Terminal Cilla's Tutorial #2

[Target Infos:]
[Name  :] CrackMe 2
[Author:] FireWorx
[Type  :] Name - Serial
[Where :] http://crackmes.cjb.net

[Needed Tools:] SoftIce

[Our Aim:] Find a valid serial

-----------------------------------------------------------------------------

Hi Reader. I'm sorry for all grammatical and orthographic errors.

Today we deal with "CrackMe2" by 'FireWorx'. OK, let's start.

First of all we examine the CrackMe. There are two input boxes and the OK button of interest. Let's enter a name and a dummy serial. I used:

Name   : Terminal Cilla
Serial : 0022446688

Hit the OK button and we get a 'Wrong Code' message. Now we have to deal with SoftIce. I assume that you have already configured your SoftIce and that you are basically down with SI - otherwise stop reading and take a "SoftIce4Newbies - Tutorial".

Still here? OK ;)

Start SoftIce and do a . Press F5 to return to the CrackMe. Now hit the OK button once again and we get back to SoftIce. Since there were two input boxes, let's press F5 once more. Enter to disable our breakpoint. From now on, press:

1 * F11 ;
11 * F12 ;

We should finally come here:

:00441726 FF75F4        push [ebp-0C]               -> we land here
----------------------snip---------------------------------------------------
:0044173A 68BC174400    push 004417BC               -> push '625'
:0044173F 68C8174400    push 004417C8               -> push 'g'
:00441744 68D4174400    push 004417D4               -> push '72'
:00441749 8D45F8        lea eax, dword ptr [ebp-08]
:0044174C BA05000000    mov edx, 00000005
:00441751 E89E23FCFF    call 00403AF4
:00441756 8B55F8        mov edx, dword ptr [ebp-08] -> good code
:00441759 58            pop eax
:0044175A E8E523FCFF    call 00403B44               -> Compare
:0044175F 7517          jne 00441778                -> Jump to Error-Message
                                                       if compare-result <> 0

We trace with F10 to ':0044173A'. Something is pushed onto the stack here - let's check what it is. Type and we see 625. Do that with the others too and we get: '625g72'. What's that? Our serial? Well, not at all. See what we get next. At ':00441756' edx gets a very strange string. Enter . In my case it's: 'Terminal CillaTerminal Cilla625g72'. Do we assume the same? Yes - that's our serial!

Now do a to clear all the breakpoints and return to the CrackMe. Enter our values and we get the OK message.

Let us sum up: serial = name+name+625g72.

Well, our job is done!

-----------------------------------------------------------------------------

-=I'm still a newbie - So I can only get better!=-

(c) Terminal Cilla (april 1999)

 ________________________
| Be sure to visit:      |
| http://crackmez.cjb.net|
|           &            |
| http://crackmes.cjb.net|
|________________________|