This is a new crackme that’s created by r4v3n. This is challenge 1 and you can download the binary here.

**Edit**: It is now available at crackmes.de.

I like to launch PEiD (their site seem to have expired but there are other similar tools around (pestudio, cff explorer)) and check what information that is available.

It would seem it is either C# or .NET. With some luck we can explore the binary in a .NET reflector and view the source-code in clear text. I’m going to use redgate’s reflector. As we can see in the first picture the program got 4 text boxes, 1 label and 1 button. It is likely that what we’re after is located in the button. Navigate to **Button1_Click(Object, EventArgs)** and inspect its content. We’ll find the following source-code.

```
private void Button1_Click(object sender, EventArgs e)
{
if (!Versioned.IsNumeric(this.TextBox1.Text))
{
Interaction.MsgBox(RuntimeHelpers.GetObjectValue(this.msg), MsgBoxStyle.ApplicationModal, RuntimeHelpers.GetObjectValue(this.title));
this.TextBox1.Text = "0000";
}
if (!Versioned.IsNumeric(this.TextBox2.Text))
{
Interaction.MsgBox(RuntimeHelpers.GetObjectValue(this.msg), MsgBoxStyle.ApplicationModal, RuntimeHelpers.GetObjectValue(this.title));
this.TextBox2.Text = "0000";
}
if (!Versioned.IsNumeric(this.TextBox3.Text))
{
Interaction.MsgBox(RuntimeHelpers.GetObjectValue(this.msg), MsgBoxStyle.ApplicationModal, RuntimeHelpers.GetObjectValue(this.title));
this.TextBox3.Text = "0000";
}
if (!Versioned.IsNumeric(this.TextBox4.Text))
{
Interaction.MsgBox(RuntimeHelpers.GetObjectValue(this.msg), MsgBoxStyle.ApplicationModal, RuntimeHelpers.GetObjectValue(this.title));
this.TextBox4.Text = "0000";
}
if ((((this.TextBox1.Text == "") | (this.TextBox2.Text == "")) | (this.TextBox3.Text == "")) | (this.TextBox4.Text == ""))
{
Interaction.MsgBox(RuntimeHelpers.GetObjectValue(this.msg), MsgBoxStyle.ApplicationModal, RuntimeHelpers.GetObjectValue(this.title));
}
this.vala = Conversions.ToInteger(this.TextBox1.Text);
this.valb = Conversions.ToInteger(this.TextBox2.Text);
this.valc = Conversions.ToInteger(this.TextBox3.Text);
this.vald = Conversions.ToInteger(this.TextBox4.Text);
if (Operators.ConditionalCompareObjectEqual(((Conversions.ToDouble(this.TextBox1.Text) * Conversions.ToDouble(this.TextBox2.Text)) * Conversions.ToDouble(this.TextBox3.Text)) * Conversions.ToDouble(this.TextBox4.Text), this.sval, false))
{
Interaction.MsgBox(RuntimeHelpers.GetObjectValue(this.gmsg), MsgBoxStyle.ApplicationModal, RuntimeHelpers.GetObjectValue(this.gtitle));
}
else
{
Interaction.MsgBox(RuntimeHelpers.GetObjectValue(this.dmsg), MsgBoxStyle.ApplicationModal, RuntimeHelpers.GetObjectValue(this.title));
}
}
```

The line we’re interested is this: `if (Operators.ConditionalCompareObjectEqual(((Conversions.ToDouble(this.TextBox1.Text) * Conversions.ToDouble(this.TextBox2.Text)) * Conversions.ToDouble(this.TextBox3.Text)) * Conversions.ToDouble(this.TextBox4.Text), this.sval, false)) `

It would seem that it takes the value of the 4 text boxes and multiply them together and then check their value against a variable.

**TextBox1 * TextBox2 * TextBox3 * TextBox4 == sval**

If the following statement equals true then the program will be successfully cracked. So, next step would be to find the value of sval. After poking around in the reflector I come across the following section.

The value of sval is **0x94bdd4c01693**, which is a hex value. So we’ll need to convert it to decimal. This can be done by the reflector but you can also use your favorite scripting/programming language or the windows calculator if you’re so inclined.

```
print str(0x94bdd4c01693)
163543039088275
```

So, an updated version of the statement would look like this.

**TextBox1 * TextBox2 * TextBox3 * TextBox4 == 163543039088275**

This means we need 4 numbers, multiply them with each other and they should end up with the sum 163543039088275. Another limitation is that each number must have a maximum length of four, this because that’s what the maximum length is on each TextBox. To find the 4 numbers we need with a max length of 4 we need to perform magic (math) or writie a tool which will brute-force it. Now, I’m no math wizard but I figured I’d go for the prime factors of the number and see how that looks.

I know the picture is quite big but I didn’t want it to become unreadable.

Anyhow, the prime factors are: **5^2 7 11 29 43 101 653 1033**

If all of those are multiplied together we will get the same number that is required for the serial to be valid. But, now we need to multiply a few of the numbers together and create 4 numbers with the maximum length of 4.

1033 * 7 = **7231**

653 * 11 = **7183**

101 * 43 = **4343**

29 * 5^2 = **725**

**7231 * 7183 * 4343 * 725 = 163543039088275**

The math looks correct so it is time to put the numbers into program and see if it works.

Awesome write up!!!! You should try and do some python magic to see if you can do a brute force tool!! Would love to see that.

Prime factorization (Primes.py):

http://pastebin.com/fE587r6v

Output:

Enter number to factor: 163543039088275

The prime factors of 163543039088275 are:

5^2 7^1 11^1 29^1 43^1 101^1 653^1 1033^1

Operation took 1 milliseconds

Awesome :)