dAKuRioUSCHiLD [ PC_'99 ]

Tut Part      Attack Angle      Tools Needed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Part 5        Find Serial       NuMega SOFTICE!!
First we need to configure your SoftICE. I use only the newest version and I run it on Win95 ( WinIce ), so things'll be different on NT or in DOS. When you install it, it will ask to edit your "autoexec.bat"; tell it no! And select the "Universal Video Driver". Once it's installed, add this line to your autoexec.bat by right-clicking on it ( it's in your C:\ directory ) and going to "Edit":

    IF "0"=="0" C:\PROGRA~1\NUMEGA\SOFTIC~1\WINICE.EXE

Add it just like that...now you can control when SoftICE loads. If you want it to load, leave both "0"'s there; if you don't want it to load, make one "0" a "1". Got that, cool! Now put my winice.dat in your SoftICE directory ( I got these settings from splatter.net, thanX guys ). Now restart your computer and SoftICE is ready to go! Welcome back!! Wanna see what the mighty SoftICE looks like? Hit "ctrl+d" to toggle in & out of SoftICE! Lots of confusing shit, huh?! You'll learn. You might wanna print this, cuz when you're in SoftICE, you're in SoftICE! If you come back into Windows, you're not where you were before, and location is key!

So here we go...run startcln.exe ( a clean one ) and go to register, enter the name "KuRioUS" and the code "00998877". Now go into SoftICE ( "ctrl+d" ). Type at the bottom: "bpx getdlgitemtexta" ( without the quotes ) ( bpx means break point on execution; GetDlgItemTextA is a common way that programs get info from boxes ). So what we're telling SoftICE to do is to stop when the program tries to get our name and code. Press "enter" to enter the command, then hit "ctrl+d" to return to Windows. Now click on "OK" and BOOM! You're in SoftICE again! Now press F11; this returns you to the program's code, because right now you're inside the call that fetched the text. Look at the value of eax. It's 7...the length of our name. Good, but we want to find where it compares our code with the true code. So press F5; this runs on to the next break point...the call for our code!
Again we're caught in the call, so press F11 to get back to StartClean's code. Eax = 8, YEA!! the length of our code...now be careful, cuz it's easy to get lost in SoftICE. You should see:
    :004011C5 FFD6            call esi
    :004011C7 6830604000      push 00406030
    :004011CC 6830614000      push 00406130
    :004011D1 E8AA000000      call 00401280
    :004011D6 8D442418        lea eax, dword ptr [esp+18]
    :004011DA 83C408          add esp, 00000008
    :004011DD 50              push eax
    :004011DE 6830604000      push 00406030
    :004011E3 FF1520924000    Call dword ptr [KERNEL32!lstrcmpA]
    :004011E9 85C0            test eax, eax
    :004011EB 0F8580000000    jne 00401271
Now we need to think about what the program does...it takes what we entered and the correct code, compares them, then depending on the outcome it jumps or not. Well, looking at the code, I see a jne...the jump. Above that I see a call to lstrcmpA ( just like in SmartCheck from part 4 ) and a test eax, eax...that's the compare. Above that I see two pushes...one for our code, one for the true code ( think of it as the program pushing the 2 codes into KERNEL32!lstrcmpA to be compared ). So press F10; this is the trace button, you'll run the program one command at a time. Press it until the lstrcmpA line is highlighted. Now type "d eax" and hit "enter" ( d means "dump"; dump basically means "dump that code location in front of the (ab)user"... ). You'll see "00998877" in the middle frame at the top of the right column. So far so good! Now type "d 00406030" and hit "enter". You'll see "1422-13266-1827-361" where "00998877" was just before! Do you think that could be the correct code...I think so! You could enter that code to register the program now! Hmm... now that we know where the program stores the correct code, we could make StartClean its own key generator!! ONTO Part 6!
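To show why the program gave up its code so easily, here is an added C example ( not StartClean's code, which isn't on this page ): a constructed stand-in for the plaintext compare traced above, next to a hardened version that ships only a digest of the real code, so a dump at the compare shows digests and not the code. The REAL_CODE constant, the FNV-1a stand-in hash and the function names are my own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the check traced above: the real code sits in a
 * plain buffer and both strings go to a string compare (push, push, call
 * lstrcmpA, test eax,eax).  Anyone who stops at the compare can dump it. */
static const char REAL_CODE[] = "1422-13266-1827-361";  /* value from the page */

int weak_check(const char *entered)
{
    return strcmp(entered, REAL_CODE) == 0;
}

/* FNV-1a 64-bit stands in for a real cryptographic hash (use SHA-256 in a
 * real product); it is here only so the example has no dependencies. */
uint64_t fnv1a64(const char *s)
{
    uint64_t h = 14695981039346656037ULL;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 1099511628211ULL;
    }
    return h;
}

/* Hardened variant: the binary ships only stored_digest, produced once at
 * build time from the real code.  At the compare, memory holds two digests
 * and never the code itself.  The digest compare has no early exit, so the
 * mismatch position does not leak through timing either. */
int hardened_check(const char *entered, uint64_t stored_digest)
{
    uint64_t diff = fnv1a64(entered) ^ stored_digest;
    unsigned char acc = 0;
    for (int i = 0; i < 8; i++)
        acc |= (unsigned char)(diff >> (8 * i));
    return acc == 0;
}

int main(void)
{
    /* Build-time step, shown inline only for the demo: hash the code once
     * and bake the digest in.  The plaintext REAL_CODE would not ship. */
    uint64_t stored = fnv1a64(REAL_CODE);
    printf("weak    : wrong=%d right=%d\n", weak_check("00998877"), weak_check(REAL_CODE));
    printf("hardened: wrong=%d right=%d\n", hardened_check("00998877", stored),
                                          hardened_check(REAL_CODE, stored));
    return 0;
}
```

Hashing only keeps the real code out of the process's memory; it does nothing for the accept/reject decision itself, which is still the single test/jne the tutorial points at.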