LaFarge's crackme v0.2
Target: LaFarge's crackme v0.2
Tools: OllyDbg
Rating: Beginner
Okay, here's another quick tutorial.
Open it up. The first thing we notice is that it has a tune playing, so we can disable that first so it doesn't become annoying :P
First, view the list of imported symbols (Ctrl+N). You should see a few imports of the form winmm.<label_name>.
Since we want to stop the music, we can check the MSDN library and find that winmm.waveOutWrite is the function used to play it in this case.
So we want to stop this function from working. Viewing the references to this function shows that it is called from only one location:
00401B3A |. 6A 20 PUSH 20
00401B3C |. 57 PUSH EDI
00401B3D |. FF35 40DC4000 PUSH DWORD PTR DS:[40DC40]
00401B43 |. E8 DC250000 CALL <JMP.&winmm.waveOutWrite>
From MSDN we know:
MMRESULT waveOutWrite(
HWAVEOUT hwo,
LPWAVEHDR pwh,
UINT cbwh
);
So we can disable the music by NOPing the instructions from 00401B3A through the CALL at 00401B43 (the three PUSHes together with the call, so the stack stays balanced).
Now we can get on with keygenning the prog ;)
First, we should identify the algorithm. There are several ways to find it: we can either search for functions associated with getting input from the user and work forwards, or find the good cracker/bad cracker messages and work backwards. Either works fine in this case; for ease, I will take the former approach.
Again, scan through the program's imported functions by pressing Ctrl+N. There are several notable functions. First there is SendMessage(). Although this function can be used for getting input, it is largely unhelpful here because there may be dozens of occurrences of SendMessage within the program (its function differs depending on the parameters). On further inspection we see lstrlen and lstrcpy. These two string functions are generally used when validating input data. Right-click the lstrlen line and find all references to this import. From here we can follow the first occurrence in the disassembler (in fact, both occurrences of this function are close together). Following this code should land us around here:
00401135 . 68 EA030000 PUSH 3EA ; /ControlID = 3EA (1002.)
0040113A . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
0040113D . E8 E2010000 CALL <JMP.&user32.GetDlgItem> ; \GetDlgItem
00401142 . 68 84634000 PUSH crackme.00406384 ; /lParam = 406384
00401147 . 6A 40 PUSH 40 ; |wParam = 40
00401149 . 6A 0D PUSH 0D ; |Message = WM_GETTEXT
0040114B . 50 PUSH EAX ; |hWnd
0040114C . E8 EB010000 CALL <JMP.&user32.SendMessageA> ; \SendMessageA
00401151 . 83F8 03 CMP EAX,3
00401154 . 77 18 JA SHORT crackme.0040116E
00401156 . 6A 10 PUSH 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
00401158 . 68 37634000 PUSH crackme.00406337 ; |Title = "Bad boy..."
0040115D . 68 0A624000 PUSH crackme.0040620A ; |Text = "Username must have at least 4 chars..."
00401162 . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner
00401165 . E8 C6010000 CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
0040116A . C9 LEAVE
0040116B . C2 1000 RETN 10
0040116E > 68 A46B4000 PUSH crackme.00406BA4 ; /String = "_r <()<1-Z2[l5,^"
00401173 . E8 06020000 CALL <JMP.&kernel32.lstrlenA> ; \lstrlenA
00401178 . A3 9C6B4000 MOV DWORD PTR DS:[406B9C],EAX
0040117D . 8BD8 MOV EBX,EAX
0040117F . 68 84634000 PUSH crackme.00406384 ; /String = ""
00401184 . E8 F5010000 CALL <JMP.&kernel32.lstrlenA> ; \lstrlenA
"
SendMessage" is being used, here, to get text from a control into a buffer. This text corresponds to the name you entered.
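As an added example (not part of the original tutorial), a small Python parser for the OllyDbg listing format shown above: it pairs each CALL with the PUSHes that feed it, reversing them into prototype order since stdcall pushes arguments right to left, and reads the `CMP EAX,3` / `JA` pair that follows the WM_GETTEXT call back into the "at least 4 chars" rule from the error message. The sample listing is taken from the lines above; `parse_line`, `extract_calls` and `username_min_length` are names I chose for this example.

```python
import re
# Constructed sample: the listing lines quoted in the tutorial above, in OllyDbg's own layout.
LISTING = """\
00401135 . 68 EA030000 PUSH 3EA ; /ControlID = 3EA (1002.)
0040113A . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
0040113D . E8 E2010000 CALL <JMP.&user32.GetDlgItem> ; \\GetDlgItem
00401142 . 68 84634000 PUSH crackme.00406384 ; /lParam = 406384
00401147 . 6A 40 PUSH 40 ; |wParam = 40
00401149 . 6A 0D PUSH 0D ; |Message = WM_GETTEXT
0040114B . 50 PUSH EAX ; |hWnd
0040114C . E8 EB010000 CALL <JMP.&user32.SendMessageA> ; \\SendMessageA
00401151 . 83F8 03 CMP EAX,3
00401154 . 77 18 JA SHORT crackme.0040116E"""

HEX = re.compile(r"^[0-9A-F]+$")
API = re.compile(r"<JMP\.&(\w+\.\w+)>")

def parse_line(line):
    """Split one Olly line into (address, mnemonic, operands, comment)."""
    code, _, comment = line.partition(";")
    toks = code.split()
    addr = toks.pop(0)
    # Skip the marker column ('.', '|.', '>') and even-length hex opcode bytes (assumes no mnemonic is one, e.g. FADD).
    while set(toks[0]) <= set(".|>") or (HEX.match(toks[0]) and len(toks[0]) % 2 == 0):
        toks.pop(0)
    return addr, toks[0], " ".join(toks[1:]), comment.strip()

def extract_calls(listing):
    """Pair each CALL with the PUSHes feeding it; args come back in prototype order."""
    calls, pushes = [], []
    for line in listing.splitlines():
        addr, mnem, ops, comment = parse_line(line)
        if mnem == "PUSH":  # Olly names the argument after '/' or '|' in the comment
            pushes.append((comment.lstrip("/|\\").split("=")[0].strip() or None, ops))
            continue
        if mnem == "CALL":  # stdcall pushes right-to-left, so reverse to prototype order
            calls.append({"addr": addr, "api": next(iter(API.findall(ops)), ops), "args": pushes[::-1]})
        pushes = []  # any non-PUSH instruction ends the argument run
    return calls

def username_min_length(listing):
    """Minimum name length enforced by 'CMP EAX,n / JA' after the WM_GETTEXT call."""
    after_gettext, threshold = False, None
    for line in listing.splitlines():
        _, mnem, ops, _ = parse_line(line)
        if mnem == "CALL":
            after_gettext = "SendMessageA" in ops
        elif mnem == "CMP" and after_gettext and ops.startswith("EAX,"):
            threshold = int(ops.split(",")[1], 16)  # Olly prints immediates in hex
        elif mnem == "JA" and threshold is not None:
            return threshold + 1  # EAX > n passes, so the name needs n+1 chars
```

Running `extract_calls(LISTING)` gives SendMessageA's arguments as (hWnd, Message, wParam, lParam), i.e. the C prototype order, and `username_min_length(LISTING)` returns 4.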
<continue>
Categories
CategoryTutorial