Reverse Code Engineering - WinEye v3.1
Finding Correct Serial Numbers
Author: Volatility

Please Read The Disclaimer Before Continuing.

Target:        WinEye v3.1 - (wineye31.exe) - 622,625
Protection(s): User Name/Serial Number
Tools Needed:  NuMega Soft-Ice (Any Version)
Level:         (X) Beginner ( ) Intermediate ( ) Advanced ( ) Expert

I shouldn't be writing an essay on this program, but it still serves for KNOWLEDGE PURPOSES.

I wrote up an essay on how to crack this program, before I visited the author's homepage, and saw what he had to say.  Here's what he says:

"A good reason to register - The registration charges will be given to SOS Children’s Villages organisation.  SOS Children’s Villages is a non-political and non-denominational welfare organisation. SOS Children’s Villages offer abandoned, orphaned and destitute children - regardless of race, nationality or creed - a new and permanent home, and prepare them for an independent life."

What a way to make a cracker feel bad!  Nonetheless, I still published the essay for its knowledge purposes.  If you keep this program (I really don't know why you would) without paying for it, you should burn in hell.  Normally, I post the user name and serial I got for the program, but I'm not going to do that here, so lamers don't use it.

Prepare To Crack: 

After starting WinEye up, right click on the eyes in your system tray, and choose "Properties", then choose the "Registration" tab.  We need to enter a name and code. 

Our favorite methods for trapping serial numbers in Soft-Ice are GetWindowTextA and GetDlgItemTextA, so let's try those first.  To save you time, we need GetWindowTextA.

Making The Crack: 

Enter your user name and some dummy data for the code.  Press Ctrl+D to enter Soft-Ice.  Set a breakpoint on GetWindowTextA (BPX GETWINDOWTEXTA).  Press Ctrl+D again to exit back to the program.  Click on "OK".  Soft-Ice will pop up.

Now, if we think about it, the function will be called twice -- once for the user name, and once for the code.  So, the first time Soft-Ice pops, press Ctrl+D once, and you'll be back in Soft-Ice.  Press F11 once to exit the code, and you should be here:
0137:0041ED7C  FF15A0A94300             CALL    [USER32!GetWindowTextA]
0137:0041ED82  8B4D10                   MOV     ECX,[EBP+10]       :ECX will hold your user name
0137:0041ED85  6AFF                     PUSH    FF
0137:0041ED87  E8B37EFFFF               CALL    00416C3F           :call routine to process your user name
0137:0041ED8C  EB0B                     JMP     0041ED99
0137:0041ED8E  8B4510                   MOV     EAX,[EBP+10]
0137:0041ED91  FF30                     PUSH    DWORD PTR [EAX]
0137:0041ED93  56                       PUSH    ESI

You could now display the user name you entered by pressing F10 to step through the line "CALL    00416C3F", and typing d ecx.

This part of the code isn't interesting though, so we need to keep stepping until we find something that does look useful, like a compare (CMP, TEST) followed by a jump (JE, JNE, JZ, JNZ, etc.).  You'll find it here:
0137:004048FA  8D8D8C000000     LEA     ECX,[EBP+0000008C] :ECX will hold the code
0137:00404800  E88B190000       CALL    00406290           :call function to calculate code
0137:00404805  84C0             TEST    AL,AL              :test the routine's result (your code vs. the valid one)
0137:00404807  0F8584000000     JNZ     00404991           :jump to unregistered if no good
0137:0040480D  6A00             PUSH    00
0137:0040480F  6A00             PUSH    00
0137:00404811  8D542418         LEA     EDX,[ESP+18]
0137:00404815  682D010000       PUSH    0000012D

Now, to display your code, just step through the line "CALL    00406290", and display ECX by typing d ecx.
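A transcribed listing can be checked against its own opcode bytes: each address must equal the previous address plus the instruction length, and a relative CALL/JMP/Jcc operand must equal the next address plus the encoded displacement. The following is an added example, not part of the original essay; `check_listing` and its tuple format are assumptions of this sketch. Run on the two listings above, it passes the first and shows that in the second the addresses after 004048FA are printed 0x100 too low, since the CALL and JNZ operands only agree with their bytes from 004049xx.

```python
import re

# Input transcribed from the two listings above (author's annotations dropped).
LISTING_1 = """\
0137:0041ED7C  FF15A0A94300  CALL  [USER32!GetWindowTextA]
0137:0041ED82  8B4D10        MOV   ECX,[EBP+10]
0137:0041ED85  6AFF          PUSH  FF
0137:0041ED87  E8B37EFFFF    CALL  00416C3F
0137:0041ED8C  EB0B          JMP   0041ED99
0137:0041ED8E  8B4510        MOV   EAX,[EBP+10]
0137:0041ED91  FF30          PUSH  DWORD PTR [EAX]
0137:0041ED93  56            PUSH  ESI
"""
LISTING_2 = """\
0137:004048FA  8D8D8C000000  LEA   ECX,[EBP+0000008C]
0137:00404800  E88B190000    CALL  00406290
0137:00404805  84C0          TEST  AL,AL
0137:00404807  0F8584000000  JNZ   00404991
0137:0040480D  6A00          PUSH  00
0137:0040480F  6A00          PUSH  00
0137:00404811  8D542418      LEA   EDX,[ESP+18]
0137:00404815  682D010000    PUSH  0000012D
"""

# selector:address, opcode bytes, mnemonic (ignored), first operand token
LINE = re.compile(r"^[0-9A-F]{4}:([0-9A-F]{8})\s+([0-9A-F]+)\s+\w+\s+(\S+)")
# opcode -> size in bytes of the signed relative displacement that follows it
REL = {"E8": 4, "E9": 4, "EB": 1, "0F84": 4, "0F85": 4}

def check_listing(text):
    """Return ("address"|"target", printed_value, value_implied_by_bytes) tuples."""
    problems, expected = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        addr, code = int(m[1], 16), bytes.fromhex(m[2])
        if expected is not None and addr != expected:
            problems.append(("address", addr, expected))
        expected = addr + len(code)          # where the next instruction must start
        for prefix, size in REL.items():
            op = bytes.fromhex(prefix)
            if code.startswith(op) and len(code) == len(op) + size:
                disp = int.from_bytes(code[len(op):], "little", signed=True)
                target = (addr + len(code) + disp) & 0xFFFFFFFF
                if target != int(m[3], 16):
                    problems.append(("target", int(m[3], 16), target))
    return problems
```
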

*** Disclaimer ***
This Essay Is For Knowledge Purposes Only. Neither We, Our ISP, Nor Any Persons Mentioned Shall Be Held Liable For Any Damages Improper Usage May Cause To Your Machine.

If You Successfully Crack A Program, You Must Delete It Immediately. If You Want To Keep The Program, Please BUY It! Support Shareware, This Is Our Learning Tool!

It Is Illegal To Continue To Use Cracked/Patched Software.

Copyright © 1999 Volatility And The Immortal Descendants. All Rights Reserved.