Software Reverse Engineering - DocClear v1.9.1 - Finding Correct Serials
Copyright (c) 1998 Volatility
Document Courtesy of The Immortal Descendants - http://pages.prodigy.net/volatility

This method is still relatively simple, but it gives you another approach to finding correct serial numbers: breaking on the HMEMCPY function, a low-level copy routine from which you may not know how to find your way to the interesting code without a little guidance.

---------------------------------------------------------------------------------------------

Target: DocClear v1.9.1 - (docclear.zip) 135,017 bytes.
Download this at: http://www.sitedev.com/files/DocClear.zip

Tools Needed:
WDASM - recommended (or disassembler of your choice)
SOFT-ICE (any version)

---------------------------------------------------------------------------------------------

Prepare To Crack:

Run the program and find the registration screen (right click on the icon in your system tray - "Register DocClear"). Enter some test data (Cracked By Volatility [ID] and 272727 for mine). Write down the error message, and let's disassemble the program with Wdasm. Once it is disassembled, look at the String Data References - "Refs", "String Data References". We see many interesting strings here. I clicked on a few of them, found the register routine, and patched it. I went to the registration screen again and entered my data. The program says it's registered! When I went to the "About" screen, though, it still says "Unregistered". Sux!

If you've read any of my other tutorials, you know this usually means the code is stored in a configuration file or the registry, and you also know I hate messing with the registry. So, let's take the (hopefully) easy way out and find a correct serial number.

Making The Crack:

NOTE: I'm not going to go into much detail on functions and coding in this tutorial. If you don't know much about Soft-Ice, Windows messages, and assembly, you'll need to get that information from tutorials elsewhere.
We need to press Ctrl+D to get into Soft-Ice and set a breakpoint. Look under "Functions", "Imports" in Wdasm to see whether there are any functions worth breaking on. The most common breakpoints in 32-bit programs are "GetDlgItemTextA" and "GetWindowTextA", and we see GetWindowTextA here. To save you time: a breakpoint on GetWindowTextA doesn't work, and neither do various other ones I tried. I decided to try HMEMCPY, a function I've had limited success with, but in this case you'll see it works just fine.

Set a breakpoint on HMEMCPY in Soft-Ice (BPX HMEMCPY). Press Ctrl+D again to exit Soft-Ice and click the "Ok" button on the Registration screen (you should have some test data entered in). Soft-Ice breaks, and we press F11 to return to the code that called HMEMCPY. You'll see the text "USER(0A)" on the line above the command window. We don't need to be here, so step through the code using F10. You'll have to press F10 MANY times, going through KERNEL32!_FREQASM, until we see "DOCCLEAR!CODE".

Now, if we slowly step through the code and display some registers (EAX, ECX, EDX), we'll see the name and code we entered... but this is only the routine that handles our user name, so we need to press F10 MANY more times, through the same functions, until we get to DOCCLEAR!CODE again. Now we're in the routine that handles our serial number. We want to find the place where our code is compared with the correct one, so step through the code slowly until you get here:

---------------------------------------------------------------------------------------------

CALL 00412B64
MOV EDX,[EBP+FFFFFDF6]   ------------.
LEA EAX,[EBP+FFFFFDFC]               |-- We know from these lines that our serial
MOV ECX,000000FF                     |   (a pointer to it) ends up in the EDX register.
CALL 00403960                        |
LEA EDX,[EBP+FFFFFDFC]   ------------'
MOV EAX,[EBX+000001CC]
POP ECX
CALL 0042D940
TEST EAX,EAX
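As an added example (editor's code, not part of the original tutorial), here is a small Python helper that decodes the memory operands in the listing above the way you would by hand. Wdasm and Soft-Ice print displacements as unsigned 32-bit hex, so [EBP+FFFFFDF6] is really [EBP-20A] and [EBP+FFFFFDFC] is [EBP-204], i.e. stack locals, while [EBX+000001CC] is a small positive offset, a field of whatever object EBX points at. The listing embedded in the script is copied from the text; the "stack local" / "field of object" labels are the editor's heuristic, not something the tutorial states.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The DocClear serial-check listing quoted in the tutorial (Wdasm/Soft-Ice spelling).
LISTING = """\
CALL 00412B64
MOV EDX,[EBP+FFFFFDF6]
LEA EAX,[EBP+FFFFFDFC]
MOV ECX,000000FF
CALL 00403960
LEA EDX,[EBP+FFFFFDFC]
MOV EAX,[EBX+000001CC]
POP ECX
CALL 0042D940
TEST EAX,EAX
"""

# Matches a [REG+HEXDISP] operand as the disassembler prints it.
MEM_RE = re.compile(r"\[(?P<base>E[A-Z]{2})\+(?P<disp>[0-9A-Fa-f]{1,8})\]")


def signed32(value: int) -> int:
    """Reinterpret an unsigned 32-bit displacement as two's complement."""
    value &= 0xFFFFFFFF
    return value - 0x1_0000_0000 if value & 0x8000_0000 else value


@dataclass(frozen=True)
class MemOperand:
    base: str   # base register, e.g. "EBP"
    disp: int   # signed displacement in bytes

    def pretty(self) -> str:
        sign = "-" if self.disp < 0 else "+"
        return f"[{self.base}{sign}{abs(self.disp):X}]"

    def kind(self) -> str:
        # Heuristic labels (editor's assumption, not from the tutorial):
        # negative EBP offsets are locals, positive ones are arguments or the
        # saved frame, anything off another register is a field of the object
        # that register points at.
        if self.base == "EBP":
            return "stack local" if self.disp < 0 else "stack argument"
        return f"field of object in {self.base}"


def parse_mem_operand(line: str) -> Optional[MemOperand]:
    """Return the first [REG+DISP] operand on a line, or None if there is none."""
    m = MEM_RE.search(line)
    if m is None:
        return None
    return MemOperand(m.group("base"), signed32(int(m.group("disp"), 16)))


def annotate(listing: str) -> List[str]:
    """Append a human-readable decode to every line that has a memory operand."""
    out: List[str] = []
    for line in listing.splitlines():
        op = parse_mem_operand(line)
        if op is None:
            out.append(line)
        else:
            out.append(f"{line:<26}; {op.pretty()}  {op.kind()}")
    return out


def stack_locals(listing: str) -> Dict[int, int]:
    """Map each distinct EBP-relative local (offset below EBP) to its use count."""
    counts: Dict[int, int] = {}
    for line in listing.splitlines():
        op = parse_mem_operand(line)
        if op is not None and op.base == "EBP" and op.disp < 0:
            counts[-op.disp] = counts.get(-op.disp, 0) + 1
    return counts


if __name__ == "__main__":
    print("\n".join(annotate(LISTING)))
    for off, n in sorted(stack_locals(LISTING).items()):
        print(f"EBP-{off:X} used {n} time(s)")
```

Running it shows two locals six bytes apart (EBP-20A, read once, and EBP-204, used twice) and one object field at +1CC. What the callees at 00403960 and 0042D940 actually do with those values is not decoded here; that is exactly what stepping into them in Soft-Ice is for.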