Reverse Code Engineering For Beginners - Solution by meRlin - Date: 5th July 2000
This tutorial is dedicated to all the newbies. We always try to give as much information as we can so that it is easy for you to understand what the program is doing. If you want to become a cracker then you must always read, read, read, and at the same time you must practise. There comes a time when you feel like "Phew, I can't crack. Cracking is not in my blood." Don't give up! When you feel angry and mad that you are not getting into cracking, go outside, have a cold cola ("Coke" recommended) and don't think about the computer at all. Come back after some hours, or maybe a day. Relax! Free your mind and body and then start cracking again. This time look at the ASM code very carefully and try to understand it. This time you will definitely crack it.
To become a very good cracker you must have patience, without which you will never reach your destination. You will never become a cracker overnight. It's not that easy! You must work hard and believe in yourself. Your brain is as good as anybody else's out there; the only thing is that you have to do some sharpening, and then you have what it takes to be a good cracker. Hope this helps.
You can find our tutorials on Snake's Page (http://snakepage.cjb.net, thanks dude!). Check frequently for our new tutorials; we try to release a new one every 15 days.
Don't use pirated software. Software authors deserve your support. Support them if you want to see newer versions with more functions and fewer bugs.
[Note: Newbies, please read the FAQ first and try to crack the software on your own. Don't go straight to the ESSAY.]
Best Of Luck!
Project No: 4
This File Escaped From: "Learn Cracking In New Style."
Target: EZClean 4.0
Download From: http://www.bkedv.de/website/download/EZClean4.EXE (Size: 1,003 KB)
Tools Used: SoftICE, W32Dasm and FileMon (any version will do, I think!)
Rating: It's easy when you know how.
Remember This: It is easy to destroy but hard to create. Software authors work hard to give us good quality software, so support shareware. If your intention is to pirate this software then stop reading... and delete this file immediately. It's better you look for it on some WAREZ site.
About The Program: EasyClean is a powerful application deinstallation tool. It can monitor and record virtually all changes made to your system by installation programs, enabling you to remove applications very thoroughly.
EasyClean is designed for Windows® 95, 98, 2000 and NT 4 and has been tested extensively on all these systems. It is particularly effective at monitoring and handling changes to the Windows registry. This means that with EasyClean, your registry will no longer be a bottomless pit full of data garbage!
About Protection Scheme: When this application is registered there is an encrypted key file in your %windowsdir%, named Ezclean4.key. To register the program go to Help and click Register.
The FAQ contains some of the questions a newbie asked while cracking this software, together with their answers. The questions and answers are reproduced as they were; no modification has been done. They are a series of messages which might not read like questions. You know what I mean?
1).
Let's fire up Wdasm: any interesting strings? Er, not really... so it's S-Ice now.
Bpx on GetWindowTextA => nothing happens
Bpx on GetWindowTextLengthA => nothing happens
Bpx on HmemCpy => Ah! Breaks!
So I trace with F10 and then F8 into 015F:004CABAA CALL 0049886C, then F10 and then F8 into 015F:00498882 CALL 004988B0, then F10 and then F8 into 015F:0049892B CALL 00497590, then F10 and then F8 into 015F:004975F4 CALL 0045C6FC, then F10, and at 015F:0045C806 there appears a dialog box whose title is "easyClean Error" but nothing is written inside. I have to wait until I reach 015F:0045C84A CALL 00460244 to see the contents of the dialog box being displayed: "Invalid key or name. Please try again. Case sensitive !"
Argh! I have obviously gone too far! My problem is that I don't see where I should have stopped. When I traced with F10 and suddenly the "Invalid key" box appeared, I traced again and hit F8 right on the CALL that caused the "invalid key" box to appear. I'm afraid that is all I can find today. In other words, I'm stuck. But I'm also aware that what you are going to tell me will be very important for me to understand how to use S-Ice better.
Ans=> Actually, I did not dead list the program; I went straight to S-ICE. But it's better to prepare a dead listing first. Hey, you only tried two BPXs before going for HMEMCPY. Remember what I told you: only use HMEMCPY when all the others fail. First you should have tried these too:
GetDlgItemTextA
MessageBoxA
Anyway, neither of them works here. The only breakpoints that work here are ShowWindow and HMEMCPY (others may work too). Don't use ShowWindow, you'll get lost in the code; it's better to use HMEMCPY. I used the same.
You've done a lot of useless work, and it only wastes your time. I think you have misunderstood what a CALL is, and what you should look for while cracking. Don't worry, after you read this you'll understand what to look for.
Let me clarify. After you didn't find anything interesting in W32Dasm, you started looking for information in S-ICE, and I see that you stepped into every CALL before the "BAD GUY" message. That's not what you should do. All the CALLs you mention above are useless for our purpose. Forget them and look for something like this (an example only):
CALL 03345678 ------------- CALL the validation routine, which returns 0 or 1 depending on the serial number entered.
TEST eax, eax ------------- Test EAX against itself; this sets the zero flag if EAX is 0. In place of TEST you may see CMP; either way the instruction only sets the flags for the jump that follows.
JZ 34739748 --------------- Jump if zero to the "BAD GUY" message.
In this kind of case the CALL 03345678 is the important one, because it checks our fake serial number against the valid one. So while cracking, look only for:
CALL
CMP/TEST
JUMP ------- If this jump leads to the "Bad Guy" message, then the CALL above it is important; otherwise it is useless.
Now, in the CALLs you mention above, did you find anything like that? No! So all of them are useless. Look for this pattern in S-ICE. When you find one, first let the program JUMP. If it jumped to the "BAD GUY" message, then the second time don't let it jump: type "R FL Z" in S-ICE to flip the zero flag, and see whether the program shows the "GOOD GUY" message. If it does, step inside the CALL before that JUMP and see how your fake serial number is compared with the valid one. You'll find the validation algorithm there.
Enter a name and a fake serial number in the registration box. Then set BPX HMEMCPY. Press F12 until you reach the program's own code. There you'll find lots of RETs, so press F10 until you get out of all of them and reach some clean place. Then look for CALL, TEST/CMP and JUMP and see where the jump leads. If it leads to the "BAD GUY" message, step inside the CALL before the JUMP and try to understand the ASM code. I bet you'll find the valid serial number there.
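An added example (editor's code, not part of the original tutorial): the CALL / TEST-or-CMP / JUMP pattern described above can be searched for mechanically in a W32Dasm dead listing instead of by eye. The Python below parses lines of the form ":ADDRESS OPCODES mnemonic operands", reports every CALL that is followed within three instructions by a TEST or CMP and then a conditional jump, and for "test r, r" also says whether the jump is taken when the call returned zero or non-zero. The sample listing inside it is copied from the EasyClean disassembly further down this page; the function names and the three-instruction window are my own choices.

```python
"""Find CALL / TEST-or-CMP / Jcc sequences in a W32Dasm-style dead listing.

Added example, not part of the original tutorial. The sample listing below is
copied from the EasyClean disassembly on this page; the function names and the
search window are the editor's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A W32Dasm code line looks like ":004C2E41 85C0 test eax, eax".
# Lines starting with "*" or "|" are cross-reference comments and are skipped.
LISTING_LINE = re.compile(
    r"^:(?P<addr>[0-9A-Fa-f]{8})\s+(?P<opcodes>[0-9A-Fa-f]+)\s+(?P<mnem>[A-Za-z]+)\s*(?P<ops>.*)$"
)

COND_JUMPS = {
    "ja", "jae", "jb", "jbe", "jc", "jcxz", "jecxz", "je", "jg", "jge", "jl",
    "jle", "jna", "jnae", "jnb", "jnbe", "jnc", "jne", "jng", "jnge", "jnl",
    "jnle", "jno", "jnp", "jns", "jnz", "jo", "jp", "jpe", "jpo", "js", "jz",
}

Insn = Tuple[str, str, str]  # (address, mnemonic, operands)


@dataclass
class Candidate:
    call_addr: str
    call_target: str
    test_addr: str
    jump_addr: str
    jump_mnem: str
    jump_target: str
    jumps_when: Optional[str]  # e.g. "eax != 0", when it can be inferred


def parse_listing(text: str) -> List[Insn]:
    """Keep only real instruction lines, with upper-case addresses and lower-case mnemonics."""
    insns = []
    for raw in text.splitlines():
        m = LISTING_LINE.match(raw.strip())
        if m:
            insns.append((m["addr"].upper(), m["mnem"].lower(), m["ops"].strip()))
    return insns


def _jumps_when(test_ops: str, jump_mnem: str) -> Optional[str]:
    """For 'test r, r' (same register twice) the zero flag tells whether r is zero."""
    parts = [p.strip().lower() for p in test_ops.split(",")]
    if len(parts) != 2 or parts[0] != parts[1]:
        return None
    reg = parts[0]
    if jump_mnem in ("je", "jz"):
        return f"{reg} == 0"
    if jump_mnem in ("jne", "jnz"):
        return f"{reg} != 0"
    return None


def find_check_candidates(insns: List[Insn], window: int = 3) -> List[Candidate]:
    """Report each CALL followed (within `window` instructions) by TEST/CMP and then a Jcc."""
    found = []
    for i, (addr, mnem, ops) in enumerate(insns):
        if mnem != "call":
            continue
        test_idx = next((j for j in range(i + 1, min(i + 1 + window, len(insns)))
                         if insns[j][1] in ("test", "cmp")), None)
        if test_idx is None:
            continue
        jump_idx = next((k for k in range(test_idx + 1, min(test_idx + 1 + window, len(insns)))
                         if insns[k][1] in COND_JUMPS), None)
        if jump_idx is None:
            continue
        t_addr, t_mnem, t_ops = insns[test_idx]
        j_addr, j_mnem, j_ops = insns[jump_idx]
        found.append(Candidate(addr, ops, t_addr, j_addr, j_mnem, j_ops,
                               _jumps_when(t_ops, j_mnem) if t_mnem == "test" else None))
    return found


# Constructed sample: fragments of the EasyClean listing from this page.
SAMPLE_LISTING = """\
:004C2E36 8B804C040000 mov eax, dword ptr [eax+0000044C]
:004C2E3C E85BADFDFF call 0049DB9C
:004C2E41 85C0 test eax, eax
:004C2E43 7508 jne 004C2E4D
:004C2E45 A144E74D00 mov eax, dword ptr [004DE744]
:004C2E4A C60003 mov byte ptr [eax], 03
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C2E43(C)
|
:004C2E4D 8B45FC mov eax, dword ptr [ebp-04]
:004C2EB9 E8DEACFDFF call 0049DB9C
:004C2EBE 85C0 test eax, eax
:004C2EC0 0F8582000000 jne 004C2F48
:004C2EC6 8D9598FEFFFF lea edx, dword ptr [ebp+FFFFFE98]
:0049DA4B E82CFFFFFF call 0049D97C
:0049DA50 84C0 test al, al
:0049DA52 742B je 0049DA7F
:0049DA54 33F6 xor esi, esi
"""


if __name__ == "__main__":
    for c in find_check_candidates(parse_listing(SAMPLE_LISTING)):
        print(f"call {c.call_target} at {c.call_addr}: {c.jump_mnem} {c.jump_target} at "
              f"{c.jump_addr} is taken when {c.jumps_when or 'the flags say so'}")
```

Whether a reported jump really leads to the "Bad Guy" message still has to be confirmed in S-ICE or by following the target address in the listing; the scanner only narrows the field.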
2).
In other words, that CALL and what follows are located at:
015F:004CAAA9 CALL
015F:004CAAAE TEST EAX,EAX
015F:004CAAB0 JNZ
So it seems that the proggie can be cracked either by patching the JNZ at 004CAAB0 and changing it into a JZ or, better, by patching the TEST EAX,EAX just before and replacing it with a XOR EAX,EAX. So far, so good, but I still have not sniffed my valid serial number.
What I did notice, though, is that as early as 0049D9F4 the proggie stored my name in EDX and my fake serial number in ECX. I have also noticed that it put both my name and my serial number in ESP at 0049DA43. I saw these things by hitting "d edx", "d ecx" and then "d esp".
Does that help? I realise that I have found the checking routine but I don't understand it very much at this stage. Can you help me again?
To get a clear view of the algorithm, fire up Wdasm, choose Goto/Goto Code Location, enter the address of the main CALL, which is 004CAAA9, and press OK. Then step inside the CALL by pressing Execute Call. You'll now be inside the main validation routine. Look through the code until the RET. You know that EAX contains 1 if the serial number is wrong, so look for the code that puts 1 in EAX, or forces EAX to contain 1.
3).
Here is what I have found.
At 0049DA7F there is a mov esi,00000001 and a little later, at 0049DA8B, there is a mov eax,esi. This means that 1 is moved into esi and then into eax: thus eax=1.
Now the question is how can we bypass that mov esi,00000001?
By looking at the code in Wdasm, I saw that at 0049DA50 there was a test al,al that was followed by a je 0049DA7F which jumps to the location of the mov esi,00000001.
Now if, at location 0049DA50, "al" is not equal to "al", then the JE at location 0049DA52 is not executed, and that means that the rest of the code is executed until line 0049DA7D, where the program jumps directly to 0049DA8B without passing the line where 00000001 is moved into esi.
Is that a good answer?
Then the next step is to find how "al" can be made to be different from "al"... and I don't know more...
4).
Well, I stepped into 0049DA4B CALL 0049D97C.
It seems that, inside that CALL, line 0049D9D0 is interesting as it contains a SETE AL, which means "set AL if zero (zero flag = 1)". That's the only line that I found which influences AL.
Now the question is "what can set the zero flag?" It seems to me that the zero flag is set or not in the CALL just before the SETE instruction, i.e. 0049D9CB CALL 00403434.
So I had a look at that and I think that the JNE at line 00403484 may set the zero flag. That JNE depends on the line before, which is 00403481 CMP CL, BYTE PTR [edx+02].
But then again I'm lost because I don't know anything about such things as "BYTE PTR".
I don't know if I'm right. Please let me know.
Conclusion:
You are right! I should have looked at the code more carefully, and especially at line 00403444 JNE 0040348B, because that JNE, if it is executed, goes beyond the RET, which means that the comparison of serial numbers must be done BEFORE!
And that's it, because we have that CMP right before: 00403442 CMP ecx,ebx.
Well, I found my serial two lines before, at 0040343E, lying right in EAX.
Let's start:
A quick look in FileMon shows you this:
Easyclean Open C:\Windir\EZCLEAN3.KEY NOTFOUND OPENEXISTING READWRITE DENYNONE
Easyclean Open C:\Windir\EZCLEAN4.KEY NOTFOUND OPENEXISTING READWRITE DENYNONE
Easyclean FindOpen C:\Windir\EZCLEAN.KEY NOTFOUND
Easyclean FindOpen C:\Windir\EZCLEAN3.KEY NOTFOUND
Easyclean FindOpen C:\PROGRAM FILES\EASYCLEAN\OLDCFG.ECD NOTFOUND
Easyclean FindOpen C:\PROGRAM FILES\EASYCLEAN\NEWCFG.ECD NOTFOUND
When the application is registered there is an encrypted key file in your %windowsdir%, named Ezclean4.key. If the key file is named Ezclean3.key you get a message telling you that this version requires a separate key file, which you as a registered owner can get for a special price, and that some functions are disabled.
Here is one way to crack this application. Patch the place I marked for you below and you don't need the key file at all: NOP the jump away and the program "thinks" it is registered, to "UNREGISTERED" :) How did I come up with this? Peek at your dead listing (a key file, a Windows directory): BPX GetWindowsDirectoryA. Do nothing the first time SoftICE breaks; press F5 once, and when it breaks the second time press F11 to return from the call, then F12 once, and you land at :004C2D9A.
Look down about 30 lines for mov byte ptr [eax], 04: this byte records which key file was found (04 = Ezclean4.key, 03 = Ezclean3.key). Each call 0049DB9C below appears to be the key-file check; the test eax, eax / jne right after it skips the "key found" code when the call returns non-zero, so the jne at :004C2EC0 is taken exactly when EZCLEAN4.KEY is missing or invalid. NOP it out and execution falls into the registered path, which sets the byte to 04.
* Reference To: kernel32.GetWindowsDirectoryA, Ord:0000h
|
:004C2D95 E86E57F4FF   Call 00408508
:004C2D9A 8BD8         mov ebx, eax                         <-- You land here!
:004C2D9C 8D45EC       lea eax, dword ptr [ebp-14]
:004C2D9F 8BD3         mov edx, ebx
:004C2DA1 E8021FF4FF   call 00404CA8
:004C2DA6 8D45EC       lea eax, dword ptr [ebp-14]
:004C2DA9 E8EA710100   call 004D9F98
:004C2DAE 8B45FC       mov eax, dword ptr [ebp-04]
:004C2DB1 8B804C040000 mov eax, dword ptr [eax+0000044C]
:004C2DB7 BABC3A4C00   mov edx, 004C3ABC
:004C2DBC E867A8FDFF   call 0049D628
:004C2DC1 8D85A4FEFFFF lea eax, dword ptr [ebp+FFFFFEA4]
:004C2DC7 8B55FC       mov edx, dword ptr [ebp-04]
:004C2DCA 8B9A4C040000 mov ebx, dword ptr [edx+0000044C]
:004C2DD0 8D9334020000 lea edx, dword ptr [ebx+00000234]
:004C2DD6 E83D1BF4FF   call 00404918
:004C2DDB 8B85A4FEFFFF mov eax, dword ptr [ebp+FFFFFEA4]
:004C2DE1 8D95A8FEFFFF lea edx, dword ptr [ebp+FFFFFEA8]
:004C2DE7 E8AC81F4FF   call 0040AF98
:004C2DEC 8B8DA8FEFFFF mov ecx, dword ptr [ebp+FFFFFEA8]
:004C2DF2 8D85ACFEFFFF lea eax, dword ptr [ebp+FFFFFEAC]
:004C2DF8 8B55EC       mov edx, dword ptr [ebp-14]
:004C2DFB E8C01BF4FF   call 004049C0
:004C2E00 8B95ACFEFFFF mov edx, dword ptr [ebp+FFFFFEAC]
:004C2E06 8D85B0FEFFFF lea eax, dword ptr [ebp+FFFFFEB0]
:004C2E0C B9FF000000   mov ecx, 000000FF
:004C2E11 E83A1BF4FF   call 00404950
:004C2E16 8D95B0FEFFFF lea edx, dword ptr [ebp+FFFFFEB0]
:004C2E1C 8BC3         mov eax, ebx
:004C2E1E E885A8FDFF   call 0049D6A8
:004C2E23 A144E74D00   mov eax, dword ptr [004DE744]
:004C2E28 C60004       mov byte ptr [eax], 04               <-- Here is the key-version byte (04 = Ezclean4.key)
:004C2E2B A144E74D00   mov eax, dword ptr [004DE744]
:004C2E30 C60000       mov byte ptr [eax], 00
:004C2E33 8B45FC       mov eax, dword ptr [ebp-04]
:004C2E36 8B804C040000 mov eax, dword ptr [eax+0000044C]
:004C2E3C E85BADFDFF   call 0049DB9C
:004C2E41 85C0         test eax, eax
:004C2E43 7508         jne 004C2E4D
:004C2E45 A144E74D00   mov eax, dword ptr [004DE744]
:004C2E4A C60003       mov byte ptr [eax], 03               <-- This is the old registration, Ezclean3.key

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C2E43(C)
|
:004C2E4D 8B45FC       mov eax, dword ptr [ebp-04]
:004C2E50 8B804C040000 mov eax, dword ptr [eax+0000044C]
:004C2E56 BACC3A4C00   mov edx, 004C3ACC
:004C2E5B E874A7FDFF   call 0049D5D4
:004C2E60 8B45FC       mov eax, dword ptr [ebp-04]
:004C2E63 8B804C040000 mov eax, dword ptr [eax+0000044C]
:004C2E69 BAD83A4C00   mov edx, 004C3AD8
:004C2E6E E8B5A7FDFF   call 0049D628
:004C2E73 8D85A0FEFFFF lea eax, dword ptr [ebp+FFFFFEA0]

* Possible StringData Ref from Code Obj ->"EZCLEAN4.KEY"
|
:004C2E79 B9F03A4C00   mov ecx, 004C3AF0
:004C2E7E 8B55EC       mov edx, dword ptr [ebp-14]
:004C2E81 E83A1BF4FF   call 004049C0
:004C2E86 8B95A0FEFFFF mov edx, dword ptr [ebp+FFFFFEA0]
:004C2E8C 8D85B0FEFFFF lea eax, dword ptr [ebp+FFFFFEB0]
:004C2E92 B9FF000000   mov ecx, 000000FF
:004C2E97 E8B41AF4FF   call 00404950
:004C2E9C 8D95B0FEFFFF lea edx, dword ptr [ebp+FFFFFEB0]
:004C2EA2 8B45FC       mov eax, dword ptr [ebp-04]
:004C2EA5 8B804C040000 mov eax, dword ptr [eax+0000044C]
:004C2EAB E8F8A7FDFF   call 0049D6A8
:004C2EB0 8B45FC       mov eax, dword ptr [ebp-04]
:004C2EB3 8B804C040000 mov eax, dword ptr [eax+0000044C]
:004C2EB9 E8DEACFDFF   call 0049DB9C
:004C2EBE 85C0         test eax, eax
:004C2EC0 0F8582000000 jne 004C2F48                         <-- Change this so it won't jump
:004C2EC6 8D9598FEFFFF lea edx, dword ptr [ebp+FFFFFE98]
:004C2ECC B8880C4C00   mov eax, 004C0C88
:004C2ED1 E8E243F4FF   call 004072B8
:004C2ED6 FFB598FEFFFF push dword ptr [ebp+FFFFFE98]
:004C2EDC 8D9560FEFFFF lea edx, dword ptr [ebp+FFFFFE60]
:004C2EE2 8B45FC       mov eax, dword ptr [ebp-04]
:004C2EE5 8B804C040000 mov eax, dword ptr [eax+0000044C]
:004C2EEB E8ECAAFDFF   call 0049D9DC
:004C2EF0 8D9560FEFFFF lea edx, dword ptr [ebp+FFFFFE60]
:004C2EF6 8D8594FEFFFF lea eax, dword ptr [ebp+FFFFFE94]
:004C2EFC E8171AF4FF   call 00404918
:004C2F01 FFB594FEFFFF push dword ptr [ebp+FFFFFE94]
:004C2F07 68083B4C00   push 004C3B08
:004C2F0C 8D859CFEFFFF lea eax, dword ptr [ebp+FFFFFE9C]
:004C2F12 BA03000000   mov edx, 00000003
:004C2F17 E8181BF4FF   call 00404A34
:004C2F1C 8B959CFEFFFF mov edx, dword ptr [ebp+FFFFFE9C]
:004C2F22 8B45FC       mov eax, dword ptr [ebp-04]
:004C2F25 8B8054040000 mov eax, dword ptr [eax+00000454]
:004C2F2B E89486F7FF   call 0043B5C4
:004C2F30 8B55FC       mov edx, dword ptr [ebp-04]
:004C2F33 8B45FC       mov eax, dword ptr [ebp-04]
:004C2F36 E889650000   call 004C94C4
:004C2F3B A144E74D00   mov eax, dword ptr [004DE744]
:004C2F40 C60004       mov byte ptr [eax], 04               <-- Here is the "sign" that we have a key named EZCLEAN4.KEY
:004C2F43 E9D9040000   jmp 004C3421                         <-- go ahead, nice guy
--End of this code--
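As an added example (mine, not the tutorial author's), here is how the "change this so it won't jump" patch at :004C2EC0 can be applied from a script without guessing a file offset. It locates the jne by its bytes together with the instructions on either side, refuses to touch the file unless that signature occurs exactly once, and overwrites the six-byte jne rel32 with six NOPs so nothing after it moves. The byte values are taken from the listing above; the sample buffer, its filler bytes and the function names are constructed for the example.

```python
"""NOP out the 'jne 004C2F48' at :004C2EC0 by byte signature.

Added example, not from the original tutorial. The byte values come from the
W32Dasm listing on this page; the filler bytes of the sample buffer, the
context sizes and the function names are the editor's own assumptions.
"""
from pathlib import Path
from typing import List, Tuple

# Copied from the listing:
#   :004C2EBE 85C0          test eax, eax
#   :004C2EC0 0F8582000000  jne 004C2F48      <-- the jump we want to remove
#   :004C2EC6 8D9598FEFFFF  lea edx, dword ptr [ebp+FFFFFE98]
CONTEXT_BEFORE = bytes.fromhex("85C0")
JNE_REL32 = bytes.fromhex("0F8582000000")
CONTEXT_AFTER = bytes.fromhex("8D9598FEFFFF")
SIGNATURE = CONTEXT_BEFORE + JNE_REL32 + CONTEXT_AFTER
NOP = b"\x90"


def find_all(data: bytes, needle: bytes) -> List[int]:
    """Every offset at which needle occurs in data (overlapping hits included)."""
    hits, start = [], 0
    while (idx := data.find(needle, start)) != -1:
        hits.append(idx)
        start = idx + 1
    return hits


def nop_out_jump(data: bytes) -> Tuple[bytes, int]:
    """Return (patched copy, file offset of the patched jne).

    Refuses to patch unless the signature occurs exactly once, so a different
    build of the target, or an already patched file, is rejected instead of
    being silently corrupted. The six-byte jne rel32 becomes six NOPs, so every
    later instruction keeps its address and no relative jump needs fixing.
    """
    hits = find_all(data, SIGNATURE)
    if len(hits) != 1:
        raise ValueError(f"signature found {len(hits)} times, expected exactly once")
    off = hits[0] + len(CONTEXT_BEFORE)
    assert data[off:off + len(JNE_REL32)] == JNE_REL32
    patched = bytearray(data)
    patched[off:off + len(JNE_REL32)] = NOP * len(JNE_REL32)
    return bytes(patched), off


def patch_file(src: Path, dst: Path) -> int:
    """Patch src into dst (never in place) and return the offset that was changed."""
    patched, off = nop_out_jump(src.read_bytes())
    dst.write_bytes(patched)
    return off


# Constructed sample: the signature embedded in int3 filler, standing in for EZCLEAN4.EXE.
SAMPLE_IMAGE = b"\xCC" * 32 + SIGNATURE + b"\xCC" * 32


if __name__ == "__main__":
    out, off = nop_out_jump(SAMPLE_IMAGE)
    print(f"patched {len(JNE_REL32)} bytes at file offset 0x{off:X}: {out[off:off + 6].hex()}")
```

A one-byte change from 0F 85 to 0F 84 (jne to je) is the other common trick, but it would make a valid EZCLEAN4.KEY fail; NOPs let both cases fall through into the registered path. Patch a copy, never the original, and keep the original bytes so the change can be reverted.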
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
\\Dump the real serial for your name.\\\
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
:0049D9CB E8645AF6FF   call 00403434                        <-- the checking is inside this call
:0049D9D0 0F94C0       sete al                              <-- AL = 1 if the call came back with the zero flag set (equal), else 0; 1 is what we want!
:0049D9D3 83C44C       add esp, 0000004C
:0049D9D6 5F           pop edi
:0049D9D7 5E           pop esi
:0049D9D8 5B           pop ebx
:0049D9D9 C3           ret                                  <-- returns to :0049DA50, right after the call below:
:0049DA4B E82CFFFFFF   call 0049D97C
:0049DA50 84C0         test al, al                          <-- is AL 1?
:0049DA52 742B         je 0049DA7F                          <-- if not, jump away: bad number
:0049DA54 33F6         xor esi, esi                         <-- else go on, nice guy!
:0049DA56 8D8338030000 lea eax, dword ptr [ebx+00000338]
:0049DA5C 8D54240A     lea edx, dword ptr [esp+0A]
:0049DA60 B132         mov cl, 32
:0049DA62 E81959F6FF   call 00403380
:0049DA67 8D836B030000 lea eax, dword ptr [ebx+0000036B]
:0049DA6D 8BD4         mov edx, esp
:0049DA6F B109         mov cl, 09
:0049DA71 E80A59F6FF   call 00403380
:0049DA76 C6837C03000001 mov byte ptr [ebx+0000037C], 01    <-- This is what we want
:0049DA7D EB0C         jmp 0049DA8B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049DA52(C)
|
:0049DA7F BE01000000   mov esi, 00000001
:0049DA84 C6837C03000000 mov byte ptr [ebx+0000037C], 00    <-- No no!!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049DA7D(U)
|
:0049DA8B 8BC6         mov eax, esi                         <-- EAX = 1 on the bad path, 0 on the good one
:0049DA8D 83C440       add esp, 00000040
:0049DA90 5F           pop edi
:0049DA91 5E           pop esi
:0049DA92 5B           pop ebx
:0049DA93 C3           ret
The place to dump your real serial is here: check ECX, or dump the memory EAX points to (it's the same thing). The routine is a general-purpose string compare: it walks both strings a dword (four characters) at a time, then finishes the last one to three bytes one at a time, and reports the result in the zero flag, which the caller turns into AL with the SETE above.
:0040343E 8B08         mov ecx, dword ptr [eax]             <-- Real serial (EAX points to it)
:00403440 8B1A         mov ebx, dword ptr [edx]             <-- Fake serial (EDX points to it)
:00403442 39D9         cmp ecx, ebx                         <-- compare them: ECX=real, EBX=fake, four characters (one dword) at a time
:00403444 7545         jne 0040348B                         <-- jump away, wrong number
:00403446 4E           dec esi
:00403447 7415         je 0040345E
:00403449 8B4804       mov ecx, dword ptr [eax+04]          <-- next four characters of the real serial
:0040344C 8B5A04       mov ebx, dword ptr [edx+04]          <-- next four characters of the fake serial
:0040344F 39D9         cmp ecx, ebx                         <-- compare them again
:00403451 7538         jne 0040348B                         <-- jump away, wrong number
:00403453 83C008       add eax, 00000008
:00403456 83C208       add edx, 00000008
:00403459 4E           dec esi
:0040345A 75E2         jne 0040343E                         <-- are we finished yet? (loops, two dwords per pass)
:0040345C EB06         jmp 00403464                         <-- OK, go on
:0040345E 83C004       add eax, 00000004
:00403461 83C204       add edx, 00000004
Look at the rest by yourself and try to figure out what happens here! (Not that hard, I think, as you already know the other stuff about it.) Hint: ESI & 3 is the number of bytes left over after the dword loop, and they are compared one at a time.
:00403464 5E           pop esi
:00403465 83E603       and esi, 00000003                    <-- bytes left over after the dword loop (0 to 3)
:00403468 7436         je 004034A0                          <-- none left: exit with the zero flag set, i.e. equal
:0040346A 8A08         mov cl, byte ptr [eax]
:0040346C 3A0A         cmp cl, byte ptr [edx]
:0040346E 7530         jne 004034A0
:00403470 4E           dec esi
:00403471 7413         je 00403486                          <-- go on, nice guy!
:00403473 8A4801       mov cl, byte ptr [eax+01]
:00403476 3A4A01       cmp cl, byte ptr [edx+01]
:00403479 7525         jne 004034A0
:0040347B 4E           dec esi
:0040347C 7408         je 00403486                          <-- go on, nice guy!
:0040347E 8A4802       mov cl, byte ptr [eax+02]
:00403481 3A4A02       cmp cl, byte ptr [edx+02]
:00403484 751A         jne 004034A0
:00403486 31C0         xor eax, eax                         <-- clear EAX, which also sets the zero flag
:00403488 5E           pop esi
:00403489 5B           pop ebx
:0040348A C3           ret                                  <-- to the nice buyer (ZF=1, so SETE AL gives 1)
:0040348B 5E           pop esi
:0040348C 38D9         cmp cl, bl                           <-- mismatch path: find the first byte that differs
:0040348E 7510         jne 004034A0
:00403490 38FD         cmp ch, bh
:00403492 750C         jne 004034A0
:00403494 C1E910       shr ecx, 10
:00403497 C1EB10       shr ebx, 10
:0040349A 38D9         cmp cl, bl
:0040349C 7502         jne 004034A0
:0040349E 38FD         cmp ch, bh

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00403468(C), :0040346E(C), :00403479(C), :00403484(C), :0040348E(C)
|:00403492(C), :0040349C(C)
|
:004034A0 5E           pop esi
:004034A1 5B           pop ebx
:004034A2 C3           ret                                  <-- common exit: the zero flag is whatever the last CMP left. On every mismatch path it is clear, so SETE AL gives 0: bad number. Coming from :00403468 with nothing left to compare it is set: good number.
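An added example (editor's code, not from the tutorial): a Python model of the compare loop in the listing above, so you can see what each branch means without single-stepping it. Two points it makes concrete: cmp ecx, ebx compares a whole dword, i.e. four characters at a time rather than three, and the routine's result is the zero flag on return (which the caller turns into AL with sete al), not a value in EAX. The entry convention, that ESI holds the number of bytes to compare, is an assumption because the prologue at :00403434 is not shown; the function names and sample strings are mine.

```python
"""Model of the string-compare loop at :0040343E..:004034A2.

Added example, not from the original tutorial. It reproduces the control flow
of the listing on this page; the entry convention is an assumption (see the
docstring of compare_like_00403434), and the names are the editor's.
"""
from typing import Optional, Tuple


def first_differing_byte(x: bytes, y: bytes) -> int:
    """Index of the first byte that differs; this is what the cl/bl, ch/bh and
    'shr 16' checks at :0040348B work out for the mismatching dword."""
    for i, (p, q) in enumerate(zip(x, y)):
        if p != q:
            return i
    raise ValueError("buffers are identical")


def compare_like_00403434(real: bytes, fake: bytes, n: int) -> Tuple[bool, Optional[int]]:
    """Return (equal, index_of_first_difference).

    Assumption: EAX/EDX point at the two strings and ESI holds n, the number of
    bytes to compare; the prologue at :00403434 that sets this up is not on the
    page. The counter for the dword loop is then n // 4 and the tail handles
    n & 3 bytes, as 'and esi, 3' at :00403465 implies. 'equal' is the state of
    the zero flag when the routine returns, which the caller turns into AL with
    'sete al' at :0049D9D0.
    """
    if len(real) < n or len(fake) < n:
        raise ValueError("both buffers must hold at least n bytes")
    pos = 0
    dwords = n // 4
    while dwords:
        # :00403442 cmp ecx, ebx compares a whole dword: four characters, not three.
        if real[pos:pos + 4] != fake[pos:pos + 4]:
            return False, pos + first_differing_byte(real[pos:pos + 4], fake[pos:pos + 4])
        pos += 4
        dwords -= 1
        if dwords == 0:          # :00403447 je 0040345E
            break
        # :0040344F second, unrolled dword compare
        if real[pos:pos + 4] != fake[pos:pos + 4]:
            return False, pos + first_differing_byte(real[pos:pos + 4], fake[pos:pos + 4])
        pos += 4
        dwords -= 1              # :0040345A jne 0040343E loops while ESI != 0
    # :00403465 and esi, 3: leftover bytes, compared one at a time. If there are
    # none, 'je 004034A0' leaves with the zero flag set, i.e. the strings are equal.
    for i in range(n & 3):
        if real[pos + i] != fake[pos + i]:
            return False, pos + i
    return True, None


if __name__ == "__main__":
    # Constructed sample values; the real serial format is not on the page.
    real_serial = b"ABCD1234WXYZ"
    for typed in (b"ABCD1234WXYZ", b"ABCX1234WXYZ", b"ABCD1234WXYQ"):
        equal, where = compare_like_00403434(real_serial, typed, len(real_serial))
        print(f"{typed!r}: sete al -> {int(equal)}"
              + ("" if equal else f", first difference at byte {where}"))
```

With the page's own name of the game, EAX pointing at the real serial, this is why a "d eax" (or "d ecx" after the first mov) at :0040343E shows the whole serial: the routine needs it in plain memory to compare it.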
The End
About Us: We are a newly born cracking group. Cracking is our hobby and we take it as a challenge. We don't distribute cracks and serials, so don't ask for them. Comments are welcome.
How You Can Help Us: We are knowledge-hungry people, so if you see anything interesting while surfing the net next time, do let us know. The information can be related to anything, such as hacking, cracking, mp3, e-books, etc. Of course, it should be FREE, as our tutorials are. Don't e-mail us about "Get Paid To Surf" or other such "referral" programs. If by any means we register for those types of referral program, we'll not include your name as a "referrer." BTW, we hate spammers.
Our Goal: To spread knowledge and help newbies in "Reverse Code Engineering" by writing tutorials. :-)
Our Thanks And Gratitude Goes To:-
+Sandman for all his Great Tutorials and Magnificent Newbie Forum.
The Snake For hosting this file on his Website.
And all the people out there in "+Sandman Newbie Cracking Forum"
Members:
Founder/Tutorial: e-nigma
Crackers: blacksword, Jim, meRlin, nachtigall, pupp6969, redovens
© 2000 "Learn Cracking In New Style". All Rights Reversed.