“Sandwich” CrackMe tutorial by qwertyoruiop

This is a cracking and keygenning tutorial by the reader qwertyoruiop. He’s having fun doing the crackmes, so I asked him to write tutorials about them, and he did! So here it is, the first one in its full glory 🙂

Things have been quiet around here, but busy in real life. I wanted to write a few posts about OS X malware, but I’m going to present at a conference in July on that topic (hopefully something interesting!). I will post the slides and tools after the conference.

Enjoy the tutorial. Great work qwertyoruiop, keep’em coming!

fG!

Sandwich_crackme_tut_qwertyoruiop.txt

10 thoughts on “‘Sandwich’ CrackMe tutorial by qwertyoruiop”

  1. Nice tutorial, learned a few new things. Some parts confused me, though. Especially the part where you explain a few things briefly about the assembler code, and then begin listing what it checks for, without explaining it in depth.
    But nice tutorial! 🙂

    1. One of these days when I get bored I will try to add some “newbies” content to qwertyoruiop’s tutorial, so those kinds of things are more clear.

  2. Hello!
    Good tutorial. As old win32 reverser, writing tutorials was the way I found to learn how to crack.
    This is the very first contact with OS X reversing that I’m having, and I found a lack of explanation of how the keygen was figured out.
    In order to solve that, I’m writing a complementary tutorial to this one, showing how to read the code.
    But I have a serious doubt about it.
    The code below is just the beginning of the validadeSerial function; we can see the length message being passed in the call and then the comparison with 0x13.

    The question is: where is the typed string serial on those registers?

    __text:00001B3C mov ebx, [ebp+arg_8] ; ? Is arg_8 the typed serial?
    __text:00001B3F mov esi, ds:off_3004 ; Length function
    __text:00001B45 mov [esp+4], esi
    __text:00001B49 mov [esp], ebx
    __text:00001B4C call _objc_msgSend
    __text:00001B51 cmp eax, 13h ; Compares length with 0x13 (19 in decimal)

    Thanks for your help
    @brunosalvador

    1. The string is stored in a NSString*, which is passed to objc_msgSend(id obj, SEL message, …) as the first argument;
      mov [esp], ebx sets ebx as the first argument, so ebx will contain the pointer to the NSString* instance.

  3. Hey, thank you for your feedback!
    Sorry for that assembler part, but I assumed reader already had a basic x86 knowledge.
    I’ll write another tutorial in a few weeks. It’ll be more detailed, and will have a different crackme.
    That one was written at 2AM; Sorry if I didn’t explain it well.

    1. Hi qwertyoruiop (How did you come up with that name? :P)
      I’ve been attempting to learn x86 (Well, Assembler in general), but some of the stuff just seems to get lost.
      But as I wrote, the rest of the tutorial was well explained, but this particular part just confused me. 🙂

      Are you going to post the new tutorial here too, or do you have your own blog?
