CoDe_InSiDe's PassMe Crackme Tutorial...

E-Mail: nh666@mail.ru

Tools needed: SoftIce v4.xx

Set a breakpoint on GetDlgItemTextA and trace:

; Password check of the PassMe crackme: read the edit-box text, derive a 32-bit
; constant from a string embedded in the binary, then (in the listing further
; below) compare that constant with the sum of the two dwords of the entered text.
; GetDlgItemTextA(hDlg, nIDDlgItem, lpString, cchMax) is stdcall, so arguments are
; pushed right to left; the cchMax push precedes this listing.
.00401049: 6800134000                   push      000401300 ;" @ " ; lpString: the buffer that is read back at 00401099
.0040104E: 68E8030000                   push      0000003E8 ;"  " ; nIDDlgItem = 1000, presumably the edit control's resource id
.00401053: FF7508                       push      d,[ebp][00008] ; hDlg, taken from the enclosing procedure's first argument
.00401056: FF15701D4000                 call      GetDlgItemTextA ;USER32.DLL ; eax = number of characters copied
.0040105C: 3C08                         cmp       al,008 ;"" ; only AL is compared: length must be 8 (any length = 8 mod 256 also passes)
.0040105E: 7590                         jne       000000FF0   -------- (1) ; wrong length -> failure path (target lies outside this listing)
.00401060: BFC2114000                   mov       edi,0004011C2 ;" @-" ; edi -> string embedded in the binary, walked two bytes at a time
.00401065: 33C9                         xor       ecx,ecx
.00401067: 33D2                         xor       edx,edx
.00401069: 33F6                         xor       esi,esi ; esi accumulates the derived constant
.0040106B: 8A0F                         mov       cl,[edi] ; loop: cl = first byte of the pair (only the low byte of ecx is replaced)
.0040106D: 8A5701                       mov       dl,[edi][00001] ; dl = second byte of the pair
.00401070: 80FA00                       cmp       dl,000 ;" " ; a zero second byte ends the walk
.00401073: 7409                         je       .00040107E   -------- (2)
.00401075: 01D1                         add       ecx,edx ; ecx += edx; the upper bytes of ecx carry over into the next iteration
.00401077: 01CE                         add       esi,ecx ; esi += ecx
.00401079: 83C702                       add       edi,002 ;"" ; advance to the next pair
.0040107C: EBED                         jmps     .00040106B   -------- (3)
.0040107E: 01CE                         add       esi,ecx ; one more add of the final ecx after the loop exits
.00401080: 0FAFF0                       imul      esi,eax ; eax is untouched since the call, so this is esi * (text length); the constant depends on the length
.00401083: F7FE                         idiv      esi ; edx:eax / esi with edx = 0 here: eax = quotient, edx = remainder; a zero esi would raise #DE
.00401085: 01F6                         add       esi,esi ; esi = 2*esi + remainder
.00401087: 01D6                         add       esi,edx
.00401089: 8BD6                         mov       edx,esi
.0040108B: C1C210                       rol       edx,010 ;"" ; mix the two 16-bit halves: esi += rol(esi, 16)
.0040108E: 01D6                         add       esi,edx
.00401090: 33D2                         xor       edx,edx
.00401092: BF00134000                   mov       edi,000401300 ;" @ " ; edi -> the password buffer filled by the call at 00401056
.00401097: 33C0                         xor       eax,eax

; in esi we have 455b455bh

; Final comparison: the text is accepted when the two little-endian dwords of the
; 8-byte input add (32-bit, wrapping) to the constant derived above. Many different
; inputs share one sum, which is why the small brute-force search below succeeds quickly.
.00401099: 8B07                         mov       eax,[edi] ; first 4 chars of the entered code
.0040109B: 8B4F04                       mov       ecx,[edi][00004] ; other 4 chars of the code
.0040109E: 01C8                         add       eax,ecx ; sum them (32-bit add, wraps)
.004010A0: 3BC6                         cmp       eax,esi ; and compare with 455b455bh

So, for example, a valid password is '!!!!:$:$' ('!!!!' is the dword 21212121h and ':$:$' is 243A243Ah; they add up to 455B455Bh).

This is a brute-forcer for keys, written in Pascal:


{ Brute-forcer for the PassMe check: the program accepts an 8-byte text whose two
  little-endian dwords sum to $455B455B. Walk the first four bytes over a small
  printable range, derive the remaining four by subtraction, and print the first
  candidate whose derived bytes are all printable ASCII ($21..$7A). }
const
  Target    = $455b455b;     { value the crackme compares the dword sum against }
  Printable = [$21..$7a];    { accepted byte values: '!' .. 'z' }

var
  rest: LongInt;             { Target minus the dword formed by the first four bytes }
  c1, c2, c3, c4: Byte;      { searched bytes (first dword) }
  d1, d2, d3, d4: Byte;      { derived bytes (second dword) }

{ Return byte number n (0 = least significant) of v. }
function ByteAt(v: LongInt; n: Byte): Byte;
begin
  ByteAt := (v shr (8 * n)) and $ff;
end;

begin
 asm mov ax,03h; int 10h; end;   { BIOS text mode 3: clears the screen }
  for c1 := $21 to $41 do
    for c2 := $22 to $41 do
      for c3 := $23 to $41 do
        for c4 := $24 to $41 do
        begin
          { the check adds both dwords, so the second one must be Target - first }
          rest := Target - (c1 + $100 * c2 + $10000 * c3 + $1000000 * c4);
          d1 := ByteAt(rest, 0);
          d2 := ByteAt(rest, 1);
          d3 := ByteAt(rest, 2);
          d4 := ByteAt(rest, 3);
          if (d1 in Printable) and (d2 in Printable)
             and (d3 in Printable) and (d4 in Printable) then
          begin
            writeln(chr(c1), chr(c2), chr(c3), chr(c4), chr(d1), chr(d2), chr(d3), chr(d4));
            halt;
          end;
        end;
end.

that's all

/nh
