Tutorial Number 28

Written by Eternal Bliss
Email: Eternal_Bliss@hotmail.com
Website: http://crackmes.cjb.net
         http://surf.to/crackmes
Date written: 21st Jul 1999

Program Details:
Name: CrackMe v8.5 by BuLLeT[CiA]

Tools Used: SoftIce

Cracking Method: Serial Sniffing
                 Hex Conversion to Ascii

Viewing Method: Use Notepad with Word Wrap switched on
                Screen Area set to 800 X 600 pixels (Optional)
__________________________________________________________________________

About this protection system

This program requires a RegID to register. The RegID is derived from the Name and Company you enter, and it contains non-typable characters, so you will want Crackers' Tool (available on my website) to turn the hex bytes into something you can paste into the RegID box.
_________________________________________________________________________

About this tutorial

This is a very short tutorial showing what serial fishing is like and how easy it can be. The aim is to show that you do not always need to trace into every call you see. A bit of patience and a bit of intelligence will bring you to the correct serial.
_________________________________________________________________________

SoftIce

Run the CrackMe and enter any Name/Company/RegID you want. The program checks the length of each field before it compares anything (the exact minimums are visible in the listing below), so enter at least 5 characters in each field to be safe. Then set the breakpoint by typing "bpx hmemcpy" in SoftIce, press F5 to return to the program and click on Register. You will break inside SoftIce.

What you must know now is that the bpx on hmemcpy lands you deep inside Windows. F12 runs until the current routine returns to its caller, so each press takes you one level up the call chain. Keep pressing F12 until you see CRKME!.ficken between the code window and the command window. You will see a "ret" very near; you are not at the right place yet, and the code here is useless for us. Keep pressing F12 until you reach a place where no "ret" is in sight. I have pasted the trace below and commented on some of the code.
:00442080 E82313FEFF   CALL 004233A8             <- hmemcpy is inside
:00442085 8D55F8       LEA EDX,[EBP-08]          <- land here
:00442088 8B86D0020000 MOV EAX,[ESI+000002D0]
:0044208E E81513FEFF   CALL 004233A8
:00442093 8B45F8       MOV EAX,[EBP-08]
:00442096 E8C919FCFF   CALL 00403A64
:0044209B 8BD8         MOV EBX,EAX
:0044209D 85DB         TEST EBX,EBX
:0044209F 7E0B         JLE 004420AC              (NO JUMP)
:004420A1 8D45FC       LEA EAX,[EBP-04]
:004420A4 E847FFFFFF   CALL 00441FF0
:004420A9 4B           DEC EBX
:004420AA 75F5         JNZ 004420A1
: __________Snip___________
: This conditional jump loops a few times (EBX counts down to zero)
: __________Snip___________
:004420AC 8B45FC       MOV EAX,[EBP-04]
:004420AF E8B019FCFF   CALL 00403A64
:004420B4 8BD8         MOV EBX,EAX
:004420B6 85DB         TEST EBX,EBX
:004420B8 7E0B         JLE 004420C5              (NO JUMP)
:004420BA 8D45F8       LEA EAX,[EBP-08]
:004420BD E8B6FEFFFF   CALL 00441F78
:004420C2 4B           DEC EBX
:004420C3 75F5         JNZ 004420BA
: __________Snip___________
: This conditional jump loops a few times as well
: __________Snip___________
:004420C5 8D45F4       LEA EAX,[EBP-0C]
:004420C8 8B4DFC       MOV ECX,[EBP-04]
:004420CB 8B55F8       MOV EDX,[EBP-08]
:004420CE E8DD19FCFF   CALL 00403AB0
:004420D3 837DF400     CMP DWORD PTR [EBP-0C],00
:004420D7 7507         JNZ 004420E0              (JUMP )
: __________Explanation___________
: The two processed strings are combined into [EBP-0C]. This is the value
: that is compared with your RegID further down, and it must be non-zero.
: __________Explanation___________
:004420E0 8D55F0       LEA EDX,[EBP-10]
:004420E3 8B86CC020000 MOV EAX,[ESI+000002CC]
:004420E9 E8BA12FEFF   CALL 004233A8
:004420EE 8B45F0       MOV EAX,[EBP-10]
:004420F1 E86E19FCFF   CALL 00403A64
:004420F6 83F805       CMP EAX,05
: __________Explanation___________
: Name ([ESI+2CC]) must be at least 5 characters
: (JGE is taken when the length is 5 or more)
: __________Explanation___________
:004420F9 7D0D         JGE 00442108              (JUMP )
:00442108 8D55F0       LEA EDX,[EBP-10]
:0044210B 8B86D0020000 MOV EAX,[ESI+000002D0]
:00442111 E89212FEFF   CALL 004233A8
:00442116 8B45F0       MOV EAX,[EBP-10]
:00442119 E84619FCFF   CALL 00403A64
:0044211E 83F803       CMP EAX,03
: __________Explanation___________
: Company ([ESI+2D0]) must be at least 3 characters
: __________Explanation___________
:00442121 7D0D         JGE 00442130              (JUMP )
:00442130 8D55F0       LEA EDX,[EBP-10]
:00442133 8B86E4020000 MOV EAX,[ESI+000002E4]
:00442139 E86A12FEFF   CALL 004233A8
:0044213E 8B45F0       MOV EAX,[EBP-10]
:00442141 E81E19FCFF   CALL 00403A64
:00442146 83F802       CMP EAX,02
: __________Explanation___________
: RegID ([ESI+2E4]) must be at least 2 characters
: __________Explanation___________
:00442149 7D0D         JGE 00442158              (JUMP )
:00442158 8D55F0       LEA EDX,[EBP-10]
:0044215B 8B86E4020000 MOV EAX,[ESI+000002E4]
:00442161 E84212FEFF   CALL 004233A8
:00442166 837DF000     CMP DWORD PTR [EBP-10],00
:0044216A 750D         JNZ 00442179              (JUMP )
:00442179 8D55F0       LEA EDX,[EBP-10]
:0044217C 8B86E4020000 MOV EAX,[ESI+000002E4]
:00442182 E82112FEFF   CALL 004233A8
:00442187 8B45F0       MOV EAX,[EBP-10]
:0044218A 8B55F4       MOV EDX,[EBP-0C]
:0044218D E8E219FCFF   CALL 00403B74
:00442192 7532         JNZ 004421C6

At 0044218D, can you see the CALL followed immediately by a conditional jump? That is the typical thing a newbie cracker looks out for. Usually a call at this point compares the correct RegID with the one you typed, and if they are not the same the jump takes you away from the "Congratz" message. Look at what sits immediately below that conditional jump:

:00442194 BA28224400   MOV EDX,00442228
:00442199 8B86CC020000 MOV EAX,[ESI+000002CC]
:0044219F E83412FEFF   CALL 004233D8
:004421A4 BA40224400   MOV EDX,00442240
:004421A9 8B86D0020000 MOV EAX,[ESI+000002D0]
:004421AF E82412FEFF   CALL 004233D8
:004421B4 BA68224400   MOV EDX,00442268
:004421B9 8B86E4020000 MOV EAX,[ESI+000002E4]

Right click on 00442228, 00442240 and 00442268 and choose Display, or simply type "d 00442228", "d 00442240" and "d 00442268". You will see:

1) CONGRATZ !!!
2) Now go get the next version!
3) Catch me in #CRACKS or #C.I.A

respectively. So the guess is right: the JNZ at 00442192 jumps away from this message, and the call at 0044218D IS the one that compares the correct RegID with the one we entered.

Scrolling up just above that call there are two MOVs:

:00442187 8B45F0       MOV EAX,[EBP-10]
:0044218A 8B55F4       MOV EDX,[EBP-0C]

At the call, EAX points to what you typed and EDX points to the RegID the program computed. If you type "d eax" to display what EAX points to, you will see what you typed.
If you type "d edx", you will see the following (for Name: Eternal Bliss, Company: Intel):

00D720F0 6B FF 77 ED 7C E3 5B 0E-F9 E2 71 73 CF 4D 68 29 k.w.|.[...qs.Mh)
00D72100 AC 16 00 00 04 21 D7 00-04 21 D7 00 60 00 00 00 .....!...!..`...

Doesn't look much like a RegID? This is where Crackers' Tool comes in, because the RegID contains non-typable characters. Copy down every hex byte up to (not including) the first 00, which marks the end of the string:

Hex Value: 6BFF77ED7CE35B0EF9E27173CF4D6829AC16

That is 18 bytes. Using Crackers' Tool we convert them to the characters they stand for, which is what Windows reads from the edit box:

kÿwí|ã[ùâqsÏMh)¬

Note that only 16 glyphs are visible: the bytes 0E (after "[") and 16 (at the end) are control characters with no glyph, but they are still part of the RegID and must be present in what you paste. That is also why you cannot simply copy k.w.|.[...qs.Mh).. from the SoftIce window and paste it into the RegID box: the dots are SoftIce's placeholder for any byte it cannot print, and a literal "." (hex 2E) is not the byte that is actually there, so the compare fails and you do not register.

So, try out my RegID

Name: Eternal Bliss
Company: Intel
RegID: kÿwí|ã[ùâqsÏMh)¬

CrackMe Cracked!
__________________________________________________________________________

Additional Points

If you trace into the CALL at 0044218D, you will see more of the compare method.
__________________________________________________________________________

Final Notes

This tutorial is dedicated to all the newbies like me.

My thanks and gratitude go to all the writers of cracking tutorials and CrackMes, and to all the crackers who have been supporting my site and project forum.
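The hex-to-characters step above, as an added example in Python. This is my own code, not part of the tutorial or of Crackers' Tool. It parses the two SoftIce "d edx" lines copied from the tutorial, cross-checks the hex column against the ASCII column SoftIce printed so that a mistake made while copying the bytes by hand is caught, cuts the string at the first 00, and reports which bytes have no visible glyph. Two assumptions the page does not state explicitly: the RegID is treated as a NUL-terminated byte string, and the dialog renders single bytes as Latin-1 (identical to Windows-1252 for every byte that occurs in this RegID).

```python
# Added example: rebuild the RegID from the SoftIce "d edx" dump in the
# tutorial. Not the tutorial's own code and not Crackers' Tool.
# Assumptions (not stated on the page): the RegID is a NUL-terminated byte
# string, and bytes are rendered as Latin-1 (same as Windows-1252 for every
# byte present here).

# The two dump lines copied from the tutorial (Name: Eternal Bliss, Company: Intel).
SOFTICE_DUMP = """\
00D720F0 6B FF 77 ED 7C E3 5B 0E-F9 E2 71 73 CF 4D 68 29 k.w.|.[...qs.Mh)
00D72100 AC 16 00 00 04 21 D7 00-04 21 D7 00 60 00 00 00 .....!...!..`...
"""


def softice_ascii_column(row: bytes) -> str:
    """Reproduce SoftIce's right-hand column: printable ASCII as-is, '.' for all else."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in row)


def parse_softice_dump(dump: str) -> bytes:
    """Parse 'd' output: 8-digit address, 16 hex bytes (8-8 joined by '-'), 16-char ASCII.

    The ASCII column is checked against the hex so that a typo made while
    copying the dump by hand is reported instead of yielding a wrong serial.
    """
    out = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        hex_field = line[9:56]       # "6B FF 77 ... 0E-F9 ... 68 29" (47 chars)
        ascii_field = line[57:73]    # "k.w.|.[...qs.Mh)" (16 chars)
        row = bytes(int(tok, 16) for tok in hex_field.replace("-", " ").split())
        if len(row) != 16:
            raise ValueError(f"expected 16 bytes on line: {line!r}")
        if softice_ascii_column(row) != ascii_field:
            raise ValueError(f"hex and ASCII columns disagree on line: {line!r}")
        out += row
    return bytes(out)


def c_string(data: bytes) -> bytes:
    """Bytes up to the first NUL: the 'copy down the hex until you reach 00' step."""
    end = data.find(b"\x00")
    return data if end < 0 else data[:end]


def regid_from_dump(dump: str) -> bytes:
    """The computed RegID exactly as the compare at 0044218D sees it (pointed to by EDX)."""
    return c_string(parse_softice_dump(dump))


def to_hex(regid: bytes) -> str:
    """The 'Hex Value' line of the tutorial."""
    return regid.hex().upper()


def is_control(b: int) -> bool:
    """C0 controls, DEL and C1 controls have no glyph in Latin-1."""
    return b < 0x20 or 0x7F <= b < 0xA0


def control_bytes(regid: bytes) -> list[tuple[int, int]]:
    """(offset, value) of every byte that will not show up as a visible character."""
    return [(i, b) for i, b in enumerate(regid) if is_control(b)]


def to_text(regid: bytes) -> str:
    """The full string to put into the RegID box, control characters included."""
    return regid.decode("latin-1")


def visible_text(regid: bytes) -> str:
    """What the tutorial prints: only the bytes that have a glyph."""
    return "".join(chr(b) for b in regid if not is_control(b))


if __name__ == "__main__":
    regid = regid_from_dump(SOFTICE_DUMP)
    print("hex      :", to_hex(regid))
    print("visible  :", visible_text(regid))
    print("controls :", [(i, f"{b:02X}") for i, b in control_bytes(regid)])
    print("length   :", len(to_text(regid)), "characters, of which",
          len(control_bytes(regid)), "are invisible")
```

The parser deliberately refuses a line whose hex does not reproduce SoftIce's own ASCII column; when you are transcribing 18 bytes by hand, a single swapped digit silently gives you a serial that will never match, and this check turns that into an error at parse time. The two invisible bytes it reports (0E at offset 7, 16 at offset 17) are the reason the pasted RegID must come from the bytes, not from what is visible on screen.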