
Thread: Crackme Patched but finding correct serial not so easy

  1. #1

    Crackme Patched but finding correct serial not so easy

    Hello. I've recently been working on a crackme; its only rule was: do whatever you can to find the correct serial for your name. I have opened it in OllyDbg, had a look, and have so far managed to patch it so that it accepts any name with any serial! This does work 100%, however the aim is to find the one serial that works with the name you enter. Please can somebody help me?

    http://www.sendspace.com/file/z68eoe

    (the above is the download link for; the crackme in normal state, the crackme after patching and my notes on my work so far)

    thanks in advance
    DENiSON

  2. #2
    Opened in OllyDbg there are 2 strings entitled "GetDlgItemTextA".
    One is located at 00401070 and the other at 004010B2.
    I've tried putting a BP on both of these (because in many previous crackmes I've completed these have been name and serial grabbers). I then pressed F9 to run the crackme and entered:

    Username: DENiSON
    serial: 12345

    Once back in OllyDbg I scroll down and come to the following code:
    0040112B |. FF35 96424000 PUSH DWORD PTR DS:[404296]
    00401131 |. FF35 92424000 PUSH DWORD PTR DS:[404292]
    00401137 |. FF35 8E424000 PUSH DWORD PTR DS:[40428E]
    0040113D |. FF35 8A424000 PUSH DWORD PTR DS:[40428A]
    00401143 |. E8 4C100000 CALL simple1.00402194
    00401148 |. 68 0A414000 PUSH simple1.0040410A
    0040114D |. FF35 96424000 PUSH DWORD PTR DS:[404296]
    00401153 |. E8 0A040000 CALL simple1.00401562
    00401158 |. 68 8A414000 PUSH simple1.0040418A ; /String2 = ""
    0040115D |. 68 0A414000 PUSH simple1.0040410A ; |String1 = ""
    00401162 |. E8 CB110000 CALL <JMP.&KERNEL32.lstrcmpA> ; \lstrcmpA
    00401167 |. 85C0 TEST EAX,EAX
    00401169 |. 74 16 JE SHORT simple1.00401181
    0040116B |> 68 4E404000 PUSH simple1.0040404E ; /Text = "wrong serial"
    00401170 |. 68 EA030000 PUSH 3EA ; |ControlID = 3EA (1002.)
    00401175 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
    00401178 |. E8 DF110000 CALL <JMP.&USER32.SetDlgItemTextA> ; \SetDlgItemTextA
    0040117D |. C9 LEAVE
    0040117E |. C2 1000 RETN 10
    00401181 |> 68 44404000 PUSH simple1.00404044 ; /Text = "well done"
    00401186 |. 68 EA030000 PUSH 3EA ; |ControlID = 3EA (1002.)
    0040118B |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
    0040118E |. E8 C9110000 CALL <JMP.&USER32.SetDlgItemTextA> ; \SetDlgItemTextA
    00401193 |> 817D 10 EC0300>CMP DWORD PTR SS:[EBP+10],3EC

    String1 and String2 appear to be waiting for input, so I tried pressing F9 and F9 again and got the following text:
    00401158 |. 68 8A414000 PUSH simple1.0040418A ; /String2 = "#"
    0040115D |. 68 0A414000 PUSH simple1.0040410A ; |String1 = " p„<VxFw{f !u˜"
    00401162 |. E8 CB110000 CALL <JMP.&KERNEL32.lstrcmpA> ; \lstrcmpA

    I believe this to be comparing the serial we entered with the real serial; however, when trying these in the crackme it still says wrong serial. So do I need to convert to hex or decimal or something like that to reveal the serial in its true form?

  3. #3
    If it's using strcmp (string compare) you shouldn't have to do any conversion, as what you're typing in is a string. However, 'p<VxFw{f !u' sounds more like garbage data to me than a string, which says something is wrong.

  4. #4
    Squidge: thanks for your reply. I at first myself thought it to be garbage data, but the only reason I suspect it not to be is that the line p„<VxFw{f !u˜ changes with each different name and serial I enter, which is why I assumed that the debugger must be comparing the serial we enter with this (which could be "the correct serial").

  5. #5
    I've just had a quick look at the crackme and you seem to be correct. It generates a 32-bit hex value for the username (you can see the generation shortly after the GetDlgItem call) and then calls a slightly more complex routine to generate a binary hash of the serial. If both end up being the same value, then it congratulates you.

    Obviously since both are hashes, neither is the correct serial - you have to work the serial routine backwards to find out the string to put in to generate the same hash as the username does.
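Post #5 describes the check as a 32-bit hash of the username compared against a hash of the serial, with the comparison done by the lstrcmpA call at 00401162. The C below is an added example, not the crackme's code: the two hash routines are constructed stand-ins (the real algorithms are not on the page), and it shows the shape of that check plus a caveat for anyone writing one, namely that handing raw hash bytes to a C-string compare stops at the first zero byte, so the effective comparison can be much weaker than 32 bits.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the username routine (the crackme's real
   algorithm is not on the page): a 32-bit multiplicative hash. */
static uint32_t name_hash(const char *name)
{
    uint32_t h = 0;
    for (; *name; name++)
        h = h * 31u + (unsigned char)*name;
    return h;
}

/* Constructed stand-in for the serial routine: different constants. */
static uint32_t serial_hash(const char *serial)
{
    uint32_t h = 0x1234u;
    for (; *serial; serial++)
        h = (h ^ (unsigned char)*serial) * 16777619u;
    return h;
}

/* How the crackme appears to compare: the raw hash bytes sit in a buffer
   that is handed to lstrcmpA (strcmp stands in for it here). A C-string
   compare stops at the first zero byte, so two hashes that agree up to a
   zero byte compare equal even though the remaining bytes differ. */
static int weak_equal(uint32_t a, uint32_t b)
{
    char ba[5] = {0}, bb[5] = {0};
    for (int i = 0; i < 4; i++) {
        ba[i] = (char)(a >> (8 * i));  /* little-endian, as x86 stores a DWORD */
        bb[i] = (char)(b >> (8 * i));
    }
    return strcmp(ba, bb) == 0;
}

/* The comparison the author presumably intended: all 32 bits must match. */
static int strict_equal(uint32_t a, uint32_t b) { return a == b; }

/* strict = 0 mimics the crackme's check, strict = 1 the corrected one. */
static int check_serial(const char *name, const char *serial, int strict)
{
    uint32_t hn = name_hash(name), hs = serial_hash(serial);
    return strict ? strict_equal(hn, hs) : weak_equal(hn, hs);
}
```

With the hash values 0x00004142 and 0x99004142 the byte buffers are 42 41 00 00 and 42 41 00 99, so weak_equal accepts them while strict_equal does not.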
