View Full Version : Q about l0phtcrack crack


daemon
December 25th, 2000, 21:59
I've got a question and forgive me if it's rather stupid but here goes. I've read thru Goatass's tutorial on cracking l0phtcrack 2.5.2

<snippet of tut>
Run the program and you should see a nag screen showing you how many days you have left (15 days total) and there is also a "Register" button. Click the "Register" button and you should see a dialog box with a grayed out box with the pre-assigned serial number and below it there will be a box for your unlock code. The unlock code is alphanumeric but that doesn't matter right now. Go ahead and put any number you like, I used 12345678.

Now go into SoftICE (Ctrl+D) and set a breakpoint on GetWindowTextA (BPX GetWindowTextA). The approach here is to break right after the program reads your unlock code and then uses it along with the pre-assigned serial number to generate and compare the good unlock code. Now get out of SoftICE (X) and click the OK button. SoftICE breaks, press F11 to return to the calling function, that reads in the pre-assigned serial number. Now press F5 to read your unlock code, SoftICE breaks a second time, press F11 again and now you are in the program's code. Trace through the code until you get to this part:

:00406345 MOV EAX, [EBX] <-- if you type D EAX you will see the code you entered.
:00406347 LEA ECX, [ESP+1C] <-- here is the 1st unlock code, D ECX to view it.
</snippet of tut>


How did he know to go to 00406345?? I've followed through with this using SoftICE on my machine and I don't see any hints that reference this.

If anyone's interested I performed roughly the same crack w/W32dsm...

EVC_ViPeR
December 26th, 2000, 05:29
I am not sure how he knows, but I sort of understand that that kind of line always makes a newbie wonder... how do you know it is here??? Based on my experience (or if you read most of my articles, they are full of that stuff), when we trace the code, we always dump what is inside the registers and see if it is related to our name, fake code or something helpful, until we get what we are looking for. After that, when we write the tutorial, we sort of (or at least I do) point out where to look.

The reason we know is part of the experience gained on the road of reversing. Instinct also plays a role in it. Just my 2 cents opinion.

daemon
December 26th, 2000, 10:14
Thanks for the reply. When I hit F11 the second time it dumps me to 00456ECA mov ECX,[EBP+10] which is a hell of a long way away from 00406345. I understand what you're saying but that seems like a lot of "easter egging" (I use that term referring to me as I can't find any reference to it) to trace back that far just dumping registers along the way. I need to get busy on some more SoftICE tutorials as I'm obviously missing something. I've put up how I did the same crack w/W32dsm on my site (www.ill0gik.org) under the /*Misc*/ section if anyone's interested.

thanks,
daemon

?ferret
December 27th, 2000, 21:29
One way that usually works to cut some of the useless registers is to do a search for the serial you entered (S 0 L FFFFFFFF 'yourserial') and then put a BPM/BPR on the address/range given by the search (BPM 0167:49A178 RW) [the RW is for read OR write].

When SoftICE breaks, dig around a bit; if the fake serial gets transferred to a different memory address, BPM it. If it gets compared to something, find out what.

Hope that clears it up a bit for ya ;-)

daemon
December 29th, 2000, 20:38
Thanks to both of you for the replies. I've got some massive reading and learning to do but I think I can start looking in the right direction now.

-d