This reverseme is written by Lena and is one of the classic reversemes used to learn reversing. Use it in conjunction with the xAnalyzer plugin for x64dbg to practice serial key fishing.

Link: https://crackinglessons.com/reverseme2-by-lena/

Software

The software only showed the message Evaluation Period is Out of Date.

00 - out of date

Detect It Easy (die)

Using DIE, I found the entry point.

EntryPoint = ImageBase + AddressOfEntryPoint --> 0x00401000

01 - dier

x32dbg

After opening x32dbg, I searched for the string and found its address.

02 - string

Before these instructions, the program was executing a CreateFile call that was set to open only existing files, and the file name was Keyfile.dat.

03 - open existing

So I created that file.

04 - created

However, this time the app showed another error: Keyfile is not valid.

05 - file is not valid

So I debugged it and found the part where it reads the file contents.

06 - suspicious

The code can be seen below:

push 0                                     | LPOVERLAPPED lpOverlapped = NULL
push reverseme2-by-lena.402173             | LPDWORD lpNumberOfBytesRead = 402173
push 46                                    | DWORD nNumberOfBytesToRead = 46
push reverseme2-by-lena.40211A             | LPVOID lpBuffer = 40211A
push eax                                   | HANDLE hFile
call <JMP.&ReadFile>                       | ReadFile
test eax,eax                               |
jne reverseme2-by-lena.4010B4              |
jmp reverseme2-by-lena.4010F7              |
xor ebx,ebx                                |
xor esi,esi                                |
cmp dword ptr ds:[402173],10               |
jl reverseme2-by-lena.4010F7               |
mov al,byte ptr ds:[ebx+40211A]            |
cmp al,0                                   |
je reverseme2-by-lena.4010D3               |
cmp al,47                                  | 47:'G'
jne reverseme2-by-lena.4010D0              |
inc esi                                    |
inc ebx                                    |
jmp reverseme2-by-lena.4010C1              |
cmp esi,8                                  |
jl reverseme2-by-lena.4010F7               |
jmp reverseme2-by-lena.401205              |

This code does the following things in sequence:

  1. It reads the file into a 46 byte buffer.
  2. cmp dword ptr ds:[402173],10 checks whether the file contains a string longer than 16 characters; if not, it jumps to the place where the wrong-key message is shown.

08 - comparison

  1. cmp al,0 checks whether the current character is empty (a null byte), and if it is, it jumps out of the loop.
  2. cmp al,47 checks whether the current character is G, and the matches are counted with the inc esi instruction.
  3. When the loop finishes (all characters have been checked), cmp esi,8 checks whether there were more than 8 G characters. If there were, we simply jump to the good ending.

09 - minimum 8G

To sum things up, I wrote pseudo code for this part:

file = "Keyfile.dat"
if file not exists:                 # CreateFile (open existing only) fails
  exit

content = read up to 0x46 bytes from file   # ReadFile, count stored at 402173
if bytes_read < 0x10:               # cmp dword ptr ds:[402173],10 / jl -> bad ending
  exit

i = 0
g = 0
while True:                         # the loop has no length bound, it ends at a null byte
  if content[i] == null:            # cmp al,0 / je 4010D3 -> leave the loop
    break
  if content[i] == 'G':             # cmp al,47 / inc esi
    g++
  i++

if g >= 8:                          # cmp esi,8 / jl -> bad ending, so 8 or more passes
  good ending
else:
  bad ending
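As an added example that is not part of the original post, the Python below replays the check from the listing and pseudo code above on arbitrary file contents and writes a passing Keyfile.dat. It takes the immediates as x32dbg prints them, in hex (0x46 bytes read, 0x10 minimum, 0x47 = 'G', 8 = minimum count), and assumes the memory after the buffer at 40211A is zero, so the unbounded loop also stops at the buffer's end.

```python
from pathlib import Path

# Constants as shown by x32dbg, which prints immediates in hex.
BUFFER_SIZE = 0x46      # push 46   -> nNumberOfBytesToRead (70 bytes)
MIN_BYTES_READ = 0x10   # cmp dword ptr ds:[402173],10 ; jl -> bad ending
TARGET_BYTE = 0x47      # cmp al,47 ; x32dbg annotates 47:'G'
MIN_G_COUNT = 8         # cmp esi,8 ; jl -> bad ending, so 8 is enough


def keyfile_is_valid(file_bytes: bytes) -> bool:
    """Replay the check on the raw contents of Keyfile.dat."""
    # ReadFile copies at most 0x46 bytes into the buffer at 40211A and
    # stores the byte count at 402173; anything past 0x46 is never read.
    buffer = file_bytes[:BUFFER_SIZE]
    if len(buffer) < MIN_BYTES_READ:
        return False
    # ebx indexes the buffer, esi counts 'G'. The loop has no length
    # bound: it only stops at a 0x00 byte (je 4010D3). Assumption: the
    # bytes after the buffer in the image are zero, so it also stops there.
    g_count = 0
    for b in buffer:
        if b == 0:
            break
        if b == TARGET_BYTE:
            g_count += 1
    return g_count >= MIN_G_COUNT


def make_keyfile(g_count: int) -> bytes:
    """Build keyfile contents with g_count 'G's, padded with filler
    bytes so the total reaches the 0x10-byte minimum."""
    content = b"G" * g_count
    filler = MIN_BYTES_READ - len(content)
    return content + b"x" * max(filler, 0)


def write_keyfile(path: str, g_count: int = 9) -> bool:
    """Write the keyfile and return the verdict the check gives it."""
    data = make_keyfile(g_count)
    Path(path).write_bytes(data)
    return keyfile_is_valid(data)


if __name__ == "__main__":
    # Placeholder path: put the file in the reverseme's own directory.
    print("valid" if write_keyfile("Keyfile.dat") else "not valid")
```

Feeding a file with a null byte in the middle, or one shorter than 16 bytes, shows why the first attempts produced "Keyfile is not valid" even when the file existed.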

So I updated Keyfile.dat to include 9 G characters.

10 - 8g

And that was it.

11 - gg
