
Solving crackmes: part 2 (i can walk)

17 October 2013

Hello and welcome to part 2 of the cracking crackmes series. You can view part 1 here.

In this part we will actually touch the disassembler.
In case you are not familiar with OllyDBG or the idea of a disassembler, I suggest you check some disassembling tutorials before continuing.
I recommend this tutorial: Intro To Olly Debug

After reading that, download OllyDBG from here if you don’t have it already.
Then download the sample we are supposed to crack from here.

##################################################
Here is how I do it.

Step #1 The trial run:

This is the most boring step in all of reversing: you just keep running line by line until you get to the interesting part, whether it’s where the data is compared or where it’s calculated.
(Note: later I will teach you some tricks so you can sometimes save yourself some time and jump to the interesting parts instead of running all the long miles.)

So let’s run this thing. Keep pressing F8.
You will notice that once you hit this line and step over it (with F8), the program starts executing and asks you for a registration name and code.
We had no time to see what it actually did!

Let’s restart it and be more careful! Press CTRL+F2 to restart the application.

Keep pressing F8 until you see that line again:

0040C4AB E8 4055FFFF CALL FixedSec.004019F0

Instead of stepping over it (F8), step INTO it (F7).
Stepping over the line runs the whole call and you won’t be able to control it. Since it looks like we hit a function that does everything, we should dive into it: F7 follows the call into the function instead of executing it all at once.

Step #2 Down the rabbit hole:
We finally get inside the function that does all the magic.

Keep pressing F8 since we are already inside. Stepping over this line will make the program ask you for the registration name:

00401A26 E8 35440000 CALL FixedSec.00405E60

This will ask you for the serial

00401A51 E8 0A440000 CALL FixedSec.00405E60

You should step over both since they are not really interesting to us.
The program saves the strings you entered (name, serial) to compare later.
It then counts how many characters we have in the serial name so it can loop over it later.

Tip: You can monitor the changes that will happen to the string we just input by right clicking it down there and following it in the dump.

Keep pressing F8 till you see something that changes our input, either the registration name or the serial.

BAZINGA! We find something that loops over our registration name and changes it.

00401A70 – XOR BYTE PTR DS:[EDX+42CC5C],19

It XORs each character with 19 (OllyDBG shows the value in hex, so that is 0x19).

And now we end up with the registration name changed to “tuu” instead of “moo”

But that’s not everything it does. Keep pressing F8 till you see it changing our string again.
And it sure does.

It increases each byte of our string by one, shifting every character to the character after it (a will become b, b will become c, etc.):

INC BYTE PTR DS:[EDI+42CC5C]

I entered the registration name “moo” and the serial “123”.
What happens next is that it compares the first character of the new serial it created (the string we entered, XOR 19, plus 1) with the first character of the serial we entered.

CMP BYTE PTR DS:[EDI+42CC68],AL

Obviously it will fail and end prematurely, so let’s restart it and enter “uuu” instead of “123”.
Then run like we did till we come to this line again.

Ok we got the first character right now! *uwv*

We can now see what the right serial should be.

So it doesn’t do anything more to the other characters; they are handled exactly like the first character, just the XOR and the increment.

Let’s write the serial generator!

Step #3 Writing the keygen:
Again we will stick with Python, unless we can’t do it with Python.

You should do this yourself and then peek at my code; it’s a simple algorithm.

#!/usr/bin/env python3
regname = input('Enter your registration name: ')  # Get the registration name
serial = ""  # Serial
tmp = 0  # Temporary variable used in computing the serial
for char in regname:  # Loop over every character in the registration name
    tmp = ord(char) ^ 0x19  # Convert to int, then XOR it with 0x19
    tmp += 1  # Increment by one
    serial += chr(tmp)  # Convert to a character again and add it to our serial
print("Your serial is:", serial)

Trivia: The function that checks the value of the serial doesn’t really check the last character, so you can skip it. It’s a problem in the loop: the counter in the for condition should be increased by one, or the comparison sign changed from greater than to greater than or equals (against the count of characters).
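The trivia above, as an added example (not part of the original post and not the crackme's own code): a Python model of the check with the early-stopping loop next to a corrected one. The function names, the length test and the exact loop bounds are assumptions based on the description in this tutorial.

```python
# Added illustration: a model of the serial check described in this tutorial.
# Names, the length test and the loop bounds are assumptions, not disassembly.

def transform(name: bytes) -> bytes:
    """XOR each byte with 0x19, then add 1 (INC BYTE wraps at 0xFF)."""
    return bytes(((b ^ 0x19) + 1) & 0xFF for b in name)


def check_buggy(name: bytes, serial: bytes) -> bool:
    """Compare loop that stops one character early, as the trivia describes."""
    expected = transform(name)
    if len(serial) != len(expected):      # assumption: lengths must match
        return False
    for i in range(len(expected) - 1):    # bug: the last index is never compared
        if serial[i] != expected[i]:
            return False
    return True


def check_fixed(name: bytes, serial: bytes) -> bool:
    """Same check with the loop bound corrected to cover every character."""
    expected = transform(name)
    if len(serial) != len(expected):
        return False
    for i in range(len(expected)):        # fixed: every index is compared
        if serial[i] != expected[i]:
            return False
    return True


def wrongly_accepted(name: bytes) -> list:
    """Printable-ASCII serials the buggy check accepts but the fixed one rejects."""
    good = transform(name)
    out = []
    for last in range(0x20, 0x7F):
        candidate = good[:-1] + bytes([last])
        if check_buggy(name, candidate) and not check_fixed(name, candidate):
            out.append(candidate)
    return out


if __name__ == "__main__":
    name = b"moo"                         # name used in the walkthrough
    print("expected serial:", transform(name).decode())
    print(len(wrongly_accepted(name)), "serials accepted only by the buggy check")
```

In this model the last character is simply never looked at, which is why the off-by-one matters: a validation loop has to be tested on its final index as well as its first.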

That’s it ladies and gentlemen.
See you in the next parts.
