Figure 11.2 KeygenMe-3’s invalid serial number message.
Unfortunately for crackers, sophisticated protection schemes typically avoid
such easy-to-find messages. For instance, it is possible for a developer to create
a visually identical message box that doesn’t use the built-in Windows message
box facilities and that would therefore be far more difficult to track. In such a
case, you could let the program run until the message box was displayed and
then attach a debugger to the process and examine the call stack for clues on
where the program made the decision to display this particular message box.
Let’s now find out how KeygenMe-3 displays its message box. As usual,
you’ll try to use OllyDbg as your reversing tool. Considering that this is supposed
to be a relatively simple program to crack, Olly should be more than
enough.
As soon as you open the program in OllyDbg, you go to the Executable
Modules view to see which modules (DLLs) are statically linked to it. Figure
11.3 shows the Executable Modules view for KeygenMe-3.
Figure 11.3 OllyDbg’s Executable Modules window showing the modules loaded in the
key4.exe program.