

                     L                ZZZZZZ         RRRRR           SSSSS
                     L                    Z          R    R         S
                     L          aaa      Z      aaa  R    R  u   u  S
                     L            a     Z         a  RRRRR   u   u  SSSSS
               XX    L         aaaa    Z       aaaa  R    R  u   u       S
              XXXX   L        a   a   Z       a   a  R    R  u   u       S
             XXXXXX  LLLLLLL  aaaaa  ZZZZZZZ  aaaaa  R    R  uuuuu  SSSSSS
             XXXXXX       
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
       XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
             XXXXXX
             XXXXXX
               XXXX        proudly presents his 10th Cracking Tutorial (25.04.1999)
               XX                          eKH CrackMe 1.0

I.   Tools you need for my tutorial
II.  Cracking with W32Dasm
III. BTW

I.   Tools you need for my tutorial
     Win32Dasm 8.9  (get at http://Qserve.8m.com)
     
II.  Cracking with Win32Dasm:
     First we have a look at the target (and disassemble it in the meantime, which saves time): a
     name and a serial must be entered. When we enter a serial, a message box appears saying that
     we entered an invalid serial (did you expect that? ;). OK, let's search for that string in our
     dead listing. We see:

     :00427B7E E80DE2FEFF              call 00415D90
     :00427B83 8B45FC                  mov eax, dword ptr [ebp-04]
     :00427B86 50                      push eax
     :00427B87 8D55F8                  lea edx, dword ptr [ebp-08]
     :00427B8A 8B83DC010000            mov eax, dword ptr [ebx+000001DC]
     :00427B90 E8FBE1FEFF              call 00415D90
     :00427B95 8B45F8                  mov eax, dword ptr [ebp-08]
     :00427B98 5A                      pop edx
     :00427B99 E882FEFFFF              call 00427A20       ;; compares serial and sets flag
     :00427B9E 3D4E61BC00              cmp eax, 00BC614E   ;; compares something with BC614E
     :00427BA3 7D1E                    jge 00427BC3        ;; if greater or equal then "Correct"

     * Referenced by a (U)nconditional or (C)onditional Jump at Address:
     |:00427B73(C)
     |
     :00427BA5 6A00                    push 00000000       ;; else Messagebox("Wrong")

     * Possible StringData Ref from Code Obj ->"ERROR"
                                       |
     :00427BA7 68087C4200              push 00427C08

     * Possible StringData Ref from Code Obj ->"Wrong Serial Number !"

     Now we could try to enter the decimal value of BC614E as the serial. But that would be too easy.
     BC614E must either be a flag, or the serial we entered with a little calculation done on it. So
     let's hope it is a flag. Search for MOV EAX, 00BC614E. No occurrence found :( So let's start
     tracing through the code (I do it with the W32Dasm debugger, but you can use SoftICE as well).
     Enter the CALL at :00427B99 and trace through the code. Don't enter any call. It's our first
     try, and we don't want to get lost in the "deep codewoods". It's better to hope that we can
     read the serial somewhere in the "main" call. Every time, look at the registers that have
     changed. Sometimes you see values stored in registers that look damn like serials. But these
     are only there to fool you. (Who of you wouldn't have tried values like 5104CE97, 385532209
     or some others?) The interesting part starts here:

     :00427AF6 8B45F4                  mov eax, dword ptr [ebp-0C]  ;; correct serial
     :00427AF9 8B55F8                  mov edx, dword ptr [ebp-08]  ;; entered serial
     :00427AFC E8BFBDFDFF              call 004038C0                ;; compare them
     :00427B01 7507                    jne 00427B0A                 ;; if they are not equal, jump
     :00427B03 BB4E61BC00              mov ebx, 00BC614E            ;; the flag
     :00427B08 EB05                    jmp 00427B0F                 ;; Jump to: Return one call

     So we can see the correct serial in EAX. And now we know why we didn't find the flag: it is
     moved into EBX, not EAX. Somewhere later you will find a MOV EAX, EBX or something like that.
     Bad luck :(.
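     What the two listings above implement, rewritten as C next to a hardened variant. This is an
     added illustration, not code from the CrackMe or its author; the value the check returns when
     the serials do not match, and the sample serial "ABC-123", are assumptions.

```c
/* Model of the registration check seen in the eKH CrackMe 1.0 listing,
   rewritten in C, next to a hardened variant. Added illustration; not
   code from the CrackMe or its author. */
#include <stdint.h>
#include <string.h>

#define REG_FLAG 0x00BC614Eu   /* the flag from the listing, 12345678 decimal */

/* What the call at 00427A20 does, as far as the listing shows: the correct
   serial (ebp-0C) and the entered serial (ebp-08) are compared as strings;
   on a match EBX is loaded with REG_FLAG. The non-match value is assumed
   to be 0 (the listing does not show it). */
uint32_t check_serial_listing(const char *correct, const char *entered)
{
    uint32_t ebx = 0;                        /* assumed non-match value */
    if (strcmp(correct, entered) == 0)       /* call 004038C0 + jne */
        ebx = REG_FLAG;                      /* mov ebx, 00BC614E */
    return ebx;                              /* ends up in EAX for the caller */
}

/* The caller at 00427B9E: cmp eax, 00BC614E / jge. jge is a signed compare,
   so any result >= 0x00BC614E (as int32) also passes, not only the flag. */
int is_registered_listing(uint32_t result)
{
    return (int32_t)result >= (int32_t)REG_FLAG;
}

/* Hardened variant: store only a hash of the correct serial, so the plain
   correct serial never sits in a register or on the stack for a debugger
   to read, and return a plain 0/1 that the caller tests for equality
   instead of a magic constant. FNV-1a is used only to keep the example
   short; a real protection would use a cryptographic hash or a signed
   licence rather than a non-cryptographic hash with easy collisions. */
uint32_t fnv1a32(const char *s)
{
    uint32_t h = 0x811C9DC5u;
    for (; *s; s++) {
        h ^= (uint8_t)*s;
        h *= 0x01000193u;
    }
    return h;
}

int check_serial_hashed(uint32_t stored_hash, const char *entered)
{
    return fnv1a32(entered) == stored_hash;
}
```

     The listing-style check leaks the correct serial to anyone single-stepping the compare, which is
     exactly what the trace above relies on; the hashed variant gives a tracer only the hash.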

III. BTW
     I hope my tutorial was helpful for you; see you again in my next tutorial.
     
     Greets to: Fravia+, tKC, ED!SON, Moral Insanity, The Sandman, Eternal Bliss, DaVinci and 
     all [hf] members


All Tutorials by LaZaRuS [hf]

 #|  date  |   name           |version|W32Dasm|Soft-Ice|kind of crack            |
--|--------|------------------|-------|-------|--------|-------------------------|
01|20.01.99|Jaylock           |1,0,0,1|  (X)  |   (X)  |serial#                  |
02|31.01.99|Goldwave          |4.02   |  (X)  |   (X)  |serial#,nag-screens      |
03|28.03.99|AxMan             |3.00   |  (X)  |   (X)  |serial#,remove date-limit|
  |        |                  |       |       |        |nag-screen, key generator|
04|29.03.99|C++Builder Strings|       |  (X)  |   (X)  |how to find strings in   |
  |        |                  |       |       |        |C++ Builder that are not |
  |        |                  |       |       |        |hardcoded                |
05|29.03.99|Better Protection |       |       |        |How to protect shareware |
  |        |                  |       |       |        |better against crackers  |
06|04.04.99|Start Clean       |1.2    |  (X)  |   (X)  |nag-screen/serial/keygen |
07|06.04.99|MP3 TO EXE        |1.02   |  (X)  |   (X)  |nag-screen/serial        |
08|06.04.99|HexDecCharEditor  |1.02   |  (X)  |        |make it registered       |
09|20.04.99|PowerZip          |4.51   |  (X)  |        |serial/time-check/...    |
10|24.04.99|eKH CrackMe       |1.0    |  (X)  |        |serial                   |

     
LaZaRuS [hf]
Visit Hellforge at http://come.to/hellforge for more tutorials and high quality cracking links.
If you want to mail me: lazarus666@gnwmail.com