28 October 2010

fabsys's Prolixe-KeygenMe#1 explained

Another easy crackme explained...
Download fabsys's Prolixe-KeygenMe#1 from crackmes.de
Download the OllyDbg tool for Windows

Open the keygenme and read the instructions (run the binary). A MsgBox says "KeygenMe and delete this window good luck!!!"

The first part of this tutorial explains how to crack the application without generating any keygen (I will do the keygen another time).

Try to get the "bad boy" (a simple window that says that your serial is invalid); this is it:
First part: remove the hello window messagebox...

This is the easiest part: select from PUSH 40 to the CALL, right-click and choose "Binary" => "Fill with NOPs".

Save to a new file... right-click and choose "Copy to executable" => "All modifications".

In the new Dump window right-click again, choose "Save file" and save as "Keygen_cracked_step1.exe".

Try this new binary and enjoy it without the on-start messagebox.

Open this new file in OllyDbg...

The second step, the "bad boy" hunt:

Run the program normally, fill "Your name:" and "Your serial:" with some garbage (the typical "aaaa" is fine) and click "Generate". You will see the "bad boy" in a MessageBox (like the one at the start); click "Ok" to return to the main screen.

In OllyDbg click "Executable modules" in the "View" menu (if the list is empty, right-click and choose "Actualize").

This list shows all the modules used by the application...

Little trick: if it looks like a duck, it's probably a duck.

A message box is a standard user32.dll call; read more about MessageBox in the MSDN documentation.

Select the user32 module and click "View names"; this lists all the functions exported by user32.dll. Search for "MessageBoxA", right-click it and select "Toggle breakpoint" (the line turns red).

Switch to the Prolixe KeygenMe again and click the "Generate" button.

The program stops and control returns to OllyDbg: the breakpoint has been hit, inside the user32.dll module.

Click on the button "Execute till return (Ctrl+F9)" in the main window toolbar.

Switch to the keygen window and click the "Ok" button of the "bad boy" messagebox. OllyDbg stops again, on the last user32 instruction before returning (via the stack) to the main code; click "Step into (F7)" on the main OllyDbg toolbar.

Now the CPU window is back in the Keygen_c main module, just after the call to MessageBoxA in user32.dll, with the "bad boy" code at the top.

Select the first instruction of the MessageBoxA call, the one with a " => " on it.

Right-click and choose "Find references to" => "Selected command (Ctrl+R)". A new window opens with all the references (only two).

The last one, "PUSH 0", is the origin line; the other, "JNZ SHORT Keygen_c.xxxx", is the "if" that decides whether the serial is good or bad. Do the same as in step 1: right-click and choose "Binary" => "Fill with NOPs".

Test the "Generate" button of the keygen again... a "good boy" messagebox appears.
Yes! You cracked the program; save it like in step 1.

Save to a new file... right-click and choose "Copy to executable" => "All modifications".

In the new Dump window right-click again, choose "Save file" and save as "Keygen_cracked.exe".

Enjoy your first easy crackme for Windows.
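Both steps above change the binary in the same way: a short run of bytes (the PUSH/CALL of the start messagebox, then the two-byte JNZ that decides good boy or bad boy) is overwritten with 0x90 NOPs. The flip side of that lesson, for anyone shipping or auditing a binary, is that such a patch is trivial to find by comparing the file against a known-good copy. The following Python script is an added example, not part of the original post or of the crackme: it diffs two same-sized files byte by byte, lists every modified region and flags the ones that are pure NOP fills. The two byte strings at the bottom are constructed sample data (a conditional jump followed by a call, and the same bytes with the JNZ NOPed out), not bytes from the real keygenme.

```python
# Added example (not from the original post): locate in-place patches such as
# OllyDbg's "Fill with NOPs" by diffing a binary against a known-good original.
import hashlib
import sys

NOP = 0x90  # x86 single-byte NOP


def sha256_hex(data: bytes) -> str:
    """Hash used to quickly tell whether a file still matches the known-good copy."""
    return hashlib.sha256(data).hexdigest()


def find_patched_regions(original: bytes, patched: bytes):
    """Return [(offset, original_bytes, patched_bytes)] for each contiguous run of
    differing bytes. Only in-place patches are handled, so sizes must match."""
    if len(original) != len(patched):
        raise ValueError("files differ in length; not an in-place patch")
    regions = []
    i, n = 0, len(original)
    while i < n:
        if original[i] == patched[i]:
            i += 1
            continue
        start = i
        while i < n and original[i] != patched[i]:
            i += 1
        regions.append((start, original[start:i], patched[start:i]))
    return regions


def is_nop_fill(new_bytes: bytes) -> bool:
    """True when a modified region consists solely of 0x90 bytes."""
    return len(new_bytes) > 0 and all(b == NOP for b in new_bytes)


def describe_patches(original: bytes, patched: bytes):
    """Human-readable report, one line per modified region."""
    report = []
    for off, old, new in find_patched_regions(original, patched):
        kind = "NOP fill" if is_nop_fill(new) else "other modification"
        report.append(f"offset 0x{off:x}: {old.hex()} -> {new.hex()} ({kind})")
    return report


# Constructed sample data (not the real keygenme): XOR EAX,EAX; TEST EAX,EAX;
# JNZ +5 (75 05); CALL rel32; RET. The patched copy has the JNZ replaced by NOPs,
# exactly the kind of change the "Fill with NOPs" step produces.
ORIGINAL = bytes.fromhex("33c0" "85c0" "7505" "e800000000" "c3")
PATCHED = bytes.fromhex("33c0" "85c0" "9090" "e800000000" "c3")


def main(argv):
    # With two file paths, compare real files; otherwise use the constructed sample.
    if len(argv) == 3:
        with open(argv[1], "rb") as f, open(argv[2], "rb") as g:
            orig, pat = f.read(), g.read()
    else:
        orig, pat = ORIGINAL, PATCHED
    print("original sha256:", sha256_hex(orig))
    print("patched  sha256:", sha256_hex(pat))
    for line in describe_patches(orig, pat):
        print(line)


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the constructed sample, or with `original.exe patched.exe` to compare real files. Note that the region finder splits a run wherever a patched byte happens to equal the original byte, so a NOP fill over code that already contained 0x90 may show up as two adjacent regions; for this kind of check that is fine, since either way the offsets point straight at the altered instructions.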

Posted at BinaryCell
