Figure 11.5 Imports and exports for Key4 (from OllyDbg).
At the moment, you’re interested in the Import entry titled
USER32.MessageBoxA, because that could well be the call that generates the
message box from Figure 11.2. OllyDbg lets you do several things with such an
import entry, but my favorite feature, especially for a small program such as a
crackme, is to just have Olly show all code references to the imported function.
This provides an excellent way to find the call to the failure message box, and
hopefully also to the success message box. You can select the MessageBoxA entry,
click the right mouse button, and select Find References to get into the
References to MessageBoxA dialog box. This dialog box is shown in Figure 11.6.
Here, you have all code references in Key4.exe to the MessageBoxA API.
Notice that the last entry references the API with a JMP instruction instead of a
CALL instruction. This is just the import entry for the API, and essentially all
the other calls also go through this one. It is not relevant in the current
discussion. You end up with four other calls that use the CALL instruction.
Selecting any of the entries and pressing Enter shows you a disassembly of the
code that calls the API. Here, you can also see which parameters were passed
into the API, so you can quickly tell if you’ve found the right spot.
Figure 11.6 References to MessageBoxA.
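The reference search described above can be sketched in a few lines. This is an added example, not code from the book or from OllyDbg: it locates the JMP import stub for an IAT slot and then lists the CALL instructions that reach the import, either through that stub or (going slightly beyond the text) through a direct CALL DWORD PTR [slot]. The addresses, the byte buffer and all function names are constructed for illustration, and a raw byte scan like this can report false hits where a real disassembler would not.

```python
import struct

BASE = 0x00401000      # constructed load address of the code bytes (assumption)
IAT_SLOT = 0x00402000  # constructed IAT slot standing in for MessageBoxA (assumption)

def build_sample():
    """Constructed code bytes, not taken from Key4.exe."""
    code = bytearray(b"\x90" * 0x40)                              # NOP filler
    code[0x30:0x36] = b"\xFF\x25" + struct.pack("<I", IAT_SLOT)   # JMP [IAT] stub
    for off in (0x05, 0x18):                                      # two CALLs to the stub
        code[off:off + 5] = b"\xE8" + struct.pack("<i", 0x30 - (off + 5))
    code[0x0C:0x12] = b"\xFF\x15" + struct.pack("<I", IAT_SLOT)   # CALL [IAT]
    code[0x24:0x29] = b"\xE8" + struct.pack("<i", 0x3A - 0x29)    # unrelated CALL
    return bytes(code)

def find_thunks(code, base, iat_slot):
    """Addresses of JMP DWORD PTR [iat_slot] stubs (FF 25 imm32)."""
    pattern = b"\xFF\x25" + struct.pack("<I", iat_slot)
    hits, i = [], code.find(pattern)
    while i != -1:
        hits.append(base + i)
        i = code.find(pattern, i + 1)
    return hits

def find_call_refs(code, base, iat_slot):
    """Addresses of CALL instructions that reach the import."""
    thunks = set(find_thunks(code, base, iat_slot))
    direct = b"\xFF\x15" + struct.pack("<I", iat_slot)
    refs = []
    for i in range(len(code) - 4):
        if code[i] == 0xE8:                             # CALL rel32
            rel = struct.unpack_from("<i", code, i + 1)[0]
            if base + i + 5 + rel in thunks:            # target = next insn + rel
                refs.append(base + i)
        elif code[i:i + 6] == direct:                   # CALL DWORD PTR [IAT]
            refs.append(base + i)
    return refs

if __name__ == "__main__":
    sample = build_sample()
    print("stubs:", [hex(a) for a in find_thunks(sample, BASE, IAT_SLOT)])
    print("calls:", [hex(a) for a in find_call_refs(sample, BASE, IAT_SLOT)])
```

The JMP stub is reported separately from the CALL sites, mirroring the distinction the text draws between the import entry and the calls that go through it.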