Immortal Descendants CrackMe 4.0
Tutorial version 1.0 (4 April 99) by Lucifer48

===============
1. INTRODUCTION
===============

We go into the code with a BPX HMEMCPY, a few F12/F10, and we are here:

  XXXX:00402260  PUSH EBX                      ;handle of the crackme's window
  XXXX:00402261  PUSH 0040BE28                 ;serial
  XXXX:00402266  PUSH 0040BDE0                 ;group
  XXXX:0040226B  PUSH 0040BF30                 ;name
  XXXX:00402270  CALL 00401CF0                 ;Everything is there!
  XXXX:00402275  ADD ESP,10                    ;*pop pop pop pop*
  XXXX:00402278  CMP WORD PTR [0040BE20],28    ;If FFFF, our serial is a bad one
  XXXX:00402280  JNZ 004022A0

Well, let's go into call 00401CF0...

============================
2. HOLD ON! JUST A MINUTE...
============================

First, bypass the check on the number of tries: 3 chances for solving this crackme is not enough. In the code:

  XXXX:004022A0  MOV AX,[0040A074]             ;number of tests already done
  XXXX:004022A6  INC AX
  XXXX:004022A8  MOV [0040A074],AX             ;save
  XXXX:004022AE  CMP AX,0003
  XXXX:004022B2  JNZ 004022E6                  ;3 tests = Button "Validate" disabled

We change INC AX into NOP NOP and it's all right. For those who want to put in AX a value >3, TORN@ADO thought about this. A MessageBox appears: "You're using a window editing tool like THE CUSTOMISER You have had 3 chances for entering the right code! Do you think that's fair?"

==================
3. LET'S CMP [1/5]
==================

Going into the call 00401CF0 ...

  XXXX:00401CF9  CALL 004019F0                 ;small and useless
  XXXX:00401CFE  ADD ESP,04                    ;pop-pop
  XXXX:00401D01  PUSH EBX
  XXXX:00401D02  CALL 00401720                 ;HERE!
  XXXX:00401D07  ADD ESP,04
  XXXX:00401D0A  CMP EAX,01
  XXXX:00401D0D  JZ 00401D1D                   ;to go further we must have EAX=1
  XXXX:00401D0F  MOV WORD PTR [0040BE20],FFFF  ;bad serial!
  ...
  XXXX:00401D1C  RET                           ;ret

We must exit the CALL 00401720 with EAX=1:

  XXXX:00401722  MOV ESI,[ESP+0C]              ;d ESI : our serial
  XXXX:00401726  PUSH EDI
  XXXX:00401727  MOV AL,[ESI+01]               ;read the 2nd character
  XXXX:0040172A  MOV CL,[ESI+02]               ;read the 3rd character
  XXXX:0040172D  XOR AL,49
  XXXX:0040172F  XOR CL,44
  XXXX:00401732  MOVSX EAX,AL
  XXXX:00401735  MOV DL,[ESI+03]               ;read the 4th character
  XXXX:00401738  MOV BL,[ESI]                  ;read the 1st character
  XXXX:0040173A  XOR DL,39
  XXXX:0040173D  XOR BL,54
  XXXX:00401740  MOVSX ECX,CL
  XXXX:00401743  MOVSX EDI,DL
  XXXX:00401746  MOV DL,[ESI+04]               ;read the 5th character
  XXXX:00401749  XOR DL,39

Then, 5 CMP; if everything goes right then EAX=1, otherwise EAX=0:

  CMP BL,1D    ( 1D XOR 54 = 49 [I] )
  CMP EAX,0D   ( 0D XOR 49 = 44 [D] )
  CMP ECX,07   ( 07 XOR 44 = 43 [C] )
  CMP EDI,0D   ( 0D XOR 39 = 34 [4] )
  CMP EDX,09   ( 09 XOR 39 = 30 [0] )

At the end of CALL 00401720, the beginning of the serial is IDC40. Continue in 00401D1D.

==================================
4. LET'S CMP [2/5] : XOR MY FRIEND
==================================

  XXXX:00401D2D  CALL 00401A20                 ;100% useless
  XXXX:00401D32  ADD ESP,10
  XXXX:00401D35  PUSH EBX
  XXXX:00401D36  CALL 00401790
  XXXX:00401D3B  ADD ESP,10
  XXXX:00401D3E  CMP EAX,01
  XXXX:00401D41  JZ 00401D51                   ;the same as above...
  XXXX:00401D43  MOV WORD PTR [0040BE20],FFFF  ;bad serial...
  ...
  XXXX:00401D50  RET                           ;ret

Our goal: exit the call 00401790 with EAX=01.

  XXXX:00401790  MOV EAX,[ESP+04]              ;d EAX : our serial
  XXXX:00401794  PUSH EBX
  XXXX:00401795  PUSH ESI
  XXXX:00401796  MOV CL,[EAX+07]               ;read the 8th character
  XXXX:00401799  XOR CL,52
  XXXX:0040179C  MOV DL,[EAX+08]               ;read the 9th character
  XXXX:0040179F  XOR DL,45
  XXXX:004017A2  MOV BL,[EAX+09]               ;read the 10th character
  XXXX:004017A5  XOR BL,53
  XXXX:004017A8  MOV AL,[EAX+06]               ;read the 7th character
  XXXX:004017AB  MOVSX ECX,CL
  XXXX:004017AE  MOVSX EDX,DL
  XXXX:004017B1  MOVSX ESI,BL
  XXXX:004017B4  XOR AL,54

Then (again), a few CMP:

  CMP AL,11    ( 11 XOR 54 = 45 [E] )
  CMP ECX,06   ( 06 XOR 52 = 54 [T] )
  CMP EDX,07   ( 07 XOR 45 = 42 [B] )
  CMP ESI,1F   ( 1F XOR 53 = 4C [L] )

End of call 00401790, with EAX=1. For the moment, our serial looks like IDC40*ETBL***... where "*" is any character. Go on at XXXX:00401D51.
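The two fixed-position checks of parts 3 and 4 (CALL 00401720 and CALL 00401790), rewritten in C as an added example that is not the crackme's code: the table of XOR/CMP constants is copied from the listings above, and the names fixed_positions_ok and fixed_template are mine.

```c
/* Added example: the fixed-position checks of CALL 00401720 / CALL 00401790.
 * Each serial byte is XORed with a constant and compared with a constant,
 * so the expected character is simply cmp_value ^ xor_key. */
#include <stddef.h>
#include <string.h>

struct fixed_check {
    size_t pos;          /* 0-based index into the serial */
    unsigned char key;   /* XOR constant from the listing */
    unsigned char want;  /* CMP constant from the listing */
};

/* Constants as they appear in the listings for positions 0-4 and 6-9. */
static const struct fixed_check CHECKS[] = {
    {0, 0x54, 0x1D}, {1, 0x49, 0x0D}, {2, 0x44, 0x07}, {3, 0x39, 0x0D}, {4, 0x39, 0x09},
    {6, 0x54, 0x11}, {7, 0x52, 0x06}, {8, 0x45, 0x07}, {9, 0x53, 0x1F},
};
#define NCHECKS (sizeof CHECKS / sizeof CHECKS[0])

/* What the crackme does: returns 1 (EAX=1) only if every checked byte matches. */
int fixed_positions_ok(const char *serial)
{
    if (strlen(serial) < 10)          /* the listing reads up to [serial+9] */
        return 0;
    for (size_t i = 0; i < NCHECKS; i++) {
        /* MOVSX then CMP against a small positive constant: a byte with the
         * high bit set can never match, so comparing the raw XOR is equivalent. */
        unsigned char v = (unsigned char)serial[CHECKS[i].pos] ^ CHECKS[i].key;
        if (v != CHECKS[i].want)
            return 0;
    }
    return 1;
}

/* Recover the expected characters from the constants: fills out[] with the
 * template "IDC40*ETBL", where '*' marks a position the code never reads. */
void fixed_template(char out[11])
{
    memset(out, '*', 10);
    out[10] = '\0';
    for (size_t i = 0; i < NCHECKS; i++)
        out[CHECKS[i].pos] = (char)(CHECKS[i].want ^ CHECKS[i].key);
}
```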
=============================
5. LET'S CMP [3/5] : THE DATE
=============================

  XXXX:00401D51  PUSH EBX
  XXXX:00401D52  CALL 004017E0                 ;HERE
  XXXX:00401D57  ADD ESP,04
  XXXX:00401D5A  CMP EAX,01
  XXXX:00401D5D  JZ 00401D6D
  XXXX:00401D5F  MOV DWORD PTR [0040BE20],FFFF
  ...
  XXXX:00401D6C  RET                           ;ret

We must (again) exit the CALL 004017E0 with EAX=1.

  ...
  XXXX:00401851  PUSH EAX                      ;d EAX : the 4 last characters of my serial
  XXXX:00401852  CALL 00403480                 ;DEC->HEX. Result in EAX.
  XXXX:00401857  ADD ESP,04
  XXXX:0040185A  MOV ESI,EAX                   ;save the result
  XXXX:0040185C  CALL 004016A0                 ;HERE! (GetLocalTime...)
  XXXX:00401861  SUB EAX,ESI
  XXXX:00401863  POP EDI
  XXXX:00401864  POP ESI
  XXXX:00401865  CMP EAX,01
  XXXX:00401868  SBB EAX,EAX                   ;we must have CF=1
  XXXX:0040186A  ADD ESP,04
  XXXX:0040186D  NEG EAX                       ;NEG FFFFFFFF = 00000001
  XXXX:0040186F  RET

In the call 004016A0:

  XXXX:004016A8  PUSH EAX
  XXXX:004016A9  CALL [KERNEL32!GetLocalTime]  ;TORN@DO likes this call...
  XXXX:004016AF  XOR EDX,EDX
  XXXX:004016B1  XOR EAX,EAX
  XXXX:004016B3  MOV DX,[ESP+06]               ;month
  XXXX:004016B8  XOR ECX,ECX
  XXXX:004016BA  MOV AX,[ESP+0A]               ;day
  XXXX:004016BF  IMUL EDX,EAX
  XXXX:004016C2  MOV CX,[ESP+0E]               ;minute
  XXXX:004016C7  MOV EAX,[ESP+0C]              ;hour
  XXXX:004016CB  AND EAX,0000FFFF
  XXXX:004016D0  IMUL EAX,ECX
  XXXX:004016D3  MOVSX ECX,BYTE PTR [0040BF60] ;1st letter of (*)
  XXXX:004016DA  ADD EDX,EAX
  XXXX:004016DC  MOV EAX,[ESP+04]              ;year
  XXXX:004016E0  SUB EDX,ECX
  XXXX:004016E2  AND EAX,0000FFFF
  XXXX:004016E7  LEA ESI,[EAX+EDX]
  XXXX:004016EA  PUSH ESI                      ;save the result
  XXXX:004016EB  CALL 00401290                 ;Soft Ice (for win95/98) installed ?
  XXXX:004016F0  ADD ESP,04
  XXXX:004016F3  TEST EAX,EAX
  XXXX:004016F5  JZ 004016FD
  XXXX:004016F7  ADD ESI,00000143              ;if "si95" is installed ESI=ESI+143
  XXXX:004016FD  PUSH ESI
  XXXX:004016FE  CALL 004012D0                 ;Soft Ice (for winNT) installed ?
  XXXX:00401703  ADD ESP,04
  XXXX:00401706  TEST EAX,EAX
  XXXX:00401708  JZ 00401710
  XXXX:0040170A  ADD ESI,00000271              ;if "siNT" is installed ESI=ESI+271
  XXXX:00401710  MOV EAX,ESI
  XXXX:00401712  POP ESI
  XXXX:00401713  ADD ESP,10
  XXXX:00401716  RET                           ;ret

(*) [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
    "RegisteredOwner"="LuCiFeR48"

So the 4 last characters of our serial are the encryption of the date, plus whether Soft-Ice is installed. There is a new serial every minute! Continue in XXXX:00401D6D.
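The value computed by CALL 004016A0 and the CMP/SBB/NEG idiom of CALL 004017E0, rewritten in C as an added example that is not the crackme's code. The struct local_time fields mirror the SYSTEMTIME offsets the listing reads, the si95/sint flags stand in for the results of CALL 00401290 and CALL 004012D0, and all function names here are mine.

```c
/* Added example: the date check of part 5. date_value() mirrors CALL 004016A0,
 * sbb_neg_is_zero() mirrors the CMP EAX,01 / SBB EAX,EAX / NEG EAX tail. */
#include <stdint.h>
#include <stdlib.h>

struct local_time { uint16_t year, month, day, hour, minute; };

/* ESI = year + month*day + hour*minute - first letter of RegisteredOwner,
 * then +0x143 if the win95/98 Soft-Ice is found and +0x271 if the NT one is. */
uint32_t date_value(const struct local_time *t, char owner_first, int si95, int sint)
{
    uint32_t v = (uint32_t)t->month * t->day;      /* IMUL EDX,EAX */
    v += (uint32_t)t->hour * t->minute;            /* IMUL EAX,ECX ; ADD EDX,EAX */
    v -= (uint32_t)(int32_t)(int8_t)owner_first;   /* MOVSX ECX,... ; SUB EDX,ECX */
    v += t->year;                                  /* LEA ESI,[EAX+EDX] */
    if (si95) v += 0x143;                          /* ADD ESI,00000143 */
    if (sint) v += 0x271;                          /* ADD ESI,00000271 */
    return v;
}

/* CMP EAX,01 / SBB EAX,EAX / NEG EAX: EAX becomes 1 only when EAX was 0,
 * i.e. only when the decimal tail of the serial equals the computed value. */
int sbb_neg_is_zero(uint32_t eax)
{
    uint32_t cf = eax < 1;          /* CMP sets CF when EAX is below 1 (unsigned) */
    uint32_t r = 0 - cf;            /* SBB EAX,EAX -> 0 or 0xFFFFFFFF */
    return (int)(0 - r);            /* NEG -> 0 or 1 */
}

/* The whole check of CALL 004017E0: parse the serial tail as decimal (the
 * DEC->HEX call) and compare it with the date value. */
int date_check_ok(const char *tail, const struct local_time *t, char owner_first,
                  int si95, int sint)
{
    uint32_t esi = (uint32_t)strtoul(tail, NULL, 10);    /* CALL 00403480 */
    return sbb_neg_is_zero(date_value(t, owner_first, si95, sint) - esi);
}
```

Because minute enters the product, the accepted tail changes every minute, and the Soft-Ice probes shift it by a constant, which is why a debugger has to be hidden or the tail recomputed for the expected value.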
====================================================
6. LET'S CMP [4/5] : FirstInstallDateTime OF WINDOWS
====================================================

  XXXX:00401D71  CALL 00401B70                 ;useless
  XXXX:00401D76  ADD ESP,10
  XXXX:00401D79  MOV EAX,[0040C380]
  XXXX:00401D7E  PUSH EAX
  XXXX:00401D7F  PUSH EBX
  XXXX:00401D80  CALL 00401870                 ;HERE
  XXXX:00401D85  ADD ESP,08
  XXXX:00401D88  CMP EAX,01
  XXXX:00401D8B  JZ 00401D9B                   ;must have EAX=1
  XXXX:00401D8D  MOV WORD PTR [0040BE20],FFFF
  ...
  XXXX:00401D9A  RET                           ;return (bad cracker)

Let's explore the call 00401870. (**) copies a part of the serial, from the 6th character to the 12th character (included), so 7 digits.

  ...
  XXXX:004018BB  LEA EAX,[ESP+10]              ;a part of our serial (**)
  ...                                          ;then DEC=>HEX
  XXXX:004018EE  CALL 00403559                 ;gives a hex number
  XXXX:004018F3  SUB EAX,ESI                   ;we must have EAX=ESI to win!
  XXXX:004018F5  POP EBP
  XXXX:004018F6  POP EDI
  XXXX:004018F7  CMP EAX,01
  XXXX:004018FA  SBB EAX,EAX
  XXXX:004018FC  POP ESI
  XXXX:004018FD  NEG EAX
  XXXX:004018FF  POP EBX
  XXXX:00401900  ADD ESP,64
  XXXX:00401803  RET                           ;end of call 00401870

A few words on the call 00403559 ...

  XXXX:004018CA  MOV EAX,[0040BEFC]            ;(#)
  XXXX:004018CF  MOV [ESP+10],EAX
  XXXX:004018D3  MOV DWORD PTR [ESP+14],00000000
  XXXX:004018DB  FILD QWORD PTR [ESP+10]       ; What are those instructions?
  XXXX:004018E1  CALL 00403559                 ;
  XXXX:004018E6  FMUL REAL8 PTR [00409020]     ; I don't understand those lines
  XXXX:004018EC  FSUBP ST(1),ST                ; help me!
  XXXX:004018EE  CALL 0040264C                 ;
  XXXX:004018F3  SUB EAX,ESI                   ;subtract the result from our hex number
  ...
  RET

(#) This number is from the 4 bytes read in [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion] "FirstInstallDateTime".

And a small modification...

  XXXX:00401E70  MOV EBP,[USER32!wsprintfA]
  XXXX:00401E76  PUSH EAX                      ;the 4 bytes of "FirstInstallDateTime"
  XXXX:00401E77  PUSH 0040A6C8
  XXXX:00401E7C  PUSH 0040BF90                 ;area for the result
  XXXX:00401E81  CALL EBP

The result (in EAX) of the call 00403559 must be converted to hex and must appear in the serial.

Example, for me:   IDC40-ETBL22226617393-xxxx
                   ----- ----    ------- ----
                   [1/5] [2/5]   [4/5]   [3/5]     (LET'S CMP parts)

  -    : any character
  xxxx : to replace by the result of the encryption of the date (changes every minute)
         (put a BPX at 00401865, R EAX=0, and go on...)

Next, in XXXX:00401D9B.
==========================================
7. LET'S CMP [5/5] : Encryption Name+Group
==========================================

  XXXX:00401D9F  CALL 00401C30                 ;useless
  XXXX:00401DA4  ADD ESP,10
  XXXX:00401DA7  PUSH EBX
  XXXX:00401DA8  CALL 00401910                 ;HERE
  XXXX:00401DAD  ADD ESP,04
  XXXX:00401DB0  CMP EAX,01
  XXXX:00401DB3  JZ 00401DC3                   ;the end of the crackme!
  XXXX:00401DB5  MOV WORD PTR [0040BE20],FFFF
  ...
  XXXX:00401DC2  RET

At XXXX:00401DC3, it's the end of the crackme. But before... let's visit the call 00401910.

  ...
  XXXX:00401972  LEA EDX,[ESP+08]              ;D EDX : a part of our serial (***)
  XXXX:00401976  PUSH EAX
  XXXX:00401977  CALL 00403480                 ;DEC=>HEX (result in EAX)
  XXXX:0040197C  ADD ESP,04                    ;pop
  XXXX:0040197F  MOV EDI,EAX                   ;save the result in EDI
  XXXX:00401981  CALL 00401590                 ;In EAX, a new hex number (a few +)
  XXXX:00401986  MOV ESI,EAX
  XXXX:00401988  CALL 00401540                 ;In EAX, a new hex number ("RegisteredOwner")
  XXXX:0040198D  XOR ESI,EAX
  XXXX:0040198F  PUSH 0040BDE0                 ;group
  XXXX:00401994  PUSH 0040BF30                 ;name
  XXXX:00401999  CALL 004015E0
  XXXX:0040199E  ADD ESP,08
  XXXX:004019A1  ADD EAX,ESI

then:

  EAX=EAX*DB (EAX times 219)
  ECX=4*ECX
  ECX=ECX-EAX
  ECX=64*ECX
  ECX=ECX-EAX
  ECX=2*ECX

  XXXX:004019B8  MOV [ESP+08],ECX

(***) The serial is (definitively) like:

  IDC40-ETBL-24654564564-6617393-xxxx
             -----------
             LET'S CMP [5/5]

In 00401972, d EDX: you see 24654564564.

About the call 00401540: it adds every character of the "RegisteredOwner" (except the last).
Example for me:

  ------IDCRKME40!.data+1F60-----------------------------------------------------
  XXXX:0040BF60 4C 75 43 69 46 65 52 34 38 00 00 00 00 00 00 00  LuCiFeR48......

  4C+75+43+69+46+65+52+34 = 29E = result in EAX

About the call 00401590: the position number of each character of the "RegisteredOwner" (except the last) is multiplied by 2, and all of these are added.
Example: 1*2 + 2*2 + 3*2 + 4*2 + 5*2 + 6*2 + 7*2 + 8*2 = (1+2+3+4+5+6+7+8)*2 = 24*2 = 48
With letters: if 'n' is the length of the "RegisteredOwner" string, we've got the formula (n-1)*n. Length of "LuCiFeR48" = 9, and so 9*8=48.
Note: everything is calculated in hex.

A few words on the call 004015E0: each character (except the last) is multiplied by A29 and added. We add the ASCII value of the characters of the group (except the last). The result is multiplied by B (11) [...]
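The two "RegisteredOwner" hashes described for CALL 00401540 and CALL 00401590, and the XOR that combines them at 0040198D, rewritten in C as an added example that is not the crackme's code. It models only what the text states (CALL 004015E0 is left out because it is only sketched); the function names are mine, and the formula function is there to confirm the (n-1)*n shortcut against the summed version.

```c
/* Added example: the RegisteredOwner hashes of part 7. Values are plain
 * integers, so "everything is calculated in hex" only affects how you print them. */
#include <stdint.h>
#include <string.h>

/* CALL 00401540: sum of the ASCII values of every character except the last. */
uint32_t owner_char_sum(const char *owner)
{
    size_t n = strlen(owner);
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < n; i++)
        sum += (unsigned char)owner[i];
    return sum;
}

/* CALL 00401590 as the text describes it: 1*2 + 2*2 + ... + (n-1)*2. */
uint32_t owner_position_sum(const char *owner)
{
    size_t n = strlen(owner);
    uint32_t sum = 0;
    for (uint32_t i = 1; i < n; i++)
        sum += i * 2;
    return sum;
}

/* The closed form given in the text for the same value: (n-1)*n. */
uint32_t owner_position_formula(const char *owner)
{
    uint32_t n = (uint32_t)strlen(owner);
    return n == 0 ? 0 : (n - 1) * n;
}

/* ESI after XOR ESI,EAX at 0040198D: position sum XOR character sum. */
uint32_t owner_esi(const char *owner)
{
    return owner_position_sum(owner) ^ owner_char_sum(owner);
}
```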
  ...
  XXXX:004019C4  FILD QWORD PTR [ESP+08]       ;
  XXXX:004019C8  FLD ST(0)                     ;
  XXXX:004019CA  FSIN                          ; I don't understand this!
  XXXX:004019CC  FMUL REAL8 PTR [00409028]     ;
  XXXX:004019D2  FSUBP ST(1),ST                ;
  XXXX:004019D4  CALL 0040264C                 ;
  XXXX:004019D9  SUB EAX,EDI                   ;subtract the result from our hex number
  ...
  XXXX:004019DD  CMP EAX,01                    ;EAX=00 = good serial
  XXXX:004019E0  SBB EAX,EAX
  XXXX:004019E2  ADD ESP,64
  XXXX:004019E5  NEG EAX
  XXXX:004019E7  RET

=========================
8. FINALLY: MY OWN SERIAL
=========================

Name:   Lucifer48
Group:  None
Serial: IDC40-ETBL-605573733-6617393-xxxx

xxxx: to replace by the encrypted date (see part 5. LET'S CMP [3/5])

/* FirstInstallDateTime: E1 B1 39 25
   RegisteredOwner: LuCiFeR48 */