
  1. Brad Soblesky's Crack Me 2
  2. --------------------------
  3. Tools Used:
  4. Softice
  5.  
  6. ---
  7. Protection:
  8. Name/serial prot
  9.  
  10. ---
  11. OK, start the crackme, enter a name and a junk serial, set a breakpoint on hmemcpy, and press the OK button;
  12. now proceed until you come here:
  13.  
  14. :0040156A  8D4DEC              LEA     ECX,[EBP-14]          ; ecx -> the name string object (this pointer for the next call)
  15. :0040156D  E8DE020000          CALL    00401850              ; eax = len of name
  16. :00401572  8945E4              MOV     [EBP-1C],EAX          ; ebp-1c = eax (name length)
  17. :00401575  837DE405            CMP     DWORD PTR [EBP-1C],05 ; check if name < 5
  18. :00401579  7D43                JGE     004015BE              ; jump if greater or equal (len >= 5 -> serial routine at 4015BE)
  19. :0040157B  6A40                PUSH    40                    ; presumably the message-box style flags (40h)
  20. :0040157D  6820404000          PUSH    00404020              ; push the label of the msg box
  21. :00401582  6828404000          PUSH    00404028              ; and the 'at least 5 chars' text
  22. :00401587  8B8D40FEFFFF        MOV     ECX,[EBP-01C0]        ; presumably the dialog object (this pointer) for the call below
  23. :0040158D  E8F2070000          CALL    00401D84              ; print it out
  24. :00401592  C645FC01            MOV     BYTE PTR [EBP-04],01  ; the [ebp-04] state byte plus the three CALL 00401D60 below look like
  25. :00401596  8D4DDC              LEA     ECX,[EBP-24]          ; cleanup of the string temporaries at ebp-24 / ebp-18 / ebp-14;
  26. :00401599  E8C2070000          CALL    00401D60              ; not part of the serial check
  27. :0040159E  C645FC00            MOV     BYTE PTR [EBP-04],00
  28. :004015A2  8D4DE8              LEA     ECX,[EBP-18]
  29. :004015A5  E8B6070000          CALL    00401D60
  30. :004015AA  C745FCFFFFFFFF      MOV     DWORD PTR [EBP-04],FFFFFFFF
  31. :004015B1  8D4DEC              LEA     ECX,[EBP-14]
  32. :004015B4  E8A7070000          CALL    00401D60
  33. :004015B9  E9F9010000          JMP     004017B7              ; leave: name too short, the serial routine is never reached
  34. :004015BE  C745E000000000      MOV     DWORD PTR [EBP-20],00000000 ; ebp-20 = 0 (loop counter)
  35. :004015C5  EB09                JMP     004015D0              ; enter the loop at its condition check
  36. :004015C7  8B55E0              MOV     EDX,[EBP-20]           ; edx = ebp-20 (counter)  <- the loop back-edge lands here
  37. :004015CA  83C201              ADD     EDX,01                 ; edx = edx + 1
  38. :004015CD  8955E0              MOV     [EBP-20],EDX           ; counter = edx
  39. :004015D0  8B45E0              MOV     EAX,[EBP-20]           ; eax = counter
  40. :004015D3  3B45E4              CMP     EAX,[EBP-1C]           ; is eax < len of name
  41. :004015D6  7D42                JGE     0040161A               ; jump if greater or equal (loop finished -> 40161A)
  42. :004015D8  8B4DE0              MOV     ECX,[EBP-20]           ; ecx = counter
  43. :004015DB  51                  PUSH    ECX                    ; arg: character index
  44. :004015DC  8D4DEC              LEA     ECX,[EBP-14]           ; this = name string object
  45. :004015DF  E81C030000          CALL    00401900               ; al = name[counter]
  46. :004015E4  0FBED0              MOVSX   EDX,AL                 ; edx = char[counter], SIGN-extended: a byte >= 80h becomes negative
  47. :004015E7  8B45F0              MOV     EAX,[EBP-10]           ; eax = ebp-10 (which from the beginning is 81276345h)
  48. :004015EA  03C2                ADD     EAX,EDX                ; eax = eax + edx
  49. :004015EC  8945F0              MOV     [EBP-10],EAX           ; ebp-10 = eax
  50. :004015EF  8B4DE0              MOV     ECX,[EBP-20]           ; ecx = counter
  51. :004015F2  C1E108              SHL     ECX,08                 ; ecx = ecx shl 8
  52. :004015F5  8B55F0              MOV     EDX,[EBP-10]           ; edx = ebp-10
  53. :004015F8  33D1                XOR     EDX,ECX                ; edx = edx xor ecx
  54. :004015FA  8955F0              MOV     [EBP-10],EDX           ; ebp-10 = edx
  55. :004015FD  8B45E0              MOV     EAX,[EBP-20]           ; eax = counter
  56. :00401600  83C001              ADD     EAX,01                 ; eax = eax + 1
  57. :00401603  8B4DE4              MOV     ECX,[EBP-1C]           ; ecx = length of name
  58. :00401606  0FAF4DE0            IMUL    ECX,[EBP-20]           ; ecx = ecx * counter
  59. :0040160A  F7D1                NOT     ECX                    ; not ecx
  60. :0040160C  0FAFC1              IMUL    EAX,ECX                ; eax = eax * ecx (32-bit IMUL: only the low dword is kept)
  61. :0040160F  8B55F0              MOV     EDX,[EBP-10]           ; edx = ebp-10
  62. :00401612  0FAFD0              IMUL    EDX,EAX                ; edx = edx * eax (low dword only, wraps mod 2^32)
  63. :00401615  8955F0              MOV     [EBP-10],EDX           ; ebp-10 = edx
  64. :00401618  EBAD                JMP     004016C7               ; jump back to the counter increment at 004015C7 (EB AD is a short jump of -53h from 40161A; the 4016C7 printed here is a listing typo)
  65. :0040161A  8B45F0              MOV     EAX,[EBP-10]           ; eax = the REAL serial
  66. :0040161D  50                  PUSH    EAX                    ; arg: the computed serial
  67. :0040161E  6854404000          PUSH    00404054               ; arg: presumably a format string
  68. :00401623  8D4DDC              LEA     ECX,[EBP-24]           ; destination string object at ebp-24
  69. :00401626  51                  PUSH    ECX                    ; arg: destination
  70. :00401627  E852070000          CALL    00401D7E               ; 3 args, caller cleans up -> looks like a sprintf-style formatting of the serial
  71. :0040162C  83C40C              ADD     ESP,0C                 ; pop the 3 args
  72. :0040162F  8D4DDC              LEA     ECX,[EBP-24]
  73. :00401632  E879020000          CALL    004018B0               ; eax <- derived from the formatted real serial (ebp-24)
  74. :00401637  50                  PUSH    EAX
  75. :00401638  8D4DE8              LEA     ECX,[EBP-18]           ; ebp-18: presumably the serial the user typed
  76. :0040163B  E880020000          CALL    004018C0               ; compare
  77. :00401640  85C0                TEST    EAX,EAX                ; test if the entered serial = the real serial
  78. :00401642  0F85FF000000        JNZ     00401747               ; non-zero result -> mismatch (presumably the 'bad serial' branch)
  79.  
  80. So the routine starts at 4015BE and is pretty simple. Here follows a sample C source for a keygen:
  81.  
  82.  
  83. //Keygen source by Klefz
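  /* Borland <conio.h> routines kept from the original listing; declared here so
   * a strict C compiler accepts the calls without that header. */
  void clrscr(void);
  int getch(void);

  /* Truncate to the low 32 bits -- what a write to a 32-bit register does. */
  static unsigned long dword(unsigned long v)
  {
      return v & 0xFFFFFFFFUL;
  }

  /*
   * compute_serial -- C transcription of the loop at 004015BE..00401618.
   *
   * name:    the entered name as raw bytes
   * length:  number of bytes in name; the caller enforces length >= 5
   * returns: the 32-bit value left in [ebp-10], i.e. the serial the target
   *          formats and compares against the entered one
   *
   * Every intermediate result goes through dword() because unsigned long is
   * only guaranteed to be at least 32 bits wide, while the target's ADD/IMUL
   * keep only the low dword.
   */
  static unsigned long compute_serial(const unsigned char *name, unsigned long length)
  {
      unsigned long ebp10 = 0x81276345UL;      /* initial value of [ebp-10] */

      for (unsigned long i = 0; i < length; i++) {
          /* CALL 00401900 / MOVSX EDX,AL: the character is SIGN-extended, so a
           * byte >= 80h is added as a negative number.  Done arithmetically
           * instead of via (signed char) to avoid an implementation-defined
           * conversion. */
          long ch = (name[i] >= 0x80) ? (long)name[i] - 0x100 : (long)name[i];

          ebp10 = dword(ebp10 + (unsigned long)ch);       /* add eax,edx ; mov [ebp-10],eax */
          ebp10 ^= dword(i << 8);                          /* shl ecx,8 ; xor edx,ecx */

          unsigned long mult = dword(~dword(length * i));  /* imul ecx,[counter] ; not ecx */
          mult = dword((i + 1) * mult);                    /* add eax,1 ; imul eax,ecx */
          ebp10 = dword(ebp10 * mult);                     /* imul edx,eax ; mov [ebp-10],edx */
      }
      return ebp10;
  }

  /*
   * Keygen for Brad Soblesky's Crack Me 2 (source by Klefz, cleaned up).
   *
   * Reads a name, rejects an empty name or one shorter than 5 characters
   * exactly like the target (CMP [EBP-1C],05 / JGE at 00401575), and prints
   * the serial compute_serial() derives from it.  Returns 0 after printing,
   * 1 if stdin hits EOF or an error before a usable name was read.
   *
   * Changes from the original listing:
   *  - gets() replaced by fgets(): a name longer than the buffer can no
   *    longer write past it.
   *  - asm { not [len] } replaced by the portable ~ operator.
   *  - 32-bit wrap-around made explicit (see compute_serial).
   */
  int main(void)
  {
      unsigned char name[500] = {0};
      unsigned long length;

      for (;;) {
          clrscr();
          printf("Brad Soblesky's Crack Me2 Keygen by Klefz\n");
          printf("Enter your name: ");
          if (fgets((char *)name, sizeof name, stdin) == NULL) {
              return 1;                  /* EOF or read error: do not spin on the prompt */
          }

          /* Length up to the NUL or the newline fgets() keeps. */
          length = 0;
          while (name[length] != '\0' && name[length] != '\n') {
              length++;
          }
          if (name[length] == '\n') {
              name[length] = '\0';
          } else if (length == sizeof name - 1) {
              /* Line longer than the buffer: discard the rest so it is not
               * read as the next name. */
              int c;
              while ((c = getchar()) != '\n' && c != EOF) {
              }
          }

          if (length == 0) {
              printf("\nYou must enter a name!");
              getch();
              continue;
          }
          if (length < 5) {
              printf("\nYour name must contain at least 5 chars!");
              getch();
              continue;
          }
          break;
      }

      printf("\nYour registration code is: %lu", compute_serial(name, length));
      getch();
      return 0;
  }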
  120.  
  121. ---
  122. /Klefz - http://klefz.cjb.net