Introduction...
Duelist says:
------------ Duelist's Crackme #2 --------------

Hi there. This is my second crackme, and it will
be much harder than the first one, for newbies,
since this time i will add keyfiles to the mix,
and you'll need some knowledge of the ascii table
to solve it.

I would like to greet tC because i got the idea
for one protection inside this crackme while
cracking a crackme coded by him using Delphi.

Please send me your name/keyfile to my email at
"duelist@beer.com", first 2 people will get the
crackme's source...

------------ Duelist's Crackme #2 --------------

        [eof]


 
 
 
About the protection...

Type of protection:
Keyfile
A nice keyfile protection, one of the better ones I've seen since Cruehead's CrackMe 3.
The Essay...
1. Making a valid keyfile for your name

OK, it is a keyfile, so we have to set a breakpoint on CreateFileA.
Do that and run the crackme; the first break is from Explorer,
so press F5 to jump to the crackme's break, and you should land here:

:0040106E 6879204000        PUSH    00402079
:00401073 E80B020000        CALL    KERNEL32!CreateFileA
:00401078 83F8FF            CMP     EAX,-01
:0040107B 751D              JNZ     0040109A

Do a d 402079 and you'll see DUE-CM2.DAT, which is the name of our
keyfile. So disable the breakpoints, get back to Windows and create
the file, entering some junk in it.
Enable the breakpoints again, restart the crackme and trace on until
you come here:

:004010A8 50                PUSH    EAX
:004010A9 E82F020000        CALL    KERNEL32!ReadFile        ;tries to read the file
:004010AE 85C0              TEST    EAX,EAX
:004010B0 7502              JNZ     004010B4                 ;jump if it works
:004010B2 EB43              JMP     004010F7
:004010B4 33DB              XOR     EBX,EBX
:004010B6 33F6              XOR     ESI,ESI
:004010B8 833D7321400012    CMP     DWORD PTR [00402173],12  ;checks the length of the file
:004010BF 7C36              JL      004010F7                 ;it must be >12h
:004010C1 8A831A214000      MOV     AL,[EBX+0040211A]        ;process each char
:004010C7 3C00              CMP     AL,00                    ;if it's a 00h jump to the 1st check
:004010C9 7408              JZ      004010D3
:004010CB 3C01              CMP     AL,01                    ;if it's a 01h ESI+1
:004010CD 7501              JNZ     004010D0
:004010CF 46                INC     ESI
:004010D0 43                INC     EBX                      ;EBX+1 (char pos)
:004010D1 EBEE              JMP     004010C1                 ;loop
:004010D3 83FE02            CMP     ESI,02                   ;check if there have been at least two 01h's before the 00h
:004010D6 7C1F              JL      004010F7                 ;jump to bad cracker if lower
:004010D8 33F6              XOR     ESI,ESI                  ;ESI=0
:004010DA 33DB              XOR     EBX,EBX                  ;EBX=0
:004010DC 8A831A214000      MOV     AL,[EBX+0040211A]        ;AL=current char
:004010E2 3C00              CMP     AL,00                    ;if it's a 00h jump to 2nd check
:004010E4 7409              JZ      004010EF
:004010E6 3C01              CMP     AL,01                    ;if it's a 01h jump to 2nd check
:004010E8 7405              JZ      004010EF
:004010EA 03F0              ADD     ESI,EAX                  ;ESI+current char
:004010EC 43                INC     EBX                      ;EBX+1 (char pos)
:004010ED EBED              JMP     004010DC                 ;loop
:004010EF 81FED5010000      CMP     ESI,000001D5             ;check if the sum is 1D5h
:004010F5 741D              JZ      00401114                 ;if it is, jump, else show bad cracker box
:004010F7 6A00              PUSH    00
:004010F9 6801204000        PUSH    00402001
:004010FE 6886204000        PUSH    00402086
:00401103 6A00              PUSH    00
:00401105 E85D020000        CALL    USER32!MessageBoxA
:0040110A E8AA010000        CALL    KERNEL32!ExitProcess
:0040110F E9AE000000        JMP     004011C2
:00401114 33F6              XOR     ESI,ESI                  ;ESI=0
:00401116 43                INC     EBX                      ;EBX+1 (char pos)
:00401117 8A831A214000      MOV     AL,[EBX+0040211A]        ;AL=current char
:0040111D 3C00              CMP     AL,00                    ;if it's a 00h jump to beginning of 3rd check
:0040111F 7418              JZ      00401139
:00401121 3C01              CMP     AL,01                    ;if it's a 01h jump to beginning of 3rd check
:00401123 7414              JZ      00401139
:00401125 83FE0F            CMP     ESI,0F                   ;if 0Fh chars have been processed goto beginning of 3rd check
:00401128 730F              JAE     00401139
:0040112A 32861A214000      XOR     AL,[ESI+0040211A]        ;XOR current char with the chars from check 2
:00401130 898660214000      MOV     [ESI+00402160],EAX       ;moves the decrypted chars to 402160
:00401136 46                INC     ESI                      ;ESI+1
:00401137 EBDD              JMP     00401116                 ;loop
:00401139 43                INC     EBX                      ;EBX+1 (char pos)
:0040113A 33F6              XOR     ESI,ESI                  ;ESI=0
:0040113C 8A831A214000      MOV     AL,[EBX+0040211A]        ;AL=current char
:00401142 3C00              CMP     AL,00                    ;if it's a 00h goto 3rd check
:00401144 7409              JZ      0040114F
:00401146 3C01              CMP     AL,01                    ;if it's a 01h goto 3rd check
:00401148 74F2              JZ      0040113C
:0040114A 03F0              ADD     ESI,EAX                  ;ESI+current char
:0040114C 43                INC     EBX                      ;EBX+1 (char pos)
:0040114D EBED              JMP     0040113C                 ;loop
:0040114F 81FEB2010000      CMP     ESI,000001B2             ;if sum is 1B2h then goto good cracker
:00401155 75A0              JNZ     004010F7                 ;else jump to bad cracker!

OK, now we know what we need to know to make a sample keyfile for your name.
The first chars, up to a 01h or a 00h, will be XORed with the chars beginning
after the 01h or 00h; the sum of the chars BEFORE the 01h or 00h must be
1D5h, and there must be two 01h's before the 00h somewhere in the file.

And the sum of the chars after the first 01h and before the second 01h or 00h
must be 1B2h.

So let's start calculating. I want mine to be registered to Klefz (you can do the same
thing, but with your name, and remember, max length is 16 chars).

I start by XORing the f & z with 02h:

 66 7A
XOR
 02 02
------
 64 78

64h + 78h = DCh

Then I XOR the l & e with 77h:

 6C 65
XOR
 77 77
------
 1B 12

1Bh + 12h = 2Dh

DCh + 2Dh = 109h

1D5h - 109h = CCh

So the K has to contribute CCh: I XOR the K with CCh to get the byte that the K will be XORed with, and check that XORing the K with that byte gives CCh back:

 4B
XOR
 CC
---
 87 

 4B
XOR
 87
---
 CC

109h + CCh = 1D5h

Checksum 2 filled.

So my file looks like this now:

CC 1B 12 64 78                                  ¦dx

Now we have to add a 01h to get Checksum 1 filled:

CC 1B 12 64 78 01                               ¦dx

Now add the XOR values after the 01h:

CC 1B 12 64 78 01 87 77 77 02 02                ¦dxçww

and the second 01h:

CC 1B 12 64 78 01 87 77 77 02 02 01             ¦dxçww

Now we have to fill Checksum 3, so let's enter FFh first, and 1B2h - FFh =
B3h, so our two bytes are FF B3:

CC 1B 12 64 78 01 87 77 77 02 02 01 FF B3       ¦dxçww¦

And to complete Checksum 1 we have to add 00h to the end:

CC 1B 12 64 78 01 87 77 77 02 02 01 FF B3 00    ¦dxçww ¦

Save, and you have registered it :)
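The three checks in the listing above and the byte-by-byte construction just done, modelled in Python as an added example (not part of the original essay): verify_keyfile() re-implements the length, separator, checksum and XOR logic at 4010B8..401155 and returns the decoded name, and make_keyfile() generalises the construction to any name of 2 to 15 characters (the CMP ESI,0F caps the XOR loop at 0Fh chars) by choosing the first section's bytes greedily so that no byte of either section is 00h or 01h. It assumes that [00402173] holds the number of bytes ReadFile returned, so generated files are padded with spaces after the final 00h to reach 12h bytes.

```python
SUM1, SUM3, MIN_LEN, MAX_NAME = 0x1D5, 0x1B2, 0x12, 0x0F   # values from the listing
SEP = (0x00, 0x01)                                         # bytes that end a section
# the keyfile built in the essay, padded to 12h bytes with spaces (padding is assumed)
ESSAY_KEYFILE = bytes.fromhex("CC1B12647801877777020201FFB300").ljust(MIN_LEN, b" ")

def verify_keyfile(data: bytes):
    """Re-implements the checks at 4010B8..401155. Returns (ok, decoded name)."""
    if len(data) < MIN_LEN:                  # CMP [00402173],12 / JL bad
        return False, ""
    if 0 not in data or data[:data.index(0)].count(1) < 2:   # check 1: two 01h before the 00h
        return False, ""
    ebx, total = 0, 0                        # check 2: bytes before the first 00h/01h sum to 1D5h
    while data[ebx] not in SEP:
        total += data[ebx]
        ebx += 1
    if total != SUM1:
        return False, ""
    name, ebx = bytearray(), ebx + 1         # XOR loop at 401116: next section ^ check-2 bytes
    while ebx < len(data) and data[ebx] not in SEP and len(name) < MAX_NAME:
        name.append(data[ebx] ^ data[len(name)])
        ebx += 1
    ebx, total = ebx + 1, 0                  # check 3: bytes after that, up to the 00h, sum to 1B2h
    while ebx < len(data) and data[ebx] != 0:
        if data[ebx] == 1:                   # the listing jumps back without advancing EBX here
            return False, ""
        total += data[ebx]
        ebx += 1
    return total == SUM3, name.decode("latin-1")

def make_keyfile(name: str, filler: int = 0x20) -> bytes:
    """Builds a keyfile the way the essay does, for any name of 2..15 chars."""
    raw = name.encode("latin-1")
    if not 2 <= len(raw) <= MAX_NAME:
        raise ValueError("name must be 2..15 characters")
    section1, rem = bytearray(), SUM1        # section 1 must sum to 1D5h; no byte may be 00h/01h,
    for i, ch in enumerate(raw):             # and neither may its XOR value (section 2)
        left = len(raw) - 1 - i              # positions still to fill, each needs 2..255
        hi, lo = min(255, rem - 2 * left), max(2, rem - 255 * left)
        for cand in range(hi, lo - 1, -1):   # greedy: largest usable byte first
            if (cand ^ ch) not in SEP:
                break
        else:
            raise ValueError("no usable byte for position %d" % i)
        section1.append(cand)
        rem -= cand
    section2 = bytes(c ^ ch for c, ch in zip(section1, raw))   # the XOR values (87 77 77 02 02 above)
    tail = bytes([0xFF, SUM3 - 0xFF])                          # FF B3 fills checksum 3
    data = bytes(section1) + b"\x01" + section2 + b"\x01" + tail + b"\x00"
    return data + bytes([filler]) * max(0, MIN_LEN - len(data))  # pad to 12h bytes (assumed)
```

Running verify_keyfile over the essay's own bytes decodes "Klefz", and a one-byte change to the first section is enough to fail checksum 2.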


 
 
Final notes...
What can I say? Nice work on this one, Duelist :)

My thanks and gratitude go to:

Duelist for making this Crackme
All members of ReFleXZ, and all ppl that know me..


 
 
Disclaimer...
This tutorial is written for EDUCATIONAL purposes only.
So if you want to use the program after its trial period ends, please BUY IT!
Support shareware (and its authors), this is our learning tool!

ReFleXZ is not responsible for any damage caused with this essay or any of its parts.
So everything you're doing and 'experimenting' is on your own responsibility!

Also, in this tutorial you'll not find any serial numbers, so try to search elsewhere
under Cracks and Warez.

Copyright © 1999 by ReFleXZ '99
All rights reserved