Tutorial Number 20
Written by Eternal Bliss
Email: Eternal_Bliss@hotmail.com
Website: http://crackmes.cjb.net
         http://surf.to/crackmes
Date written: 27th May 1999

Program Details:
Name: W32Dasm CrackMe I
Author: LaZaRuS
Language: Borland Delphi 2.0

Tools Used: W32Dasm
Cracking Method: Zen

Viewing Method: Use Notepad with Word Wrap switched on
                Screen Area set to 800 X 600 pixels (Optional)

__________________________________________________________________________

About this protection system

Protection is based on a code which is hardcoded. How do I know? Well, look at what LaZaRuS has to say in his CrackMe.

"Actually in my opinion it is damn hard to code a CrackMe for W32Dasm. It can't have serial calculation or something else you can only follow in SICE. I tried my best and I believe it is little tricky."

From here, I know that I will be able to follow easily, since there will be no serial calculation. So what's left? Hard-coded codes hiding somewhere...

_________________________________________________________________________

W32Dasm

First, disassemble the CrackMe using W32Dasm. You do this by running W32Dasm, then choosing "Disassembler" -> "Open File To Disassemble".

As usual, you should look at the String Data References (SDR). That is the second-to-last icon (just next to the printer icon). What did you see? A lot of words I don't understand because they are not in English. Don't give up yet. Scroll through everything and see what you have. Towards the end, you will see "Sometimes, the wrong code can " and "Wrong code".

To go to where a string is used, double click on the string you want. In this instance, we would like to see where the string "Wrong code" is used. So, double click on "Wrong code".

You will see

=================================================================
:0042689B 8B45FC                  mov eax, dword ptr [ebp-04]

* Possible StringData Ref from Code Obj ->"Wrong code"
                                  |
:0042689E BA0C694200              mov edx, 0042690C
:004268A3 E8CCCBFDFF              call 00403474
:004268A8 7518                    jne 004268C2
=================================================================

To make sure that this string is only used once, double click it again. You should see another location where this string is used.

=================================================================
* Possible StringData Ref from Code Obj ->"Wrong code"
                                  |
:004268C9 BA50694200              mov edx, 00426950
:004268CE A124864200              mov eax, dword ptr [00428624]
:004268D3 E830B3FFFF              call 00421C08
=================================================================

You should see that they are very near one another... I've combined the two references together below.

=================================================================
:0042689B 8B45FC                  mov eax, dword ptr [ebp-04]

* Possible StringData Ref from Code Obj ->"Wrong code"    <<-- 1st reference
                                  |
:0042689E BA0C694200              mov edx, 0042690C
:004268A3 E8CCCBFDFF              call 00403474
:004268A8 7518                    jne 004268C2
:004268AA 6A00                    push 00000000

* Possible StringData Ref from Code Obj ->";-)"
                                  |
:004268AC B918694200              mov ecx, 00426918

* Possible StringData Ref from Code Obj ->"Sometimes, the wrong code can "
                                        ->"be the good code"
                                  |
:004268B1 BA1C694200              mov edx, 0042691C
:004268B6 A124864200              mov eax, dword ptr [00428624]
:004268BB E848B3FFFF              call 00421C08
:004268C0 EB16                    jmp 004268D8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004268A8(C)
|
:004268C2 6A00                    push 00000000
:004268C4 B94C694200              mov ecx, 0042694C

* Possible StringData Ref from Code Obj ->"Wrong code"    <<-- 2nd reference
                                  |
:004268C9 BA50694200              mov edx, 00426950
:004268CE A124864200              mov eax, dword ptr [00428624]
:004268D3 E830B3FFFF              call 00421C08
=================================================================

Notice the "Sometimes, the wrong code can "? Isn't it weird? Instead of saying "Congrats, you have cracked my CrackMe" or something of that sort, we get this. What is LaZaRuS trying to tell us??? Well, he is giving us a BIG hint. 8)

Look at the 2nd reference of "Wrong code". There is a reference to a conditional jump (at 4268A8) which brings us to it. This might mean that if we enter the code wrongly, we will be shown the message saying "Wrong code". Run the CrackMe, type anything and try to register. You will get a message saying "Wrong code". 8)

So, what is the 1st "Wrong code" doing there then? And what does "Sometimes, the wrong code can be the good code" mean???

Notice the call at (4268A3), followed by the conditional jump we mentioned? Normally, in a compare routine, there is always a CALL and then a conditional jump. This might be the case for the CrackMe. In this case, the 1st "Wrong code" is moved into EDX. A line above it moves something into EAX. Then the call...

With a bit of Zen and frustration, let's try entering "Wrong code" as the code. 8)

Did you see a message showing you "Sometimes, the wrong code can be the good code"? Do you know what this means? You have just cracked the CrackMe...

__________________________________________________________________________

Final Notes

This tutorial is dedicated to all the newbies like me. And because I'm a newbie myself, I may have explained certain things wrongly. So, if that is the case, please forgive me. Email me if there is anything you are not clear about.

My thanks and gratitude go to:-
All the writers of cracking tutorials and CrackMes, and also to all the crackers that have been supporting my site and project forum.
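The heuristic used in the W32Dasm section above (a string reference loaded into a register, then a CALL, then a conditional jump, which marks a compare-and-branch on a hardcoded value) can be automated over a W32Dasm listing. The following is an added example, not part of the original tutorial; it parses the listing quoted above (abridged, constructed inline) and reports which string literals sit in that pattern, which is also a quick audit for secrets a build leaves recoverable in its string table.

```python
import re

# Constructed sample: the W32Dasm listing quoted in the tutorial, abridged.
LISTING = """\
:0042689B 8B45FC mov eax, dword ptr [ebp-04]
* Possible StringData Ref from Code Obj ->"Wrong code"
|
:0042689E BA0C694200 mov edx, 0042690C
:004268A3 E8CCCBFDFF call 00403474
:004268A8 7518 jne 004268C2
* Possible StringData Ref from Code Obj ->"Sometimes, the wrong code can "
->"be the good code"
|
:004268B1 BA1C694200 mov edx, 0042691C
:004268BB E848B3FFFF call 00421C08
:004268C0 EB16 jmp 004268D8
* Possible StringData Ref from Code Obj ->"Wrong code"
|
:004268C9 BA50694200 mov edx, 00426950
:004268D3 E830B3FFFF call 00421C08
"""
INSTR = re.compile(r'^:([0-9A-F]{8})\s+[0-9A-F]+\s+(\w+)(?:\s+(.*))?$')
STRREF = re.compile(r'^\* Possible StringData Ref .*->"(.*)"$')
CONT = re.compile(r'^->"(.*)"$')
COND_JUMPS = {"je", "jne", "jz", "jnz", "ja", "jb", "jg", "jl"}

def parse(listing):
    # Returns instructions as (addr, mnemonic, operands) and string refs as
    # (text, index of the instruction that loads the string's address).
    instrs, refs, pending = [], [], None
    for line in listing.splitlines():
        if m := STRREF.match(line):
            pending = m.group(1)
        elif m := CONT.match(line):
            pending += m.group(1)  # W32Dasm wraps long strings onto '->' lines
        elif m := INSTR.match(line):
            instrs.append((m.group(1), m.group(2), m.group(3) or ""))
            if pending is not None:
                refs.append((pending, len(instrs) - 1))
                pending = None
    return instrs, refs

def compared_strings(listing):
    # Tutorial's heuristic: string load, then CALL, then conditional jump is a
    # compare-and-branch, so the literal is likely the value the input is
    # checked against. Returns (text, load addr, call target, jump addr).
    instrs, refs = parse(listing)
    hits = []
    for text, i in refs:
        if (i + 2 < len(instrs) and instrs[i + 1][1] == "call"
                and instrs[i + 2][1] in COND_JUMPS):
            hits.append((text, instrs[i][0], instrs[i + 1][2], instrs[i + 2][0]))
    return hits
```

On the listing above only the first "Wrong code" reference is flagged: the message-box call after the second one is followed by no conditional jump, and the "Sometimes..." string is followed by an unconditional jmp.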