ok, this is pretty hard, so study this algo/protection.
it was hard for me in the first place, I admit it. thanks to CoDe_InSide himself for helping me figure some stuff out, because there is a lot of stuff that can be confusing.
ok, first open the crackme; you will see the Name and Serial text boxes.
now we need to disassemble the crackme with 32dasm to see some data that is very important.
after disassembling, save the listing as txt and close 32dasm.
now enter some name & serial in the crackme.
for me it was:
name: bengaly
serial: 123456789
open SoftICE and bpx on GetDlgItemTextA, press F5, click the Register button, SoftICE pops up, press F5 twice so that you are on the read of the serial text box, press F12 once and you will land here:
* Reference To: USER32.GetDlgItemTextA, Ord:0000h
|
:00401163 FF155C1D4000 Call dword ptr [00401D5C] ;call serial text input
ok, so we see a binary table for our serial. what does it mean? it means that our name goes through a binary converter, so our serial will be printed in binary (ie: 10010101101). hm, that sounds difficult, and for me it was very difficult because I had never cracked any binary protection algo before, but I got some help from CoDe_InSide so I got the picture once I found the serial.
ok, now keep tracing with F10 and you will see stuff like this:
:004011D2 0FBE03 movsx eax, byte ptr [ebx] ; sign-extend the byte at [ebx] (one character) into eax
:004011D5 3C30 cmp al, 30 ; compare al with '0' (30h)
:004011D7 7C32 jl 0040120B ; jump if below '0'
:004011D9 3C39 cmp al, 39 ; compare al with '9' (39h)
:004011DB 7F19 jg 004011F6 ; jump if above '9'
:004011DD 0FAFC8 imul ecx, eax ; ecx = ecx * eax
:004011E0 01C1 add ecx, eax ; ecx = ecx + eax
:004011E2 D1E1 shl ecx, 1 ; ecx = ecx << 1 (ecx * 2)
:004011E4 83E830 sub eax, 00000030 ; eax = eax - 30h (ASCII digit -> value 0..9)
ok, this just walks over the characters and only accepts digits between 0 and 9 (anything outside '0'..'9' jumps out); the sub eax,30h turns the ASCII digit into its value. now continue tracing with F10 and you will see this:
:004011E7 668B1446 mov dx, word ptr [esi+2*eax] ; load the word at esi + 2*digit (a table lookup) into dx
:004011EB 668917 mov word ptr [edi], dx ; store that word at [edi] (the output buffer)
:00401219 BF001C4000 mov edi, 00401C00 ; edi = 00401C00 (first buffer)
:0040121E BE001B4000 mov esi, 00401B00 ; esi = 00401B00 (second buffer)
:00401223 33C0 xor eax, eax ; eax = 0
:00401225 33C9 xor ecx, ecx ; ecx = 0
:00401227 33D2 xor edx, edx ; edx = 0
:00401229 B220 mov dl, 20 ; edx = 20h = 32, the loop counter
:0040122B 8B07 mov eax, dword ptr [edi] ; 4 bytes from [edi] into eax
:0040122D 8B0E mov ecx, dword ptr [esi] ; 4 bytes from [esi] into ecx
:0040122F 33C1 xor eax, ecx ; compare: eax is 0 only if the two dwords are equal
:00401231 750B jne 0040123E ; if they differ (eax != 0) jump to bad boy
:00401233 83C704 add edi, 00000004 ; edi + 4, next dword in the first buffer
:00401236 83C604 add esi, 00000004 ; esi + 4, next dword in the second buffer
:00401239 4A dec edx ; edx - 1
:0040123A 75EF jne 0040122B ; not zero yet: loop back to mov eax,dword ptr[edi]
:0040123C EB18 jmp 00401256 ; all 32 dwords matched: good boy
This part is the compare section: the loop at 0040122B compares the two buffers (00401C00 and 00401B00) 4 bytes at a time, 20h = 32 times, so 128 bytes in all. The xor eax, ecx at 0040122F is the compare itself (eax ends up 0 only when the two dwords are equal, so jne jumps to the bad boy on the first difference).
because the serial is supposed to be in binary (1/0), one of the two buffers holds the binary serial for our name, so if you do: d edi you will see the binary code in the data window (it is very very long, so write it down like I did).
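As an added example (not part of the original tutorial), here is the compare loop at 0040122B written out in Python, so you can see exactly what the 20h counter and the xor eax,ecx / jne pair do. The 128-character '0'/'1' string used as the expected serial is constructed for the example and is not the real serial for any name; the zero padding of the buffers is also an assumption, the crackme's real memory layout past the typed text is not shown in the listing.

```python
import struct

DWORD_COUNT = 0x20             # mov dl, 20h: the loop body runs 32 times
BUF_LEN = DWORD_COUNT * 4      # 32 dwords * 4 bytes = 128 bytes, one per '0'/'1' character

# Constructed sample "expected" serial: 128 binary digits. This is NOT the real
# serial for any name, just something of the right length for the loop.
EXPECTED = "10110" * 25 + "101"


def pad_to_buffer(text: str) -> bytes:
    """Lay a string out the way we assume the crackme keeps it in memory:
    ASCII characters, zero-padded up to the 128 bytes the loop reads."""
    data = text.encode("ascii")
    if len(data) > BUF_LEN:
        raise ValueError("more than 128 characters: beyond the compare window")
    return data.ljust(BUF_LEN, b"\x00")


def compare_loop(edi_buf: bytes, esi_buf: bytes):
    """Emulate 0040122B..0040123C.

    Returns (reached_good_boy, index_of_first_differing_dword).
    """
    for edx in range(DWORD_COUNT, 0, -1):                 # edx counts 20h down to 1
        i = DWORD_COUNT - edx                              # dwords matched so far
        off = i * 4                                        # add edi,4 / add esi,4
        eax = struct.unpack_from("<I", edi_buf, off)[0]    # mov eax, dword ptr [edi]
        ecx = struct.unpack_from("<I", esi_buf, off)[0]    # mov ecx, dword ptr [esi]
        if eax ^ ecx:                                      # xor eax,ecx: ZF set only when equal
            return False, i                                # jne 0040123E -> bad boy
        # dec edx / jne 0040122B: go round again
    return True, None                                      # jmp 00401256 -> good boy


def first_bad_chars(edi_buf: bytes, esi_buf: bytes):
    """Translate the failing dword index into the byte offset and the 4 characters
    of the typed serial that did not match (None when the check passes)."""
    ok, i = compare_loop(edi_buf, esi_buf)
    if ok:
        return None
    return i * 4, esi_buf[i * 4:i * 4 + 4].decode("ascii", "replace")


if __name__ == "__main__":
    good = pad_to_buffer(EXPECTED)
    for typed in (EXPECTED, "123456789", EXPECTED[:60] + "0" + EXPECTED[61:]):
        buf = pad_to_buffer(typed)
        print(repr(typed[:16]), compare_loop(good, buf), first_bad_chars(good, buf))
```

Two things the emulation makes obvious: the loop bails out at the first dword that differs, so a wrong serial tells you nothing about anything past that group of 4 characters, and a serial like 123456789 dies on the very first dword, since the expected string is all '0' and '1' characters. That is why the whole 128-character string from d edi has to be copied, not just the start of it.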
so d edi for name: bengaly gives me this long binary code:
that was long, yeah I know, but it is easier to use a keygen (I don't know if I can make one, but maybe I will try).
so we need to convert the binary code we got to ASCII. how do we do it?
one way is to use "crackers tool", the other way is to do it yourself like this:
you see 1100010011011011? divide it into groups of 4, like this: 1100/0100/1101/1011, then take each group and convert it using a binary->ASCII table (each group of 4 bits is one hex digit, and two hex digits together make one ASCII byte).
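Added example, not part of the original tutorial: a small Python converter for that step. It accepts the string with or without the '/' separators, gives the hex digit for each group of 4 (which is what a binary->ASCII table of 4-bit groups really produces), the ASCII text for groups of 8, and the reverse direction in case you want to type a known string back in as binary. The sample strings are constructed; the write-up's own 1100010011011011 decodes to the bytes C4 DB, which are not printable ASCII, so the converter escapes such bytes as \xNN instead of silently printing garbage.

```python
import re


def clean_bits(s: str) -> str:
    """Drop the '/' separators and whitespace used in the write-up, keep only 0/1."""
    bits = re.sub(r"[\s/]", "", s)
    if not bits or set(bits) - {"0", "1"}:
        raise ValueError("input must contain only 0 and 1 (plus separators)")
    return bits


def group(bits: str, n: int) -> list:
    """Split a bit string into groups of n, refusing a length that does not divide."""
    if len(bits) % n:
        raise ValueError(f"bit string length {len(bits)} is not a multiple of {n}")
    return [bits[i:i + n] for i in range(0, len(bits), n)]


def bits_to_hex(s: str) -> str:
    """Groups of 4 -> one hex digit each (the 'binary->ascii table' step)."""
    return "".join(f"{int(g, 2):X}" for g in group(clean_bits(s), 4))


def bits_to_bytes(s: str) -> bytes:
    """Groups of 8 -> one byte each; this is what you need for real ASCII."""
    return bytes(int(g, 2) for g in group(clean_bits(s), 8))


def bits_to_text(s: str) -> str:
    """Render the bytes as ASCII, escaping anything non-printable as \\xNN so you
    notice when a group of bits was not a printable character."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}"
                   for b in bits_to_bytes(s))


def text_to_bits(t: str) -> str:
    """Reverse direction: ASCII -> the 0/1 string, 8 bits per character."""
    return "".join(f"{b:08b}" for b in t.encode("ascii"))


if __name__ == "__main__":
    sample = "1100/0100/1101/1011"          # the string from the write-up
    print(bits_to_hex(sample), bits_to_bytes(sample), bits_to_text(sample))
    print(bits_to_text("01100010 01100101"))  # constructed: 'b' 'e'
    print(text_to_bits("bengaly"))
```

Use groups of 8 (bits_to_text) when you want characters; bits_to_hex is only the intermediate step. If the 128-bit string from d edi decodes to mostly \xNN escapes, the serial is probably meant to be typed in as the raw 0/1 string rather than as the text behind it.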
ok, so after converting all the binary numbers we get this: