Hiya! First I want to thank all those good guys who are writing Crackme's and tests so that we can learn and improve our knowledge. Greetings this time especially to FireWorx who coded the target we're dealing with now and to Eternal Bliss for doing a great work with his CrackMe(s)-site. This time FireWorx just asks us to enter a valid password. If we're dealing with this kind of protection scheme it's quite likely that our entered password is compared with a hardcoded password - but the real code could also be calculated from the name/handle we entered or other variations. So let's check what we have here... Again we will use Numega's powerful SoftICE. Start Crackme3 then press the 'register'-button and type in your favorite name/handle. 'Ctrl-D' to go to SoftICE and set a breakpoint on hmemcpy ('bpx hmemcpy'). F5 to go back to the Crackme and press the OK-button. SoftICE pops up; disable the breakpoint ('bd0') and press F11 ('go to') once and then F12 ('Return from the procedure call') until we reach the Crackme3-code (watch the line between the Code window and the Command window). You can go on by pressing F10 ('step over') or - faster - by using some more F12's to pass some obvious ret's until we land... --- :004454B2 E849E3FDFF call 00423800 :004454B7 8B45F8 mov eax, dword ptr [ebp-08] ;...here :004454BA 8D55FC lea edx, dword ptr [ebp-04] :004454BD E84220FCFF call 00407504 :004454C2 8B45FC mov eax, dword ptr [ebp-04] :004454C5 8B9398000000 mov edx, dword ptr [ebx+00000098] :004454CB E874E6FBFF call 00403B44 :004454D0 752E jne 00445500 --- This is all we need. The password we have entered is copied to eax (004454B7). After the call at 004454BD our (maybe) 'uppercased' password is copied to eax (means that if your original password was eg 'walker72' it will be 'WALKER72' now). And here it is...the hardcoded real password is copied to edx at location 004454C5. The 'comparison-call' follows which checks if the password we entered is the same as the real one. It is not? Oh sorry then jump away bad guy...it is the same? Then set Zero flag and don't jump my good friend. Finished. Here's some additional info: Of course you can easily step over the call at 004454BD with F10 without getting a guilty conscience:); here's just a short description what's happening inside: --- :0040751F 8B37 mov esi, dword ptr [edi] :00407521 85DB test ebx, ebx ;nothing entered? :00407523 7415 je 0040753A ;..then jump away :00407525 8A02 mov al, byte ptr [edx] ;otherwise go on :00407527 3C61 cmp al, 61 ;with check and :00407529 7206 jb 00407531 ;uppercase :0040752B 3C7A cmp al, 7A ;routine :0040752D 7702 ja 00407531 ;.... :0040752F 2C20 sub al, 20 ;.... :00407531 8806 mov byte ptr [esi], al ;...save... :00407533 42 inc edx :00407534 46 inc esi :00407535 4B dec ebx ;length-1 :00407536 85DB test ebx, ebx ;end of password? :00407538 75EB jne 00407525 --- At 00407521 the ebx-register contains the length of our name; 'test ebx, ebx' means check if we have entered something? If not then jump away (00407523). Otherwise copy the first char of our password to al (00407525) and check if it is a char from 'a' (61h) to 'z' (7Ah) - look at your ASCII-table for this or just type in '? 61' and '? 71' in SoftICE. So if it is between 'a' and 'z' then sub 20h from the hex-value of our char which means uppercase our char (eg turn 't' into 'T'); save result for later use afterwards (00407531). If it's not between 'a' and 'z' go directly to 00407531. The ebx-register is used as a counter here (we know it holds the length of the password we entered). So this routine will loop until we reach the end of our password (ebx is zero). Done! This was not too hard eh? Greetings to CrackZ for being so helpful all the time. Good luck! cheers tnwo_