Tutorial for cRCMe (cRC) by Sanhedrin

Tools: W32Dasm, Softice

This crackme requires a single password in order for it to be registered.

--CODE COMPARING--

This protection scheme takes the first character that you entered, compares it to the correct one, then either kicks you back to the unregistered section of the program or goes on to check the next character.

Click on Help/Register and enter any code: 123321

Start up Softice and set the breakpoint:

    bpx hmemcpy

Exit Softice and click on OK. Once you are back in Softice, disable the breakpoint and press F12 several times until you end up here:

:00401732 E811F9FFFF            Call 00401048                        <--- stop here
:00401737 83F806                cmp eax, 00000006                    <--- compare the length of your code to 6
:0040173A 754A                  jne 00401786                         <--- jump if not the same
:0040173C BA01000000            mov edx, 00000001
:00401741 B810204000            mov eax, 00402010

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401774(C)
|
:00401746 8B0D2C304000          mov ecx, dword ptr [0040302C]
:0040174C 0FB64C11FF            movzx ecx, byte ptr [ecx+edx-01]
:00401751 8B30                  mov esi, dword ptr [eax]
:00401753 83C661                add esi, 00000061
:00401756 3BCE                  cmp ecx, esi                         <--- compare our 1st # to the real #
:00401758 7409                  je 00401763                          <--- jump if the same
:0040175A 33C0                  xor eax, eax
:0040175C A330304000            mov dword ptr [00403030], eax
:00401761 EB23                  jmp 00401786                         <--- jump to unregistered section

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401758(C)
|
:00401763 C7053030400001000000  mov dword ptr [00403030], 00000001
:0040176D 42                    inc edx
:0040176E 83C004                add eax, 00000004
:00401771 83FA07                cmp edx, 00000007                    <--- are we at the end of the password?
:00401774 75D0                  jne 00401746                         <--- jump if not
:00401776 833D3030400001        cmp dword ptr [00403030], 00000001
:0040177D 7507                  jne 00401786                         <--- jump if not 1
:0040177F 8BC3                  mov eax, ebx

* Reference To: VCL30.Forms.TCustomForm.Close@23EDC2EF, Ord:0000h
|
:00401781 E882FCFFFF            Call 00401408                        <--- call to Registered

Cancel all of your breakpoints and set a new one:

    bpx 00401756

Before you exit Softice type:

    d ecx    <--- you see the first number of your serial
    d esi    <--- you will see the real serial

Exit Softice, enter the first character plus 5 others (remember that the password is 6 characters long). Once back in Softice press F5, type d esi and write down the character. Now you have the first and second characters. Enter the first two, and continue this process until you have the entire password.

To start you off, the first three characters are: A V I

Thanks to all of those coders that make these crackmes, to Pepper for sending me on the right path so long ago, and of course to Eternal Bliss.

Sanhedrin
stachi@geocities.com
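The loop at 00401746..00401774 is what makes the one-character-at-a-time recovery above possible: each expected character is a dword table entry plus 61h, and the first mismatch jumps straight out, so a breakpoint on the cmp exposes exactly one character per run. The C below is an added example (not the crackme's code and not the author's) that models that loop and sets a hardened variant beside it. The table values, the password they spell ("avixyz") and the use of FNV-1a as the digest are all constructed for the example; a real product would use a proper password hash instead of FNV-1a.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the crackme's dword table at 00402010.
 * The expected character at position i is PW_TABLE[i] + 0x61 ('a'),
 * exactly as the "add esi, 00000061" in the listing does. These values
 * are made up for this example and spell "avixyz", not the real serial. */
static const int32_t PW_TABLE[6] = { 0, 21, 8, 23, 24, 25 };
#define PW_LEN 6

/* Model of the crackme's own check: length test (cmp eax, 6), then one
 * character compared per iteration with an early exit on mismatch.
 * Returns -1 if the length test fails, 0 if every character matches, or
 * the 1-based index of the first mismatch. That index is precisely what
 * a debugger stopped on the "cmp ecx, esi" learns, one position per run. */
int weak_check(const char *input)
{
    if (strlen(input) != PW_LEN)
        return -1;                                  /* jne 00401786 */
    for (int edx = 1; edx <= PW_LEN; edx++) {
        unsigned char ecx = (unsigned char)input[edx - 1];
        int32_t esi = PW_TABLE[edx - 1] + 0x61;     /* add esi, 61h */
        if (ecx != esi)
            return edx;                             /* fall-through to unregistered */
    }
    return 0;                                       /* call to Registered */
}

/* 32-bit FNV-1a over the whole input. Used here only as a compact stand-in
 * for a real password hash: the point is that no per-character secret is
 * compared, so there is no single instruction that reveals one character. */
static uint32_t fnv1a32(const char *s, size_t n)
{
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) {
        h ^= (unsigned char)s[i];
        h *= 0x01000193u;
    }
    return h;
}

/* Digest of the correct password. In a shipped binary only this value
 * would be stored; here it is derived from the constructed table so the
 * example stays self-contained. */
static uint32_t expected_digest(void)
{
    char pw[PW_LEN];
    for (int i = 0; i < PW_LEN; i++)
        pw[i] = (char)(PW_TABLE[i] + 0x61);
    return fnv1a32(pw, PW_LEN);
}

/* Branch-free equality: fold every differing bit into bit 0, so the
 * comparison neither exits early nor branches on individual bytes. */
static int ct_equal32(uint32_t a, uint32_t b)
{
    uint32_t d = a ^ b;
    d |= d >> 16; d |= d >> 8; d |= d >> 4; d |= d >> 2; d |= d >> 1;
    return (int)(~d & 1u);      /* 1 if a == b, else 0 */
}

/* Hardened check: hash the whole input, compare the digest and the length
 * without early exit. Returns 1 on success, 0 on failure, nothing more. */
int hardened_check(const char *input)
{
    size_t n = strlen(input);
    uint32_t ok_hash = (uint32_t)ct_equal32(fnv1a32(input, n), expected_digest());
    uint32_t ok_len  = (uint32_t)ct_equal32((uint32_t)n, PW_LEN);
    return (int)(ok_hash & ok_len);
}

int main(void)
{
    /* "avi123" matches the first three constructed characters, then fails */
    printf("weak_check(\"avi123\")     = %d (first mismatch index)\n", weak_check("avi123"));
    printf("hardened_check(\"avi123\") = %d (pass/fail only)\n", hardened_check("avi123"));
    printf("hardened_check(\"avixyz\") = %d\n", hardened_check("avixyz"));
    return 0;
}
```

Run against a partly correct input, weak_check reports the position of the first wrong character, which is the leak the tutorial's d esi loop relies on; hardened_check reports only pass or fail, and a breakpoint on its comparison sees a digest rather than a character of the serial.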