Tutorial - Crackme #8 by tC

--Finding the proper breakpoint--

The first thing that you notice with this crackme is that it gives you a message and a beep after you have entered an incorrect serial number. This usually means a message box, so enter the breakpoint:

    bpx messageboxa

Now enter your name and serial number:

    Sanhedrin
    12344321

Press Validate and you will land at:

* Referenced by a CALL at Address:
|:00441B21
|
:004417B4 6A00                    push 00000000

* Possible StringData Ref from Code Obj ->"Reg.Error"
|
:004417B6 68D4174400              push 004417D4

* Possible StringData Ref from Code Obj ->"Invalid Serial - Use the Serial "
                                        ->"you paid for;)"
|
:004417BB 68E0174400              push 004417E0
:004417C0 A1302C4400              mov eax, dword ptr [00442C30]
:004417C5 8B00                    mov eax, dword ptr [eax]
:004417C7 8B4024                  mov eax, dword ptr [eax+24]
:004417CA 50                      push eax

* Reference To: user32.MessageBoxA, Ord:0000h
|
:004417CB E8004CFCFF              Call 004063D0
:004417D0 C3                      ret                <--------- You will end up here.

--Checking the Code--

Press F10 once to find out where this call originated from, and you will end up at:

:00441B03 E84020FCFF              call 00403B48
:00441B08 A134384400              mov eax, dword ptr [00443834]
:00441B0D 8B1538384400            mov edx, dword ptr [00443838]
:00441B13 E8F420FCFF              call 00403C0C      <----- checks our code with the real code
:00441B18 7507                    jne 00441B21       <----- jump to good cracker if correct
:00441B1A E8F1FCFFFF              call 00441810
:00441B1F EB05                    jmp 00441B26       <----- jump to bad cracker if incorrect

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00441B18(C)
|
:00441B21 E88EFCFFFF              call 004417B4

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00441B1F(U)
|
:00441B26 33D2                    xor edx, edx       <--------- You will end up here.
:00441B28 8B83C4020000            mov eax, dword ptr [ebx+000002C4]
:00441B2E E86917FEFF              call 0042329C
:00441B33 33D2                    xor edx, edx

Clear the breakpoint and enter:

    bpx 00441B13

Re-enter your name and serial number and press Validate.

Once you have broken into SoftICE, type:

    D EAX    <----- the number that we entered (12344321)
    D EDX    <----- the real serial number (IRE-1639033)

--Reversing the code--

The other method of cracking is changing the code. In this case, changing

    00441B18 7507                 jne 00441B21       (found at 00040F18h)

to

    00441B18 7407                 je 00441B21

and the program will be cracked.

--Final notes--

Sometimes it is just as easy to start at the end (error message) and work your way backwards to find that magic compare code, as it is from the beginning.

Thanks to all of those coders that make these crackmes.

Sanhedrin
stachi@geocities.com
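Before trusting a disassembler's annotations it is worth checking the branch targets by hand from the raw bytes. The following Python decoder is an added example, not part of the original tutorial: it takes the listing lines quoted above (constructed here from the page), decodes the rel8 jumps (74/75/EB) and the rel32 calls (E8) the listing uses, and confirms each computed target against the printed one. Following the decoded targets, the jne at 00441B18 lands on 00441B21, whose call to 004417B4 is the "Reg.Error" message-box routine, while the fall-through at 00441B1A calls 00441810. The VA-to-file-offset shift is assumed constant within the code section and derived from the page's 00441B18 / 00040F18h pair.

```python
import re

# Listing lines copied from the tutorial (W32Dasm style: address, bytes, mnemonic, target).
LISTING = """
:004417CB E8004CFCFF Call 004063D0
:00441B03 E84020FCFF call 00403B48
:00441B13 E8F420FCFF call 00403C0C
:00441B18 7507 jne 00441B21
:00441B1A E8F1FCFFFF call 00441810
:00441B1F EB05 jmp 00441B26
:00441B21 E88EFCFFFF call 004417B4
:00441B2E E86917FEFF call 0042329C
"""

LINE_RE = re.compile(r"^:([0-9A-F]{8})\s+([0-9A-F]+)\s+(\w+)\s+([0-9A-F]{8})$", re.I)

# Only the encodings that appear in the listing: 2-byte rel8 jumps, 5-byte rel32 call.
REL8 = {0x74: "je", 0x75: "jne", 0xEB: "jmp"}
REL32 = {0xE8: "call"}

def decode_target(addr, code):
    """Return (mnemonic, target) for a relative jump/call located at virtual address addr."""
    op = code[0]
    if op in REL8:
        disp = int.from_bytes(code[1:2], "little", signed=True)
        return REL8[op], (addr + 2 + disp) & 0xFFFFFFFF
    if op in REL32:
        disp = int.from_bytes(code[1:5], "little", signed=True)
        return REL32[op], (addr + 5 + disp) & 0xFFFFFFFF
    raise ValueError(f"unsupported opcode {op:#04x} at {addr:#010x}")

def check_listing(text):
    """Map address -> (mnemonic, computed target, matches printed target)."""
    results = {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr = int(m.group(1), 16)
        mnem, target = decode_target(addr, bytes.fromhex(m.group(2)))
        results[addr] = (mnem, target, target == int(m.group(4), 16))
    return results

# Assumption: the tutorial places VA 00441B18 at file offset 00040F18h; within one
# section the difference is constant, so the same shift maps neighbouring VAs.
VA_TO_RAW_DELTA = 0x00441B18 - 0x00040F18

def va_to_file_offset(va):
    """Translate a code-section virtual address to its raw file offset."""
    return va - VA_TO_RAW_DELTA
```

Swapping the first byte 75 for 74 in `decode_target` shows that the patch discussed below changes only the condition, not the target: both encodings still resolve to 00441B21.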