Protection : ID number/registration code, written in C for a console target ("DOS C")
Level : easy
Tools needed :
*SoftICE 3.2x or better
*A C/C++ compiler for the keygen (I used VC++ 6.0)
This crackme is a little different from the others you may already have cracked: it is a
console program written in C (what the author calls DOS C) that talks to the user through the C
runtime in crtdll.dll, so there are no pretty windows, no message boxes, and none of the usual
Win32 GUI breakpoints (MessageBoxA, GetDlgItemTextA and friends) will ever fire.
We need a function SoftICE can break on that is called close to the keygen routine. Let's
disassemble the program and look at the imported functions. We see that gets is imported from crtdll.
gets is a C runtime function that reads a line typed by the user into a buffer. (It does no
bounds checking at all: a line longer than the buffer at [ebp-20] simply keeps writing up the stack.
We don't need that here, but it is the reason every modern compiler warns about gets.) Put a
bpx on gets (bpx gets under SoftICE) and press F5.
Launch the crackme. Enter an ID number (whatever you want). SoftICE pops up, but this is not
the moment for tracing, so press F12 to get back out of gets. Press Enter in the crackme and now give
a fake registration code. SoftICE pops up again. This time we trace. We arrive at :
* Reference To: crtdll.gets, Ord:0180h
|
:004013DE E8A5010000 Call 00401588 ;we land here
:004013E3 83C410 add esp, 00000010
:004013E6 83C4F4 add esp, FFFFFFF4
:004013E9 8D45E0 lea eax, dword ptr [ebp-20] ;eax contains the fake serial
:004013EC 50 push eax
* Reference To: crtdll.atoi, Ord:0154h
|
:004013ED E88E010000 Call 00401580 ;calls _atoi
:004013F2 83C410 add esp, 00000010
:004013F5 8945D4 mov dword ptr [ebp-2C], eax ;stores the fake serial (as an integer) in [ebp-2C]
:004013F8 8B45D8 mov eax, dword ptr [ebp-28] ;loads the ID number we entered (as an integer)
:004013FB 89C2 mov edx, eax ;edx = ID
:004013FD C1E202 shl edx, 02 ;edx <<= 2, i.e. edx = 4 * ID
:00401400 8D0C10 lea ecx, dword ptr [eax+edx] ;ecx = eax + edx = 5 * ID
:00401403 894DDC mov dword ptr [ebp-24], ecx ;stores ecx in [ebp-24]
:00401406 8345DCF7 add dword ptr [ebp-24], -09 ;[ebp-24] -= 9 (F7 is -9 as a signed byte)
:0040140A 8B45DC mov eax, dword ptr [ebp-24] ;eax = [ebp-24]
:0040140D 89C2 mov edx, eax ;edx = eax
:0040140F 8D0412 lea eax, dword ptr [edx+edx] ;eax = 2 * edx
:00401412 8945DC mov dword ptr [ebp-24], eax ;moves eax in [ebp-24]
:00401415 8145DCFA000000 add dword ptr [ebp-24], FA ;[ebp-24] += 250
:0040141C 8B45DC mov eax, dword ptr [ebp-24] ;eax = [ebp-24]
:0040141F 89C2 mov edx, eax ;edx = eax
:00401421 01D2 add edx, edx ;edx *= 2
:00401423 8D0C10 lea ecx, dword ptr [eax+edx] ;ecx = eax + edx = 3 * eax
:00401426 894DDC mov dword ptr [ebp-24], ecx ;moves ecx in [ebp - 24]
:00401429 8345DCE3 add dword ptr [ebp-24], -1D ;[ebp-24] -= 29 (E3 is -29 as a signed byte)
:0040142D 8B45DC mov eax, dword ptr [ebp-24] ;eax = the calculated (good) serial
:00401430 3B45D4 cmp eax, dword ptr [ebp-2C] ;compares the good serial with the one we typed
:00401433 7512 jne 00401447 ;jump to the bad message if they differ
:00401435 83C4F4 add esp, FFFFFFF4 ;else fall through to the good message
:00401438 6890124000 push 00401290
So if you want to see the good serial for the ID number you entered, stop at 00401430 and type
? eax (eax holds the value itself, not a pointer, so d eax would only dump whatever memory that
number happens to address). The serial is also visible in the register window; ? shows it in decimal.
3)The keygen
We saw that the algo of the routine is :
*Take the ID number (it has to be strictly greater than 0)
*Shift it left by 2 bits (multiply by 4)
*Add the number and the shifted value (5 * ID)
*Subtract 9
*Multiply by 2
*Add 250
*Multiply by 3
*Subtract 29
Now, we can translate this into DOS C too (the angle brackets around the header names were
mangled by the page; they are plain #include <stdio.h> and #include <conio.h>) :
/************************************************************************************************
#include <stdio.h>
#include <conio.h>

int main()
{
    /* unsigned long is 32 bits on the Win32 target, so the arithmetic
       wraps exactly like the 32-bit registers in the disassembly */
    unsigned long number, shlnumber, temp, code = 0;

    printf("KeyGenerator for Fl0restan C Crackme1 by seifer666\n");
    printf("\nType any integer number as ID code : ");
    if (scanf("%lu", &number) != 1 || number == 0) {
        printf("The ID number must be an integer strictly greater than 0\n");
        getch();
        return 1;
    }
    shlnumber = number << 2;                        /* shl edx, 02           */
    temp = ((number + shlnumber) - 9) * 2 + 250;    /* 5*n, -9, *2, +250     */
    code = 3 * temp - 29;                           /* *3, -29               */
    printf("Your registration code is : %lu\n", code);
    getch();                                        /* wait for a key (conio.h, VC++/DOS) */
    return 0;
}
************************************************************************************************/
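The keygen above is a literal transcription of the listing. As an added example (my own code, not
part of the original tutorial or of the crackme), here is a version that goes a step further: it keeps
the step-by-step form, reduces it to the closed form the arithmetic actually computes
(((5*ID - 9)*2 + 250)*3 - 29 = 30*ID + 667), reproduces the crackme's own cmp/jne as a check function,
and inverts the formula so a serial can be mapped back to its ID. uint32_t is used so the wraparound
matches the 32-bit registers exactly; the function names and the "ID must be > 0" rule follow the
tutorial, everything else (argument handling, the inverse) is my addition.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Step-by-step transcription of 004013F8..0040142D.
 * uint32_t makes every operation wrap like the 32-bit registers do. */
uint32_t serial_stepwise(uint32_t id)
{
    uint32_t v = id + (id << 2);  /* shl edx,02 ; lea ecx,[eax+edx]  -> 5*id */
    v -= 9;                       /* add [ebp-24],-09                        */
    v += v;                       /* lea eax,[edx+edx]                 -> *2 */
    v += 250;                     /* add [ebp-24],FA                         */
    v = v + v + v;                /* add edx,edx ; lea ecx,[eax+edx]   -> *3 */
    v -= 29;                      /* add [ebp-24],-1D                        */
    return v;
}

/* Closed form of the same chain: ((5*id - 9)*2 + 250)*3 - 29 = 30*id + 667.
 * Both forms agree for every 32-bit id, wraparound included. */
uint32_t serial_closed(uint32_t id)
{
    return 30u * id + 667u;
}

/* Mirror of the crackme's cmp eax,[ebp-2C] / jne: 1 = good serial, 0 = bad.
 * The tutorial says the ID must be strictly greater than 0, so 0 is rejected. */
int check_serial(uint32_t id, uint32_t serial)
{
    if (id == 0)
        return 0;
    return serial_stepwise(id) == serial;
}

/* Inverse of the closed form for serials that did not wrap around
 * (serial = 30*id + 667 with id < 2^32/30). Returns 1 and stores the id,
 * or 0 if no positive id produces this serial. */
int id_from_serial(uint32_t serial, uint32_t *id_out)
{
    if (serial < 667u || (serial - 667u) % 30u != 0)
        return 0;
    uint32_t id = (serial - 667u) / 30u;
    if (id == 0)
        return 0;
    *id_out = id;
    return 1;
}

int main(int argc, char **argv)
{
    /* usage: keygen <id>  (constructed example; a real ID is any integer > 0) */
    uint32_t id = (argc > 1) ? (uint32_t)strtoul(argv[1], NULL, 10) : 12345u;
    if (id == 0) {
        fprintf(stderr, "ID must be an integer strictly greater than 0\n");
        return 1;
    }
    uint32_t serial = serial_stepwise(id);
    printf("ID %u -> serial %u (closed form: %u)\n", id, serial, serial_closed(id));
    printf("check_serial: %s\n", check_serial(id, serial) ? "good" : "bad");

    uint32_t back = 0;
    if (id_from_serial(serial, &back))
        printf("serial %u belongs to ID %u\n", serial, back);
    return 0;
}
```

The closed form is what you would actually want to remember: any serial the crackme accepts is of the
form 30*ID + 667, so a quick "(serial - 667) % 30 == 0" tells you whether a serial is even plausible before
you look at the ID. The inverse deliberately refuses to guess once 30*ID would have wrapped past 2^32,
because 30 is even and therefore not invertible modulo 2^32.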
We did it !
4)Final words
I greet my groups : DQF, digital Factory, HellForge
and my friends (no specific order) : ACiD BuRN, BoomBox, BlndAngl, Lucifer48, Volatility, Tscube, Visionz,
amante4, alpine, FatBoyJoe, Warez Pup, Eternal_bliss, r!sc, [mega], Sushi,
MagicRaphoun, TaMaMbolo, Kahel, V-Rom, Ep-180, morrinth, Tres`ni, Dawai, DXF,
CiniMod, xor, Air2k, grAnix, LordOfLa, karlitoXZ, [ManKind], Falcon^,
Dazzler.... and all I've forgotten ;-)