First I thought that this crackme was hard. So I downloaded it and cracked it. Then I decided to write a
tutorial for it, because I think that newbies like me should start learning, and the more tutorials
are available, the better for us.
I noticed that it's packed with ASPack 1.08.03, so I unpacked it! I used ProcDump.
The file name after unpacking was new.exe.
******************************************************************************************************************************************************************************
1: Task to disable the Nag
2: Task to find the Password
3: Task to find the Serial
4: Task to find the right buttons for the CheckBox
5: Task to find the TrackBar
******************************************************************************************************************************************************************************
:: Solution For Task One ::
Open the unpacked crackme and you will see the annoying Nag appearing
before the real crackme starts. Then I opened SoftICE and set a
breakpoint with BPX hmemcpy. Then I started the crackme again. SoftICE breaks. I
DISABLED ALL BREAKPOINTS WITH "BD *". I pressed F11 (return to the caller) once
and F12 seven times until I saw NEW!Code+... at the bottom of the
window! Then I pressed F10 to trace until here:
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0167:0044D03E  55            PUSH EBP
0167:0044D03F  68F1D04400    PUSH 0044D0F1
0167:0044D044  64FF30        PUSH DWORD PTR FS:[EAX]
0167:0044D047  648920        MOV FS:[EAX],ESP
0167:0044D04A  B898F84400    MOV EAX,0044F898
0167:0044D04F  BA08D14400    MOV EDX,0044D108
0167:0044D054  E8F367FBFF    CALL 0040384C
0167:0044D059  B898F84400    MOV EAX,0044F898
0167:0044D05E  E809FEFFFF    CALL 0044CE6C
0167:0044D063  B894F84400    MOV EAX,0044F894
0167:0044D068  BA38D14400    MOV EDX,0044D138
0167:0044D06D  E8DA67FBFF    CALL 0040384C
0167:0044D072  B894F84400    MOV EAX,0044F894
0167:0044D077  E8F0FDFFFF    CALL 0044CE6C
0167:0044D07C  6A00          PUSH 00
0167:0044D07E  A194F84400    MOV EAX,[0044F894]
0167:0044D083  E8B06BFBFF    CALL 00403C38
0167:0044D088  50            PUSH EAX
0167:0044D089  A198F84400    MOV EAX,[0044F898]
0167:0044D08E  E8A56BFBFF    CALL 00403C38
0167:0044D093  8BD0          MOV EDX,EAX
0167:0044D095  A1A0ED4400    MOV EAX,[0044EDA0]
0167:0044D09A  8B00          MOV EAX,[EAX]
0167:0044D09C  59            POP ECX
0167:0044D09D  E8724BFFFF    CALL 00441C14             /**Important**/
0167:0044D0A2  A1A0ED4400    MOV EAX,[0044EDA0]
0167:0044D0A7  8B00          MOV EAX,[EAX]
0167:0044D0A9  E87649FFFF    CALL 00441A24
0167:0044D0AE  A1A0ED4400    MOV EAX,[0044EDA0]
0167:0044D0B3  8B00          MOV EAX,[EAX]
0167:0044D0B5  BA4CD14400    MOV EDX,0044D14C
0167:0044D0BA  E8A145FFFF    CALL 00441660
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
On the CALL press F8, then press F10 until you get here:
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0167:00441CD2  7406          JZ 00441CDA               /**Important**/
0167:00441CD4  81CB00001000  OR EBX,00100000
0167:00441CDA  33C9          XOR ECX,ECX
0167:00441CDC  55            PUSH EBP
0167:00441CDD  68591D4400    PUSH 00441D59
0167:00441CE2  64FF31        PUSH DWORD PTR FS:[ECX]
0167:00441CE5  648921        MOV FS:[ECX],ESP
0167:00441CE8  53            PUSH EBX
0167:00441CE9  57            PUSH EDI
0167:00441CEA  56            PUSH ESI
0167:00441CEB  8B45FC        MOV EAX,[EBP-04]
0167:00441CEE  8B4024        MOV EAX,[EAX+24]
0167:00441CF1  50            PUSH EAX
0167:00441CF2  E85946FCFF    CALL USER32!MessageBoxA   /**Important**/
0167:00441CF7  8945F8        MOV [EBP-08],EAX
0167:00441CFA  33C0          XOR EAX,EAX
0167:00441CFC  5A            POP EDX
0167:00441CFD  59            POP ECX
0167:00441CFE  59            POP ECX
0167:00441CFF  648910        MOV FS:[EAX],EDX
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
So there is the Nag, and if you want to get rid of it you need to NOP
it. With the cursor in SoftICE on 00441CF2, write "A" and press Enter, then
write NOP five times and press Enter twice, and the Call is
gone:
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
:a 0167:00441CF2
0167:00441CF2 nop
0167:00441CF3 nop
0167:00441CF4 nop
0167:00441CF5 nop
0167:00441CF6 nop
0167:00441CF7
After NOPing it should look like this:
0167:00441CEB  8B45FC        MOV EAX,[EBP-04]
0167:00441CEE  8B4024        MOV EAX,[EAX+24]
0167:00441CF1  50            PUSH EAX
0167:00441CF2  90            NOP
0167:00441CF3  90            NOP
0167:00441CF4  90            NOP
0167:00441CF5  90            NOP
0167:00441CF6  90            NOP
0167:00441CF7  8945F8        MOV [EBP-08],EAX
0167:00441CFA  33C0          XOR EAX,EAX
0167:00441CFC  5A            POP EDX
0167:00441CFD  59            POP ECX
0167:00441CFE  59            POP ECX
0167:00441CFF  648910        MOV FS:[EAX],EDX
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Now start Hex Workshop, open the crackme new.exe, use Goto offset 412F2 and write
9090909090. Save the file. Start the crackme and the Nag is
gone. Easy.
:: Solution For Task Two ::
Open the crackme and press Password. Write your serial in the edit box! I wrote
123123 for the serial. Why?? Because I always do, heh. Then I opened SoftICE and set a
breakpoint with BPX hmemcpy. Then I pressed Check in the crackme and SoftICE breaks. I DISABLED ALL BREAKPOINTS WITH "BD *". I pressed F11 (go to the return address) once and F12 eleven times. You should see something like this. Press F10 to go down in SoftICE:
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0044C3D5   E89A76FBFF     call    00403A74
0044C3DA   83F80C         cmp     eax, +$0C
/** Compares the length of our serial with hex( C ), which is dec 12 **/
0044C3DD   0F8553010000   jnz     0044C536
/** If our serial isn't 12 letters long jmp to Bad msg **/
0044C3E3   8D55FC         lea     edx, [ebp-$04]
* Reference to control TForm1.Edit1 : TEdit |
0044C3E6   8B83E8020000   mov     eax, [ebx+$02E8]
* Reference to: Controls.TControl.GetText() |
0044C3EC   E83394FDFF     call    00425824
0044C3F1   8B45FC         mov     eax, [ebp-$04]
0044C3F4   803843         cmp     byte ptr [eax], $43
/** Compares our 1st letter with hex( 43 ), which is ASCII " C " **/
0044C3F7   0F8527010000   jnz     0044C524
/** If the 1st letter of our serial isn't " C " jmp to Bad msg **/
0044C3FD   8D55F8         lea     edx, [ebp-$08]
* Reference to control TForm1.Edit1 : TEdit |
0044C400   8B83E8020000   mov     eax, [ebx+$02E8]
* Reference to: Controls.TControl.GetText() |
0044C406   E81994FDFF     call    00425824
0044C40B   8B45F8         mov     eax, [ebp-$08]
* Reference to field TEdit.OFFS_0003 |
0044C40E   8078036F       cmp     byte ptr [eax+$03], $6F
/** Compares our 4th letter with hex( 6F ), which is ASCII " o " **/
0044C412   0F850C010000   jnz     0044C524
/** If the 4th letter of our serial isn't " o " jmp to Bad msg **/
0044C418   8D55F4         lea     edx, [ebp-$0C]
* Reference to control TForm1.Edit1 : TEdit |
0044C41B   8B83E8020000   mov     eax, [ebx+$02E8]
* Reference to: Controls.TControl.GetText() |
0044C421   E8FE93FDFF     call    00425824
0044C426   8B45F4         mov     eax, [ebp-$0C]
* Reference to field TEdit.OFFS_0008 |
0044C429   8078086F       cmp     byte ptr [eax+$08], $6F
/** Compares our 9th letter with hex( 6F ), which is ASCII " o " **/
0044C42D   0F85F1000000   jnz     0044C524
/** If the 9th letter of our serial isn't " o " jmp to Bad msg **/
0044C433   8D55F0         lea     edx, [ebp-$10]
* Reference to control TForm1.Edit1 : TEdit |
0044C436   8B83E8020000   mov     eax, [ebx+$02E8]
* Reference to: Controls.TControl.GetText() |
0044C43C   E8E393FDFF     call    00425824
0044C441   8B45F0         mov     eax, [ebp-$10]
* Reference to field TEdit.OFFS_0001 |
0044C444   8078016C       cmp     byte ptr [eax+$01], $6C
/** Compares our 2nd letter with hex( 6C ), which is ASCII " l " **/
0044C448   0F85D6000000   jnz     0044C524
/** If the 2nd letter of our serial isn't " l " jmp to Bad msg **/
0044C44E   8D55EC         lea     edx, [ebp-$14]
* Reference to control TForm1.Edit1 : TEdit |
0044C451   8B83E8020000   mov     eax, [ebx+$02E8]
* Reference to: Controls.TControl.GetText() |
0044C457   E8C893FDFF     call    00425824
0044C45C   8B45EC         mov     eax, [ebp-$14]
* Reference to field TEdit.OFFS_0004 |
0044C45F   80780420       cmp     byte ptr [eax+$04], $20
/** Compares our 5th letter with hex( 20 ), which is ASCII " " (space) **/
0044C463   0F85BB000000   jnz     0044C524
/** If the 5th letter of our serial isn't " " jmp to Bad msg **/
0044C469   8D55E8         lea     edx, [ebp-$18]
* Reference to control TForm1.Edit1 : TEdit |
0044C46C   8B83E8020000   mov     eax, [ebx+$02E8]
* Reference to: Controls.TControl.GetText() |
0044C472   E8AD93FDFF     call    00425824
0044C477   8B45E8         mov     eax, [ebp-$18]
* Reference to field TEdit.OFFS_000A |
0044C47A   80780A52       cmp     byte ptr [eax+$0A], $52
/** Compares our 11th letter with hex( 52 ), which is ASCII " R " **/
0044C47E   0F85A0000000   jnz     0044C524
/** If the 11th letter of our serial isn't " R " jmp to Bad msg **/
0044C484   8D55E4         lea     edx, [ebp-$1C]
* Reference to control TForm1.Edit1 : TEdit |
0044C487   8B83E8020000   mov     eax, [ebx+$02E8]
* Reference to: Controls.TControl.GetText() |
0044C48D   E89293FDFF     call    00425824
0044C492   8B45E4         mov     eax, [ebp-$1C]
* Reference to field TEdit.OFFS_0007 |
0044C495   80780775       cmp     byte ptr [eax+$07], $75
/** Compares our 8th letter with hex( 75 ), which is ASCII " u " **/
0044C499   0F8585000000   jnz     0044C524
/** If the 8th letter of our serial isn't " u " jmp to Bad msg **/
0044C49F   8D55E0         lea     edx, [ebp-$20]
* Reference to control TForm1.Edit1 : TEdit |
0044C4A2   8B83E8020000   mov     eax, [ebx+$02E8]
* Reference to: Controls.TControl.GetText() |
0044C4A8   E87793FDFF     call    00425824
0044C4AD   8B45E0         mov     eax, [ebp-$20]
* Reference to field TEdit.OFFS_0009 |
0044C4B0   8078096E       cmp     byte ptr [eax+$09], $6E
/** Compares our 10th letter with hex( 6E ), which is ASCII " n " **/
0044C4B4   756E           jnz     0044C524
/** If the 10th letter of our serial isn't " n " jmp to Bad msg **/
0044C4B6   8D55DC         lea     edx, [ebp-$24]
* Reference to control TForm1.Edit1 : TEdit |
0044C4B9   8B83E8020000   mov     eax, [ebx+$02E8]
* Reference to: Controls.TControl.GetText() |
0044C4BF   E86093FDFF     call    00425824
0044C4C4   8B45DC         mov     eax, [ebp-$24]
* Reference to field TEdit.OFFS_0002 |
0044C4C7   8078026E       cmp     byte ptr [eax+$02], $6E
/** Compares our 3rd letter with hex( 6E ), which is ASCII " n " **/
0044C4CB   7557           jnz     0044C524
/** If the 3rd letter of our serial isn't " n " jmp to Bad msg **/
0044C4CD   8D55D8         lea     edx, [ebp-$28]
* Reference to control TForm1.Edit1 : TEdit |
0044C4D0   8B83E8020000   mov     eax, [ebx+$02E8]
* Reference to: Controls.TControl.GetText() |
0044C4D6   E84993FDFF     call    00425824
0044C4DB   8B45D8         mov     eax, [ebp-$28]
* Reference to field TEdit.OFFS_0005 |
0044C4DE   80780569       cmp     byte ptr [eax+$05], $69
/** Compares our 6th letter with hex( 69 ), which is ASCII " i " **/
0044C4E2   7540           jnz     0044C524
/** If the 6th letter of our serial isn't " i " jmp to Bad msg **/
0044C4E4   8D55D4         lea     edx, [ebp-$2C]
* Reference to control TForm1.Edit1 : TEdit |
0044C4E7   8B83E8020000   mov     eax, [ebx+$02E8]
* Reference to: Controls.TControl.GetText() |
0044C4ED   E83293FDFF     call    00425824
0044C4F2   8B45D4         mov     eax, [ebp-$2C]
* Reference to field TEdit.OFFS_000B |
0044C4F5   80780B6E       cmp     byte ptr [eax+$0B], $6E
/** Compares our 12th letter with hex( 6E ), which is ASCII " n " **/
0044C4F9   7529           jnz     0044C524
/** If the 12th letter of our serial isn't " n " jmp to Bad msg **/
0044C4FB   8D55D0         lea     edx, [ebp-$30]
* Reference to control TForm1.Edit1 : TEdit |
0044C4FE   8B83E8020000   mov     eax, [ebx+$02E8]
* Reference to: Controls.TControl.GetText() |
0044C504   E81B93FDFF     call    00425824
0044C509   8B45D0         mov     eax, [ebp-$30]
* Reference to field TEdit.OFFS_0006 |
0044C50C   80780667       cmp     byte ptr [eax+$06], $67
/** Compares our 7th letter with hex( 67 ), which is ASCII " g " **/
0044C510   7512           jnz     0044C524
/** If the 7th letter of our serial isn't " g " jmp to Bad msg **/
* Possible String Reference to: 'Right Password' |
0044C512   BA78C54400     mov     edx, $0044C578
* Reference to control TForm1.Edit1 : TEdit |
0044C517   8B83E8020000   mov     eax, [ebx+$02E8]
* Reference to: Controls.TControl.SetText(System.AnsiString) |
0044C51D   E83293FDFF     call    00425854
0044C522   EB22           jmp     0044C546
* Possible String Reference to: 'Wrong Password' |
0044C524   BA90C54400     mov     edx, $0044C590
* Reference to control TForm1.Edit1 : TEdit |
0044C529   8B83E8020000   mov     eax, [ebx+$02E8]
* Reference to: Controls.TControl.SetText(System.AnsiString) |
0044C52F   E82093FDFF     call    00425854
0044C534   EB10           jmp     0044C546
* Possible String Reference to: 'Wrong Password' |
0044C536   BA90C54400     mov     edx, $0044C590
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
So now you just have to put all the letters together, in the order of their offsets, and you get the valid serial! The serial is: "Clno iguonRn". Write it in and you get Right Password, heh!
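The listing above is a chain of single-byte compares with an early exit, so the password can be read straight out of the constants. As an added example (not part of the original tutorial), the Python below parses the `cmp` lines of the DeDe listing, rebuilds the string from the offsets, and emulates the check to show which compare a wrong input fails on; the LISTING text is constructed from the compares quoted above.

```python
import re

# Constructed from the DeDe listing above: the length check plus the twelve
# single-byte compares, in the order the binary performs them (jnz lines omitted).
LISTING = """
0044C3DA   83F80C         cmp     eax, +$0C
0044C3F4   803843         cmp     byte ptr [eax], $43
0044C40E   8078036F       cmp     byte ptr [eax+$03], $6F
0044C429   8078086F       cmp     byte ptr [eax+$08], $6F
0044C444   8078016C       cmp     byte ptr [eax+$01], $6C
0044C45F   80780420       cmp     byte ptr [eax+$04], $20
0044C47A   80780A52       cmp     byte ptr [eax+$0A], $52
0044C495   80780775       cmp     byte ptr [eax+$07], $75
0044C4B0   8078096E       cmp     byte ptr [eax+$09], $6E
0044C4C7   8078026E       cmp     byte ptr [eax+$02], $6E
0044C4DE   80780569       cmp     byte ptr [eax+$05], $69
0044C4F5   80780B6E       cmp     byte ptr [eax+$0B], $6E
0044C50C   80780667       cmp     byte ptr [eax+$06], $67
"""

# `cmp eax, +$0C`: the LStrLen result against the expected length.
LEN_RE = re.compile(r"\bcmp\s+eax,\s*\+?\$([0-9A-Fa-f]+)")
# `cmp byte ptr [eax+$03], $6F`: one character of the entered string against a constant.
BYTE_RE = re.compile(r"\bcmp\s+byte ptr \[eax(?:\+\$([0-9A-Fa-f]+))?\],\s*\$([0-9A-Fa-f]+)")


def parse_checks(listing):
    """Return the checks as (kind, offset, expected) tuples in listing order."""
    checks = []
    for line in listing.splitlines():
        m = LEN_RE.search(line)
        if m:
            checks.append(("length", None, int(m.group(1), 16)))
            continue
        m = BYTE_RE.search(line)
        if m:
            offset = int(m.group(1), 16) if m.group(1) else 0
            checks.append(("byte", offset, int(m.group(2), 16)))
    return checks


def recover_password(listing):
    """Rebuild the hardcoded password: every position the chain constrains, in offset order."""
    checks = parse_checks(listing)
    length = next((exp for kind, _, exp in checks if kind == "length"), None)
    chars = {off: chr(exp) for kind, off, exp in checks if kind == "byte"}
    if length is None:
        length = max(chars) + 1 if chars else 0
    missing = sorted(set(range(length)) - set(chars))
    if missing:
        # The binary would accept any byte at these positions; refuse to guess silently.
        raise ValueError("positions not constrained by any compare: %s" % missing)
    return "".join(chars[i] for i in range(length))


def emulate_check(listing, candidate):
    """Walk the chain like the binary does (the first mismatch jumps to 'Wrong Password').
    Returns None when every compare passes, else (check, got, expected) for the first
    failure, which is exactly what single-stepping the compares in a debugger reveals."""
    data = candidate.encode("latin-1")
    for kind, offset, expected in parse_checks(listing):
        if kind == "length":
            if len(data) != expected:
                return ("length", len(data), expected)
        elif offset >= len(data) or data[offset] != expected:
            got = data[offset] if offset < len(data) else None
            return ("byte[%d]" % offset, got, expected)
    return None


if __name__ == "__main__":
    print(repr(recover_password(LISTING)))
    print(emulate_check(LISTING, "123123"))
```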
:: Solution For Task Three ::
Open the crackme and press Serial. You should see in the serial box "SoftIce
detected. Use some tricks :-)". OK, now use FrogsICE and you should
see an empty box. Now I wrote for Name: NeO'X'QuiCk, for Company: TnT/TCA
and for serial: 123123. Then I started DeDe. In the menu
Options-->Symbol-->Load all symbols! I opened new.exe in DeDe
and pressed Process! Then click on Procedures and click on Unit1 (or
Form1)! Click on Events and on FormCreate! Choose SpeedButton2Click and you
should see this:
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0044C66F   E80074FBFF     call    00403A74
0044C674   83F806         cmp     eax, +$06
/** Checks whether the length of our Name is more than 6 **/
0044C677   0F8EF0000000   jle     0044C76D
/** If our Name isn't more than 6 letters long jmp to nothing **/
0044C67D   A180F84400     mov     eax, dword ptr [$44F880]
* Reference to: System..DynArrayLength() | or: System..LStrLen() |
0044C682   E8ED73FBFF     call    00403A74
0044C687   83F814         cmp     eax, +$14
/** Checks the length of our Name against hex( 14 ), which is 20 dec **/
0044C68A   0F8DDD000000   jnl     0044C76D
/** If our Name is 20 or more letters long jmp to nothing **/
0044C690   A180F84400     mov     eax, dword ptr [$44F880]
* Reference to: System..DynArrayLength() | or: System..LStrLen() |
0044C695   E8DA73FBFF     call    00403A74
0044C69A   85C0           test    eax, eax
0044C69C   7E17           jle     0044C6B5
0044C69E   BA01000000     mov     edx, $00000001
0044C6A3   8B0D80F84400   mov     ecx, [$44F880]
0044C6A9   0FB64C11FF     movzx   ecx, byte ptr [ecx+edx-$01]
0044C6AE   014DFC         add     [ebp-$04], ecx
0044C6B1   42             inc     edx
0044C6B2   48             dec     eax
0044C6B3   75EE           jnz     0044C6A3
0044C6B5   A184F84400     mov     eax, dword ptr [$44F884]
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Go a little further down in DeDe!!
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
* Possible String Reference to: 'I Love Cracking and ' |
0044C6DC   6898C74400     push    $0044C798
0044C6E1   8D55F8         lea     edx, [ebp-$08]
0044C6E4   8B45FC         mov     eax, [ebp-$04]
* Reference to: Sysutils.IntToStr(Integer) |
0044C6E7   E868B0FBFF     call    00407754
0044C6EC   FF75F8         push    dword ptr [ebp-$08]
* Possible String Reference to: ' Girls ;)' |
0044C6EF   68B8C74400     push    $0044C7B8
0044C6F4   B88CF84400     mov     eax, $0044F88C
0044C6F9   BA03000000     mov     edx, $00000003
* Reference to: System..LStrCatN() |
0044C6FE   E83174FBFF     call    00403B34
0044C703   33C0           xor     eax, eax
0044C705   8945FC         mov     [ebp-$04], eax
0044C708   A188F84400     mov     eax, dword ptr [$44F888]
* Reference to: System..DynArrayLength() | or: System..LStrLen() |
0044C70D   E86273FBFF     call    00403A74
0044C712   8BD8           mov     ebx, eax
0044C714   A18CF84400     mov     eax, dword ptr [$44F88C]
* Reference to: System..DynArrayLength() | or: System..LStrLen() |
0044C719   E85673FBFF     call    00403A74
/** Important **/
0044C71E   3BD8           cmp     ebx, eax
0044C720   754B           jnz     0044C76D
/** Important **/
0044C722   A188F84400     mov     eax, dword ptr [$44F888]
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
On the call write D EAX and you will see "I Love Cracking and 1802 Girls ;)". Write
this in the serial box and you get "You have found the correct Serial
:)". Easy!
:: Solution For Task Four ::
Choose SpeedButton3Click and you should see this:
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
* Reference to control TForm1.cb3 : TCheckBox |
/** Important **/
0044C80A   8B8324030000   mov     eax, [ebx+$0324]
0044C810   8B10           mov     edx, [eax]
* Reference to method TCheckBox.GetChecked() |
0044C812   FF92B8000000   call    dword ptr [edx+$00B8]
0044C818   84C0           test    al, al
0044C81A   0F84CD000000   jz      0044C8ED
* Reference to control TForm1.cb5 : TCheckBox |
/** Important **/
0044C820   8B8328030000   mov     eax, [ebx+$0328]
0044C826   8B10           mov     edx, [eax]
* Reference to method TCheckBox.GetChecked() |
0044C828   FF92B8000000   call    dword ptr [edx+$00B8]
0044C82E   84C0           test    al, al
0044C830   0F84B7000000   jz      0044C8ED
* Reference to control TForm1.cb6 : TCheckBox |
/** Important **/
0044C836   8B832C030000   mov     eax, [ebx+$032C]
0044C83C   8B10           mov     edx, [eax]
* Reference to method TCheckBox.GetChecked() |
0044C83E   FF92B8000000   call    dword ptr [edx+$00B8]
0044C844   84C0           test    al, al
0044C846   0F84A1000000   jz      0044C8ED
* Reference to control TForm1.cb12 : TCheckBox |
/** Important **/
0044C84C   8B8358030000   mov     eax, [ebx+$0358]
0044C852   8B10           mov     edx, [eax]
* Reference to method TCheckBox.GetChecked() |
0044C854   FF92B8000000   call    dword ptr [edx+$00B8]
0044C85A   84C0           test    al, al
0044C85C   0F848B000000   jz      0044C8ED
* Reference to control TForm1.cb15 : TCheckBox |
/** Important **/
0044C862   8B8364030000   mov     eax, [ebx+$0364]
0044C868   8B10           mov     edx, [eax]
* Reference to method TCheckBox.GetChecked() |
0044C86A   FF92B8000000   call    dword ptr [edx+$00B8]
0044C870   84C0           test    al, al
0044C872   7479           jz      0044C8ED
* Reference to control TForm1.cb20 : TCheckBox |
/** Important **/
0044C874   8B8330030000   mov     eax, [ebx+$0330]
0044C87A   8B10           mov     edx, [eax]
* Reference to method TCheckBox.GetChecked() |
0044C87C   FF92B8000000   call    dword ptr [edx+$00B8]
0044C882   84C0           test    al, al
0044C884   7467           jz      0044C8ED
* Reference to control TForm1.cb9 : TCheckBox |
/** Important **/
0044C886   8B834C030000   mov     eax, [ebx+$034C]
0044C88C   8B10           mov     edx, [eax]
* Reference to method TCheckBox.GetChecked() |
0044C88E   FF92B8000000   call    dword ptr [edx+$00B8]
0044C894   84C0           test    al, al
0044C896   7455           jz      0044C8ED
* Reference to control TForm1.cb11 : TCheckBox |
/** Important **/
0044C898   8B8354030000   mov     eax, [ebx+$0354]
0044C89E   8B10           mov     edx, [eax]
* Reference to method TCheckBox.GetChecked() |
0044C8A0   FF92B8000000   call    dword ptr [edx+$00B8]
0044C8A6   84C0           test    al, al
0044C8A8   7443           jz      0044C8ED
* Reference to control TForm1.cb13 : TCheckBox |
/** Important **/
0044C8AA   8B835C030000   mov     eax, [ebx+$035C]
0044C8B0   8B10           mov     edx, [eax]
* Reference to method TCheckBox.GetChecked() |
0044C8B2   FF92B8000000   call    dword ptr [edx+$00B8]
0044C8B8   84C0           test    al, al
0044C8BA   7431           jz      0044C8ED
* Reference to control TForm1.cb19 : TCheckBox |
/** Important **/
0044C8BC   8B833C030000   mov     eax, [ebx+$033C]
0044C8C2   8B10           mov     edx, [eax]
* Reference to method TCheckBox.GetChecked() |
0044C8C4   FF92B8000000   call    dword ptr [edx+$00B8]
0044C8CA   84C0           test    al, al
0044C8CC   741F           jz      0044C8ED
0044C8CE   8D45FC         lea     eax, [ebp-$04]
* Possible String Reference to: GOOD MESSAGE |
0044C8D1   BA34C94400     mov     edx, $0044C934
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Now, do you see the number after TForm1.cb?? It is the number of the button. So you can see the numbers
3,5,6,12,15,20,9,11,13,19. The buttons are laid out like
this:
2
3 9
10
1 4 8 11 20 5
7 12
19 6
13 18 14 17
15 16
I hope you get which numbers to press, so do it, heh! And you've cracked
it.
:: Solution For Task Five ::
OK, the last one. First move the trackbars! As you
noticed there are five of them, so I will call them A,B,C,D,E: A is for the
first number... In DeDe press SpeedButton4Click and you should see
this:
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0044C168   64FF30         push    dword ptr fs:[eax]
0044C16B   648920         mov     fs:[eax], esp
0044C16E   8D55C4         lea     edx, [ebp-$3C]
* Reference to control TForm1.sN1 : TLabel |
0044C171   8B8380030000   mov     eax, [ebx+$0380]
* Reference to: Controls.TControl.GetText() |
0044C177   E8A896FDFF     call    00425824
0044C17C   8B45C4         mov     eax, [ebp-$3C]
* Reference to: Sysutils.StrToFloat(System.AnsiString) |
0044C17F   E8B0C0FBFF     call    00408234
/** Takes the first number and converts it to Float **/
0044C184   DD5DE8         fstp    qword ptr [ebp-$18]
0044C187   9B             wait
0044C188   8D55C4         lea     edx, [ebp-$3C]
* Reference to control TForm1.sN2 : TLabel |
0044C18B   8B8398030000   mov     eax, [ebx+$0398]
* Reference to: Controls.TControl.GetText() |
0044C191   E88E96FDFF     call    00425824
0044C196   8B45C4         mov     eax, [ebp-$3C]
* Reference to: Sysutils.StrToFloat(System.AnsiString) |
0044C199   E896C0FBFF     call    00408234
/** Takes the second number and converts it to Float **/
0044C19E   DD5DE0         fstp    qword ptr [ebp-$20]
0044C1A1   9B             wait
0044C1A2   8D55C4         lea     edx, [ebp-$3C]
* Reference to control TForm1.sN3 : TLabel |
0044C1A5   8B839C030000   mov     eax, [ebx+$039C]
* Reference to: Controls.TControl.GetText() |
0044C1AB   E87496FDFF     call    00425824
0044C1B0   8B45C4         mov     eax, [ebp-$3C]
* Reference to: Sysutils.StrToFloat(System.AnsiString) |
0044C1B3   E87CC0FBFF     call    00408234
/** Takes the third number and converts it to Float **/
0044C1B8   DD5DD8         fstp    qword ptr [ebp-$28]
0044C1BB   9B             wait
0044C1BC   8D55C4         lea     edx, [ebp-$3C]
* Reference to control TForm1.sN4 : TLabel |
0044C1BF   8B83A0030000   mov     eax, [ebx+$03A0]
* Reference to: Controls.TControl.GetText() |
0044C1C5   E85A96FDFF     call    00425824
0044C1CA   8B45C4         mov     eax, [ebp-$3C]
* Reference to: Sysutils.StrToFloat(System.AnsiString) |
0044C1CD   E862C0FBFF     call    00408234
/** Takes the fourth number and converts it to Float **/
0044C1D2   DD5DD0         fstp    qword ptr [ebp-$30]
0044C1D5   9B             wait
0044C1D6   8D55C4         lea     edx, [ebp-$3C]
* Reference to control TForm1.sN5 : TLabel |
0044C1D9   8B83A4030000   mov     eax, [ebx+$03A4]
* Reference to: Controls.TControl.GetText() |
0044C1DF   E84096FDFF     call    00425824
0044C1E4   8B45C4         mov     eax, [ebp-$3C]
* Reference to: Sysutils.StrToFloat(System.AnsiString) |
0044C1E7   E848C0FBFF     call    00408234
/** Takes the fifth number and converts it to Float **/
0044C1EC   DD5DC8         fstp    qword ptr [ebp-$38]
0044C1EF   9B             wait
0044C1F0   DD45E0         fld     qword ptr [ebp-$20]
0044C1F3   83C4F4         add     esp, -$0C
0044C1F6   DB3C24         fstp    tbyte ptr [esp]
0044C1F9   9B             wait
0044C1FA   B803000000     mov     eax, $00000003
0044C1FF   E8ECF6FCFF     call    0041B8F0
/** Takes the second number (B) and computes (B)^3; if your trackbar is at 3 you get 27 **/
0044C204   D80550C34400   fadd    dword ptr [$44C350]
/** then adds 5 to that and takes the square root of it all **/
0044C20A   D9FA           fsqrt
* Reference to: System..COS() |
0044C20C   E8F365FBFF     call    00402804
/** and the number you get is passed through COS, so the algo is Cos(sqrt(B^3+5)) **/
0044C211   DB7DB8         fstp    tbyte ptr [ebp-$48]
0044C214   9B             wait
0044C215   D90554C34400   fld     dword ptr [$44C354]
/** Gets the first number (A) **/
0044C21B   DC45E8         fadd    qword ptr [ebp-$18]
/** Adds one **/
0044C21E   D9FA           fsqrt
0044C220   D9E0           fchs
/** Takes the square root of it all and puts a - in front, so it becomes -sqrt(1+A), then adds the number you got from above **/
0044C222   DB6DB8         fld     tbyte ptr [ebp-$48]
0044C225   DEC1           faddp   st(1), st(0)
0044C227   DB7DAC         fstp    tbyte ptr [ebp-$54]
0044C22A   9B             wait
0044C22B   D90558C34400   fld     dword ptr [$44C358]
/** Gets number 3 ( C ) **/
0044C231   DC4DD8         fmul    qword ptr [ebp-$28]
/** multiplies it by 3 **/
0044C234   D80554C34400   fadd    dword ptr [$44C354]
/** adds 1 and takes Ln of it all **/
0044C23A   D9ED           fldln2
/** And adds that ( C ) term to the number you got from A and B **/
0044C23C   D9C9           fxch    st(0), st(1)
0044C23E   D9F1           fyl2x
0044C240   DB6DAC         fld     tbyte ptr [ebp-$54]
0044C243   DEC1           faddp   st(1), st(0)
0044C245   DB7DA0         fstp    tbyte ptr [ebp-$60]
0044C248   9B             wait
0044C249   D9055CC34400   fld     dword ptr [$44C35C]
/** Gets number 4 ( D ) **/
0044C24F   DC45D0         fadd    qword ptr [ebp-$30]
/** adds 2 **/
0044C252   D9FA           fsqrt
/** takes the square root of it all and adds it to A,B,C **/
0044C254   DB6DA0         fld     tbyte ptr [ebp-$60]
0044C257   DEE1           fsubrp  st(1), st(0)
0044C259   D90558C34400   fld     dword ptr [$44C358]
/** Gets number 5 ( E ), multiplies it by 3 and divides it all by 2 **/
0044C25F   DC4DC8         fmul    qword ptr [ebp-$38]
/** And adds E to A+B+C+D **/
0044C262   D8355CC34400   fdiv    dword ptr [$44C35C]
0044C268   DEC1           faddp   st(1), st(0)
0044C26A   DB2D60C34400   fld     tbyte ptr [$44C360]
0044C270   DEC1           faddp   st(1), st(0)
/** And adds 0.37 to A+B+C+D+E **/
0044C272   D80D6CC34400   fmul    dword ptr [$44C36C]
0044C278   DD5DF0         fstp    qword ptr [ebp-$10]
0044C27B   9B             wait
0044C27C   DD45F0         fld     qword ptr [ebp-$10]
* Reference to: System..ROUND() |
0044C27F   E89065FBFF     call    00402814
0044C284   894598         mov     [ebp-$68], eax
/** Here you can see our number from the algo: do ? eax and you get 5415 for trackbars 12345 **/
0044C287   89559C         mov     [ebp-$64], edx
0044C28A   DF6D98         fild    qword ptr [ebp-$68]
0044C28D   83C4F4         add     esp, -$0C
0044C290   DB3C24         fstp    tbyte ptr [esp]
0044C293   9B             wait
0044C294   8D45FC         lea     eax, [ebp-$04]
* Reference to: Sysutils.FloatToStr(Extended) |
0044C297   E868BFFBFF     call    00408204
0044C29C   8D45FC         lea     eax, [ebp-$04]
0044C29F   E85CFCFFFF     call    0044BF00
/** Important: compares our serial with his serial **/
0044C2A4   8B45FC         mov     eax, [ebp-$04]
* Possible String Reference to: 'µ؛²؛' |
0044C2A7   BA78C34400     mov     edx, $0044C378
* Reference to: System..LStrCmp() |
0044C2AC   E8D378FBFF     call    00403B84
/** Important: compares our serial with his serial **/
0044C2B1   7538           jnz     0044C2EB
0044C2B3   8D45F8         lea     eax, [ebp-$08]
* Possible String Reference to: 'إُّلنوٍ' |
0044C2B6   BA88C34400     mov     edx, $0044C388
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
OK, now go to the call at 44C2AC and do D EAX: you get the
number out of the algo, and D EDX is the number it has to be. So on the
trackbars I set 12345, and my EAX is: B8 B7 BD B6 and EDX is BA B2 BA B5.
Now look at the call at 44C29F; you will see this:
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0044BF1E   7638           jbe     0044BF58
0044BF20   880424         mov     [esp], al
0044BF23   B301           mov     bl, $01
0044BF25   B81C000000     mov     eax, $0000001C
0044BF2A   E8516AFBFF     call    00402980
0044BF2F   0D80000000     or      eax, $00000080
0044BF34   8BFB           mov     edi, ebx
0044BF36   81E7FF000000   and     edi, $000000FF
0044BF3C   8B16           mov     edx, [esi]
0044BF3E   0FB6543AFF     movzx   edx, byte ptr [edx+edi-$01]
0044BF43   33C2           xor     eax, edx
0044BF45   50             push    eax
0044BF46   8BC6           mov     eax, esi
* Reference to: System.UniqueString(System.AnsiString) |
0044BF48   E8F77CFBFF     call    00403C44
0044BF4D   5A             pop     edx
0044BF4E   885438FF       mov     [eax+edi-$01], dl
0044BF52   43             inc     ebx
0044BF53   FE0C24         dec     byte ptr [esp]
0044BF56   75CD           jnz     0044BF25
0044BF58   5A             pop     edx
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
So if you look at the algo you will see how it works! Each byte of our string is XORed with a key byte. Our number from the algo is
5415, so see it, and B6 BD B7 B8 is EAX:
83 XOR 35 = B6
89 XOR 34 = BD
86 XOR 31 = B7
8D XOR 35 = B8
So instead of EAX use EDX, which is B5 BA B2 BA, and you get out the number. How?
B5 XOR 83 = 36
BA XOR 89 = 33
B2 XOR 86 = 34
BA XOR 8D = 37
So our number out of the first algo should be 6347, heh.
Now I will write the whole algo again (the first one), with A B C D E being the five trackbar values:
cos(sqrt(B^3 + 5)) - sqrt(1 + A) + ln(3*C + 1) - sqrt(2 + D) + 3*E/2 + 0.37 = 6.347
This would be crazy to calculate by hand, so I made a bruteforcer in Java:
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
import java.io.*;

public class klemen {
    // Brute-forces all five trackbar positions (0..9 each) against the recovered formula.
    public static void main(String[] s) throws Exception {
        double a, b, c, d, e;
        double az, bz, cz, dz, ez;
        // Solutions are printed to the console and also written to klemen.txt.
        PrintStream lojze = new PrintStream(new FileOutputStream("klemen.txt", false));
        for (az = 0; az < 10; az++) {
            for (bz = 0; bz < 10; bz++) {
                for (cz = 0; cz < 10; cz++) {
                    for (dz = 0; dz < 10; dz++) {
                        for (ez = 0; ez < 10; ez++) {
                            a = Math.cos(Math.sqrt(Math.pow(bz, 3.0) + 5.0)); // cos(sqrt(B^3+5))
                            b = -Math.sqrt(az + 1.0);                          // -sqrt(1+A)
                            c = Math.log(3.0 * cz + 1.0);                      // ln(3*C+1)
                            d = -Math.sqrt(dz + 2.0);                          // -sqrt(2+D)
                            e = 1.5 * ez;                                      // 3*E/2
                            // Target is 6.347; the window allows for floating point error.
                            if (Math.abs((a + b + c + d + e + 0.37) - 6.347) < 0.001) {
                                // "resitev" = solution
                                System.out.println("resitev: " + az + " " + bz + " " + cz + " " + dz + " " + ez);
                                lojze.println(az + " " + bz + " " + cz + " " + dz + " " + ez);
                                System.out.println(a + b + c + d + e + 0.37);
                            }
                        }
                    }
                }
            }
        }
        lojze.close();
    }
}
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
So I got the solutions in the file. Here are some of them; try them (A B C D E):
1.0 4.0 4.0 3.0 5.0
1.0 5.0 2.0 4.0 5.0
4.0 4.0 4.0 0.0 5.0
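To tie the whole Task Five path together, here is an added Python example (not part of the original tutorial or the crackme): it implements the FPU formula in evaluation order, the ROUND step, the XOR scrambler with the four key bytes observed above, and a brute force on the rounded integer the binary actually compares. Two assumptions are labelled in the code: the multiplier at [$44C36C] is taken to be 1000 (it turns 5.415 into the 5415 read from EAX), and only four key bytes are known, so longer inputs are refused.

```python
import math

# Constants named in the author's comments on the FPU listing: 5, 1, 3, 2 and 0.37.
# The multiplier at [$44C36C] is NOT named on the page; 1000 is an assumption that
# turns the 5.415 computed for trackbars 12345 into the 5415 the tutorial reads from EAX.
SCALE = 1000.0

# Key stream the tutorial observed for the XOR loop at 0044BF25 (83 89 86 8D) and the
# four stored bytes at $0044C378 that LStrCmp compares against (B5 BA B2 BA).
KEY_STREAM = bytes([0x83, 0x89, 0x86, 0x8D])
STORED_CONSTANT = bytes([0xB5, 0xBA, 0xB2, 0xBA])


def trackbar_value(a, b, c, d, e):
    """The FPU sequence 0044C1F0..0044C270, term by term in evaluation order."""
    acc = math.cos(math.sqrt(b ** 3 + 5.0))   # B^3 (call 0041B8F0), fadd 5, fsqrt, COS
    acc += -math.sqrt(1.0 + a)                # fld 1.0, fadd A, fsqrt, fchs, faddp
    acc += math.log(3.0 * c + 1.0)            # fld 3.0, fmul C, fadd 1.0, fldln2 / fyl2x
    acc -= math.sqrt(2.0 + d)                 # fld 2.0, fadd D, fsqrt, fsubrp
    acc += 3.0 * e / 2.0                      # fld 3.0, fmul E, fdiv 2.0, faddp
    acc += 0.37                               # fld tbyte [$44C360], faddp
    return acc


def serial_number(a, b, c, d, e):
    """fmul [$44C36C] then System.ROUND: the integer FloatToStr turns into the serial."""
    return round(trackbar_value(a, b, c, d, e) * SCALE)


def xor_with_key(data, key=KEY_STREAM):
    """One pass of the loop at 0044BF25: byte i of the string XOR key byte i.
    XOR is its own inverse, so the same call decodes the stored constant.
    Only four key bytes were observed, so longer inputs are refused rather than guessed."""
    if len(data) > len(key):
        raise ValueError("only %d key bytes are known" % len(key))
    return bytes(b ^ k for b, k in zip(data, key))


def expected_serial_digits(stored=STORED_CONSTANT):
    """Decode the constant in EDX back into the digits the check wants to see."""
    return xor_with_key(stored).decode("ascii")


def passes_check(a, b, c, d, e):
    """The whole path: compute, FloatToStr, scramble, LStrCmp against the constant."""
    digits = str(serial_number(a, b, c, d, e)).encode("ascii")
    if len(digits) != len(STORED_CONSTANT):
        return False                          # LStrCmp fails on length alone
    return xor_with_key(digits) == STORED_CONSTANT


def solve(target):
    """Brute force every 0..9 trackbar setting, like the Java above, but matching the
    rounded integer the binary compares instead of a +/-0.001 window."""
    digits = range(10)
    return [(a, b, c, d, e)
            for a in digits for b in digits for c in digits
            for d in digits for e in digits
            if serial_number(a, b, c, d, e) == target]


if __name__ == "__main__":
    target = int(expected_serial_digits())
    print("trackbars 12345 ->", serial_number(1, 2, 3, 4, 5), xor_with_key(b"5415").hex())
    print("stored constant decodes to", target)
    for sol in solve(target):
        print("solution:", sol, "passes:", passes_check(*sol))
```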
Finally the crackme is done. It's good, and I like having more tasks: when
I solve one I do the next, and in this case I did them all, heh. Bye until
next time.
Special and biggest thanks go to Corbio, who made my cracking skills better! To Nukem for helping to make the HTML and to Chordless for helping me learn about it. And to VATi, who likes to play with colour and likes to make good gfx!
Greetings:
XasX, Santmat, Noodle, Q+, SEvando2000, Wishmaker, Acid_Cool_178, am4, Woody, SV, Bratch, Batilog, Code_Inside, to all members of TNT and TCA... and to all that I have forgotten!!
And of course to all crackme writers and to all people that have helped me!
Sorry about grammar mistakes!!
NeO'X'QuiCK
© 2001 by NeO'X'Quick