Well, this CrackMe is very easy to crack; even
newbies will find that out. I recommend reading my "Cracker's Notes" first,
because the basics are covered there. So get them, read them and then let's start with
Step 1
Run the target and look at the screen! Two edit controls: one asking for your name
and one asking for your serial. Let's enter "Tutorial" in the Name field (without
the quotes) and "99999" in the serial field (without the quotes).
Press the check button and you get "Bad Name or Serial Number !!!!!". Now we
start W32DASM and disassemble the target.
Step 2
We want to find something like "Thanks for trying", so look in the String
Reference for interesting strings. I found the following:
"Bad Name Or Serial Number !!!!!"
"Good Serial, Thanks For trying "
We want to find out a valid serial # for our
name, so double click on "Good Serial, Thanks For trying". And then have a look
at this location:
:0042DCB2  mov dword ptr [0042F760], eax
:0042DCB7  mov eax, dword ptr [0042F758]
:0042DCBC  cmp eax, dword ptr [0042F760]
:0042DCC2  jne 0042DCDB
:0042DCC4  push 00000000
:0042DCC6  mov cx, word ptr [0042DD1C]
:0042DCCD  mov dl, 02

* Possible StringData Ref from Code Obj ->"Good Serial, Thanks For trying "
Wow! You see that our serial number, which is in eax, is moved into 42F760
(42DCB2), and then eax is loaded with the value stored at 42F758 (42DCB7).
Then our serial # and the right serial # get compared. If they are not equal we'll get to
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042DCC2(C)
|
:0042DCDB  push 00000000
:0042DCDD  mov cx, word ptr [0042DD1C]
:0042DCE4  mov dl, 02

* Possible StringData Ref from Code Obj ->"Bad Name Or Serial Number !!!!!"
So now we know where we have to break, so let's go on with
Step 3
Run NuMega SoftICE Symbol Loader. Open the CrackMe module and load the target.
You'll get an error message "An error occurred during ..." - this is because
no debug information was found (which programmer is so stupid as to put it in his/her
programs?). Press "Yes" and go on.
Now you break at 42DF88. The code window says INVALID, so press F10. Now set a
breakpoint on the compare (BPX 42DCBC) and press CTRL-D to get out of
WinICE. Now enter "Tutorial" in the name field (without the quotes) and
"99999" in the serial field (without the quotes). You get kicked back
to WinICE just at the location I explained in Step 2. So let's dump 42F758 (D 42F758)
and 42F760 (D 42F760) ... they look strange ... just hex values. EAX is FC 0B 4E
9F 07 and a few unimportant values. And 42F760 is 9F 86 01 and a few unimportant values.
Now type "? 9F8601" and ... strange ... this should be 99999, but it isn't. Why
isn't it so? Well, values are stored in memory in REVERSE byte order (little-endian),
so 9F8601 should be read as 01869F. So type "? 01869F" and you get "0000099999". So we know that
this is our bogus serial #. So let's do the same with EAX (07 9F 4E 0B FC). You
get an error message that this value is "too large". So let's use nearly
the same - without that unimportant 07. So type "? 9F4E0BFC". You'll get
"2672692220" and "-1622275076". Write these values down on a piece of
paper.
Step 4
Disable your breakpoint on 42DCBC (BD 42DCBC). If you enter the first
value (2672692220), you get the error message "'2672692220' is not a valid
integer value.", so enter the second value (-1622275076) and you'll get the
"Good Serial, Thanks For trying this CrackMe bY nIabI !". So our work is done
...
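The byte-order and signed/unsigned reasoning from Steps 3 and 4, worked through in Python as an added example (not part of the original tutorial): the two dumps are re-typed here as constructed input, and the signed 32-bit parser is my assumption about how the target converts the typed serial, based on its "not a valid integer value" message.

```python
import struct

# The two memory dumps from Step 3, re-typed as constructed sample input.
# SoftICE's "D" command shows bytes in memory order; only the first four matter.
DUMP_42F760 = bytes.fromhex("9F860100")  # our bogus serial "99999"
DUMP_EAX = bytes.fromhex("FC0B4E9F")     # the real serial, loaded from 42F758


def decode_le32(dump: bytes, signed: bool = False) -> int:
    """Read the first four dump bytes as a 32-bit x86 integer.

    x86 is little-endian: the byte shown first is the LEAST significant one,
    so the dump 9F 86 01 00 is the value 0x0001869F, not 0x9F860100.
    """
    return struct.unpack("<i" if signed else "<I", dump[:4])[0]


def as_softice_question(value: int) -> str:
    """Hex the way you would type it after SoftICE's '?' (most significant first)."""
    return f"{value & 0xFFFFFFFF:08X}"


def accepted_by_signed_int32_parser(text: str) -> bool:
    """Assumed model of the target's serial conversion: decimal text within the
    signed 32-bit range, otherwise "'...' is not a valid integer value."."""
    try:
        value = int(text, 10)
    except ValueError:
        return False
    return -2**31 <= value <= 2**31 - 1


def serial_candidates(dump: bytes):
    """Both decimal spellings of one 32-bit pattern: (unsigned, signed)."""
    return decode_le32(dump, signed=False), decode_le32(dump, signed=True)


def check_serial(user_text: str, real_dump: bytes) -> bool:
    """Model of the compare at 42DCBC: the typed serial, once parsed, must have
    the same 32-bit bit pattern as the value loaded into EAX from 42F758."""
    if not accepted_by_signed_int32_parser(user_text):
        return False
    return (int(user_text, 10) & 0xFFFFFFFF) == decode_le32(real_dump)


if __name__ == "__main__":
    print("42F760 =", decode_le32(DUMP_42F760))  # 99999
    unsigned, signed = serial_candidates(DUMP_EAX)
    print("EAX    =", as_softice_question(unsigned), unsigned, signed)
    for candidate in (str(unsigned), str(signed)):
        verdict = "Good Serial" if check_serial(candidate, DUMP_EAX) else "rejected"
        print(candidate, "->", verdict)
```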