Hellforge General Crackme I
by LaZaRuS
Tutorial by Lucifer48 [Immortal Descendants]
(August 14th, 1999)
The right key-combination is: ALT GR + D
Go, go, go...
I fill in my name and a serial, then I press the button (bpx hmemcpy, as usual).
XXXX:00401759 CALL 0041F074 ;we exit from here
XXXX:0040175E LEA EAX,[EBP-04]
XXXX:00401761 CALL 00445784 ;length of name
XXXX:00401766 CMP EAX,04 ;5 characters minimum
XXXX:00401769 LEA EAX,[EBP-04]
XXXX:0040176C SETG DL
XXXX:0040176F AND EDX,01
XXXX:00401772 PUSH EDX
...
XXXX:00401780 POP ECX
XXXX:00401781 TEST CL,CL
XXXX:00401783 JZ 00401E90 ;no jump = size of name OK
Further:
XXXX:004017C4 LEA EDX,[EBP-0C] ;dword ptr [edx] = 0
XXXX:004017C7 POP EAX ;dword ptr [eax] = our serial
XXXX:004017C8 CALL 0044576C ;is a serial entered?
XXXX:004017CD PUSH EAX ;eax=1 or eax=0
...
XXXX:004017EE POP ECX
XXXX:004017EF TEST CL,CL
XXXX:004017F1 JZ 00401E49 ;no jump = a serial is entered
Here begins the calculation:
XXXX:0040182B MOVSX ECX,BYTE PTR [EAX] ;read the first char of the name
XXXX:0040182E MOV EAX,ECX
XXXX:00401830 MOV EDX,00000002
XXXX:00401835 SHL EAX,04
XXXX:00401838 ADD EAX,ECX
XXXX:0040183A ADD EAX,000004D2 ;+1234
XXXX:0040183F MOV [EBP-00A0],EAX
For my name, I get:
4Ch*10h + 4Ch + 4D2h = 4C0h + 4Ch + 4D2h = 9DEh
XXXX:00401884 MOVSX ECX,BYTE PTR [EAX] ;read the fourth character of the name
XXXX:00401887 MOV EAX,ECX
XXXX:00401889 SHL EAX,02
XXXX:0040188C LEA EAX,[EAX*2+EAX] ;3*eax
XXXX:0040188F ADD [EBP-00A0],EAX
For my name, I get:
69h*4*3 = 69h*Ch = 4ECh
[EBP-00A0] = 4ECh + 9DEh = ECAh
This is now the tricky moment:
XXXX:004018F0 MOV EDX,[EAX+000001FC]
XXXX:004018F6 CMP ECX,EDX
XXXX:004018F8 JZ 00401D4E ;jump = bad way
I asked myself why; I always had ecx=eax, and I felt that jumping was the bad way to solve the
crackme. I had an idea: I modified my serial (I added a letter), and it worked, so I concluded that
to solve this crackme we mustn't press/click on the "Check Serial" button; it is the wrong way. We can
continue now; we arrive at a loop:
XXXX:004019F9 MOV ECX,[EBP-00A4]
XXXX:004019FF CMP ECX,000003E8 ;1000
XXXX:00401A05 JL 00401966
This (big) loop is useless... This is the true calculation.
XXXX:00401A3F MOVSX ECX,BYTE PTR [EAX] ;read the first character of the name
XXXX:00401A42 MOV EAX,ECX
XXXX:00401A44 MOV EDX,00000002
XXXX:00401A49 SHL EAX,02
XXXX:00401A4C LEA EAX,[EAX*2+EAX] ;3*eax
XXXX:00401A4F ADD EAX,00003039 ;12345
XXXX:00401A54 MOV [EBP-00A0],EAX ;MOV and not ADD (so our previous calculations are useless)
...
XXXX:00401A99 MOVSX ECX,BYTE PTR [EAX] ;read the fourth character of the name
XXXX:00401A9C MOV EAX,ECX
XXXX:00401A9E SHL EAX,03
XXXX:00401AA1 SUB EAX,ECX
XXXX:00401AA3 LEA EAX,[EAX*2+EAX] ;3*eax
XXXX:00401AA6 ADD [EBP-00A0],EAX
...
XXXX:00401ABC MOV ECX,[EBP-00A0]
XXXX:00401AC2 IMUL ECX,[EBP-00A0]
XXXX:00401AC9 MOV [EBP-00A0],ECX
...
XXXX:00401AFE IMUL EAX,[EBP-00A0] ;eax: length of name
XXXX:00401B05 MOV [EBP-00A0],EAX
Let's call X1 and X4 the first and fourth characters of the name; this is the
magic formula:
( ( ( 0Ch*X1 + 3039h ) + (15h*X4) )^2 )* length-of-name
For my name, I get (X1=4Ch and X4=69h):
0Ch * 4Ch + 3039h = 33C9h
15h * 69h = 89Dh
and (33C9h + 89Dh)^2 * 9 = 3C66h^2 * 9 = 803FBDC4h
The end is near:
XXXX:00401B3E MOV EDX,[EBP-00A0]
XXXX:00401B44 CALL 00445614 ;signed conversion like wsprintf
...
XXXX:00401B7E LEA EAX,[EBP-38] ;our serial...
XXXX:00401B81 POP EDX ;the right serial
XXXX:00401B82 CALL 00445754 ;comparison
XXXX:00401B87 PUSH EAX
...
XXXX:00401BC8 POP ECX
XXXX:00401BC9 TEST CL,CL ;if cl=0: bad serial
XXXX:00401BCB JZ 00445684
And finally:
Name/ Lucifer48
Serial/ -2143306300-LaZaRuS
Name/ Lucifer48/ID
Serial/ -1426085968-LaZaRuS
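As an added example (not part of the original tutorial), here is the magic formula written out as a Python routine that reproduces both serials above; the "-LaZaRuS" suffix, the 5-character minimum and the signed 32-bit conversion are taken from the listing.

```python
# Added example: the crackme's serial algorithm reconstructed from the
# disassembly walked through above. Not the crackme's or the author's code.

def _movsx(byte: int) -> int:
    """Sign-extend one byte the way MOVSX ECX,BYTE PTR [EAX] does."""
    return byte - 0x100 if byte & 0x80 else byte

def _to_int32(value: int) -> int:
    """Interpret a Python integer as a signed 32-bit register value."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value

def hellforge_value(name: str) -> int:
    """Return the signed 32-bit value left in [EBP-00A0] for `name`.

    Steps mirror the listing: 0Ch*X1 + 3039h, plus 15h*X4, squared
    (IMUL, low 32 bits kept), times the name length (IMUL again).
    """
    raw = name.encode("latin-1")      # one byte per character, as in the target
    if len(raw) <= 4:                 # CMP EAX,04 / SETG: at least 5 characters
        raise ValueError("name must be at least 5 characters long")
    x1 = _movsx(raw[0])               # first character
    x4 = _movsx(raw[3])               # fourth character
    acc = (0x0C * x1 + 0x3039) & 0xFFFFFFFF   # SHL 2, LEA *3, ADD 3039h
    acc = (acc + 0x15 * x4) & 0xFFFFFFFF      # SHL 3, SUB, LEA *3, ADD
    acc = (acc * acc) & 0xFFFFFFFF            # IMUL ECX,[EBP-00A0]
    acc = (acc * len(raw)) & 0xFFFFFFFF       # IMUL EAX,[EBP-00A0]
    return _to_int32(acc)                     # CALL 00445614: signed conversion

def hellforge_serial(name: str) -> str:
    """Return the full serial string the crackme compares against."""
    return f"{hellforge_value(name)}-LaZaRuS"

if __name__ == "__main__":
    for n in ("Lucifer48", "Lucifer48/ID"):
        print(f"{n:14} {hellforge_value(n) & 0xFFFFFFFF:08X}  {hellforge_serial(n)}")
```

For "Lucifer48" the unsigned value is 803FBDC4h, matching the hand calculation above, which the signed conversion turns into -2143306300.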
Mission successful, sir!
Greetings: All ID members (Volatility, Torn@do, ...), Eternal Bliss, ACiD BuRN,
Duelist, LaZaRuS, people on #cracking4newbies, french crackers, and other crackme makers.
(c) Lucifer48. All rights reversed