
                Cracking for newbies #3 - by woody^drn

How to crack WinAmp Skin Maker v1.2 at http://members.tripod.com/ajie_g/

Now this is a very easy task :) First run the program and let's check
what it says. About->Register. I write woody as my name and 111666111 as my serial.

Now it says "Wrong registration number!", hmmm, doesn't look like a
messagebox so it's probably a dialogbox. I'm gonna try breaking on
GetDlgItemTextA in SoftICE.

Write my name and serial again, enter ... *Boom* we're in SoftICE.
Okay .. F11 to return to the caller, and we land here:

* Reference To: USER32.GetDlgItemTextA, Ord:00F5h
                                  |
:00406D7A 8B3D74254300            mov edi, dword ptr [00432574]
:00406D80 56                      push esi
:00406D81 FFD7                    call edi
:00406D83 8D442438                lea eax, dword ptr [esp+38]

Right there .. well, take a look at eax, ebx, ecx, edx and the others.
Nothing special there .. well, F10 to walk further.

:00406D87 6A29                    push 00000029
:00406D89 50                      push eax

* Possible Reference to Dialog: DialogID_008A, CONTROL_ID:03FD, ""
                                  |
:00406D8A 68FD030000              push 000003FD
:00406D8F 56                      push esi
:00406D90 FFD7                    call edi

A call .. hmm, don't wanna step into a call the first time .. it's like
having sex on the first date you have with a girl .. I don't do that ..
okay, well I do, but ... next line.

:00406D92 8D44240C                lea eax, dword ptr [esp+0C]
:00406D96 50                      push eax
:00406D97 E894100000              call 00407E30

A call .. just walk over it .. check eax, ebx and the others. Anything
special? Naah.

:00406D9C 83C404                  add esp, 00000004
:00406D9F 8BD8                    mov ebx, eax
:00406DA1 8D442438                lea eax, dword ptr [esp+38]
:00406DA5 50                      push eax
:00406DA6 E8550F0000              call 00407D00

Something special?? Yeah .. type "? eax" and we'll see our serial (the
second call converted the string we typed into a number).
Okay, we're close now ..

:00406DAB 83C404                  add esp, 00000004
:00406DAE 8BF8                    mov edi, eax
:00406DB0 85FF                    test edi, edi
:00406DB2 7537                    jne 00406DEB

It moves eax (our serial) into edi, tests it, and since it's not zero it jumps to 00406DEB ..

:00406DEB 3BFB                    cmp edi, ebx
:00406DED 7535                    jne 00406E24
:00406DEF 8D44240C                lea eax, dword ptr [esp+0C]

Compares edi with ebx ... hmmm, what's in ebx? "? ebx" and it will show
2865835. Guess what?? That's the real serial .. easy, huh?

Clear our breakpoints, press F5, enter the new serial and WOW,
registered!
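The reason this was so easy is the shape of the check: the program computes the valid serial itself (ebx), converts what we typed (edi), and compares the two, so the real serial sits in a register right before the cmp. The C below is an added illustration, not code from WinAmp Skin Maker: derive_serial is an invented stand-in for the unknown routine at 00407E30, check_weak mirrors the listing, and check_digest shows the shape a program should use instead, comparing one-way digests so that no register ever holds a valid serial.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the routine at 00407E30; the tutorial never shows how ebx is
 * derived, so this formula is invented purely for the demo. */
uint32_t derive_serial(const char *name) {
    uint32_t acc = 5381;
    for (; *name; name++) acc = acc * 33u + (unsigned char)*name;
    return acc % 10000000u;            /* seven digits, like 2865835 */
}

/* Weak check, shaped like the listing: ebx = derived serial, edi = number
 * parsed from the input, then "test edi,edi" and "cmp edi,ebx". The valid
 * serial is fully materialised in a register before the compare, which is
 * exactly what "? ebx" exposed. */
int check_weak(const char *name, const char *serial) {
    uint32_t expected = derive_serial(name);                 /* ebx */
    uint32_t entered  = (uint32_t)strtoul(serial, NULL, 10); /* edi */
    if (entered == 0) return 0;                              /* test edi,edi */
    return entered == expected;                              /* cmp edi,ebx */
}

/* One-way digest (32-bit FNV-1a) over "name:serial". */
uint32_t license_digest(const char *name, const char *serial) {
    uint32_t h = 2166136261u;
    const char *parts[3] = { name, ":", serial };
    for (int i = 0; i < 3; i++)
        for (const char *p = parts[i]; *p; p++) {
            h ^= (unsigned char)*p;
            h *= 16777619u;
        }
    return h;
}

/* Hardened shape (simplified): compare a digest of the entered pair against
 * a digest carried in the licence record (assumed to be issued by the vendor
 * and, in a real product, signed). At the compare a debugger sees two
 * digests, never a valid serial. */
int check_digest(const char *name, const char *serial, uint32_t stored) {
    return license_digest(name, serial) == stored;
}
```

Comparing digests closes the leak this tutorial exploits but does nothing about the branch itself, which is why vendors who care use signed licences verified with a public key rather than any secret the client could recompute.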

That's all ... 

-wOODY^dRN

