Software Reverse Engineering - DocClear v1.9.1 - Finding Correct Serials
Copyright (c) 1998 Volatility
Document Courtesy of The Immortal Descendants - http://pages.prodigy.net/volatility

	This method is still relatively simple, but gives you another approach to finding
correct serial numbers: breaking on the HMEMCPY function, a routine you may not know how to
find your way out of (and back into the program's own code) without a little guidance.

---------------------------------------------------------------------------------------------
Target:  DocClear v1.9.1 - (docclear.zip) 135,017 bytes.  Download this at:

	            http://www.sitedev.com/files/DocClear.zip

Tools Needed:  	WDASM - recommended (or disassembler of your choice)
                SOFT-ICE (any version)
---------------------------------------------------------------------------------------------

Prepare To Crack:

	Run the program, and find the registration screen (right click on the icon in your
system tray, "Register DocClear").  Enter some test data ("Cracked By Volatility [ID]" and
272727 for mine).

	Write down the error message, then disassemble the program with Wdasm.  Once
disassembled, look at the String Data References ("Refs", "String Data References").  We see
many interesting strings here.  I clicked on a few of them, found the register routine, and
patched it.  I went to the registration screen again and entered my data.  The program says
it's registered!  When I went to the "About" screen though, it still says "Unregistered".  Sux!

	If you've read any of my other tutorials, you know this usually means the serial is
stored in a configuration file or the registry and checked again from there, and you also know
I hate messing with the registry.  So, let's take the (hopefully) easy way out and find a
correct serial number.

Making The Crack:
	
	NOTE: I'm not going to go into much detail on functions and coding in this
	      tutorial.  If you don't know much about Soft-Ice, Windows messages, and
	      assembly, you'll need to get this information from tutorials elsewhere.

	Press Ctrl+D to get into Soft-Ice and set a breakpoint.  You can look under
"Functions", "Imports" in Wdasm to see if there are any functions worth breaking on.  The most
common breakpoints in 32-bit programs are "GetDlgItemTextA" and "GetWindowTextA".  We see
GetWindowTextA here.  To save you time, a breakpoint on GetWindowTextA doesn't work here, and
neither did various others I tried.  I decided to try HMEMCPY, a function I've had limited
success with, but in this case you'll see it works just fine.

	Set a breakpoint on HMEMCPY in Soft-Ice (BPX HMEMCPY).  Press Ctrl+D again to exit
Soft-Ice and click the "Ok" button on the registration screen (you should have some test data
entered).  Soft-Ice breaks, and we press F11 to return to the caller.  You'll see the text
"USER(0A)" on the line above the command window.  We don't need to be here, so step through
the code using F10.  You'll have to press F10 MANY times, going through KERNEL32!_FREQASM,
until you see "DOCCLEAR!CODE".

	Now, if we slowly step through the code and display some registers (EAX, ECX, EDX),
we'll find the name and code we entered... but this is only the routine that handles our user
name, so we need to press F10 MANY more times, going through the same functions, until we get
to DOCCLEAR!CODE again.  Now we're in the routine that handles our serial number.

	We want to find the place where our code is tested with the correct one, so step 
through the code slowly, until you get here:

---------------------------------------------------------------------------------------------
CALL     00412B64
MOV      EDX,[EBP+FFFFFDF6]   ------------.
LEA      EAX,[EBP+FFFFFDFC]               |-- Our serial is copied (0FF bytes max) into a
MOV      ECX,000000FF                     |   local buffer, and the address of that buffer
CALL     00403960                         |   ends up in the EDX register.
LEA      EDX,[EBP+FFFFFDFC]   ------------'
MOV      EAX,[EBX+000001CC]   <the other operand: what our serial is checked against
POP      ECX
CALL     0042D940             <compare routine: our serial (EDX) against the other string (EAX)
TEST     EAX,EAX              <test the result of the compare
JNZ      00431076             <jump to registered if correct
---------------------------------------------------------------------------------------------

	Now that we know where our serial is compared with the correct one, press F10 until
you're on the CALL 0042D940 line (before it executes).  Our serial is in EDX, so the correct
one must be reachable from the other operand, EAX: display it (d EAX).  You'll see the name and
serial you entered, but scroll down using Alt + down arrow just a couple of lines and you'll see
a really goofy looking string... your serial!  Mine's $5C6E8FA3g.

-Volatility-