Terminal Cilla's Tutorial #3

[Target Infos:]
  [Name  :] CrackMe 2
  [Author:] Brad Soblesky
  [Type  :] Name - Serial
  [Where :] http://crackmes.cjb.net

[Needed Tools:] SoftIce

[Our Aim:] Find a valid serial

-----------------------------------------------------------------------------

Hi Reader.
I'm sorry for all grammatical and orthographic errors.

Today we deal with "CrackMe2" by 'Brad Soblesky'.

First of all, study the CrackMe. We have two input boxes and one check
button. Let's enter a name and a dummy serial. I used:

  Name: Terminal Cilla
  Code: 2244668800

Click the 'Check' button and we get the expected error message
("Incorrect!!, try again.").

Now it's time for us to play with SoftIce. I assume that you have already
configured your SoftIce and that you are basically down with SI - otherwise
stop reading and take a "SoftIce4Newbies - Tutorial".

Still here? OK ;)

Fire up SoftIce and set a breakpoint on 'hmemcpy' (). Return to our CrackMe
with F5. Hit the 'Check' button and we get back to SI. Hit F5 once again,
since we have two input boxes. Disable the breakpoint with . From now on
press:

  1 * F11
  8 * F12

Now you should be in the code of our CrackMe. Trace down with F10 and you
will pass the check on our name length (must be >5). In order to get to our
main routine faster you can type or simply step until you come here:

:00401627 E852070000    call 00401D7E            -> here we should land
:0040162C 83C40C        add esp, 0000000C
:0040162F 8D4DDC        lea ecx, dword ptr [ebp-24]
:00401632 E879020000    call 004018B0
:00401637 50            push eax                 -> pushes the valid code
:00401638 8D4DE8        lea ecx, dword ptr [ebp-18]
:0040163B E880020000    call 004018C0
:00401640 85C0          test eax, eax
:00401642 0F85FF000000  jne 00401747             -> Jump to Error-message
                                                    if eax <>0.

Trace further until ':00401642'. On the way, check the 'eax' register. It
will contain our valid serial. At ':00401642' we check 'edx'() and 'ecx'()
and we see our fake serial in 'edx' and the valid serial once again, but
this time in 'ecx'.

In my case it's: 3610542334.

Write down the needed serial and clear all breakpoints using . Back in the
CrackMe we enter our values and earn the "Correct!!, way to go" message.

Well, our job is done!

Thx4Readin'

-----------------------------------------------------------------------------

-=I'm still a newbie - So I can only get better!=-

(c) Terminal Cilla (april 1999)

 ________________________
| Be sure to visit:      |
| http://crackmez.cjb.net|
|           &            |
| http://crackmes.cjb.net|
|________________________|
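
Added example, not part of the original tutorial and not the CrackMe's own code: the check pattern seen in the listing (build the valid serial, then compare it with the input) next to a verify-only design in which the checker never computes the valid serial. The name_hash routine, the toy RSA numbers and all function names are assumptions made for illustration; the CrackMe's real serial algorithm is not shown on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the name-to-serial routine (FNV-1a, illustration only). */
static uint32_t name_hash(const char *name) {
    uint32_t h = 2166136261u;
    for (; *name; name++) { h ^= (unsigned char)*name; h *= 16777619u; }
    return h;
}

/* Pattern from the listing: build the valid serial, then string-compare it.
 * `expected` holds the valid serial in clear text when the compare runs. */
int check_fishable(const char *name, const char *serial, char *expected, size_t n) {
    if (strlen(name) <= 5) return 0;      /* name length must be > 5 */
    snprintf(expected, n, "%lu", (unsigned long)name_hash(name));
    return strcmp(serial, expected) == 0;
}

/* Toy RSA key: n = 61 * 53, e public, d private. Far too small for real use;
 * d appears here only so the demo can issue a serial. */
enum { TOY_N = 3233, TOY_E = 17, TOY_D = 2753 };

static uint32_t modpow(uint32_t b, uint32_t e, uint32_t m) {
    uint32_t r = 1;
    for (b %= m; e; e >>= 1) { if (e & 1) r = r * b % m; b = b * b % m; }
    return r;
}

/* Vendor side: signs the name digest with d. Not part of the shipped checker. */
uint32_t vendor_issue(const char *name) {
    return modpow(name_hash(name) % TOY_N, TOY_D, TOY_N);
}

/* Shipped checker: serial^e mod n must equal the name digest. */
int check_verify_only(const char *name, const char *serial) {
    char *end;
    unsigned long s = strtoul(serial, &end, 10);
    if (strlen(name) <= 5 || end == serial || *end != '\0' || s >= TOY_N) return 0;
    return modpow((uint32_t)s, TOY_E, TOY_N) == name_hash(name) % TOY_N;
}

int main(void) {
    char expected[32];
    int ok = check_fishable("Terminal Cilla", "2244668800", expected, sizeof expected);
    printf("fishable: ok=%d, valid serial left in memory: %s\n", ok, expected);
    printf("verify-only: issued serial %lu\n", (unsigned long)vendor_issue("Terminal Cilla"));
    return 0;
}
```

In the first checker a wrong guess still leaves the right answer in the `expected` buffer, which is what the 'eax' and 'ecx' observations above rely on; the second checker only holds the user's input and the name digest.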