There is a crack, a crack in everything. That's how the light gets in.
Enter your Name, Company, and fake Registration Code (if you need to access the registration window, click on Help and then click on
Press CTRL-D to go into Softice.
Now, we want to set a breakpoint. Let's try bpx GetWindowTextA (that is what the program uses, actually).
Type X to return to the program.
Click on "OK".
Bang! We are now in Softice at the start of USER32!GetWindowTextA.
Since the program is going to get the text 3 times (Name, Company, and Registration Code), we want to do this:
Press F11 to step out of the function call.
Type bc * to kill your breakpoints, as they will no longer be needed.
We should now be at the instruction following the call to USER32!GetWindowTextA.
CALL [USER32!GetWindowTextA] <- get what is in the Registration Code text box
:00449D86 MOV ECX, [EBP+10] <- fake registration code
:00449D89 PUSH FF
:00449D8B CALL 004430CA
:00449D90 JMP 00449D9D
F10 over the call at 00449D8B (you can F8 into it, but it is not very interesting).
:004246D2 PUSH DWORD PTR [ESI+000000DD]
If you type d esi+dd you'll see this in your data window:
:006FFA2D 1C 2B D3 00 50 41 00 .....
Do you see the first 3 pairs of numbers (1C 2B D3)? Reverse them and type:
Ahhh...your fake registration code.
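The "reverse them" step above is just reading a little-endian DWORD out of the data window: the bytes 1C 2B D3 00 are the value 00D32B1C. The following Python is an added example, not part of the tutorial, that does that decoding for a SoftICE-style dump line and also approximates what the ? command prints (hex and decimal) for a register value. The dump line is constructed to match the bytes shown in the tutorial; the output format of softice_query is an assumption, not a copy of SoftICE's exact output.

```python
import struct

# Constructed sample, copied from the data-window line shown in the tutorial.
SAMPLE_DUMP_LINE = ":006FFA2D 1C 2B D3 00 50 41 00 ....."


def parse_dump_line(line):
    """Split a data-window line into (address, raw bytes).

    Tokens are read until the first one that is not a two-digit hex byte,
    which is where the ASCII column ("....." here) starts.
    """
    tokens = line.split()
    address = int(tokens[0].lstrip(":"), 16)
    data = bytearray()
    for tok in tokens[1:]:
        if len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
            data.append(int(tok, 16))
        else:
            break
    return address, bytes(data)


def dword_at(data, offset=0):
    """Little-endian 32-bit value at offset: the byte pairs read in reverse.

    Raises struct.error if fewer than 4 bytes are available, rather than
    silently padding, so a short dump is noticed.
    """
    return struct.unpack_from("<I", data, offset)[0]


def softice_query(value):
    """Approximation (assumed format) of the '?' command: hex and decimal."""
    return f"{value & 0xFFFFFFFF:08X}  {value & 0xFFFFFFFF}"


if __name__ == "__main__":
    addr, raw = parse_dump_line(SAMPLE_DUMP_LINE)
    print(f"address {addr:08X}, {len(raw)} bytes: {raw.hex(' ')}")
    first = dword_at(raw)
    print("first DWORD (pointer to the registration-code string):", softice_query(first))
```

The first DWORD decodes to 00D32B1C, the pointer the tutorial has you dump next; the remaining three bytes (50 41 00) are the start of the following DWORD, which this line alone does not complete.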
Below this PUSH instruction you'll find:
:004246DD MOV EBP, EAX
:004246DF MOV EAX, [00484C5C]
:004246E4 ADD ESP, 0C
:004246E7 CMP [EAX+0000029F], BL
:004246ED JZ 0042482A
Doesn't look very interesting, does it? No dramatic test of EAX right after the call, etc...
This call, therefore, most likely does not check the fake registration code against the real registration code.
F10 over the call at 004246D8.
Just out of curiosity, check out EAX by typing
Look at the decimal value of EAX. Ahhh....the fake registration code.
:004246F3 CMP EBP, EBX
If you type ? EBP you'll see that it holds
the hex value of the fake registration code. EBX holds nothing.
F10 some more until:
:004246FC PUSH DWORD PTR [ESI+000000D5]
If you check the value at this location (00D32AEC), you'll see the name that you had entered. So, the next instruction:
:00424702 CALL 00424FAF
must do something with your name, eh? Perhaps it calculates the real registration code?
Right after the call at 00424702 is something very interesting: a CMP instruction.
:00424707 CMP EBP, EAX
F10 until you reach this CMP instruction
If you type ? EBP you'll see that it holds the hex value of your fake registration code.
Notice that EBP is being compared with EAX. I wonder what EAX holds?
Type ? EAX
See the decimal value of EAX? Write it down. That's the real registration code.
Type X to return to the program. Now, click on "OK" (nasty message box!).
Ready? Enter the number that you had written down and click on "OK".
My thanks and gratitude go to:
Fravia+ for providing possibly the greatest source of Reverse Engineering knowledge on the Web.
+ORC for showing me the light at the end of the tunnel.