Keyfile crackme 3.14 (pii.exe)
by Shadow / hf
Tutorial by Lucifer48 [Immortal Descendants]
(July 19th, 1999)
First thing, we must know the name of the keyfile. CreateFileA is called two times
(shadow.key and hf). In fact it is called 3 times: the crackme also tries to open x:\program file\numega\xxx,
but that's not important. For shadow.key the handle of the file (in eax) is not saved in memory... so the
keyfile is called hf.
XXXX:004010AE PUSH 004021A8 ;number of bytes read (dword)
XXXX:004010B3 PUSH DWORD PTR [004021AC] ;32h
XXXX:004010B9 PUSH 00402084 ;buffer (load the keyfile here)
XXXX:004010BE PUSH DWORD PTR [00402004] ;handle of file (hf)
XXXX:004010C4 CALL KERNEL32!ReadFile
XXXX:004010C9 CMP DWORD PTR [004021A8],17 ;size of keyfile: 17h = 23d
XXXX:004010D0 JNZ 00401162 ;jmp = very bad cracker!
The program now checks if the keyfile is valid...
XXXX:004010D6 PUSH 00402084 ;our keyfile
XXXX:004010DB CALL 004011F6 ;de/encryption (XOR in one word !)
XXXX:004010E0 PUSH 0040229D ;result
XXXX:004010E5 CALL KERNEL32!lstrlen ;length
XXXX:004010EA CMP EAX,0A
XXXX:004010ED JNZ 00401162 ;we mustn't jump!
In four words, the call 004011F6 makes a XOR 53 of the null-terminated string (address given on the stack).
And unfortunately, the job is already finished! This is a possible keyfile:
1F 26 30 3A 35 36 21 67 6B 73 53 28 63 29 20 4C    .&0:56!gksS(c) L
34 38 20 2F 20 49 44                               48 / ID
The 11th byte must be 53 (it XORs to 00, the null terminator, so lstrlen returns 0A). The first 10 bytes represent
your name (XOR 53). The last 12 bytes aren't used. With this keyfile, you will see: registered to:Lucifer48.
Coding a key maker is really not a difficult exercise.
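To make the check concrete, here is an added example (my own code, not from the original tutorial or the crackme) that re-implements the two checks above in Python and builds a keyfile in the layout described. The filler bytes are taken from the tutorial's keyfile; the restriction on the letter 'S' is an assumption that follows from the XOR 53h scheme.

```python
KEY = 0x53
KEYFILE_SIZE = 0x17   # CMP DWORD PTR [004021A8],17  (23 bytes)
NAME_LEN = 0x0A       # CMP EAX,0A  (lstrlen of the decoded name)

# The keyfile shown in the tutorial, transcribed from its hex dump.
TUTORIAL_KEYFILE = bytes.fromhex(
    "1F 26 30 3A 35 36 21 67 6B 73 53 28 63 29 20 4C"
    "34 38 20 2F 20 49 44"
)


def decrypt(buf: bytes) -> bytes:
    """Mimic CALL 004011F6: XOR every byte with 53h. The result is read as a
    NUL-terminated string, so stop at the first byte that XORs to 00h."""
    out = bytearray()
    for b in buf:
        c = b ^ KEY
        if c == 0:
            break
        out.append(c)
    return bytes(out)


def check_keyfile(buf: bytes) -> bool:
    """Replicate the two checks at 004010C9 and 004010EA."""
    if len(buf) != KEYFILE_SIZE:          # JNZ 00401162: wrong size
        return False
    return len(decrypt(buf)) == NAME_LEN  # JNZ 00401162: wrong name length


def make_keyfile(name: str, filler: bytes = b"(c) L48 / ID") -> bytes:
    """Key maker: name padded/cut to 10 chars and XORed with 53h, then 53h as
    the encoded terminator, then 12 unused bytes (any filler will do)."""
    name10 = name.encode("ascii")[:NAME_LEN].ljust(NAME_LEN, b" ")
    # Edge case (assumption): 'S' is 53h, so it would XOR to 00h and cut
    # the decoded name short, making lstrlen return less than 0Ah.
    if KEY in name10:
        raise ValueError("name must not contain 'S' (53h XOR 53h = 00h)")
    body = bytes(b ^ KEY for b in name10) + bytes([KEY])
    return body + filler[:12].ljust(12, b" ")


if __name__ == "__main__":
    print(decrypt(TUTORIAL_KEYFILE), check_keyfile(TUTORIAL_KEYFILE))
    with open("hf", "wb") as f:   # the crackme opens a file named "hf"
        f.write(make_keyfile("Lucifer48"))
```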
Greetings: All ID members (Volatility, Torn@do, ...), Eternal Bliss, ACiD BuRN,
Duelist, LaZaRuS, people on #cracking4newbies, french crackers, and other crackme makers.
(c) Lucifer48. All rights reversed