*[What] : CrackMe 9
*[ID] : 6
*[Type] : Name-Company-Serial
*[Coder] : tC...
*[Downloaded from] : http://crackmes.cjb.net
*[Official site] : http://crackmez.cjb.net

By Sanhedrin

Tools
WDASM
Softice

--Decompile--

Once you decompile this crackme, you notice two references:

* Possible StringData Ref from Code Obj ->"-159357-"
and
* Possible StringData Ref from Code Obj ->"-ID-"

Probably part of our registration code. Let's keep those at the back of our minds for now.

Enter your name, company and serial number:

Sanhedrin
Dalfor
12344321

then start up Softice:

BPX HMEMCPY

Press Register (validate) in the crackme and, once you have broken into Softice, disable the breakpoint. Press F12 several times until you get to:

:00442BC0 E87B06FEFF call 00423240
:00442BC5 8B45F4 mov eax, dword ptr [ebp-0C]<----you will land here
:00442BC8 E8670EFCFF call 00403A34
:00442BCD 83F805 cmp eax, 00000005<----compare user name length to 5 characters
:00442BD0 0F8C85020000 jl 00442E5B<----jump if less than 5
:00442BD6 8D55F4 lea edx, dword ptr [ebp-0C]
:00442BD9 8B87E0020000 mov eax, dword ptr [edi+000002E0]
:00442BDF E85C06FEFF call 00423240
:00442BE4 8B45F4 mov eax, dword ptr [ebp-0C]
:00442BE7 E8480EFCFF call 00403A34
:00442BEC 83F805 cmp eax, 00000005<----compare company name length to 5 characters
:00442BEF 0F8C66020000 jl 00442E5B<----jump if less than 5

Notice that your user name and company must each be at least 5 characters.

--Death by converted code--

To make a long story short, this crackme converts your user name and company many times. This is why it is important to disable all breakpoints prior to continuing (otherwise HMEMCPY fires on every conversion).

Press F10, and watch the code convert before your eyes, until you end up at:

:00442DC4 0502010000 add eax, 00000102
:00442DC9 8D55E8 lea edx, dword ptr [ebp-18]
:00442DCC E86748FCFF call 00407638
:00442DD1 FF75E8 push [ebp-18]
:00442DD4 B844594400 mov eax, 00445944
:00442DD9 BA05000000 mov edx, 00000005
:00442DDE E8110DFCFF call 00403AF4
:00442DE3 E880FDFFFF call 00442B68<----STOP here
:00442DE8 833D3858440001 cmp dword ptr [00445838], 00000001
:00442DEF 7543 jne 00442E34

At 00442DE3, press F8 to step into the call and you will end up at:

* Referenced by a CALL at Address:
|:00442DE3
|
:00442B68 A144594400 mov eax, dword ptr [00445944]<----move the real code to eax
:00442B6D 8B1534584400 mov edx, dword ptr [00445834]<----move the entered code to edx
:00442B73 E8CC0FFCFF call 00403B44<----STOP here
:00442B78 7406 je 00442B80<----jump if they are the same
:00442B7A E8A9FFFFFF call 00442B28
:00442B7F C3 ret

At 00442B73 press:

D EDX <----entered code (12344321)
D EAX <----real code (5850-159357-76050-ID-312)

--Conclusion--

I have seen this type of protection many times in actual programs. The programmer codes the protection in such a way that he/she hopes to frustrate the cracker. Just keep following the code and eventually you should end up at the final compare sequence.

Thanks to all of those coders that make these crackmes, and of course to Eternal Bliss.

Sanhedrin
stachi@geocities.com
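The shape of the check recovered above, written out as an added Python model (not the crackme's own code) to show why this design gives so little protection: the program builds the complete expected serial from the name and company, parks it in memory, and then string-compares it against the user's input, so at the compare both operands are readable. The conversion routines are not known from the walkthrough, so `transform` is an assumed placeholder and the model is not a key generator for this crackme; only the length checks, the two string constants and the final compare follow the disassembly.

```python
from typing import Optional, Tuple

MIN_LEN = 5          # cmp eax, 00000005 / jl 00442E5B, for name and company
TAG_A = "-159357-"   # string reference seen in the disassembly
TAG_B = "-ID-"       # string reference seen in the disassembly


def transform(text: str, rounds: int) -> int:
    """PLACEHOLDER for the crackme's repeated conversion of a string.

    The real routine is unknown; this folds character codes into a
    number of roughly the right shape so the model can be exercised."""
    value = 0
    for ch in text:
        value = (value * 31 + ord(ch)) % 100000
    for _ in range(rounds):
        value = (value * 7 + 0x102) % 100000   # 0x102: 'add eax, 00000102' is visible
    return value


def expected_serial(name: str, company: str) -> str:
    """Models the value sitting at [00445944] just before the compare."""
    return (f"{transform(name, 1)}{TAG_A}{transform(company, 2)}"
            f"{TAG_B}{transform(name + company, 3) % 1000}")


def check(name: str, company: str, entered: str) -> Tuple[bool, Optional[str]]:
    """Returns (accepted, expected). `expected` is None when the length
    checks reject the input, mirroring the early jumps to 00442E5B."""
    if len(name) < MIN_LEN or len(company) < MIN_LEN:
        return False, None
    real = expected_serial(name, company)
    # The compare at 00442B73: both operands are fully formed strings in
    # memory, which is why 'D EAX' and 'D EDX' show them side by side.
    return entered == real, real
```

The weakness the conclusion describes is structural: however many conversion rounds are added, a validator that materialises the correct answer and compares it to the input hands that answer to anyone stopped at the compare.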