Name/Serial Number Using Softice.

Crackme 2 by Acid Burn

By Krobar / Dec 1999

Ok. We doing Acid Burn's crackme, and first thing we see is the nag. How many times we seen snags (shit nags) ??? Well we deal to that later. For now just click ok and load the crackme.

This time we gonna choose the serial/name option. Do it and enter name and serial.
You know what to do now!!! Ctrl d softice up, and set a breakpoint. We gonna try bpx hmemcpy again, coz it seems to work most times.
So type:

bpx hmemcpy and push enter. Now F5 out of softice and click Check it Baby!

Well we back in softice and do the same as last time...push F11, then disable breakpoint... bd0

We know what to do here! We gotta get to the code in the program remember. Look down between the bottom two windows and you see KERNEL(01), so we in the KERNEL.dll. Start pushing F12 till we see CRACKME2!CODE+0002B4BD...six times actually, then STOP and look at the code.

Looks a lot like level one code dont it...we'll see. F10 through the six returns and we land here:

xxxx:0042F9CD 8B45F0 MOV EAX[EBP-10]

Stop here. The code looks different from the last level now, so have a look at it...lots of calls...and remember what we looking for? A compare before a jump, or a call before a jump. Well scroll the code window down a bit (Ctrl down arrow) and we see a call before a jump at:

xxxx:0042FA52 E8D96EFDFF CALL 00406930

Think we'll try it. F10 down to that address so it is highlighted, and F8 into the call. We land here:

xxxx:00406930 89FA MOV EDX , EDI

and if you do a d eax you see a bit of your name in the display window. I also see a compare followed by a jump further down, but we arent going to get there this time coz there a RET in the way.

F10 to the RET and we land here:

xxxx:0042FA57 83F804 CMP EAX , 04 <.....is our serial 4 characters
xxxx:0042FA5A 7D1D  JGE 0042FA79
<.....jump if greater or equal to 4

Cant see nothing interesting here...can check the registers if you want (d etc) but see not a lot so F10 once to the JGE (jump if greater or equal) and F10 to execute the jump.
Stop where you land and look at the code. Lots of calls, AND, if you scroll the code window down (Ctrl down arrow) you see a call followed by a jump at:


xxxx:0042FAFE    E8F93EFDFF    CALL    004039FC
xxxx:0042FB03    751A          JNZ     0042FB1F  

Well I think we go into that call, so F10 down to it, then F8 into it. We land here:


xxxx:004039FC    53             PUSH   EBX<--we land here
xxxx:004039FD    56             PUSH   ESI
xxxx:004039FE    57             PUSH   EDI
xxxx:004039FF    89C6           MOV    ESI,EAX
xxxx:00403A01    89D7           MOV    EDI,EDX
xxxx:00403A03    39D0           CMP    EAX,EDX
xxxx:00403A05    0F848F000000   JZ     00403A9A

and what you know...it the same bit of code that we ended up at in our last tut. The bit that gives us our correct serial.

F10 to the CMP, do a d edx...our number, and a d eax...looks like the correct serial to me.

Now dont forget to make a note of the address where the jump takes place, although if you worked through the last tut, we already have it.

F5 out of softice and enter the serial...Congratz!! Good job dude=).

That it. We done it. Did you notice that the well done messages were different for the two levels??? I wonder if that means anything.

Next we gonna look at patching the crackme so we can use any name and number, using W32dasm and Hiew. We been here before so before we start our next tut, load crackme2.exe into W32dasm, you know how coz we already done it for crackme1, then yep, click on string references.

See ya next tut!