Easy Crackme//KeyGenme.
=======================
Try to find a valid Key for your name.
NO PATCHING!

ZeroTen

Difficulty: 1 – Very easy, for newbies
Platform: Windows
Language: C/C++

Download crackme here: http://www.crackmes.de/users/zeroten/crackme_keygenme_by_zeroten_1
—————————-
Solution :

///////////////////////////////////////////////////////////////////////////////////////////
Program : CrackMe_KeyGenMe_by_ZeroTen_#1.exe
Description : Easy Crackme//KeyGenme. Try to find a valid Key for your name. NO PATCHING!
Tools : OllyDbg
Difficulty : Easy (but not for newbies :D)
Packer/Protector/Compiler : N/A
Objective : Keygen
Cracker : kienmanowar
///////////////////////////////////////////////////////////////////////////////////////////

1. First, run the keygenme, enter a Name, Password and Serial, then click Login. The keygenme simply terminates without any nag.
Retrying with a single character in the Name box, I get the nag: “At least, more than 4 letters”.

2. OK, load it into Olly and search all referenced strings. I find it here:

Text strings referenced in CrackMe_:.text, item 10
Address=00401C88
Disassembly=PUSH CrackMe_.004871A6
Text string=ASCII "At least, more than 4 letters"

3. Double-click this line and scroll up to find the start of the routine, then set a BP:

00401A18 >/. 55 PUSH EBP ; _TForm1_Button1Click <== Set BP
00401A19 |. 8BEC MOV EBP, ESP
00401A1B |. 83C4 94 ADD ESP, -6C
00401A1E |. 53 PUSH EBX
00401A1F |. 56 PUSH ESI
00401A20 |. 57 PUSH EDI
00401A21 |. 8BD8 MOV EBX, EAX

4. Press F9 to run, enter some data (e.g. kienmanowar / 1234 / 56789) and press Log in. Execution stops at the BP I set. Tracing downward, I reach
the first point of interest. This code uses the length of szName to compute a value and stores the result in the edi register:

00401A43 >|. 8B83 64030000 MOV EAX, DWORD PTR DS:[EBX+364] ; *TForm1.Edit1:TEdit (szUserName)
00401A49 |. E8 42B40400 CALL ; <== eax : Length(szName)
00401A4E |. 837D FC 00 CMP DWORD PTR SS:[EBP-4], 0 ; <== Length(szName) != 0
00401A52 |. 74 08 JE SHORT
00401A54 |. 8B55 FC MOV EDX, DWORD PTR SS:[EBP-4] ; <== edx : szName
00401A57 |. 8B4A FC MOV ECX, DWORD PTR DS:[EDX-4] ; <== ecx : Length(szName)
00401A5A |. EB 02 JMP SHORT
00401A5C >|> 33C9 XOR ECX, ECX
00401A5E >|> 8D3C89 LEA EDI, DWORD PTR DS:[ECX+ECX*4] ; <== edi = ecx + ecx*4 (LengthIsNotZero__)
00401A61 |. 8D45 FC LEA EAX, DWORD PTR SS:[EBP-4]
00401A64 |. BA 02000000 MOV EDX, 2 ; <== edx = 0x2
00401A69 |. 8D3CB9 LEA EDI, DWORD PTR DS:[ECX+EDI*4] ; <== edi = ecx + edi*4
00401A6C |. C1E7 03 SHL EDI, 3 ; <== edi = edi * 2^3
00401A6F |. 2BF9 SUB EDI, ECX ; <== edi = edi - ecx
00401A71 |. 8D3CF9 LEA EDI, DWORD PTR DS:[ECX+EDI*8] ; <== edi = ecx + edi*8
00401A74 |. 81C7 A31C0000 ADD EDI, 1CA3 ; <== edi = edi + 0x1CA3

5. Continuing to trace and analyze, I find four identical decoy blocks meant to mislead me; one of them looks like this 🙂 :

00401A9B >|. 8B83 70030000 MOV EAX, DWORD PTR DS:[EBX+370] ; *TForm1.Edit2:TEdit (szPassWord)
00401AA1 |. E8 EAB30400 CALL ; <== eax : Length(szPassWord)
00401AA6 |. 8D55 F8 LEA EDX, DWORD PTR SS:[EBP-8]
00401AA9 |. 52 PUSH EDX
00401AAA |. 8D45 F4 LEA EAX, DWORD PTR SS:[EBP-C]
00401AAD |. 8B55 A0 MOV EDX, DWORD PTR SS:[EBP-60] ;
00401AB0 |. E8 5B110700 CALL ; <== Convert int to string
00401AB5 |. FF46 1C INC DWORD PTR DS:[ESI+1C] ;
00401AB8 |. 8D55 F4 LEA EDX, DWORD PTR SS:[EBP-C]
00401ABB |. 58 POP EAX
00401ABC |. E8 D7110700 CALL ;
00401AC1 |. 50 PUSH EAX
00401AC2 |. FF4E 1C DEC DWORD PTR DS:[ESI+1C]
00401AC5 |. 8D45 F4 LEA EAX, DWORD PTR SS:[EBP-C]
00401AC8 |. BA 02000000 MOV EDX, 2
00401ACD |. E8 82110700 CALL
00401AD2 |. FF4E 1C DEC DWORD PTR DS:[ESI+1C] ; |
00401AD5 |. 8D45 F8 LEA EAX, DWORD PTR SS:[EBP-8] ; |
00401AD8 |. BA 02000000 MOV EDX, 2 ; |
00401ADD |. E8 72110700 CALL ; \CrackMe_.00472C54
00401AE2 |. 59 POP ECX
00401AE3 |. 84C9 TEST CL, CL
00401AE5 |. 74 0C JE SHORT
00401AE7 |. A1 CCF44800 MOV EAX, DWORD PTR DS:[48F4CC]
00401AEC |. 8B00 MOV EAX, DWORD PTR DS:[EAX]
00401AEE >|. E8 9D260400 CALL ; ->:TApplication._Terminate()

6. Bypassing all of that code, I land here:

00401C47 >|. 8B83 64030000 MOV EAX, DWORD PTR DS:[EBX+364] ; *TForm1.Edit1:TEdit (szName)
00401C4D |. E8 3EB20400 CALL ; <== eax = Length(szName)
00401C52 |. 837D D8 00 CMP DWORD PTR SS:[EBP-28], 0
00401C56 |. 74 08 JE SHORT
00401C58 |. 8B55 D8 MOV EDX, DWORD PTR SS:[EBP-28] ; <== edx : szName
00401C5B |. 8B4A FC MOV ECX, DWORD PTR DS:[EDX-4] ; <== ecx : Length(szName)
00401C5E |. EB 02 JMP SHORT
00401C60 >|> 33C9 XOR ECX, ECX ; loc_401C60
00401C62 >|> 83F9 04 CMP ECX, 4 ; loc_401C62
00401C65 |. BA 02000000 MOV EDX, 2
00401C6A |. 0F9CC0 SETL AL
00401C6D |. 83E0 01 AND EAX, 1
00401C70 |. 50 PUSH EAX ; /Arg1
00401C71 |. 8D45 D8 LEA EAX, DWORD PTR SS:[EBP-28] ; |
00401C74 |. FF4E 1C DEC DWORD PTR DS:[ESI+1C] ; |
00401C77 |. E8 D80F0700 CALL ; \CrackMe_.00472C54
00401C7C |. 59 POP ECX
00401C7D |. 84C9 TEST CL, CL
00401C7F |. 74 18 JE SHORT
00401C81 |. 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
00401C83 |. 68 C4714800 PUSH CrackMe_.004871C4 ; |Title = "BEEP!"
00401C88 |. 68 A6714800 PUSH CrackMe_.004871A6 ; |Text = "At least, more than 4 letters"
00401C8D |. 6A 00 PUSH 0 ; |hOwner = NULL
00401C8F >|. E8 204D0800 CALL ; \->UnrealizeObject.MessageBoxA()
00401C94 |. E9 F6000000 JMP

7. My username is longer than 4 letters, so I pass this check. After that, I land at the second important point.
Here edx = edi + 0x1CA3 is converted to a string and saved into szTruePassWord:

00401CAC >|. 8B83 70030000 MOV EAX, DWORD PTR DS:[EBX+370] ; *TForm1.Edit2:TEdit (szPassWord)
00401CB2 |. E8 D9B10400 CALL ; <== eax : Length(szPassWord)
00401CB7 |. 8D55 D4 LEA EDX, DWORD PTR SS:[EBP-2C]
00401CBA |. 52 PUSH EDX
00401CBB |. 8D97 A31C0000 LEA EDX, DWORD PTR DS:[EDI+1CA3] ; <== edx = edi + 0x1CA3
00401CC1 |. 8D45 D0 LEA EAX, DWORD PTR SS:[EBP-30] ; <== szTruePassWord
00401CC4 |. E8 470F0700 CALL ; <== ConvertIntToString (&szTruePassWord, edx)
00401CC9 |. FF46 1C INC DWORD PTR DS:[ESI+1C]
00401CCC |. 8D55 D0 LEA EDX, DWORD PTR SS:[EBP-30]
00401CCF |. 58 POP EAX
00401CD0 |. E8 C30F0700 CALL
00401CD5 |. 50 PUSH EAX
00401CD6 |. FF4E 1C DEC DWORD PTR DS:[ESI+1C]
00401CD9 |. 8D45 D0 LEA EAX, DWORD PTR SS:[EBP-30]
00401CDC |. BA 02000000 MOV EDX, 2
00401CE1 |. E8 6E0F0700 CALL
00401CE6 |. FF4E 1C DEC DWORD PTR DS:[ESI+1C] ; |
00401CE9 |. 8D45 D4 LEA EAX, DWORD PTR SS:[EBP-2C] ; |
00401CEC |. BA 02000000 MOV EDX, 2 ; |
00401CF1 |. E8 5E0F0700 CALL ; \CrackMe_.00472C54
00401CF6 |. 59 POP ECX
00401CF7 |. 84C9 TEST CL, CL
00401CF9 |. 0F84 83000000 JE

8. Continuing, I find the last important point. Here edx = edi - 0x1CA3 is converted to a string and saved into szTrueSerial:

00401D12 >|. 8B83 78030000 MOV EAX, DWORD PTR DS:[EBX+378] ; *TForm1.Edit3:TEdit (szSerial)
00401D18 |. E8 73B10400 CALL ; <== eax = Length(szSerial)
00401D1D |. 8D55 CC LEA EDX, DWORD PTR SS:[EBP-34]
00401D20 |. 52 PUSH EDX
00401D21 |. 8D97 5DE3FFFF LEA EDX, DWORD PTR DS:[EDI-1CA3] ; <== edx = edi - 0x1CA3
00401D27 |. 8D45 C8 LEA EAX, DWORD PTR SS:[EBP-38] ; <== szTrueSerial
00401D2A |. E8 E10E0700 CALL ; <== ConvertIntToString (&szTrueSerial, edx)
00401D2F |. FF46 1C INC DWORD PTR DS:[ESI+1C]
00401D32 |. 8D55 C8 LEA EDX, DWORD PTR SS:[EBP-38]
00401D35 |. 58 POP EAX
00401D36 |. E8 5D0F0700 CALL
00401D3B |. 50 PUSH EAX
00401D3C |. FF4E 1C DEC DWORD PTR DS:[ESI+1C]
00401D3F |. 8D45 C8 LEA EAX, DWORD PTR SS:[EBP-38]
00401D42 |. BA 02000000 MOV EDX, 2
00401D47 |. E8 080F0700 CALL
00401D4C |. FF4E 1C DEC DWORD PTR DS:[ESI+1C] ; |
00401D4F |. 8D45 CC LEA EAX, DWORD PTR SS:[EBP-34] ; |
00401D52 |. BA 02000000 MOV EDX, 2 ; |
00401D57 |. E8 F80E0700 CALL ; \CrackMe_.00472C54
00401D5C |. 59 POP ECX
00401D5D |. 84C9 TEST CL, CL
00401D5F |. 74 13 JE SHORT

9. And finally we reach the good boy:

00401D61 |. 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
00401D63 |. 68 EB714800 PUSH CrackMe_.004871EB ; |Title = "Correct!!by ZeroTen"
00401D68 |. 68 CA714800 PUSH CrackMe_.004871CA ; |Text = "Now post your solution/KeyGen ;)"
00401D6D |. 6A 00 PUSH 0 ; |hOwner = NULL
00401D6F >|. E8 404C0800 CALL ; \->UnrealizeObject.MessageBoxA()


//////////////////////////////////
// Keygen source code //
//////////////////////////////////
#include <windows.h>

// hDlg is the keygen dialog; szUserName is the name read from its edit box
void MakeKey(HWND hDlg, const char *szUserName)
{
    int iDefault = 0x1CA3;                 // 7331 decimal, the constant added at 00401A74
    int LenUser = lstrlen(szUserName);     // Length(szName)
    int Value, iTemp;
    char szPassWord[16], szSerial[16];

    // Calculate Value (mirrors the edi arithmetic traced in step 4)
    Value = 0;
    Value = LenUser + LenUser*4;           // LEA EDI,[ECX+ECX*4]
    Value = LenUser + Value*4;             // LEA EDI,[ECX+EDI*4]
    Value = Value * 8;                     // SHL EDI,3
    Value = Value - LenUser;               // SUB EDI,ECX
    Value = LenUser + Value*8;             // LEA EDI,[ECX+EDI*8]
    Value = Value + iDefault;              // ADD EDI,1CA3

    // Calculate szPassWord (00401CBB: edx = edi + 0x1CA3)
    iTemp = Value + iDefault;
    wsprintf(szPassWord, "%i", iTemp);

    // Calculate szSerial (00401D21: edx = edi - 0x1CA3)
    iTemp = Value - iDefault;
    wsprintf(szSerial, "%i", iTemp);

    SetDlgItemText(hDlg, IDC_PassWord, szPassWord);
    SetDlgItemText(hDlg, IDC_Serial, szSerial);
}

///////////////////////
The real key for my username:
Username : kienmanowar
Password : 29369
Serial : 14707
///////////////////////
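A standalone console keygen, added here as an example (it is neither the author's dialog keygen above nor the crackme's own code): it replays the edi arithmetic from step 4 one instruction per line, applies the + 0x1CA3 and - 0x1CA3 of steps 7 and 8, rejects names that fail the CMP ECX,4 / SETL check at 00401C62, and reproduces the key pair above for kienmanowar. Function names are my own.

```c
#include <stdio.h>
#include <string.h>

#define KEY_CONST 0x1CA3L  /* 7331 decimal: the constant at 00401A74, 00401CBB and 00401D21 */

/* Re-implements the register arithmetic traced at step 4.
   Returns -1 when the name fails the length check at 00401C62 (CMP ECX,4 / SETL AL). */
static long name_value(const char *name)
{
    long len = (long)strlen(name);   /* Length(szName), as read at 00401A57 */
    long edi;
    if (len < 4)
        return -1;                   /* "At least, more than 4 letters" nag path */
    edi = len + len * 4;             /* LEA EDI,[ECX+ECX*4]  ->    5*len */
    edi = len + edi * 4;             /* LEA EDI,[ECX+EDI*4]  ->   21*len */
    edi = edi * 8;                   /* SHL EDI,3            ->  168*len */
    edi = edi - len;                 /* SUB EDI,ECX          ->  167*len */
    edi = len + edi * 8;             /* LEA EDI,[ECX+EDI*8]  -> 1337*len */
    return edi + KEY_CONST;          /* ADD EDI,1CA3 */
}

/* szTruePassWord: edi + 0x1CA3 (00401CBB); -1 for a rejected name. */
long keygen_password(const char *name)
{
    long v = name_value(name);
    return v < 0 ? -1 : v + KEY_CONST;
}

/* szTrueSerial: edi - 0x1CA3 (00401D21); -1 for a rejected name. */
long keygen_serial(const char *name)
{
    long v = name_value(name);
    return v < 0 ? -1 : v - KEY_CONST;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "kienmanowar";  /* default: the name used in the write-up */
    long pw = keygen_password(name);
    if (pw < 0) {
        puts("At least, more than 4 letters");
        return 1;
    }
    printf("Username : %s\nPassword : %ld\nSerial   : %ld\n", name, pw, keygen_serial(name));
    return 0;
}
```

Note that only the name's length enters the calculation (the serial is simply 1337 * length), so every name of the same length gets the same password/serial pair.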

That’s all. Thanks for reading my tutorial.
Sorry for my bad English!!! 😐

–++–==[ Greatz Thanks To ]==–++–
My family, Computer_Angel, Moonbaby , Zombie_Deathman, Littleboy, Benina, QHQCrker,
the_Lighthouse, Merc, Hoadongnoi, Nini … all REA‘s members, TQN, HacNho, RongChauA,
Deux, tlandn, light.phoenix, dqtln, ARTEAM …. all my friends, and YOU.

–++–==[ Thanks To ]==–++–
iamidiot, WhyNotBar, trickyboy, dzungltvn, takada, hurt_heart, haule_nth, hytkl, moth, XIANUA, nhc1987 v..v..

I want to thank Teddy Roggers for his great site, Reversing.be folks(especially haggar),
Arteam folks(Shub-Nigurrath, MaDMAn_H3rCuL3s) and all folks on crackmes.de, thank
to all members of unpack.cn (especially fly and linhanshi). Great thanks to lena151(I like your tutorials).
And finally, thanks to RICARDO NARVAJA and all members on CRACKSLATINOS.

If you have any suggestions, comments or corrections email me: kienmanowar[at]reaonline.net