Finding Correct Serial Using Softice.

Crackme 1 by Brad Soblesky.

By Krobar / Nov 1999


Now I'm assuming you have made the relevant changes to your winice.dat, and can Ctrl D SoftICE up when you want to. If you don't know what I'm talking about then go and read these:

When we double click on the crackme, we get a box requiring a code. There aren't actually that many programs around these days that use just a serial number entry to register, but it serves to get us started, and we can also get a little familiar with SoftICE along the way.

So enter some numbers...we're gonna enter 999999999...and I'll explain why soon. Push 'check' and see what it does. Hehe, 'incorrect try again'. Well, we could have fluked it...but not this time.

Click OK to get rid of the piss off message, then Ctrl D SoftICE up. Now we're gonna set a breakpoint, coz we want to break into the program code.

After reading the tuts before, you should be familiar with some of the breakpoints we can use, but one that seems to work quite regularly is HMEMCPY. It doesn't seem to matter if it's upper or lower case, and I always use lower case, so, set the breakpoint...
type bpx hmemcpy in the command window (the one down the bottom) and push enter/return.

Now we want to get back to our program, so we have to exit softice. We do this by pushing Ctrl D again, or we can push F5, or x and enter/return. Whatever, get back to the crackme. Push 'check' (the 999999999 should still be entered) and softice will appear again.

But where the fuck are we? Well, we aren't where we want to be. If you look between the bottom (command) and second to bottom (code) windows, you see 'KERNEL (01)'. We're in KERNEL.dll, where the function was first called from, and we want to be in crackme.

Anyway, this is how we get there.

Push F11 once, then disable our breakpoint, coz we don't want to break again...type bd 0 (we can also clear it by typing bc 0). Now F12 until we get to our program. About 9 times. You'll know when you get there because?????? Yep, it'll be displayed between the bottom two windows....CRACKME!.text+0557.

Stop when you get there. Have a look at the code. You can scroll the code window up or down by using Ctrl and the up/down arrow keys. The line of code that is about to be executed will be highlighted. Look down at the code under the highlighted line. You see
CALL [KERNEL32! lstrlen]....and further down CALL [KERNEL32! lstrcmp] ???
Hmmm....interesting....something about string length and string compare.

Now if you look up at the top left of the SoftICE screen at the EAX register, you see EAX=00000009. This is the length of the serial we entered (9), and our serial is being stored in the EAX register. If you can't see your register window (it should be at the top), type wr and push enter/return.

Well, I think we might be nearly there. Our serial's in EAX, and some functions are gonna be called that have something to do with string length and string compare.

Push F10 once to highlight the line that says
xxxx:xxxxxxxx PUSH EAX (you'll be familiar with this from reading previous tuts, but F10 steps through the code line by line), and see what is in EAX. Type d eax, and at the top right of the display window (the third one up) you'll see 999999999. If you can't, make sure you've got the display window on...type wd enter/return (this toggles it on and off).

At this stage, in this program, we could see the correct number by scrolling the display window up (Alt up arrow), but we're gonna F10 a bit more. So F10 down (a few times), till you do a little jump, then push F10 once more. You should be at the line
xxxx:xxxxxxxx PUSH ECX. Type d ecx and you'll see the correct number in the display window.

Note it down, F5 out of softice, and jam it in the box that says 'Enter Registration Number', click 'check', and you get rewarded with 'correct way to go'.

Well, that's it. We've done it!
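What the walkthrough just traced is the classic weak serial check: lstrlen on the input, then lstrcmp of the input against the real serial, with both strings sitting in memory as plain text at the moment of the compare, which is exactly why "d ecx" on the second argument hands over the answer. The C below is an added illustration written for this page, not Brad Soblesky's crackme code; the serial string EXAMPLE-SERIAL-1234, the FNV-1a hash, and all the function names are my own constructed assumptions (strlen/strcmp stand in for KERNEL32!lstrlen/lstrcmp). It puts that weak pattern next to a check that embeds only a digest of the serial and compares in constant time, so a breakpoint on the compare shows two digests rather than the secret string.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed placeholder; the crackme's real serial is deliberately not reproduced. */
static const char CORRECT_SERIAL[] = "EXAMPLE-SERIAL-1234";

/*
 * Weak check, modelled on what the walkthrough sees under SoftICE:
 * lstrlen on the input, then lstrcmp(input, real_serial). Both strings are
 * plain text in memory at the call, so breaking on the compare (or dumping
 * the second argument) reveals the real serial directly.
 */
int check_serial_plaintext(const char *entered)
{
    if (strlen(entered) != strlen(CORRECT_SERIAL))
        return 0;                                /* lengths differ: reject */
    return strcmp(entered, CORRECT_SERIAL) == 0; /* real serial passed as an argument */
}

/* 64-bit FNV-1a: a fast non-cryptographic hash, used here only to illustrate
 * "store a digest, not the secret". A real product would use a keyed MAC or a
 * signed licence instead of a short unkeyed hash, which can be brute-forced. */
uint64_t serial_digest(const char *s)
{
    uint64_t h = 1469598103934665603ULL;         /* FNV offset basis */
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 1099511628211ULL;                   /* FNV prime */
    }
    return h;
}

/* Constant-time equality on two 64-bit words: no early exit, so timing does
 * not leak how much of the digest matched. Returns 1 if equal, else 0. */
int ct_equal_u64(uint64_t a, uint64_t b)
{
    uint64_t diff = a ^ b;                       /* zero iff a == b */
    diff |= diff >> 32;                          /* fold every set bit down into bit 0 */
    diff |= diff >> 16;
    diff |= diff >> 8;
    diff |= diff >> 4;
    diff |= diff >> 2;
    diff |= diff >> 1;
    return (int)((diff & 1) ^ 1);
}

/*
 * Hardened check: the binary carries only expected_digest (computed once at
 * build time with serial_digest), never the serial itself, and the compare
 * is constant-time. Breaking at this call shows two digests, not the secret.
 */
int check_serial_hashed(const char *entered, uint64_t expected_digest)
{
    return ct_equal_u64(serial_digest(entered), expected_digest);
}

int main(void)
{
    const char *attempts[] = { "999999999", CORRECT_SERIAL };
    uint64_t stored = serial_digest(CORRECT_SERIAL); /* what the hardened binary would embed */
    for (size_t i = 0; i < 2; i++) {
        printf("%-22s plaintext=%d hashed=%d\n", attempts[i],
               check_serial_plaintext(attempts[i]),
               check_serial_hashed(attempts[i], stored));
    }
    return 0;
}
```

Compile with any C99 compiler and run; the first attempt (the tutorial's 999999999) fails both checks and the placeholder serial passes both. The difference is not in what the checks return but in what a debugger can see at the compare: the plaintext version hands over the serial as a function argument, the digest version does not.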