Hellforge General Crackme IV
by LaZaRuS


Tutorial by Lucifer48 [Immortal Descendants]
(16 july 1999)



This crackme was compiled with a compiler I don't know (RHG-Profan). It looks a bit like Delphi: few API calls, and each call is used only a few times, at a few different places. Let's go! There are two ways to get into the code: bpx MessageBoxA or bpx hmemcpy.
XXXX:00421582  PUSH EBP
XXXX:00421583  CALL 0041D35C             ;read the name, and later the serial (*)
XXXX:00421588  POP  ECX
XXXX:00421589  JMP  00421907
...
XXXX:0042159A  PUSH EBP
XXXX:0042159B  CALL 0041E3C4             ;bad serial (display the MessageBoxA)
(*) This call is used twice: the first time to read the name (via SendMessageA, because the window is not a dialog box), the second time to read the serial.

In the call 0041D35C:
...
XXXX:0041D3C7  MOV  EDX,[EBP-0104]       ;null-terminated string containing the name
XXXX:0041D3CD  MOV  EAX,00430518         ;target (see remark)
XXXX:0041D3D2  MOV  ECX,000000FF         ;255 chars maximun
XXXX:0041D3D7  CALL 00403AC8
Remark: at 00430518 the name is stored in this 'format' (one length byte, followed by the name itself):
-----CRACKME!BSS+1518------------------------------byte--------------PROT---(0)--
XXXX:00430518 09 4C 75 63 69 66 65 72-34 38                    .Lucifer48......
---------------------------------------------------------------------------------
Later, at this same place (00430518), the serial is stored in the same 'format'. I decided to set a little write breakpoint (BPM 00430518 W) to see what is going on.
This is the partial result (every string that gets copied there):

Lucifer48
name$
Lucifer48
serial2%
1234
serial2%
SERIAL
5678
serial2%
SERIAL
16784                      ;<------ the right serial !!
serial%
36157800                   ;the serial I typed, copied after the right one was built, for the comparison
That was wrong
How is this serial computed? Let's look just before the right serial is copied. That's here:
XXXX:00402D7A  MOV  AL,[EBX+ESP-01]      ;ebx=5
XXXX:00402D7E  MOV  [EDI],AL             ;edi=0043051x
XXXX:00402D80  INC  EDI
XXXX:00402D81  DEC  EBX
XXXX:00402D82  JNZ  00402D7A
(be careful, this "routine" is used many times, so keep the BPM at 00430518 rather than a bpx here...)
And just above:
XXXX:00402D3C  MOV  ECX,0000000A
XXXX:00402D41  XOR  EBX,EBX
XXXX:00402D43  XOR  EDX,EDX
XXXX:00402D45  DIV  ECX                  ;integer -> decimal string conversion: divide by 10, remainder (the digit) in EDX
XXXX:00402D47  ADD  EDX,30
XXXX:00402D4A  MOV  [EBX+ESP],DL
XXXX:00402D4D  INC  EBX
XXXX:00402D4E  TEST EAX,EAX
For my name I get 16784 = 4190h. What is this 4190h?
I discovered that only the length of the name is used!

* 1 char  (1B00h): serial 6912
* 2 chars (1FD2h): serial 8146
* 3 chars (24A4h): serial 9380
...
* 9 chars (4190h): serial 16784

And so..... serial = 5678 + 1234*(length of name). Both constants already showed up in the BPM trace above, copied as the strings 1234 and 5678 just before the right serial appeared.
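As an added example (not the crackme's code, and not from the original tutorial), here is a keygen in C built from the recovered formula. It also re-implements the two conversion loops seen at 00402D3C and 00402D7A (digits produced least-significant first by repeated division by 10, then copied out in reverse) and the length-prefixed string layout seen at 00430518. The constants 5678 and 1234 and the layout come from the tutorial; the function names and the stand-in stack buffer are my own choices.

```c
#include <stdio.h>
#include <string.h>

/* Serial formula recovered in the tutorial: 5678 + 1234 * strlen(name). */
unsigned long hellforge4_serial(const char *name)
{
    return 5678UL + 1234UL * (unsigned long)strlen(name);
}

/* Decimal conversion modelled on the two loops in the crackme.
   First loop (00402D3C..): repeated DIV by 10, each remainder + 0x30 stored
   least-significant digit first into a stack buffer indexed by EBX.
   Second loop (00402D7A..): copy the EBX digits back out in reverse order,
   so the string reads most-significant digit first.
   Returns the number of characters written, 0 if out_len is too small. */
size_t to_decimal_like_crackme(unsigned long value, char *out, size_t out_len)
{
    char tmp[16];   /* stands in for the buffer at [ESP] */
    size_t n = 0;   /* plays the role of EBX */

    do {
        tmp[n++] = (char)('0' + value % 10);   /* ADD EDX,30 ; MOV [EBX+ESP],DL */
        value /= 10;                           /* DIV ECX, ECX = 10 */
    } while (value != 0);                      /* TEST EAX,EAX */

    if (n + 1 > out_len)
        return 0;
    for (size_t i = 0; i < n; i++)             /* MOV AL,[EBX+ESP-01] ; MOV [EDI],AL */
        out[i] = tmp[n - 1 - i];
    out[n] = '\0';
    return n;
}

/* Length-prefixed layout seen at 00430518: one length byte, then the bytes
   (255 characters maximum, matching the ECX=0FFh limit in the copy call). */
size_t to_profan_string(const char *s, unsigned char *out, size_t out_len)
{
    size_t n = strlen(s);
    if (n > 255 || n + 1 > out_len)
        return 0;
    out[0] = (unsigned char)n;
    memcpy(out + 1, s, n);
    return n + 1;
}

/* 1 if the serial string generated for `name` equals `expected`, else 0. */
int serial_matches(const char *name, const char *expected)
{
    char buf[16];
    if (to_decimal_like_crackme(hellforge4_serial(name), buf, sizeof buf) == 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "Lucifer48";  /* sample name from the tutorial */
    char serial[16];
    unsigned char stored[257];

    to_decimal_like_crackme(hellforge4_serial(name), serial, sizeof serial);
    to_profan_string(name, stored, sizeof stored);
    printf("name   : %s (length byte %02X)\n", name, stored[0]);
    printf("serial : %s\n", serial);
    return 0;
}
```

Run it with the name as the only argument; with no argument it uses "Lucifer48" and prints 16784, the value the BPM trace showed.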

239 KB for this!

Greetings: All ID members (Volatility, Torn@do, ...), Eternal Bliss, ACiD BuRN, Duelist, LaZaRuS, people on #cracking4newbies, french crackers, and other crackme makers.



(c) Lucifer48. All rights reversed