Ok. We're doing Acid Burn's crackme, and the first thing we see is the nag. How many times have we seen snags (shit nags)??? Well, we'll deal with that later. For now just click OK and load the crackme.
This time we're gonna choose the serial/name option. Do it and enter a name and serial.
bpx hmemcpy and push enter. Now F5 out of SoftICE and click Check it Baby!
Well, we're back in SoftICE, so do the same as last time...push F11, then disable the breakpoint... bd 0
We know what to do here! We gotta get to the code in the program, remember. Look down between the bottom two windows and you see KERNEL(01), so we're in KERNEL.dll. Start pushing F12 till we see CRACKME2!CODE+0002B4BD...six times actually, then STOP and look at the code.
Looks a lot like the level one code, don't it...we'll see. F10 through the six returns and we land here:
xxxx:0042F9CD 8B45F0 MOV EAX,[EBP-10]
Stop here. The code looks different from the last level now, so have a look at it...lots of calls...and remember what we're looking for? A compare before a jump, or a call before a jump. Well, scroll the code window down a bit (Ctrl + down arrow) and we see a call before a jump at:
xxxx:0042FA52 E8D96EFDFF CALL 00406930
Think we'll try it. F10 down to that address so it is highlighted, and F8 into the call. We land here:
xxxx:00406930 89FA MOV EDX,EDI
and if you do a d eax you see a bit of your name in the display window. I also see a compare followed by a jump further down, but we aren't going to get there this time coz there's a RET in the way.
F10 to the RET and we land here:
xxxx:0042FA57 83F804 CMP EAX,04 <.....is our serial 4 characters?
Can't see nothing interesting here...can check the registers if you want (d etc.) but you won't see a lot, so F10 once to the JGE (jump if greater or equal) and F10 again to execute the jump.
xxxx:0042FAFE E8F93EFDFF CALL 004039FC
xxxx:0042FB03 751A JNZ 0042FB1F
Well, I think we go into that call, so F10 down to it, then F8 into it. We land here:
xxxx:004039FC 53 PUSH EBX <--we land here
xxxx:004039FD 56 PUSH ESI
xxxx:004039FE 57 PUSH EDI
xxxx:004039FF 89C6 MOV ESI,EAX
xxxx:00403A01 89D7 MOV EDI,EDX
xxxx:00403A03 39D0 CMP EAX,EDX
xxxx:00403A05 0F848F000000 JZ 00403A9A
and what do you know...it's the same bit of code that we ended up at in our last tut. The bit that gives us our correct serial.
F10 to the CMP, do a d edx...our number, and a d eax...looks like the correct serial to me.
Now don't forget to make a note of the address where the jump takes place, although if you worked through the last tut, we already have it.
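Why does d eax hand us the serial at that CMP? Because the crackme builds the real serial in memory and then compares it byte for byte with what we typed, so at the compare both strings are sitting in registers. The C below is an added example written for this page, not the crackme's code: derive_serial is a made-up stand-in for whatever the crackme really does with the name (the real algorithm is not on this page), check_serial_plain models the weak compare the tut walks into, and check_serial_hashed shows the minimal fix a developer would make so that a debugger parked on the compare only sees two hash values. The FNV-1a hash and the sample name are assumptions too.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy serial derivation, an ASSUMPTION for this example only (not the
 * crackme's real algorithm): mix the name bytes and print four digits. */
void derive_serial(const char *name, char *out, size_t outlen) {
    unsigned sum = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        sum = sum * 31u + *p;
    snprintf(out, outlen, "%u", sum % 9000u + 1000u);   /* always 4 digits */
}

/* Weak check, modelled on what the tut finds: the correct serial is derived
 * into a buffer and compared byte for byte with the input. At the strcmp
 * (the CMP EAX,EDX in the tut) both strings are in memory, so d eax / d edx
 * shows the expected serial in the clear. */
int check_serial_plain(const char *name, const char *serial) {
    char expected[16];
    if (strlen(serial) < 4)                  /* the CMP EAX,04 length check */
        return 0;
    derive_serial(name, expected, sizeof expected);
    return strcmp(expected, serial) == 0;    /* leaks 'expected' to a debugger */
}

/* 32-bit FNV-1a; any hash would do for the demonstration. */
static uint32_t fnv1a(const char *s) {
    uint32_t h = 0x811C9DC5u;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 0x01000193u;
    }
    return h;
}

/* Hardened check: derive the expected serial, hash it, wipe the plaintext,
 * then compare hashes. A debugger stopped on the final compare sees two
 * 32-bit values, not the serial the user should have typed. */
int check_serial_hashed(const char *name, const char *serial) {
    char expected[16];
    if (strlen(serial) < 4)
        return 0;
    derive_serial(name, expected, sizeof expected);
    uint32_t want = fnv1a(expected);
    memset(expected, 0, sizeof expected);    /* don't leave the plaintext lying around */
    return fnv1a(serial) == want;
}

int main(void) {
    char s[16];
    derive_serial("abc", s, sizeof s);       /* "abc" is a constructed sample name */
    printf("serial for abc: %s\n", s);
    printf("plain  : %d\n", check_serial_plain("abc", s));
    printf("hashed : %d\n", check_serial_hashed("abc", s));
    printf("wrong  : %d\n", check_serial_hashed("abc", "1234"));
    return 0;
}
```

Two caveats a developer should take from this: the plaintext still exists for a moment inside derive_serial, so a breakpoint there (rather than on the compare) would still catch it, and hashing does nothing against the other attack in the tut, patching the conditional jump after the call, which is exactly what the next tut is about. Hiding the serial from a d eax raises the bar for the serial-fishing approach only.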
F5 out of SoftICE and enter the serial...Congratz!! Good job dude=).
That's it. We've done it. Did you notice that the well done messages were different for the two levels??? I wonder if that means anything.
Next we're gonna look at patching the crackme so we can use any name and number, using W32Dasm and Hiew. We've been here before, so before we start our next tut, load crackme2.exe into W32Dasm, you know how coz we already did it for crackme1, then yep, click on string references.
See ya next tut!