Whooh.. am tired..:/

 Target app: Acoustica 2.0 (2.01a)
 Toolz: SI, (Wdasm)
 Level: 1, easy
 URL: prolly www.aconas.de 
      (or Lazarus' and +Sandman's board where I picked this up: members.boardhost.com/reversing2)

 Some info on target
 
 MMm... I really dunno what to do with this app.. but since I found out this app 
 was the target of the new newbie project (by Lazarus).. I thought I'd take 
 a look at it..
 NOTE! This tute will only show how to find your real serial, IT WONT
 explain how to crack all the Tasks that Laz has assigned on the forum!

 Lemme explain how I found the right code

 I started (thou i had first traced in SI..) by deadlisting incase I'd find some 
 useful info.. and I did! I started with the error message which you'll receive
 whenever you've entered a wrong serial (surprise..!)..
 
 * Referenced by a (U)nconditional or (C)onditional Jump at Address:
 |:00446F6B(C)

 -------------------CUT----------------------

 * Possible StringData Ref from Data Obj ->"Acoustica"
                                  |
 :00446FA6 68B6A04900              push 0049A0B6

 * Possible StringData Ref from Data Obj ->"The key does not match license "
                                        ->"owner."

 I traced back to the jump...(446F6B)..

 :00446F63 E80CFBFFFF              call 00446A74 <- Call to serial algo
 :00446F68 59                      pop ecx
 :00446F69 84C0                    test al, al <- Test serial
 :00446F6B 7432                    je 00446F9F <- Jump if it doesnt match
 :00446F6D 8B4F66                  mov ecx, dword ptr [edi+66] <- Passed check...
 :00446F70 8B01                    mov eax, dword ptr [ecx]
 :00446F72 6A00                    push 00000000

 * Possible StringData Ref from Data Obj ->"Acoustica"
                                  |
 :00446F74 6886A04900              push 0049A086

 * Possible StringData Ref from Data Obj ->"Your license is registered.  Thank "

 It seemed quite clear what to do in order to get the right serial.. trace the call before
 the testing .. but before I went back to SI I traced the call in Wdasm first.. and to my 
 surprise I found something useful.. (goto call and scroll down til u see this:)

 * Possible StringData Ref from Data Obj ->"AC200-%d" <- What's this?.. part of the serial?
                                  |
 :00446B85 68A39F4900              push 00499FA3
 :00446B8A 8D85A0FEFFFF            lea eax, dword ptr [ebp+FFFFFEA0]
 :00446B90 50                      push eax
 :00446B91 E8DA880300              call 0047F470 <- Trace into this (thou not necessary)
 :00446B96 83C40C                  add esp, 0000000C
 :00446B99 8D9510FFFFFF            lea edx, dword ptr [ebp+FFFFFF10]
 :00446B9F 52                      push edx
 :00446BA0 8D8DA0FEFFFF            lea ecx, dword ptr [ebp+FFFFFEA0]
 :00446BA6 51                      push ecx

 * Reference To: KERNEL32.lstrcmpA, Ord:0000h <-String compare..

 Hmm.. AC200-%d... what does it mean?.. Could it be that AC200- is the first part of the serial
 and %d is a checksum of some sort which'll get replaced by the correct last part...yeah..
 i think so.. ok.. now that we found this out (note: U could've traced and found this in SI too
 .. but I thought I'd show the "easier" way :)) we can now start the real serial hunt in SI!

 This is what I entered in Acoustica

 Name: C_DKnight
 Company: HellSoft
 Serial: AC200-22446688 <- Remember to put AC200-

 Set a breakpoint on GetDlgItemTextA .. and press OK
 SI breaks.. and since there are three boxes.. GetDlgItemTextA breaks thrice.. so press F5
 two times (2x) followed by F11 to get into the serial part! 

 To make this one little more easier we can use "G 446B85" to make a direct jump to the serial
 calculation.. (u can trace your way in there.. whatever u want)

 *Yawn*.. damn.. its 2 am.. im tired.. lets continue this the first thing in the morning.. ok?
 K.. g'nite.. *ZZZZzzzzzZZZZ*

 Whoa.. 9 hours good sleep .. and we're ready to rumble!...mmm.. so where were we?..oh yeah
 .. the serial part.. k let's check it out

 K.. if u did everything I said, u should now be at 446B85.. tracing into the call at 446B91 takes u here:

 :0047F470 55                      push ebp
 :0047F471 8BEC                    mov ebp, esp
 :0047F473 8B4508                  mov eax, dword ptr [ebp+08]
 :0047F476 8D4D08                  lea ecx, dword ptr [ebp+08]
 :0047F479 C60000                  mov byte ptr [eax], 00
 :0047F47C 8D4510                  lea eax, dword ptr [ebp+10] <- do "? ebp+10" here
 :0047F47F 50                      push eax
 :0047F480 8B550C                  mov edx, dword ptr [ebp+0C]
 :0047F483 52                      push edx
 :0047F484 51                      push ecx
 :0047F485 6848F44700              push 0047F448
 :0047F48A E8ED020000              call 0047F77C
 :0047F48F 83C410                  add esp, 00000010
 :0047F492 5D                      pop ebp
 :0047F493 C3                      ret

 If u wish to trace on to see where exactly this serial calc is done.. u should eventually 
 end up here ..

 :0047FFCA 8D85BCFAFFFF            lea eax, dword ptr [ebp+FFFFFABC]
 :0047FFD0 50                      push eax
 :0047FFD1 8B55E8                  mov edx, dword ptr [ebp-18]
 :0047FFD4 FF45E8                  inc [ebp-18]
 :0047FFD7 8A0A                    mov cl, byte ptr [edx]
 :0047FFD9 51                      push ecx
 :0047FFDA E841F7FFFF              call 0047F720 <- Trace here..(thou not necessary either..)
 :0047FFDF 83C408                  add esp, 00000008

 * Referenced by a (U)nconditional or (C)onditional Jump at Address:
 |:0047FFC8(U)
 |
 :0047FFE2 8B45C0                  mov eax, dword ptr [ebp-40]
 :0047FFE5 8345C0FF                add dword ptr [ebp-40], FFFFFFFF
 :0047FFE9 85C0                    test eax, eax <- All numbers done?
 :0047FFEB 75DD                    jne 0047FFCA <- Nope, loop until done

 Btw.. When u get to 47FFCA and if u'll do "d eax" and trace the whole calc thru.. u'll see
 the serial generated in the eax :)

 If u traced the call at 47FFDA u came here:

 :0047F720 55                      push ebp
 :0047F721 8BEC                    mov ebp, esp
 :0047F723 53                      push ebx
 :0047F724 8B5D0C                  mov ebx, dword ptr [ebp+0C]
 :0047F727 837B5050                cmp dword ptr [ebx+50], 00000050 <- The current number to do
 :0047F72B 7C07                    jl 0047F734 <- Always jumps..(?)
 :0047F72D 53                      push ebx
 :0047F72E E8BDFFFFFF              call 0047F6F0
 :0047F733 59                      pop ecx

 * Referenced by a (U)nconditional or (C)onditional Jump at Address:
 |:0047F72B(C)
 |
 :0047F734 8B4350                  mov eax, dword ptr [ebx+50]
 :0047F737 8A5508                  mov dl, byte ptr [ebp+08] <- Add the correct number
 :0047F73A 881403                  mov byte ptr [ebx+eax], dl
 :0047F73D FF4350                  inc [ebx+50]
 :0047F740 FF435C                  inc [ebx+5C]
 :0047F743 5B                      pop ebx
 :0047F744 5D                      pop ebp
 :0047F745 C3                      ret

 So.. its pretty clear (hopefully.. :)).. 
 47F727 is a comparison for the current number.. (the serial has 10 numbers excluding -)..
 so u should always see the hex value for the current number in the right upper corner of SI..
 0A (10) is the last value

 47F737 is the spot where the correct number for the current number is added 
 (the above thing).. if u  do "d ebp+8" u'll see the current number.. 
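
 Added example (not part of the original tute and not the app's own source): a C reading of the loop at 47FFCA and the routine at 47F720. It shows the compare at 47F727 as a buffer-full test on the fill level at [ebx+50], which is why the jl is taken for a string this short. Field and function names are made up, and the body of call 0047F6F0 is not shown above, so its flush behaviour is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUF_CAP 0x50  /* constant in "cmp dword ptr [ebx+50], 00000050" */

/* Offsets follow the listing; all names are hypothetical. */
typedef struct {
    char    buf[BUF_CAP]; /* +0x00: staging buffer, "mov [ebx+eax], dl" */
    int32_t used;         /* +0x50: bytes currently staged              */
    uint8_t unknown[8];   /* +0x54: not touched by the listed code      */
    int32_t total;        /* +0x5C: running count of emitted chars      */
    char   *dest;         /* assumption: flush target (not on the page) */
} out_ctx;

/* Stand-in for "call 0047F6F0" (assumed: copy staged bytes out, reset). */
static void flush_ctx(out_ctx *c) {
    memcpy(c->dest, c->buf, (size_t)c->used);
    c->dest += c->used;
    c->used = 0;
}

/* 0047F720: arguments are (character, context). */
static void emit_char(char ch, out_ctx *c) {
    if (c->used >= BUF_CAP)  /* cmp [ebx+50],50 / jl skips the flush */
        flush_ctx(c);
    c->buf[c->used] = ch;    /* mov dl,[ebp+08] / mov [ebx+eax],dl   */
    c->used++;               /* inc [ebx+50] */
    c->total++;              /* inc [ebx+5C] */
}

/* 0047FFCA..0047FFEB: counter at [ebp-40], source pointer at [ebp-18]. */
static void emit_run(const char *src, int n, out_ctx *c) {
    while (n-- != 0)         /* mov eax,[ebp-40] / add -1 / test / jne */
        emit_char(*src++, c);
}

/* Constructed check: push n filler bytes (n <= 256) and return how
   many of them a flush has already moved to the destination. */
static int flushed_after(int n) {
    static char src[256], out[256];
    out_ctx c = {0};
    c.dest = out;
    memset(src, 'x', sizeof src);
    emit_run(src, n, &c);
    return (int)(c.dest - out);
}
```

 With fewer than 50h characters staged the flush path is never entered, which matches the "Always jumps" note beside 47F72B.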

 
 Weeh.. this looks like one helluva mess .. hope ya could/can figure something out.. I know
 my knowledge of assembly isnt as good as it should be :).. but hopefully I got those things
 right.. but if I didnt.. I know someone will ;)

 But anyways.. this one was an excellent program to practice cracking on.. I know I learnt a lot
 from this one.. I express my gratitude to Lazarus!! Excellent Choice! But incase Laz didnt
 pick this program but someone else did... I wanna greet him too!! :)
 Ok.. that was enuff blah blah.. this is what I finally got

 Name: C_DKnight
 Company: HellSoft
 Serial: AC200-39014

 If u wanna practice doing this.. u can wipe out the reg info (in the registry of course)
 at My Computer\HKEY_USERS\.DEFAULT\Software\Acon AS\Acoustica\2.0\RegisterInfo
 (thats the place where my registration was..shouldnt differ on your comp)

 -C_DKnight <- c_dknight@iobox.com or see me at #cracking4newbies, #cdrinfo

 Greetz: All c00l fellaz at #cracking4newbies and #cdrinfo .. especially these dudes:
 AB4DS, r!sc, Dead-Mike, RevX (u know.. pokémon is a weird game on gameboy color..),
 E_Bliss, Sinn0r, Hades', cTT!!!!!!, Acid Burn and Lazarus of course.. Plus all I
 forgot..(sorry.. :)) plus Tailz, Mathras, F0ley, LM555, MR-B etc. ;)