
Download the crackme from here.

The CrackMe was created by Spider and does not look easy to solve. The task is to write a keygen and find three hidden easter eggs. As you will see, my solution is not a normal keygen, but rather a lazier and hackier way to solve the crackme.

At 0x0406486 it reads the name string from the user, calculates a dword value and writes it to loc_4066B2+1, overwriting the 0xCCCCCCCC placeholder:


After getting a serial from the user, it checks the serial's length (it must be 26 bytes) and that it contains only the characters 0 1 2 3 4 5 6 7 8 9 A B C D E F. After that it converts the serial into hexadecimal form; for example, 123456789ABCDEFABCDE123456 becomes 0x12 0x34 0x56 0x78 0x9A 0xBC 0xDE 0xFA 0xBC 0xDE 0x12 0x34 0x56:

At 0x0406557 it calls the checkOpcode function, which is basically a huge switch statement; its arguments are the hex version of the serial and the start_of_some_DISASM_struct structure.

I spent most of the time analyzing/guessing what this huge function is; it modifies the start_of_some_DISASM_struct structure based on values from the serial.

I found that inside the sub_406622 function the serial is interpreted as code and called, so I guessed that checkOpcode is some kind of assembly instruction parser / disassembler: it reads opcodes, modifies the start_of_some_DISASM_struct structure and returns a value via the eax register.

For example, the mov eax, 0x12345678 instruction in hex form is B878563412; for the B8 opcode the function adds 5 to the serial pointer to move to the next instruction:

After that it checks if an opcode is allowed:

The following opcodes are allowed in our serial:

It checks whether the number of operands is greater than zero and whether an operand is ebp or esp (there is also a check for the lea instruction, etc.); if so, it goes to the bad_boy message.

After that it calls the masterMind_mainCheck_406622 function, which is where the serial checks happen:

The 0xCCCCCCCC placeholder is overwritten by the value derived from the name:

masterMind_mainCheck_406622 is where the checks happen, and at first glance it does not look easy. It calls the user-controlled serial as a function, so I tried to hijack execution and jump into the good_boy message, but that was not easy either, because many useful instructions like push, pop, mov ebp, ..., mov [esp], ... etc. are not allowed, and the length must be 13 bytes or less.

But we can still find useful instructions. I changed the return address ([esp]) to point to the good_boy message and ebp to a valid window handle:

Now we have the universal key: 8B442408958B0424047E870424, and a "keygen" if you wish :)
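To make the serial format and the instruction walk concrete, here is an added Python example. It is my own teaching model, not the crackme's checkOpcode and not the author's code, and all function names in it (serial_to_bytes, decode_one, disassemble_serial, registers_referenced) are mine. It validates a serial exactly as described above (26 characters from 0-9A-F packed into 13 bytes) and then steps through it with a minimal 32-bit x86 decoder that covers only the opcodes appearing in this write-up (B8+r, 8B, 87, 91-97, 04), reporting each instruction's length and the registers its operands name. The real allow-list and the ebp/esp policy are only shown in the screenshots, so they are deliberately not reproduced; the example just shows what an instruction-by-instruction walk of the universal key looks like.

```python
import re
from collections import namedtuple

# Added teaching model, not the crackme's checkOpcode: only the opcodes that appear
# in this write-up are modelled, and no allow-list or ebp/esp policy is enforced.

SERIAL_RE = re.compile(r"[0-9A-F]{26}")   # length 26, digits 0-9A-F only
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
Insn = namedtuple("Insn", "offset length text regs")   # regs: registers named by operands


def serial_to_bytes(serial: str) -> bytes:
    """The format rule from the write-up: 26 hex characters packed into 13 bytes."""
    if not SERIAL_RE.fullmatch(serial):
        raise ValueError("serial must be exactly 26 characters from 0-9A-F")
    return bytes.fromhex(serial)


def _need(code: bytes, pos: int, n: int) -> None:
    if pos + n > len(code):
        raise ValueError("instruction at offset %d runs past the end of the serial" % pos)


def _decode_modrm(code: bytes, pos: int):
    """Decode a 32-bit ModRM (+ optional SIB and displacement) at pos.
    Returns (reg-field name, r/m operand text, registers in r/m, bytes consumed)."""
    _need(code, pos, 1)
    mod, reg, rm = code[pos] >> 6, (code[pos] >> 3) & 7, code[pos] & 7
    if mod == 3:                                  # register-direct r/m
        return REG32[reg], REG32[rm], {REG32[rm]}, 1
    used, parts, disp_size = 1, [], {0: 0, 1: 1, 2: 4}[mod]
    if rm == 4:                                   # SIB byte follows
        _need(code, pos + 1, 1)
        sib, used = code[pos + 1], 2
        scale, index, base = sib >> 6, (sib >> 3) & 7, sib & 7
        if mod == 0 and base == 5:                # no base register, disp32 instead
            disp_size = 4
        else:
            parts.append(REG32[base])
        if index != 4:                            # index field 100b means "no index"
            parts.append("%s*%d" % (REG32[index], 1 << scale))
    elif mod == 0 and rm == 5:                    # absolute disp32, no register
        disp_size = 4
    else:
        parts.append(REG32[rm])
    _need(code, pos + used, disp_size)
    disp = int.from_bytes(code[pos + used:pos + used + disp_size], "little", signed=True)
    used += disp_size
    mem = "+".join(parts)
    if disp < 0:
        mem += "-0x%x" % -disp
    elif disp or not mem:
        mem += ("+" if mem else "") + "0x%x" % disp
    regs = {p.split("*")[0] for p in parts}
    return REG32[reg], "[" + mem + "]", regs, used


def decode_one(code: bytes, pos: int) -> Insn:
    """Decode one instruction; its length is what lets checkOpcode step to the next one."""
    op = code[pos]
    if 0xB8 <= op <= 0xBF:                        # mov r32, imm32 (the B8 case above)
        _need(code, pos, 5)
        r, imm = REG32[op - 0xB8], int.from_bytes(code[pos + 1:pos + 5], "little")
        return Insn(pos, 5, "mov %s, 0x%x" % (r, imm), frozenset({r}))
    if 0x91 <= op <= 0x97:                        # xchg eax, r32
        r = REG32[op - 0x90]
        return Insn(pos, 1, "xchg eax, %s" % r, frozenset({"eax", r}))
    if op == 0x04:                                # add al, imm8
        _need(code, pos, 2)
        return Insn(pos, 2, "add al, 0x%x" % code[pos + 1], frozenset({"eax"}))
    if op in (0x8B, 0x87):                        # mov r32, r/m32  /  xchg r/m32, r32
        reg, rm, regs, n = _decode_modrm(code, pos + 1)
        text = "mov %s, %s" % (reg, rm) if op == 0x8B else "xchg %s, %s" % (rm, reg)
        return Insn(pos, 1 + n, text, frozenset(regs | {reg}))
    raise ValueError("opcode 0x%02x at offset %d is not modelled here" % (op, pos))


def disassemble_serial(serial: str) -> list:
    """Validate the serial, then walk it instruction by instruction as checkOpcode does."""
    code, insns, pos = serial_to_bytes(serial), [], 0
    while pos < len(code):
        insns.append(decode_one(code, pos))
        pos += insns[-1].length
    return insns


def registers_referenced(insns) -> set:
    """Every register the serial names; the crackme's ebp/esp check looks at these."""
    return set().union(*[i.regs for i in insns])


if __name__ == "__main__":
    for insn in disassemble_serial("8B442408958B0424047E870424"):   # the universal key
        print("%2d  %-20s %s" % (insn.offset, insn.text, sorted(insn.regs)))
```

Running it on the universal key lists five instructions (4+1+3+2+3 = 13 bytes): mov eax, [esp+0x8], xchg eax, ebp, mov eax, [esp], add al, 0x7e and xchg [esp], eax, which is exactly the ebp-from-argument and return-address-patch sequence described above, built from xchg instead of the forbidden mov forms. Any serial that is not 26 upper-case hex digits, or that runs an instruction past byte 13, is rejected with a ValueError.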

EASTER EGG #1

If the user presses any key while the main window is focused, execution jumps to 0x04060AD.

We control the 0x12345678 value: if we press a and then b, it becomes 0x56784142 (a == 0x41, b == 0x42).

To reach the 0x04060DE block we need to solve a simple equation:

We need to type HOLE while focused on the main window:

EASTER EGG #2

The second easter egg is inside the about window's dialog box procedure.

If we right-click twice in the about window area, the cursor is confined to the about window (to release the cursor, right-click twice again).

EASTER EGG #3

If the name is einstein, the cursor shape changes to an image of Einstein.

Thank you for your time.

Any feedback would be greatly appreciated.


Twitter: @_qaz_qaz