|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
|
|
||
|
|
|
There is a crack, a crack in everything. That's how the light gets in. |
|
|
|
|
|
|
:00477D6B CALL 0044AC2A
<- Is registration number legit?
F8 into this call. F10 until you reach:
:0044AC3F CALL 004C3CE0
<- Get length of Name
The routine starting at :004C3CE0 determines the length of whatever
is PUSHed just before the call to this routine. If you look at the instruction
just before this call, you'll see that your name is being pushed onto the
stack.
F10 over this call (unless you want to trace through it to see
how it works).
Notice that EAX now holds the length of the name that you had entered.
F10 until:
:0044AC59 CALL 004C3CE0 <- Get length of Organization
F10 over this call. EAX now holds the length of the Organization
that you had entered.
F10 until:
:0044AC9D CALL 00496A04 <- Copies Name to another location in memory
F10 over this call. EAX now holds the new location of the Name
that you had entered. To prove this to yourself, type d EAX
F10 until:
:0044ACAC CALL 00496A04 <- Copies Organization to another location in memory
F10 over this call. EAX now holds the new location of the Organization
that you had entered.
F10 until:
:0044ACBB CALL 00496A04 <- Copies fake reg number to another location
F10 over this call. EAX now holds the new location of the fake
reg number that you had entered.
F10 until:
:0044ACC8 CALL 00496A74 <- Get length of fake reg number at new location
F10 over this call (you can F8 into this call to see how it works,
if you want to). EAX now holds the length of the fake reg number.
F10 until:
:0044ACDD CALL 004C3CE0 <- Get length of Name
F10 over this call. EAX now holds the length of the Name that
you had entered.
F10 until:
:0044ACF2 CALL 004C3CE0 <- Get length of Organization
F10 over this call. As usual, EAX now holds the length of the
Organization that you had entered. Are you starting to realize how convoluted
this code is? Imagine if you had traced each and every call (as I did,
just out of curiosity)!
F10 until:
:0044AD04 CALL 0044AE54
F8 into this call (about time, eh?).
F10 until:
:0044AE63
CALL 004C3CE0 <- Get length of fake
reg number
:0044AE68
CMP EAX, 0C <- Is fake
reg number 12 characters long?
:0044AE6B
POP ECX
:0044AE6C
JNZ 0044AEA7 <- No? Then jump.
F10 over the call at :0044AE63. EAX now holds the length of the
fake reg number.
F10 until:
:0044AE73 CALL 004C3E00 <- Copy fake reg number to new location
F10 over this call. EAX now holds the new location of the fake
reg number.
F10 until:
:0044AE7E CALL 0044AE01
F8 into this call.
F10 until:
:0044AE32 CALL 0044AD81
F8 into this call.
F10 until you get to this interesting section of code:
:0044ADB1 MOV ECX, [EBP+0C]
:0044ADB4 MOV [ECX], ESI
Now would be a good time to type d ecx in Softice. You might
want to leave the data window here and not dump any other memory
locations. *wink*
F10 and keep on hitting F10...*twiddling my thumbs, here*
Sooner or later, you're going to notice that the first 4 characters
of your fake registration number (if you made your reg number 12 characters
long, that is) are in the data window with 8 other characters following.
Did you notice that the whole garbled mess is 12 characters long? My own
data window (set to ECX, as your's should be) shows: CracCqtGvDPL
That is the REAL registration number.
Clear your breakpoints by typing bc *
Now, type X to return to the program, and click on "Ok" (well,
did you NOT expect a message box to pop up? *grin*). Now enter your name,
organization and REAL registration number in the registration dialog box
(if you have trouble finding the box, Click on Help and then click
on Register Opera...). Got it? Good. Now, click on Register.
Program cracked.
|
|
|
|
My thanks and gratitude goes to:-
Fravia+ for providing possibly the greatest
source of Reverse Engineering
knowledge on the Web.
+ORC for showing me the light at the end
of the tunnel.
|
|
| [ Return ] |