			Terminal Cilla's
		   	   Tutorial#4

[Target Infos:]
[Name  :] CrackMe 6 
[Author:] FireWorX
[Type  :] Name - Serial
[Where :] http://crackmes.cjb.net

[Needed Tools:]
SoftIce

[Our Aim:]
Find a valid serial

-----------------------------------------------------------------------------
			Hi Reader. 
I'm sorry for all grammatical and orthographic errors.
Today we deal with "CrackMe 6" by 'FireWorX'.
I assume that you already configured your SoftIce and
that you are basicly down with SI - otherwise stop reading
and take a "SoftIce4Newbies - Tutorial".
		      Still here?
		     Ok, let's go!

Step1: 
------
        Looking at the CrackMe, we got 2 Input-Fields and
        one OK-button.
        Enter some values and hit OK.
        I used:
 
        Name  = Terminal Cilla
        Serial= 2200330044

        We got a error-message (well, of course;).

Step2:
------	
        Press <CTRL -D> to load up SoftIce and set a breakpoint
        on 'hmemcpy'.
	Return to our crackme with <F5>.
	Now press the OK-button and we'll be back in SoftIce.
	Press <F5> once again and then:

	1  * F11
	11 * F12
_____________________________________________________________________

Step3: (let's read our serial:)
------

:004417F2 8B45F4          mov eax, dword ptr [ebp-0C]->We are here -
						       eax=name;
:004417F5 8D55F8          lea edx, dword ptr [ebp-08]
:004417F8 E8FBFEFFFF      call 004416F8              ->serial calculation;
:004417FD 8B55F8          mov edx, dword ptr [ebp-08]->edx=good serial;
:00441800 58              pop eax
:00441801 E83E23FCFF      call 00403B44              ->compare routine;
:00441806 751A            jne 00441822               ->jump if wrong serial
						     ->to error-msg;
   

	Hopefully we land at :004417F2. Disable our breakpoint and
	trace further to 00441800. We see something moved to
	'edx'. Logically thought, it could be the result of the call 
	(:004417F8) before. Let's do a <d edx> and what's that?!
	Yes, it's our valid Serial number!
	In my case it's:

	Terminal Cilla
	14B3-00CC-F56F-38FA

Step4:
------
	Clear all breakpoint <bc *> and return to our crackme.
	Entering our valid serial will give us the 
	'Right Code'-msg.

	Well, our job is done!

	Thx4Readin'
-----------------------------------------------------------------------------

	    -=I'm still a newbie - So I can only get better!=-

(c) Terminal Cilla (april 1999)

Peace&Respects 2: FireWorX, Eternal_Bliss, The_Sandman, Torn@do,
		  duelist, Sanhedrin and all crackme-coders
		  and tutorial-writers.
                      ________________________
		     |   Be sure to visit:    |
		     | http://crackmez.cjb.net|
		     |	       &              |
	             | http://crackmes.cjb.net|
                     |________________________|