Before you start, there are some things you might want to know for this and all tutorials....
Vista randomizes where modules load (ASLR), so addresses you see in a debugger can change from run to run and live reversing on it is harder (this does not affect the file offsets used for patching below, which are fixed inside the .exe). If you have a different locale (non-English) there may be a few minor differences. Try not to follow step by step and word for word; try to get ideas from this tutorial about how to look at a crackme instead of just following this one method for all of them. After all, when it comes to reversing, it's up to you to decide how you want to defeat it. If it works then it's good (but that doesn't mean all solutions are as efficient as others).
Tools:
1. IDA Pro 5.2 (OllyDbg is a native x86 debugger and does not understand .NET IL)
2. Hex editor (I use UltraEdit)
3. brain
Method:
OK, this crackme is level 1 so it is really easy. Many will tell you to just get Reflector, which is a good .NET decompiler and makes your job easy, I think TOO easy, and we want to learn a little bit :)
So open IDA and load the CrackMe - Level 1.exe
It might ask you what type to use; just stick with .NET assembly. Then it might load up in graph view; right-click outside one of the boxes and select text view.
Now you are ready to RCE....but wait. What does the program even do?
Remember that when RCE'ing you always want to at least get a little knowledge of your target. So start the program outside IDA.
Now when testing serial checks, you want to get a feel for how the serial is checked. In this program, try with no username, try with a username and no serial, try with something in both. You will notice there are 2 different messages, so we know there are at least 2 different checks inside.
Different programs will do this all differently so just remember to play with your target before looking inside it ;)
Now back to IDA. The question I hear most often is "where do I start?" The answer is, it's up to you. No one can tell you where to start when you have your own target; otherwise you will be following in their footsteps the rest of your life, never doing your own work.
For the sake of this tutorial, we will go to the Functions tab first. Now scroll down and look at some of the function names....any of them look interesting? Maybe CreateSerial? Double-click it in the Functions window and you will be brought to the function in the IDA View-A window.
Now it looks like a bunch of gibberish, and unless you understand the algorithm, it is :) So scroll up (if you remember from the Functions window, the function above it is Button1_Click. What is the first button on the window? Check Serial.)
Now you will see some text there: "Wrong Serial Number :(", "Will Done :)" and "Wrong Input :(".
The first pieces are a couple of "callvirt class" calls (these read the textbox contents), which we won't worry about just yet, but below that you see the call to int32 CompareString,
and next to each one is the empty string "". So what is it comparing the text to? Nothing :) the empty string.
If the text is not empty, i.e. the comparison result is "false", you see it jumps below (follow the arrow). Here it gets some text and compares again, but instead of comparing against the empty string "" it first gets the text from TextBox2, then TextBox1. Before it compares, it calls "CreateSerial", and just before that it gets the text from TextBox1, which in this case is the username. So it runs CreateSerial on the username and compares the result to what you entered in TextBox2 (the serial). If they are not equal, i.e. the result is "false", you see it jumps below from the arrow: that's the "brfalse.s loc_155C" (loc_155C is just the label IDA auto-generates for the target address).
Now, if you have programmed before, you can guess that this is an IF / ELSE IF chain, and a false result means continue to the next check. So we don't want to simply remove the branch: the comparison result would be left sitting on the evaluation stack, it is no longer an IF statement and the program breaks, and a clumsy patch here could also stop the REAL serials from working.
So what we have to do is make it jmp (jump) to the "Will Done :)" below it no matter what. How to do this?
Click on the brfalse.s text, and at the bottom of the IDA window you will see 00001E24 listed; that is the offset of this instruction in the .exe file on your hard drive, so note it for patching later.
Now click on Hex View-A and see what bytes represent this jump-if-false: it's 2C 26. Well, what does this mean?
We don't know yet, so go back to IDA View-A. Below, after the "Will Done :)" message, there is a br.s loc_156F, whereas above it was brfalse.s loc_XXXX.
So we can guess that br.s is simply .NET's way of saying jmp no matter what. Click on the br.s and go back to Hex View-A: it's 2B 13 :S What does this mean?
In .NET IL, 2C is brfalse.s (jump if the value on the stack is false/zero) and 2B is br.s (jump always). The second byte, 26 or 13, is the jump distance: a signed 8-bit offset counted from the byte right after the 2-byte instruction (so negative values jump backwards).
Check it against the br.s: its offset is 1E4A, right? The instruction is 2 bytes, so the next instruction starts at 1E4C, and 1E4C + 13 (in hex) = 1E5F, which is exactly where IDA's arrow points. Now we know how to change where a jump goes: if we changed this 13 to 00 the br.s would jump zero bytes, i.e. fall through to the "Wrong Serial Number :(" right below it. But we don't want that; we want the brfalse.s to go to the good message.
So remember what the offset was? 1E24. Open the .exe in UltraEdit (or your favorite hex editor) and go to that offset. Check that the two bytes there really are 2C 26 before touching anything; if they aren't, you are at the wrong offset or have a different build.
Then change the 2C 26 to 2C 00. With an offset of 0 the brfalse.s "jumps" to the very next instruction whether the comparison came out true or false, and the next instruction is the start of the "Will Done :)" path, so the wrong-serial branch is never taken.
Now save it to a new file, as I have, and run a test serial in it, any serial.
:) cracked.
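Here is an added worked example (my own script, not mazuki's code and not anything from the CrackMe) that automates the two things done by hand above: decoding a short IL branch and computing its target (the operand is a signed offset from the byte after the 2-byte instruction), and patching the operand at a file offset only after checking that the expected bytes are really there. The byte image it works on is constructed for the example; only the two file offsets and opcode bytes quoted above (1E24: 2C 26 and 1E4A: 2B 13) come from the tutorial, everything else in the buffer is filler.

```python
# Added worked example; not part of the tutorial or the CrackMe.
# The image built by build_constructed_image() is CONSTRUCTED: only the two
# offsets and opcode bytes quoted on the page are real, the rest is zero filler.
import struct
from pathlib import Path

# Short-form CIL branches: one-byte opcode followed by an int8 operand.
SHORT_BRANCHES = {0x2B: "br.s", 0x2C: "brfalse.s", 0x2D: "brtrue.s"}


def decode_short_branch(data: bytes, offset: int):
    """Return (mnemonic, target_file_offset) for the short branch at `offset`.

    The operand is a SIGNED 8-bit offset measured from the byte after the
    instruction, so target = offset + 2 + operand (negative = backward jump).
    """
    if offset + 2 > len(data):
        raise ValueError(f"offset {offset:#x} is past the end of the data")
    opcode = data[offset]
    if opcode not in SHORT_BRANCHES:
        raise ValueError(f"no short branch at {offset:#x}: opcode {opcode:#04x}")
    (rel,) = struct.unpack_from("<b", data, offset + 1)
    return SHORT_BRANCHES[opcode], offset + 2 + rel


def apply_patch(data: bytes, offset: int, expected: bytes, replacement: bytes) -> bytes:
    """Return a copy of `data` with `replacement` written at `offset`.

    Refuses unless the bytes currently at `offset` are exactly `expected`, so a
    wrong offset (other build, other locale) is caught instead of corrupting
    the file. The patch must keep the code the same length.
    """
    if len(expected) != len(replacement):
        raise ValueError("patch must not change the length of the code")
    found = data[offset:offset + len(expected)]
    if found != expected:
        raise ValueError(f"expected {expected.hex()} at {offset:#x} but found {found.hex()}")
    out = bytearray(data)
    out[offset:offset + len(replacement)] = replacement
    return bytes(out)


def patch_file(src: str, dst: str, offset: int, expected: bytes, replacement: bytes) -> None:
    """Write the patched copy of `src` to a new file `dst`; `src` is left untouched."""
    Path(dst).write_bytes(apply_patch(Path(src).read_bytes(), offset, expected, replacement))


def build_constructed_image(size: int = 0x2000) -> bytes:
    """Stand-in for the CrackMe: zero filler with the two branches at the page's offsets."""
    img = bytearray(size)
    img[0x1E24:0x1E26] = b"\x2C\x26"  # brfalse.s: serial check, false -> wrong serial
    img[0x1E4A:0x1E4C] = b"\x2B\x13"  # br.s: skips over the wrong-serial block
    return bytes(img)


if __name__ == "__main__":
    img = build_constructed_image()
    for off in (0x1E24, 0x1E4A):
        name, target = decode_short_branch(img, off)
        print(f"{off:#06x}: {name:<10} -> {target:#06x}")
    patched = apply_patch(img, 0x1E24, b"\x2C\x26", b"\x2C\x00")
    name, target = decode_short_branch(patched, 0x1E24)
    print(f"after patch: {name} -> {target:#06x} (falls through to the next instruction)")
```

Running it shows the brfalse.s at 1E24 targeting 1E4C, which is the byte right after the br.s at 1E4A, i.e. the start of the wrong-serial block, and the br.s targeting 1E5F; after the 2C 00 patch the brfalse.s target becomes 1E26, the instruction immediately following it. To patch a real file use patch_file with the same offset and byte arguments; it raises instead of writing if the bytes at the offset are not the ones you expect.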
Below is a valid serial so you can test it in the original and the cracked one to verify they both work.
mazuki
10925-STA-100
I also included a keygen for any name, but instructions for making that I will show you next time ;)
enjoy
-mazuki
