Registry Studio 1.01

By Krobar / Jan 2000

Now this tut is written by a newbie for those who know less than me, so don't expect any explanations about what I'm doing, 'cos I can only say what I did... at this stage!


The program.......... Registry Studio v. 1.01... get it from http://www.download.com
The tools.............. SoftICE.... I'm using version 4.

Description: MicroPlanet Registry Studio adds an array of useful tools and features for working with the Windows Registry, including Registry shortcuts, Registry bookmarks, an import/export preview tool, an email subkey tool, drag-and-drop support, powerful background searching, a Registry replacement wizard, Windows Explorer-style navigator buttons, sticky start-up positioning, and key abbreviations. This is a 7-day evaluation version.

Install the proggie, and let it go where it wants. You get the snag (shit nag), telling you how many days you've got left.

From the menu, click on Studio, click Register, then fill in a name and a serial number, BUT don't click OK.

Now Ctrl-D to bring up SoftICE.

Okay, the first thing to do before you click OK, and after you Ctrl-D SoftICE up, is to set a breakpoint. You want to be looking at the code inside the program, and setting breakpoints is how we get to do it.

I tried a few, but the one that did it for me was: bpx hmemcpy. I typed this, then pushed Enter.

Now Ctrl-D out of SoftICE (or use F5), and you should be back in Registry Studio, looking at the registration screen.

Click OK (to register), and.......... into SoftICE.

Near the bottom of the SoftICE screen, between the command and code windows, you should see some writing.... Kernel32, User32, or something else. This tells us that we're not where we wanna be. We want to be in Regstudio, SO......

push F5 once, because since we had two boxes to fill (one for the name and one for the number) we want to get to where our serial is calculated, and that was the second box.

F11 once and disable the breakpoint.... bd 0.

Now F12 till we get to the program..... 7 times actually....... you'll see when you're there, it'll be displayed near the bottom.

I noticed that the eax register (in the top left of the SoftICE window) was 9, and the serial I entered was 9 characters, so I F10'd down to the first call I came to, then F8'd into it... at address:

00888162 CALL 00884297

After going into this call you'll be at address

00884297.

Just sit at this address and look at the code. This looked (to my newbie eyes) like an interesting bit of code, because a few lines down was a call for some sort of string length at address:

008842A5 CALL Kernel32!lstrlen <-- double-click to set a breakpoint.... should turn green

and if you look down a few lines you'll notice that eax is compared to 08 at

008842AB CMP EAX, 08

and if your number is less than 8 characters, then see you later.

A few lines below this there seems to be some sort of comparing going on:

008842B2 CMP CL, 72 <-- first character of serial?

We want to see what 72 is, so type ? 72 and you'll see the ASCII character r in the command window (bottom window). If your first character isn't r, you'll jump to some piss-off message.

A few lines below this address you'll see this:

008842BF CMP CL, 73 <-- second character of serial?

Type ? 73 and you'll see s. If your second character isn't s, you'll jump to goodbye, so F5 out of SoftICE and make r the first and s the second letter of your serial. Click OK and you should break back into SoftICE at the address where you set your breakpoint (where you double-clicked before)..... 008842A5 CALL Kernel32!lstrlen.

Now F10 down (you'll get through the jumps if the first two characters of your serial are r and s). You'll find yourself in some sort of loop, jumping upwards 8 times until eax=8. If you watch the eax register you'll see it increasing by 1 each time you jump upwards. When it equals 8 you won't jump, so just keep stepping downwards (F10), looking out for a call, a compare, and a jump. You'll find one at address

0088430A CALL 008840B0

so trace into this call (F8), then F10 once to address

008840B1 MOV EBP, ESP and type d esp.

You'll see the correct serial number for the name you entered.