Brad Soblesky's Crack Me 2
--------------------------
Tools Used: Softice
---
Protection: Name/serial prot
---
Ok, start the crackme, enter a name and a junk serial, set a breakpoint on hmemcpy and press the Ok button now proceed until you come here:

; Length check: the name must be at least 5 characters, otherwise a message box
; is shown and the handler bails out to 004017B7.
:0040156A 8D4DEC         LEA ECX,[EBP-14]
:0040156D E8DE020000     CALL 00401850                    ; eax = len of name (ECX = &name buffer at ebp-14)
:00401572 8945E4         MOV [EBP-1C],EAX                 ; ebp-1c = eax (name length, reused by the loop below)
:00401575 837DE405       CMP DWORD PTR [EBP-1C],05        ; check if name < 5
:00401579 7D43           JGE 004015BE                     ; jump if greater or equal (length ok -> serial routine)
:0040157B 6A40           PUSH 40                          ; 40h = MB_ICONINFORMATION, presumably a MessageBox-style flag
:0040157D 6820404000     PUSH 00404020                    ; push the label of the msg box
:00401582 6828404000     PUSH 00404028                    ; and the 'at least 5 chars' text
:00401587 8B8D40FEFFFF   MOV ECX,[EBP-01C0]
:0040158D E8F2070000     CALL 00401D84                    ; print it out
:00401592 C645FC01       MOV BYTE PTR [EBP-04],01         ; [EBP-04] steps 01 -> 00 -> FFFFFFFF around three calls to 00401D60;
:00401596 8D4DDC         LEA ECX,[EBP-24]                 ; looks like per-object cleanup of the three buffers at ebp-24/-18/-14 (unconfirmed)
:00401599 E8C2070000     CALL 00401D60
:0040159E C645FC00       MOV BYTE PTR [EBP-04],00
:004015A2 8D4DE8         LEA ECX,[EBP-18]
:004015A5 E8B6070000     CALL 00401D60
:004015AA C745FCFFFFFFFF MOV DWORD PTR [EBP-04],FFFFFFFF
:004015B1 8D4DEC         LEA ECX,[EBP-14]
:004015B4 E8A7070000     CALL 00401D60
:004015B9 E9F9010000     JMP 004017B7                     ; leave the handler without checking the serial

; Serial routine (004015BE-00401618). With h = [EBP-10] (the author notes it
; starts as 81276345h), i = [EBP-20] and len = [EBP-1C], each iteration does:
;   h += (signed char)name[i]     ; MOVSX sign-extends AL, see 004015E4
;   h ^= i << 8
;   h *= (i + 1) * ~(len * i)     ; 32-bit wraparound arithmetic
; for i = 0 .. len-1. The value left in EAX at 0040161A is the expected serial.
:004015BE C745E000000000 MOV DWORD PTR [EBP-20],00000000  ; ebp-20 = 0 (loop counter i)
:004015C5 EB09           JMP 004015D0                     ; first iteration skips the increment
:004015C7 8B55E0         MOV EDX,[EBP-20]                 ; edx = ebp-20 (counter)
:004015CA 83C201         ADD EDX,01                       ; edx = edx + 1
:004015CD 8955E0         MOV [EBP-20],EDX                 ; counter = edx
:004015D0 8B45E0         MOV EAX,[EBP-20]                 ; eax = counter
:004015D3 3B45E4         CMP EAX,[EBP-1C]                 ; is eax < len of name
:004015D6 7D42           JGE 0040161A                     ; jump if greater or equal (loop finished)
:004015D8 8B4DE0         MOV ECX,[EBP-20]                 ; ecx = counter
:004015DB 51             PUSH ECX
:004015DC 8D4DEC         LEA ECX,[EBP-14]
:004015DF E81C030000     CALL 00401900                    ; presumably returns name[counter] in AL (inferred from the MOVSX below)
:004015E4 0FBED0         MOVSX EDX,AL                     ; edx = char[counter], SIGN-extended: bytes >= 80h enter as negative values
:004015E7 8B45F0         MOV EAX,[EBP-10]                 ; eax = ebp-10 (which from the beginning is 81276345h)
:004015EA 03C2           ADD EAX,EDX                      ; eax = eax + edx
:004015EC 8945F0         MOV [EBP-10],EAX                 ; ebp-10 = eax
:004015EF 8B4DE0         MOV ECX,[EBP-20]                 ; ecx = counter
:004015F2 C1E108         SHL ECX,08                       ; ecx = ecx shl 8
:004015F5 8B55F0         MOV EDX,[EBP-10]                 ; edx = ebp-10
:004015F8 33D1           XOR EDX,ECX                      ; edx = edx xor ecx
:004015FA 8955F0         MOV [EBP-10],EDX                 ; ebp-10 = edx
:004015FD 8B45E0         MOV EAX,[EBP-20]                 ; eax = counter
:00401600 83C001         ADD EAX,01                       ; eax = eax + 1
:00401603 8B4DE4         MOV ECX,[EBP-1C]                 ; ecx = length of name
:00401606 0FAF4DE0       IMUL ECX,[EBP-20]                ; ecx = ecx * counter
:0040160A F7D1           NOT ECX                          ; not ecx
:0040160C 0FAFC1         IMUL EAX,ECX                     ; eax = eax * ecx  ((i+1) * ~(len*i))
:0040160F 8B55F0         MOV EDX,[EBP-10]                 ; edx = ebp-10
:00401612 0FAFD0         IMUL EDX,EAX                     ; edx = edx * eax
:00401615 8955F0         MOV [EBP-10],EDX                 ; ebp-10 = edx
:00401618 EBAD           JMP 004016C7                     ; jump to beginning of routine. NOTE: EB AD is a short backward jump,
                                                          ; i.e. to 004015C7 (the counter increment); "004016C7" looks like a transcription typo
:0040161A 8B45F0         MOV EAX,[EBP-10]                 ; eax = the REAL serial
:0040161D 50             PUSH EAX
:0040161E 6854404000     PUSH 00404054
:00401623 8D4DDC         LEA ECX,[EBP-24]
:00401626 51             PUSH ECX
:00401627 E852070000     CALL 00401D7E                    ; 3 args with cdecl cleanup (ADD ESP,0C) - presumably formats the
:0040162C 83C40C         ADD ESP,0C                       ; computed serial as text into the buffer at ebp-24 (unconfirmed)
:0040162F 8D4DDC         LEA ECX,[EBP-24]
:00401632 E879020000     CALL 004018B0
:00401637 50             PUSH EAX
:00401638 8D4DE8         LEA ECX,[EBP-18]                 ; ebp-18 = the serial the user typed
:0040163B E880020000     CALL 004018C0
:00401640 85C0           TEST EAX,EAX                     ; test if the entered serial = the real serial
:00401642 0F85FF000000   JNZ 00401747                     ; mismatch -> bad-serial path

so the routine starts at 4015BE and is pretty simple.. here follows a sample c source for a keygen

//Keygen source by Klefz
int main(){
    unsigned char name[500]={0};
    int i,len=0;
    unsigned long ebp10=0x81276345,ecx,counter=0,length=0;
tryagain:
    length=0;
    clrscr();
    printf("Brad Soblesky's Crack Me2 Keygen by Klefz\n");
    printf("Enter your name: ");
    /* NOTE(review): gets() has no length bound, so a name longer than 499
       bytes overruns name[]; fgets(name, sizeof name, stdin) bounds the read.
       Also, the target sign-extends each byte (MOVSX), while name[] is
       unsigned char - results for bytes >= 0x80 may differ; verify. */
    gets(name);
    /* work out length (tnx prophecy ;) */
    while (name[length] != '\0'){
        length++;
    }
    if(length==0){
        printf("\nYou must enter a name!");
        getch();
        goto tryagain;
    }
    if(length<5){
        printf("\nYour name must contain at least 5 chars!");
        getch();
        goto tryagain;
    }
    for(i=0;i