#Cracking4Newbies Crackme #3

                                
Cracker      : [Kwai_Lo]
Date Written : 26/8/99
Target       : #Cracking4Newbies Crackme #3
Tools        : The One And Only SoftIce
Protection   : Name/Serial ;)
                        
Introduction:

This Here Is My 4th Tutor, In This Tutor I Will Teach You How To
KeyGen This CrackMe And Recode It In Console C. I Would Like To
Congratulate T0RNAD0 On His Efforts And His Kewl Website. Enuff
Of The Intro, Lets Start Cracking Now ;)

Cracking:

Before We Do Anything, We Must Study The Target First. 4 Ur Info
I Ripped The Template Of My 3rd Tut :P. So Some Parts May Be The Same.
Now We See A Place For The Name And Serial Input. We Enter A Name
And A Fake Serial. Before We Click OK We Set 2 Common BPX's, That Is,
GetDlgItemTextA And GetWindowTextA. Now We Click OK And Should Be In
SoftIce. Press F11 Once To Go Back To The Program Code. You Should
See Something Like The Code Below

:00401084 FF15A0404000            Call dword ptr [004040A0]
:0040108A 85C0                    test eax, eax
:0040108C 751C                    jne 004010AA <- Jump Cos We Got Text
:0040108E 50                      push eax

* Possible StringData Ref from Data Obj ->"No name!" <- Show Error
                                  |
:0040108F 68A4504000              push 004050A4

* Possible StringData Ref from Data Obj ->"Don't you have a name?!"
                                  |
:00401094 688C504000              push 0040508C
:00401099 53                      push ebx

* Reference To: USER32.MessageBoxA, Ord:01BEh
                                  |
:0040109A FF1598404000            Call dword ptr [00404098]
:004010A0 5E                      pop esi
:004010A1 33C0                    xor eax, eax
:004010A3 5B                      pop ebx
:004010A4 8BE5                    mov esp, ebp
:004010A6 5D                      pop ebp
:004010A7 C21000                  ret 0010 <- Ret Cos Got No Text



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040108C(C)
|
:004010AA 33F6                    xor esi, esi <- We Land Here
:004010AC 57                      push edi <- Seems To Clear And Push Registers
:004010AD 33D2                    xor edx, edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004010C6(C)
|
:004010AF 0FBE4415C0              movsx eax, byte ptr [ebp+edx-40] }
:004010B4 03F0                    add esi, eax                     }
:004010B6 8D7DC0                  lea edi, dword ptr [ebp-40]      }
:004010B9 83C9FF                  or ecx, FFFFFFFF                 }
:004010BC 33C0                    xor eax, eax                     }
:004010BE 42                      inc edx                          }
:004010BF F2                      repnz                            }
:004010C0 AE                      scasb                            } Algo ! Algo !
:004010C1 F7D1                    not ecx                          }
:004010C3 49                      dec ecx                          }
:004010C4 3BD1                    cmp edx, ecx                     }
:004010C6 76E7                    jbe 004010AF                     }
:004010C8 897508                  mov dword ptr [ebp+08], esi      }
:004010CB C1650807                shl dword ptr [ebp+08], 07       }
:004010CF 8D4DF4                  lea ecx, dword ptr [ebp-0C]
:004010D2 6A0A                    push 0000000A
:004010D4 51                      push ecx

* Possible Reference to Dialog: DialogID_0065, CONTROL_ID:03E9, ""
                                  |
:004010D5 68E9030000              push 000003E9
:004010DA 53                      push ebx

* Reference To: USER32.GetDlgItemTextA, Ord:0104h <- Get Serial Field
                                  |
:004010DB FF15A0404000            Call dword ptr [004040A0]
:004010E1 85C0                    test eax, eax
:004010E3 5F                      pop edi
:004010E4 751C                    jne 00401102 <- We Got Text
:004010E6 50                      push eax

* Possible StringData Ref from Data Obj ->"No serial!" <- No Text Entered
                                  |
:004010E7 6880504000              push 00405080

* Possible StringData Ref from Data Obj ->"No serial number entered!"
                                  |
:004010EC 6864504000              push 00405064
:004010F1 53                      push ebx

* Reference To: USER32.MessageBoxA, Ord:01BEh
                                  |
:004010F2 FF1598404000            Call dword ptr [00404098]
:004010F8 5E                      pop esi
:004010F9 33C0                    xor eax, eax
:004010FB 5B                      pop ebx
:004010FC 8BE5                    mov esp, ebp
:004010FE 5D                      pop ebp
:004010FF C21000                  ret 0010 <- Return

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004010E4(C)
|
:00401102 8D55F4                  lea edx, dword ptr [ebp-0C]
:00401105 52                      push edx
:00401106 E840010000              call 0040124B
:0040110B 8B4D08                  mov ecx, dword ptr [ebp+08] <- We're Not Done Yet
:0040110E 83C404                  add esp, 00000004
:00401111 03CE                    add ecx, esi <- More code :)
:00401113 3BC8                    cmp ecx, eax  <- Is Our Serial Correct ?
:00401115 6A00                    push 00000000
:00401117 751B                    jne 00401134 <- Nah We Fucked Up

* Possible StringData Ref from Data Obj ->"Good!" <- Ok We Passed
                                  |
:00401119 685C504000              push 0040505C

* Possible StringData Ref from Data Obj ->"Congratulations!!"
                                  |
:0040111E 6848504000              push 00405048
:00401123 53                      push ebx

* Reference To: USER32.MessageBoxA, Ord:01BEh
                                  |
:00401124 FF1598404000            Call dword ptr [00404098]
:0040112A 5E                      pop esi
:0040112B 33C0                    xor eax, eax
:0040112D 5B                      pop ebx
:0040112E 8BE5                    mov esp, ebp
:00401130 5D                      pop ebp
:00401131 C21000                  ret 0010 <- Ret



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401117(C)
|

* Possible StringData Ref from Data Obj ->"Bad!" <- We Didn't Get The Correct Serial
                                  |
:00401134 6840504000              push 00405040

* Possible StringData Ref from Data Obj ->"Wrong number!!"
                                  |
:00401139 6830504000              push 00405030
:0040113E 53                      push ebx

* Reference To: USER32.MessageBoxA, Ord:01BEh
                                  |
:0040113F FF1598404000            Call dword ptr [00404098]
:00401145 5E                      pop esi
:00401146 33C0                    xor eax, eax
:00401148 5B                      pop ebx
:00401149 8BE5                    mov esp, ebp
:0040114B 5D                      pop ebp
:0040114C C21000                  ret 0010 <- Ret

Look At The Comments I Have Made On The Code Above. Now I Will Rip The Algo
Used To Generate The Serial.

movsx eax, byte ptr [ebp+edx-40] <- Moves Each Char Of Name (Sign Extended)
add esi, eax <- Adds It To esi Which Is 0 At The Beginning
lea edi, dword ptr [ebp-40] <- Loads The Address Of The Name Into edi
or ecx, FFFFFFFF }
xor eax, eax     }
inc edx <- Increase Counter Which Is 0 At The Start
repnz            }
scasb            } Gets Length Of String
not ecx          }
dec ecx          }
cmp edx, ecx <- Compare Counter With Length
jbe 004010AF <- Have We Reached The End ? If Not, Loop
mov dword ptr [ebp+08], esi <- Move The Added Up Value Into ebp+08
shl dword ptr [ebp+08], 07 <- Shift It Left By 7

We Go On And We See

mov ecx, dword ptr [ebp+08] <- Mov The Shifted Value Into ecx
add ecx, esi <- Add It To esi, Which Holds The Checksum Value

The Serial Is The Decimal Value Of ecx. Now We Go Back To The Crackme And Enter
The Serial And Voila, Itz Registered. Now We Code A Keygen For It.
This Is A Very Very Simple Algo. Now That I Know How The Serial Is Generated
I'm Goin To Code A Keygen, In C :P

/********************************
*Compile With BCC 5.02 And Above*
********************************/

#include <stdio.h>
#include <string.h>
#include <conio.h>

int main(){

char name[101]={0};     /* Room For 100 Chars Plus The NUL */
char *nl;
int i,len;
unsigned int esi,temp;  /* 32 Bits Wide, Same As The Real esi */

printf("Keygen For #Cracking4Newbies Crackme #3 By [Kwai_Lo]\n");
printf("\nGimmi A Name : ");
/* fgets Instead Of gets, So A Long Name Can't Overflow The Buffer */
if(fgets(name,sizeof(name),stdin)==NULL){
name[0]='\0';
}
nl=strchr(name,'\n');
if(nl){
*nl='\0';
}
else if(strlen(name)==sizeof(name)-1){
/* No Newline And The Buffer Is Full, So The Line Was Cut Off */
printf("You Entered Too Much\n");
getch();
return 0;
}

len=strlen(name);

if(len==0){
printf("You Didnt Enter A Name\n");
getch();
return 0;
}

/* movsx Sign Extends Each Char, So Chars Above 7F Subtract From esi */
for(i=0, esi=0 ; i < len ; i++){
esi+=(signed char)name[i];
}
temp=esi;

temp<<=7;   /* shl dword ptr [ebp+08], 07 */
temp+=esi;  /* add ecx, esi */

printf("Your Serial Is : %u\n",temp);
getch();
return 0;
}
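As an added example (not from the tutorial above, and not the crackme's own code), here is the same algo with the register semantics spelled out: movsx sign extends each byte, esi and [ebp+08] wrap at 32 bits, and the loop's jbe also visits the terminating NUL. It also models the check path after the serial is read, assuming the call to 0040124B is an atoi-style decimal parse (the tutorial does not name it); the function names serial_for_name and check_serial are mine.

```c
/* Added example: the crackme's serial algo and check, modelled with
 * explicit 32-bit register semantics. Assumption: 'call 0040124B' is an
 * atoi-style decimal parse (the tutorial does not say what it is). */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors the loop at 004010AF..004010C6 plus the shl/add that follow.
 * movsx sign-extends each byte, so bytes >= 0x80 subtract from esi;
 * esi and [ebp+08] are 32-bit, so everything wraps modulo 2^32. */
uint32_t serial_for_name(const char *name)
{
    uint32_t esi = 0;
    size_t len = strlen(name);
    size_t edx;

    /* jbe runs the body for edx == len too; that byte is the NUL, adds 0 */
    for (edx = 0; edx <= len; edx++)
        esi += (uint32_t)(int32_t)(int8_t)name[edx];

    /* mov [ebp+08], esi ; shl [ebp+08], 07 ; mov ecx,[ebp+08] ; add ecx, esi */
    return (esi << 7) + esi;        /* equals esi * 129 modulo 2^32 */
}

/* Mirrors the dialog handler: an empty name or serial is rejected before
 * the compare (the "No name!" / "No serial!" paths), otherwise
 * cmp ecx, eax compares the parsed serial with the computed value. */
int check_serial(const char *name, const char *serial)
{
    uint32_t typed;

    if (name[0] == '\0' || serial[0] == '\0')
        return 0;
    /* assumed atoi-like parse; truncated to the 32 bits eax holds */
    typed = (uint32_t)strtoul(serial, NULL, 10);
    return typed == serial_for_name(name);
}
```

The shift-then-add is just a multiply by 129 modulo 2^32, so the serial carries no more information than the byte sum of the name, which is why the check is so easy to reproduce.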

Greets:

I'd Like To Greet All The People At #cracking4newbies , #cracks And All
My Personal Friends (You Know Who You Are ;P) And All The Newbies Wanting
To Learn. You Can Contact Me At kwai_lo@hotmail.com

[Kwai_Lo]