Reversing Genocide Crew Crackme14
By CeyCey
Hi again,

I hope you read my first tut, which was for crackme4, because I gave lots of extra
info about SI (SoftICE) there, and in this tut I won't repeat the same things...
If you haven't read it, please read it first and then turn to this one. (For your benefit
:) )

Ok, let's burn!!

When you open the programme, the first impression is that it's easy to crack (if you are
an advanced cracker then it's easy, of course). But in this crackme there is no
serial that the programme calculates as the right one and then compares with our
serial! So read carefully!!

Now open the programme, open SI and set a breakpoint on hmemcpy! Quit,
press the Check button, and yes, we are in SI again! Press F12 until you are back in 32-bit code and
trace with F10 until you see this:

004286E6 MOV EAX,[EBP-04]
004286E9 CALL 004037A8 -----> type "d eax": you get 12345 (our serial)
004286EE CMP EAX,04
004286F1 JL 004287D6 -------> if we typed fewer than 4 digits, it jumps away to nowhere good
004286F7 MOV EAX,[EBP-04]
004286FA MOV EDX,0042880C
004286FF CALL 004038B8 ------> type "d eax" (12345); type "d edx" and in the data window you get
                               "2147483647..Good job.....Wow!..You got it...Oouuhh!!...Not yet.."

First I thought, it's crackme 14, so what did Gandalf want to do by coding this
kind of easy crack? (There is a fixed serial [2147483647], and I thought that if
I typed it I would crack it.)
Nope, I was wrong, it was only a trap!

Anyway, after I relaxed (having learned it's not as easy as I thought it would
be), I traced more,
and again lots of DEC, INC and ADD start, and after all these calculations you come
here!

00428771 JNZ 00428728 -----> JUMP ^ (jumps upward)
00428773 SUB EDI,[EBP-0C]
00428776 JNZ 004287C3 -----> bad message

At this point the programme jumped upward 4 times (to address 00428728), then
no more jump...
At address 00428776 we do the same trick again: "r fl z" (flip the zero flag so the JNZ to the bad message is not taken).
Now the elementary math starts (the words Gandalf wrote in the info of
this crackme).

00428782 MOV EAX,ECX
00428784 MOV ECX,0000000B
00428789 CDQ -------> eax = 12345 (our serial); 0000000B = 11 (what's that 11??)
0042878A IDIV ECX -----> divide eax (12345) by ecx (11)
0042878C MOV ECX,EAX ----> now ecx is 1122 (the result of 12345/11)
0042878E INC EBX ----> ebx counts how many times we have divided our serial by 11
0042878F CMP ECX,01 -----> compares ecx (the first time 1122) with 1
00428792 JNZ 00428782 ---> if not equal, jump upward to 00428782 and do the
                           same calculation again
00428794 CMP EBX,08 -----> after the loop, check whether our serial was divided by 11 (eleven) exactly 8 times
00428797 JNZ 004287AE ---> if it was divided 8 times (no jump), we go to the good
                           message!

What does all this code do?
What number must we type as the serial?
Yes, it must be divisible by 11, and it must be divisible by 11 eight times over!!!
That means 11x11x11x11x11x11x11x11 = 214358881 (11^8).

Ok, let's check it!
Wow, we got it!!!

But there is a problem: if this works, then what does the first part do, the one where we
typed "r fl z" on the JNZ?????
I went back to that place and tried to understand what's happening!
At

00428765 MOV EAX,[EBP-10]
00428768 CALL 00406444 -----> type "d eax"

when you type "d eax" (as I said, for "12345" the programme jumps upward 4 times),
at this address you can see 1 and nothing (the first time),
then after a turn 2 and 3, and the last time 4 and 5. It checks the sum of the digits in the odd positions
against the sum of the digits in the even positions and tries to divide the difference by 11 (open
your primary school books and look for the divisibility-by-11 rule :D ). If that is ok,
it tries the second part, which must be 214358881.

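The two checks described above, reimplemented in C as an added example. This is not the crackme's own source; it is reconstructed from the listing in this tut, and it assumes that EBX starts at 0 and that ECX holds the parsed serial when execution reaches 00428782. C's `/` on int truncates toward zero exactly like CDQ/IDIV, so the division chain counts the same way the debugger shows it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: a C reimplementation of the two serial checks reconstructed
   from the SoftICE listing above. It is not the crackme's own code. Assumed:
   EBX starts at 0 and ECX holds the parsed serial when 00428782 is reached. */

/* First part: the school "11 rule". A decimal number is divisible by 11 iff
   (sum of digits in odd positions) - (sum of digits in even positions) is
   itself divisible by 11. Returns 1 if the rule holds, 0 otherwise. */
int passes_alternating_sum_check(const char *serial)
{
    int odd_sum = 0, even_sum = 0;
    size_t len = strlen(serial);

    for (size_t i = 0; i < len; i++) {
        if (serial[i] < '0' || serial[i] > '9')
            return 0;                       /* non-digit: cannot pass */
        int digit = serial[i] - '0';
        if (i % 2 == 0)
            odd_sum += digit;               /* 1st, 3rd, 5th ... digit */
        else
            even_sum += digit;              /* 2nd, 4th, 6th ... digit */
    }
    return (odd_sum - even_sum) % 11 == 0;  /* -11 % 11 == 0 in C, so negatives are fine */
}

/* Second part: the loop 00428782..00428792. Returns the number of divisions
   needed to reach 1 (the EBX value at 00428794), or -1 if the guard trips.
   The guard is added here because, as listed, a quotient that reaches 0 would
   never equal 1 and the loop would never exit. */
int count_divisions_by_11(int serial_value, int max_iterations)
{
    int ebx = 0;                 /* INC EBX counter */
    int ecx = serial_value;      /* ECX holds the serial on entry (assumption) */

    do {
        if (ebx >= max_iterations)
            return -1;
        ecx = ecx / 11;          /* MOV EAX,ECX; MOV ECX,0000000B; CDQ; IDIV ECX; MOV ECX,EAX */
        ebx++;                   /* INC EBX */
    } while (ecx != 1);          /* CMP ECX,01; JNZ 00428782 */

    return ebx;
}

/* The whole check in the order the crackme performs it. */
int serial_is_good(const char *serial)
{
    if (strlen(serial) < 4)                     /* CMP EAX,04; JL 004287D6 */
        return 0;
    if (!passes_alternating_sum_check(serial))  /* JNZ 004287C3 -> bad message */
        return 0;
    return count_divisions_by_11(atoi(serial), 32) == 8;   /* CMP EBX,08 */
}

int main(void)
{
    /* constructed sample inputs: the tut's serial, the trap string, a short
       multiple of 11, and 11^8 */
    const char *samples[] = { "12345", "2147483647", "1111", "214358881" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %s\n", samples[i], serial_is_good(samples[i]) ? "good" : "bad");
    return 0;
}
```

Two things the reimplementation makes visible that the listing alone does not. Because IDIV truncates, the loop counts how many floor divisions by 11 it takes to reach 1, so as transcribed the second check accepts any value v with 11^8 <= v < 2*11^8, and together with the first part any multiple of 11 in that range, not only 214358881 itself. And a serial that passes the 11 rule but is smaller than 11^8 (such as "1111") has a quotient chain that drops to 0, which the listed loop never exits; that is why the reimplementation bounds the iteration count.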
Enough for now!

Wait for new tuts

Greetz to Gandalf and fALCON and other crackers!!

CeyCey