
Zi_Crakme

September 2nd, 2011


Zi_Crackme (Download crackme)

Zi_Crackme

=========

This is a simple crackme, and it took only 5 minutes to crack, even for a noob like me. Here comes the solution:

 

Target Study

=========

Run the target. You see something like the below (screenshot of the serial registration dialog):

We need to change the registration routine, so that whatever the input we give, it accepts it.

 

Fire up OllyDbg. Now the problem is how to reach the routine where this serial registration message is produced. I tried looking at the call stack, but it was of no help. What to do now?

 

Let's use the "animate" feature of Olly to get near the registration routine. Do "Animate over", and whenever the serial registration screen pops up, the call you were animating over at that moment is the one that leads to the screen. So breakpoint that call, run (F9), step into it (F7), and "Animate over" again. Repeating this again and again takes you closer and closer to the registration routine.

 

 

When we follow the above strategy, we see something like the below (screenshot):

Stepping over the code, we see the following (screenshot):

 

CMP EAX,0 sets the zero flag only when EAX is 0, and JNZ is taken only when the zero flag is clear, so a non-zero EAX jumps to the "wrong serial" path while EAX = 0 falls through to the good one. So we need to patch the code somewhere here. There are many possibilities, and for that brain usage is strictly recommended ;) I will simply NOP the JNZ instruction (all six bytes of it, so the following instructions keep their offsets) and check whether it runs fine. Yes, I can see the message "Well Done".
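To make the branch direction concrete, here is an added example (not code from the write-up) that decodes the 6-byte near JNZ exactly as encoded in the patch line later on this page (0F 85 20 00 00 00 at 00A50183), computes where the taken branch and the fall-through land, models the CMP EAX,0 / JNZ decision, and produces the same-length NOP patch. The bytes and address are the page's; everything else is a constructed model of the instruction semantics.

```python
# Added example: decode the JNZ rel32 at the check site and work out which way
# it goes for a given EAX, then build the NOP patch.  Address and bytes are
# from the write-up; JCC_NAMES is a small hand-written table, not a full decoder.
NOP = 0x90
JCC_NAMES = {0x82: "JB", 0x83: "JAE", 0x84: "JZ", 0x85: "JNZ",
             0x8C: "JL", 0x8D: "JGE", 0x8E: "JLE", 0x8F: "JG"}

CHECK_ADDR = 0x00A50183                      # runtime address of the JNZ (from the page)
CHECK_JNZ = bytes.fromhex("0f8520000000")    # JNZ +0x20, rel32 encoding (from the page)


def decode_jcc_rel32(addr: int, code: bytes) -> dict:
    """Decode a near conditional jump (0F 80..8F disp32) located at `addr`.

    The signed 32-bit displacement is relative to the END of the 6-byte
    instruction, so target = addr + 6 + disp.
    """
    if len(code) < 6 or code[0] != 0x0F or not 0x80 <= code[1] <= 0x8F:
        raise ValueError("not a Jcc rel32 encoding")
    disp = int.from_bytes(code[2:6], "little", signed=True)
    fallthrough = (addr + 6) & 0xFFFFFFFF
    return {
        "mnemonic": JCC_NAMES.get(code[1], "J??"),
        "disp": disp,
        "fallthrough": fallthrough,
        "target": (fallthrough + disp) & 0xFFFFFFFF,
    }


def next_ip_after_cmp_eax_0(eax: int, addr: int, code: bytes) -> int:
    """Return the next EIP after `CMP EAX,0` followed by the JNZ at `addr`.

    CMP EAX,0 sets ZF exactly when EAX == 0; JNZ jumps when ZF is clear.
    So EAX != 0 takes the jump and EAX == 0 falls through.
    """
    jcc = decode_jcc_rel32(addr, code)
    if jcc["mnemonic"] != "JNZ":
        raise ValueError(f"expected JNZ, got {jcc['mnemonic']}")
    zero_flag = (eax & 0xFFFFFFFF) == 0
    return jcc["fallthrough"] if zero_flag else jcc["target"]


def nop_out(code: bytes) -> bytes:
    """Replace an instruction with NOPs of the same length.

    Keeping the length identical means nothing after the patched
    instruction moves, so no other offsets or jumps need fixing.
    """
    return bytes([NOP]) * len(code)


if __name__ == "__main__":
    info = decode_jcc_rel32(CHECK_ADDR, CHECK_JNZ)
    print(f"{info['mnemonic']} at {CHECK_ADDR:#010x}: taken -> {info['target']:#010x}, "
          f"fall-through -> {info['fallthrough']:#010x}")
    for eax in (0, 1):
        print(f"EAX={eax}: next EIP {next_ip_after_cmp_eax_0(eax, CHECK_ADDR, CHECK_JNZ):#010x}")
    print("patch bytes:", nop_out(CHECK_JNZ).hex())
```

With the JNZ replaced by six NOPs, execution always continues at the fall-through address, which is the "Well Done" path the write-up reaches.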

 

But but but... OOPS!! Address A50183 is allocated at runtime, so those bytes are not in the executable on disk and we can't simply change the instruction to NOP in the file. We need to write a loader for it.

 

So, here is the script for the loader (I am using RISC Loader Creator):

O=risc_Zi _Crackme.exe: ;Output filename

F=Zi _Crackme.exe: ;File to patch

 

T=50000: ;Patching times

P=00A50183/0F,85,20,00,00,00/90,90,90,90,90,90: ;Patch the JNZ

$

However, the loader this script creates doesn't work. :( So I did some more reversing and found the reason: the code at A50000h is only copied there after you have entered the serial, and by the time you enter it the loader has already finished trying to patch.

 

By reversing in depth (again using the animate over and F7 trick), I found the following instruction to be responsible for copying the code:

 

10099FE3 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]

 

He he... so everything is clear now. The code at the location in ESI gets copied to the location in EDI. Think... think... think!! You only need to change the corresponding instruction in the source buffer at ESI, and the copy will carry the patched bytes to A50000h for you.

 

EDI = 0A50000

ESI = 1016CB5C

A50183 - A50000 = 183h

So, adding 183h to ESI:

1016CB5C + 183h = 1016CCDF

 

You will notice that it is the same JNZ instruction at address 1016CCDF. It's your choice now whether to patch it there directly or to change the address in the RISC loader creator script. In a RISC P= line the middle field is the original bytes the loader expects to find at that address, so it must match exactly what the debugger shows at 1016CCDF, otherwise the loader will not patch.

The new RISC loader script is:

 

O=risc_Zi _Crackme.exe: ;Output filename

F=Zi _Crackme.exe: ;File to patch

 

P=1016ccdf/0F,85,FC,FF,FF,FF/90,90,90,90,90,90: ;Patch the JNZ

$
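The address translation above and the P= patch lines, as an added worked example that is not part of the original write-up: it parses a RISC-style "P=addr/orig/new" line, maps the runtime address back into the REP MOVS source buffer (ESI + (A50183 - A50000)), and models the copy to show why the first attempt (patching A50183 before the code exists there) fails and why patching the template at 1016CCDF works. EDI, ESI, the patch address and the JNZ bytes are taken from the page; the DWORD count in ECX, the filler contents of the template and the original-bytes field in the constructed P= line are assumptions for the model.

```python
# Added example (not the write-up's code): translate the runtime patch address
# into the REP MOVS source buffer, apply a RISC-style "P=" patch there with the
# original-bytes guard, and model the copy.  ECX and the template contents
# are constructed; EDI, ESI, the JNZ bytes and A50183 come from the page.
import re

EDI = 0x00A50000                 # destination of REP MOVS DWORD PTR ES:[EDI],DS:[ESI]
ESI = 0x1016CB5C                 # source of the copy
ECX = 0x80                       # constructed: 0x80 DWORDs = 0x200 bytes, covers offset 0x183
RUNTIME_PATCH_ADDR = 0x00A50183  # where the JNZ ends up after the copy
JNZ_BYTES = bytes.fromhex("0f8520000000")
NOPS = b"\x90" * 6

# Constructed P= line aimed at the template; its middle field is whatever
# really sits at the source address, here the same bytes as at A50183.
SOURCE_P_LINE = "P=1016CCDF/0F,85,20,00,00,00/90,90,90,90,90,90: ;patch the JNZ in the template"


def parse_p_line(line: str) -> tuple[int, bytes, bytes]:
    """Parse 'P=addr/orig,bytes/new,bytes: ;comment' into (addr, orig, new)."""
    m = re.match(r"\s*P=([0-9A-Fa-f]+)/([0-9A-Fa-f,]+)/([0-9A-Fa-f,]+):", line)
    if not m:
        raise ValueError(f"not a P= line: {line!r}")
    to_bytes = lambda s: bytes(int(b, 16) for b in s.split(","))
    addr, orig, new = int(m.group(1), 16), to_bytes(m.group(2)), to_bytes(m.group(3))
    if len(orig) != len(new):
        raise ValueError("original and replacement bytes must have the same length")
    return addr, orig, new


def runtime_to_source(runtime_addr: int, edi: int = EDI, esi: int = ESI, ecx: int = ECX) -> int:
    """Map an address inside the REP MOVSD destination back into the source buffer."""
    offset = runtime_addr - edi
    if not 0 <= offset < ecx * 4:
        raise ValueError(f"{runtime_addr:#x} is outside the copied region")
    return esi + offset


class FlatMemory:
    """Sparse byte-addressable memory; unmapped bytes read as zero."""

    def __init__(self) -> None:
        self.cells: dict[int, int] = {}

    def read(self, addr: int, n: int) -> bytes:
        return bytes(self.cells.get(addr + i, 0) for i in range(n))

    def write(self, addr: int, data: bytes) -> None:
        for i, b in enumerate(data):
            self.cells[addr + i] = b


def rep_movsd(mem: FlatMemory, edi: int, esi: int, ecx: int) -> None:
    """Model REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] with DF=0."""
    mem.write(edi, mem.read(esi, ecx * 4))


def apply_patch(mem: FlatMemory, addr: int, orig: bytes, new: bytes) -> bool:
    """Guarded write, like a loader: patch only if the expected bytes are present."""
    if mem.read(addr, len(orig)) != orig:
        return False
    mem.write(addr, new)
    return True


def fresh_process() -> FlatMemory:
    """Constructed process image before the copy: code exists only in the template at ESI."""
    mem = FlatMemory()
    template = bytearray(b"\xcc" * (ECX * 4))
    template[0x183:0x189] = JNZ_BYTES
    mem.write(ESI, bytes(template))
    return mem


def patch_destination_first() -> tuple[bool, bytes]:
    """First attempt in the write-up: patch A50183 before the code has been copied there."""
    mem = fresh_process()
    ok = apply_patch(mem, RUNTIME_PATCH_ADDR, JNZ_BYTES, NOPS)  # nothing there yet -> no patch
    rep_movsd(mem, EDI, ESI, ECX)                               # the copy happens later
    return ok, mem.read(RUNTIME_PATCH_ADDR, 6)                  # still the original JNZ


def patch_source_first(p_line: str) -> tuple[bool, bytes]:
    """Working approach: patch the template so the copy carries the NOPs to A50183."""
    addr, orig, new = parse_p_line(p_line)
    if addr != runtime_to_source(RUNTIME_PATCH_ADDR):
        raise ValueError(f"P= address {addr:#x} does not map to {RUNTIME_PATCH_ADDR:#x}")
    mem = fresh_process()
    ok = apply_patch(mem, addr, orig, new)
    rep_movsd(mem, EDI, ESI, ECX)
    return ok, mem.read(RUNTIME_PATCH_ADDR, 6)


if __name__ == "__main__":
    print(f"source address: {runtime_to_source(RUNTIME_PATCH_ADDR):#x}")
    print("patch destination first:", patch_destination_first())
    print("patch source first:     ", patch_source_first(SOURCE_P_LINE))
```

The guard in apply_patch is also why the middle field of a P= line matters: if the bytes at the source address are not what the line claims, a loader that checks them will leave the process untouched and the crackme keeps rejecting the serial.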

 

 

Yippie !!!! it works beautifully.

 

 

CHEERS !!!! :)


  1. iphone 5
    September 7th, 2011 at 09:37 | #1

    This can be a superb guideline, specifically for those new to the blogosphere: short and correct information... Many thanks for sharing this one in particular. A must-read post.

  2. Mark
    September 7th, 2011 at 19:04 | #2

    Very nice, I suggest the webmaster set up a forum, so that we can talk and communicate.

  3. September 29th, 2011 at 03:45 | #3

    Much appreciated for the information and share!
    Nancy
