Cracking Tutorial for Tuberculosis CrackMe 3.0

This tutorial is very brief ... since I don't have the time to write a long one. Since the CrackMe is very, very easy (possible rating: 1/100), I think everyone should be able to solve it. If you need a good tutorial on getting a serial number for a not-so-easy target, I highly recommend reading my essays 18, 23, 31, and 33, which can all be found at THE LEARN TO CRACK Site.

Enter your favourite fake serial, press CHECK IT and trace some code:

       :00403D95    CALL    USER32!GetWindowTextA    ; get serial
       :00403D9A    CMP     EBX,0B                   ; 0Bh chars long?
       :00403D9D    JNZ     00403E15                 ; if not => invalid

So as you can find out yourself, our serial needs to be 11 chars long. Now go on with the tracing ... you will come across the following:

       :00403DAF    CALL    00403BB4                 ; check first 3 chars
       :00403DB4    CMP     BYTE PTR [EBP-01],00     ; aren't they ok?
       :00403DB8    JZ      00403DCC                 ; if so => JMP

Ok. Now you have to enter the CALL at 403DAF to find out that the first 3 chars have to be ... VN-. Now enter this and press the CHECK IT button again ... after some tracing you will come across the following:

       :00403DDC    CALL    00403CB4                ; check last 4 chars
       :00403DE1    CMP     BYTE PTR [EBP-01],00    ; aren't they ok?
       :00403DE5    JZ      00403E15                ; if so => JMP

Ok. Now you have to enter the CALL at 403DDC to find out what the last 4 chars have to be ... -TbC. Now enter this and press the CHECK IT button ... now go on and you will find the following code snippet:

       :00403DE7    CMP     DWORD PTR [00406528],0000012C
       :00403DF1    JNZ     00403E15

Now I checked what address 406528 contained ... it was CAh. Now we have to think a little bit ... is this some kind of checksum? Well, let's remember what has been checked so far ... the first 3 chars and the last 4 chars. And what about the 4 chars between them? Are they left unchecked? No. As you can find out with a little tracing, 406528 contains the sum of those 4 chars, and this sum has to be 12Ch ... you could of course think now, ok, just use 12Ch / 4 for each of these chars ... but that's not what I want ... I'd rather have my group in there ... ID_! Those three chars add up to ECh (49h + 44h + 5Fh), so the fourth has to be 12Ch - ECh = 40h, which is '@'. So the serial should be VN-ID_@-TbC ... and what do you get?

CrackMe solved ... now do you know why viny has called this "easy crackme"? Another target has been Reverse Engineered. Any questions (no crack requests)?
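
The checks traced above, modelled in C as an added example (not the CrackMe's own code and not part of the original tutorial): `check_serial` mirrors the length, prefix, suffix and checksum tests, and `count_groups` counts how many middle groups the additive checksum accepts. All names are made up for this example, and the printable-ASCII range (20h to 7Eh) is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Added example: models the check as the tutorial describes it.
   Function and macro names are made up here, not taken from the CrackMe. */
#define SERIAL_LEN 0x0B   /* CMP EBX,0B */
#define MIDDLE_SUM 0x12C  /* CMP DWORD PTR [00406528],0000012C */

/* Sum of the four chars between "VN-" and "-TbC" (offsets 3..6). */
int middle_sum(const char *s)
{
    int sum = 0;
    for (int i = 3; i < 7; i++)
        sum += (unsigned char)s[i];
    return sum;
}

/* Returns 1 if the serial passes all four checks, 0 otherwise. */
int check_serial(const char *s)
{
    if (strlen(s) != SERIAL_LEN)        return 0;  /* 11 chars long    */
    if (memcmp(s, "VN-", 3) != 0)       return 0;  /* CALL 00403BB4    */
    if (memcmp(s + 7, "-TbC", 4) != 0)  return 0;  /* CALL 00403CB4    */
    return middle_sum(s) == MIDDLE_SUM;            /* sum must be 12Ch */
}

/* Counts the 4-char groups that reach `target`, assuming (not stated in
   the tutorial) that only printable ASCII 20h..7Eh can be entered. */
long count_groups(int target)
{
    long n = 0;
    for (int a = 0x20; a <= 0x7E; a++)
        for (int b = 0x20; b <= 0x7E; b++)
            for (int c = 0x20; c <= 0x7E; c++) {
                int d = target - a - b - c;  /* fourth char is forced */
                if (d >= 0x20 && d <= 0x7E)
                    n++;
            }
    return n;
}

int main(void)
{
    printf("VN-ID_@-TbC -> %d\n", check_serial("VN-ID_@-TbC"));
    printf("VN-KKKK-TbC -> %d\n", check_serial("VN-KKKK-TbC"));
    printf("accepted middle groups: %ld\n", count_groups(MIDDLE_SUM));
    return 0;
}
```

Because the middle check is a plain byte sum, any rebalancing of those four chars that keeps the total at 12Ch passes, which is why both the 12Ch / 4 choice and ID_@ are accepted.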

"There's always one way to crack a target - just think a bit!" - TORN@DO

-------------------------------------------------------
Forum: http://disc.server.com/discussion.cgi?id=42877
Website: http://learn2crk.cjb.net
-------------------------------------------------------

Copyright © 1999 by TORN@DO and The Immortal Descendants. All Rights Reserved.