Our First Program?

By Krobar / Feb 2000
Tut 10

Regview 2.21...Get it here

Ok, we ready!!

As always, there more than one way to deal with the program, but we gonna find the serial number. I think it better to try to find a serial number first anyway, coz it much 'cleaner' than changing program code, although sometimes it harder to find a valid serial when you're starting out.

Anyway, we gonna get the serial number.

So unzip regview somewhere and look for any readmes in the folder. There a regform and a readme, and we told we have 30 trys and if we register, we get an updated version. It doesnt say anything about a registration number at all, and starting it up and looking at the menu items doesnt reveal any place to put a registration either. When we click on 'about' we are told we are using unregistered version and have 29 more trials. This goes down everytime we start up the program.

Anyway, I going to cut to the rego number. You either start the program 30 times to bring up the registration box, or delete this line out of the registry...HKEY_CLASSES_ROOT\VR_T..., which will expire the program and so cause the rego box to appear. I used regmon to locate this key (see the excellent tut in the beginners section, for full explanation of how the regmon works)...and it small!

Well a box comes up saying we have to register, click ok and rego box appears. Enter the name we want, and any number (you might notice that the name has to be longer than 4 characters, otherwise the ok button stays greyed out).

Now we know what to do right?? Ctrl d softice up, and enter bpx hmemcpy/enter, then F5 out of sice, and click on ok to register...softice pops up.

We ready to search for our serial. Now we going to do one thing different this time than in our previous serial tuts. You notice that there two text fields on the registration box...one for name and one for serial. We want to get to where the serial number comparison takes place..the second text box...and I not sure why (feel free to explain) but apparently a quicker way to get to this comparison is to make softice break again. We still get there if we dont, but I read that we do this, so we gonna do it.

When softice breaks the first time, push F5 and it will break again. Now we carry on as normal. F11 once, disable breakpoint...bd0, then F12 to program code. When we see it between the bottom two windows, we F10 till we see something that we looking for.

What we see is a ret a little down the page so F10 down to it and we end on another bit of code. This happens a few times..six actually, hmmmm very similar to crackme2, and after the 6th one we end here:

xxxx:00487BDC    8B45F4       MOV   EAX,[EBP-0C]<-land here
xxxx:00487BDF    8D55F8       LEA   EDX,[EBP-08]
XXXX:00487BE2    E8FD08F8FF   CALL  004084E4
XXXX:00487BE7    8B45F8       MOV   EAX,[EBP-08]
XXXX:00487BEA    E861C1F7FF   CALL  00403D50
XXXX:00487BEF    83F805       CMP   EAX,05
XXXX:00487BF2    7C3E         JL    00487C32
Stop and look at the code...a few calls, and remember often we looking for a call before a jump with maybe a CMPare as well. We see one a few lines down:

xxxx:00487BEA    E861C1F7FF    CALL   00403D50
which is followed by a CMP (compare), then JL (jump if less).

XXXX:00487BEF    83F805       CMP   EAX,05
XXXX:00487BF2    7C3E         JL    00487C32
If we look at the CMP, we see something getting compared to 5...name/serial??. Now we made both our name and serial longer than 5 so there no need to go into this call, but just for an exercise, we will. F10 to the call and F8 into it. You land here:

xxxx:00403D50    85C0         TEST  EAX,EAX<-land here
xxxx:00403D52    7403         JZ    00403057
XXXX:00403D54    8B40FC       MOV   [EAX,[EAX-04]
XXXX:00403D57    C3           RET
See the RET a few lines down from where we landed?? This returns us to where we came from (the call we just entered), so F10 down to it (you wont jump unless you entered less than 5 characters), and you will end up at the next line down from the call that we previously entered...here:

XXXX:00487BEF    83F805       CMP   EAX,05<-land here
XXXX:00487BF2    7C3E         JL    00487C32
So we just entered a little routine where a comparison is done with 5; we jump if we less; otherwise we dont.

Anyway, once we back to the original call we entered (next line down actually, coz we executed the call) we land here:

xxxx:00487BDC    8B45F4       MOV   EAX,[EBP-0C]
xxxx:00487BDF    8D55F8       LEA   EDX,[EBP-08]
XXXX:00487BE2    E8FD08F8FF   CALL  004084E4
XXXX:00487BE7    8B45F8       MOV   EAX,[EBP-08]
XXXX:00487BEA    E861C1F7FF   CALL  00403D50
XXXX:00487BEF    83F805       CMP   EAX,05<-land here
XXXX:00487BF2    7C3E         JL    00487C32
xxxx:00487BF4    8D55FC       LEA   EDX,[EBP-04]
XXXX:00487BF7    8B83D0020000 MOV   EAX,[EBX+000002D0]
Now look down code abit and you see other calls, and one followed by a JNZ at address:

xxxx:00487C23    E838C2F7FF   CALL  00403E60<- here
xxxx:00487C28    7508         JNZ   00487C32
You remember from our crackme2 tuts that we were looking for a CALL followed by a Jump, so same as then, we gonna F8 into this one. We end up here:

xxxx:00403E60    53           PUSH  EBX<-land here
xxxx:00403E61    56           PUSH  ESI
xxxx:00403E62    57           EDI
xxxx:00403E63    89C6         MOV   ESI,EAX
XXXX:00403E65    899D7        MOV   EDI,EDX
XXXX:00403E67    39D0         CMP   EAX,EDX
XXXX:00403E69    0F848F000000 JNZ   00403EFE
Hmmmmmm, dont you think this code looks familiar to what we found in crackme2 just before we found the correct serial?

I think we may be close. You know what to do!! We gonna dump the different addresses to see if a serial pops out, so type d xxx as we F10 down the lines. At address:

xxxx:00403E63    89C6         MOV   ESI,EAX
if you type d eax, you see the number you entered and another one (You will find it at other addresses as well).

Take note of number (it goes with the name you entered), put it in the serial box, and yeah, we done it.

Well that it. We done our first program?? Just be aware that there are many different protection schemes, and this way will not always work. You just have to follow tuts and get familiar with the different ones, and build up your knowledge...so