There is a crack, a crack in everything. That's how the light gets in.
Enter your Name, Company, and a fake Registration Code (if you need to
access the registration window, click on Help and then click on
Register...).
Press CTRL-D to go into Softice.
Now we want to set a breakpoint. Let's try bpx GetWindowTextA
(that is what the program uses to read the text boxes).
Type X to return to the program.
Click on "OK".
Bang! We are now in Softice at the start of USER32!GetWindowTextA.
(Softice breakpoints are system-wide, so make sure it was our program
that triggered the break and not some other window.)
Since the program is going to get the text 3 times (Name, Company, and
Registration Code), we want to do this:
Type X (we are at the first break, for Name; this brings us to the
second, for Company).
Type X (this brings us to the third, for the Registration Code).
Press F11 to step out of the function call, back to the instruction
after the CALL.
Type bc * to kill your breakpoints, as they will no longer be needed.
We should now be at the instruction following the call to
USER32!GetWindowTextA:
:00449D80  CALL [USER32!GetWindowTextA]   <- get what is in the Registration Code text box
:00449D86  MOV  ECX, [EBP+10]             <- fake registration code
:00449D89  PUSH FF
:00449D8B  CALL 004430CA
:00449D90  JMP  00449D9D
F10 over the call at 00449D8B (you can F8 into it, but it is not very
interesting).
F10 until:
:004246D2  PUSH DWORD PTR [ESI+000000DD]
If you type d esi+dd you'll see this in your data window:
:006FFA2D 1C 2B D3 00 50 41 00 .....
Do you see the first 4 bytes (1C 2B D3 00)? They are a 32-bit pointer
stored little-endian (least significant byte first), so read them
backwards and type:
d D32B1C
Ahhh...your fake registration code. The PUSH is passing a pointer to
the string you typed.
Below this PUSH instruction you'll find:
:004246D8  CALL 0042A960
:004246DD  MOV  EBP, EAX
:004246DF  MOV  EAX, [00484C5C]
:004246E4  ADD  ESP, 0C
:004246E7  CMP  [EAX+0000029F], BL
:004246ED  JZ   0042482A
Doesn't look very interesting, does it? The return value is tucked away
in EBP, EAX is immediately overwritten with a global, and the CMP tests
a byte of that global against BL, not the result of the call. No
dramatic test of EAX right after the call, etc...
This call, therefore, most likely does not check the fake registration
code against the real registration code.
F10 over the call at 004246D8.
Just out of curiosity, check out EAX by typing
? EAX
Look at the decimal value of EAX. Ahhh....the fake registration code.
So this call just converts the string you typed into a number.
F10 until:
:004246F3  CMP EBP, EBX
If you type ? EBP you'll see that it holds the hex value of the fake
registration code (the copy saved by the MOV EBP, EAX above). EBX holds
zero, so this compare only tests whether the number you typed came out
as 0.
F10 some more until:
:004246FC  PUSH DWORD PTR [ESI+000000D5]
If you check the value at this location (00D32AEC), you'll see the name
that you had entered. So, the next instruction:
:00424702  CALL 00424FAF
must do something with your name, eh? Perhaps it calculates the real
registration code?
Right after the call at 00424702 is something very interesting: a CMP
instruction.
:00424707  CMP EBP, EAX
F10 until you reach this CMP instruction (:00424707).
If you type ? EBP you'll see that it still holds the hex value of your
fake registration code.
Notice that EBP is being compared with EAX, the value the call just
returned. I wonder what EAX holds?
Type ? EAX
See the decimal value of EAX? Write it down.
That's the real registration code for the name you entered.
Type X to return to the program.
Now, click on "OK" to dismiss the nasty message box telling you the code
is wrong.
Ready? Enter the number that you had written down (with the same name,
since the code is computed from it) and click on "OK".
Congratulations!
Program cracked.
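As an added example, not code from the original tutorial or from the program being cracked, here is a small C model of the check that the walkthrough above deduces from the disassembly: the typed code is converted to a number (the call at 0042A960, kept in EBP), rejected if it is zero (CMP EBP, EBX with EBX = 0), then compared against a value computed from the name (the call at 00424FAF, returned in EAX; CMP EBP, EAX). It also includes a helper for the d esi+dd step that turns the little-endian bytes shown in the data window into the pointer you type after d. The name-to-code routine compute_real_code is a hypothetical stand-in (FNV-1a reduced to an 8-digit code); the real program's algorithm is not shown on the page, and the name "fravia" used in main is constructed sample input.

```c
/*
 * Added example: a model of the serial check deduced in the tutorial.
 * Not the target program's code; the name-to-code routine is a
 * hypothetical stand-in (FNV-1a), since the page never shows the
 * real algorithm.
 */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the routine at 00424FAF: name -> code.
   Never returns 0, so a real code always passes the zero check below. */
uint32_t compute_real_code(const char *name)
{
    uint32_t h = 2166136261u;                 /* FNV-1a offset basis */
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        h ^= *p;
        h *= 16777619u;                       /* FNV-1a prime */
    }
    return h % 99999999u + 1;                 /* 1 .. 99999999, 8 digits max */
}

/* Stand-in for the call at 0042A960: the typed string -> number
   (what "? EAX" shows in decimal right after that call). A non-numeric
   or empty string becomes 0, which the next compare rejects. */
uint32_t parse_entered_code(const char *text)
{
    return (uint32_t)strtoul(text, NULL, 10);
}

/* The check as deduced from the CMPs. Returns 1 on success. */
int registration_check(const char *name, const char *entered)
{
    uint32_t ebp = parse_entered_code(entered);   /* ? EBP at 004246F3 */
    if (ebp == 0)                                 /* CMP EBP, EBX ; EBX = 0 */
        return 0;
    uint32_t eax = compute_real_code(name);       /* ? EAX at 00424707 */
    return ebp == eax;                            /* CMP EBP, EAX */
}

/* What the tutorial does by hand: read EAX at the CMP, type it in. */
int accepts_real_code(const char *name)
{
    char text[16];
    snprintf(text, sizeof text, "%u", (unsigned)compute_real_code(name));
    return registration_check(name, text);
}

static unsigned hexval(int c)
{
    c = toupper(c);
    return (unsigned)(c >= 'A' ? c - 'A' + 10 : c - '0');
}

/* The "d esi+dd" step: the data window lists the bytes of a pointer in
   memory order, and x86 stores dwords little-endian, so "1C 2B D3 00"
   is 0x00D32B1C. Pass the byte columns shown after the address. */
uint32_t pointer_from_dump(const char *bytes)
{
    uint32_t value = 0;
    int n = 0;
    for (const char *p = bytes; *p && n < 4; p++) {
        if (isxdigit((unsigned char)p[0]) && isxdigit((unsigned char)p[1])) {
            uint32_t byte = (hexval(p[0]) << 4) | hexval(p[1]);
            value |= byte << (8 * n);         /* byte n occupies bits 8n..8n+7 */
            n++;
            p++;                              /* skip the second hex digit */
        }
    }
    return value;
}

int main(void)
{
    const char *name = "fravia";              /* constructed sample input */
    printf("fake code 12345 accepted: %d\n", registration_check(name, "12345"));
    printf("code read from EAX accepted: %d\n", accepts_real_code(name));
    printf("d esi+dd pointer: %08X\n", pointer_from_dump("1C 2B D3 00 50 41 00"));
    return 0;
}
```

The structural weakness the tutorial exploits is visible in registration_check: the program materializes the correct code in a register and compares it with what you typed, so one breakpoint on that CMP hands the real code to anyone who looks. A check that never computes the correct code in the clear (for instance, verifying a signature over the name with an embedded public key) cannot be read off a register this way, though it can still be patched out.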
My thanks and gratitude go to:
Fravia+ for providing possibly the greatest source of Reverse
Engineering knowledge on the Web.
+ORC for showing me the light at the end of the tunnel.