Finding the valid serial number for 5-Or-More

© 1997 by cTT / MiB


Software: 5-Or-More
Tools: Softice (any versions for Windows), pen and paper :-)

Hi there!

This is my first tutorial ever, but I'll try my best to make it easy to understand.
First thing you'll need is SoftIce I won't go anything deeper about SoftIce because I know that another cracker in MiB is about to finish his tutorial about this. Anyway this will be your tool (just as a fork when you are eating!) to be able to crack this (as far as I know) simple program. Second yo'll need a pen and a piece of paper to make you'r remarkable notes on :-). Third well haven't you guessed this allready? 5ormore.exe our target!


Well lets start with go inside SoftIce [CTRL-D] and set a breakpoint on GetDlgItemTextA:

:bpx getdlgitemtexta
Done? Good, now leave SoftIce (just press [CTRL-D] again) and start up the program.
UHH! A evil nagscreen tellin' us that we haven't registered the program, well click on OK and you'r in.
Now click on Help and then Register, you'll now gonna be able to enter your name and the valid serialnumber (The one we don't got but after this tutorial will have!).
Well lets enter something, I wrote 'cTT' with serial '123123', and then press OK
*BOOM* you'r inside SoftIce again ain't cha?
This was excpected due to the breakpoint we set, now press [CTRL-D] one more time and it just goes back into SoftIce ... why?
It first breaks due to the name you enter and the second time to the serial.
OK! Now we done this far, we know that SoftIce has breaked two (2) times (There was two boxes, Name and Serial, remember?). Now let's see if we can find the valid code?

What I first did was to press [F11] to jump to location SoftIce broke, then I investegate the code visible for me, any CMP's or TEST's ?

0137:00406073 CALL [USER32!GetDlgItemTextA]      <-- It broked in here 
0137:00406079 LEA  ECX,[EBP-50]
0137:0040607C PUSH ECX
0137:0040607D CALL [KERNEL32!lstrlen]
0137:00406083 TEST EAX,EAX                       <-- Here is the TEST's I'm talking about 
0137:00406085 JZ   00406114
0137:0040608B LEA  EAX,[EBP-10]
0137:0040608E PUSH EAX
0137:0040608F CALL [KERNEL32!lstrlen]
0137:00406095 TEST EAX,EAX                       <-- Here is the TEST's I'm talking about 
0137:00406097 JZ   00406114
0137:00406099 LEA  EAX,[EBP-10]
0137:0040609C PUSH EAX
0137:0040609D CALL 00405EF0
^    ^
segment:offset changes from computer to computer!
Yes! You would be able to see two or three TEST EAX,EAX aint cha? I can tell you because I know, none of them are important for the reg.nr.
Well as you can see if you trace trough the code [F10], you'll only gonna pop out to the program saying "Bad registration number". What now? Well klick OK again and were back inside SoftIce, what I did now was to look inside all CALL's, I can tell you this: the reg.nr. rutin are in the third call from the point SoftIce breaked.
0137:00406073 CALL [USER32!GetDlgItemTextA]      <-- It broked in here 
0137:00406079 LEA  ECX,[EBP-50]
0137:0040607C PUSH ECX
0137:0040607D CALL [KERNEL32!lstrlen]
0137:00406083 TEST EAX,EAX
0137:00406085 JZ   00406114
0137:0040608B LEA  EAX,[EBP-10]
0137:0040608E PUSH EAX
0137:0040608F CALL [KERNEL32!lstrlen]
0137:00406095 TEST EAX,EAX
0137:00406097 JZ   00406114
0137:00406099 LEA  EAX,[EBP-10]
0137:0040609C PUSH EAX
0137:0040609D CALL 00405EF0                      <-- Here is the CALL I'm talking about 
Inside that CALL you'll find something very intresting, a whole lotta CMP BYTE PTR [EAX],XX ain't I right?
The XX is what we want, this is the numbers of the registration code in right oder.
0137:00405EEF RET
0137:00405EF0 MOV  EAX,[ESP+04]
0137:00405EF4 TEST EAX,EAX                      <-- Test EAX where the reg.nr you wrote is
0137:00405EF6 JZ   00405F32                     <-- If it's empty go to --------
0137:00405EF8 CMP  BYTE PTR [EAX],31            <-- Compare the first number    |
0137:00405EFB JNZ  00405F32                     <-- If it's wrong go to  -------|
0137:00405EFD CMP  BYTE PTR [EAX+01],36         <-- Compare the second number   |
0137:00405F01 JNZ  00405F32                     <-- If it's wrong go to  -------|
0137:00405F03 CMP  BYTE PTR [EAX+02],31         <-- Compare the third number    |
0137:00405F07 JNZ  00405F32                     <-- If it's wrong go to  -------|
0137:00405F09 CMP  BYTE PTR [EAX+03],33         <-- Compare the forth number    |
0137:00405F0D JNZ  00405F32                     <-- If it's wrong go to  -------|
0137:00405F0F CMP  BYTE PTR [EAX+04],35         <-- Compare the fifth number    |
0137:00405F13 JNZ  00405F32                     <-- If it's wrong go to  -------|
0137:00405F15 CMP  BYTE PTR [EAX+05],35         <-- Compare the sixth number    |
0137:00405F19 JNZ  00405F32                     <-- If it's wrong go to  -------|
0137:00405F1B CMP  BYTE PTR [EAX+06],31         <-- Compare the seventh number  |
0137:00405F1F JNZ  00405F32                     <-- If it's wrong go to  -------|
0137:00405F21 CMP  BYTE PTR [EAX+07],30         <-- Compare the eight number    |
0137:00405F25 JNZ  00405F32                     <-- If it's wrong go to  -------|
0137:00405F27 CMP  BYTE PTR [EAX+08],00         <-- No more numbers I hope      |
0137:00405F2B MOV  EAX,00000001                 <-- Set EAX to 1                |
0137:00405F30 JZ   00405F34                     <-- If everthing is correct jump| to ----
0137:00405F32 XOR  EAX,EAX                      <-- Zero the EAX register <-----         |
0137:00405F34 RET                               <-- Return from the CALL <---------------
Now what? Well try to see what he compares with.
:? 31 (This is the number after the ',' in the CMP's)
00000031 0000000049 "1"
^ Hex    ^ Dec       ^ ASCii
Does this looks familiar? I guess it does! Now you'll get the answer in both Hex, Dec and ASCii, write down the ASCii answer and then do like this the whole way down 'til the end of CMP's, well not the ,00 one because it is just a blankstep, at the end you will have 8 number, this is the right reg.nr just clear your bpx and the try the code you write down, I hope you'll got it? Otherwise I got the code '16135510', did you got the same?


Final!

Hmm ... did you understand this tutorial, well I hope you did otherwise just mail me any feedback and I will try to make it better! :) But anyway this was as I told you my first turoial ever and I know that it isn't good but I hope it will help you find the registration number as well.


Send any feedback to me! ctt_@rocketmail.com is my email.

Back to Tutor page!Back to tutorial page.

Copyright © MiB 1997. All rights reversed.


0177:004106AB  NOP