January 1999
"BuLLeT's Crackme V4.75"
Win '95 PROGRAM
Win Code Reversing
 
by  Borna Janes
 
 
Code Reversing For Beginners 
Program Details
Program Name: cia475..zip
Program Type: Crackme program
Program Location: Here
Program Size: 163 K 
 
Tools Used:
Softice 3.2 - Debugger
W32Dasm V8.9 - Disassembler
Rating
Very Easy ( X )  Medium (   )  Hard (    )  Pro (    )
There is a crack, a crack in everything. That's how the light gets in.


BuLLeT's Crackme V4.75

Written by Borna Janes


Introduction

The crackme's author says about it:

"Well here it is...CrackMe v4.75 by me ;)
First i'd like to say that if you're an average cracker don't even unZIP this.
This crackme is made for newbies (hardcoded serial), so if you have other
things to do, do them first :P Anyway...to everyone who wants to give this
a try: DON'T EDIT/HIEW/READ the B-CRK475.EXE, this will be considered as
CHEATING since the serial is hardcoded in the file. If you can't resist and
do it anyway always keep in mind: "I'M A CHEATER - I'M A CHEATER....and so on"
I want you to think that every time you even just SEE the file. OK ??
Hehehe...just kidding...but plz try to do it without EDIT or similar appz."
 
 
 
About this protection system

When you run the program you'll see a small window with some
text about the program and one text box to enter the serial.
To check the serial you must press the "UNLOCK" button.

If you enter a bad serial, an error message will appear instead of
the text box; otherwise the correct-serial message will appear!

GOOD MESSAGE = "Unlock succesfull, read rulez above !"
BAD MESSAGE = "Wrong serial.....try again ;)"


 
The Essay

Just as the author says, the unlock code is hardcoded into the file!
But after making a dead listing of the program with W32Dasm
and unsuccessfully searching for a string that could be the serial,
I decided to find the correct unlock key with Softice.

After some unsuccessful tries to break into Sice with
my *favourite* breakpoints (GetWindowTextA and
GetDlgItemTextA), I set a breakpoint on the system function
Hmemcpy and Sice breaks!!

Ok, first run the program.
Enter any random unlock key.
Now fire up Sice with "CTRL-D", type "BPX HMEMCPY" and
leave Softice, again with "CTRL-D".
Press the "UNLOCK" button to verify whether our key is correct.

Softice now breaks at the beginning of the Hmemcpy function.
To return to the program's code press...

"F11" - once,
"F12" - six times,
"F10" - twenty-three times

Congratulations, you just landed at the comparison routine code!
Now you can see this part of the code:

:004408DA 8D55FC                  lea edx, dword ptr [ebp-04]
:004408DD 8B83D0020000            mov eax, dword ptr [ebx+000002D0]
:004408E3 E8BC14FEFF              call 00421DA4
:004408E8 8B45FC                  mov eax, dword ptr [ebp-04]  ;Our fake unlock key
:004408EB BA3C094400              mov edx, 0044093C            ;"This program must be run under Win32"
:004408F0 E83732FCFF              call 00403B2C                ;Comparison routine???
:004408F5 750F                    jne 00440906                 ;If the password is wrong, display error????
:004408F7 B201                    mov dl, 01

Press "F10" until you get to 4408EB.
Now type "D EAX" to see what EAX contains.
It's our *fake* unlock code!

Press "F10" once.
Type "D EDX" to see what EDX contains.
Hmmm....something strange here!
EDX contains the text "This program must be run under Win32"!
We ran the program under Windows, didn't we??...of course we did  ;-)

Here there is also a call at 4408F0 and a (C)onditional jump at 4408F5!
Hmm...all that looks like a comparison routine, let's check it!
Press "F10" until you step onto 4408F5 JNE 440906!
If this is the comparison routine then this jump takes us
to the part of the code that displays the error message!

Now type "R FL Z" to set the zero flag and the program will not jump!

Press "CTRL-D" and you'll see the message which indicates
that our password is correct!
Let's now see what we have.
We have our *fake* code located in EAX, and we have the
"This program must be run under Win32" message located
in EDX! The program then compares EAX and EDX and jumps if they are not the same!

Is the message in EDX the correct password???
There is only one way to find out!
Type "This program must be run under Win32" into the program's
text box and press the "UNLOCK" button!
The message "Unlock succesfull, read rulez above!" appeared.
We were right, that was the correct serial!

The author of this crackme wants to fool us into thinking that
the program has a hardcoded unlock key!
It actually has, but when searching in W32Dasm for a string that
could be the correct key we would never say that the string
"This program must be run under Win32" is the correct serial!
So we still need Softice's help to crack this babe!
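As an added illustration (this is not code from the crackme or from this essay), here is a small C model of the check the listing above performs: the user's key plays the role of EAX, the hardcoded string plays the role of EDX, strcmp stands in for the call at 4408F0 and the if() stands in for the jne at 4408F5. Next to it is a hypothetical hardened variant that keeps only a digest of the serial in the binary, so neither a string search in the dead listing nor "D EDX" at the compare shows the serial in clear. The function names, the digest idea, the FNV-1a hash and the sample serial are assumptions made for this example; none of them come from B-CRK475.EXE.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The two result strings quoted in the essay. */
#define GOOD_MESSAGE "Unlock succesfull, read rulez above !"
#define BAD_MESSAGE  "Wrong serial.....try again ;)"

/* --- Variant 1: what the listing at 4408E8..4408F5 does ----------------
 * The serial is stored as a plain string inside the executable (the
 * crackme hides it behind the text of the usual Win32 stub message). */
static const char HARDCODED_SERIAL[] = "This program must be run under Win32";

/* strcmp stands in for call 00403B2C; the if() is the jne at 4408F5.
 * The whole decision is one compare and one flag, which is why forcing
 * ZF in the debugger (the essay's "R FL Z") makes the error path vanish. */
const char *check_serial_plaintext(const char *input)
{
    if (strcmp(input, HARDCODED_SERIAL) != 0)
        return BAD_MESSAGE;      /* jne 00440906 taken: error path */
    return GOOD_MESSAGE;         /* fall through to mov dl,01: success path */
}

/* --- Variant 2: ship a digest, not the serial (hypothetical hardening) --
 * FNV-1a 64-bit is used only to keep the example short; a real product
 * would use a cryptographic hash or a signed licence instead. */
uint64_t fnv1a64(const char *s)
{
    uint64_t h = 0xcbf29ce484222325ULL;    /* FNV offset basis */
    for (; *s != '\0'; s++) {
        h ^= (unsigned char)*s;
        h *= 0x100000001b3ULL;             /* FNV prime */
    }
    return h;
}

/* The build step: only this number would be baked into the binary. In a
 * real build it is produced once by a tool and stored as a constant; it is
 * computed here at run time so the example stays self-contained. */
uint64_t build_serial_digest(const char *serial)
{
    return fnv1a64(serial);
}

/* The shipped check: the plaintext serial never appears in the image.
 * The single-branch weakness is still present, so this is a partial fix;
 * it only removes the "the secret is sitting in EDX" problem. */
const char *check_serial_digest(uint64_t stored_digest, const char *input)
{
    if (fnv1a64(input) != stored_digest)
        return BAD_MESSAGE;
    return GOOD_MESSAGE;
}

int main(void)
{
    /* Constructed sample serial for the digest variant. */
    const char *serial = "EXAMPLE-SERIAL-1999";
    uint64_t digest = build_serial_digest(serial);

    printf("%s\n", check_serial_plaintext("12345"));           /* bad  */
    printf("%s\n", check_serial_plaintext(HARDCODED_SERIAL));  /* good */
    printf("%s\n", check_serial_digest(digest, "12345"));      /* bad  */
    printf("%s\n", check_serial_digest(digest, serial));       /* good */
    return 0;
}
```

Build with any C compiler (for example "cc -o serialcheck serialcheck.c") and run it; the first variant is exactly the shape the listing shows, and the second shows what changes when the binary carries a digest instead of the string.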
 

Great thanks to Eternal Bliss for best resource of crackme programs!
 
Ob Duh

Do I really have to remind you all that buying and NOT stealing the software you use will ensure that these software houses are encouraged to produce even *better* software for us to use and enjoy.

Ripping off software through serials and cracks is for lamers..

If you're looking for cracks or serial numbers on these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.
 



 

Essay by: Borna Janes
Page Created: 4th January 1999