Dark Heaven - Tutorial: Registering WinInBlack 99

Program:      WinInBlack 99 v2.1sG   Build 294
Description:  Modifies Windows 95/98 system settings
Author:       (C) 1997-99 BaqSoft Software Labs
Size:         3,080,704 bytes (WIB99.EXE)


Tool:         - W32DASM v8.93


1. Start WININBLACK 99 and then W32DASM.


2. Disassemble WIB99.EXE via [Debug/Attach to an Active Process].


3. Now use [Refs/String Data References] to look for the error message
   "Achtung falsche Daten!" ("Attention, wrong data!"). Double-clicking the
   reference shows the corresponding line in the listing: 004B1232.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B110A(C)
|
:004B121D 8B45FC                  mov eax, dword ptr [ebp-04] ; <- find the jump to here
:004B1220 8B9810020000            mov ebx, dword ptr [eax+00000210]

* Possible StringData Ref from Code Obj ->"Registrierung"
                                  |
:004B1226 BAF4124B00              mov edx, 004B12F4
:004B122B 8BC3                    mov eax, ebx
:004B122D E86E22FFFF              call 004A34A0

* Possible StringData Ref from Code Obj ->"Achtung falsche Daten!"
                                  |
:004B1232 BA24144B00              mov edx, 004B1424      ; <- the reference we found
:004B1237 8BC3                    mov eax, ebx
:004B1239 E8FE21FFFF              call 004A343C
:004B123E 8B1550154B00            mov edx, dword ptr [004B1550]
:004B1244 8BC3                    mov eax, ebx
:004B1246 E8C522FFFF              call 004A3510
:004B124B 8BC3                    mov eax, ebx
:004B124D E8B220FFFF              call 004A3304
:004B1252 6683F802                cmp ax, 0002


4. To find the jump instruction that leads to the error message, we search
   with [Search/Find Text] for the address 004B121D.

:004B1030 55                      push ebp
:004B1031 8BEC                    mov ebp, esp
:004B1033 81C4E4FEFFFF            add esp, FFFFFEE4
:004B1039 53                      push ebx
:004B103A 56                      push esi
:004B103B 57                      push edi
:004B103C 33C9                    xor ecx, ecx
:004B103E 898DECFEFFFF            mov dword ptr [ebp+FFFFFEEC], ecx
:004B1044 898DE8FEFFFF            mov dword ptr [ebp+FFFFFEE8], ecx
:004B104A 898DE4FEFFFF            mov dword ptr [ebp+FFFFFEE4], ecx
:004B1050 894DF4                  mov dword ptr [ebp-0C], ecx
:004B1053 894DF0                  mov dword ptr [ebp-10], ecx
:004B1056 8945FC                  mov dword ptr [ebp-04], eax
:004B1059 33C0                    xor eax, eax
:004B105B 55                      push ebp
:004B105C 6881124B00              push 004B1281
:004B1061 64FF30                  push dword ptr fs:[eax]
:004B1064 648920                  mov dword ptr fs:[eax], esp
:004B1067 8D85F0FEFFFF            lea eax, dword ptr [ebp+FFFFFEF0]
:004B106D 8B55F4                  mov edx, dword ptr [ebp-0C]
:004B1070 B9FF000000              mov ecx, 000000FF
:004B1075 E88E2CF5FF              call 00403D08
:004B107A 8D95F0FEFFFF            lea edx, dword ptr [ebp+FFFFFEF0]
:004B1080 B8581B4D00              mov eax, 004D1B58
:004B1085 B114                    mov cl, 14
:004B1087 E8281AF5FF              call 00402AB4
:004B108C 8D85F0FEFFFF            lea eax, dword ptr [ebp+FFFFFEF0]
:004B1092 8B55F0                  mov edx, dword ptr [ebp-10]
:004B1095 B9FF000000              mov ecx, 000000FF
:004B109A E8692CF5FF              call 00403D08
:004B109F 8D95F0FEFFFF            lea edx, dword ptr [ebp+FFFFFEF0]
:004B10A5 B8701B4D00              mov eax, 004D1B70
:004B10AA B114                    mov cl, 14
:004B10AC E8031AF5FF              call 00402AB4
:004B10B1 8D95ECFEFFFF            lea edx, dword ptr [ebp+FFFFFEEC]
:004B10B7 8B45FC                  mov eax, dword ptr [ebp-04]
:004B10BA 8B8008020000            mov eax, dword ptr [eax+00000208]
:004B10C0 E877FDF6FF              call 00420E3C
:004B10C5 8B85ECFEFFFF            mov eax, dword ptr [ebp+FFFFFEEC]
:004B10CB 50                      push eax
:004B10CC 8D95E8FEFFFF            lea edx, dword ptr [ebp+FFFFFEE8]
:004B10D2 8B45FC                  mov eax, dword ptr [ebp-04]
:004B10D5 8B800C020000            mov eax, dword ptr [eax+0000020C]
:004B10DB E85CFDF6FF              call 00420E3C
:004B10E0 8B85E8FEFFFF            mov eax, dword ptr [ebp+FFFFFEE8]
:004B10E6 50                      push eax
:004B10E7 8D95E4FEFFFF            lea edx, dword ptr [ebp+FFFFFEE4]
:004B10ED 8B45FC                  mov eax, dword ptr [ebp-04]
:004B10F0 8B8004020000            mov eax, dword ptr [eax+00000204]
:004B10F6 E841FDF6FF              call 00420E3C
:004B10FB 8B85E4FEFFFF            mov eax, dword ptr [ebp+FFFFFEE4]
:004B1101 5A                      pop edx                      ; 2nd argument (register convention: EAX, EDX, ECX)
:004B1102 59                      pop ecx                      ; 3rd argument
:004B1103 E824FEFFFF              call 004B0F2C                ; <- Execute Call: the check routine
:004B1108 84C0                    test al, al                  ; AL = 0 means the check failed
:004B110A 0F840D010000            je 004B121D      ; <- jump to the error message
:004B1110 B201                    mov dl, 01
:004B1112 A1D0914400              mov eax, dword ptr [004491D0]
:004B1117 E84882F9FF              call 00449364
:004B111C 8945F8                  mov dword ptr [ebp-08], eax
:004B111F 33C0                    xor eax, eax
:004B1121 55                      push ebp
:004B1122 68D0114B00              push 004B11D0
:004B1127 64FF30                  push dword ptr fs:[eax]
:004B112A 648920                  mov dword ptr fs:[eax], esp
:004B112D BA01000080              mov edx, 80000001            ; 80000001 = HKEY_CURRENT_USER (see step 9)
:004B1132 8B45F8                  mov eax, dword ptr [ebp-08]
:004B1135 E8BE82F9FF              call 004493F8
:004B113A B101                    mov cl, 01
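The "Referenced by a (U)nconditional or (C)onditional Jump at Address" header that W32DASM prints above 004B121D is exactly what steps 3 and 4 rely on: the string reference leads to the start of the error block, the block's cross-reference leads to the conditional jump, and the instruction before that jump is the call whose result decides everything. The following script is an added example, not part of the original tutorial or of W32DASM; it rebuilds that cross-reference lookup from a few listing lines copied from above (the sample is constructed here) and is meant for listings saved as text. Function and record names are my own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a handful of lines copied from the W32DASM listing above.
LISTING = """\
:004B1103 E824FEFFFF              call 004B0F2C                ; <- Execute Call
:004B1108 84C0                    test al, al
:004B110A 0F840D010000            je 004B121D
:004B1110 B201                    mov dl, 01
:004B121D 8B45FC                  mov eax, dword ptr [ebp-04]
:004B1220 8B9810020000            mov ebx, dword ptr [eax+00000210]
* Possible StringData Ref from Code Obj ->"Registrierung"
                                  |
:004B1226 BAF4124B00              mov edx, 004B12F4
* Possible StringData Ref from Code Obj ->"Achtung falsche Daten!"
                                  |
:004B1232 BA24144B00              mov edx, 004B1424
:004B0FA2 7562                    jne 004B1006
"""

# ":ADDR BYTES mnemonic operands ; comment"  -> address, mnemonic, operands
INSTR_RE = re.compile(r"^:([0-9A-F]{8})\s+[0-9A-F]+\s+(\S+)\s*(.*?)\s*(?:;.*)?$")
STRREF_RE = re.compile(r'^\* Possible StringData Ref from Code Obj ->"(.*)"')
ADDR_RE = re.compile(r"^[0-9A-F]{8}$")


@dataclass
class Instr:
    addr: int
    mnemonic: str
    operands: str
    string_ref: Optional[str] = None   # W32DASM's "Possible StringData Ref" header, if any


def parse_listing(text: str) -> list:
    """Turn listing lines into Instr records; a string-ref header is attached
    to the instruction that follows it, exactly as W32DASM prints it."""
    instrs, pending = [], None
    for line in text.splitlines():
        m = STRREF_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = INSTR_RE.match(line)
        if not m:
            continue                      # separator lines such as "   |" are skipped
        instrs.append(Instr(int(m.group(1), 16), m.group(2).lower(), m.group(3), pending))
        pending = None
    return instrs


def build_xrefs(instrs) -> dict:
    """target address -> [(source address, kind)], kind as W32DASM labels it:
    'C' conditional jump, 'U' unconditional jump, 'CALL' call."""
    xrefs = defaultdict(list)
    for ins in instrs:
        if not ADDR_RE.match(ins.operands):
            continue
        if ins.mnemonic == "call":
            kind = "CALL"
        elif ins.mnemonic == "jmp":
            kind = "U"
        elif ins.mnemonic.startswith("j"):
            kind = "C"
        else:
            continue                      # e.g. "push 004B1281" is not control flow
        xrefs[int(ins.operands, 16)].append((ins.addr, kind))
    return dict(xrefs)


def trace_error_path(text: str, message: str) -> dict:
    """Steps 3-5 of the tutorial as code: string reference -> start of the
    referenced block -> jump(s) into that block -> the call guarding the first jump."""
    instrs = parse_listing(text)
    xrefs = build_xrefs(instrs)
    ref = next((i for i, ins in enumerate(instrs) if ins.string_ref == message), None)
    if ref is None:
        raise ValueError(f"string {message!r} is not referenced in the listing")
    # walk upwards from the string reference to the nearest jump target
    block = next(ins.addr for ins in reversed(instrs[: ref + 1])
                 if any(k != "CALL" for _, k in xrefs.get(ins.addr, [])))
    jumps = [(src, k) for src, k in xrefs[block] if k != "CALL"]
    jump_pos = next(i for i, ins in enumerate(instrs) if ins.addr == jumps[0][0])
    call = next((ins.addr, int(ins.operands, 16))
                for ins in reversed(instrs[:jump_pos]) if ins.mnemonic == "call")
    return {"string_ref": instrs[ref].addr, "block": block, "jumps": jumps, "call": call}


if __name__ == "__main__":
    result = trace_error_path(LISTING, "Achtung falsche Daten!")
    print({k: (hex(v) if isinstance(v, int) else v) for k, v in result.items()})
```

On the sample the script reports the string reference at 004B1232, the block start 004B121D, the conditional jump 004B110A and the guarding call 004B1103 -> 004B0F2C, which is the same chain the next step follows by hand. On a full listing the block start is simply the nearest address above the reference that any jump targets; when several jumps lead there, all of them are returned and each needs a look.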


5. We find the jump instruction to the error message (je 004B121D) at
   004B110A. We follow the function call just above it (call 004B0F2C)
   with [Execute Text/Execute Call].

* Referenced by a CALL at Address:
|:004B1103   
|
:004B0F2C 55                      push ebp                ; <- from call 004B0F2C
:004B0F2D 8BEC                    mov ebp, esp
:004B0F2F 83C4F0                  add esp, FFFFFFF0
:004B0F32 53                      push ebx
:004B0F33 56                      push esi
:004B0F34 33DB                    xor ebx, ebx
:004B0F36 895DF0                  mov dword ptr [ebp-10], ebx   ; [ebp-10] will receive the expected key
:004B0F39 894DF4                  mov dword ptr [ebp-0C], ecx   ; 3rd argument
:004B0F3C 8955F8                  mov dword ptr [ebp-08], edx   ; 2nd argument
:004B0F3F 8945FC                  mov dword ptr [ebp-04], eax   ; 1st argument = key entered by the user
:004B0F42 8B45FC                  mov eax, dword ptr [ebp-04]
:004B0F45 E8962FF5FF              call 00403EE0
:004B0F4A 8B45F8                  mov eax, dword ptr [ebp-08]
:004B0F4D E88E2FF5FF              call 00403EE0
:004B0F52 8B45F4                  mov eax, dword ptr [ebp-0C]
:004B0F55 E8862FF5FF              call 00403EE0
:004B0F5A 33C0                    xor eax, eax
:004B0F5C 55                      push ebp
:004B0F5D 6821104B00              push 004B1021
:004B0F62 64FF30                  push dword ptr fs:[eax]
:004B0F65 648920                  mov dword ptr fs:[eax], esp
:004B0F68 33DB                    xor ebx, ebx
:004B0F6A 837DF800                cmp dword ptr [ebp-08], 00000000
:004B0F6E 0F8492000000            je 004B1006
:004B0F74 837DF400                cmp dword ptr [ebp-0C], 00000000
:004B0F78 0F8488000000            je 004B1006
:004B0F7E 8D4DF0                  lea ecx, dword ptr [ebp-10]   ; result string of the call below
:004B0F81 8B55F4                  mov edx, dword ptr [ebp-0C]
:004B0F84 8B45F8                  mov eax, dword ptr [ebp-08]
:004B0F87 E80CFEFFFF              call 004B0D98                 ; computes the expected key from the 2nd and 3rd argument

* Possible StringData Ref from Code Obj ->"8462"
                                  |
:004B0F8C A19CDB4C00              mov eax, dword ptr [004CDB9C]   ; pointer to the position table "8462"
:004B0F91 0FB600                  movzx eax, byte ptr [eax]       ; eax = '8' (0x38)
:004B0F94 8B4DF0                  mov ecx, dword ptr [ebp-10]     ; ecx = expected key
:004B0F97 8A4C01CF                mov cl, byte ptr [ecx+eax-31]   ; cl = expected key[0x38-0x31], i.e. its 8th character
:004B0F9B 8B75FC                  mov esi, dword ptr [ebp-04]     ; esi = key entered by the user
:004B0F9E 3A4C06CF                cmp cl, byte ptr [esi+eax-31]   ; compare with the 8th character of the entered key
:004B0FA2 7562                    jne 004B1006            ; <- set breakpoint

* Possible StringData Ref from Code Obj ->"8462"
                                  |
:004B0FA4 A19CDB4C00              mov eax, dword ptr [004CDB9C]
:004B0FA9 33D2                    xor edx, edx
:004B0FAB 8A5001                  mov dl, byte ptr [eax+01]
:004B0FAE 8B45F0                  mov eax, dword ptr [ebp-10]
:004B0FB1 8A4410CF                mov al, byte ptr [eax+edx-31]
:004B0FB5 8B4DFC                  mov ecx, dword ptr [ebp-04]
:004B0FB8 3A4411CF                cmp al, byte ptr [ecx+edx-31]
:004B0FBC 7548                    jne 004B1006

* Possible StringData Ref from Code Obj ->"8462"
                                  |
:004B0FBE A19CDB4C00              mov eax, dword ptr [004CDB9C]
:004B0FC3 0FB64002                movzx eax, byte ptr [eax+02]
:004B0FC7 8B55F0                  mov edx, dword ptr [ebp-10]
:004B0FCA 8A4402CF                mov al, byte ptr [edx+eax-31]

* Possible StringData Ref from Code Obj ->"8462"
                                  |
:004B0FCE 8B159CDB4C00            mov edx, dword ptr [004CDB9C]
:004B0FD4 0FB65202                movzx edx, byte ptr [edx+02]
:004B0FD8 8B4DFC                  mov ecx, dword ptr [ebp-04]
:004B0FDB 3A4411CF                cmp al, byte ptr [ecx+edx-31]
:004B0FDF 7525                    jne 004B1006

* Possible StringData Ref from Code Obj ->"8462"
                                  |
:004B0FE1 A19CDB4C00              mov eax, dword ptr [004CDB9C]
:004B0FE6 0FB64003                movzx eax, byte ptr [eax+03]
:004B0FEA 8B55F0                  mov edx, dword ptr [ebp-10]
:004B0FED 8A4402CF                mov al, byte ptr [edx+eax-31]

* Possible StringData Ref from Code Obj ->"8462"
                                  |
:004B0FF1 8B159CDB4C00            mov edx, dword ptr [004CDB9C]
:004B0FF7 0FB65203                movzx edx, byte ptr [edx+03]
:004B0FFB 8B4DFC                  mov ecx, dword ptr [ebp-04]
:004B0FFE 3A4411CF                cmp al, byte ptr [ecx+edx-31]
:004B1002 7502                    jne 004B1006
:004B1004 B301                    mov bl, 01              ; all four positions matched -> success


6. At 004B0F9E we find the first comparison. The expected key was built from
   the other two input fields by call 004B0D98 and now sits in [ebp-10]; the
   four cmp/jne pairs only compare it with the entered key at the positions
   named by the table "8462". So we set a breakpoint here [F2], switch to
   WININBLACK 99 and enter arbitrary registration data:

   e.g. User     : Dark Heaven
        Company/ID: DH
        Key       : 1122334455


7. After confirming the input, W32DASM stops at the breakpoint and we can
   look at the contents of the individual registers.

   EDX = 00FD02C0: EDX+00000000 = Dark Heaven
   ESI = 00FD2A84: ESI+00000000 = 1122334455
   ECX = 00FF954C: ECX-00000010 = PDLFCZ33ZREP (the key we are looking for)
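What the four compares between 004B0F8C and 004B1004 actually verify is easy to miss in the listing: each byte of the table string selects one position of the two keys, and nothing else is compared. The block below is an added example, not code from WinInBlack or from the original tutorial, that models only this visible comparison; the generator 004B0D98 is not shown on the page, so the expected key is taken as input (the value read from memory in step 7, constructed here as sample data). It assumes W32DASM's guess "8462" for the string behind 004CDB9C is right, and that an index past the end of a string counts as a mismatch (the real code would just read whatever byte lies there). Function names are my own.

```python
# Constructed inputs: the key read from memory in step 7 and the key typed in step 6.
COMPUTED_KEY = b"PDLFCZ33ZREP"
ENTERED_KEY = b"1122334455"
POSITION_TABLE = b"8462"   # string W32DASM shows behind the pointer at 004CDB9C (assumed)


def checked_positions(table: bytes = POSITION_TABLE) -> list:
    """Each table byte c is used as [base + c - 0x31], i.e. zero-based index
    c - '1' (1-based position c - '0' in Pascal terms, so "8462" names
    positions 8, 4, 6 and 2 of the key)."""
    return [c - ord("1") for c in table]


def key_accepted(entered: bytes, computed: bytes, table: bytes = POSITION_TABLE) -> bool:
    """Mirror of the four cmp/jne pairs from 004B0F9E to 004B1002: only the
    table positions are compared; no length check is visible in the listing.
    Model assumption: an index beyond either string counts as a mismatch."""
    for pos in checked_positions(table):
        if pos >= len(entered) or pos >= len(computed):
            return False
        if entered[pos] != computed[pos]:
            return False                  # jne 004B1006
    return True                           # mov bl, 01


def minimal_passing_key(computed: bytes, filler: int = ord("A"),
                        table: bytes = POSITION_TABLE) -> bytes:
    """Keep only the checked bytes of the real key and fill the rest; shows
    how few of the twelve characters the routine actually pins down."""
    out = bytearray([filler] * len(computed))
    for pos in checked_positions(table):
        out[pos] = computed[pos]
    return bytes(out)


if __name__ == "__main__":
    print("positions checked (zero-based):", checked_positions())
    print("entered key accepted:", key_accepted(ENTERED_KEY, COMPUTED_KEY))
    print("real key accepted:   ", key_accepted(COMPUTED_KEY, COMPUTED_KEY))
    weak = minimal_passing_key(COMPUTED_KEY)
    print("weak key", weak.decode(), "accepted:", key_accepted(weak, COMPUTED_KEY))
```

Run against the values from step 7, the typed key 1122334455 fails at the first compare (position 8 is '4' instead of '3'), exactly as the tutorial observed, while a key that agrees with PDLFCZ33ZREP only at positions 2, 4, 6 and 8 passes. That is the property a reviewer of such a check should flag: the check is local, the expected key is computed in the same process from the other fields, and the entered key is never compared in full.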


8. With the key we found we can now register WININBLACK 99 and get the
   success message "Vielen Dank fr Ihre Registrierung" ("Thank you for
   registering").

   e.g. User      : Dark Heaven
        Company/ID: DH
        Key       : PDLFCZ33ZREP


9. After registration WININBLACK 99 writes the following key into the
   registry. The value is stored in plain text under the user's own hive
   (the 80000001 loaded at 004B112D is HKEY_CURRENT_USER), so the
   registration state is nothing more than a user-writable string:

   [HKEY_CURRENT_USER\Software\BaqSoft\WinInBlack98\Register]
   "Company"="Dark Heaven"
   "User"="DH"
   "Key"="PDLFCZ33ZREP"



Have fun CRACKING!
Dark Heaven
06.03.1999


