SiFLyiNG's Tutorial #2
___________________________________________________________

Target_______: -=Runnin' Butt-On=- [Lite version]
_____________  Crackme by The AntiXryst and Terminal Cilla
_____________  d/l it on Eternal Bliss's site: http://crackmes.cjb.net
Level________: Intermediate (it's said in the cm_about.txt)
Tools needed_: .SoftIce 3.xx
               .WinDasm (not really necessary...)
               .A calculator with XOR, AND, hex/dec conversion
               .Some basics of cracking
               .A brain
               .Punk music (Millencolin/Screeching Weasel for the moment :)
               .Liters of beer
___________________________________________________________

Before beginning...

This is my second tutorial, but my first in English... so please excuse the numerous mistakes I'll make.

It's said in the cm_about.txt that the aim of this crackme is to make a keygen. I'll only tell you how to find a valid serial in this tut, so your job will be to make the keygen.

So, you run the crackme, but what do you see? A window called "Running butt-on like" containing two textboxes (user name and serial) and a CommandButton called Register. So put the name you want (I'll make the tut with 'SiFLyiNG' as name) and the serial you want... press Register :) OK, you can't push the Register button. I'm not very good at English, but I believe that's why the crackme is called 'Running butt-on like'. Notice that even if you manage to press this crazy button, nothing will happen. OK, let's understand what happens...
___________________________________________________________

The essay...

First of all you have to fill in the two textboxes. So you write:
- User name : SiFLyiNG
- Serial    : 123456789

I think the first reflex is to set a breakpoint on GetWindowTextA or on GetDlgItemTextA... nothing happens... so you try Hmemcpy. But you can't press the Register button because it keeps running away, so you suppose that the serial is compared each time you modify it. So add a character (0 for example) to your serial and *Boom*, you're back in SoftIce. OK, I won't detail exactly what you see...
I suppose you know it. So F11, return from the call, or trace with F10 until you see this in green: CM_LITE!CODE+0005540A (note that you might have another address after CM_LITE!CODE). There you see this piece of code:

  :0045640F mov eax, dword ptr [ebp-18]        ; eax = name
  :00456412 call 00403AD0                      ; get len of name in eax
  :00456417 add eax, 00000011                  ; eax = len(name) + 11h
  :0045641A cmp eax, 00000014                  ; cmp eax to 14h
  :0045641D jl 0045650C                        ; if lower, then jump to bad guy

...so you know now that the length of your name must be greater than or equal to (14h - 11h) = 3... let's trace on:

  :00456423 lea edx, dword ptr [ebp-18]
  :00456426 mov eax, dword ptr [edi+000002DC]
  :0045642C call 00423854                      ; reads the serial textbox into [ebp-18]
  :00456431 mov eax, dword ptr [ebp-18]        ; eax = serial
  :00456434 call 00403AD0                      ; len of serial in eax
  :00456439 test eax, eax
  :0045643B je 0045650C                        ; jump if no serial entered
  :00456441 lea edx, dword ptr [ebp-18]
  :00456444 mov eax, dword ptr [edi+000002D8]
  :0045644A call 00423854                      ; reads the name textbox into [ebp-18]
  :0045644F mov eax, dword ptr [ebp-18]        ; eax = name
  :00456452 call 00403AD0                      ; len of name in eax
  :00456457 test eax, eax
  :00456459 jbe 004564A9                       ; empty name: skip the loop below
  :0045645B mov dword ptr [ebp-14], eax        ; [ebp-14] = len(name), the loop counter
  :0045645E mov [ebp-0C], 00000001             ; [ebp-0C] = 1, the index of the current char

OK, this is not very interesting for the moment... but if you trace a bit, you arrive in a loop which begins the calculation of your serial as a function of the name you entered:

  * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:004564A7(C)
  |
  :00456465 lea edx, dword ptr [ebp-18]
  :00456468 mov eax, dword ptr [edi+000002D8]
  :0045646E call 00423854                      ; reads the name into [ebp-18] again
  :00456473 mov eax, dword ptr [ebp-18]        ; 'd eax' and you see the name
  :00456476 mov edx, dword ptr [ebp-0C]        ; edx = 1 at the beginning
  :00456479 movzx eax, byte ptr [eax+edx-01]   ; ASCII code of the edx'th char of the name into eax
  :0045647E imul [ebp-0C]                      ; eax = eax * [ebp-0C]
  :00456481 add ebx, eax                       ; ebx = ebx + eax
  :00456483 add esi, esi                       ; esi = esi * 2 (0 at the beginning)
  :00456485 add esi, ebx                       ; esi = esi + ebx
  :00456487 mov eax, dword ptr [ebp-04]        ; eax = [ebp-04] (0 at the beginning)
  :0045648A add eax, esi                       ; eax = eax + esi
  :0045648C add eax, ebx                       ; eax = eax + ebx
  :0045648E add eax, dword ptr [ebp-0C]        ; eax = eax + [ebp-0C]
  :00456491 mov dword ptr [ebp-04], eax        ; saves eax in [ebp-04]
  :00456494 mov eax, dword ptr [ebp-04]
  :00456497 sub eax, esi                       ; eax = eax - esi
  :00456499 add eax, dword ptr [ebp-08]        ; eax = eax + [ebp-08]
  :0045649C add eax, ebx                       ; eax = eax + ebx
  :0045649E mov dword ptr [ebp-08], eax        ; saves eax in [ebp-08]
  :004564A1 inc [ebp-0C]                       ; [ebp-0C] = [ebp-0C] + 1
  :004564A4 dec [ebp-14]                       ; decrease [ebp-14]
  :004564A7 jne 00456465                       ; jump if there are chars left in the name

Note that [ebp-14] is equal to the length of your name at the beginning of the loop. So the loop decreases [ebp-14] each time, which starts equal to the length of the name. It means that it'll loop as long as there are characters left in your name. So this part of the code has begun calculating the valid serial as a function of the name. But what do we see now...:

  :004564A9 mov eax, dword ptr [ebp-04]        ; for 'SiFLyiNG', eax = 02A16Ch
  :004564AC imul [ebp-08]                      ; eax = eax * [ebp-08], with [ebp-08] = 02A1C0h for my name
  :004564AF add esi, eax                       ; esi = esi + eax
  :004564B1 xor esi, ebx                       ; esi = esi XOR ebx (ebx = C54h)
  :004564B3 and esi, 7FFFFFFF                  ; esi = esi AND 7FFFFFFFh
  :004564B9 lea edx, dword ptr [ebp-18]
  :004564BC mov eax, dword ptr [edi+000002DC]
  :004564C2 call 00423854                      ; reads the serial textbox into [ebp-18] (same routine as for the name)
  :004564C7 mov eax, dword ptr [ebp-18]        ; eax = serial (string)
  :004564CA lea edx, dword ptr [ebp-10]
  :004564CD call 004048EC                      ; converts the serial string to a number in eax; the error code lands in [ebp-10]
  :004564D2 cmp dword ptr [ebp-10], 00000000
  :004564D6 jne 0045650C                       ; conversion failed -> bad guy
  :004564D8 lea eax, dword ptr [ebx+eax]       ; eax = eax + ebx = 499602D2h + C54h. Note: 499602D2h = 1234567890 (our serial)
  :004564DB xor eax, ebx                       ; eax = eax XOR ebx
  :004564DD and eax, 7FFFFFFF                  ; eax = eax AND 7FFFFFFFh
  :004564E2 cmp esi, eax                       ; compare eax to esi
  :004564E4 jne 0045650C                       ; -> bad cracker if not equal

OK, now you know that if eax and esi are equal then you will have won.
But in our case, we're going to the bad cracker code. But if you type ? esi at 4564E2 you get 1817657840 in decimal, and ? eax gives 1234568050. So you understand that this cmp compares esi (computed from the name) and eax (computed from the serial). So eax must be 1817657840 in this case to be able to register.

Bingo!!! We know what eax must be to register... it's easy now. We can deduce the serial we must have entered to be a good cracker. Remember:

  :004564C2 call 00423854                      ; reads the serial
  :004564C7 mov eax, dword ptr [ebp-18]
  :004564CA lea edx, dword ptr [ebp-10]
  :004564CD call 004048EC                      ; converts it to a number in eax
  :004564D2 cmp dword ptr [ebp-10], 00000000
  :004564D6 jne 0045650C
  :004564D8 lea eax, dword ptr [ebx+eax]       ; eax = eax + ebx
  :004564DB xor eax, ebx                       ; eax = eax XOR ebx
  :004564DD and eax, 7FFFFFFF                  ; eax = eax AND 7FFFFFFFh

We walk it in reverse:

  eax = esi = 1817657840 = 6C5741F0h
  eax = eax AND 7FFFFFFFh = 6C5741F0h AND 7FFFFFFFh = 6C5741F0h   (bit 31 is already clear, so nothing changes)
  eax = eax XOR ebx = 6C5741F0h XOR C54h = 6C574DA4h
  eax = eax - ebx = 6C574DA4h - C54h = 6C574150h

So, if we convert eax to decimal, it must be the valid serial for 'SiFLyiNG'. Let's try:

  eax = 6C574150h = 1817657680

So enter 'SiFLyiNG' as name and '1817657680' as serial. Hummm... the Register button is calm now... Press it: wowwwwwwwwww!!! "Congratulations, sweety! you have successfully managed..." As we say in French: Apres l'effort, le reconfort (after the effort, the comfort). Now I think it's the valid serial!!!!!!! Thanks to The AntiXryst and Terminal Cilla :)
___________________________________________________________

The end...

OK, my job is done. I hope you enjoyed this tut. If not, then it's not necessary to insult me, but don't hesitate to send your criticisms. Now you must understand the calculation of the valid serial and you're able to write a keygen. Good luck, it's not difficult :) I hope I didn't make too many mistakes... if that's the case, mail me.
If someone knows the phone number of the superb creature who congratulates you at the end, please send it to me :)

SiFLyiNG/PsyKedelic
siflying@ifrance.com

Greetz: Gluconzip my friend, Lucifer48 (http://www.multimania.com/lucifer48/), Skymarshall, LittleBob, Earwax, Eternal Bliss (http://crackmes.cjb.net)... and all the French crackers that I forgot :).

PS: my first tutorial, in French, for the pusillus crackme is available on Lucifer48's site, but I think I'll translate it into English soon... ...and for this tutorial, if anyone is interested, I can also make a French translation... There, it's finished... See you