daemon
December 25th, 2000, 21:59
I've got a question and forgive me if it's rather stupid but here goes. I've read thru Goatass's tutorial on cracking l0phtcrack 2.5.2
<snippet of tut>
Run the program and you should see a nag screen showing you how many days you have left (15 days total) and there is also a "Register" button. Click the "Register" button and you should see a dialog box with a grayed out box with the pre-assigned serial number and below it there will be a box for your unlock code. The unlock code is alphanumeric but that doesn't matter right now. Go ahead and put any number you like, I used 12345678.

Now go into SoftICE (Ctrl+D) and set a breakpoint on GetWindowTextA (BPX GetWindowTextA). The approach here is to break right after the program reads your unlock code and then uses it along with the pre-assigned serial number to generate and compare the good unlock code. Now get out of SoftICE (X) and click the OK button. SoftICE breaks, press F11 to return to the calling function, that reads in the pre-assigned serial number. Now press F5 to read your unlock code, SoftICE breaks a second time, press F11 again and now you are in the program's code. Trace through the code until you get to this part:

:00406345 MOV EAX, [EBX] <-- if you type D EAX you will see the code you entered.
:00406347 LEA ECX, [ESP+1C] <-- here is the 1st unlock code, D ECX to view it.
</snippet of tut>
How did he know to go to 00406345? I've followed thru w/this using SoftICE on my machine and I don't see any hints that reference this.
If anyone's interested I performed roughly the same crack w/W32dsm...