Ok, again I have decided to crack another great CrackMe by the insane opcode coder "CoDe_InSide" ;D so let's rock.
Ok, open the crackme: there are 2 text fields (name + serial).
I enter:
name: bengaly
serial: 123456789
Now pop up SoftICE; we will use the breakpoint bpx GetDlgItemTextA.
After setting the bpx press F5 / Ctrl+D to go back to the crackme and press the "REGISTER" button. SoftICE pops up on the first GetDlgItemTextA call (the name field); press F5 once more to stop on the call that reads the "fake serial" field, then press F12 to return to the caller.
We land here:
* Reference To: USER32.GetDlgItemTextA, Ord:0000h ; fake serial textA field
|
:0040109C FF155C1D4000 Call dword ptr [00401D5C] ; GetDlgItemTextA: read the user's input
:004010A2 5D pop ebp ; restore ebp
:004010A3 A3D81E4000 mov dword ptr [00401ED8], eax ; eax = length of the fake serial (chars copied), saved at 401ED8
:004010A8 33C0 xor eax, eax ; eax = 0
:004010AA 33C9 xor ecx, ecx ; ecx = 0
:004010AC 33D2 xor edx, edx ; edx = 0
:004010AE 33DB xor ebx, ebx ; ebx = 0
:004010B0 BF001F4000 mov edi, 00401F00 ; edi -> fake name buffer at 401F00
:004010B5 BE00184000 mov esi, 00401800 ; esi -> 401800
Ok, so this part is not hard ;D
Now we need to know where our serial is generated, so let's find the algo scheme; once we have it we can find the address where the real serial is built.
Open up W32Dasm, disassemble the crackme and save the listing as a txt file.
Open the txt file in a text editor (notepad) and look for the code I pasted above. Found it? Good. Now scroll a little further down until you reach the code listed under [ALGO SCHEME] below.
That code is the actual algo used to create the real serial and to compare it to our fake one.
In order to show where the real serial is generated I will explain the algo and point out the exact generating address ;D
But before we get to the algo addresses (where the real serial is generated) we cross some long loops, so either bpx on the address right after the loops, or keep pressing F10 (trace over) until you reach the correct address... that took me like 2-5 min of tracing :/
*Note: the algo is long, so keep an eye on what's going on.
[ALGO SCHEME]:
--------------
* Reference To: USER32.GetDlgItemTextA, Ord:0000h <= api of textA field
:0040123C 254F4F4F4F and eax, 4F4F4F4F ; keep bits 0-3 and 6 of every byte
:00401241 0D41414141 or eax, 41414141 ; set bits 0 and 6 -> every byte is now one of A,C,E,...,O
:00401246 8906 mov dword ptr [esi], eax ; store the 4 bytes at [esi]
:00401248 83C604 add esi, 00000004 ; esi += 4 (next dword)
:0040124B 8BC2 mov eax, edx ; eax = edx
:0040124D 803F00 cmp byte ptr [edi], 00 ; end of the name string (NUL) reached?
:00401250 75DC jne 0040122E ; not yet -> loop again (top of this loop, 0040122E, is not shown here)
:00401252 33C0 xor eax, eax ; eax = 0
:00401254 33D2 xor edx, edx ; edx = 0
:00401256 BF00154000 mov edi, 00401500 ; edi -> buffer at 401500
:0040125B BE001C4000 mov esi, 00401C00 ; esi -> buffer at 401C00
:00401260 A1D01E4000 mov eax, dword ptr [00401ED0] ; eax = dword at 401ED0 (the loop counter, which turns out to be the name length)
:00401265 93 xchg eax,ebx ; ebx = counter, eax = old ebx (0)
:00401266 33C9 xor ecx, ecx ; ecx = 0
:00401268 8B045F mov eax, dword ptr [edi+2*ebx]; load a dword at edi+2*ebx (edi grows by 4 and ebx shrinks by 1 each round, so the read address moves 2 bytes per round)
:0040126B 0FC8 bswap eax ; reverse the byte order of eax
:0040126D 8BD0 mov edx, eax ; edx = eax
:0040126F 8BC8 mov ecx, eax ; ecx = eax
:00401271 81E100FF0000 and ecx, 0000FF00 ; ecx = byte 1 of eax (still shifted)
:00401277 81E2000000FF and edx, FF000000 ; edx = byte 3 of eax (still shifted)
:0040127D 81E0FF000000 and eax, 000000FF ; eax = byte 0 of eax
:00401283 C1E008 shl eax, 08 ; eax = byte 0 << 8
:00401286 C1E908 shr ecx, 08 ; ecx = byte 1
:00401289 C1EA18 shr edx, 18 ; edx = byte 3
:0040128C 01C8 add eax, ecx ; eax += byte 1
:0040128E 01D0 add eax, edx ; eax += byte 3
:00401290 C1E808 shr eax, 08 ; eax >>= 8 -> byte 0 plus the carry out of (byte 1 + byte 3)
:00401293 244F and al, 4F ; keep bits 0-3 and 6 of al
:00401295 0C41 or al, 41 ; set bits 0 and 6 -> al is one of A,C,E,G,I,K,M,O (this is the real serial char)
:00401297 83C704 add edi, 00000004 ; edi += 4
:0040129A 0FB006 cmpxchg byte ptr [esi], al ; compare al with the byte at [esi]: equal -> ZF=1 and al is written to [esi]; not equal -> ZF=0 and [esi] is loaded into al <= the serial compare
:0040129D 7408 je 004012A7 ; char matched -> skip the push below (code at 004012A7 is not shown here)
:0040129F 6A01 push 00000001 ; mismatch: push 1 (the bad flag)
:004010A1 46 inc esi ; esi += 1 (next serial char)
:004012A2 4B dec ebx ; ebx -= 1 (one char less to go)
:004012A3 75C3 jne 00401268 ; ebx != 0 -> back to the top of the loop (mov eax, dword ptr [edi+2*ebx])
:004012A5 EB06 jmp 004012AD ; loop done -> go on to the API call
Long eh? Yes it is long and somewhat confusing... well it is; the first time I tried it I didn't find the address and the right compare, but good old CoDe_InSide gave me some good directions.
Ok, you noticed that the algo uses xchg to swap register values, but a close look at the end of the algo shows the interesting part:
This code is a loop. How do I know it's a loop? Look at address 004012A3: there is a jump back to 00401268, which is the beginning of the loop (the real-serial creation loop).
Inside that loop sits a little instruction: cmpxchg. It is a compare-and-exchange, not "compare any changes": it compares al with the byte at [esi] and sets ZF just like cmp would (and then either writes al to memory or loads memory into al, depending on the result). A compare followed by a je/jne means we are at the right place ;D
Now get to address 0040129A (cmpxchg byte ptr [esi], al) in SoftICE, either after 3-5 min of tracing or simply with bpx 0040129A.
If you look closely at the algo you will notice two hex numbers that are repeated: 41 / 4F (and al, 4F then or al, 41).
This means every serial char has bits 0 and 6 set and bits 4, 5 and 7 cleared, so the program builds the serial from the odd letters A, C, E, G, I, K, M, O only (ASCII 41 to 4F, odd values).
ok now to the magic part:
On the cmpxchg type ? EAX and you will get this:
0000004F 0000000079 "A"
Because this is the compare inside the loop, every time you stop at this address al holds the next real serial char, so eax shows a different value each round (loop, remember). Read eax before you step over the cmpxchg: on a mismatch the instruction overwrites al with the byte at [esi], so after it you would be reading your own fake serial char.
So keep tracing with F10; you will land on the same address again. Do ? EAX again and eax will have a different value. Keep doing it and write down the ASCII value of eax each time until execution leaves the loop. When it leaves, the program has finished creating the right serial; when every char matched, the push 00000001 is never taken and a 0 is pushed instead ;D
Notice that the loop runs once per char of the name we entered (ebx is the name length).
So the serial is exactly as long as the name you entered ;D (the loop count, too)
name: bengaly
serial: AAEKKIC
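The loop at 00401268-004012A3 in C, as an added example that is not code from the crackme or from the original tutorial. The earlier loop (before 0040123C) that fills the buffer at 00401500 is not on this page, so SAMPLE_BUF below is a constructed stand-in for that buffer, and the counter at 00401ED0 is taken to be the name length as the tutorial infers. Two of the constructed bytes are outside the A..O range on purpose so that the and/or mask and the carry out of the add get exercised; serial_char, gen_serial, check_serial and cmpxchg8 are names chosen here, not symbols in the crackme.

```c
/* Added example: C model of the serial-compare loop at 00401268-004012A3.
 * Not code from the crackme or the tutorial; SAMPLE_BUF is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t bswap32(uint32_t x) {           /* the bswap instruction */
    return (x >> 24) | ((x >> 8) & 0x0000FF00u) |
           ((x << 8) & 0x00FF0000u) | (x << 24);
}

/* Little-endian dword read, like mov eax, dword ptr [edi+2*ebx]. */
static uint32_t load_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* 0040126B..00401295: one dword in, one serial character out. */
uint8_t serial_char(uint32_t dword) {
    uint32_t eax = bswap32(dword);
    uint32_t ecx = (eax & 0x0000FF00u) >> 8;    /* byte 1 */
    uint32_t edx = (eax & 0xFF000000u) >> 24;   /* byte 3 */
    eax = (eax & 0x000000FFu) << 8;             /* byte 0 << 8 */
    eax = (eax + ecx + edx) >> 8;               /* byte 0 + carry of (byte 1 + byte 3) */
    uint8_t al = (uint8_t)eax;
    return (uint8_t)((al & 0x4F) | 0x41);       /* always one of A C E G I K M O */
}

/* Model of cmpxchg byte ptr [mem], al: returns ZF. On a mismatch the CPU
 * loads [mem] into AL, which is why EAX must be read before stepping over it. */
int cmpxchg8(uint8_t *mem, uint8_t *al) {
    if (*mem == *al) { *mem = *al; return 1; }
    *al = *mem;
    return 0;
}

/* Walk the loop for a name of `len` chars. edi starts at the buffer and grows
 * by 4, ebx starts at len and shrinks by 1, so round i reads the dword at byte
 * offset 2*len + 2*i. Returns the number of chars written, or -1 if the buffer
 * is too short for that (4*len + 2 bytes are touched). */
int gen_serial(const uint8_t *buf, size_t buflen, size_t len, char *out) {
    if (len == 0 || buflen < 4 * len + 2) return -1;
    for (size_t i = 0; i < len; i++)
        out[i] = (char)serial_char(load_le32(buf + 2 * len + 2 * i));
    out[len] = '\0';
    return (int)len;
}

/* Same walk, but with the cmpxchg against the user's serial; 1 = every char matched. */
int check_serial(const uint8_t *buf, size_t buflen, const char *user, size_t len) {
    if (len == 0 || buflen < 4 * len + 2 || strlen(user) < len) return 0;
    int bad = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t al = serial_char(load_le32(buf + 2 * len + 2 * i));
        uint8_t mem = (uint8_t)user[i];
        if (!cmpxchg8(&mem, &al)) bad = 1;      /* the push 00000001 path */
    }
    return !bad;
}

/* Constructed 30-byte stand-in for the buffer at 00401500 (4*7+2 bytes for a
 * 7-char name like "bengaly"). Bytes 23 (0x48) and 24 (0xC0) are outside the
 * A..O set on purpose: 0x48 shows the and/or mask, 0xC0 makes the add carry. */
static const uint8_t SAMPLE_BUF[30] = {
    0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,
    0x41,0x4F,0x4B,0x45,0x4D,0x41,0x4F,0x4B,0x43,0x48,0xC0,0x42,0x41,0x4D,0x41,0x41
};

int main(void) {
    char serial[8];
    gen_serial(SAMPLE_BUF, sizeof SAMPLE_BUF, 7, serial);
    printf("serial: %s  check: %d\n", serial,
           check_serial(SAMPLE_BUF, sizeof SAMPLE_BUF, serial, 7));
    return 0;
}
```

The bounds check in gen_serial matters because the crackme's addressing ([edi+2*ebx] with edi += 4, ebx -= 1) reads overlapping, unaligned dwords that reach 4*len + 2 bytes into the buffer; a model without it would read past a short buffer exactly where the original code would.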
Have Fun ;D
*Question: how do I take a snapshot from SoftICE?
*A: use Symbol Loader. After closing SoftICE open Symbol Loader and choose File -> Save SoftICE History ;D