                         Phox Crackme #2 Tutorial 

                                 
                                   iNSiDE

Tutor      : duelist
Date       : April 6, 1999
Level      : Intermediate
Target     : CrackMe #2 by Phox
Size       : 4kb (!)
Tools Used : SoftICE
Method     : Code Sniffing


			    -=* Protection *=-

This crackme is simple: you have to enter a correct password... (ehe, this one is a bit
tricky and almost fooled me at first sight)


			   -=* Our Approach *=-

Using SoftICE, this SHOULD be EASY work!

1) Switch to SoftICE (Ctrl + D) and set:

   bpx GetWindowTextA
   bpx GetDlgItemTextA
   bpx hmemcpy

2) We do this because a program normally uses one of these to retrieve the text
   from an edit box (there are others, but hmemcpy usually triggers, because on
   Windows 9x the text-retrieval APIs copy the string through it).

3) Enter any code and hit Ok, let's see what happens!
   Hmm, you get a message saying that you entered an incorrect password, and
   none of our breakpoints fired: the program never read the text at all.

4) Here you will have to do a little 'zen cracking' to understand this one:
   if the program never fetches the text, what else can it ask about the edit
   box? Its length. In SoftICE do a "bpx GetWindowTextLengthA".

5) Press Ok again and blam, SoftICE pops up right here:

   .000011A7: E89B000000                   call      USER32!GetWindowTextLengthA
   .000011AC: A3E9204000                   mov       [0004020E9],eax        ; save the length
   .000011B1: 8BF0                         mov       esi,eax                ; esi = length of what we typed
   .000011B3: 83FE0C                       cmp       esi,00C                ; is it 0Ch (12) characters?
/- .000011B6: 751E                         jne      .0000011D6              ; no? then, bad cracker!
|  .000011B8: 6A30                         push      030                    ; uType = MB_ICONEXCLAMATION
|  .000011BA: 6891204000                   push      000402091              ; caption
|  .000011BF: 6897204000                   push      000402097              ; text
|  .000011C4: FF3548204000                 push      d,[000402048]          ; hWnd
|  .000011CA: E88A000000                   call     .000001259              ; GOOD cracker messagebox
|  .000011CF: 5E                           pop       esi
|  .000011D0: 5F                           pop       edi
|  .000011D1: 5B                           pop       ebx
|  .000011D2: C9                           leave
|  .000011D3: C21000                       retn      00010                  ; clean up four DWORD arguments
\- .000011D6: 6A30                         push      030
   .000011D8: 68ED204000                   push      0004020ED
   .000011DD: 68FB204000                   push      0004020FB
   .000011E2: FF3548204000                 push      d,[000402048]
   .000011E8: E86C000000                   call     .000001259              ; BAD cracker messagebox

6) We can see that there is no check other than the length one, so go back to the
   app, enter any 12 characters and Bingo!!! It says the password is correct.
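The listing above is worth re-deriving from its opcode bytes rather than trusting the
disassembler's target column; it is also the quickest way to confirm that nothing but
the length is ever compared. The script below is an added example for this tutorial,
not code from the original page or from the crackme. It decodes the three encodings
the listing relies on (cmp esi,imm8; jne rel8; call rel32) from the address and byte
columns copied out of step 5, recomputes the branch and call targets, and replays the
check for a given password. The address/byte lines are the listing's own; the function
names are mine.

```python
"""Re-derive the branch logic of the Phox CrackMe #2 listing from raw bytes.

Added example for this tutorial, not code from the original page or the
crackme. Only the three x86 encodings the listing relies on are decoded:
    83 FE ib   cmp esi, imm8   (imm8 is sign-extended to 32 bits)
    75 cb      jne rel8        (target = next instruction + rel8)
    E8 cd      call rel32      (target = next instruction + rel32)
"""
import re

# Address and opcode-byte columns of the listing in step 5, copied without
# the disassembler's mnemonic/target columns so the script must recompute them.
LISTING = """
.000011A7: E89B000000
.000011AC: A3E9204000
.000011B1: 8BF0
.000011B3: 83FE0C
.000011B6: 751E
.000011B8: 6A30
.000011BA: 6891204000
.000011BF: 6897204000
.000011C4: FF3548204000
.000011CA: E88A000000
.000011CF: 5E
.000011D0: 5F
.000011D1: 5B
.000011D2: C9
.000011D3: C21000
.000011D6: 6A30
.000011D8: 68ED204000
.000011DD: 68FB204000
.000011E2: FF3548204000
.000011E8: E86C000000
"""

LINE_RE = re.compile(r"^\.([0-9A-Fa-f]{8}):\s+([0-9A-Fa-f]+)\s*$")


def parse_listing(text):
    """Return [(address, opcode bytes)] for every 'addr: hexbytes' line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((int(m.group(1), 16), bytes.fromhex(m.group(2))))
    return out


def _signed(value, bits):
    """Interpret an unsigned field as a two's-complement signed integer."""
    return value - (1 << bits) if value & (1 << (bits - 1)) else value


def decode(addr, code):
    """Decode the few encodings we care about; everything else is 'other'."""
    nxt = addr + len(code)                   # EIP after this instruction
    if code[:2] == b"\x83\xfe" and len(code) == 3:
        return {"op": "cmp esi", "imm": _signed(code[2], 8)}
    if code[0] == 0x75 and len(code) == 2:
        return {"op": "jne", "target": nxt + _signed(code[1], 8)}
    if code[0] == 0xE8 and len(code) == 5:
        rel = int.from_bytes(code[1:5], "little", signed=True)
        return {"op": "call", "target": nxt + rel}
    return {"op": "other"}


def analyse(text):
    """Pull out the compared constant, the jne target and every call target."""
    result = {"cmp_imm": None, "jne_target": None,
              "jne_fallthrough": None, "calls": {}}
    for addr, code in parse_listing(text):
        d = decode(addr, code)
        if d["op"] == "cmp esi":
            result["cmp_imm"] = d["imm"]
        elif d["op"] == "jne":
            result["jne_target"] = d["target"]
            result["jne_fallthrough"] = addr + len(code)
        elif d["op"] == "call":
            result["calls"][addr] = d["target"]
    return result


def which_messagebox(text, password):
    """Replay the check: esi = GetWindowTextLengthA(); jne taken => BAD box.

    The password's characters are never looked at, only its length,
    exactly as the listing shows.
    """
    info = analyse(text)
    if len(password) != info["cmp_imm"]:
        return "BAD", info["jne_target"]         # jne taken
    return "GOOD", info["jne_fallthrough"]       # falls into the GOOD block


if __name__ == "__main__":
    info = analyse(LISTING)
    print(f"cmp esi,{info['cmp_imm']}  ->  jne .{info['jne_target']:08X}")
    for src, dst in sorted(info["calls"].items()):
        print(f".{src:08X}: call .{dst:08X}")
    for pw in ("short", "AAAAAAAAAAAA", "thirteen-long"):
        print(pw, which_messagebox(LISTING, pw))
```

Running it confirms the disassembler: the jne at .11B6 lands on .11D6, the constant is
0Ch, and both MessageBox calls (.11CA and .11E8) resolve to the same stub at .1259. The
four pushes before each call (30h, two string pointers, a saved window handle) are in
MessageBoxA argument order, 30h being MB_ICONEXCLAMATION. Any 12-character string takes
the fall-through path; anything else takes the jump.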


  			    -=* Final Notes *=-
 
With this tutorial I try to show you that some programs may not even read the
text you enter as a serial, but only retrieve its length and do things from
there! You'll need some 'zen cracking' sometimes or you won't get where you
want...