Written by anTiHerO
Released: January 2001
Protection: Time-limit and registration
*Flash 32 is 32-bit software running under Windows 95, Windows 98, Windows NT 4 and 2000, used to capture and save Windows screens (or parts of screens), images from files, images from Internet WebCams and images from the Internet Explorer cache.
*Flash 32 installs itself as a tray icon in the tray bar of Windows.
*The captures can be saved with several graphic formats, modified, printed...
*Flash 32 also allows the creation of icons, cursors, animations (ANI, AVI, FLI, FLC and GIF), wallpapers, logos...
*A screen capture can be saved or printed without interaction with the user.
*When you click on its icon, Flash 32 displays two menus:
*Right click: setup menu, help and about
*Left click: particular captures (clipboard, webcam, animations)
*Before we dive in, just a few things... I am fairly new to code reversing, so my methods may not be the easiest or correct ones, but they work!!! Anyway, the first thing we need to do is fire up Flash32. You will see a small camera-shaped icon; if we right click on this we can see a registration option. Click this, and we see the reg box with three empty fields. I filled them in as follows:
First Name: anTi
*Right, press OK, and we get the expected “invalid key” message box. Write this down. Fire up W32Dasm and disassemble Flash32. I’m assuming you’re familiar with W32Dasm, so open up the String Data References, double click on our string, scroll up a few lines and we should see:
*Hehe, this looks like it isn’t going to be too difficult. We look four lines up and see a conditional jump, JE. This is preceded by a compare instruction, which compares eax and ecx! Should we try something which could save us a lot of tracing through code? What should we do?
*Our compare instruction at 00421E67 is comparing two values, and if they are equal it jumps (we haven’t looked where to yet!); if not, it carries on through to our “invalid key” portion of code. Ah-ha! Could the compare instruction be comparing our “fake” serial against the correct serial? Well, there is a quick and easy way to find out! Write down the address of the compare instruction, 00421E67, and now we want to run our debugger and load up Flash32. Boomph! Up pops your SoftICE window, but we know we want the program to break at location 00421E67, so we type:
*You should know this means that the program will break when it executes this line of code. Press Ctrl+D (or type x and hit Enter if you are using TRW2000) to close your debugger window. We now go to our registration box again and type in again:
First Name: anTi
*Hit OK, and WALLOP! Up pops our debugger window, bang on:
:00421E67 3BC1 cmp eax, ecx
*Right, hit F10 once, so that our jump command line is highlighted. We want to see what is being compared in the eax and ecx registers, don’t we? So type:
? eax, and what do we see? OUR FAKE REG NUMBER! Contain your excitement! What if we type:
? ecx, what’s this? -610844068? Could this be our real reg number? Write it down!
*Now type bc* (or just bc in TRW) to clear all breakpoints, and close our debugger. OK, the moment of truth! Go back to our registration box and type in our details with our new value from the ecx register:
First Name: anTi
*Hit OK, hmm, no “bugger off cracker” message! Right click on the taskbar icon and select About...: WOOHOO!!! Registered to anTiHerO! Job done!
We could have easily set about tracing through code with our debugger from the start, but this way cuts out all that. This method doesn’t always work, but when it does!!!!!!!!
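Why the shortcut works, and what a registration check has to do differently to close it, as an added illustration that is not part of the original write-up and is not Flash 32's own code. The weak form recomputes the expected serial and compares it directly, the pattern behind the cmp eax, ecx above, so the real key is live in a register at the compare. The hardened form compares only a one-way digest in constant time. derive_serial, STORED_DIGEST and the serial 2345678 are constructed stand-ins, not the program's real scheme.

```python
import hashlib
import hmac


# Constructed stand-in for a name-derived serial scheme; NOT Flash 32's real
# algorithm. Only its role matters: the program can recompute the expected key.
def derive_serial(name: str) -> int:
    h = 0
    for ch in name:
        h = (h * 31 + ord(ch)) & 0xFFFFFFFF
    return h


def weak_check(name: str, entered: int) -> tuple:
    """The pattern behind 'cmp eax, ecx': the expected serial is recomputed and
    compared directly, so at the compare both operands are live in registers.
    Returns (verdict, left operand, right operand) as a debugger would see them."""
    expected = derive_serial(name)
    return entered == expected, entered, expected


# Hardened form: the build embeds only a digest of the fixed valid serial
# (constructed value 2345678). This suits a single baked-in serial; per-user
# serials need a signature verified with an embedded public key instead, which
# the standard library cannot show here.
STORED_DIGEST = hashlib.sha256(b"2345678").digest()


def hardened_check(entered: int) -> tuple:
    """Compare a one-way digest of the input against the stored digest in
    constant time. The compare operands are two 32-byte digests; the valid
    serial itself is never materialised by the program."""
    digest = hashlib.sha256(str(entered).encode()).digest()
    return hmac.compare_digest(digest, STORED_DIGEST), digest, STORED_DIGEST


if __name__ == "__main__":
    # What an observer at each compare instruction gets to see
    print("weak    :", weak_check("anTi", 12345)[1:])
    print("hardened:", [op.hex() for op in hardened_check(12345)[1:]])
```

Neither form stops someone from patching the conditional jump that follows the compare; the digest only removes the key from the operands, and a 32-bit serial space is small enough to search offline, so the durable fix is a signature the client can verify but not create.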