
Dynasty's ScrewMe #1
Download ScrewMe_#1_by_Dynasty.zip, 71 kb (password: crackmes.de)
Difficulty: 2 - Needs a little brain (or luck)
Solutions
Solution by Kalippan, published 05. Mar, 2008; download (82 kb), password: crackmes.de or browse.
Kalippan has rated this crackme as nothing special.
Discussion and comments
hound 02. Mar 2008 | Nice and easy one. Will post a solution if I have time to write it up :). |
---|---|
hound 02. Mar 2008 | Actually, upon writing the solution realised it doesn't quite work. There is a bug in this. When you are checking that all the comparisons were correct, the final one on the registration file doesn't work because you add 0x14 to the count, but you only ever increment the count 0x13 times when checking through the file.

Loop checking through file:

    004019F3 |> /83BD 38FFFFFF 12   /CMP [LOCAL.50],12              ; Loop 18 times
    004019FA |. |7F 34              |JG SHORT ScrewMe_.00401A30
    .....
    00401A21 |. 8D45 D0             |LEA EAX,[LOCAL.12]
    00401A24 |. FF00                |INC DWORD PTR DS:[EAX]
    .....
    00401A2E |.^\EB C3              \JMP SHORT ScrewMe_.004019F3

You only ever increment LOCAL.12 0x13 times at maximum, yet your logic below is expecting 0x14 times.

    00401A4B |. 8D0403              LEA EAX,DWORD PTR DS:[EBX+EAX]
    00401A4E |. 83C0 14             ADD EAX,14                      <== But from the loop, you can only get 13
    00401A51 |. 3945 D0             CMP [LOCAL.12],EAX

As it stands, you can never pass this check, because even if it is all correct you end up 1 short on this comparison. |
hound 02. Mar 2008 | So, are you saying I'm wrong, or just quoting the string in the file :)? |
Dynasty Author 02. Mar 2008 | Sorry... had to delete soychino's comment, saying too much for the ones who want to really try it out and reverse this themselves... ;( |
Dynasty Author 02. Mar 2008 | hound: for your info, it has already been keygenned by two people -- however, no tutorials yet, so I'm working on one myself, that I plan on putting up on my website meant for newbie reversers. Did you at least find a valid serial for your name though? |
HMX0101 03. Mar 2008 | @hound, you're wrong... you've probably seen that variable [LOCAL.12] is initialized as zero at the start of the routine:

    00401640 |. C745 D0 00000000      MOV [LOCAL.12],0                    ; |

But after the second sprintf it gets incremented by 1:

    00401851 |. 8D45 D0               LEA EAX,[LOCAL.12]                  ; |
    00401854 |. FF00                  INC DWORD PTR DS:[EAX]              ; |

So, the first check can be passed successfully... remember first part = 4, second part = 8... and the '1' which you've been missing :)

    4 + 8 + 1 = 13

Now the second part (keyfile), if you look at the code carefully you will see another 'incrementation' of this variable at this point:

    0040195B |. C74424 14 80000000    MOV DWORD PTR SS:[ESP+14],80        ; |
    00401963 |. C74424 10 03000000    MOV DWORD PTR SS:[ESP+10],3         ; |
    0040196B |. C74424 0C 00000000    MOV DWORD PTR SS:[ESP+C],0          ; |
    00401973 |. C74424 08 01000000    MOV DWORD PTR SS:[ESP+8],1          ; |
    0040197B |. C74424 04 00000080    MOV DWORD PTR SS:[ESP+4],80000000   ; |
    00401983 |. 8D85 68FFFFFF         LEA EAX,[LOCAL.38]                  ; |
    00401989 |. 890424                MOV DWORD PTR SS:[ESP],EAX          ; |
    0040198C |. E8 6F020000           CALL <JMP.&KERNEL32.CreateFileA>    ; \CreateFileA
    00401991 |. 83EC 1C               SUB ESP,1C
    00401994 |. A3 44504000           MOV DWORD PTR DS:[405044],EAX
    00401999 |. 833D 44504000 FF      CMP DWORD PTR DS:[405044],-1
    004019A0 |. 75 05                 JNZ SHORT ScrewMe_.004019A7
    004019A2 |. 8D45 D0               LEA EAX,[LOCAL.12]
    004019A5 |. FF00                  INC DWORD PTR DS:[EAX]

So, if the keyfile doesn't exist your variable will be increased by '1' again! and this time it's not good :) And if the keyfile contains the valid string, variable will be incremented by 19...

    13 + 19 = 32

There exists a bug?... no ;) |
Kalippan 03. Mar 2008 | I think there is another bug in this... give the name 'zzzzzzzzzz' can u find a valid serial for this one??.... there are 2 parts for the serial... rite? when the length of the first part reaches 5.. i think there is a bug in the comparing..... if u found a valid key plz send it 2 me... |
hound 04. Mar 2008 | @Dynasty, yes I wrote a keygen, the serial and the whole thing was very straightforward. @HMX0101. Thanks for the explanation. Not sure what went wrong when I stepped through it with a proper keyfile and serial, but may have a look at it again. Probably laziness not spotting a problem somewhere. The thing is, my serial passed the first test, but then after the keyfile and that final test (from which it incremented each time) it was 1 below. So, I don't see how I missed the '1' earlier. |
hound 04. Mar 2008 | Anyway, my approach probably wasn't best. I should have reviewed through it before raising a 'problem'. Was just in a bit of a rush. Thanks for the crackme Dynasty, and the advice HMX0101. |
Kalippan 04. Mar 2008 | i have submitted a solution |
Dynasty Author 05. Mar 2008 | Kalippan: --> Thanks for the little solution ;) was a pretty good job |
Kalippan 06. Mar 2008 | Good Crackme........... |
Dynasty Author 09. Mar 2008 | I submitted a keygen for it, waiting for the admins to validate it... I'm making a detailed tutorial but it's in French and I'm WAAAAAY too lazy to translate it :S |
xylitol 10. Mar 2008 | i like the cheat anti olly :] |
DrPepUr 12. Mar 2008 | I have a video solution @ http://video.reverse-engineering.net/index.php?cat=16 If anyone wants to check it out.. BTW Dynasty...nice keygenme! |
Dynasty Author 21. Mar 2008 | Thanks DrPepUr :) For the ones who wanna check it out here's the link to the tutorial (in French unfortunately for most of you) and the keygen: http://deezdynasty.xdir.org/cours/TutoScrewMe1.pdf http://deezdynasty.xdir.org/download/ScrewMe_#1_by_Dynasty.zips/keygen.zip Enjoy ;) |