
  1. Oliver's Crackme keygenning tutorial by nh.
  2.  
  3. E-Mail: nh666@mail.ru
  4.  
  5. Tools needed: SoftIce v4.xx, IDA v3.xx-4.xx, Tasm v5.0
  6.  
  7. This crackme is rather easy, so I describe only the key-generation algorithm.
  8. The crackme was written in Delphi, so we set a breakpoint on hmemcpy; after pressing F12 
  9. a few times (or you can find it in IDA via string references) 
  10. we see the following piece of code (commented in IDA):
  11.   
  12.   
  13. CODE:00430CC0              mov     eax, [ebp-4]
  14. CODE:00430CC3 
  15. CODE:00430CC3 ShortName:                  ;    CODE XREF: CODE:00430C50j
  16. CODE:00430CC3              call    sub_0_403938
  17. CODE:00430CC8              cmp     eax, 6
  18. CODE:00430CCB              jge     short NameIsGood
  19. CODE:00430CCD              mov     eax, offset aNameMustBeAtLe
  20. CODE:00430CD2              call    sub_0_42EB3C
  21. CODE:00430CD7              jmp     Bad
  22. CODE:00430CDC ;    ───────────────────────────────────────────────────────────────────────────
  23. CODE:00430CDC 
  24. CODE:00430CDC NameIsGood:                  ;    CODE XREF: CODE:00430CCBj
  25. CODE:00430CDC              cmp     dword ptr    [ebp-8], 0
  26. CODE:00430CE0              jnz     short loc_0_430D16
  27. CODE:00430CE2              mov     eax, offset aEnterASerial
  28. CODE:00430CE7              call    sub_0_42EB3C
  29. CODE:00430CEC              jmp     Bad
  30. CODE:00430CF1 ;    ───────────────────────────────────────────────────────────────────────────
  31. CODE:00430CF1 
  32. CODE:00430CF1 FirstCycle:                  ;    CODE XREF: CODE:00430D20j
  33. CODE:00430CF1              mov     eax, [ebp-4]
  34. CODE:00430CF4              call    sub_0_403938
  35. [...skipped...]
  36. CODE:00430D16              mov     eax, [ebp-4]
  37. CODE:00430D19              call    sub_0_403938
  38. CODE:00430D1E              cmp     ebx, eax
  39. CODE:00430D20              jl      short FirstCycle
  40. CODE:00430D22              mov     ebx, 1
  41. CODE:00430D27              jmp     short loc_0_430D5F
  42. CODE:00430D29 ;    ───────────────────────────────────────────────────────────────────────────
  43. CODE:00430D29 
  44. CODE:00430D29 SecondCycle:                  ;    CODE XREF: CODE:00430D69j
  45. CODE:00430D29              push    dword ptr    [ebp-14h]
  46. [...skipped...]
  47. CODE:00430D67              cmp     ebx, eax
  48. CODE:00430D69              jl      short SecondCycle
  49. CODE:00430D6B              mov     ebx, 1
  50. CODE:00430D70              lea     eax, [ebp-0Ch]
  51. CODE:00430D73              call    sub_0_4036BC
  52. CODE:00430D78              jmp     short loc_0_430DC7
  53. CODE:00430D7A ;    ───────────────────────────────────────────────────────────────────────────
  54. CODE:00430D7A 
  55. CODE:00430D7A ThirdCycle:                  ;    CODE XREF: CODE:00430DD2j
  56. CODE:00430D7A              lea     eax, [ebp-24h]
  57. CODE:00430D7D              mov     edx, [ebp-14h]
  58. [...skipped...]
  59. CODE:00430DCF              dec     eax
  60. CODE:00430DD0              cmp     ebx, eax
  61. CODE:00430DD2              jl      short ThirdCycle
  62. CODE:00430DD4              mov     ebx, 1
  63. CODE:00430DD9              lea     eax, [ebp-14h]
  64. CODE:00430DDC              call    sub_0_4036BC
  65. CODE:00430DE1              jmp     short loc_0_430DFF
  66. CODE:00430DE3 ;    ───────────────────────────────────────────────────────────────────────────
  67. CODE:00430DE3 
  68. CODE:00430DE3 FourthCycle:                  ;    CODE XREF: CODE:00430E09j
  69. CODE:00430DE3              lea     edx, [ebp-1Ch]
  70. [...skipped...]
  71. CODE:00430E02              call    sub_0_403938
  72. CODE:00430E07              cmp     ebx, eax
  73. CODE:00430E09              jl      short FourthCycle
  74.  
  75. After these 4 cycles, we can see the generated string.
  76. The algorithm is easy. Let the name be 'abcdefg'.
  77.  
  78. So, first, we get 110033b110022c... etc., where 103, 102, ... are the character codes of
  79. 'g', 'f', etc.
  80.  
  81. Then we convert each character to its decimal character code:
  82.  
  83. 4949484851519849...etc
  84.  
  85. CODE:00430E0B              mov     ebx, 3
  86. CODE:00430E10              lea     eax, [ebp-0Ch]
  87. CODE:00430E13              call    sub_0_4036BC
  88. CODE:00430E18              cmp     ebx, 30h
  89. CODE:00430E1B              jge     short ExitFifthCycle
  90. CODE:00430E1D 
  91. CODE:00430E1D FifthCycle:                  ;    CODE XREF: CODE:00430E3Dj
  92. CODE:00430E1D              lea     eax, [ebp-1Ch]
  93. CODE:00430E20              mov     edx, [ebp-14h]
  94. CODE:00430E23              mov     dl, [edx+ebx-1]
  95. CODE:00430E27              call    sub_0_403860
  96. CODE:00430E2C              mov     edx, [ebp-1Ch]
  97. CODE:00430E2F              lea     eax, [ebp-0Ch]
  98. CODE:00430E32              call    sub_0_403940
  99. CODE:00430E37              add     ebx, 3
  100. CODE:00430E3A              cmp     ebx, 30h
  101. CODE:00430E3D              jl      short FifthCycle
  102. CODE:00430E3F 
  103. CODE:00430E3F ExitFifthCycle:                  ;    CODE XREF: CODE:00430E1Bj
  104. CODE:00430E3F              mov     ebx, 1
  105. CODE:00430E44              jmp     short loc_0_430EA1
  106. CODE:00430E46 ;    ───────────────────────────────────────────────────────────────────────────
  107.  
  108. In the 5th cycle we take every 3rd character (ebx starts at 3 and is incremented by 3, and [edx+ebx-1] reads the character at that 1-based position):
  109.  
  110. For example: we have: s1=4949484851515555..
  111.              we get : s2=4851...
  112.  
  113.  
  114. CODE:00430E46 
  115. CODE:00430E46 LastCycle:                  ;    CODE XREF: CODE:00430EABj
  116. CODE:00430E46              mov     eax, [ebp-4]
  117. [...skipped...]
  118. CODE:00430EA4              call    sub_0_403938
  119. CODE:00430EA9              cmp     ebx, eax
  120. CODE:00430EAB              jle     short LastCycle
  121.  
  122. In the last cycle:
  123. let:
  124. name='abcdefg', so the length of the name is 7
  125. s1='4949484851519849...'
  126.     |
  127. s2='4851...'
  128. we do the following:
  129. subtract from the first character of s2 the (length_of_name-2)th character of s1, and so on:
  130.  
  131. s3='0017...' - this is our key
  132.  
  133. then compare:
  134.  
  135. CODE:00430EAD              mov     eax, [ebp-0Ch]
  136. CODE:00430EB0              mov     edx, [ebp-8]
  137. CODE:00430EB3              call    Comparing
  138. CODE:00430EB8              jnz     short Bad
  139. CODE:00430EBA              mov     eax, offset aYouGotIt
  140. CODE:00430EBF              call    sub_0_42EB3C
  141. CODE:00430EC4 
  142. CODE:00430EC4 Bad:                      ;    CODE XREF: CODE:00430CD7j
  143.  
  144. I'm sorry for the bad English and the very ugly tutorial and keygen sources...=)))
  145. but it works....%))
  146.  
  147. c'ya
  148.