Tutorial for Abex's 5th crackme

By HaQue 25 March 2001



Information

  • you will need W32Dasm v8.93
  • Notepad to edit the ASM source code.
  • TASM v5.0r to compile the keygen.
  • win32.hlp if you want to look up the windows API functions
  • softice v4.05 to trace it for practice (not really necessary in this crackme)
  • cheat by looking at the Serial!


The protection system

Hello again, Ready for another session? YES? Good! We are going to get straight to work!
This crackme uses a different method of generating a valid serial number from the usual name/serial combination. The serial is machine dependent, meaning that it will only work on the computer it was made on. It uses the Windows API GetVolumeInformationA() to get the disk name (drive label), manipulates it a little bit, and adds a string to the start and a string to the end. Assuming that most disk names are different, this gives different serial numbers on different machines. This type of protection is fairly common, but most that I have seen read the ProductID number from the registry for the validation instead. I won't go through the preliminary steps to cracking this one, such as running the crackme and entering dodgy serials to see what the message is (if any) when the number is wrong; this should be done with all programs, so it would get quite boring!

The dead listing from W32dasm shows the process quite well, and also makes it easy to trace in softice once we are familiar with what we are looking at, mainly due to the small number of lines used by the protection.

Here is the dead listing from W32Dasm of the relevant part of the program. I edited it for readability, taking out the hex opcodes, putting the actual strings in place of the pushed addresses, and putting the function names in place of the memory addresses of the calls.



:0040107D	push 00000000			; nFileSystemNameSize - not needed, so 0
:0040107F	push 00000000			; lpFileSystemNameBuffer - not needed, so NULL
:00401081	push 004020C8			; lpFileSystemFlags - output buffer, not used later in the check
:00401086	push 00402190			; lpMaximumComponentLength - output buffer, not used later in the check
:0040108B	push 00402194			; lpVolumeSerialNumber - output buffer, not used later in the check
:00401090	push 00000032			; nVolumeNameSize = 50 bytes
:00401092	push 0040225C			; lpVolumeNameBuffer - the volume label is written here
:00401097	push 00000000			; lpRootPathName = NULL, i.e. the current drive
:00401099	Call GetVolumeInformationA	; The windows API function (stdcall, so the last parameter is pushed first)

:0040109E	push "4562-ABEX"		; Second parameter to lstrcatA
:004010A3	push 0040225C			; First parameter to lstrcatA (the volume label)
:004010A8	Call lstrcatA			; lstrcatA(FirstString, SecondString) joins 2 strings;
					; the result gets written to the FirstString location

:004010AD	mov dl, 02				; dl is the loop counter, initialised to 2
:004010AF	add dword ptr [0040225C], 00000001	; incr the 1st letter of the vol label
:004010B6	add dword ptr [0040225D], 00000001	; incr the 2nd letter of the vol label
:004010BD	add dword ptr [0040225E], 00000001	; incr the 3rd letter of the vol label
:004010C4	add dword ptr [0040225F], 00000001	; incr the 4th letter of the vol label
:004010CB	dec dl				; decrease the loop counter
:004010CD	jne 004010AF			; loop again while dl is not zero (ZF clear), so the 4 adds run twice

:004010CF	push "L2C-5781"			; Second parameter to lstrcatA
:004010D4	push 00402000			; First parameter to lstrcatA
:004010D9	Call lstrcatA			; append "L2C-5781" to the buffer at 00402000 (empty at this point)

:004010DE	push 0040225C			; Second parameter to lstrcatA (the modified label + "4562-ABEX")
:004010E3	push 00402000			; First parameter to lstrcatA
:004010E8	Call lstrcatA			; add the strings and put the result in 00402000

:004010ED	push 00402324			; Second parameter to lstrcmpiA (the serial the user entered)
:004010F2	push 00402000			; First parameter to lstrcmpiA (the correct serial)
:004010F7	Call lstrcmpiA			; compare the strings, case-insensitively

:004010FC	cmp eax, 00000000		; lstrcmpiA returns 0 if the strings match:
:004010FF	je 00401117			; jump to the "good" code, else:

:00401101	push 00000000					; uType = 0 (MB_OK)
:00401103	push "Error!"					; The titlebar text
:00401108	push "The serial you entered is not correct!"	; The text
:0040110D	push [ebp+08]					; hWnd, the owner window
:00401110	Call MessageBoxA				; The windows API to draw it



It is pretty clear what happens here, so I will now put it in pseudocode form to get ready for the keygenerator:
  • START
  • Get the volume label
  • Add it to the front of the string "4562-ABEX".
  • Increment the first letter.
  • Increment the second letter.
  • Increment the third letter.
  • Increment the fourth letter.
  • Increment the first letter again.
  • Increment the second letter again.
  • Increment the Third letter again.
  • Increment the Fourth letter again.
  • Add the string "L2C-5781" to the front of the above string.
  • Print out result.
  • END
We could code it in whatever we want, but I chose to use win32 assembly this time. Get the source code for the keygen here! Compile it with TASM 5.
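The same keygen in Python, as an added example (this is not the TASM source the tutorial links to). It emulates the four dword adds from the listing exactly, takes the volume label as a parameter instead of calling GetVolumeInformationA, and uses the label "HDD" from the tutorial as a constructed sample; the latin-1 encoding stands in for the system ANSI code page, which is an assumption.

```python
# Keygen for Abex's 5th crackme, re-implemented from the dead listing above.
# Added example, not the tutorial's own TASM keygen.

SUFFIX = b"4562-ABEX"     # appended to the label by the first lstrcatA
PREFIX = b"L2C-5781"      # placed in front by the second lstrcatA
VOLUME_BUF_SIZE = 0x32    # nVolumeNameSize pushed before GetVolumeInformationA


def add_dword(buf: bytearray, offset: int, value: int = 1) -> None:
    """Emulate 'add dword ptr [buf+offset], value' on a little-endian buffer.

    For printable labels this is simply +1 on the byte at 'offset'; the dword
    form only differs if a byte wraps past 0xFF and carries into the next one.
    """
    word = int.from_bytes(buf[offset:offset + 4], "little")
    word = (word + value) & 0xFFFFFFFF
    buf[offset:offset + 4] = word.to_bytes(4, "little")


def keygen(volume_label: str) -> str:
    """Return the serial the crackme expects for the given volume label."""
    # GetVolumeInformationA writes at most nVolumeNameSize-1 chars plus a NUL.
    # latin-1 is used as a 1:1 byte mapping (assumption: ANSI code page = ASCII range).
    label = volume_label.encode("latin-1")[:VOLUME_BUF_SIZE - 1]
    buf = bytearray(label + SUFFIX)           # lstrcatA(buf, "4562-ABEX")
    for _ in range(2):                        # mov dl, 02 ... dec dl / jne
        for offset in range(4):               # add dword ptr [0040225C..5F], 1
            add_dword(buf, offset)
    # A label shorter than 4 characters means the increments spill over into
    # the "4562" part of the suffix, exactly as the crackme does it.
    return (PREFIX + buf).decode("latin-1")   # lstrcatA("L2C-5781", buf)


def check_serial(volume_label: str, candidate: str) -> bool:
    """Mirror the crackme's check: lstrcmpiA is case-insensitive, so a
    lower-case version of the serial is accepted too."""
    return candidate.casefold() == keygen(volume_label).casefold()


if __name__ == "__main__":
    print(keygen("HDD"))  # → L2C-5781JFF6562-ABEX, the serial from the tutorial
```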


The Patch!

This is an easy patch! Just go to 000006FFh in Hiew and change the "74" (the je opcode) to "EB" (the jmp opcode), and any serial will be correct!


Serial

The serial number for this crackme depends on the computer's volume label. For my computer the volume label is "HDD" and the serial is

"L2C-5781JFF6562-ABEX"