Rith CrackMe #1 Tutorial
Target: Rith CrackMe #1
Author: czDrillard
The author doesn't tell us what he wants done here, so we can either find a valid serial or patch the exe. It's a very easy program to crack and a keygen is easy to write, but it's probably quicker to work out the serial than to write one. Patching is just as easy. Here's the entire protection scheme disassembled:
:004015BC E8E3020000   Call 004018A4
:004015C1 8B7E60       mov edi, dword ptr [esi+60]   ;Name
:004015C4 8B5FF8       mov ebx, dword ptr [edi-08]   ;NameLength
:004015C7 83FB05       cmp ebx, 00000005             ;If it's less than 5 you make
:004015CA 7C7E         jl 0040164A                   ;the bad jump
:004015CC 8B4664       mov eax, dword ptr [esi+64]   ;Serial #
:004015CF 89442414     mov dword ptr [esp+14], eax
:004015D3 3958F8       cmp dword ptr [eax-08], ebx   ;Compare NameLength, SerialLength
:004015D6 7572         jne 0040164A                  ;If not same make the bad jump
:004015D8 83FB14       cmp ebx, 00000014             ;If more than 14h (20) characters
:004015DB 7F6D         jg 0040164A                   ;do the bad jump
:004015DD 33C9         xor ecx, ecx
:004015DF 85DB         test ebx, ebx
:004015E1 7E54         jle 00401637                  ;You could patch here
:004015E3 8B742410     mov esi, dword ptr [esp+10]   ;Pi to 20 digit precision

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401631(C)
|
:004015E7 8A040F       mov al, byte ptr [edi+ecx]    ;Get bytes of Name
:004015EA 0FBE2C31     movsx ebp, byte ptr [ecx+esi]
:004015EE 0FBEC0       movsx eax, al
:004015F1 99           cdq
:004015F2 F7FD         idiv ebp                      ;Divide first byte by first digit of 'Pi'
:004015F4 8BC2         mov eax, edx
:004015F6 D1E0         shl eax, 1                    ;Multiply the remainder by two
;The rest is a series of range checks on the result that are self-explanatory, and so is the rest of the code.
:004015F8 83F87B       cmp eax, 0000007B
:004015FB 7E03         jle 00401600
:004015FD 83E81A       sub eax, 0000001A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004015FB(C)
|
:00401600 83F841       cmp eax, 00000041
:00401603 7D09         jge 0040160E
:00401605 BA82000000   mov edx, 00000082
:0040160A 2BD0         sub edx, eax
:0040160C 8BC2         mov eax, edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401603(C)
|
:0040160E 83F85B       cmp eax, 0000005B
:00401611 7E12         jle 00401625
:00401613 83F861       cmp eax, 00000061
:00401616 7D0D         jge 00401625
:00401618 99           cdq
:00401619 BD0A000000   mov ebp, 0000000A
:0040161E F7FD         idiv ebp
:00401620 83C230       add edx, 00000030
:00401623 8BC2         mov eax, edx

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401611(C), :00401616(C)
|
:00401625 8B542414     mov edx, dword ptr [esp+14]
:00401629 38040A       cmp byte ptr [edx+ecx], al
:0040162C 751C         jne 0040164A
:0040162E 41           inc ecx
:0040162F 3BCB         cmp ecx, ebx
:00401631 7CB4         jl 004015E7
:00401633 8B742418     mov esi, dword ptr [esp+18]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004015E1(C)
|
:00401637 6A00         push 00000000

* Possible StringData Ref from Data Obj ->"Congratulations!"
|
:00401639 6834304000   push 00403034

* Possible StringData Ref from Data Obj ->"Well done cracker!"
|
:0040163E 6820304000   push 00403020
:00401643 8BCE         mov ecx, esi

* Reference To: MFC42.Ordinal:1080, Ord:1080h
|
:00401645 E854020000   Call 0040189E

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004015CA(C), :004015D6(C), :004015DB(C), :0040162C(C)
|
:0040164A 8D4C2410     lea ecx, dword ptr [esp+10]
Name: czDrillard
Serial #: 6RbbhfrVrb
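As an added example (this is not code from the tutorial or from Rith's crackme), here is the validation routine above re-implemented in C, once as a keygen and once as a checker, so the per-byte transform can be stepped through in a debugger-free way. It assumes the "Pi to 20 digit precision" buffer at [esp+10] holds the first twenty digits of pi as the ASCII string "31415926535897932384" with no decimal point; the tutorial never shows the buffer, but that assumption reproduces the Name/Serial pair given above. The signed-char casts mirror movsx, and C's % truncates toward zero exactly as cdq/idiv does, so the remainder matches edx for every input byte, including name bytes above 7Fh.

```c
#include <stdio.h>
#include <string.h>

/* Assumption (not shown in the tutorial): the 20-digit pi buffer at [esp+10]
   is the ASCII digits of pi without a decimal point. Checked against the
   tutorial's own Name/Serial pair. */
static const char PI_DIGITS[] = "31415926535897932384";

/* One trip through 004015E7..00401623: turns a name byte and the pi byte at
   the same index into the serial byte the crackme expects to find in al. */
static unsigned char serial_byte(char name_ch, char pi_ch)
{
    int eax = (signed char)name_ch;   /* movsx eax, al                 */
    int ebp = (signed char)pi_ch;     /* movsx ebp, byte ptr [ecx+esi] */

    /* cdq / idiv ebp leaves the remainder in edx; C99 '%' truncates toward
       zero like idiv. mov eax, edx / shl eax, 1 then doubles it. */
    eax = (eax % ebp) * 2;

    if (eax > 0x7B)                   /* cmp eax, 7Bh / jle 00401600   */
        eax -= 0x1A;                  /* sub eax, 1Ah                  */
    if (eax < 0x41)                   /* cmp eax, 41h / jge 0040160E   */
        eax = 0x82 - eax;             /* mov edx, 82h / sub edx, eax   */
    if (eax > 0x5B && eax < 0x61)     /* neither jle nor jge to 00401625 taken */
        eax = (eax % 10) + 0x30;      /* cdq / idiv 0Ah / add edx, 30h */

    return (unsigned char)eax;        /* cmp byte ptr [edx+ecx], al    */
}

/* Keygen: enforces the length window from 004015C7/004015D8 (5..14h chars),
   then applies the per-byte transform. Returns 1 and fills 'out', or 0 when
   the name length is out of range or 'out' is too small. */
static int make_serial(const char *name, char *out, size_t out_len)
{
    size_t len = strlen(name);
    if (len < 5 || len > 0x14 || out_len < len + 1) {
        if (out_len)
            out[0] = '\0';
        return 0;
    }
    for (size_t i = 0; i < len; i++)
        out[i] = (char)serial_byte(name[i], PI_DIGITS[i]);
    out[len] = '\0';
    return 1;
}

/* Checker: the same decision the crackme makes, including the
   NameLength == SerialLength test at 004015D3. Returns 1 for "good boy". */
static int check_serial(const char *name, const char *serial)
{
    char expected[0x14 + 1];
    if (strlen(name) != strlen(serial))   /* cmp [eax-08], ebx / jne 0040164A */
        return 0;
    if (!make_serial(name, expected, sizeof expected))
        return 0;
    return memcmp(expected, serial, strlen(name)) == 0;
}

int main(void)
{
    char serial[0x14 + 1];
    const char *name = "czDrillard";      /* the tutorial's own example name */
    if (make_serial(name, serial, sizeof serial))
        printf("Name: %s\nSerial #: %s\n", name, serial);
    return 0;
}
```

Running it prints the same pair the tutorial arrives at by hand; feeding check_serial a name shorter than 5 or longer than 14h bytes, or a serial whose length differs from the name's, takes the same "bad jump" path the listing shows at 0040164A.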
Thanx Rith, nice clean coding, but the algo is very simple.