Okay now it moves the serials offset into edx, and moves [edx+eax-01] into
eax - [offset of serial+2-1]. and that gives us [offset of serial+1] so that
would be the next char in our serial. and 2nd char is 2, and 2 in hex is 32,
so eax is now 32. Then it says eax - 30, so now eax is 2. Now it checks if
eax is 0 and it will jump if it's greater. And since 2 is higher than 0, it
will jump to 441bbb.
:00441BBB 8B55FC mov edx, dword ptr [ebp-04]
:00441BBE 0FB67402FF movzx esi, byte ptr [edx+eax-01]
:00441BC3 83EE30 sub esi, 00000030
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00441B4F(C), :00441BB9(C)
|
:00441BC6 8B55FC mov edx, dword ptr [ebp-04]
:00441BC9 0FB65432FF movzx edx, byte ptr [edx+esi-01]
:00441BCE 8B4DFC mov ecx, dword ptr [ebp-04]
:00441BD1 0FB64401FF movzx eax, byte ptr [ecx+eax-01]
:00441BD6 03F0 add esi, eax
:00441BD8 3BD6 cmp edx, esi
:00441BDA 751B jne 00441BF7
Okay now it will mov the offset of the serial into edx. Then it will move
[edx+eax-01] into esi. [offset of serial + 2 - 1] the same as before, esi
will have the 2nd char (32). Then esi - 30, so now esi is 2. Once again
it will mov the offset of the serial into edx, Then it will move the 2nd
char into edx (32). Then it will move the offset of the serial into ecx,
and move the 2nd char into eax (32). Now eax is 32, edx is 32 and esi is 2.
At line 441bd6 it will add esi to eax - esi = esi + eax (esi = 2 + 32). So
now esi is 34. Then it will compare edx to esi (cmp 32 to 34) and jump if
it's not equal .. it will jump to the nasty messagebox.
This might seem pretty confusing, but it's really not. if the serial was
23456 then eax=2, esi=(offset+eax-1)-30, edx=offset+esi-1, eax=offset+eax-1.
esi+eax. This would be:
eax=first char
eax=char number[eax]
esi=char number[eax]
esi-30
edx=char number[esi]
eax=char number[eax]
esi+eax
check if edx is equal to esi
With the serial 23456
eax=2
eax=3
esi=4
edx=5
eax=4
esi+eax=8
check if edx is equal to esi+eax - 5 = 8 ?
So now we know that edx has to be 8, and edx is the 4th char. So the
right serial could be 23486, the last number we really don't use, so it would
be 2348. Try the serial out, it works :) Next protection
The next protection is a name and serial, and again a name and serial has
already been entered. Crudd[TeX] and 12345666. So we just press the check it
button, "sorry, you suck" ... okay break on messageboxa and you will land here:
:00441D20 6A00 push 00000000
* Possible StringData Ref from Code Obj ->"Crudd Me 1. 0"
|
:00441D22 68941D4400 push 00441D94
* Possible StringData Ref from Code Obj ->"Sorry, you suck"
|
:00441D27 68A41D4400 push 00441DA4
:00441D2C 8BC3 mov eax, ebx
:00441D2E E8D165FEFF call 00428304
:00441D33 50 push eax
* Reference To: user32.MessageBoxA, Ord:0000h
|
:00441D34 E89B48FCFF Call 004065D4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00441D1E(U)
|
:00441D39 33C0 xor eax, eax <--- ** you land here **
So just scroll up a bit to this:
:00441CDD 8B45F8 mov eax, dword ptr [ebp-08]
:00441CE0 E8631EFCFF call 00403B48
:00441CE5 8B55F8 mov edx, dword ptr [ebp-08]
:00441CE8 0FB632 movzx esi, byte ptr [edx]
:00441CEB 8B55F8 mov edx, dword ptr [ebp-08]
:00441CEE 0FB65402FF movzx edx, byte ptr [edx+eax-01]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00441C8C(C)
|
:00441CF3 0FAFF2 imul esi, edx
:00441CF6 0FAFF0 imul esi, eax
:00441CF9 8B45FC mov eax, dword ptr [ebp-04]
:00441CFC E8375DFCFF call 00407A38
:00441D01 3BF0 cmp esi, eax
:00441D03 751B jne 00441D20
Okay .. first it moves the offset of the name into eax. After the call at
441ce0 it will return the length of the name into eax. Now it moves the
offset of the name into edx. moves the byte at edx into esi - moves the first
char into esi. The first char is C (67 in decimal). Then it moves the offset
of the name into edx again .. hmmm waste ;) then moves the byte at [edx+eax-1]
into edx. [offset of name+length of name-1] and that would be the last char
of the name which is ']' (93 in decimal). Now it multiplies esi with edx,
67*93 = 6231. and then multiply esi with eax. 6231*10 = 62310.
This means ((first char * last char) * length of name). After this it moves
the offset of the serial into eax, and calls a routine that moves the hex
of the serial into eax. Then it compares esi to eax, and jumps to the nasty
messagebox if it's not equal.
So this is pretty easy, esi has the real serial and eax has
our fake serial. So what you can do here is type '? esi' in sice, and it
will display esi as a decimal (62310), type '? eax' will display our fake
serial. k .. so now all we have to do is write 62310 as the serial. press the
check it button, did it work ? cewl. The name woody, w=119, y=121, 119*121=14399
, 14399*lenght = 71995. The serial for woody is 71995. The serial for wkvsy
is 71995 too, so it's a bad way to calculate serials. Next protection:
This next protection is the Patch me one. This is the place where we're allowed
to patch .. well it's pretty obvious how to crack it, press the
patch me menuitem, and a messagebox will appear saying "nop, try again", so we
set a breakpoint a messageboxa. and you will land here:
:0044171B 6A00 push 00000000
* Possible StringData Ref from Code Obj ->"Sorry. You Suck"
|
:0044171D 6854174400 push 00441754
* Possible StringData Ref from Code Obj ->"Nope. Try Again."
|
:00441722 6868174400 push 00441768
:00441727 8BC3 mov eax, ebx
:00441729 E8D66BFEFF call 00428304
:0044172E 50 push eax
* Reference To: user32.MessageBoxA, Ord:0000h
|
:0044172F E8A04EFCFF Call 004065D4
:00441734 5B pop ebx <--- ** you land here **
:00441735 C3 ret
So we scroll up a bit ..:
:00441711 8BD8 mov ebx, eax
:00441713 B801000000 mov eax, 00000001
:00441718 48 dec eax
:00441719 751B jne 00441736
That was pretty easy! patch line 441719 751B to EB1B so it will always jump
no matter what. did it work ? sure it did :) Next...
Okay for menuitems that needs to be enabled, it's pretty easy to patch this,
this way: First open the .exe file and search for the string 'Enable me',
first it finds the 'Enable me completed, good head job" which is the messagebox
it will show when completing this easy crackme. The next will be this:
43 61 70 74-69 6F 6E 06-0A 26 45 6E-61 62 6C 65 ..........Enable
20 4D 65 07-45 6E 61 62-6C 65 64 08-07 4F 6E 43 me.enabled.....
Something like this ... just after the enabled text the hex is 08. Change that
to 09, and the Enable me menuitem is enabled. very easy and quick.
There you go ... one crackme down ;)
-wOODY^dRN