--Softice Tutorial---
Date written: 12.4.2001

Program Details:
Name: cracking4newbiews CrackMe2 by analyst
Author: Bengaly
Tools Used: Softice
________________________________________________________________________

-About this protection system-
Easy protection, based on a serial number and code.
__________________________________________________________________________

The Essay

As this is a tutorial for newbies, I'll go into details about how I go about cracking the program. I suggest that you read this tutorial first. When you have completed the tutorial, leave this tutorial open and follow the instructions. Re-do it once more after you have completed the step by step guide...

In this essay, when I write type "d EAX" or similar commands in Softice, I mean it without the quotes.
__________________________________________________________________________

Lets Crack The Bitch ;)

OK, that's easy.
* After looking in W32Dasm (disassemble first, I am sure it's easy), we can actually see everything.

OK, let's crack then. Open the CrackMe, you see two text fields. I entered this:
  name:   Shani
  serial: 123456   <= very easy to remember ;)

Open your fav black debugger SoftIce ;) and set a nice breakpoint:
  BPX GETWINDOWTEXTA   (you can use hmemcpy as well)
Press F5/Ctrl+D, press CHECK THE SERIAL... BOOOMMM, SoftIce popped up ;) We are in GETDLGITEMTEXTA hehe ;)
Press F12 (get out from the fucking DLL ;)). We will see this:

  blah blah blah......
  !GETWINDOWTEXTA:
  xxx:yyy PUSH 68    <= we land here
  xxx:yyy PUSH EBX

- Remember that I told you to look in W32Dasm? Why, you ask? Because it will make the crack even easier to crack. How?
1. Disassemble.
2. Click the StrREF button.
3. Choose the "Congratulations! ... you cracked....." string.

We land here:

  * Possible StringData Ref from Data Obj ->"Congratulations! IF this number "   <= you will land here
                                         ->"comes *FROM YOUR* keygen, Write "
                                         ->"a tutorial dude ;)."
  |
  :00401211 6854B44000   push 0040B454
  :00401216 FF75FC       push [ebp-04]

  * Reference To: USER32.SetWindowTextA, Ord:0000h
  |
  :00401219 E82C9B0000   Call 0040AD4A
  :0040121E EB1C         jmp 0040123C

So what next?
4. Scroll up to find where the call/jmp/cmp/push is that checks our serial.
5. It is here:

  * Possible StringData Ref from Data Obj ->"%lX%lu-%lu%lX-%lu%lu-%lX%lX"
    <= that's the serial structure; the serial must have dashes ("-"), i.e. xxxx-xxxx-xxxx
  |
  :004011E6 6838B44000   push 0040B438
  :004011EB 8D857CFEFFFF lea eax, dword ptr [ebp+FFFFFE7C]
  :004011F1 50           push eax                           ; name
  :004011F2 E88D3D0000   call 00404F84                      ; serial algorithm
  :004011F7 83C428       add esp, 00000028
  :004011FA 8D957CFEFFFF lea edx, dword ptr [ebp+FFFFFE7C]
  :00401200 52           push edx                           ; <= contains the right serial (d edx)
  :00401201 8D8DE0FEFFFF lea ecx, dword ptr [ebp+FFFFFEE0]
  :00401207 51           push ecx

* Sometimes you will have to trace (F10) a lot until you reach the correct address (:00401146).
* I have noticed that in the c4n1/c4n2 crackmes there is a lot of looping, so don't be afraid to trace over them a couple of times ;) until you reach the destination. Another way to get to the address is by setting a BPX 00401146 (hopefully it will take you there; if not, try a lower but nearby address and just F10 until you reach :00401146).

:00401146 contains our right serial. How did I know? Well, if you do "d eax" in SoftIce then we will see:
  "1E29A126643-1064F574-4773367706616437-A12EE050"
heh weeee

6. Enter the correct data and the CrackMe is cracked.

* Although the program is exactly as in tut5, this is a good idea of how to find data/calls/jmps in W32Dasm and use it in SoftIce.
__________________________________________________________________________

Final Notes

This tutorial is dedicated to all the newbies like me. I've tried to explain everything in details. This is my first tut so...;) And because I'm a newbie myself, I may have explained certain things wrongly. So, if that is the case, please forgive me.
Email me if there is anything you are not clear about.

My thanks and gratitude goes to:
---ANALYST(ACiD-BUrN)---
----CODE_INSIDE-----
-----BLAcKgH0sT------   for being good friends :)
-------FusS------
All the writers of cracking tutorials and CrackMes
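The reason the trick at :00401200 works is the design of the check itself: the program formats the correct serial into a stack buffer (the "%lX%lu-%lu%lX-%lu%lu-%lX%lX" pattern seen in W32Dasm) and only then compares it with what was typed, so whoever stops at the compare can read the answer with "d edx". The C program below is an added example, not the CrackMe's code or anything from this tutorial: the name-to-number derivation (derive_parts), the FNV-1a tag scheme and the TAG constant are all constructed for illustration. It puts the weak pattern (check_weak) next to a variant (check_hashed) that never materializes the right serial, so the same breakpoint shows only a hash and a constant.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy, not the CrackMe's code. Only the printf pattern is the one
 * W32Dasm showed; the name-to-parts derivation below is hypothetical. */
#define SERIAL_FMT "%lX%lu-%lu%lX-%lu%lu-%lX%lX"

/* Hypothetical derivation of the eight numbers the format string consumes. */
static void derive_parts(const char *name, unsigned long parts[8])
{
    unsigned long h = 5381;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        h = h * 33u + *p;
    for (int i = 0; i < 8; i++)
        parts[i] = ((h >> (3 * i)) ^ (h * (unsigned long)(i + 1))) & 0xFFFFu;
}

/* The pattern at :004011F2 / :00401200: the correct serial is formatted into a
 * buffer and then compared with the user's input. Whatever sits in that buffer
 * at the compare is what "d edx" displays. expected_out stands in for that
 * buffer so the caller can see the leak. */
int check_weak(const char *name, const char *serial,
               char *expected_out, size_t out_len)
{
    unsigned long p[8];
    derive_parts(name, p);
    snprintf(expected_out, out_len, SERIAL_FMT,
             p[0], p[1], p[2], p[3], p[4], p[5], p[6], p[7]);
    return strcmp(expected_out, serial) == 0;
}

/* Demonstrates the leak: feed a guess, read the buffer the check built, and
 * that buffer is accepted as the right serial. Returns 1 when it is. */
int weak_check_leaks_serial(const char *name)
{
    char leaked[128], scratch[128];
    if (check_weak(name, "123456", leaked, sizeof leaked))
        return 0;   /* a guess without dashes can never be the real serial */
    return check_weak(name, leaked, scratch, sizeof scratch);
}

/* FNV-1a over a string, continuing from hash state h. */
static uint32_t fnv1a(const char *s, uint32_t h)
{
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        h ^= *p;
        h *= 16777619u;
    }
    return h;
}

/* Hardened variant (constructed): a serial is valid when fnv1a(name ":" serial)
 * ends in a fixed 16-bit tag. The check never formats the right serial, so a
 * breakpoint at the compare sees only a hash and a constant. It is still
 * brute-forceable once the constant is known, which is why shipping software
 * uses signatures instead; the point here is only that nothing in memory is
 * the answer. */
#define TAG 0x5A5Au

int check_hashed(const char *name, const char *serial)
{
    uint32_t h = fnv1a(name, 2166136261u);   /* FNV-1a offset basis */
    h = fnv1a(":", h);
    h = fnv1a(serial, h);
    return (h & 0xFFFFu) == TAG;
}

/* Vendor-side generation for the hardened variant: search for a serial that
 * carries the tag. Returns 1 and fills out on success. */
int generate_hashed(const char *name, char *out, size_t out_len)
{
    for (unsigned long n = 0; n < 0x1000000ul; n++) {
        snprintf(out, out_len, "%04lX-%04lX", n >> 16, n & 0xFFFFul);
        if (check_hashed(name, out))
            return 1;
    }
    return 0;
}

/* Generate a serial for name and confirm the checker accepts it. */
int hashed_roundtrip(const char *name)
{
    char serial[64];
    if (!generate_hashed(name, serial, sizeof serial))
        return 0;
    return check_hashed(name, serial);
}

int main(void)
{
    char serial[64];
    printf("weak check leaks the right serial: %s\n",
           weak_check_leaks_serial("Shani") ? "yes" : "no");
    if (generate_hashed("Shani", serial, sizeof serial))
        printf("hashed scheme: Shani -> %s (valid=%d)\n",
               serial, check_hashed("Shani", serial));
    return 0;
}
```

Compile with any C99 compiler (e.g. cc -std=c99 -Wall serial.c). In check_weak the buffer passed as expected_out is the equivalent of [ebp+FFFFFE7C] in the listing above; in check_hashed there is no such buffer to dump, only a 32-bit hash and TAG, so the "d edx" step from this tutorial has nothing to read.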