HOW TO REGISTER ANIMAGIC GIF 1.03 

Tutorial by UmE

Introduction: finally, guys, here is my first tutorial about Code Reverse Engineering, in 
which I will try to explain how to register Animagic Gif 1.03.

Necessary tools: W32Dasm version 8.9, a hex editor (I used WinHex 8.0).

Program description: Animagic version 1.03, animagic32.exe, 536.576 bytes.

Let's start!!!

Step 1: first of all, after installing the program, we start the application from the Start 
menu or by double-clicking animagic32.exe. As you will notice, an annoying nag screen appears 
telling us that we have used the program for N days and that after 30 days some functions 
will be disabled. From there we can register online, fill in a form to register via e-mail, 
or continue in shareware mode. Let's click on "Continue" and the program shows us its main 
window. Now we go to the "Help" menu and select the item "Enter name and password"; we type 
our name and a registration number that will naturally turn out to be wrong, and in fact the 
program tells us that the number entered is not valid ("Registration failed: Invalid 
Password").

Step 2: let's open W32Dasm and disassemble the program we want to unprotect 
(animagic32.exe). We go to the Refs menu, select the item String Data Reference and search 
for the string that Animagic Gif returned when we entered the wrong code. Now double-click on 
the string found and W32Dasm takes us to the section of code that references it. We will in 
fact find:

: 0042045A  83C414          add esp, 0000014
: 0042045D  EB3D            jmp 0042049C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|  : 004203ED (C)
|
* Possible StringData Ref from Data obj -> "Registration failed: Invalid Password"

: 00420465  680B954600      push 0046950B

This means that the program jumps to the address 00420465 depending on the result of the 
conditional jump (C) located at the address 004203ED.
Still in W32Dasm, we go to the "Goto" menu, select the item "Goto code location" and enter 
the address 004203ED, to see what determines the jump to the address 00420465.

W32Dasm takes us once again to the requested address, and this time the code shown will be 
the following:


: 004203E1  A2D1334700      mov byte ptr [004733D1], al
: 004203E6  803DD133470000  cmp byte ptr [004733D1], 00
: 004203ED  7470            je  0042045F

The first instruction moves the content of al into the memory cell 004733D1, the second 
compares this value with 0 and the third jumps to the instruction at 0042045F (wrong 
registration number!!!) if the two values are equal. This suggests that the program sets the 
value of al according to whether it is registered or not: 0 = not registered, 1 = registered. 
We therefore need to make sure that al is always equal to 1, but where is the value of al 
decided? If we scroll up a little with the up arrow key, starting from the instruction at the 
address 004203ED, we notice that shortly before there is a call to a function, and that call 
is what really determines the value of al.

: 004203DB  E81DD3FFFF      call 0041D6FD

Let's enter the function and, scrolling down, we will see:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|  : 0041D75E (C)
|
: 0041D767  B001            mov al, 01
: 0041D769  EB09            jmp 0041D774

The first instruction is the one that sets al = 1 (registered), while the second jumps to 
the final part of the function, which returns to the call site. In this case too the 
instruction at 0041D767 is referenced by a conditional jump located at the address 0041D75E. 
Let's go and find out what is at that address.

: 0041D757  3B45FC          cmp eax, dword ptr [ebp-04]
: 0041D75A  750F            jne 0041D76B
: 0041D75C  85DB            test ebx, ebx
: 0041D75E  7507            jne 0041D767

To make the program follow the right flow and execute the instruction at the address 
0041D767, it is necessary to change the instruction jne 0041D76B into je 0041D76B (all it 
takes is changing the byte 75 into 74 with a hex editor) and the jne 0041D767 into jmp 
0041D767 (all it takes is changing the byte 75 into EB). Once the change is made, let's 
restart Animagic Gif....et voilà!! The nag screen now shows "Registered to: ...", and it can 
be disabled for the next times the program is run.
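To check the addresses that W32Dasm shows above against the raw bytes, here is a small Python decoder (an added example, not part of the original tutorial) for the rel8 jumps and the rel32 call that appear in the listing. The LISTING table is copied from the tutorial's own lines; the decoder and its names are mine.

```python
# Added example (not from the tutorial): decode the relative branches that
# W32Dasm lists above and recompute their targets from the raw bytes.
import struct

# Opcodes appearing in the tutorial's listing: rel8 jumps and the rel32 call.
REL8_OPCODES = {0x74: "je", 0x75: "jne", 0xEB: "jmp"}
REL32_OPCODES = {0xE8: "call"}


def decode_branch(address, code):
    """Decode one relative branch at `address` from `code` (bytes).

    Returns (mnemonic, target). The displacement is signed and relative to
    the address of the *next* instruction, which is why 7470 at 004203ED
    lands at 0042045F: 0x4203ED + 2 + 0x70.
    """
    opcode = code[0]
    if opcode in REL8_OPCODES:
        disp = struct.unpack("<b", code[1:2])[0]        # signed 8-bit
        return REL8_OPCODES[opcode], (address + 2 + disp) & 0xFFFFFFFF
    if opcode in REL32_OPCODES:
        disp = struct.unpack("<i", code[1:5])[0]        # signed 32-bit LE
        return REL32_OPCODES[opcode], (address + 5 + disp) & 0xFFFFFFFF
    raise ValueError(f"unsupported opcode {opcode:02X}")


# The branch lines quoted in the tutorial: (address, bytes as hex string).
LISTING = [
    (0x0042045D, "EB3D"),
    (0x004203DB, "E81DD3FFFF"),
    (0x004203ED, "7470"),
    (0x0041D75A, "750F"),
    (0x0041D75E, "7507"),
    (0x0041D769, "EB09"),
]


def decode_listing(listing=LISTING):
    """Decode every entry; returns {address: (mnemonic, target)}."""
    return {addr: decode_branch(addr, bytes.fromhex(hx)) for addr, hx in listing}


if __name__ == "__main__":
    for addr, (mnem, target) in decode_listing().items():
        print(f"{addr:08X}  {mnem:<5} {target:08X}")
```

Every target the decoder computes matches the operand W32Dasm printed, including the backward call whose rel32 displacement (1DD3FFFF, little-endian) is negative.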

That's all for now, I hope this tutorial will be useful to someone!!!

For corrections and suggestions contact me at ume15@hotmail.com

Thanks to Volatility and all the Immortal Descendants.

UmE