A GUI-based crackme written in Visual Studio 2017 using the Win32 API.

Objectives:

  • Find the serial key and enter it in the textbox
  • Patch the file so that it always shows the Congrats message when the Check button is clicked

Link: https://crackinglessons.com/crackme1/

Software

At first I opened the software and analyzed it. It is a simple app that shows a message box when a wrong serial number is entered.

[Image: 00 - 0 serial key]

Detect It Easy

Then I analyzed it with DIE to find the entry point.

EntryPoint = ImageBase + AddressOfEntryPoint --> 0x004013bf

[Image: 00 - die]
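The same computation in code, as an added example rather than anything from the write-up: a small PE32 header reader that pulls e_lfanew, AddressOfEntryPoint and ImageBase out of a header buffer and returns ImageBase + AddressOfEntryPoint, refusing buffers that are not a well-formed PE32 image. The header it parses is a constructed minimal one carrying the two values DIE reported (0x13bf and 0x00400000); it is not the crackme's real bytes, and the function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian readers/writers over a raw byte buffer. */
static uint16_t rd16(const uint8_t *b, size_t off) {
    return (uint16_t)(b[off] | (b[off + 1] << 8));
}
static uint32_t rd32(const uint8_t *b, size_t off) {
    return (uint32_t)b[off] | ((uint32_t)b[off + 1] << 8) |
           ((uint32_t)b[off + 2] << 16) | ((uint32_t)b[off + 3] << 24);
}
static void wr16(uint8_t *b, size_t off, uint16_t v) {
    b[off] = (uint8_t)v; b[off + 1] = (uint8_t)(v >> 8);
}
static void wr32(uint8_t *b, size_t off, uint32_t v) {
    b[off] = (uint8_t)v;           b[off + 1] = (uint8_t)(v >> 8);
    b[off + 2] = (uint8_t)(v >> 16); b[off + 3] = (uint8_t)(v >> 24);
}

/* Offsets from the PE file format specification. */
#define E_LFANEW_OFF      0x3c  /* IMAGE_DOS_HEADER.e_lfanew */
#define PE_SIG_LEN        4     /* "PE\0\0" */
#define COFF_HDR_LEN      20    /* IMAGE_FILE_HEADER */
#define OPT_AOEP_OFF      16    /* IMAGE_OPTIONAL_HEADER32.AddressOfEntryPoint */
#define OPT_IMAGEBASE_OFF 28    /* IMAGE_OPTIONAL_HEADER32.ImageBase */
#define PE32_MAGIC        0x10b

/* Returns ImageBase + AddressOfEntryPoint for the PE32 image in img,
 * or 0 when the buffer does not hold a well-formed PE32 header. */
uint32_t pe32_entry_point(const uint8_t *img, size_t len) {
    if (len < E_LFANEW_OFF + 4 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t e_lfanew = rd32(img, E_LFANEW_OFF);
    size_t need = PE_SIG_LEN + COFF_HDR_LEN + OPT_IMAGEBASE_OFF + 4;
    if (e_lfanew > len || len - e_lfanew < need) return 0;  /* header truncated */
    if (memcmp(img + e_lfanew, "PE\0\0", PE_SIG_LEN) != 0) return 0;
    size_t opt = e_lfanew + PE_SIG_LEN + COFF_HDR_LEN;      /* optional header */
    if (rd16(img, opt) != PE32_MAGIC) return 0;  /* PE32+ has a 64-bit ImageBase */
    return rd32(img, opt + OPT_IMAGEBASE_OFF) + rd32(img, opt + OPT_AOEP_OFF);
}

/* Constructed minimal header image (not the crackme's real bytes): an MZ stub
 * whose e_lfanew points at 0x40, then the PE signature, an i386 COFF header,
 * and a PE32 optional header with AddressOfEntryPoint = 0x13bf and
 * ImageBase = 0x00400000, the values DIE reported in the write-up. */
#define SAMPLE_LEN (0x40 + PE_SIG_LEN + COFF_HDR_LEN + 0xe0)
static uint8_t g_sample[SAMPLE_LEN];

static const uint8_t *build_sample(void) {
    memset(g_sample, 0, sizeof g_sample);
    g_sample[0] = 'M'; g_sample[1] = 'Z';
    wr32(g_sample, E_LFANEW_OFF, 0x40);
    memcpy(g_sample + 0x40, "PE\0\0", PE_SIG_LEN);
    size_t coff = 0x40 + PE_SIG_LEN;
    wr16(g_sample, coff, 0x014c);       /* Machine = IMAGE_FILE_MACHINE_I386 */
    wr16(g_sample, coff + 16, 0xe0);    /* SizeOfOptionalHeader for PE32 */
    size_t opt = coff + COFF_HDR_LEN;
    wr16(g_sample, opt, PE32_MAGIC);
    wr32(g_sample, opt + OPT_AOEP_OFF, 0x13bf);
    wr32(g_sample, opt + OPT_IMAGEBASE_OFF, 0x00400000);
    return g_sample;
}

/* Entry point of the constructed sample: 0x00400000 + 0x13bf = 0x004013bf. */
uint32_t sample_entry_point(void) {
    return pe32_entry_point(build_sample(), SAMPLE_LEN);
}

int main(void) {
    printf("EntryPoint = 0x%08x\n", sample_entry_point());
    return 0;
}
```

The length checks matter in practice: a file that is truncated or deliberately malformed in its headers is exactly the kind of input a triage script meets, and reading past the buffer is how such a script itself becomes the crash.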

x32dbg

Then I opened it in x32dbg and pressed F9 to run the program until it reached user code.

[Image: 01 - 0 click run]

[Image: 01 - xdbg32 open]

Then I searched for the "Wrong" string to find where the message box pops up.

[Image: 02 - search]

[Image: 03 - wrong serial]

Then I clicked the address to jump to it and check the assembly code.

[Image: 04 - wrong]

1st way (Reading Serial Key)

Because this is a local app, the check must compare a serial key with the value the user entered. To find it we can look at the GetDlgItemTextA function from the Win32 API, which retrieves the text the user typed into the textbox.

Then I set a breakpoint by double clicking it.

[Image: 07 - stop]

Then I stepped over (F8) one instruction at a time to find where the comparison occurs. As seen in the image below, before the cmp instruction there is a string stored in the ECX register, and that string is the correct serial key.

[Image: 08 - comparing]

We can simply enter it and GG.

[Image: 06 - gg]
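Why the first way works, as an added illustration that is not the crackme's source: a plaintext comparison has to load the expected key into a register before the cmp, so whoever breaks on GetDlgItemTextA and steps forward reads it straight off the register, whereas comparing a stored hash of the key leaves only a digest next to the cmp. The serial "AB12", the FNV-1a hash and both check_serial_* functions are this example's own assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample serial used by both variants; not the crackme's real key. */
#define SAMPLE_SERIAL "AB12"

/* Vulnerable style (what the write-up observes): the key is a plaintext
 * literal compared byte for byte, so it lives in .rdata and is loaded into a
 * register (ECX in the write-up) right before the cmp. Stepping to that
 * instruction in a debugger reveals it. */
bool check_serial_plain(const char *entered) {
    const char *expected = SAMPLE_SERIAL;   /* the value a debugger can read */
    return strcmp(entered, expected) == 0;
}

/* FNV-1a 32-bit, a small non-cryptographic hash chosen only to keep the
 * example self-contained; a real product would use a cryptographic hash. */
uint32_t fnv1a32(const char *s) {
    uint32_t h = 0x811c9dc5u;
    for (; *s; s++) {
        h ^= (uint8_t)*s;
        h *= 0x01000193u;
    }
    return h;
}

/* Hardened against the "1st way" only: the binary embeds fnv1a32(SAMPLE_SERIAL),
 * so the value sitting beside the cmp is a 32-bit digest, not the serial.
 * The conditional branch after the compare is still there, so the patching
 * approaches in the 2nd and 3rd ways are unaffected. */
#define SAMPLE_SERIAL_HASH 0xECF3DDA9u   /* fnv1a32("AB12"), precomputed */

bool check_serial_hashed(const char *entered) {
    return fnv1a32(entered) == SAMPLE_SERIAL_HASH;
}

int main(void) {
    const char *tries[] = { SAMPLE_SERIAL, "AB13", "" };
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("\"%s\": plain=%d hashed=%d\n", tries[i],
               check_serial_plain(tries[i]), check_serial_hashed(tries[i]));
    return 0;
}
```

Hashing changes what a debugger can read, not what it can change: with the digest in place the serial no longer appears in ECX, but the jne after the compare is the same single point of failure that the next two sections patch, which is why a serial check by itself is never the protection boundary.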

2nd way (Patching to Bypass Serial Key via JMP)

Another way is to bypass the checks and go directly to the message box. To do this we first need to understand how MessageBox works.

int MessageBox(
  [in, optional] HWND    hWnd,      // owner window (0 = no owner window)
  [in, optional] LPCTSTR lpText,    // message text
  [in, optional] LPCTSTR lpCaption, // title bar caption
  [in]           UINT    uType      // buttons and icon flags
);

As seen in the prototype above, MessageBox takes 4 parameters.

[Image]

As seen in this image, the program pushes the parameters onto the stack in reverse order (last parameter first, as the stdcall convention requires) and then calls MessageBox.

So we need to find where it compares and performs the jump. As seen in the image below, after the comparison it jumps directly to the "wrong answer" path.

[Image]

So to bypass this, we can replace the jne instruction with nop and replace the return instructions with a jmp to the MessageBox call.

We also have to make sure that the pushes are still in the correct order.

[Image: 09 - patch way]

Then simply patch and save.

[Image: 10 - patching]

[Image: 11 - patched]

And that’s it.

[Image: 12 - gg]

3rd way (Bypassing Serial Key via XOR)

We could also use an XOR operation: overwriting the jne with xor eax, eax writes 0 to the EAX register, so the check passes and the message box is shown.

[Image]
