OK. We look at the Acid Burn crackme, and the first thing we see is the nag. How many times have we seen these (shit) nags??? Well, we deal with that later. For now just click OK and load the crackme.
First we're going to enter the single serial number and use SoftICE to find the correct one.
So click the Serial button and enter 999999999.
In SoftICE type bpx hmemcpy and press Enter. Now F5 out of SoftICE and click Check it Baby!
We're back in SoftICE, and we do the same as last time: press F11 to return to whoever called hmemcpy, then disable the breakpoint with bd 0.
We know what to do here! We have to get back into the program's own code, remember. Look at the line between the bottom two windows and you see KERNEL(01), so we're still in KERNEL. Keep pressing F12 until that line shows CRACKME2!CODE+0002B4BD (six times, actually), then STOP and look at the code.
See the RET instruction a few lines below where we landed? It means we're about to return from a procedure, so F10 down to it and over it, and yep, we land in another bit of code. Heh, another RET a few lines down, so F10 down and onto another bit of code. Keep F10-ing through the RETs, about six RETs in all. If you look at the EAX register (top left) it still equals 9, the length of our serial???
After about the 6th RET, we'll land here:
xxxx:0042F4CA 8B45F0     MOV EAX,[EBP-10]
xxxx:0042F4CD 8B55F4     MOV EDX,[EBP-0C]
xxxx:0042F4D0 E82745FDFF CALL 004039FC
xxxx:0042F4D5 751A       JNZ 0042F4F1
We see a CALL just before a jump. Well, we're going to trace INTO this call. F8 traces INTO a call (press F8 while we're on the CALL line) and we end up here:
xxxx:004039FC 53           PUSH EBX   <-- we land here
xxxx:004039FD 56           PUSH ESI
xxxx:004039FE 57           PUSH EDI
xxxx:004039FF 89C6         MOV ESI,EAX
xxxx:00403A01 89D7         MOV EDI,EDX
xxxx:00403A03 39D0         CMP EAX,EDX
xxxx:00403A05 0F848F000000 JZ 00403A9A
Hmmmm, three PUSHes followed by some MOVs, then a CMP/JZ, and (on the next lines, not shown here) a TEST/JZ and another TEST/JZ. This looks interesting. We often look for a CMP followed by a jump, or a TEST followed by a jump, because it may be where our serial is compared to the real one: if they're not the same, we jump to the piss-off message; if they are, we jump to the good-boy message.
We might be close, so we're going to do some dumping (the d command) to see what the registers, and the addresses they point at, contain. Both strings were loaded into EAX and EDX right before the CALL, so d eax and d edx are the places to look: one side is the 999999999 we typed, the other should be what it is being checked against.
The next line down, CMP EAX,EDX, is an address compare (thanks Ralph): it compares the two pointers, not the strings, and if they're the same we jump. Guess that if they're the same we end up at the good-boy message. Now before we F5 out of SoftICE to see if we've got the correct serial, we're going to note down the JZ address...
xxxx:00403A05 0F848F000000 JZ 00403A9A
...I'll explain why later.
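To make the shape of that routine and its caller concrete, here is a C model of it. This is an added example, not the crackme's own code: the serial string in it is made up, and it assumes the Delphi convention that a NULL string pointer means the empty string, which is what the two TEST/JZ pairs after the CMP are checking for. The point it shows is why dumping both registers at the CALL hands you the real serial: the compare routine is given both strings as arguments.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Added example, not the crackme's code: a C model of the compare routine we
 * traced into at 004039FC and of the caller that sets up its arguments.
 * The serial below is a made-up placeholder, not the real one. */
static const char *REAL_SERIAL_MODEL = "MADE-UP-SERIAL";   /* constructed */

/* The routine takes its two strings in EAX and EDX.  In Delphi a NULL pointer
 * is the empty string, which is what the three jumps at the top deal with.
 * Returns 0 when equal (ZF set), non-zero otherwise; the caller's JNZ only
 * looks at that flag. */
int lstrcmp_model(const char *eax, const char *edx)
{
    if (eax == edx)   return 0;     /* CMP EAX,EDX / JZ : same pointer, same string */
    if (eax == NULL)  return -1;    /* TEST ESI,ESI / JZ: first string is empty     */
    if (edx == NULL)  return 1;     /* TEST EDI,EDI / JZ: second string is empty    */
    return strcmp(eax, edx);        /* otherwise compare the actual bytes           */
}

/* What we saw at 0042F4CA: both strings are loaded into registers just before
 * the CALL.  This struct stands in for the register state at that moment. */
struct call_regs { const char *eax; const char *edx; };

struct call_regs load_args(const char *entered)
{
    struct call_regs r;
    r.eax = entered;            /* MOV EAX,[EBP-10] : what we typed              */
    r.edx = REAL_SERIAL_MODEL;  /* MOV EDX,[EBP-0C] : what it is checked against */
    return r;
}

/* CALL 004039FC / JNZ bad : returns 1 for good boy, 0 for piss off */
int check_serial(const char *entered)
{
    struct call_regs r = load_args(entered);
    return lstrcmp_model(r.eax, r.edx) == 0;
}

/* The "d eax" / "d edx" trick as code: at the CALL, whichever register does
 * not hold the string we typed holds the serial the program wants. */
const char *dump_other_side(const char *entered)
{
    struct call_regs r = load_args(entered);
    return (r.eax == entered) ? r.edx : r.eax;
}

int main(void)
{
    const char *fake = "999999999";
    const char *seen = dump_other_side(fake);
    printf("typed %s -> %s\n", fake, check_serial(fake) ? "good boy" : "piss off");
    printf("other register holds: %s\n", seen);
    printf("typed %s -> %s\n", seen, check_serial(seen) ? "good boy" : "piss off");
    return 0;
}
```

The pointer compare at the top is why the first JZ is not the one that decides good boy versus piss off: two different strings with the same bytes are still at different addresses, so the routine falls through to the byte compare, and it is the flag it leaves behind that the JNZ after the CALL acts on.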
F5 out of SoftICE and enter the serial. Congratz! Hey God Job dude!!=) <-- hmm, spelling as bad as mine??
Well, we've finished this level. You may have noticed that this was different from the last crackme: we had to trace into a call to find the correct serial. From what I have observed, you normally have to trace into at least one call, usually more, before you find the serial number, so keep this in mind when you start looking at full programs.
We're finished. Next we're going to look at the name/serial level.