Where do I have to dig further?


real newbie
June 20th, 2006, 03:25
Hello friends!
I've found the registration piece of code (I think) and ask you: "Where do I have to dig further?"


It is from Olly:
----------------------------------------------------------------------------

004664D0 /. 55 PUSH EBP
004664D1 |. 8BEC MOV EBP,ESP
004664D3 |. 6A 00 PUSH 0
004664D5 |. 6A 00 PUSH 0
004664D7 |. 53 PUSH EBX
004664D8 |. 8BD8 MOV EBX,EAX
004664DA |. 33C0 XOR EAX,EAX
004664DC |. 55 PUSH EBP
004664DD |. 68 B9654600 PUSH someprog.004665B9
004664E2 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004664E5 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004664E8 |. 8D4D FC LEA ECX,[LOCAL.1]
004664EB |. BA D0654600 MOV EDX,someprog.004665D0 ; ASCII "Please enter the registration key"
004664F0 |. B8 FC654600 MOV EAX,someprog.004665FC ; ASCII "Registration"
004664F5 |. E8 8E93FEFF CALL someprog.0044F888
004664FA |. 84C0 TEST AL,AL
004664FC |. 0F84 9C000000 JE someprog.0046659E ; ** no MessageBox at all ???
00466502 |. 8D55 F8 LEA EDX,[LOCAL.2] ; ** in EDX 0
00466505 |. 8B45 FC MOV EAX,[LOCAL.1] ; ** in EAX addr of user KEY in memdump
00466508 |. E8 2B1CFAFF CALL someprog.00408138 ; ** ????
0046650D |. 8B55 F8 MOV EDX,[LOCAL.2] ; ** in EDX addr of user KEY in memdump
00466510 |. 8D45 FC LEA EAX,[LOCAL.1] ; ** in EAX user KEY from stack
00466513 |. E8 E8D6F9FF CALL someprog.00403C00 ; ** ????
00466518 |. 8B45 FC MOV EAX,[LOCAL.1] ; ** in EAX addr of user KEY in memdump
0046651B |. E8 C4010000 CALL someprog.004666E4 ; ** ????
00466520 |. A2 544A4900 MOV BYTE PTR DS:[494A54],AL
00466525 |. 803D 544A4900>CMP BYTE PTR DS:[494A54],0 ; ** in AL cannot be 0

0046652C 74 5B JE SHORT someprog.00466589 ; ** "NOT valid serial key" MessageBox
0046652E |. B8 584A4900 MOV EAX,someprog.00494A58
00466533 |. 8B55 FC MOV EDX,[LOCAL.1]
00466536 |. E8 81D6F9FF CALL someprog.00403BBC
0046653B |. BA 14664600 MOV EDX,someprog.00466614 ; ASCII "Continue"
00466540 |. 8B83 D0020000 MOV EAX,DWORD PTR DS:[EBX+2D0]
00466546 |. E8 3567FCFF CALL someprog.0042CC80

0046654B |. B2 01 MOV DL,1
0046654D |. 8B83 D0020000 MOV EAX,DWORD PTR DS:[EBX+2D0]
00466553 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
00466555 |. FF51 5C CALL DWORD PTR DS:[ECX+5C]
00466558 |. 33D2 XOR EDX,EDX
0046655A |. 8B83 D8020000 MOV EAX,DWORD PTR DS:[EBX+2D8]
00466560 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
00466562 |. FF51 5C CALL DWORD PTR DS:[ECX+5C]
00466565 |. 33D2 XOR EDX,EDX
00466567 |. 8B83 D4020000 MOV EAX,DWORD PTR DS:[EBX+2D4]
0046656D |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
0046656F |. FF51 5C CALL DWORD PTR DS:[ECX+5C]
00466572 |. 6A 00 PUSH 0 ; /Arg1 = 00000000
00466574 |. 66:8B0D 20664>MOV CX,WORD PTR DS:[466620] ; |
0046657B |. B2 02 MOV DL,2 ; |
0046657D |. B8 2C664600 MOV EAX,someprog.0046662C ; |ASCII "Application is successfully registered."
00466582 |. E8 E591FEFF CALL someprog.0044F76C ; \someprog.0044F76C
00466587 |. EB 15 JMP SHORT someprog.0046659E
00466589 |> 6A 00 PUSH 0 ; /Arg1 = 00000000
0046658B |. 66:8B0D 20664>MOV CX,WORD PTR DS:[466620] ; |
00466592 |. 33D2 XOR EDX,EDX ; |
00466594 |. B8 5C664600 MOV EAX,someprog.0046665C ; |ASCII "The registration key is not valid. Application is not registered."
00466599 |. E8 CE91FEFF CALL someprog.0044F76C ; \someprog.0044F76C
0046659E |> 33C0 XOR EAX,EAX
004665A0 |. 5A POP EDX
004665A1 |. 59 POP ECX
004665A2 |. 59 POP ECX
004665A3 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004665A6 |. 68 C0654600 PUSH someprog.004665C0
004665AB |> 8D45 F8 LEA EAX,[LOCAL.2]
004665AE |. BA 02000000 MOV EDX,2
004665B3 |. E8 D4D5F9FF CALL someprog.00403B8C
004665B8 \. C3 RETN

-----------------------------------------------------
Any helping words will be appreciated.

Silver
June 20th, 2006, 05:52
You need to edit your post immediately and remove the labels that identify your target software.

What you've highlighted in blue (and 004664F5 onwards) appears to be calls to the code that prepares and validates the registration information. Patching the jumps in the code you've posted will likely only skip the registration validation and display a "valid serial" good-boy message box, it's unlikely to actually defeat the protection. You'll need to dig further into the calls to find the code that actually registers the program, probably in the call at 0046651B.

You seem to be on the right track, keep going!

real newbie
June 20th, 2006, 06:37
Thank you for quick answer.
Target software name renamed - I am a newbie in forums too

As I understand it, first of all I have to take a deep look at the CALL which is nearest to the final CMP?

Ok, I will try

Thank you again

naides
June 20th, 2006, 10:16
Quote:
[Originally Posted by real newbie]
00466518 |. 8B45 FC MOV EAX,[LOCAL.1] ; ** in EAX addr of user KEY in memdump
0046651B |. E8 C4010000 CALL someprog.004666E4 ; ** ????
00466520 |. A2 544A4900 MOV BYTE PTR DS:[494A54],AL
00466525 |. 803D 544A4900>CMP BYTE PTR DS:[494A54],0 ; ** in AL cannot be 0



You got it right: CALL someprog.004666E4 returns 1 in AL for good boy and 0 in AL for bad boy.

AND it stores it in a GLOBAL variable

MOV BYTE PTR DS:[494A54]

if [494A54] equals 1 you are registered.


TRY this: Force AL to be 1 and let it store it at
[494A54], by changing the instructions

00466518 |. 8B45 FC MOV EAX,[LOCAL.1]
0046651B |. E8 C4010000 CALL someprog.004666E4

to

XOR EAX,EAX
INC EAX

NOP
NOP
NOP
NOP
NOP (as many nops as it takes to fill the instructions)

so the CALL someprog.004666E4 is never called

see if it makes you registered.

Otherwise, find areas in the program that read to and write to the global memory place [494A54]

and make sure no other place in the code writes a 0 to it. I would guess that it will keep you in a "registered" status.

just a suggestion

LLXX
June 20th, 2006, 23:18
I'd just take the easy way and NOP the red jump to see what happens. Only delve deeper into the protection if you want to keygen it, otherwise just do the easiest edit. If NOP'ing the jump doesn't help, then I'd go ahead and kill most of the blue code too.

real newbie
June 21st, 2006, 03:38
I'm nicely surprised to have so many answers from you, sincere thanks to you all!

What I've found out:

I made the changes from naides - hammered 1 into EAX and NOP'd the check procedure. It was OK - I saw the good boy MessageBox and the program started with full functionality. The user KEY (I entered 123456789) was written into the registry.
It was all OK - but only for one start under Olly.

I've found out that when the program starts it reads the KEY from the registry (123456789 in this case) and makes a CALL to exactly the same check procedure. Of course the KEY is wrong and I get the register prompt window again:

00480F0C > PUSH EBP ; ** after restart Olly stops here (begin main ?)
00480F0D MOV EBP,ESP
00480F0F ADD ESP,-0C
00480F12 MOV EAX,someprog.00480C1C
00480F17 CALL someprog.004063EC
00480F1C MOV EAX,DWORD PTR DS:[493564]
00480F21 MOV EAX,DWORD PTR DS:[EAX]
00480F23 CALL someprog.0044B094
00480F28 MOV EAX,DWORD PTR DS:[493564]
00480F2D MOV EAX,DWORD PTR DS:[EAX]
00480F2F MOV EDX,someprog.00480F58 ; ASCII "Some Program caption"
00480F34 CALL someprog.0044AC98
00480F39 CALL someprog.0047F4D0 ; ** a couple of CALLs reach the check procedure
....

someprog.0047F4D0:

0047F4D0 /$ 55 PUSH EBP ; ** begin
0047F4D1 |. 8BEC MOV EBP,ESP
0047F4D3 |. 6A 00 PUSH 0
0047F4D5 |. 6A 00 PUSH 0
0047F4D7 |. 33C0 XOR EAX,EAX
0047F4D9 |. 55 PUSH EBP
0047F4DA |. 68 A3F54700 PUSH someprog.0047F5A3
0047F4DF |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0047F4E2 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0047F4E5 |. A1 5C364900 MOV EAX,DWORD PTR DS:[49365C]
0047F4EA |. E8 5D76FEFF CALL someprog.00466B4C
....

someprog.00466B4C:

00466B4C /$ 55 PUSH EBP
00466B4D |. 8BEC MOV EBP,ESP
00466B4F |. 83C4 F4 ADD ESP,-0C
00466B52 |. 53 PUSH EBX
00466B53 |. 56 PUSH ESI
00466B54 |. 33D2 XOR EDX,EDX
00466B56 |. 8955 FC MOV [LOCAL.1],EDX
00466B59 |. 8BF0 MOV ESI,EAX
00466B5B |. 33C0 XOR EAX,EAX
00466B5D |. 55 PUSH EBP
00466B5E |. 68 4C6C4600 PUSH someprog.00466C4C
00466B63 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00466B66 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00466B69 |. E8 FEBDF9FF CALL someprog.0040296C
00466B6E |. 8D4D FC LEA ECX,[LOCAL.1]
00466B71 |. 8B46 14 MOV EAX,DWORD PTR DS:[ESI+14]
00466B74 |. BA 01000080 MOV EDX,80000001
00466B79 |. E8 E6FCFFFF CALL someprog.00466864 ; this CALL reads my KEY "123456789" from registry
00466B7E |. 8B55 FC MOV EDX,[LOCAL.1]
00466B81 |. A1 F4344900 MOV EAX,DWORD PTR DS:[4934F4]
00466B86 |. E8 31D0F9FF CALL someprog.00403BBC
00466B8B |. A1 F4344900 MOV EAX,DWORD PTR DS:[4934F4]
00466B90 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
00466B92 |. E8 4DFBFFFF CALL someprog.004666E4 ; CALL to check procedure
....


I must say it was my first acquaintance with Olly, disassembling, assembler, opcodes ...
It is a really interesting adventure. For now I think I must learn more about assembly language, programming methods and strategies because I cannot go further with the problems described above.

Thank you all again

Maximus
June 21st, 2006, 05:18
IF it calls the same procedure for validating, alter it as:
MOV EAX, 1
RET (+stack parameters size if not cdecl)
so that every time it is called to validate, it gets back the good value...
And YES, learn assembler well... very well...
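
The two patches suggested in this thread (naides': replace the `MOV EAX,[LOCAL.1]` / `CALL 004666E4` pair at 00466518 with `XOR EAX,EAX` / `INC EAX` plus NOP fill; Maximus': overwrite the start of 004666E4 with `MOV EAX,1` / `RET`) can be applied to the file on disk rather than in Olly. The script below is an added example, not code from any of the posters; the instruction bytes come from the listing above, but the PE layout (image base, .text RVA and raw offset) and the prologue bytes at 004666E4 are constructed stand-ins, since the page never shows that function or the file headers. The plain `RET` is assumed correct because the check receives its argument in EAX (nothing is pushed before the CALL), which matches the Delphi register convention the listing suggests.

```python
"""Byte patcher for the two cracks discussed in the thread (added example).

Instruction encodings are real x86 and taken from the Olly listing.
The file layout below is CONSTRUCTED for the example, not the real target's.
"""
import struct

NOP = 0x90

# Constructed PE layout (assumption; read the real values from the section table).
IMAGE_BASE = 0x400000
TEXT_RVA = 0x1000      # section VirtualAddress
TEXT_RAW = 0x400       # section PointerToRawData
TEXT_SIZE = 0x90000

# Listing at 00466518..0046651F:  8B 45 FC  MOV EAX,[LOCAL.1]  /  E8 C4 01 00 00  CALL 004666E4
CALL_SITE_VA = 0x466518
ORIG_CALL_SITE = bytes.fromhex("8B45FC" "E8C4010000")
CHECK_VA = 0x4666E4

# naides' patch: 33 C0 XOR EAX,EAX ; 40 INC EAX ; rest filled with NOPs
NAIDES_PATCH = bytes.fromhex("33C0" "40")
# Maximus' patch at the entry of 004666E4: B8 01 00 00 00 MOV EAX,1 ; C3 RET
# (plain RET assumed: argument is passed in EAX, nothing on the stack)
MAXIMUS_PATCH = bytes.fromhex("B801000000" "C3")
# The page never shows 004666E4's body; a standard Delphi prologue is ASSUMED here.
ASSUMED_CHECK_PROLOGUE = bytes.fromhex("558BEC")   # PUSH EBP / MOV EBP,ESP


def va_to_file_offset(va, image_base=IMAGE_BASE, sec_rva=TEXT_RVA,
                      sec_raw=TEXT_RAW, sec_size=TEXT_SIZE):
    """Map a virtual address to a file offset through one section's header."""
    rva = va - image_base
    if not (sec_rva <= rva < sec_rva + sec_size):
        raise ValueError(f"VA {va:#x} is outside the section")
    return rva - sec_rva + sec_raw


def call_target(call_va, rel32):
    """Target of an E8 rel32 CALL: address of the next instruction plus the signed displacement."""
    (disp,) = struct.unpack("<i", rel32)
    return (call_va + 5 + disp) & 0xFFFFFFFF


def pad_with_nops(original_len, replacement):
    """Fill the rest of the overwritten instructions with NOPs; refuse if it does not fit."""
    if len(replacement) > original_len:
        raise ValueError("replacement is longer than the instructions it overwrites")
    return replacement + bytes([NOP]) * (original_len - len(replacement))


def patch_unique(image, original, replacement):
    """Overwrite exactly one occurrence of `original`; refuse on zero or several hits."""
    first = image.find(original)
    if first < 0:
        raise ValueError("pattern not found")
    if image.find(original, first + 1) >= 0:
        raise ValueError("pattern is not unique; patch by offset instead")
    out = bytearray(image)
    out[first:first + len(original)] = pad_with_nops(len(original), replacement)
    return bytes(out), first


def patch_at(image, offset, replacement, expect=None):
    """Overwrite bytes at a known file offset, checking what is there first if asked."""
    if expect is not None and image[offset:offset + len(expect)] != expect:
        raise ValueError(f"unexpected bytes at {offset:#x}: "
                         f"{image[offset:offset + len(expect)].hex()}")
    out = bytearray(image)
    out[offset:offset + len(replacement)] = replacement
    return bytes(out)


def build_fake_image():
    """Constructed stand-in for the target file: INT3 filler with the two known spots filled in."""
    img = bytearray(b"\xCC" * (TEXT_RAW + TEXT_SIZE))
    off = va_to_file_offset(CALL_SITE_VA)
    img[off:off + len(ORIG_CALL_SITE)] = ORIG_CALL_SITE
    off2 = va_to_file_offset(CHECK_VA)
    img[off2:off2 + len(ASSUMED_CHECK_PROLOGUE)] = ASSUMED_CHECK_PROLOGUE
    return bytes(img)


def apply_naides_patch(image):
    """Skip the check at the one call site in the registration dialog."""
    return patch_unique(image, ORIG_CALL_SITE, NAIDES_PATCH)


def apply_maximus_patch(image):
    """Make the check itself always return 1, which also covers the startup re-check."""
    target = call_target(CALL_SITE_VA + 3, ORIG_CALL_SITE[4:8])  # the CALL sits 3 bytes in
    if target != CHECK_VA:
        raise ValueError(f"CALL resolves to {target:#x}, not {CHECK_VA:#x}")
    return patch_at(image, va_to_file_offset(target), MAXIMUS_PATCH,
                    expect=ASSUMED_CHECK_PROLOGUE)


if __name__ == "__main__":
    img = build_fake_image()
    patched, off = apply_naides_patch(img)
    print(f"naides: {off:#x} -> {patched[off:off + 8].hex()}")
    off2 = va_to_file_offset(CHECK_VA)
    print(f"maximus: {off2:#x} -> {apply_maximus_patch(img)[off2:off2 + 6].hex()}")
```

Resolving the CALL's rel32 before patching is the check that matters: it confirms the function you are about to overwrite is the one both the dialog and the startup path actually call, which is why Maximus' variant survives the registry re-check that defeated the first attempt.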

real newbie
June 21st, 2006, 08:40
I cracked my first program (saved $19.95).

Thank you all for all the help.

I think from now on I cannot live without it

I will drink "Lvivs'ke 1715" beer today at last!

Woodmann
June 21st, 2006, 20:08
Oh I see......

You don't have any money for software but you have money for beer.


Woodmann

naides
June 21st, 2006, 21:14
Quote:
[Originally Posted by Woodmann]Oh I see......

You don't have any money for software but you have money for beer.


Woodmann


Priorities are Priorities!

A piece of Software is something that you have and buy every day,
but a Beer, a Beer!
You only purchase once in a life time!!!!

uhmm... How was that, did I get it right?

Maximus
June 22nd, 2006, 14:07
uhm... I thought it was the opposite...

real newbie
June 23rd, 2006, 03:24
Two more rabbits shot down ...

First - with the methods above.
Second - dully, because (as I suddenly ascertained) some programs save a hardcopy of the "secret" code within their additional dll - a simple and dull comparison.

HAND