

 .---.        .---.                                                                 .----------.
 |    \      /    |    .-.                                                          |          |
 |  |\ \    / /|  |    | |    .--------.   .-----------.  .---------.  ..-------.    |  .-------'
 |  | \ \  / / |  |    `-'    | .------'   `----. .----'  | .-------'  | ,---. |    |  | 
 |  |  \ \/ /  |  |    .-.    | |               | |       | |          | |   | |    |  `----.
 |  |   \__/   |  |    | |    \ \               | |       | `----.     | `---' |    |  ,----'
 |  |          |  |    | |     \ `-----.        | |       | ,----'     |  .---'     |  |
 |  |          |  |    | |      `----. |        | |       | |          | , \        |  |
 |  |          |  |    | |           | |        | |       | |          | |\ \       |  |
 |  |          |  |    | |           | |        | |       | |          | | \ \      |  '-------.
 |  |          |  |    | |    .------' |        | |       | '------.   | |  \ \     |          |
 `--'          `--'    `-'    `--------'        `-'       `--------'   `-'   `-'    `----------'


                                  .----------------------. 
                      .-----------|   Proudly Presents   |-----------.
       ..--------------+----------------------------------------------+--------------.
       |                            A cracking tutor for:                           |
       |            MexElite's Crackme V1.0 (228.864 bytes) coded by nIabI          |
       `----------------------------------------------------------------------------'




This Crackme is very easy to crack, so prepare yourself a nice hot cup of tea.


Programs I have used:

- SoftIce V3.2
- W32dasm V8.9
- MexElite's Crackme (http://crackme.home.ml.org)


..-----------------------------------------------------------------------------------------------.
`-----------------------------------------------------------------------------------------------'


OK, let's start:

1st method:
fire w32dasm and open crack1.exe

Look for strings. Hmm, "Thanks you made it" looks promising; double-click on this string and
you will be transported to 42d555h.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D541(C)
|

* Possible StringData Ref from Code Obj ->"Thanks you made it"
                                  |
:0042D555 BABCD54200              mov edx, 0042D5BC
:0042D55A 8B83E8010000            mov eax, dword ptr [ebx+000001E8]
:0042D560 E853CCFEFF              call 0041A1B8


As you can see, there is a conditional jump to 42d555 (could that be the check whether your s/n is
right or wrong?) at 42d541h.
Let's check out this jump. You'll end up here:



* Possible StringData Ref from Code Obj ->"Benadryl"
                                  |
:0042D537 BA90D54200              mov edx, 0042D590
:0042D53C E88F63FDFF              call 004038D0                       ; check if s/n is correct
:0042D541 7412                    je 0042D555                         ; if so, jump to 42d555


* Possible StringData Ref from Code Obj ->"Wrong Code DUDE"           ; if not print "Wrong code"
                                  |
:0042D543 BAA4D54200              mov edx, 0042D5A4
:0042D548 8B83E8010000            mov eax, dword ptr [ebx+000001E8]
:0042D54E E865CCFEFF              call 0041A1B8
:0042D553 EB10                    jmp 0042D565

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D541(C)
|

* Possible StringData Ref from Code Obj ->"Thanks you made it"
                                  |
:0042D555 BABCD54200              mov edx, 0042D5BC
:0042D55A 8B83E8010000            mov eax, dword ptr [ebx+000001E8]
:0042D560 E853CCFEFF              call 0041A1B8

It is obvious that "Benadryl" is your s/n. Even though this is a really easy protection, you can
find it in some (expensive) shareware programs, like Cumberland Family Tree v2.29x.



..-----------------------------------------------------------------------------------------------.
`-----------------------------------------------------------------------------------------------'


2nd method:
We will be using SoftIce.
The first thing to do when you want to crack with SoftIce (when dealing with a s/n):

To place a breakpoint on an API, type: BPX "API"
Place a breakpoint on the following APIs:
getwindowtexta     <= 32 bit
getwindowtext      <= 16 bit
getdlgitemtexta    <= 32 bit
getdlgitemtext     <= 16 bit

The "a" at the end means that the API is the 32-bit version.

Enter a code; I used "123454".
When you press the "Check it" button, nothing happens: none of these functions is called.

No problem, we just place a BPX on hmemcpy. Most of the time this will work if the other APIs fail.
Note: place the breakpoint after you have typed the password; you will see why   ;)

Press F12 a few times, until you get into protected-mode 32-bit code (prot32).
OK, let's search for our code; we do this by typing:

s 0 l ffffffff "123454"      or
s ds:0 l ffffffff "123454"

Press "s" to continue searching.

These memory addresses contained my string:
"795df4"  and    "80e9db32"

You are likely to find other addresses; just follow my tutor using your addresses instead.

OK, we know (or if we didn't, we could guess) that the crackme compares our s/n (123454) with
the real s/n. If only we could stop the crackme when it compares the s/ns... well, you CAN.

Let's place a breakpoint on the memory locations; we do this by typing:
BPM 795df4 
BPM 80e9db32

OK, let's continue running the program (Ctrl-D).

We get kicked back to SoftIce, right at the place where the two s/ns are compared.
Type "d esi" to see our s/n (123454).
Type "d edi" to see the REAL s/n (Benadryl).
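Both methods above work for the same reason: the real serial is a plaintext string inside the program (so W32dasm lists it next to "Wrong Code DUDE"), and the compare routine receives it as an operand (so "d edi" shows it next to the typed value). The example below is added here and is not code from the crackme or the tutor; it reconstructs that weak check in Python and sets a hardened version beside it, in which only a SHA-256 digest of the serial ships and the comparison is constant-time. The functions make_digest, hardened_check and serial_visible_in_image, and the byte strings standing in for program images, are constructed for the example.

```python
import hashlib
import hmac

# --- Weak check, the shape seen in the crackme's disassembly ---------------
# The serial is a string constant in the binary, and the compare is a plain
# string compare followed by a conditional jump (call 004038D0 / je 0042D555).
REAL_SERIAL = "Benadryl"   # serial value as given on the page


def weak_check(typed: str) -> str:
    # Equivalent of: call <string compare>; je <success> ; else <fail>
    if typed == REAL_SERIAL:
        return "Thanks you made it"
    return "Wrong Code DUDE"


# --- Hardened check: only a digest of the serial ships in the binary --------
def make_digest(serial: str) -> bytes:
    """Vendor-side, offline step (hypothetical): the value compiled into the
    product in place of the plaintext serial."""
    return hashlib.sha256(serial.encode("utf-8")).digest()


def hardened_check(typed: str, stored_digest: bytes) -> str:
    # Hash the input and compare digests in constant time. The shipped code
    # holds no plaintext serial, and the compare's operands are two 32-byte
    # digests, so neither a string listing nor a dump at the compare reveals
    # the serial itself.
    typed_digest = hashlib.sha256(typed.encode("utf-8")).digest()
    if hmac.compare_digest(typed_digest, stored_digest):
        return "Thanks you made it"
    return "Wrong Code DUDE"


def serial_visible_in_image(image: bytes, serial: str) -> bool:
    """The same test a string listing performs: is the plaintext serial
    present anywhere in the bytes of the program image?"""
    return serial.encode("utf-8") in image


if __name__ == "__main__":
    # Constructed stand-ins for the two program images: the weak build embeds
    # the serial text, the hardened build embeds only its digest.
    digest = make_digest(REAL_SERIAL)
    weak_image = b"\x90" * 16 + REAL_SERIAL.encode() + b"\x00Wrong Code DUDE\x00"
    hardened_image = b"\x90" * 16 + digest + b"\x00Wrong Code DUDE\x00"

    print("serial visible in weak image:    ", serial_visible_in_image(weak_image, REAL_SERIAL))
    print("serial visible in hardened image:", serial_visible_in_image(hardened_image, REAL_SERIAL))
    print("weak_check('123454'):            ", weak_check("123454"))
    print("hardened_check('Benadryl'):      ", hardened_check("Benadryl", digest))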


..-----------------------------------------------------------------------------------------------.
`-----------------------------------------------------------------------------------------------'


Well, I hope you learned SOMETHING from this tutor.

If you have any comments, questions, or whatever, mail me at MisterE@freemail.nl

OR

look for me at EFNET => #cracking4newbies or #cracking


..-----------------------------------------------------------------------------------------------.
`-----------------------------------------------------------------------------------------------'
