Reverse Code Engineering - Command Line97
Finding Correct Serial Numbers
Author: Volatility
Please Read The Disclaimer Before Continuing.
Prepare To Crack:

Run the program and click on the "REGISTER" button. You'll see a box to enter your name and one to enter your serial number. Enter some dummy data... mine's "VOLATILITY [ID]" and "272727".

Now we must find the import the registration routine uses and set a breakpoint on it in Soft-Ice. With your dummy data entered, press Ctrl+D to enter Soft-Ice. The two most common imports for registration routines in 32-bit Windoze programs are "GetWindowTextA" and "GetDlgItemTextA". So, let's go for the obvious and set a breakpoint on GetWindowTextA like so:

BPX GetWindowTextA

Press X to return to the program and click "Ok"... Hmmm.... wrong registration number... let's try again. Press Ctrl+D to get back into Soft-Ice and clear your breakpoint by typing:

BC *

Let's try GetDlgItemTextA. Set your breakpoint like so:

BPX GetDlgItemTextA

Press X to return to the program and click on "Ok". Bingo! Soft-Ice breaks. You can clear your breakpoint now with "BC *". We need to press F11 to return from the API call into the program's own code. You've landed inside the following code:
Let's see... We don't see anything interesting on the highlighted line, so we'll press F10 to step through the code line by line. After pressing F10 twice, you'll be on the line "0137:00402565 PUSH 00". Notice that up in the registers window "EDI=00410B30" is now highlighted (your values may be different)... this looks interesting, so check the value of EDI like so:

? EDI

Hmm... nothing useful. Let's try displaying the memory EDI points to, like so:

d EDI

Killer! The name we entered... we must be close! Press F10 four more times, until you get to the line "0137:00402573 MOV ECX,FFFFFFFF". Notice that "EAX=00042957" is now highlighted in the registers window (your values may be different)... this looks interesting, so check the value of EAX like so:

? EAX

Killer! The serial we entered (42957 hex is 272727 decimal)! Now we must be even closer! Ok... we've found where we originally entered our name and serial, but that doesn't tell us anything really... just interesting, and good to know that we could at least find that much!

Press F10 some more, until you land on the line "MOV [0040A550],ECX". Notice that "ECX=001720CC" is now highlighted in the registers window (your values may be different). This looks interesting, so check the value of ECX like so:

? ECX

Hmm... could it be? Maybe... write the decimal value down! (mine was 1515724 - it will be 7 characters long). I wasn't ready to stop just yet; it's useful to check a little further, so I kept pressing F10 and kept checking values whenever a register became highlighted. Our first candidate still seemed to me the most promising though, because of the line itself, "MOV [0040A550],ECX": store the value from ECX at 0040A550.

Press X or Ctrl+D to return to the program. Leave your user name the same, but try the new registration code. Bingo! We were right! The first code works like a charm! Command Line97 is registered!
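To show why the working serial was sitting in ECX one instruction before the compare, here is an added C example (not from the tutorial and not Command Line97's code) built around a constructed toy serial scheme: a weak check that computes the valid serial and then compares it, beside a hardened check that compares only a digest of what the user typed. The serial function, the FNV-1a digest and the sample names are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a name-derived serial. It is NOT Command Line97's
 * algorithm; it only models the pattern the tutorial exposed. */
static uint32_t serial_from_name(const char *name)
{
    uint32_t v = 0;
    while (*name)
        v = v * 31u + (unsigned char)*name++;
    return v % 10000000u;           /* seven digits, as in the tutorial */
}

/* Weak check: the valid serial is computed into a variable and only then
 * compared with the input. Between those steps it sits in a register or a
 * memory slot (the tutorial's MOV [0040A550],ECX), where a debugger reads it. */
int check_weak(const char *name, const char *entered)
{
    char expected[16];
    snprintf(expected, sizeof expected, "%07u", (unsigned)serial_from_name(name));
    return strcmp(expected, entered) == 0;
}

/* FNV-1a 64-bit, a stand-in one-way digest (use a real hash in production). */
static uint64_t fnv1a64(const char *s)
{
    uint64_t h = 1469598103934665603ULL;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 1099511628211ULL; }
    return h;
}

/* Digest of the (name, serial) pair. The issuer computes it once when a
 * licence is sold; the program stores only this value, never the serial. */
uint64_t pair_digest(const char *name, const char *serial)
{
    char pair[128];
    snprintf(pair, sizeof pair, "%s|%s", name, serial);
    return fnv1a64(pair);
}

/* Hardened check: the valid serial is never materialised. Stepping past the
 * compare shows a 64-bit digest of what the user typed, not a working code. */
int check_hardened(const char *name, const char *entered, uint64_t stored_digest)
{
    return pair_digest(name, entered) == stored_digest;
}
```

A seven-digit serial space is small enough to brute-force against the stored digest, and the final compare can still be patched, so this closes only the read-it-from-the-register shortcut; verifying a signature with an embedded public key is the stronger design.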
If you'd like to unregister the program so you can do this again for practice, you'll need to edit the Registry. The program stores the values under HKEY_LOCAL_MACHINE\SOFTWARE\SealesWare\Command Line97. Just delete the name you entered in the "RegName" value.