Reverse Code Engineering - Software By Design Software
Finding Correct Serial Numbers
Author: Volatility

Please Read The Disclaimer Before Continuing.


Target: AL Software By Design Software
Location: http://www.execpc.com/~sbd/
Protection(s): User Name/Organization/Serial Number
Tools Needed: NuMega Soft-Ice (Any Version)
Level: (X) Beginner ( ) Intermediate ( ) Advanced ( ) Expert

The programs I've cracked here so far all work with this method, so I'm assuming they all will.

Gregory Braun puts out some damn good, useful and innovative software, so please pay for these programs.  Don't be a lamer and use my registration info either.

All the programs I've seen have a registration screen that looks like this:

[Image: Software By Design registration screen]

So, we have a User Name, Organization, and Serial Number to enter.  Judging by this, we could get lost more easily trying to patch than we would just hunting for a correct serial number.

The program we'll use for this example is "RGB Editor".  The first method I tried for this target was the HmemCpy function in Soft-Ice, and it works just fine.  So, type some dummy data into the text boxes (Cracked by Volatility [ID], Immortal Descendants and 272727 for mine).

Making The Crack: 

With your dummy data entered, press Ctrl+D to enter Soft-Ice.  Set a breakpoint on HmemCpy (BPX HMEMCPY).  Press Ctrl+D or X to exit back to the program, and click "OK".

Soft-Ice will pop up.  Now, we could step through the code, but if we think about it, the procedure will be called THREE times... once for your user name, once for your organization, and a final time for the serial number.  So, press Ctrl+D two times, so that we're at the third occurrence.

Press F11 once to exit the code, and you should be here:
 
177F:0B40  9A189E1701           CALL    KERNEL!HMEMCPY
177F:0B45  FF35                 PUSH    WORD PTR [DI]
177F:0B47  9AB0011F01           CALL    KERNEL!LOCALUNLOCK
177F:0B4C  8BC6                 MOV     AX,SI
177F:0B4E  5E                   POP     SI
177F:0B4F  5F                   POP     DI
177F:0B50  C9                   LEAVE
177F:0B51  C20A00               RET     000A

If you look on the line above the command window, you'll see "USER(0A)".  This isn't where we need to be, so step through the code using F10, until you see "RGB!.text" on the line... now we're in the program code. 

Step through the code several more times to look for the place where our serial number is calculated.  You'll find it here: 
 
0137:0040687B  8BE8             MOV     EBP,EAX 
0137:0040687D  53               PUSH    EBX             :organization
0137:0040687E  56               PUSH    ESI             :user name
0137:0040687F  E89C2C0000       CALL    00409520        :calculate our serial number
0137:00406884  83C408           ADD     ESP,08 
0137:00406887  3BC5             CMP     EAX,EBP 
0137:00406889  741E             JZ      004068A9 
0137:0040688B  68CFEA0000       PUSH    0000EACF

We can display our organization by stepping through the line "PUSH    EBX", and typing d ebx.  We can display our user name by stepping through the line "PUSH    ESI", and typing d esi.  But now how do we display our serial number?  We don't really... if we step through the line "CALL    00409520", we can get the value of EAX by typing ? eax.  There's your serial number!  Mine was 3727125845.
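
The check above gives up the serial because the program itself computes the valid value and holds it in EAX for the CMP. As an added example (not from the original essay and not the vendor's code), the Python below contrasts that pattern with a signature-style check where the client ships only a public key. The CRC32 routine, the function names and the toy RSA key are all assumptions constructed for illustration.

```python
import hashlib
import zlib

# Constructed toy RSA key (two Mersenne primes); far too small for real use.
_P, _Q = 2**61 - 1, 2**89 - 1      # vendor-side secret, never shipped
N, E = _P * _Q, 65537              # public half, the only part a client holds


def _digest(name: str, org: str) -> int:
    """Hash the registration fields to an integer below N."""
    data = name.encode() + b"\x00" + org.encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def weak_expected_serial(name: str, org: str) -> int:
    """Hypothetical stand-in for the routine the essay finds at 00409520."""
    return zlib.crc32((name + "|" + org).encode())


def weak_check(name: str, org: str, entered: int) -> bool:
    # Same shape as CMP EAX,EBP: the valid serial is computed on the client
    # and sits in a register, readable by anyone with a debugger attached.
    return weak_expected_serial(name, org) == entered


def vendor_issue_serial(name: str, org: str) -> int:
    """Runs only on the vendor's machine; needs the private exponent."""
    d = pow(E, -1, (_P - 1) * (_Q - 1))
    return pow(_digest(name, org), d, N)


def hardened_check(name: str, org: str, entered: int) -> bool:
    # Verification uses only (N, E). The client never derives the valid
    # serial, so there is no expected value in memory to read out.
    if not 0 < entered < N:
        return False
    return pow(entered, E, N) == _digest(name, org)
```

With this design the comparison can still be patched out, so it addresses serial recovery only, not tampering with the binary.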


*** Disclaimer ***
This Essay Is For Knowledge Purposes Only. Neither We, Our ISP, Nor Any Persons Mentioned Shall Be Held Liable For Any Damages Improper Usage May Cause To Your Machine.

If You Successfully Crack A Program, You Must Delete It Immediately. If You Want To Keep The Program, Please BUY It! Support Shareware, This Is Our Learning Tool!

It Is Illegal To Continue To Use Cracked/Patched Software.


Copyright © 1999 Volatility And The Immortal Descendants. All Rights Reserved.