Dec 1998
"Magenta's VB Crackme #3"
 'How to crack a VB program (prt 2)'
Win '95 PROGRAM
Win Code Reversing
 
 
by The Sandman 
 
 
Code Reversing For Beginners 
 
 
 
Program Details
Program Name: Crackme3.zip
Program Type: A VB Crackme
Program Location: Here 
Program Size: 6K
 
      
Tools Used:
 Softice V3.24 - Win'95 Debugger
W32Dasm V8.93 - Disassembler
 
Rating
Easy ( X )  Medium ( )  Hard ( )
There is a crack, a crack in everything. That's how the light gets in.
 
     
 
Magenta's VB Crackme #3
'How to crack a VB program (prt 2)'
Written by The Sandman
 
 
Introduction
 
Before you can begin, make sure you have the following .DLL file in your C:\WINDOWS\SYSTEM directory:
 
MSVBVM50.DLL   - Email me if you don't have this file.
 
You must also make sure you have the following line in your Winice.Dat file:
 
EXP=C:\windows\system\msvbvm50.dll
 
If you don't have either, you will not be able to run the Crackme or follow this essay.

 
About this protection system
 
Magenta's Crackme 3 is based loosely on the many protection systems that require you to enter a valid serial number to activate a disabled button, which in turn lets you proceed further into the program itself.

This Crackme required, in my case, entering an 18-digit number based on my handle, The Sandman:

292198277317318317
 
The Essay 
 
Magenta says: "This crackme differs from those I have written so far in that you have to enter the valid serial, or the button won't be activated. I have written this crackme to show this sort of protection. I wanted to crack WebWhacker some time ago.
 
This tool uses such a protection. At first I didn't know where to start, but after some time of thinking I found the way. So I have written this crackme for everybody who wants to try his skills on such a protection. I don't think it should be too hard to crack this babe, because there are only a few differences to crackme#2."
 

Right, let's get down to the task at hand.

If you run this program you will be greeted with a simple dialogue box asking you to enter a User Name and Serial. I typed:

User Name: The Sandman
Serial: 777777

At this point I fired up Softice by pressing Ctrl and D together.

Because this Crackme acts on each and every keystroke you type into the serial box, one of the best system functions to use for a Softice breakpoint is our favourite, Hmemcpy.
 

Type: bpx hmemcpy then x to return to our Crackme.
 
Even though the 'OK' button is disabled, we can still make Softice break on Hmemcpy simply by adding another '7' to our *fake* serial number.
 
Softice breaks at the start of the Hmemcpy routine.

We're now deep within the operating system. Type: bd 00 to disable our original Hmemcpy breakpoint; this stops Softice acting on it while we step through the rest of the Crackme's code.

Now press:

F11 once
F12 sixteen times (Softice should now be resting on a RET instruction)
F10 once

You should now be in the Crackme's code at the memory location shown below. At this point I tend to F10 through the code, checking what data gets passed to certain registers and where it is stored for later retrieval. At this stage of the crack I'm not looking for anything in particular, other than making some quick notes as I execute each instruction.

:00402489 3BC3             cmp eax, ebx ; We Land here
:0040248B 7D18             jge 004024A5
:0040248D 8B95E4FEFFFF     mov edx, dword ptr [ebp+FFFFFEE4]
:00402493 68A0000000       push 000000A0
:00402498 68401E4000       push 00401E40
:0040249D 52               push edx
:0040249E 50               push eax
.....
.....
<...Snip  Snip....> 
.....
.....
:00402520 51               push ecx
:00402521 50               push eax
:00402522 FF155C414000     Call MSVBVM50.__vbaHresultCheckObj
:00402528 8B8548FFFFFF     mov eax, dword ptr [ebp+FFFFFF48] ;EAX=location of *fake* serial
:0040252E 8D9530FFFFFF     lea edx, dword ptr [ebp+FFFFFF30]

At this point I typed: d eax to show in Softice's Hex/ASCII window what the EAX register pointed to, and saw my *fake* serial in wide-character format: 7.7.7.7.7.7.7

Nothing new here; we know this crackme must handle our fake serial somewhere in memory, but what I also saw was this:

XXXXXXXXXXXXXXXXXXXXX 7.7.7.7.7.7.7...    <---*Fake Serial*
XXXXXXXXXXXXXXXXXXXXX [.G.D.]...A.4...
XXXXXXXXXXXXXXXXXXXXX $...2.9.2.1.9.8.    <---*Real Serial*
XXXXXXXXXXXXXXXXXXXXX 2.7.7.3.1.7.3.1.    <---*Real Serial*
XXXXXXXXXXXXXXXXXXXXX 8.3.1.7.........    <---*Real Serial*

Could those 'extra' numbers be a serial?

One way to find out was to try them and see. Sure enough, as I typed in the last number the 'OK' button became enabled!

BINGO! As Jeff would say, I had busted this crackme *grin*. The serial for 'The Sandman' is: 292198277317318317
 

Job Done.
 
The Crack
     
None is required nor needed. 
 
Final Notes 
    
This crackme was surprisingly easy to handle. Using Hmemcpy on programs that use this method will normally take you directly into the sub-routine where the program checks each letter you type against the valid serial number it has already generated for your User Name. Of course, some programs won't have a complete valid serial number for you to 'see', since they 'create' each letter/number on the fly as you type; this makes our job much harder, because we would then only have one letter/number to work on each time the routine was called.
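The weakness this essay turns on is a design one: the program builds the complete valid serial as a VB string and keeps it in memory right beside the text you typed, so a single memory dump shows both. The following Python is an added example, not Magenta's crackme code and not The Sandman's tooling. It simulates that heap layout to show why the Softice window rendered the serial as 7.7.7.7.7.7.7 (VB strings are UTF-16LE BSTRs), scans the simulated region for wide-character digit runs the way a developer would check their own verifier, and contrasts the essay-style check with one that holds only a digest of the valid serial. The serial derivation algorithm is not modelled (the essay does not describe it); the sample heap padding and the digest-based verifier are constructed assumptions. The two serial values are the ones given in the essay.

```python
import hashlib
import hmac
import re

# Constructed sample values taken from the essay: the typed *fake* serial
# (777777 plus the extra '7') and the valid serial reported for "The Sandman".
FAKE_SERIAL = "7777777"
VALID_SERIAL = "292198277317318317"
PAD = b"\x00" * 4  # hypothetical filler between the two heap allocations


def to_bstr(text: str) -> bytes:
    """VB6 keeps strings as BSTRs, i.e. UTF-16LE code units. Every ASCII
    digit is therefore followed by a 0x00 byte, which Softice renders as '.'."""
    return text.encode("utf-16-le")


def ascii_column(buf: bytes) -> str:
    """Render bytes the way a debugger's Hex/ASCII window does: printable
    ASCII as itself, anything else as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in buf)


def find_wide_digit_runs(buf: bytes, min_len: int = 6) -> list[str]:
    """Return every run of at least min_len UTF-16LE digits found in buf.

    This is the check a developer can run over a memory snapshot of their own
    verifier: if the valid serial comes back, it is sitting there in cleartext.
    """
    pattern = rb"(?:[0-9]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, buf)]


def weak_verify(typed: str, valid: str) -> tuple[bool, bytes]:
    """Essay-style check: the full valid serial is materialised as a BSTR and
    held beside the input while it is compared. Returns (accepted, simulated
    heap region)."""
    heap = to_bstr(typed) + PAD + to_bstr(valid)
    return typed == valid, heap


def serial_digest(valid: str) -> bytes:
    """Digest the vendor computes once, offline, and embeds in the program
    instead of anything from which the serial can be read directly."""
    return hashlib.sha256(to_bstr(valid)).digest()


def digest_verify(typed: str, expected_digest: bytes) -> tuple[bool, bytes]:
    """Hardened check: only the digest is present in memory, so no cleartext
    copy of the valid serial exists to be dumped. Comparison is constant-time."""
    heap = to_bstr(typed) + PAD + expected_digest
    actual = hashlib.sha256(to_bstr(typed)).digest()
    return hmac.compare_digest(actual, expected_digest), heap


if __name__ == "__main__":
    ok, heap = weak_verify(FAKE_SERIAL, VALID_SERIAL)
    print("weak   accepted :", ok)
    print("weak   ascii    :", ascii_column(heap))
    print("weak   leaks    :", find_wide_digit_runs(heap))

    digest = serial_digest(VALID_SERIAL)
    ok, heap = digest_verify(FAKE_SERIAL, digest)
    print("digest accepted :", ok)
    print("digest leaks    :", find_wide_digit_runs(heap))
    ok, _ = digest_verify(VALID_SERIAL, digest)
    print("digest accepts the real serial:", ok)
```

Running it shows the weak layout leaking both the typed input and the valid serial as readable wide-character runs, while the digest layout leaks only what the user typed. The digest variant removes the specific leak used in this essay; it does not change the fact that the decision is still taken on the client, which is the same limitation the on-the-fly per-character schemes mentioned above have.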
 

My thanks and gratitude go to:
 
Fravia+ for providing possibly the greatest source of Reverse Engineering knowledge on the Web.
 
+ORC for showing me the light at the end of the tunnel.
 
Ob Duh 
 
Do I really have to remind you all that buying, and NOT stealing, the software you use will ensure that these software houses are encouraged to produce even *better* software for us to use and enjoy?

Ripping off software through serials and cracks is for lamers.
 
If you're looking for cracks or serial numbers on these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.
 


 
 
 

Essay by:          The Sandman
Page Created: 06th December 1998