Reverse Code Engineering - Command Line97
Finding Correct Serial Numbers
Author: Volatility

Please Read The Disclaimer Before Continuing.

Target: Command Line97 - (cline97.zip) - 25,490 bytes
Location: http://zeus.odyssey.net/subscribers/js01/CLine97.zip
Protection(s): User Name/Serial Number
Tools Needed: Soft-Ice (Any Version)
Level: (X) Beginner (X) Intermediate ( ) Advanced ( ) Expert


Prepare To Crack:

Run the program, and click on the "REGISTER" button. You'll see a box to enter your name, and one to enter your serial number. Enter some dummy data... mine's "VOLATILITY [ID]", and "272727". Now we must find the import the routine uses, and breakpoint on it in Soft-Ice.

With your dummy data entered, press Ctrl+D to enter Soft-Ice. The two most common imports for registrations in 32 bit Windoze programs are "GetWindowTextA" and "GetDlgItemTextA". So, let's go for the obvious... Set a breakpoint on GetWindowTextA like so: BPX GetWindowTextA. Press X to return to the program. Click "Ok"... Hmmm... wrong registration number... let's try again. Press Ctrl+D to get back into Soft-Ice. Clear your breakpoint by typing BC *. Let's try GetDlgItemTextA. Set your breakpoint like so: BPX GetDlgItemTextA. Press X to return to the program and click on "Ok". Bingo! Soft-Ice breaks. You can clear your breakpoint now with BC *. We need to press F11 to get into the code. You've landed inside the following code:

0137:00402558  CALL     [USER32!GetDlgItemTextA]
0137:0040255E  PUSH     00
0137:00402560  MOV      EDI,00410B30
0137:00402565  PUSH     00
0137:00402567  PUSH     000003FC
0137:0040256C  PUSH     ESI
0137:0040256D  CALL     [USER32!GetDlgItemInt]

Let's see... We don't see anything interesting on the highlighted line, so we'll press F10 to step through the code line by line. After pressing F10 twice, you'll be on the line "0137:00402565 PUSH 00". Notice that up in the registers window, "EDI=00410B30" is now highlighted (your values may be different)... this looks interesting to us, so check the value of EDI like so: ? EDI. Hmm... nothing useful. Let's try to display the memory EDI points to like so: d EDI. Killer! The name we entered... we must be close! We press F10 four times, until we get to the following line "0137:00402573 MOV ECX,FFFFFFFF". Notice that up in the registers window, "EAX=00042957" is now highlighted (your values may be different)... this looks interesting to us, so we check the value of EAX like so: ? EAX. Killer! The serial we entered! Now we must be even closer!

Ok... we've found where we originally entered our name and serial, but that doesn't tell us anything really... just interesting, and good to know that we could at least find that much! Press the F10 key some more, until you land on the line "MOV [0040A550],ECX". Notice that up in the registers window "ECX=001720CC" is now highlighted (your values may be different). This looks interesting to us, so check the value of ECX like so: ? ECX. Hmm... could it be? Maybe... write this code down! (Mine was 1515724 - it will be 7 characters long.) I wasn't ready to stop just yet, since it's useful to check a little further, so I kept pressing F10 and kept checking values when a register became highlighted. Our first check still seemed to me to be the most promising though, because of the line itself, "MOV [0040A550],ECX" - store the value in ECX at address 0040A550.

Press X or Ctrl+D to return back to the program. Leave your user name the same, but let's try the new registration codes. Bingo! We were right! The first code works like a charm! Command Line97 is registered! If you'd like to unregister the program so you can do this again for practice, you'll need to edit the Registry. The program stores the values in "HKEY_LOCAL_MACHINE" - "SOFTWARE" - "SealesWare" - "Command Line97". Just delete the name you entered at the "RegName" key.
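Why the correct code was sitting in ECX, and the design that keeps it out of the client, as an added example (not part of the original essay, and not Command Line97's code). The serial routine, the demo key and every function name here are assumptions; the textbook RSA over two Mersenne primes is only there to keep the sketch self-contained, and a shipping product would call a vetted signature library instead.

```python
import hashlib

# Constructed demo key (assumption): two Mersenne primes, picked only so the
# example needs no external files. Not a secure key.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
_D = pow(E, -1, (P - 1) * (Q - 1))  # vendor-only secret; never shipped in the client


def _digest(name: str) -> int:
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big")


def derive_serial(name: str) -> int:
    """Hypothetical name-to-serial routine (NOT Command Line97's algorithm)."""
    return _digest(name) % 9_000_000 + 1_000_000  # always 7 digits


def check_recompute(name: str, entered: int) -> bool:
    # Weak pattern: the client computes the correct serial itself, so the value
    # exists in a register or memory cell just before the comparison.
    expected = derive_serial(name)
    return entered == expected


def vendor_issue(name: str) -> int:
    """Runs on the vendor's machine only: sign the digest of the name."""
    return pow(_digest(name), _D, N)


def check_verify_only(name: str, licence: int) -> bool:
    # Verify-only pattern: the client holds just (N, E) and transforms the
    # *entered* value. No code path in the client produces a valid licence.
    return 0 < licence < N and pow(licence, E, N) == _digest(name)
```

With `check_verify_only`, stepping through the check in a debugger shows only the digest of the name and the value the user typed; the check can still be patched out, which is a separate problem from leaking valid codes.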


*** Disclaimer ***

This Essay Is For Knowledge Purposes Only. Neither We, Our ISP, Nor Any Persons Mentioned Shall Be Held Liable For Any Damages Improper Usage May Cause To Your Machine.

If You Successfully Crack A Program, You Must Delete It Immediately. If You Want To Keep The Program, Please BUY It! Support Shareware, This Is Our Learning Tool!

It Is Illegal To Continue To Use Cracked/Patched Software.

Copyright © 1998 Volatility And The Immortal Descendants. All Rights Reserved.