View Full Version : Memory places??


Bubbleman
February 17th, 2001, 19:37
Hi,

I've got a question about the places in memory where information about registration is stored. In many shareware programs, there is a place in memory that is used to check whether the program is registered or not.

For example:

cmp [00494858],01
je 04483834

Just like that. That's easy to crack, because all I would have to do here is search for all the places in the code where the memory at 00494858 is changed to 0 and make all these places put a 01 into the memory place.

But in many programs it is like that:

cmp [esi+4808],01
je 08768878

This is more difficult because I don't know the value of esi.
My question is: Are all [esi+4808] variables for the same place in memory, or could it be that the variable is set in a line like [esi+5875], just with another value for esi?


Thanks

Clandestiny
February 17th, 2001, 20:53
Quote:
Bubbleman (02-17-2001 08:37):
This is more difficult because I don't know the value of esi.
My question is: Are all [esi+4808] variables for the same place in memory, or could it be that the variable is set in a line like [esi+5875], just with another value for esi?


In my experience, if there is a flag comparison cmp [esi+4808],0, the reg flag will remain in this same place in memory throughout the duration of the program, though it may be checked multiple times. Because of this you can search and bpm it the same way as the direct memory location. I don't think you would normally see another [esi+5875] pointing to the same memory location with just a different esi value. The esi is most likely a base memory location for where some of the variables the program uses are stored, and the 4808 is an offset from that base location. IMHO, it seems unlikely that the base location for the variable would arbitrarily change like that... most likely it is determined during run-time by the computer and would have nothing to do with deliberate programmer obfuscation.

Regards :-)
Clandestiny
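
The base-plus-offset addressing discussed in this thread, as an added C example that is not part of either post: a compiler fixes a field's displacement at build time, while the base pointer is only known at run time. The struct names and padding sizes are assumptions, chosen so that the displacements match the 4808 and 5875 (read as hex) quoted above; the second check goes beyond the thread and shows how one byte can be reached through a pointer to an inner object and through a pointer to the object that encloses it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical layout (assumption): padding puts the flag at displacement
   0x4808 from the start of the inner object. */
struct settings {
    char pad[0x4808];
    uint8_t flag;                 /* reached as [settings_ptr + 0x4808] */
};

/* Hypothetical enclosing object: 0x106D + 0x4808 = 0x5875. */
struct app {
    char header[0x106D];
    struct settings cfg;          /* flag reached as [app_ptr + 0x5875] */
};

/* Displacements are compile-time constants. */
size_t disp_from_settings(void) { return offsetof(struct settings, flag); }
size_t disp_from_app(void) {
    return offsetof(struct app, cfg) + offsetof(struct settings, flag);
}

/* The address formed for an operand of the form [base + disp]. */
uintptr_t effective_address(const void *base, size_t disp) {
    return (uintptr_t)base + disp;
}

/* Returns 1 if both observations hold, 0 if not, -1 on allocation failure. */
int check_layout(void) {
    struct app *a = calloc(1, sizeof *a);
    struct app *b = calloc(1, sizeof *b);
    if (!a || !b) { free(a); free(b); return -1; }

    /* Same displacement, two run-time bases: two different bytes. */
    int distinct = effective_address(&a->cfg, disp_from_settings())
                != effective_address(&b->cfg, disp_from_settings());

    /* Different base and different displacement, one object: same byte. */
    uintptr_t via_app = effective_address(a, disp_from_app());
    uintptr_t via_cfg = effective_address(&a->cfg, disp_from_settings());
    int aliased = via_app == via_cfg && via_app == (uintptr_t)&a->cfg.flag;

    free(a); free(b);
    return distinct && aliased;
}

int main(void) { return check_layout() == 1 ? 0 : 1; }
```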