Underground InformatioN Center [&articles] 
[network & security news] [RSS & Twitter] [articles, programing info] [books] [links, soft & more...] [soft archive][home]

Solution for Cronos Crackme 1

I hope you understand my terrible english ;-)

Tools...
Cronos Crackme 1, which can be found here
SoftICE
Pen&Paper
good brain :)

The first protection
>>The first protection is a name/serial number passed as two arguments to
>>the program on the command line.

Ok. Enter on command line 'cronos1.exe corbio 123456789012'.
bpx GetCommandLineA
Hit "Enter".
Si will pop. You in the SI now.
Start tracing with F10 until you get:

           CALL [ESP+18]
F8
Now we are inside cronos1!:

           PUSH   EBP
           MOV    EBP,ESP
           PUSH   EBX 
           PUSH   ESI
           PUSH   EDI
CALL   0041074    ;Important! Its redirection call. F8
Trace down until you get:
0041012C:  CALL   004100E7  ; STRLEN
           POP    ECX    
           CMP    EAX,06    
           JL     00410176 ; IF length_of_the_name < 6
                           ; THEN GO_OUT! 
           PUSH   EDI
           CALL   004100E7
           POP    ECX
           CMP    EAX,0C   ; IF LENGTH_OF_THE_SERIAL < 12
                           ; THEN GO_OUT!
           JL     00410176
           XOR    ECX,ECX
           MOV    EDX,EDI
           MOV    EAX,ESI
00410149:  MOVSX  ESI,BYTE PTR [EAX]
           MOVSX  EDI,BYTE PTR [EAX]
           IMUL   ESI,EDI
           MOVSX  EDI,BYTE PTR [EDX]
           ADD    ESI,EDI
           MOVSX  EDI,BYTE PTR [EDX+6]
           ADD    EDI,-60
           IMUL   EDI,EDI,1A
           ADD    ESI,EDI
           ADD    ESI,-60
           OR     EBX,ESI
           INC    ECX
           INC    EDX
           INC    EAX
           CMP    ECX,06
           JL     00410149       
here:      CMP    EBX,01   ;for correct name/serial EBX=0.
                           ;Can you code the KeyGen now?
                           ;I can :))
           SBB    EBX, EBX
           NEG    EBX
The second protection
>>I will let you deduce the second protection from there.

Ok. Lets start our deduce ;)
Start from 'here:' label. Trace down until you see:

004101F3:  MOV    [EDX],CL  ;store 
           INC    EDI         
           INC    EDX
           INC    EAX
           MOV    CL,[EAX]
d eax
Some strings. Do you know what it is? It's environment block.
(see GetEnvironventStrings in Win32 SDK Reference Help)
           TEST   CL,CL
           JZ     00410203
           CMP    EDI,06
           JZ     004101F3
..........

0041020F:  MOV    EAX,[EBP-0C] ; for correct: EAX=41455244 'DREA'
           MOV    EDX,[EBP-08] ; for correct: EDX=0000534D 'MS'
                               ; DREAMS ;)
           IMUL   ECX,EAX,00DA7949
           MOV    EAX,ECX
           IMUL   ECX,EDX,2262AD4D
           MOV    EDX,ECX
           CMP    EAX,6E8E9964
           JNZ    00410270
           CMP    EDX, 55DE1729
           JNZ    00410270
           PUSH   ESI
           CALL   004100E7 ;STRLEN
           POP    ECX
           CMP    EAX,0C   ; if length_environment_string < 12
                           ; then go_out!
           ..............
           ..............
And some checks for our environment string:
At the end of checks we understand - our string should be DREAMS\DARES
Lets do it.
On command line: 'set DDREAMS\DARES=CORBIO[GC]' ;)
If you know correct name/serial - start the program:
"Cronos Says - Registered" :)

Yes! I do it. hehe
Thats all.
If you want the keygen for this crackme, go to www.genocidecrew.cjb.net

Greets to...
Genocide Crew members
Acid Bytes and all my german friends(you know who you are)
mamaich, devull
all crackers in the world ;)

Corbio
corbio@uinc.ru
uinC Member
Genocide Crew Member
[c]uinC

Все документы и программы на этом сайте собраны ТОЛЬКО для образовательных целей, мы не отвечаем ни за какие последствия, которые имели место как следствие использования этих материалов\программ. Вы используете все вышеперечисленное на свой страх и риск.

Любые материалы с этого сайта не могут быть скопированы без разрешения автора или администрации.


[network & security news] [RSS & Twitter] [articles, programing info] [books] [links, soft & more...] [soft archive][home]
 Underground InformatioN Center [&articles] 
2000-2015 © uinC Team