Softice, and the calculator that comes with Win95.
Rating: Easy ( X ) Medium ( ) Hard ( ) Pro ( )

There is a crack, a crack in everything. That's how the light gets in.

Cruehead's Crackme v1.0
Written by Craftie
Introduction
This is a basic crackme written by Cruehead that uses a basic XOR operation to generate the serial.
The Essay
Alright, this is my first tutorial ever, so don't be too hard on me, yet if you have any questions email me at craftie@geocities.com and I'll try my best to answer you. Anyways, first I'll give you a little background on this program. It was written by Cruehead, and uses an interesting little algorithm to generate your serial from your name. It uses the XOR function... What's that? You don't know what that is? Well basically, XOR (exclusive-or) is a logic operation on binary digits (a bitwise operation). For more information on bitwise operations, see CrackZ's page (http://www.wco.com/~micuan) or the Messing in Bytes page (www.messinginbytes.home.ml.org). Anyways, on with this... The only tools you will need for this are Soft-ICE and the calculator that you should have on your computer if you have Win95/98. Alright, registration screen, name, serial... no problem... Enter some dummy data into both boxes (Craftie and 123123 in my case), and then press CTRL-D to pop into Soft-ICE. Type 'bpx getdlgitemtexta' and press enter to set a breakpoint on the GetDlgItemTextA function, which is a common Win32 function for reading entered text. Now press the 'OK' button. You should be back in Soft-ICE... Now comes a part that may take a while... Press F10 to step through the code a LOT, I'm not sure how many times, until you get to this code section: (From here on prepare to be bombarded with ASM code :)

By the way, to make your life easier instead of F10ing so much, just type 'g 00401228' in Soft-ICE to go here:
:00401228 688E214000   push 0040218E       <--- step over this with F10, and type 'd 0040218E' to get a dump of the location whose address is being pushed. In the data window you should see your name.
:0040122D E84C010000   call 0040137E       <--- this is the call that does the manipulations on your name. Enter this call by pressing F10 till it's highlighted, then pressing F8.
:00401232 50           push eax
:00401233 687E214000   push 0040217E
:00401238 E89B010000   call 004013D8
:0040123D 83C404       add esp, 00000004
:00401240 58           pop eax
:00401241 3BC3         cmp eax, ebx
See that CALL at 0040122D??? That looks interesting... Let's trace into it by F10ing till it's highlighted, and then pressing F8. You should be at this code segment now:
What you see from 00401383-0040139A is the upcasing loop... It converts your name to UPPERCASE.
:0040137E 8B742404     mov esi, dword ptr [esp+04]   <--- puts (the address of) your name in ESI
:00401382 56           push esi                      <--- pushes it onto the stack
:00401383 8A06         mov al, byte ptr [esi]        <--- moves the first byte at ESI (the first letter of your name) to AL
:00401385 84C0         test al, al                   <--- checks if AL is 0
:00401387 7413         je 0040139C                   <--- if yes, exit the loop
:00401389 3C41         cmp al, 41                    <--- here through 0040138F checks if AL is a valid uppercase letter
:0040138B 721F         jb 004013AC                   <--- if its hex value is less than the value of 'A' (41), jump to the 'No luck' message
:0040138D 3C5A         cmp al, 5A                    <--- checks if AL's value is greater than that of 'Z' (in other words, it's lower case)
:0040138F 7303         jnb 00401394                  <--- if yes, jump to the UPCASING routine at 00401394
:00401391 46           inc esi                       <--- *NOTE* you should only be here if the letter was capital. Move ESI to the next letter of your name
:00401392 EBEF         jmp 00401383                  <--- redo loop for next letter
:00401394 E839000000   call 004013D2                 <--- here's the call to UPCASE the letter
:00401399 46           inc esi                       <--- move ESI to the next letter of your name
:0040139A EBE7         jmp 00401383                  <--- redo loop for next character of name
Alright, now keep pressing F10 until the jump at 00401387 jumps and you get out of the loop. Done? Alright, we're ready to move on... You should now be here:
:0040139C 5E           pop esi                       <--- ESI now holds (points at) the UPCASED name
:0040139D E820000000   call 004013C2                 <--- call to do more manipulations on the name... interesting...
:004013A2 81F778560000 xor edi, 00005678
Now trace into the call at 0040139D by pressing F10 till it's highlighted, then pressing F8. You should be here, in yet ANOTHER loop:
:004013C2 33FF         xor edi, edi                  <--- clear EDI
:004013C4 33DB         xor ebx, ebx                  <--- clear EBX
:004013C6 8A1E         mov bl, byte ptr [esi]        <--- move the first letter of your upcased name to BL
:004013C8 84DB         test bl, bl                   <--- does BL equal 0??
:004013CA 7405         je 004013D1                   <--- if yes, exit the loop, and the call
:004013CC 03FB         add edi, ebx                  <--- add EBX to EDI; in other words, add the hex value of the current letter of your name to EDI, and keep adding. Note here: BL is the low byte of EBX, and EBX was cleared above, so in this case they hold the same value
:004013CE 46           inc esi                       <--- move onto the next letter
:004013CF EBF5         jmp 004013C6                  <--- repeat loop
:004013D1 C3           ret                           <--- leave the call
Keep tracing till the jump at 004013CA jumps. Basically, this loop added up all the hex values of your name and left the sum in EDI. Step over the RET instruction to leave the call. You should be here:
:004013A2 81F778560000 xor edi, 00005678
Hmm... Here the sum of the hex values of your name is XORed with 5678h and then moved to EAX by the next instruction. Keep tracing till the ret instruction... Recognize this place?? Yup, this is right outside the call at the beginning that was for the name manipulations... You should be here:
:0040122D E84C010000   call 0040137E                 <--- this is where we just came out of
:00401232 50           push eax                      <--- pushes the XORed name value onto the stack
:00401233 687E214000   push 0040217E                 <--- Hmm... what's this? :) Type 'd 0040217E' and you should see your dummy serial in the data window!
:00401238 E89B010000   call 004013D8                 <--- you guessed it :) the serial manipulation call
Alright, trace into the call at 00401238, which you should know how to do by now ;) You should be here:
:004013D8 33C0         xor eax, eax                  <--- clears EAX
:004013DA 33FF         xor edi, edi                  <--- clears EDI
:004013DC 33DB         xor ebx, ebx                  <--- clears EBX
:004013DE 8B742404     mov esi, dword ptr [esp+04]   <--- ESI now points at your serial (the address pushed at 00401233)
:004013E2 B00A         mov al, 0A                    <--- AL = 0Ah (10 decimal), the multiplier used below
:004013E4 8A1E         mov bl, byte ptr [esi]        <--- start of loop: moves the first digit of your serial to BL
:004013E6 84DB         test bl, bl                   <--- is BL 0?
:004013E8 740B         je 004013F5                   <--- if so, leave the loop
:004013EA 80EB30       sub bl, 30                    <--- '0' is 30h, so this turns the ASCII digit into its value
:004013ED 0FAFF8       imul edi, eax                 <--- EDI = EDI * 10
:004013F0 03FB         add edi, ebx                  <--- EDI = EDI + digit
:004013F2 46           inc esi                       <--- basically all this stuff converts the decimal digits of your serial into one number (the final value ends up in EDI)
:004013F3 EBED         jmp 004013E2                  <--- repeat loop on the next digit of your serial
:004013F5 81F734120000 xor edi, 00001234             <--- another XOR: XOR the value with 1234h
:004013FB 8BDF         mov ebx, edi                  <--- moves the XORed value to EBX
:004013FD C3           ret
Whew, this is shorter than the last one :) Alright, so here's a sum up of what just happened here: it converts your decimal serial to HEX and then XORs that with 1234h.
:00401238 E89B010000   call 004013D8                 <--- we just got out of here
:0040123D 83C404       add esp, 00000004
:00401240 58           pop eax                       <--- remember how the XORed name got pushed to the stack way back when? Well, this retrieves it.
:00401241 3BC3         cmp eax, ebx                  <--- compares the XORed serial with the XORed name
:00401243 7407         je 0040124C                   <--- do they match? Jump to the good guy message
Alright! Here it is!!! So now we know the algo! So if you didn't get it, here it is.....
It takes all the letters of your name, upcases them, and converts them to hex... For Craftie that would be:
C = 43h
R = 52h
A = 41h
F = 46h
T = 54h
I = 49h
E = 45h
Now it adds those all up... For Craftie that would total 1FEh. Now it XORs that with 5678h. That would be (again for Craftie) 5786h. It stores that away for later use.
Now for the serial it converts the decimal value to HEX... For 123123 it would be 1E0F3h. Then that is XORed with 1234h, making 1F2C7h... Now it compares 1F2C7h with that value 5786h we stored away earlier... If they are the same, it's right; if not, the serial is wrong...
So here's what we have (where x is a value we don't know, not a character)...
x XOR 1234h = 5786h... How do we find x?? We XOR 5786h with 1234h, and convert that value to decimal.... Voila, you have the correct serial for your name... Job done.....
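To tie the pieces together, here is an added Python model of the whole check as walked through above. It is this editor's illustration, not Cruehead's code nor anything from the crackme itself: the name hash from the loops at 0040137E/004013C2 and the XOR at 004013A2, the serial parse from 004013D8, the final cmp eax, ebx, and the one-XOR inversion the essay ends with. The function names (name_hash, serial_value, check, correct_serial) are my own; the constants 5678h and 1234h and the sample input Craftie / 123123 come from the text. Register arithmetic is masked to 32 bits to mirror EDI, and the behaviour of the upcase routine at 004013D2 on bytes between 'Z' and 'a' (which the page does not show) is assumed to be "leave unchanged".

```python
# Added example: a Python model of the check Cruehead's CrackMe v1.0 makes
# on a name/serial pair, following the disassembly walked through above.
# This is the editor's illustration, not the crackme's own code. Function
# names are mine; the constants come from the listing.

MASK32 = 0xFFFFFFFF   # EDI/EAX are 32-bit registers
NAME_XOR = 0x5678     # xor edi, 00005678 at 004013A2
SERIAL_XOR = 0x1234   # xor edi, 00001234 at 004013F5


def name_hash(name: str) -> int:
    """Calls at 0040137E and 004013C2: upcase the name, add the byte value
    of every character into EDI, then XOR the sum with 5678h.

    Any byte below 'A' (41h) sends the crackme to its 'No luck' message
    (cmp al,41 / jb at 0040138B); that is modelled as a ValueError.
    """
    total = 0
    for b in name.encode("ascii"):
        if b < 0x41:                       # cmp al, 41 / jb -> 'No luck'
            raise ValueError(f"byte {b:#04x} is below 'A'; crackme rejects it")
        if 0x61 <= b <= 0x7A:              # lower case letter (above 'Z')
            b -= 0x20                      # what the upcase call at 004013D2 does
        # Bytes between 'Z' and 'a' also reach the upcase call; the page
        # does not show that routine, so this model ASSUMES it leaves
        # them unchanged.
        total = (total + b) & MASK32       # add edi, ebx
    return total ^ NAME_XOR                # xor edi, 00005678


def serial_value(serial: str) -> int:
    """Call at 004013D8: parse the serial as decimal digits into EDI
    (EDI = EDI*10 + digit, via mov al,0A / sub bl,30 / imul / add),
    then XOR the result with 1234h.

    Note there is no check that each byte really is a digit: 'sub bl, 30'
    simply wraps in the 8-bit BL register, which the '& 0xFF' mirrors.
    """
    value = 0
    for b in serial.encode("ascii"):
        digit = (b - 0x30) & 0xFF                 # sub bl, 30
        value = (value * 10 + digit) & MASK32     # imul edi, eax ; add edi, ebx
    return value ^ SERIAL_XOR                     # xor edi, 00001234


def check(name: str, serial: str) -> bool:
    """cmp eax, ebx / je at 00401241: good guy only if both values match."""
    return name_hash(name) == serial_value(serial)


def correct_serial(name: str) -> int:
    """The inversion the essay ends with: XOR with a constant is its own
    inverse, so x = name_hash XOR 1234h, written out in decimal."""
    return name_hash(name) ^ SERIAL_XOR


if __name__ == "__main__":
    # Constructed sample: the essay's own dummy input, Craftie / 123123.
    print(hex(name_hash("Craftie")))          # 0x5786  (1FEh XOR 5678h)
    print(hex(serial_value("123123")))        # 0x1f2c7 (1E0F3h XOR 1234h)
    print(check("Craftie", "123123"))         # False
    s = correct_serial("Craftie")
    print(s, check("Craftie", str(s)))        # 17842 True
```

Running it reproduces the numbers worked out above (5786h for the name, 1F2C7h for the dummy serial, so no match) and then the serial that does match. Two things the model makes plain: the serial routine never verifies that it was given digits, and every step is either addition or XOR with a fixed constant, which is exactly why the whole scheme is undone with one more XOR on the Windows calculator.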
The 'Crack'
None is required.
Final Notes
This was a great crack for newbies, and I think there is a lot to be learned from it. If you've never looked at a generation routine before, this is a good first one.
My thanks goes to:-
The Sandman for all he's done for newbies like me and providing such a great site.
Everyone who helped me on the Sandman's forum, all writers of tutorials that helped me, and anyone who is reading this :).
Ob Duh
Do I really have to remind you all that by buying and NOT stealing the software you use, you will ensure that these software houses will continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges to breaking their often weak protection systems.
If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.