Target: Crackme V0.5 by oxcart^CookieCrk

Goal  : Find a serial for your name

Tutor : Miele

Level : Newbie/beginner

Tools : SI, WDasm, Hex Calculator (the one in Windows will do :)

Well, I'm back with a new tutorial for newbies/beginners...
The crackme is fairly easy if you want to patch it, but the goal is that you can find the correct serial for your name.

First of all, we start WDasm32 and open the crackme. Like always, we check the String References. Two strings catch our attention: "Thank you for support :)" and "You have entered invalid registration".
Let's go for the second one (-> double-click it).

Here's what we see:


* Reference To: USER32.SendDlgItemMessageA, Ord:0000h
                                  |
:004011B3 E81A010000              Call 004012D2
:004011B8 8B15E0224000            mov edx, dword ptr [004022E0]
:004011BE FFD2                    call edx                         
:004011C0 E89F000000              call 00401264
:004011C5 85C0                    test eax, eax
:004011C7 7407                    je 004011D0                   //jump to bad guy-code if eax==0 (serial wrong)

* Possible StringData Ref from Data Obj ->"Thank you for support :)"
                                  |
:004011C9 BB50204000              mov ebx, 00402050
:004011CE EB05                    jmp 004011D5

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004011C7(C)
|

* Possible StringData Ref from Data Obj ->"You have entered invalid registration "
                                        ->"number."
                                  |
:004011D0 BB04204000              mov ebx, 00402004



Well, we can see the conditional jump at address 4011C7. We could patch this jump, and we get the 'well done'-message every time, no matter what serial you type! But that would be too easy huh?!?
We want to find the serial that matches our name, without patching the program.

To find this serial, we have to launch SI, to see what's in the call at address 4011C0.
We launch SI, and we put a breakpoint on SendDlgItemMessageA (we saw this in WDasm32)

**comment: putting a breakpoint on GetDlgItemTextA would work fine too, but we would have to step some more until we get to the call at address 4011C0**

Now enter a name and serial in the crackme.
I entered: Name   -> Miele
           Serial -> 123456

Now, press OK. SI breaks on our breakpoint... Now press F11 and we're in the crackme.
Now step until you are at the call at address 4011C0 and enter it.
This is what we see:


:00401264 33DB                    xor ebx, ebx                   //ebx=0
:00401266 8B0DD7224000            mov ecx, dword ptr [004022D7]  //move length of serial to ecx
:0040126C BE6B224000              mov esi, 0040226B              //move pointer to serial in esi
:00401271 83E000                  and eax, 00000000              
:00401274 51                      push ecx                       
:00401275 8A06                    mov al, byte ptr [esi]         //move 1st char. of serial to al 
:00401277 3C39                    cmp al, 39                     //compare it with 39
:00401279 7E04                    jle 0040127F                   //if lower or equal->jump
:0040127B 2C27                    sub al, 27                     //else subtract 27
:0040127D 0C20                    or al, 20                      

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401279(C)
|
:0040127F 2C30                    sub al, 30                    //subtract 30 from al
:00401281 46                      inc esi                       //esi+1            
:00401282 83E901                  sub ecx, 00000001             //ecx-1 
:00401285 6BC904                  imul ecx, 00000004            //ecx*4
:00401288 D3E0                    shl eax, cl                   //eax*2^cl (cl=20 on the 1st pass)
:0040128A 03D8                    add ebx, eax                  //ebx=ebx+eax
:0040128C 59                      pop ecx
:0040128D E0E2                    loopnz 00401271               //next char, until ecx=0
:0040128F 33C0                    xor eax, eax                  //eax=0 (bad guy by default)
:00401291 33D3                    xor edx, ebx                  //edx=hash-key XOR serial
:00401293 81FAAB0CAD0D            cmp edx, 0DAD0CAB             //compare edx with 0DAD0CAB
:00401299 7501                    jne 0040129C                  //jump if not equal
:0040129B 40                      inc eax                       //eax=1 -> good guy

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401299(C)
|
:0040129C C3                      ret


The length of the serial we entered is put in ecx (in my case 6 characters).
The serial itself can be found at esi (we can see this by typing: d esi).
A little further, at address 401275, we can see that the first character of our serial is moved to al. Then there are a few operations to convert it from an ASCII hex digit to its numeric value.

At address 401282 we see that 1 is subtracted from ecx, followed by multiplying ecx by 4.
After that, eax is shifted left by cl. (In my case, there was 14h in cl, which is 20 in decimal.)
Shifting left by 20 is the same as multiplying by 2^20. Then, eax is added to ebx. This repeats for every character, so the whole serial ends up in ebx as one hex number.

Now, here is the important part!!

At address 401291 we see that edx is XOR'ed with ebx, and the result is then compared with 0DAD0CAB.
In EDX is a hash-key which is calculated from our name in the call at address 4011BE.
In my case (with the name Miele) the value in edx is 56C80061. This is XOR'ed with ebx, which holds our serial (in my case 123456). To get to the good-guy code, the serial XOR'ed with 56C80061 (calculated from our name) should be 0DAD0CAB (this is the hash-code). But it isn't, because we entered the wrong serial...

In schematic form:

        serial XOR hash-key  = hash-code
        123456 XOR 56C80061 should be 0DAD0CAB
             ? XOR 56C80061 = 0DAD0CAB

In order to find the '?' (= correct serial) we have to reverse the hash-code.
We can do this by XOR'ing the hash-key with the hash-code, because XOR is its own inverse.

        In my example: 56C80061 XOR 0DAD0CAB = 5B650CCA

This 5B650CCA is our correct serial for MY name (=Miele)! Try it!!

If you want to write a keygen, you can do this: compute the hash-key for the name and XOR it with 0DAD0CAB. The call where the hash-key is calculated from the name is at address 4011BE.
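As an added example (not part of Miele's tutorial), here is a Python model of the check routine at 401264 reconstructed from the listing above, together with the XOR reversal. The name-hash routine at 4011BE is not shown on this page, so the hash-key (56C80061 for the name "Miele") is passed in as a parameter rather than computed.

```python
HASH_CODE = 0x0DAD0CAB  # the constant compared against at 00401293


def parse_serial(serial: str) -> int:
    """Model of the loop at 00401271-0040128D: read the serial as a hex number.

    Each character goes through the cmp/sub/or/sub sequence that turns an
    ASCII hex digit ('0'-'9', 'A'-'F', 'a'-'f') into its 4-bit value, then
    it is shifted left by 4*(remaining-1) and added to ebx.
    """
    ebx = 0
    ecx = len(serial)  # length of the serial, as loaded at 00401266
    for ch in serial:
        al = ord(ch) & 0xFF
        if 0x39 < al < 0x80:  # 'cmp al,39 / jle' is a signed compare
            al = ((al - 0x27) | 0x20) & 0xFF  # 'A' and 'a' both become 0x3A
        al = (al - 0x30) & 0xFF  # '0' -> 0, 'A'/'a' -> 0x0A
        ecx -= 1
        eax = (al << ((ecx * 4) & 31)) & 0xFFFFFFFF  # shl eax,cl uses cl & 31
        ebx = (ebx + eax) & 0xFFFFFFFF
        if ebx == 0:  # loopnz also stops on ZF=1, set when the add left ebx=0
            break
    return ebx


def check_serial(hash_key: int, serial: str) -> bool:
    """The compare at 00401293: good guy only when hash_key XOR serial == HASH_CODE."""
    return (hash_key ^ parse_serial(serial)) == HASH_CODE


def keygen(hash_key: int) -> str:
    """XOR is its own inverse, so the serial is simply hash_key XOR HASH_CODE.

    Printed without zero padding: a leading '0' would leave ebx=0 after the
    first add and make loopnz end the loop early (see parse_serial).
    """
    return f"{hash_key ^ HASH_CODE:X}"


if __name__ == "__main__":
    miele_key = 0x56C80061  # hash-key the tutorial saw in edx for "Miele"
    print(check_serial(miele_key, "123456"))          # False, wrong serial
    print(keygen(miele_key))                          # 5B650CCA
    print(check_serial(miele_key, keygen(miele_key))) # True
```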

I hope everything is clear, else mail me @ miele@biw-reversing.cjb.net

Bye for now!

Miele

Visit our site: www.biw-reversing.cjb.net
