TORN@DO's Cracking Tutorial for
MexElite's CrackMe 4.0
 
 
Before we start, please read the Disclaimer section of this essay! 
 
Date: 25/07/1998
Target Program: MexElite's CrackMe 4.0
Protection: Name/Serial
Solution: (Remember the rules!)
Cracked by: TORN@DO
Location: http://crackme.home.ml.org
Tools needed: - SoftICE 3.2 (Win 95)
  - W32DASM 8.9
Level: (x) Beginner     ( ) Intermediate     ( ) Expert
 
Well this CrackMe is very easy to crack. Also Newbees will find out, that it's easy. I recommen to read my "Cracker's Notes", because I think the basics were therein. So get them, read them and then let's start with

Step 1
Run the target and look at the screen! Two edit controls. One asking for your name and one asking for your serial. Let's enter "Tutorial" in the Name field (without the quotes) and "99999" in the serial field (without the quotes). Press the check button and you get "Bad Name or Serial Number !!!!!". Now we start W32DASM and disassemble the target.

 
Step 2
We want to find something like "Thanks for trying", so look in the String Reference for interesting strings. I found the following:
  

"Bad Name Or Serial Number !!!!!"
"Good Serial, Thanks For trying "
 We want to find out a valid serial # for our name, so double click on "Good Serial, Thanks For trying". And then have a look at this location:
  
:0042DCB2 mov dword ptr [0042F760], eax
:0042DCB7 mov eax, dword ptr [0042F758]
:0042DCBC cmp eax, dword ptr [0042F760]
:0042DCC2 jne 0042DCDB
:0042DCC4 push 00000000
:0042DCC6 mov cx, word ptr [0042DD1C]
:0042DCCD mov dl, 02
 
* Possible StringData Ref from Code Obj ->"Good Serial, Thanks For trying "
  
Wow! You see that our serial number, which is stored in eax, is moved into 42F760 (42DCB2) and our serial #, which is stored in 42F760, is moved into eax (42DCB7). Then our serial # and the right serial # get compared. If they are not equal we'll get to
  
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042DCC2(C)
|
:0042DCDB push 00000000
:0042DCDD mov cx, word ptr [0042DD1C]
:0042DCE4 mov dl, 02
 
* Possible StringData Ref from Code Obj ->"Bad Name Or Serial Number !!!!!"
  
So we know where we have to break on, so let's go on with
 
 
Step 3
Run NuMega SoftICE Symbol Loader. Open the CrackMe-Modul and load the target. You'll get an error message "An error occured during ..." - this is so, because no debug information was found (which programmer is so stupid and put it in his/her programms?). Press "Yes" and go on.
Now you break at 42DF88. The code window says INVALID, so press F10. Now add this breakpoint to the compare function (BPX 42DCBC) and press CTRL-D to get out of WinICE. Now enter "Tutorial" in the name field (without the quotes) and "99999" in the serial field (without the quotes). You get kicked back to WinICE just at the location I explained in Step 2. So let's dump 42F758 (D 42F758) and 42F760 (D 42F760) ... they look strange ... just hex-values. EAX is FC 0B 4E 9F 07 and a few unimportant values. And 42F760 is 9F 86 01 and a few unimportant values. Now type "? 9F8601" and ... strange ... this should be 99999, but it isn't. Why isn't it so? Well, values get pushed in REVERSE order, so that 9F8601 should be 01869F. So type "? 01869F" and you get "0000099999". So we know, that this is our bogus serial #. So let's do the same with EAX (07 9F 4E 0B FC). You get that an error mesage, that this value is "too large". So let's use nearly the same - without that unimportant 07. So type "? 9F4E0BFC". You'll get "2672692220" and "-1622275076". Write these values down on a piece of paper.
 
 
Step 4
Disable your breakpoint to 42DCBC (BD 42DCBC). If you enter the first value (2672692220), you get the error message "'2672692220' is not a valid integer value.", so enter the second value (-1622275076) and you'll get the "Good Serial, Thanks For trying this CrackMe bY nIabI !". So our work is done ...
Disclaimer: This essay is for educational purposes only. Any use, mis-use or illegal activity is the sole responsibility of the reader!
 
TORN@DO,1998
 
 
 
 Back to Students Essay's