Hellforge Crackme Delta
by Shadow / hf


Tutorial by Lucifer48 [Immortal Descendants]
(September 11th, 1999)



It's a console-mode crackme written in asm. As I expected, it is as easy as the pii crackme also written by Shadow.
The keyboard input is done with the function: KERNEL32!ReadFile.

Remark: In simple dos-asm, we would have seen:
mov  dx, offset buffer
mov  ah, 0Ah
int  21h
Let's come back to the crackme. The login is read, it must not exceed 8 characters.
XXXX:004010DC  MOV  BYTE PTR [EAX+0040222E], 00		;eax: length of the name (+ 0Dh, 0Ah)
XXXX:004010E3  PUSH 0040226E				;shadow (and after lamer and guest)
XXXX:004010E8  PUSH 00402230				;my login
XXXX:004010ED  CALL KERNEL32!lstrcmpi
XXXX:004010F2  OR   EAX,EAX				;if equal:
XXXX:004010F4  JZ   00401278				;login failed
So, the login mustn't be: shadow, lamer or guest (the comparison is done by lstrcmpi, so case doesn't matter). Then you are prompted to enter your password.
XXXX:0040119C  MOV  BYTE PTR [EAX+0040224C], 00		;eax: length of the password
...
XXXX:004011A8  PUSH 0040224E				;my password
XXXX:004011AD  PUSH 00402230				;my login
XXXX:004011B2  CALL KERNEL32!lstrcmpi
XXXX:004011B7  OR   EAX,EAX				;if equal:
XXXX:004011B9  JZ   0040124C				;Only guest access granted, try harder
And right after:
XXXX:004011C9  CALL 004012A6				;garbage code...
XXXX:004011CE  PUSH 00402230				;my login
XXXX:004011D3  PUSH 0040224E				;my password
XXXX:004011D8  CALL 0040131B				;check the password
XXXX:004011DD  ...					;garbage code...
...
XXXX:0040120A  JMP  00401217	
...
XXXX:00401217  MOV  AL,[0040226D]
XXXX:0040121C  CMP  AL,04				;if eax=4:
XXXX:0040121E  JZ   0040124C				;Only guest access granted, try harder
XXXX:00401220  4*NOP
XXXX:00401224  JG   004012F1				;we must jump !!!
...
if you are here: login failed
What's in the call 0040131B? It's simple: each time the password contains an "S" character (53h), the crackme adds one to byte ptr [0040226D]. Your password must contain at least 5 "S" (in any position) to get root access!

Remark: For the password, 13 chars max (otherwise the password is cut). A good password can be: 12345678SSSSS.
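To make the whole check easy to play with outside of the binary, here is a Python re-implementation of the login and password logic exactly as this tutorial describes it. This is an added example, not code from the crackme or from Shadow; the function names (check_login, count_s, access_level) and the constants are my own. One point the tutorial leaves open is what happens to a login longer than 8 characters; the example simply rejects it (assumption), while a password longer than 13 characters is cut, as the remark above says.

```python
# Added example: re-implementation of the Hellforge Crackme Delta checks
# as described in Lucifer48's tutorial. Not the crackme's own code;
# function names and constants are the example's own.

MAX_LOGIN = 8                                   # login must not exceed 8 chars
MAX_PASSWORD = 13                               # longer passwords are cut to 13 chars
REJECTED_LOGINS = ("shadow", "lamer", "guest")  # compared with lstrcmpi (case-insensitive)


def check_login(login: str) -> bool:
    """Mirrors 004010DC-004010F4: a login equal (ignoring case) to
    shadow, lamer or guest fails. Returns True if the login is accepted.
    Assumption: a login longer than 8 chars is rejected outright."""
    if len(login) > MAX_LOGIN:
        return False
    return login.lower() not in REJECTED_LOGINS


def count_s(password: str) -> int:
    """Mirrors call 0040131B: byte ptr [0040226D] is incremented once
    for every uppercase 'S' (53h) in the password; position is irrelevant."""
    return sum(1 for ch in password if ch == "S")


def access_level(login: str, password: str) -> str:
    """Returns 'failed', 'guest' or 'root', following the jumps at
    004011B9 (password == login), 0040121E (count == 4) and
    00401224 (count > 4)."""
    if not check_login(login):
        return "failed"
    password = password[:MAX_PASSWORD]          # the crackme cuts at 13 chars
    # 004011B2/004011B9: password identical (ignoring case) to the login -> guest only
    if password.lower() == login.lower():
        return "guest"
    n = count_s(password)
    if n == 4:                                  # CMP AL,04 / JZ  -> guest access
        return "guest"
    if n > 4:                                   # JG 004012F1     -> root access
        return "root"
    return "failed"                             # fall through    -> login failed


if __name__ == "__main__":
    # The tutorial's own good password gives root with any acceptable login.
    print(access_level("Lucifer", "12345678SSSSS"))   # root
    # Five S's but the fifth one sits past the 13-char cut: only 4 are counted.
    print(access_level("Lucifer", "SSSS123456789S"))  # guest
```

Note that the counter only sees uppercase "S" (53h), so "sssss" does not work, and that the 13-character cut is applied before counting, which is why the second call above only reaches guest access.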

Root access. send solution to lazarus666@gnwmail.com


Greetings: All ID members (Volatility, Torn@do, ...), SiFLyiNG, Eternal Bliss, ACiD BuRN, Duelist, LaZaRuS, ... and Shadow (I am awaiting a harder crackme!!!)



(c) Lucifer48. All rights reserved & reversed