January 1999
"Cruehead's Crackme v1.0" 
A crackme by Cruehead 
Win'95 PROGRAM 
Win'95 Code Reversing 
 
 
by Craftie 
 
 
Code Reversing For Beginners 
 
 
 
Program Details 
Program Name: Crackme.exe 
Program Type: 32 bit crackme 
Program Location:  Here 
Program Size: 36.3 KB 
Packed using: N/A 
 
  
Tools Required: 
Soft-ICE, and the calculator that comes with Win95 (Scientific view, for hex/decimal conversion).
 
Rating
Easy ( X )  Medium (    )  Hard (    )  Pro (    )
There is a crack, a crack in everything. That's how the light gets in.

Cruehead's Crackme v1.0
Written by Craftie
 
 

 
Introduction
This is a basic crackme written by Cruehead. It sums the characters of your name and uses a simple XOR operation on the result to generate the serial.
 
The Essay
Alright, this is my first tutorial ever, so don't be too hard on me, but if you have any questions email me at craftie@geocities.com and I'll try my best to answer you. First a little background on this program. It was written by Cruehead, and uses a simple little algorithm to generate your serial from your name: it sums the characters and XORs the result. It uses the XOR function...What's that? You don't know what that is? Well basically, XOR (exclusive-or) is a bitwise logic operation on binary digits: each result bit is 1 exactly when the two input bits differ, which is why XORing with the same value twice gets you back where you started (we'll use that at the end). For more information on bitwise operations, see CrackZ's page (http://www.wco.com/~micuan) or the Messing in Bytes page (www.messinginbytes.home.ml.org).

Anyways, on with this...The only tools you will need for this are Soft-ICE and that calculator that you should have on your computer if you have Win95/98. Alright, registration screen, name, serial...no problem...Enter some dummy data into both boxes (Craftie and 123123 in my case), and then press CTRL-D to pop into Soft-ICE. Type 'bpx getdlgitemtexta' and hit Enter to set a breakpoint on GetDlgItemTextA, the common Win32 API function for reading the text entered in a dialog box. Leave Soft-ICE (CTRL-D again) and press the 'OK' button. You should be back in Soft-ICE...Now comes a part that may take a while...Press F10 to step through the code a LOT, I'm not sure how many times, until you get to this code section: (From here on prepare to be bombarded with ASM code :)

By the way, to make your life easier instead of F10ing so much, just type 'g 00401228' in Soft-ICE to go here:

:00401228 688E214000     push 0040218E  The address of the buffer holding
                                        your name is pushed as the argument
                                        for the call below. Step over this
                                        with F10, then type 'd 0040218E' to
                                        dump that buffer. In the data window
                                        you should see your name.
:0040122D E84C010000     call 0040137E  This is the call that does the
                                        manipulations on your name. Enter
                                        it by pressing F10 till it's
                                        highlighted, then pressing F8.
:00401232 50             push eax
:00401233 687E214000     push 0040217E
:00401238 E89B010000     call 004013D8
:0040123D 83C404         add esp, 00000004
:00401240 58             pop eax
:00401241 3BC3           cmp eax, ebx

See that CALL at 0040122D? That looks interesting. Let's trace into it by F10ing till it's highlighted, and then pressing F8.

You should be at this code segment now. What you see from 00401383 to 0040139A is the upcasing loop: it converts your name to UPPERCASE, rejecting any character below 'A' along the way.

:0040137E 8B742404     mov esi, dword ptr [esp+04] puts the address of your
                                              name (the pushed argument) in ESI
:00401382 56           push esi             saves that address on the stack
:00401383 8A06         mov al, byte ptr [esi] <---moves the byte ESI points
                                              at (the current letter of your
                                              name) to AL
:00401385 84C0         test al, al            checks if AL is 0 (end of
                                              string)
:00401387 7413         je 0040139C            if yes, exit the loop
:00401389 3C41         cmp al, 41             Here through 0040138F checks
                                              whether AL is a letter that
                                              needs upcasing
:0040138B 721F         jb 004013AC    <---If its hex value is less than the
                                      value of 'A' (41h), e.g. a digit, a
                                      space or punctuation, jump to the
                                      'No luck' message
:0040138D 3C5A         cmp al, 5A  <---Compares AL with 'Z' (5Ah)
:0040138F 7303         jnb 00401394 <---jnb = jump if NOT below, i.e. if AL
                                        is 5Ah or above (lower case letters
                                        are 61h-7Ah), jump to the UPCASING
                                        routine at 00401394. Note that this
                                        is an off-by-one: a capital 'Z'
                                        (5Ah) itself is also sent through
                                        the upcasing call.
:00401391 46           inc esi      NOTE* YOU SHOULD ONLY BE HERE IF THE
                                    LETTER WAS ALREADY CAPITAL (41h-59h).
                                    Move ESI to the next letter of your name
:00401392 EBEF         jmp 00401383        <---Redo loop for next letter
:00401394 E839000000   call 004013D2    Here's the call to UPCASE the letter
:00401399 46           inc esi <---move ESI to the next letter of your name
:0040139A EBE7         jmp 00401383     redo loop for next character of name

Alright, now keep pressing F10 until the jump at 00401387 jumps and you get out of the loop. Done? Alright we're ready to move on... You should now be here:

:0040139C 5E                     pop esi   ESI  now holds UPCASED name
:0040139D E820000000             call 004013C2  Call to do more
                                                manipulations on name ---
                                                interesting...
:004013A2 81F778560000           xor edi, 00005678

Now trace into the call at 0040139D by pressing F10 till it's highlighted, then pressing F8. You should be here, in yet ANOTHER loop:

:004013C2 33FF           xor edi, edi <---clear EDI (the running sum)
:004013C4 33DB           xor ebx, ebx <---clear EBX
:004013C6 8A1E           mov bl, byte ptr [esi] move the current letter of
                                                your upcased name to BL
:004013C8 84DB           test bl, bl <----does BL equal 0 (end of string)?
:004013CA 7405           je 004013D1  if yes, exit the loop, and the call
:004013CC 03FB           add edi, ebx <----Add EBX to EDI---In other words,
      add the hex value of the current letter of your name to EDI, and keep
      adding. Note here: BL is the lowest byte (8 bits) of the 32 bit
      register EBX. Since EBX was cleared above and only BL is ever written,
      EBX holds the same value as BL, so the whole register is the letter.
:004013CE 46             inc esi         Move onto next letter
:004013CF EBF5           jmp 004013C6    <----repeat loop.
:004013D1 C3             ret             <----leave call

Keep tracing till the jump at 004013CA jumps. Basically, this loop added up the hex values of all the letters of your name, keeping the running sum in EDI. Press F10 on the RET instruction to leave the call. You should be here:

:004013A2 81F778560000      xor edi, 00005678

Hmm..Here the sum of the hex values of your name is XORed with 5678h and then moved to EAX by the next instruction. Keep tracing till the RET instruction... Recognize this place? Yup---This is right outside the call at the beginning that was for the name manipulations...You should be here:

:0040122D E84C010000       call 0040137E This is where we just came out of
:00401232 50               push eax <----Pushes the XORed name's value onto
                                         the stack
:00401233 687E214000       push 0040217E <----Hmm...What's this? :) Type 'd
                                          0040217E' and you should see your
                                          dummy serial in the data window!
:00401238 E89B010000       call 004013D8  You guessed it :) The serial
                                          manipulation call

Alright, trace into the call at 00401238 which you should know how to do by now ;) You should be here:

:004013D8 33C0         xor eax, eax            clears EAX
:004013DA 33FF         xor edi, edi      <---- clears EDI (the running value)
:004013DC 33DB         xor ebx, ebx      <----clears EBX
:004013DE 8B742404     mov esi, dword ptr [esp+04] puts the address of your
                                              serial string in ESI
:004013E2 B00A         mov al, 0A        EAX = 10, the multiplier for the
                                         next decimal digit (the jump at
                                         004013F3 comes back to here)
:004013E4 8A1E         mov bl, byte ptr [esi] Start of loop: Moves the
                                              current character of your
                                              serial to BL
:004013E6 84DB         test bl, bl       <---is BL 0 (end of string)?
:004013E8 740B         je 004013F5       <---If so, leave the loop
:004013EA 80EB30       sub bl, 30        ASCII digit '0'..'9' (30h..39h) to
                                         its value 0..9. Nothing checks that
                                         the character really is a digit
:004013ED 0FAFF8       imul edi, eax     EDI = EDI * 10
:004013F0 03FB         add edi, ebx      EDI = EDI + digit
:004013F2 46           inc esi           So all this converts the decimal
                                         serial string into a number in EDI,
                                         one digit at a time ("123" becomes
                                         7Bh)
:004013F3 EBED         jmp 004013E2      repeat loop on the next character of
                                         your serial (final value in EDI)
:004013F5 81F734120000 xor edi, 00001234 another XOR---XOR the value with
                                         1234h
:004013FB 8BDF         mov ebx, edi      moves the XORed value to EBX
:004013FD C3           ret

Whew, this is shorter than the last one :) Alright, so here's a summary of what just happened here: it converts your decimal serial string into a number (which Soft-ICE shows in HEX) and then XORs that with 1234h.

:00401238 E89B010000      call 004013D8     we just got out of here
:0040123D 83C404          add esp, 00000004 removes the pushed serial pointer
                                            from the stack
:00401240 58              pop eax           remember how the XORed name got
                                            pushed onto the stack way back
                                            when? Well, this retrieves it
:00401241 3BC3            cmp eax, ebx      Compares the XORed name (EAX)
                                            with the XORed serial (EBX)
:00401243 7407            je 0040124C <---Do they match? Jump to the good guy
                                      message. Alright! Here it is! So now
                                      we know the algo! If you didn't get
                                      it, here it is.....

It takes all the letters of your name, upcases them, and takes their ASCII values in hex...For Craftie that would be:

C = 43h
R = 52h
A = 41h
F = 46h
T = 54h
I = 49h
E = 45h

Now it adds those all up...For Craftie that would total 1FEh. Then it XORs that with 5678h. That would be (again for Craftie) 5786h. It stores that away for later use.

Now for the serial, it converts the decimal string to a number...For 123123 it would be 1E0F3h. Then that is XORed with 1234h, making 1F2C7h...Now it compares 1F2C7h with the value 5786h we stored away earlier---If they are the same, the serial is right, if not, the serial is wrong... So here's what we have (where x is a number we don't know, not a character)... x XOR 1234h = 5786h...How do we find x? XOR undoes itself, so we XOR 5786h with 1234h, giving 45B2h, and convert that value to decimal on the calculator: 17842....Enter that as the serial for Craftie and voila, you have the correct serial for your name...Job done.....
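To tie the two routines together (the name loop at 0040137E/004013C2 and the serial loop at 004013D8) and the algorithm summary above, here is a Python model of the check plus the keygen it implies. This is an added example written for this page; it is not Craftie's or Cruehead's code. The constants 5678h and 1234h, the 'A' lower bound, the missing digit check and the decimal parse loop all come from the listing. What the upcase call at 004013D2 does to bytes other than a-z is not shown on the page, so leaving those bytes unchanged is an assumption of this example, and names containing 'Z' (which the jnb off-by-one sends through that call) may hash differently in the real binary.

```python
# Added example (not code from the original essay or the crackme itself):
# a model of Cruehead's name/serial routines as disassembled above, plus a
# keygen derived from them.

MASK32 = 0xFFFFFFFF   # EDI is a 32-bit register; keep the arithmetic honest
NAME_XOR = 0x5678     # xor edi, 00005678 at 004013A2
SERIAL_XOR = 0x1234   # xor edi, 00001234 at 004013F5


def upcase_name(name: str) -> bytes:
    """Model of the loop at 00401383-0040139A.

    Any byte below 'A' (41h) takes the jb at 0040138B to the 'No luck'
    path, modelled here by raising ValueError.  Lower case a-z is mapped
    to A-Z.  ASSUMPTION: the call at 004013D2 is not shown on the page;
    this model leaves every other byte alone, so 'Z' and 5Bh-60h may
    differ from the real binary.
    """
    out = bytearray()
    for b in name.encode("latin-1"):
        if b < 0x41:
            raise ValueError(f"byte {b:#04x} is below 'A': name rejected")
        if 0x61 <= b <= 0x7A:
            b -= 0x20            # a-z -> A-Z
        out.append(b)
    return bytes(out)


def name_hash(name: str) -> int:
    """call 0040137E: sum the upcased bytes (loop at 004013C2), XOR 5678h."""
    total = 0
    for b in upcase_name(name):
        total = (total + b) & MASK32       # add edi, ebx
    return total ^ NAME_XOR


def serial_value(serial: str) -> int:
    """call 004013D8: decimal string to integer, then XOR 1234h.

    The loop computes EDI = EDI * 10 + (byte - 30h) for every byte up to
    the terminating NUL and never checks that the byte is a digit, so a
    non-digit silently feeds a garbage 'digit' in, exactly like the binary.
    """
    edi = 0
    for b in serial.encode("latin-1"):
        digit = (b - 0x30) & 0xFF          # sub bl, 30   (BL is 8 bits)
        edi = (edi * 10 + digit) & MASK32  # imul edi, eax / add edi, ebx
    return edi ^ SERIAL_XOR


def check(name: str, serial: str) -> bool:
    """cmp eax, ebx / je 0040124C at 00401241: True means 'good guy'."""
    try:
        return name_hash(name) == serial_value(serial)
    except ValueError:                      # name hit the 'No luck' jump
        return False


def keygen(name: str) -> str:
    """Invert the serial side: x XOR 1234h == name_hash, so x = name_hash XOR 1234h."""
    return str(name_hash(name) ^ SERIAL_XOR)


if __name__ == "__main__":
    # Constructed inputs: the essay's own example plus one more name.
    for who in ("Craftie", "cruehead"):
        print(f"{who}: name hash {name_hash(who):#06x}, serial {keygen(who)}")
```

Running it reproduces the essay's numbers: Craftie hashes to 5786h, the dummy serial 123123 becomes 1F2C7h, and the keygen returns 17842 (45B2h), which check() accepts.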
 
 
The 'Crack'
None is required.
 
 
Final Notes
This was a great crack for newbies, and I think there is a lot to be learned from it. If you've never looked at a generation routine before, this is a good first one.

My thanks goes to:- The Sandman for all he's done for newbies like me and providing such a great site.

Everyone who helped me on the Sandman's forum, all writers of tutorials that helped me, and anyone who is reading this :).
 
 
Ob Duh
Do I really have to remind you all that buying and NOT stealing the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges in breaking their often weak protection systems?

If you're looking for cracks or serial numbers from these pages then you're wasting your time, try searching elsewhere on the Web under Warez, Cracks etc.
 




Essay by:         Craftie
Page Created: 13 January 1999