Another GUI-based crackme, written in Visual Studio 2017 with the Win32 API.

Objectives:

  • Without patching, register it to your name.

Link: https://crackinglessons.com/crackme-2/

Software

It is a simple program. When I opened it, it showed an "Unregistered" message box.

Detect It Easy (die)

Using the DIE tool I found the entry point.

EntryPoint = ImageBase + AddressOfEntryPoint --> 0x004013b8
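The entry-point arithmetic above is what DIE does for you: it reads AddressOfEntryPoint from the PE optional header and adds ImageBase. The script below is an added example (not part of the original post, and not the crackme's own code) that performs that calculation on a constructed, minimal PE header. It goes slightly beyond the page by handling both PE32 (0x10B) and PE32+ (0x20B) optional headers, where ImageBase has a different size and offset. The ImageBase and AddressOfEntryPoint values in the sample header are chosen to reproduce the 0x004013b8 from the write-up; they are constructed, not read from the real binary.

```python
import struct


def build_sample_pe(image_base=0x00400000, entry_rva=0x13B8, pe32plus=False):
    """Constructed minimal PE image: DOS header, PE signature, COFF header, optional header.

    Only the fields entry_point_va() reads are meaningful; everything else is padding.
    """
    e_lfanew = 0x80
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)  # e_lfanew: file offset of "PE\0\0"
    stub = bytes(e_lfanew - len(dos))            # where the DOS stub would normally sit

    opt_size = 0xF0 if pe32plus else 0xE0
    machine = 0x8664 if pe32plus else 0x014C     # AMD64 or I386
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | 32BIT_MACHINE)
    coff = struct.pack("<HHIIIHH", machine, 3, 0, 0, 0, opt_size, 0x0102)

    if pe32plus:
        # Magic, MajorLinkerVersion, MinorLinkerVersion, SizeOfCode, SizeOfInitializedData,
        # SizeOfUninitializedData, AddressOfEntryPoint, BaseOfCode, ImageBase (8 bytes)
        opt = struct.pack("<HBBIIIIIQ", 0x20B, 14, 0, 0x1000, 0x1000, 0,
                          entry_rva, 0x1000, image_base)
    else:
        # Same as above but PE32 has BaseOfData before a 4-byte ImageBase
        opt = struct.pack("<HBBIIIIIII", 0x10B, 14, 0, 0x1000, 0x1000, 0,
                          entry_rva, 0x1000, 0x2000, image_base)
    opt += bytes(opt_size - len(opt))
    return bytes(dos) + stub + b"PE\0\0" + coff + opt


def entry_point_va(data):
    """Return (ImageBase, AddressOfEntryPoint, ImageBase + AddressOfEntryPoint) for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")

    opt_off = e_lfanew + 4 + 20                  # skip signature and 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]   # AddressOfEntryPoint
    if magic == 0x10B:                           # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
    elif magic == 0x20B:                         # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", data, opt_off + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return image_base, entry_rva, image_base + entry_rva


if __name__ == "__main__":
    base, rva, va = entry_point_va(build_sample_pe())
    print("ImageBase=0x%08x AddressOfEntryPoint=0x%x EntryPoint=0x%08x" % (base, rva, va))
```

To run it against a real file, replace build_sample_pe() with open(path, "rb").read(); the offsets used are the ones documented in the PE/COFF specification, so the same function works on the crackme itself. Note that the result is the preferred load address; a relocated image (ASLR) will have a different runtime base, which is why the debugger is the final word on where execution actually starts.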

00 - entrypoint

x32dbg

Then I ran the program under x32dbg to examine the user code.

01 - run user code step by step

Then I used step over (F8) to find where the pop-up occurs. Stepping through the instructions one by one, I found that the call at 0040132F is what causes the pop-up.

02 - found function to check

So I restarted the program and stepped into the call.

03 - step into


04 - create file

As seen in the image above, it was executing the CreateFileA function, which takes 7 parameters. (For more information: https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilea)

HANDLE CreateFileA(
  [in]           LPCSTR                lpFileName,
  [in]           DWORD                 dwDesiredAccess,
  [in]           DWORD                 dwShareMode,
  [in, optional] LPSECURITY_ATTRIBUTES lpSecurityAttributes,
  [in]           DWORD                 dwCreationDisposition,
  [in]           DWORD                 dwFlagsAndAttributes,
  [in, optional] HANDLE                hTemplateFile
);

The 5th parameter, dwCreationDisposition, is the critical one for us. When it is set to 3, the call only opens a file that already exists; if the file does not exist it returns -1 (FFFFFFFF).

06 - returns error

And as seen in the code, if the return value is -1 (FFFFFFFF) the JE jump is taken.

05 - check if file exists

So what we can do is create a file named keyfile.txt, as seen in the code above, and get a different return value.
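The check described above boils down to "does CreateFileA with disposition 3 return -1 or not". The following is an added example, not code from the original post or from the crackme, that models that logic portably so it can be run anywhere: create_file() maps the five Win32 dwCreationDisposition values (CREATE_NEW=1, CREATE_ALWAYS=2, OPEN_EXISTING=3, OPEN_ALWAYS=4, TRUNCATE_EXISTING=5, the constants from fileapi.h) onto POSIX open flags, which is an assumption of the model rather than the real Win32 implementation, and is_registered() mirrors the crackme's branch: -1 means the JE is taken and the program stays unregistered. disposition_matrix() goes beyond the page by showing how every disposition behaves against an absent and a present file, which makes clear why only 3 and 5 fail on a missing file.

```python
import os
import tempfile

# Win32 dwCreationDisposition values (fileapi.h)
CREATE_NEW = 1
CREATE_ALWAYS = 2
OPEN_EXISTING = 3
OPEN_ALWAYS = 4
TRUNCATE_EXISTING = 5

# CreateFileA returns INVALID_HANDLE_VALUE on failure: -1, i.e. 0xFFFFFFFF as a 32-bit value.
INVALID_HANDLE_VALUE = -1

# Assumption: Win32 dispositions modelled with POSIX open() flags so the example runs offline.
_DISPOSITION_FLAGS = {
    CREATE_NEW:        os.O_RDWR | os.O_CREAT | os.O_EXCL,   # fail if the file already exists
    CREATE_ALWAYS:     os.O_RDWR | os.O_CREAT | os.O_TRUNC,  # create, or overwrite an existing file
    OPEN_EXISTING:     os.O_RDWR,                            # fail if the file does not exist
    OPEN_ALWAYS:       os.O_RDWR | os.O_CREAT,               # open if present, otherwise create
    TRUNCATE_EXISTING: os.O_RDWR | os.O_TRUNC,               # fail if absent, otherwise truncate
}


def create_file(path, disposition):
    """Model of CreateFileA: a descriptor on success, INVALID_HANDLE_VALUE (-1) on failure."""
    flags = _DISPOSITION_FLAGS.get(disposition)
    if flags is None:
        return INVALID_HANDLE_VALUE   # unknown disposition: the real call fails too
    try:
        return os.open(path, flags, 0o600)
    except OSError:
        return INVALID_HANDLE_VALUE


def is_registered(keyfile):
    """The crackme's check: open the key file with OPEN_EXISTING and compare against -1."""
    handle = create_file(keyfile, OPEN_EXISTING)
    if handle == INVALID_HANDLE_VALUE:
        return False          # JE taken -> "Unregistered" message box
    os.close(handle)
    return True               # fall through past the JE -> registered


def demo():
    """Run the check before and after keyfile.txt exists; returns (before, after)."""
    with tempfile.TemporaryDirectory() as d:
        keyfile = os.path.join(d, "keyfile.txt")
        before = is_registered(keyfile)                 # no file yet: CreateFileA fails
        with open(keyfile, "w") as f:
            f.write("constructed sample key file\n")    # constructed content; the check never reads it
        after = is_registered(keyfile)                  # file present: the jump is not taken
        return before, after


def disposition_matrix():
    """For each disposition: (succeeds on an absent file?, succeeds on a present file?)."""
    names = {CREATE_NEW: "CREATE_NEW", CREATE_ALWAYS: "CREATE_ALWAYS",
             OPEN_EXISTING: "OPEN_EXISTING", OPEN_ALWAYS: "OPEN_ALWAYS",
             TRUNCATE_EXISTING: "TRUNCATE_EXISTING"}
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for disp, name in names.items():
            absent = os.path.join(d, "absent_%d.txt" % disp)
            present = os.path.join(d, "present_%d.txt" % disp)
            open(present, "w").close()
            r_absent = create_file(absent, disp)
            r_present = create_file(present, disp)
            results[name] = (r_absent != INVALID_HANDLE_VALUE,
                             r_present != INVALID_HANDLE_VALUE)
            for fd in (r_absent, r_present):
                if fd != INVALID_HANDLE_VALUE:
                    os.close(fd)
    return results


if __name__ == "__main__":
    print("registered before/after creating keyfile.txt:", demo())
    for name, (absent_ok, present_ok) in disposition_matrix().items():
        print("%-18s absent=%s present=%s" % (name, absent_ok, present_ok))
```

The point for anyone writing a licence check rather than breaking one: the existence of a file is not a secret, so a check whose only input is the CreateFileA return value can be satisfied by an empty file, exactly as the write-up shows. The content of the key file (and its binding to the user name the objective asks for) is what would have to be verified.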

07 - created the file

This time, when executing, we can see that it does not jump, so the instructions after the JE are executed.

09 - passed

So we are simply registered.

10 - gg