Serial Number Using Softice.

Crackme 2 by Acid Burn

By Krobar / Dec 1999

Ok. We look at Acid Burn crackme, and first thing we see is the nag. How many times we seen snags (shit nags)??? Well, we deal with that later. For now just click OK and load the crackme.

First we gonna enter the single serial number and use softice to find the correct one.

So click the serial button and enter 999999999.
You know what to do now!!! Ctrl-D softice up, and set a breakpoint. We gonna try bpx hmemcpy again, coz it seems to work most times.
So type:

bpx hmemcpy and push enter. Now F5 out of softice and click Check it Baby!

Well, we back in softice and do the same as last time...push F11, then disable the breakpoint... bd 0

We know what to do here! We gotta get to the code in the program remember. Look down between the bottom two windows and you see KERNEL(01), so we in the KERNEL.dll. Start pushing F12 till we see CRACKME2!CODE+0002B4BD...six times actually, then STOP and look at the code.

See a RET instruction a few lines below where we landed. This means we gonna return from a procedure, so F10 down to it, and yep, onto another bit of code. Heh, another RET a few lines down...so F10 down and onto another bit of code. Keep F10-ing through the RETs, about six RETs all up. If we look at the EAX register (top left) it still equals 9...length of our serial???

After about the 6th RET, we'll land here:


xxxx:0042F4CA    8B45F0          MOV    EAX,[EBP-10]
xxxx:0042F4CD    8B55F4          MOV    EDX,[EBP-0C]
xxxx:0042F4D0    E82745FDFF      CALL   004039FC
xxxx:0042F4D5    751A            JNZ    0042F4F1

We see a CALL just before a jump. Well we gonna trace INTO this call. F8 traces INTO a call (push F8 when we on the call line) and we end up here:


xxxx:004039FC    53             PUSH   EBX<--we land here
xxxx:004039FD    56             PUSH   ESI
xxxx:004039FE    57             PUSH   EDI
xxxx:004039FF    89C6           MOV    ESI,EAX
xxxx:00403A01    89D7           MOV    EDI,EDX
xxxx:00403A03    39D0           CMP    EAX,EDX
xxxx:00403A05    0F848F000000   JZ     00403A9A

Hmmmm, three pushes followed by some MOVs, then a CMP/JZ, a TEST/JZ, and another TEST/JZ. I think this is interesting. Often we look for a CMP followed by a jump, or TEST followed by a jump, coz it may be where our serial is compared to the real one. If not the same we jump to piss off message; or if the same, jump to good boy message.

I think we might be close, so we gonna do some dumping (d) to see what the different registers and addresses contain.

  • At line 004039FC type d eax and push the enter/return key...our serial in the display window, d ebx...hmm nothing.
  • F10 to line 004039FD d esi...nothing.
  • F10, d edi/enter...nothing.
  • F10, to MOV ESI, EAX d esi/enter...nothing, d eax/enter...our serial.
  • F10 to line 00403A01, d edi/enter...nothing, d edx/enter...what this in the display window? Correct serial??

Next line down we see an address compare (thanks Ralph), and if they the same we jump. Guess if they the same we jump to good boy message. Now before we F5 out of softice to see if we got the correct serial, we going to note down the JZ address...

xxxx:00403A05    0F848F000000   JZ     00403A9A

...I explain why later.

F5 out of sice and put in the serial. Congratz! Hey God Job dude!!=) <--hmm, spelling as bad as mine??

Well we finished this level. You may have noticed that this seemed to be different from the last crackme....we had to go into a call to find the correct serial. From what I have observed, you normally have to trace into at least one call...usually more...before we find the serial number, so keep this in mind when you start looking at full programs.
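The reason d edx showed the correct serial is that the routine reached through CALL 004039FC gets both the typed serial and the real one as plain strings, so the real serial has to be sitting in memory when the compare runs. As an added example (not code from the crackme or from this tutorial), here is a small C program that models that plain check beside a hardened form that keeps only a digest of the serial, so the serial itself is never in the binary or in a register. The function names, the placeholder serial "AB" and its FNV-1a digest are all constructed for this demo; a real product would use a cryptographic hash such as SHA-256 rather than FNV-1a.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the check seen in the crackme: the real serial is a plain
 * string, so the compare routine receives a pointer to it (EDX in the
 * trace above) and a debugger can simply dump it.  "AB" is a
 * constructed placeholder, not the crackme's serial. */
static const char REAL_SERIAL_PLAIN[] = "AB";

int check_serial_plain(const char *input)
{
    /* Both strings are in memory at this point, exactly the situation
     * that "d edx" exposed in SoftICE. */
    return strcmp(input, REAL_SERIAL_PLAIN) == 0;
}

/* 32-bit FNV-1a, used here only because it is short enough to inline.
 * It is not a cryptographic hash; a shipping product would use one. */
uint32_t fnv1a32(const char *s)
{
    uint32_t h = 0x811C9DC5u;            /* FNV offset basis */
    for (; *s; s++) {
        h ^= (uint8_t)*s;
        h *= 0x01000193u;                /* FNV prime */
    }
    return h;
}

/* Hardened form: the binary stores only the digest of the serial
 * (this constant is FNV-1a of the constructed serial "AB"), so dumping
 * registers at the compare shows two digests, never the serial. */
static const uint32_t REAL_SERIAL_DIGEST = 0x2CD5218Au;

int check_serial_hashed(const char *input)
{
    return fnv1a32(input) == REAL_SERIAL_DIGEST;
}

int main(int argc, char **argv)
{
    const char *input = argc > 1 ? argv[1] : "999999999";  /* same wrong guess as in the tutorial */
    printf("plain check : %s\n", check_serial_plain(input) ? "good boy" : "piss off");
    printf("hashed check: %s\n", check_serial_hashed(input) ? "good boy" : "piss off");
    return 0;
}
```

The hashed form stops the serial being read out of a register, which is the only thing this level relied on. It does not hide the decision itself: there is still a CMP/JZ pair deciding between the two messages, which is exactly why the tutorial has you write down the JZ address. Keeping the serial out of memory is a mitigation for serial recovery, not for the check being located.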

We finished. Next we gonna look at the name/serial level.