

                     L                ZZZZZZ         RRRRR           SSSSS
                     L                    Z          R    R         S
                     L          aaa      Z      aaa  R    R  u   u  S
                     L            a     Z         a  RRRRR   u   u  SSSSS
               XX    L         aaaa    Z       aaaa  R    R  u   u       S
              XXXX   L        a   a   Z       a   a  R    R  u   u       S
             XXXXXX  LLLLLLL  aaaaa  ZZZZZZZ  aaaaa  R    R  uuuuu  SSSSSS
             XXXXXX       
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
       XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
             XXXXXX
             XXXXXX
               XXXX        proudly presents his 21st Cracking Tutorial (04.07.1999)
                XX                   Cruehead's CrackMe 3.0

I.    Introduction
I.1   Tools you need for my tutorial
II.   The Crack
VI.   BTW
VII.  All Tutorials by LaZaRuS

I.   Welcome to my 21st cracking tutorial.
     This time I will describe my first Keyfile crack :) Though it was quite easy, I am still
     happy about it :)))

I.1  W32Dasm 8.9
     Cruehead's CrackMe 3.0
 
II.  The crack
     When you disassemble the CrackMe with W32Dasm (Sorry, Crue - I still have no SICE here)
     you will easily see a string in the String Data References that looks like the name of a
     keyfile: CRACKME3.KEY. Luckily this really is the file the program tries to open, as the
     CreateFileA call below shows.
     So let's start - You should see this:

     :00401021 6A03                    push 00000003     ;; dwShareMode = FILE_SHARE_READ | FILE_SHARE_WRITE
     :00401023 68000000C0              push C0000000     ;; dwDesiredAccess = GENERIC_READ | GENERIC_WRITE

     * Possible StringData Ref from Data Obj ->"CRACKME3.KEY"
                                       |
     :00401028 68D7204000              push 004020D7     ;; lpFileName = "CRACKME3.KEY"

     * Reference To: KERNEL32.CreateFileA, Ord:0000h
                                       |
     :0040102D E876040000              Call 004014A8     ;; open the file "CRACKME3.KEY"
     :00401032 83F8FF                  cmp eax, FFFFFFFF ;; handle == INVALID_HANDLE_VALUE ?
     :00401035 750C                    jne 00401043      ;; no -> the file exists, go on and read it

     --- snip ---  ;; else show "Uncracked" message

     :00401052 6A00                    push 00000000     ;; lpOverlapped = NULL
     :00401054 68A0214000              push 004021A0     ;; lpNumberOfBytesRead -> [004021A0]
     :00401059 50                      push eax          ;; nNumberOfBytesToRead
     :0040105A 53                      push ebx          ;; lpBuffer (the file contents go here)
     :0040105B FF35F5204000            push dword ptr [004020F5] ;; hFile (handle saved from CreateFileA)

     * Reference To: KERNEL32.ReadFile, Ord:0000h
                                       |
     :00401061 E830040000              Call 00401496     ;; read the keyfile into the buffer
     :00401066 833DA021400012          cmp dword ptr [004021A0], 00000012 ;; exactly 12h (18) bytes read?
     :0040106D 75C8                    jne 00401037      ;; if not, jump to "Uncracked"
     :0040106F 6808204000              push 00402008     ;; address of the buffer holding the file contents
     :00401074 E898020000              call 00401311     ;; decrypt the first 14 bytes and sum them into [004020F9]
     :00401079 8135F920400078563412    xor dword ptr [004020F9], 12345678 ;; XOR the sum with 12345678h
     :00401083 83C404                  add esp, 00000004 ;; clean up the argument
     :00401086 6808204000              push 00402008     ;; buffer address again
     :0040108B E8AC020000              call 0040133C     ;; eax = the last 4 bytes of the keyfile as a dword (routine not shown)
     :00401090 83C404                  add esp, 00000004
     :00401093 3B05F9204000            cmp eax, dword ptr [004020F9] ;; compare the two values
     :00401099 0F94C0                  sete al           ;; al = 1 if they are equal
     :0040109C 50                      push eax          ;; save the result
     :0040109D 84C0                    test al, al       ;; flag set?
     :0040109F 7496                    je 00401037       ;; if not, jump to "Uncracked"
     
     Don't wonder where I got this information. I found all this out during my cracking approach.
     Later you will get it, too.
     OK, create a file CRACKME3.KEY with a size of exactly 18 bytes. I just wrote 666999666999666999
     into a plain text file. Then let's have a look at the call to :00401311, which is taken when the
     file has the correct size.

     * Referenced by a CALL at Address:
     |:00401074   
     |
     :00401311 33C9                    xor ecx, ecx  ;; ecx = 0 (counts the name characters)
     :00401313 33C0                    xor eax, eax  ;; eax = 0 (only al is written below)
     :00401315 8B742404                mov esi, dword ptr [esp+04]  ;; esi -> file contents
     :00401319 B341                    mov bl, 41 ;; bl = 41h, the XOR key for the first byte

     * Referenced by a (U)nconditional or (C)onditional Jump at Address:
     |:00401333(C)
     |
     :0040131B 8A06                    mov al, byte ptr [esi]  ;; al = current byte of the file
     :0040131D 32C3                    xor al, bl              ;; XOR it with the current key byte
     :0040131F 8806                    mov byte ptr [esi], al  ;; write the decrypted byte back
     :00401321 46                      inc esi                 ;; point to the next byte
     :00401322 FEC3                    inc bl                  ;; next key byte (41h, 42h, ...)
     :00401324 0105F9204000            add dword ptr [004020F9], eax ;; add the decrypted byte to the sum
     :0040132A 3C00                    cmp al, 00              ;; decrypted byte == 0 (end of name)?
     :0040132C 7407                    je 00401335             ;; if so, stop early
     :0040132E FEC1                    inc cl                  ;; one more name character
     :00401330 80FB4F                  cmp bl, 4F              ;; 14 bytes done (key went 41h..4Eh)?
     :00401333 75E6                    jne 0040131B            ;; if not, loop

     * Referenced by a (U)nconditional or (C)onditional Jump at Address:
     |:0040132C(C)
     |
     :00401335 890D49214000            mov dword ptr [00402149], ecx ;; save the name length
     :0040133B C3                      ret  ;; return from call

     This passage does nothing but XOR the first 14 bytes of your file with a running key, 41h
     for the first byte up to 4Eh for the 14th (bl is incremented after every byte and the loop
     stops once it reaches 4Fh), write each result back into the buffer and add all the XORed
     values up in [004020F9]. Note the early exit at :0040132C: if a XORed byte is 00, the routine
     adds that 0 and returns at once, so any bytes behind a 00 are not summed. For
     666999666999666999 (bytes 36h and 39h) this would be:

     36 XOR 41 = 77 +
     36 XOR 42 = 74 +
     36 XOR 43 = 75 +
     39 XOR 44 = 7D +
     39 XOR 45 = 7C +
     39 XOR 46 = 7F +
     36 XOR 47 = 71 +
     36 XOR 48 = 7E +
     36 XOR 49 = 7F +
     39 XOR 4A = 73 +
     39 XOR 4B = 72 +
     39 XOR 4C = 75 +
     36 XOR 4D = 7B +
     36 XOR 4E = 78
     = 693h

     This value is XORed with 12345678h at :00401079 when we leave the Call: 693h XOR 12345678h =
     123450EBh, which in memory (little-endian) looks like EB 50 34 12. This value is compared to
     the last 4 bytes of our keyfile at address :00401093. If they are the same you have cracked
     it. When you start the CrackMe a messagebox will appear saying that you cracked it :) Sadly,
     your name is not yet displayed in this messagebox, but only some crappy characters. The first
     14 bytes, which are not the value checked at :00401093, are reserved for the name. You have
     seen that these 14 bytes are decrypted (XORed with 41h..4Eh and written back) by the loop
     above before they are displayed. So we have to save them encrypted in the keyfile. We do it
     in this way for the name LaZaRuS:

     L = 4Ch XOR 41h = 0D
     a = 61h XOR 42h = 23
     Z = 5Ah XOR 43h = 19
     a = 61h XOR 44h = 25
     R = 52h XOR 45h = 17
     u = 75h XOR 46h = 33
     S = 53h XOR 47h = 14

     These are the bytes you have to enter at the beginning of the keyfile. I added seven 00 bytes
     (00000000000000h) to fill the space. Next time I started it, I saw nothing. Shit, the last
     four bytes must have another value now. So I set a breakpoint on :00401093, and F7523412 was
     the next value. When I started it now, I saw: "Cracked by LaZaRuSHIJKLMN!" - Now we know that
     the 00 bytes we entered were (obviously) wrong and the correct keyfile looks like this:

     0D23 1925 1733 1448 494A 4B4C 4D4E F752 3412

     btw: If you don't know how I came to the values 48494A4B4C4D4E: a value XORed with itself is
          *always* 0, so H XOR H = 0 / 48 XOR 48 = 0, and a byte that equals its key byte decrypts
          to 00. (Hope you got it now)

     Actually this is not quite the correct keyfile. We have to recalculate the last four bytes
     again, because now the 8th byte decrypts to 00 and the loop at :0040132C stops right there:
     only the seven name bytes plus that 0 are summed, 4C + 61 + 5A + 61 + 52 + 75 + 53 = 282h,
     and 282h XOR 12345678h = 123454FAh, stored as FA 54 34 12. But this should be no problem.

     0D23 1925 1733 1448 494A 4B4C 4D4E FA54 3412 is the correct keyfile that will show the
     "Cracked by LaZaRuS!" message. (note: These are hex values, not ASCII values; the printable
     bytes of it read #%3HIJKLMNT4 in ASCII, the others (0D, 19, 17, 14, FA, 12) are not printable,
     so write the file with a hex editor.)


VI.  BTW
     
     Greets to: tKC, Ed!son, Moral Insanity, +Sandman, Fravia+ and everyone at #cracking4newbies,
     +Sandman's forum and Fravia+'s forum.

VII. All tutorials by LaZaRuS
      
