Friday, April 29 2005 @ 04:04 PM CEST Contributed by: [N.T.G] Views: 2831
Level : newbie
Target : BoR0's 1st KeyGenme
get it here : crackme
Ok, this crackme was a lil difficult for me (I am a newbie) as I was not able to find a working solution for the FSTP mnemonic... in fact I was not able to get how a floating point number is rounded off to an integer. So I got it the other way. It was a nice learning for me, i.e. you can get the results from another algorithm if you know the algebra well; the knowledge of Arithmetic Progressions (A.P.) helped me a lot. The main part of the keygen is presented at the end.
This crackme was packed, but it was not hard to find the OEP.
Load it in Olly:
004175D0 > $ 60 PUSHAD <---------------We are at EP.
004175D1 . BE 00104100 MOV ESI,CRACKME3.00411000
004175D6 . 8DBE 0000FFFF LEA EDI,DWORD PTR DS:[ESI+FFFF0000]
004175DC . 57 PUSH EDI
004175DD . 83CD FF OR EBP,FFFFFFFF
004175E0 . EB 10 JMP SHORT CRACKME3.004175F2
004175E2 90 NOP
004175E3 90 NOP
004175E4 90 NOP
a bit of code cut here
You've done it! :-D"
004012E4 57 PUSH EDI
004012E5 FFD3 CALL EBX
004012E7 85F6 TEST ESI,ESI
004012E9 75 0F JNZ SHORT CRACKME3.004012FA
004012EB 6A 10 PUSH 10
004012ED 68 F8724000 PUSH CRACKME3.004072F8; ASCII "BoR0's 1st keygenme"
004012F2 68 0C734000 PUSH CRACKME3.0040730C; ASCII "Wrong serial!"
004012F7 57 PUSH EDI
004012F8 FFD3 CALL EBX
004012FA 33C0 XOR EAX,EAX
a bit of code cut here
004013B4 FF15 44904000 CALL DWORD PTR DS:
004013BA 59 POP ECX
004013BB 59 POP ECX
004013BC C3 RETN
004013BD 6A 60 PUSH 60 <-----------------OEP... we are here!!
004013BF 68 38734000 PUSH CRACKME3.00407338
004013C4 E8 DB110000 CALL CRACKME3.004025A4
004013C9 BF 94000000 MOV EDI,94
004013CE 8BC7 MOV EAX,EDI
004013D0 E8 2B130000 CALL CRACKME3.00402700
004013D5 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
004013D8 8BF4 MOV ESI,ESP
004013DA 893E MOV DWORD PTR DS:[ESI],EDI
So double click on the line "004012AA E8 51FDFFFF CALL CRACKME3.00401000",
coz this is the serial check routine. Now you would ask how did I know??
It's very simple: just look at the CMP before the Good Boy message.
004012D3 83FE 01 CMP ESI,1
We get to this line by a JNZ at
004012C2 75 0F JNZ SHORT CRACKME3.004012D3<------this one.
Moving up we see two calls, one at 004012B9 and the second at 004012AA.
By tracing into both calls I found out that 004012AA is the serial check.
The check routine is very long so I am not pasting it here; just see it yourself.
The code checks the length of our name many times, just to fool us maybe.
The check routine is like this:
var1 = length of name
var2 = second character of the name
var3 = var1/31.2 + 72
var3 is stored into memory as two integers (FSTP mnemonic!!!! check out the numbers in Olly);
let's call them var3A, var3B
var4 = 6th character of name (that's why the name should be > 5 chars)
Having calculated all these, it puts them in the wsprintf function; it's the same as the C function.
The string is "C%c32-B%co%fC%dR%d0%XE" always.
Because %f is not a valid format specifier for wsprintf, it is ignored; read the API help for
more. So only the first 5 parameters are used and the sixth one is discarded. May be a
Lastly the lowercase letters are converted to upper case, and there you go.
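The "two integers" the author sees after the FSTP are just the two 32-bit halves of the 8-byte IEEE-754 double that FSTP QWORD PTR writes to memory (low dword first on x86). The following is an added example, not code from the original post or from the crackme; it assumes the value is stored as a 64-bit double (an assumption, consistent with "two integers") and shows how to split var3 into var3A/var3B, how to recover the double from them, and how the FPU's default round-to-nearest-even differs from plain truncation when a value is converted to an integer.

```python
import struct


def double_to_dwords(x: float) -> tuple[int, int]:
    """Split a double into (low, high) 32-bit words, exactly as FSTP QWORD PTR
    lays it out in little-endian memory. Assumption: 8-byte double, not a
    10-byte extended store."""
    raw = struct.pack("<d", x)          # 8 bytes, little-endian IEEE-754 double
    lo, hi = struct.unpack("<II", raw)  # first dword = low half, second = high half
    return lo, hi


def dwords_to_double(lo: int, hi: int) -> float:
    """Reverse of double_to_dwords: rebuild the double from the two dwords
    seen in the debugger's memory dump."""
    return struct.unpack("<d", struct.pack("<II", lo, hi))[0]


def exponent_field(hi: int) -> int:
    """The 11-bit biased exponent lives in the top bits of the high dword
    (after the sign bit); useful for sanity-checking what you read in Olly."""
    return (hi >> 20) & 0x7FF


def fpu_round_to_int(x: float) -> int:
    """FIST/FISTP under the default control word rounds to nearest, ties to
    even; Python's round() uses the same banker's rounding."""
    return int(round(x))


def truncate_to_int(x: float) -> int:
    """What a C cast (float)->(int) or an FISTTP does: drop the fraction."""
    return int(x)


def var3_for_name(name: str) -> tuple[float, int, int]:
    """var3 as described in the post, with its two stored dwords.
    Constructed input: any name string; the 31.2 and 72 constants come from the post."""
    var3 = len(name) / 31.2 + 72
    lo, hi = double_to_dwords(var3)
    return var3, lo, hi


if __name__ == "__main__":
    var3, var3a, var3b = var3_for_name("somename")   # constructed sample name
    print(f"var3 = {var3!r}  var3A = {var3a:#010x}  var3B = {var3b:#010x}")
    print("rebuilt:", dwords_to_double(var3a, var3b))
    print("biased exponent:", exponent_field(var3b), "(0x405 means 2^6 range, i.e. 64..127)")
    for v in (72.5, 73.5, 72.9):
        print(v, "FPU round ->", fpu_round_to_int(v), " truncate ->", truncate_to_int(v))
```

Reading the two dwords from the debugger and feeding them to dwords_to_double is usually quicker than trying to reason about the FPU stack by hand; comparing fpu_round_to_int with truncate_to_int on a value like 72.5 shows why "how is it rounded" is the question that decides the last digit of a serial.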
The main algo of the serial check is given here.
I have calculated var3A and var3B (s1, s2) differently from the original algo, as I don't
believe in pasting the asm into the C++ source as most of the reversers do.
MessageBox(NULL,"The Name must be more than 5 chars","Error",NULL);