Whooh... I'm tired. :/

Target app: Acoustica 2.0 (2.01a)
Tools: SoftICE (SI), W32Dasm
Level: 1, easy
URL: probably www.aconas.de (or Lazarus' and +Sandman's board, where I picked this up: members.boardhost.com/reversing2)

Some info on the target

Mmm... I really didn't know what to do with this app, but since I found out it was the target of the new newbie project (by Lazarus), I thought I'd take a look at it.

NOTE! This tute only shows how to find your real serial. It WON'T explain how to solve all the tasks Laz has assigned on the forum!

Let me explain how I found the right code

I started (though I had first traced in SI) by deadlisting, in case I'd find some useful info, and I did! I started with the error message you receive whenever you've entered a wrong serial (surprise!):

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00446F6B(C)
-------------------CUT----------------------
* Possible StringData Ref from Data Obj ->"Acoustica"
|
:00446FA6 68B6A04900              push 0049A0B6
* Possible StringData Ref from Data Obj ->"The key does not match license "
                                        ->"owner."

I traced back to the jump (446F6B):

:00446F63 E80CFBFFFF              call 00446A74                  <- Call to the serial routine (result comes back in AL)
:00446F68 59                      pop ecx
:00446F69 84C0                    test al, al                    <- Test the result
:00446F6B 7432                    je 00446F9F                    <- Jump if it doesn't match
:00446F6D 8B4F66                  mov ecx, dword ptr [edi+66]    <- Passed the check...
:00446F70 8B01                    mov eax, dword ptr [ecx]
:00446F72 6A00                    push 00000000
* Possible StringData Ref from Data Obj ->"Acoustica"
|
:00446F74 6886A04900              push 0049A086
* Possible StringData Ref from Data Obj ->"Your license is registered. Thank "

It seemed quite clear what to do in order to get the right serial: trace the call before the test. But before I went back to SI I traced the call in W32Dasm first, and to my surprise I found something useful. (Go to the call and scroll down until you see this:)

* Possible StringData Ref from Data Obj ->"AC200-%d"          <- What's this? Part of the serial?
|
:00446B85 68A39F4900              push 00499FA3                  <- the format string
:00446B8A 8D85A0FEFFFF            lea eax, dword ptr [ebp+FFFFFEA0]   (= ebp-160)
:00446B90 50                      push eax                       <- destination buffer
:00446B91 E8DA880300              call 0047F470                  <- Trace into this (though not necessary)
:00446B96 83C40C                  add esp, 0000000C              <- three dword arguments cleaned up
:00446B99 8D9510FFFFFF            lea edx, dword ptr [ebp+FFFFFF10]   (= ebp-F0)
:00446B9F 52                      push edx
:00446BA0 8D8DA0FEFFFF            lea ecx, dword ptr [ebp+FFFFFEA0]
:00446BA6 51                      push ecx
* Reference To: KERNEL32.lstrcmpA, Ord:0000h                    <- String compare

Hmm, AC200-%d... what does it mean? Could it be that AC200- is the first part of the serial and %d is a checksum of some sort which gets replaced by the correct last part? Yeah, I think so. The listing supports that reading: "%d" is a printf-style placeholder for a decimal integer, and the add esp,0C after the call removes three dword arguments, i.e. the buffer, the format string and exactly one value for %d (pushed just above the part shown here). Once the call returns, the buffer at ebp-160 holds the generated serial, and lstrcmpA compares it with the string at ebp-F0, which is the one you typed. So you can also stop at 446B96 and do "d ebp-160" to read the real serial straight from the buffer.

OK, now that we've found this out (note: you could have traced and found this in SI too, but I thought I'd show the "easier" way :)) we can start the real serial hunt in SI!

This is what I entered in Acoustica:

Name: C_DKnight
Company: HellSoft
Serial: AC200-22446688    <- Remember to put AC200-

Set a breakpoint on GetDlgItemTextA (bpx GetDlgItemTextA) and press OK. SI breaks, and since there are three boxes, GetDlgItemTextA breaks three times, so press F5 twice followed by F11 to get back into the program and on to the serial part. To make this a little easier we can use "G 446B85" to go directly to the serial code (or trace your way in there, whatever you want).

*Yawn*... damn, it's 2 am, I'm tired. Let's continue this first thing in the morning, ok? K, g'nite. *ZZZZzzzzzZZZZ*

Whoa, 9 hours of good sleep and we're ready to rumble! Mmm, so where were we? Oh yeah, the serial part. OK, let's check it out.

If you did everything I said you should now be at 446B85. Tracing into the call at 446B91 brings you here:

:0047F470 55                      push ebp
:0047F471 8BEC                    mov ebp, esp
:0047F473 8B4508                  mov eax, dword ptr [ebp+08]    <- destination buffer
:0047F476 8D4D08                  lea ecx, dword ptr [ebp+08]
:0047F479 C60000                  mov byte ptr [eax], 00         <- buffer starts empty
:0047F47C 8D4510                  lea eax, dword ptr [ebp+10]    <- do "? ebp+10" here
:0047F47F 50                      push eax
:0047F480 8B550C                  mov edx, dword ptr [ebp+0C]    <- the format string
:0047F483 52                      push edx
:0047F484 51                      push ecx
:0047F485 6848F44700              push 0047F448
:0047F48A E8ED020000              call 0047F77C
:0047F48F 83C410                  add esp, 00000010
:0047F492 5D                      pop ebp
:0047F493 C3                      ret

[ebp+8] is the buffer, [ebp+0C] is the format string and [ebp+10] is the first value after them, i.e. the number that will be printed for %d. "? ebp+10" gives you the address of that slot; "dd ebp+10" shows the dword stored there (in hex, so convert it to decimal), and that is the last part of your serial. The routine itself has the shape of a C-runtime sprintf: it zeroes the first byte of the destination, then hands a character-output callback (0047F448), a pointer to the destination, the format string and a pointer to the remaining arguments to a generic formatter at 0047F77C.

If you wish to trace on to see where exactly the serial string is written, you should eventually end up here:

:0047FFCA 8D85BCFAFFFF            lea eax, dword ptr [ebp+FFFFFABC]
:0047FFD0 50                      push eax
:0047FFD1 8B55E8                  mov edx, dword ptr [ebp-18]
:0047FFD4 FF45E8                  inc [ebp-18]
:0047FFD7 8A0A                    mov cl, byte ptr [edx]         <- next character
:0047FFD9 51                      push ecx
:0047FFDA E841F7FFFF              call 0047F720                  <- Trace here (though not necessary either)
:0047FFDF 83C408                  add esp, 00000008
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047FFC8(U)
|
:0047FFE2 8B45C0                  mov eax, dword ptr [ebp-40]
:0047FFE5 8345C0FF                add dword ptr [ebp-40], FFFFFFFF
:0047FFE9 85C0                    test eax, eax                  <- All characters done?
:0047FFEB 75DD                    jne 0047FFCA                   <- Nope, loop until done

Btw, when you get to 47FFCA, if you do "d eax" and trace the whole loop through, you'll see the serial being generated in the buffer eax points to. :)

If you traced the call at 47FFDA you came here:

:0047F720 55                      push ebp
:0047F721 8BEC                    mov ebp, esp
:0047F723 53                      push ebx
:0047F724 8B5D0C                  mov ebx, dword ptr [ebp+0C]
:0047F727 837B5050                cmp dword ptr [ebx+50], 00000050   <- index of the current character
:0047F72B 7C07                    jl 0047F734                    <- Always jumps (?)
:0047F72D 53                      push ebx
:0047F72E E8BDFFFFFF              call 0047F6F0
:0047F733 59                      pop ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047F72B(C)
|
:0047F734 8B4350                  mov eax, dword ptr [ebx+50]
:0047F737 8A5508                  mov dl, byte ptr [ebp+08]      <- the correct character
:0047F73A 881403                  mov byte ptr [ebx+eax], dl     <- stored at the current index
:0047F73D FF4350                  inc [ebx+50]
:0047F740 FF435C                  inc [ebx+5C]
:0047F743 5B                      pop ebx
:0047F744 5D                      pop ebp
:0047F745 C3                      ret

So, it's pretty clear (hopefully :)). 47F727 compares the current character index ([ebx+50], the same value that is used as the store offset at 47F73A and incremented right after) against 50h (80 decimal). Our serial has 10 characters excluding the -, so the index never gets anywhere near 80 and the jl always jumps; the call at 47F72E is only for the case where the buffer is full. You should therefore always see the hex value of the current index in the register window in the upper right corner of SI; 0A (10) is the last value. 47F737 is the spot where the correct character for that index is stored; if you do "d ebp+8" you'll see the current character.

Weeh, this looks like one helluva mess. Hope you could/can figure something out. I know my knowledge of assembly isn't as good as it should be :), but hopefully I got those things right, and if I didn't, I know someone will ;)

Anyway, this was an excellent program to practice cracking on; I learnt a lot from this one. I express my gratitude to Lazarus!! Excellent choice! But in case Laz didn't pick this program but someone else did, I want to greet him too! :)

OK, that was enough blah blah. This is what I finally got:

Name: C_DKnight
Company: HellSoft
Serial: AC200-39014

If you want to practice doing this, you can wipe out the registration info (in the registry, of course) at My Computer\HKEY_USERS\.DEFAULT\Software\Acon AS\Acoustica\2.0\RegisterInfo (that's the place where my registration was; it shouldn't differ on your computer).

-C_DKnight <- c_dknight@iobox.com or see me at #cracking4newbies, #cdrinfo

Greetz: All cool fellas at #cracking4newbies and #cdrinfo, especially these dudes: AB4DS, r!sc, Dead-Mike, RevX (you know, Pokémon is a weird game on Game Boy Color), E_Bliss, Sinn0r, Hades', cTT!!!!!!, Acid Burn and Lazarus of course. Plus all I forgot (sorry :)), plus Tailz, Mathras, F0ley, LM555, MR-B etc. ;)
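As an added example (not code from the tutorial or from Acoustica), here is a small C model of the two pieces the listings show: the format-and-compare at 446B85..446BA6, and the per-character sink at 47F720 with its 50h check. How the number fed to %d is derived is not on this page, so key_matches() takes it as a parameter; the struct layout apart from offsets 50h and 5Ch, the buffer size, and what the full-buffer routine 0047F6F0 does (modelled here as a counter plus index reset) are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the object the sink at 0047F720 works on. Only
 * offsets 0x50 (write index) and 0x5C (characters written) are visible in
 * the listing; the rest of the layout is an assumption for this example. */
typedef struct {
    char buf[0x50];   /* [ebx+00..4F]: the bytes being written            */
    int  pos;         /* [ebx+50]: index for the next character            */
    int  unused[2];   /* [ebx+54], [ebx+58]: not seen on the page          */
    int  total;       /* [ebx+5C]: total characters handled                */
    int  full_calls;  /* example-only: how often 0047F6F0 would be called  */
} sink_t;

/* 0047F720: cmp [ebx+50],50 / jl skip / call 0047F6F0 / store byte / inc, inc */
static void sink_putc(sink_t *s, char c)
{
    if (s->pos >= 0x50) {     /* the jl at 0047F72B is NOT taken: buffer full */
        s->full_calls++;      /* stands in for call 0047F6F0                   */
        s->pos = 0;           /* assumption: 0047F6F0 drains buf, resets index */
    }
    s->buf[s->pos] = c;       /* mov byte ptr [ebx+eax], dl */
    s->pos++;                 /* inc [ebx+50]               */
    s->total++;               /* inc [ebx+5C]               */
}

/* The loop at 0047FFCA..0047FFEB: one sink_putc per character of the text. */
static void emit(sink_t *s, const char *text)
{
    for (size_t i = 0; i < strlen(text); i++)
        sink_putc(s, text[i]);
}

/* How often the "buffer full" path runs for a given output. For a serial
 * of 11 bytes it is 0, which is why the jl at 0047F72B always jumps here. */
int full_path_count(const char *text)
{
    sink_t s;
    memset(&s, 0, sizeof s);
    emit(&s, text);
    return s.full_calls;
}

/* Final value of [ebx+5C]. On the last character the index seen at
 * 0047F727 is one less than this (0A for an 11-byte serial). */
int chars_written(const char *text)
{
    sink_t s;
    memset(&s, 0, sizeof s);
    emit(&s, text);
    return s.total;
}

/* The check at 00446B85..00446BA6: sprintf "AC200-%d" into a buffer, then
 * lstrcmpA against what the user typed. 'number' is the single value the
 * program pushes for %d; its derivation is not on this page. */
int key_matches(const char *entered, int number)
{
    char expected[0x70];                    /* size is an assumption; the real
                                               buffer lives at ebp-160        */
    snprintf(expected, sizeof expected, "AC200-%d", number);
    return strcmp(entered, expected) == 0;  /* lstrcmpA returns 0 on a match */
}

int main(void)
{
    /* 39014 is the number the tutorial ends up with for its own name/company. */
    printf("AC200-22446688 -> %d\n", key_matches("AC200-22446688", 39014));
    printf("AC200-39014    -> %d\n", key_matches("AC200-39014", 39014));
    printf("full-buffer calls for the serial: %d\n", full_path_count("AC200-39014"));
    return 0;
}
```

The point of modelling the sink is the 50h compare: it is a capacity check on the output buffer, not anything to do with the serial, so for an 11-byte string the "full" branch can never run. The only unknown in the whole check is the integer printed for %d, which is exactly why reading [ebp+10] inside 0047F470, or the buffer at ebp-160 after it returns, gives you the serial.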