|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
|
|
||
|
|
|
There is a crack, a crack in everything. That's how the light gets in. |
|
|
"Ok, this is a new test
protection algorithm!! I wanna test and see if any
Crackers can crack my
protection scheme!! It came to me one night just
sitting doing nothing!!
Depending on how good it is I may use it in some of
my releases. Have
fun!! If you crack the program it will tell you what to do
to get credit for your
superb skills!! "
|
|
Name:
Reg Code:
This program has 'real time' checking the
reg code. That means
when you enter something char into Reg
Code textbox program will
automaticly check is your serial correct.(not
wait to press the button)!
"Register" button is grayed
until you enter correct registration
code! When you enter correct registration
code press "Register"
button, and you'll see message box with
following message:
"Congratulations, You failed at cracking the program!! No lie!! Keep working at it!!"
Strange messsage, isn't it?
First I thought that is some joke, but
after I discover that program has "Command
line registration"
Ok, that's enough about the protection,
let's now defeat this babe....
|
|
Now press "left arrow" button...registration
window
pops up!
Put your Name/Handle and any random serial
into
the textboxes!
I entered:
Borna Janes
99889
First I try to set my favorite breakpoints(GetDlgItemTextA,
GetWindowTextA...) but Sice doesn't break!
So we must
put the most common breakpoint, that's
Hmemcpy.
Now pop up Sice with "CTRL-D"
and type "bpx hmemcpy".
Press "CTRL-D" again to
leave Softice and add one character
more to the reg code(because program has
'real time checking'),
I add "9". Softice now breaks
and we're at the beginning of
hmemcpy code! Type "bd 0"
to disable breakpoint!
We must return to the programs code so
press:
"F11" - once
"F12" - nine times
"F10" - twenty-two times
You now landed at the beginning of the
programs code
witch called hmemcpy function.
You'll now see this part of code:
:0043192D E8DE8FFEFF
call 0041A910
:00431932 8B45F8
mov eax, dword ptr [ebp-08] ;EAX
= Fake serial <== You land here
:00431935 8B1558474300
mov edx, dword ptr [00434758] ;EDX
= Correct serial
Type "d eax" here and you'll
see your fake serial in data window.
Now type "d edx" and you'll
see your CORRECT serial, also in data window!!
:0043193B E8F820FDFF
call 00403A38
;Compare them
:00431940 750F
jne 00431951
;If serials aren't same jump to the 'bad guy'
code(1)
:00431942 B201
mov dl, 01
;DL = 1
:00431944 8B83E4010000
mov eax, dword ptr [ebx+000001E4]
:0043194A E845F3FFFF
call 00430C94
;Unlock(green) "Register" button
:0043194F EB0D
jmp 0043195E
;Jump to the end(2)
:00431951 33D2
xor edx, edx(1)
:00431953 8B83E4010000
mov eax, dword ptr [ebx+000001E4]
:00431959 E836F3FFFF
call 00430C94
;Lock(grey) "Register" button
:0043195E 33C0
xor eax, eax(2)
:00431960 5A
pop edx
:00431961 59
pop ecx
:00431962 59
pop ecx
You have your correct serial so press "CTRL-D"
to leave Sice.
Now cut your fake serial and put the correct
one!...you just unlock
"Register" button so press
it!
You'll see that message box appeared...we
defeated this proggie!
....OR NOT??.. Let's see what the message
says:
"Congratulations, You failed at cracking the program!! No lie!! Keep working at it!!"
Do you believe to the author?...Nevertheless
let's check is there something else!
Make dead list of the file with Win32dasm!
Search for some 'good guy' messages(or
whatever interesting)!
You probably find "Well Done. You
are an Elite Cracker!" message!
Let's now see from where the message is called:
* Referenced by a CALL
at Address:
|:00431FE1
<== MESSAGE IS CALLED FROM CALL AT 431FE1
|
:00431C68 53
push ebx
:00431C69 56
push esi
:00431C6A 57
push edi
:00431C6B 8B0D143A4300
mov ecx, dword ptr [00433A14]
:00431C71 8B09
mov ecx, dword ptr [ecx]
:00431C73 B201
mov dl, 01
:00431C75 A1A8234200
mov eax, dword ptr [004223A8]
:00431C7A E8ED24FFFF
call 0042416C
:00431C7F 8BF0
mov esi, eax
:00431C81 BADC000000
mov edx, 000000DC
:00431C86 8BC6
mov eax, esi
:00431C88 E80F87FEFF
call 0041A39C
:00431C8D BA0E010000
mov edx, 0000010E
:00431C92 8BC6
mov eax, esi
:00431C94 E8E386FEFF
call 0041A37C
:00431C99 B204
mov dl, 04
:00431C9B 8BC6
mov eax, esi
:00431C9D E8A638FFFF
call 00425548
* Possible StringData
Ref from Code Obj ->"Congradulations"
;Part of 'good guy' message
|
:00431CA2 BA181E4300
mov edx, 00431E18
:00431CA7 8BC6
mov eax, esi
:00431CA9 E8928CFEFF
call 0041A940
:00431CAE B203
mov dl, 03
:00431CB0 8BC6
mov eax, esi
:00431CB2 E8D533FFFF
call 0042508C
:00431CB7 8BCE
mov ecx, esi
:00431CB9 B201
mov dl, 01
:00431CBB A1C8B64200
mov eax, dword ptr [0042B6C8]
:00431CC0 E8D3B4FFFF
call 0042D198
:00431CC5 8BF8
mov edi, eax
:00431CC7 BA301E4300
mov edx, 00431E30
:00431CCC 8BC7
mov eax, edi
:00431CCE E86D8CFEFF
call 0041A940
:00431CD3 BA61000000
mov edx, 00000061
:00431CD8 8BC7
mov eax, edi
:00431CDA E85D86FEFF
call 0041A33C
:00431CDF BAA5000000
mov edx, 000000A5
:00431CE4 8BC7
mov eax, edi
:00431CE6 E87186FEFF
call 0041A35C
:00431CEB 8BD6
mov edx, esi
:00431CED 8BC7
mov eax, edi
:00431CEF 8B08
mov ecx, dword ptr [eax]
:00431CF1 FF513C
call [ecx+3C]
:00431CF4 C7872001000001000000
mov dword ptr [edi+00000120], 00000001
:00431CFE 8BCE
mov ecx, esi
:00431D00 B201
mov dl, 01
:00431D02 A1ACAE4200
mov eax, dword ptr [0042AEAC]
:00431D07 E804B2FFFF
call 0042CF10
:00431D0C 8BD8
mov ebx, eax
:00431D0E 8BD6
mov edx, esi
:00431D10 8BC3
mov eax, ebx
:00431D12 8B08
mov ecx, dword ptr [eax]
:00431D14 FF513C
call [ecx+3C]
:00431D17 BA0C000000
mov edx, 0000000C
:00431D1C 8B4350
mov eax, dword ptr [ebx+50]
:00431D1F E864FDFDFF
call 00411A88
:00431D24 B202
mov dl, 02
:00431D26 8BC3
mov eax, ebx
:00431D28 E853B3FFFF
call 0042D080
:00431D2D BA00000080
mov edx, 80000000
:00431D32 8BC3
mov eax, ebx
:00431D34 E82F8DFEFF
call 0041AA68
:00431D39 33D2
xor edx, edx
:00431D3B 8BC3
mov eax, ebx
:00431D3D E8B6A5FFFF
call 0042C2F8
:00431D42 B201
mov dl, 01
:00431D44 8BC3
mov eax, ebx
:00431D46 E831A7FFFF
call 0042C47C
:00431D4B BAA4000000
mov edx, 000000A4
:00431D50 8BC3
mov eax, ebx
:00431D52 E84586FEFF
call 0041A39C
:00431D57 BA0E010000
mov edx, 0000010E
:00431D5C 8BC3
mov eax, ebx
:00431D5E E81986FEFF
call 0041A37C
* Possible StringData
Ref from Code Obj ->"Shareware Protection Scheme"
;Part of 'good guy' message
|
:00431D63 BA3C1E4300
mov edx, 00431E3C
:00431D68 8B8330010000
mov eax, dword ptr [ebx+00000130]
:00431D6E 8B08
mov ecx, dword ptr [eax]
:00431D70 FF5134
call [ecx+34]
:00431D73 33D2
xor edx, edx
:00431D75 8B8330010000
mov eax, dword ptr [ebx+00000130]
:00431D7B 8B08
mov ecx, dword ptr [eax]
:00431D7D FF5134
call [ecx+34]
* Possible StringData
Ref from Code Obj ->"Well Done. You are an Elite Cracker!" ==>
WE FOUND STRING HERE
|
...BUT THAT'S ONLY PART OF MESSAGE,
:00431D80 BA601E4300
mov edx, 00431E60
ALL THIS ABOVE IS 'GOOD GUY' MESSAGE
:00431D85 8B8330010000
mov eax, dword ptr [ebx+00000130]
LET'S NOW BACKTRACE THE CODE TO SEE
:00431D8B 8B08
mov ecx, dword ptr [eax]
FROM WHERE IS THIS MESSAGE CALLED...
:00431D8D FF5134
call [ecx+34]
* Possible StringData
Ref from Code Obj ->"Email me your keygen"
;Part of 'good guy' message
|
:00431D90 BA901E4300
mov edx, 00431E90
:00431D95 8B8330010000
mov eax, dword ptr [ebx+00000130]
:00431D9B 8B08
mov ecx, dword ptr [eax]
:00431D9D FF5134
call [ecx+34]
* Possible StringData
Ref from Code Obj ->"and if no keygen then just the"
;Part of 'good guy' message
|
:00431DA0 BAB01E4300
mov edx, 00431EB0
:00431DA5 8B8330010000
mov eax, dword ptr [ebx+00000130]
:00431DAB 8B08
mov ecx, dword ptr [eax]
:00431DAD FF5134
call [ecx+34]
* Possible StringData
Ref from Code Obj ->"code you used to register to"
;Part of 'good guy' message
|
:00431DB0 BAD81E4300
mov edx, 00431ED8
:00431DB5 8B8330010000
mov eax, dword ptr [ebx+00000130]
:00431DBB 8B08
mov ecx, dword ptr [eax]
:00431DBD FF5134
call [ecx+34]
* Possible StringData
Ref from Code Obj ->"premed_9@hotmail.com"
;Part of 'good guy' message
|
:00431DC0 BA001F4300
mov edx, 00431F00
:00431DC5 8B8330010000
mov eax, dword ptr [ebx+00000130]
:00431DCB 8B08
mov ecx, dword ptr [eax]
:00431DCD FF5134
call [ecx+34]
* Possible StringData
Ref from Code Obj ->"I'll give you credit for it!!"
;Part of 'good guy' message
|
:00431DD0 BA201F4300
mov edx, 00431F20
:00431DD5 8B8330010000
mov eax, dword ptr [ebx+00000130]
:00431DDB 8B08
mov ecx, dword ptr [eax]
:00431DDD FF5134
call [ecx+34]
:00431DE0 8BC6
mov eax, esi
:00431DE2 E84154FFFF
call 00427228
:00431DE7 83BE5001000001
cmp dword ptr [esi+00000150], 00000001
:00431DEE 751B
jne 00431E0B
:00431DF0 B201
mov dl, 01
:00431DF2 8BC3
mov eax, ebx
:00431DF4 8B08
mov ecx, dword ptr [eax]
:00431DF6 FF51FC
call [ecx-04]
:00431DF9 B201
mov dl, 01
:00431DFB 8BC7
mov eax, edi
You can see that all this code serve to
display 'good guy' message!
If you backtrace the code you'll see that
message is called from 00431FE1!
Let's now see what's there at 431FE1....
:00431FD5 84C0
test al, al
:00431FD7 7402
je 00431FDB
:00431FD9 B301
mov bl, 01
* Referenced by a (U)nconditional
or (C)onditional Jump at Addresses:
|:00431F7D(C), :00431F99(C),
:00431FD7(C)
|
:00431FDB 84DB
test bl, bl
;Are you good or bad?
:00431FDD 7418
je 00431FF7
;If bad than jump(1)
:00431FDF 8BC6
mov eax, esi
:00431FE1 E882FCFFFF
call 00431C68
;Call'good guy' message
* Possible StringData
Ref from Code Obj ->"Crack Test (Cracked)" <==
'Good guy'
|
:00431FE6 BA44204300
mov edx, 00432044
;"Crack Test (Cracked)"
:00431FEB A164474300
mov eax, dword ptr [00434764]
:00431FF0 E84B89FEFF
call 0041A940
:00431FF5 EB0F
jmp 00432006
;Jump to the end(2)
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00431FDD(C)
|
* Possible StringData
Ref from Code Obj ->"Crack Test (UnCracked)" <==
'Bad guy'
|
:00431FF7 BA64204300
mov edx, 00432064(1)
;"Crack Test (UnCracked)"
:00431FFC A164474300
mov eax, dword ptr [00434764]
:00432001 E83A89FEFF
call 0041A940
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00431FF5(U)
|
:00432006 33C0
xor eax, eax(2)
:00432008 5A
pop edx
:00432009 59
pop ecx
:0043200A 59
pop ecx
Let's now analyze the code....
There is 'good/bad guy' test at 431FDB
witch follows the conditional
jump line above! If your serial isn't
correct your program wil jump to
the 'bad' section of code(431FF7),
otherwise program will execute next
few lines. We can patch the program NOPing
the conditional jump at
431FDD, but we must find correct
serial!(we don't know how to register
program yet, with serial or somehow else!).
Now we must more backtrace the code too
see where the BL is set,
and where program check for serial!
WE ARE DOING ALL THIS ONLY LOOKING
AT DEAD LIST OF
THE PROGRAM CREATED WITH W32DASM!
Here is the programs code backtraced to the beginning...
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00431F3A(C)
|
We don't understand for what's this all
code so we must run Sice again!
Go to the registration and do all exactly
how I explain at the beginning
of the essay! When you return to the programs
and leave hmemcpy
code set breakpoint at the 431F5D("bpx
431F5D")!
Press "CTRL-D" to continue
execution and look where Sice will
break!...Hmmm Sice doesn't break?
That means that Sice doesn't step throught
this part of code!
Then where Sice call this part of code?
Lets' restart the program...
Close it and then run it again!...It breaks!!
But what does the program compare here??
Maybe it opens Key file??...after using
Filemon doesn't find anyfile
opened by crackme!
Let's see what this can be...
:00431F5D 6A00
push 00000000
:00431F5F 6A00
push 00000000
:00431F61 53
push ebx
:00431F62 56
push esi
:00431F63 8BF0
mov esi, eax
:00431F65 33C0
xor eax, eax
:00431F67 55
push ebp
:00431F68 6821204300
push 00432021
:00431F6D 64FF30
push dword ptr fs:[eax]
:00431F70 648920
mov dword ptr fs:[eax], esp
:00431F73 33DB
xor ebx, ebx
:00431F75 E8D607FDFF
call 00402750
;This call reads command line and puts number
of words(of command
line) separated with space into EAX
Inside this call at 431F75 program
reads command line and check
how many words(separated with space) it
has!
Number of words saves in EAX!
If you want you can trace the code inside
the call with "t" to see how the
program do that.
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00431F0B(C)
|
:00431F7A 83F804
cmp eax, 00000004
;Does command line have four words?
:00431F7D 755C
jne 00431FDB
;If not then jump to end with BL = 0(1)
:00431F7F 8D55FC
lea edx, dword ptr [ebp-04] ;EDX = Address
where location of next string will be stored
:00431F82 B801000000
mov eax, 00000001
;EAX = Ordinal number of the word to take
:00431F87 E82408FDFF
call 004027B0
;Get first word and put it into address saved
in EDX(EBP-04)
:00431F8C 8B45FC
mov eax, dword ptr [ebp-04] ;EAX = First word
of command line
:00431F8F BA38204300
mov edx, 00432038
;EDX = "-r"
:00431F94 E89F1AFDFF
call 00403A38
;Compare them
:00431F99 7540
jne 00431FDB
;If EAX isn't "-r" then jump to end with BL
= 0(1)
Here you can see that command line must
contain four words!
If it haven't four words then jump to
the end(BL=0)!
You can also see that first word of command
line must be "-r"!
If it isn't "-r" program will jump to
the end with BL = 0, that means
we lose!
:00431F9B 8D55FC
lea edx, dword ptr [ebp-04] ;EDX = Address
where location of next string will be stored
:00431F9E B804000000
mov eax, 00000004
;EAX = Ordinal number of the word to take
:00431FA3 E80808FDFF
call 004027B0
;Get last word and put it into address saved
in EDX(EBP-04)
:00431FA8 8B45FC
mov eax, dword ptr [ebp-04] ;EAX = Last word
of command line
:00431FAB 50
push eax
;Save EAX onto the stack
:00431FAC 8D55F8
lea edx, dword ptr [ebp-08] ;EDX = Address
where location of next string will be stored
:00431FAF B803000000
mov eax, 00000003
;EAX = Ordinal number of the word to take
:00431FB4 E8F707FDFF
call 004027B0
;Get third word and put it into address saved
in EDX(EBP-04)
:00431FB9 8B45F8
mov eax, dword ptr [ebp-08] ;EAX = Third word
of command line
:00431FBC 50
push eax
;Save EAX onto the stack
:00431FBD 8D55F4
lea edx, dword ptr [ebp-0C] ;EDX = Address
where location of next string will be stored
:00431FC0 B802000000
mov eax, 00000002
;EAX = Ordinal number of the word to take
:00431FC5 E8E607FDFF
call 004027B0
;Get second word and put it into address saved
in EDX(EBP-04)
:00431FCA 8B55F4
mov edx, dword ptr [ebp-0C] ;EDX = Second word
of command line
:00431FCD 8BC6
mov eax, esi
;EAX = ESI
:00431FCF 59
pop ecx
;Get third word from the stack and put it to
the ECX
I know that you're confused with this all
words of command line
so I'll explain it a little.
As you see first word of command line
must be "-r".
Second word of command line is our first
name("Borna")
Third word of command line is our second
name("Janes")
Fourth and last word of command line is
our serial("998899")!
So command line must look like this:
"PATH...\crackme.exe -r Borna Janes 998899"
If you type "d eax" at the
431FA8 you'll see your fake serial(fourth word),
typeing "d eax" at 431FB9
you'll see your second name(third word), and
finaly at 431FCA you'll see your
first name(second word) in EDX!
At address 431FCF program has our
first(EDX) and second(ECX) name
and generation routine can start...
:00431FD0 E893FBFFFF
call 00431B68
;Make correct and compare it with your 'fake'
serial
:00431FD5 84C0
test al, al
;Is EAX = 0?
:00431FD7 7402
je 00431FDB
;If yes then skip next line(jump(1))
:00431FD9 B301
mov bl, 01
;BL = 1, That indicates CORRECT serial; You're
good guy!
* Referenced by a (U)nconditional
or (C)onditional Jump at Addresses:
|:00431F7D(C), :00431F99(C),
:00431FD7(C)
|
:00431FDB 84DB
test bl, bl(1)
;Is BL = 0?
:00431FDD 7418
je 00431FF7
;If yes then jump to 'bad' section of code
We can see that call at 431FD0 creates
correct serial and then compare it
with fake serial that you entered!
If your serial is good then AL = 1, otherwise
AL = 0!
Then program set BL according with AL(good
or bad serial)!
Program test BL the line above and jump
to the 'bad' section of code
if your serial is wrong; If your serial
is correct execute next line!
Now we must find where the program creates
correct serial so we must
trace code inside the call at 431FD0....so
when you step on 431FD0 type
"t" in Sice and you'll see
this piece of code:
* Referenced by a CALL
at Address:
|:00431FD0
|
:00431B68 55
push ebp
:00431B69 8BEC
mov ebp, esp
:00431B6B 83C4F0
add esp, FFFFFFF0
:00431B6E 53
push ebx
:00431B6F 33DB
xor ebx, ebx
;EBX = 0
:00431B71 895DF4
mov dword ptr [ebp-0C], ebx ;Clear
EBP-0C
:00431B74 895DF0
mov dword ptr [ebp-10], ebx ;Clear
EBP-10
:00431B77 894DF8
mov dword ptr [ebp-08], ecx ;Save
your first name onto the stack(EBP-08)
:00431B7A 8955FC
mov dword ptr [ebp-04], edx ;Save
your second name onto the stack(EBP-04)
:00431B7D 8B45FC
mov eax, dword ptr [ebp-04] ;EAX
= First Name
:00431B80 E8571FFDFF
call 00403ADC
:00431B85 8B45F8
mov eax, dword ptr [ebp-08] ;EAX
= Second Name
:00431B88 E84F1FFDFF
call 00403ADC
:00431B8D 8B4508
mov eax, dword ptr [ebp+08] ;EAX
= Your 'fake' serial
:00431B90 E8471FFDFF
call 00403ADC
:00431B95 33C0
xor eax, eax
;EAX = 0
:00431B97 55
push ebp
:00431B98 683F1C4300
push 00431C3F
:00431B9D 64FF30
push dword ptr fs:[eax]
:00431BA0 648920
mov dword ptr fs:[eax], esp
:00431BA3 FF75FC
push [ebp-04]
;Save address of first name onto the stack
:00431BA6 68581C4300
push 00431C58
:00431BAB FF75F8
push [ebp-08]
;Save address of second name onto the stack
:00431BAE 8D45F0
lea eax, dword ptr [ebp-10]
:00431BB1 BA03000000
mov edx, 00000003
:00431BB6 E82D1EFDFF
call 004039E8
;Get your full name(first+second name)
:00431BBB 8B45F0
mov eax, dword ptr [ebp-10] ;EAX
= Your full name
:00431BBE E8651DFDFF
call 00403928
;Get the lenght of full name(EAX)
:00431BC3 48
dec eax
;EAX = EAX - 1 (Lenght - 1)
:00431BC4 33DB
xor ebx, ebx
;EBX = 0
:00431BC6 85C0
test eax, eax
;Is lenght greater then 1?
:00431BC8 7E13
jle 00431BDD
;If not the jump(1)
:00431BCA BA01000000
mov edx, 00000001
;EDX = 1
Let's little analyze what program do here.
Program takes your first and second name
and makes from them
one string, that is your full name!
Then at 431BBE program takes lenght
of name and puts it to
the EAX. Then program 'cuts' one char
from full name(431BC3),
to generate serial from it! If lenght
of name is less then two the jump
to end of calc routine...
:00431BCF 8B4DF0
mov ecx, dword ptr [ebp-10](2)
;ECX = Your full name
:00431BD2 0FB64C11FF
movzx ecx, byte ptr [ecx+edx-01] ;Take char
of full name...
:00431BD7 03D9
add ebx, ecx
;...and add it to the EBX
:00431BD9 42
inc edx
;EDX = EDX + 1
:00431BDA 48
dec eax
;EAX = EAX - 1
:00431BDB 75F2
jne 00431BCF
;Loop this until EAX = 0(2)
:00431BDD 69C343730200
imul eax, ebx, 00027343(1)
;EAX = EBX * 27343
:00431BE3 8BD8
mov ebx, eax
;EBX = EAX
Here calculation routine almost ends, you'll
see why I said almost...:o)
This calc routine is very simple,
however I'll explain it much simpler...
1. Take char from name
2. Add it to EBX; EBX = EBX + [char
of name]
3. Loop this [lenght of name] times
Result of calculation is located in EBX,
and that's something very close
to your correct serial! Now conver this
hex value in EBX to decimal!
Ok, that's almost your correct serial,
now we must only make one change
at it, let's see...
:00431BE5 8D55F4
lea edx, dword ptr [ebp-0C] ;EDX = Address
where location of next string will be stored
:00431BE8 8BC3
mov eax, ebx
;EAX = EBX(correct serial in hex)
:00431BEA E8494CFDFF
call 00406838
;Convert serial to decimal
:00431BEF 8B45F4
mov eax, dword ptr [ebp-0C] ;EAX = 'Almost'
correct serial(hex value)
:00431BF2 E8311DFDFF
call 00403928
;Put the lenght of serial in EAX
:00431BF7 83E802
sub eax, 00000002
;EAX = EAX - 2(lenght - 2)
:00431BFA 8D55F4
lea edx, dword ptr [ebp-0C] ;EDX = Memory
location of serial
:00431BFD 8BC8
mov ecx, eax
;ECX = EAX
:00431BFF B8641C4300
mov eax, 00431C64
;EAX = Location of "-"!
:00431C04 E8AB1FFDFF
call 00403BB4
;Put "-" inside the serial!
Here is really end of calculation routine!
Now you see why I said almost. Program
adds "-" into your correct
serial in decimal value! That number separated
with "-" is correct serial!
Inside the call at 431BEA program
converts sum of all chars of name(in hex)
to the decimal value and puts it into
EAX(line above)!
Call at 431BF2 returns the lenght
of string located in EAX(decimal serial)
and puts it to the EAX! Then subtract
EAX(lenght) with 2. This number indicates
where to put "-" inside the serial!
EXAMPLE - My serial was "146448048", its
lenght is 9
- 9 - 2 = 7, that means that "-" must be seventh char of serial
- After adding "-", my correct serial was "146448-048"!
Very simple isn't it? :o)
All this code below is comparation routine,
and some other things, let's see...
:00431C09 8B4508
mov eax, dword ptr [ebp+08] ;EAX = Your 'fake'
serial
:00431C0C 8B55F4
mov edx, dword ptr [ebp-0C] ;EDX = CORRECT
SERIAL
:00431C0F E8241EFDFF
call 00403A38
;Compare them
:00431C14 7504
jne 00431C1A
;If serials aren't same then jump(3)
:00431C16 B301
mov bl, 01
;BL = 1(it indicates correct serial)
:00431C18 EB02
jmp 00431C1C
;Skip next few lines;jump few lines below(4)
:00431C1A 33DB
xor ebx, ebx(3)
;BL = 0(it indicates bad serial)
:00431C1C 33C0
xor eax, eax(4)
;EAX = 0
:00431C1E 5A
pop edx
;Get EDX from the stack
:00431C1F 59
pop ecx
;Get ECX from the stack
:00431C20 59
pop ecx
;Get ECX from the stack
:00431C21 648910
mov dword ptr fs:[eax], edx
:00431C24 68461C4300
push 00431C46
:00431C29 8D45F0
lea eax, dword ptr [ebp-10]
:00431C2C BA04000000
mov edx, 00000004
:00431C31 E89A1AFDFF
call 004036D0
;Get your 'fake' serial
:00431C36 8D4508
lea eax, dword ptr [ebp+08] ;EAX = Your 'fake'
serial
:00431C39 E86E1AFDFF
call 004036AC
:00431C3E C3
ret
;END of 'serial check' function
If you type "d eax" at 431C09
you'll see your fake serial.
Typeing "d edx" line above
you'll see your CORRECT serial!
Next line compare fake serial with correct
one!
If they are same program will set BL to
1, what means that you
succussfuly register the program; Otherwise
BL = 0!
To register to program you must type:
"...PATH\crackme.exe -r first_name
second_name correct_serial "
|
|
However program is great for newbyes for practicing thier skills!
My thanks and gratitude goes to:-
The Sandman
for his great site(the best site for newbies) full of knowledge and for
his cracking forum(also the best on the
net)!
Eternal Bliss,
my best 'virtual' friend, for all what he done for me!
|
|
Ripping off software through serials and cracks is for lamers..
If your looking for cracks or serial
numbers from these pages then your wasting your time, try searching elsewhere
on the Web under Warze, Cracks etc.
| Return |