SuperBlade Pro

Taking the Edge Off

Date 11/22/00
by Sojourner

There is a crack, a crack in everything. That's how the light gets in.

Rating
(x)Beginner ( )Intermediate ( )Advanced ( )Expert

Thoughtful searching produces excellent looks.

Introduction

 


Tools required

w32dasm 8.x -- your choice of flavor

Hex editor -- UltraEdit 7.xx or whatever you want to use

Target's URL/FTP

www.flamingpear.com

Just go to this site and download what you need.

To Do List
What to do:
1. Make the program registered

Essay
Ah, good to be back in the saddle again. This is a fun little project and it involves
a nifty plug-in for your favorite photo editor. I use Corel Photopaint. You won't believe
how very easy it was to register this baby, but you do have to do a little looking
around, as usual. Go ahead and disassemble it now. As you may suspect, we will do the
fixing on this in a static mode. What I mean by that is that we will not actually be
running the program when we do this. We will only use w32dasm to peruse the
disassembled file looking for clues, then go in with our hex editor to make the
necessary changes, then run the plug-in through our photo editor to see that we have
indeed succeeded in our journey.
One thing you must learn is to look for relevant strings scattered about in the program.
Of course, w32dasm is excellent in this respect. Sometimes a resource editor is
superior for this job, although we won't need one on this trip. Oftentimes
the word "Thanks" or "Thankyou" or "Thank You" may lead you to a starting point.
Today it's going to be "Thankyou." So now do a search and you will end up here.
Look carefully at this code and meet me at the bottom.



* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:10015E22(C), :10015E34(C)
|
:10015EA0 8B4604                  mov eax, dword ptr [esi+04]
:10015EA3 8B500C                  mov edx, dword ptr [eax+0C]
:10015EA6 8B12                    mov edx, dword ptr [edx]
:10015EA8 8B9224010000            mov edx, dword ptr [edx+00000124]
:10015EAE 89542410                mov dword ptr [esp+10], edx
:10015EB2 8B500C                  mov edx, dword ptr [eax+0C]
:10015EB5 8B12                    mov edx, dword ptr [edx]
:10015EB7 8B9228010000            mov edx, dword ptr [edx+00000128]
:10015EBD 89542414                mov dword ptr [esp+14], edx
:10015EC1 8B500C                  mov edx, dword ptr [eax+0C]
:10015EC4 8B12                    mov edx, dword ptr [edx]
:10015EC6 8B922C010000            mov edx, dword ptr [edx+0000012C]
:10015ECC 8954240C                mov dword ptr [esp+0C], edx
:10015ED0 8B400C                  mov eax, dword ptr [eax+0C]
:10015ED3 8B00                    mov eax, dword ptr [eax]
:10015ED5 8B902C010000            mov edx, dword ptr [eax+0000012C]
:10015EDB 52                      push edx
:10015EDC 8B9028010000            mov edx, dword ptr [eax+00000128]
:10015EE2 8B8024010000            mov eax, dword ptr [eax+00000124]
:10015EE8 52                      push edx
:10015EE9 8B5624                  mov edx, dword ptr [esi+24]
:10015EEC 50                      push eax
:10015EED 8B4620                  mov eax, dword ptr [esi+20]
:10015EF0 52                      push edx
:10015EF1 50                      push eax
:10015EF2 51                      push ecx
:10015EF3 E8B8F4FFFF              call 100153B0
:10015EF8 83C418                  add esp, 00000018
:10015EFB 3C01                    cmp al, 01
:10015EFD 0F85A9000000            jne 10015FAC
:10015F03 8B4E04                  mov ecx, dword ptr [esi+04]
:10015F06 8B510C                  mov edx, dword ptr [ecx+0C]
:10015F09 8D4C240C                lea ecx, dword ptr [esp+0C]
:10015F0D 51                      push ecx
:10015F0E 8D4C2414                lea ecx, dword ptr [esp+14]
:10015F12 8B02                    mov eax, dword ptr [edx]
:10015F14 8D542418                lea edx, dword ptr [esp+18]
:10015F18 52                      push edx
:10015F19 51                      push ecx
:10015F1A 8B902C010000            mov edx, dword ptr [eax+0000012C]
:10015F20 8B8828010000            mov ecx, dword ptr [eax+00000128]
:10015F26 52                      push edx
:10015F27 8B9024010000            mov edx, dword ptr [eax+00000124]
:10015F2D 8B4624                  mov eax, dword ptr [esi+24]
:10015F30 51                      push ecx
:10015F31 8B4E20                  mov ecx, dword ptr [esi+20]
:10015F34 52                      push edx
:10015F35 8B561C                  mov edx, dword ptr [esi+1C]
:10015F38 50                      push eax
:10015F39 51                      push ecx
:10015F3A 52                      push edx
:10015F3B E8E0F5FFFF              call 10015520
:10015F40 8B4604                  mov eax, dword ptr [esi+04]
:10015F43 56                      push esi
:10015F44 8B480C                  mov ecx, dword ptr [eax+0C]
:10015F47 8B442438                mov eax, dword ptr [esp+38]
:10015F4B 8B11                    mov edx, dword ptr [ecx]
:10015F4D 898224010000            mov dword ptr [edx+00000124], eax
:10015F53 8B4E04                  mov ecx, dword ptr [esi+04]
:10015F56 8B510C                  mov edx, dword ptr [ecx+0C]
:10015F59 8B4C243C                mov ecx, dword ptr [esp+3C]
:10015F5D 8B02                    mov eax, dword ptr [edx]
:10015F5F 898828010000            mov dword ptr [eax+00000128], ecx
:10015F65 8B5604                  mov edx, dword ptr [esi+04]
:10015F68 8B420C                  mov eax, dword ptr [edx+0C]
:10015F6B 8B542434                mov edx, dword ptr [esp+34]
:10015F6F 8B08                    mov ecx, dword ptr [eax]
:10015F71 89912C010000            mov dword ptr [ecx+0000012C], edx
:10015F77 E894EEFEFF              call 10004E10

* Possible StringData Ref from Data Obj ->"***"
                                  |
:10015F7C 688CC30210              push 1002C38C

* Possible StringData Ref from Data Obj ->"**"
                                  |
:10015F81 68A8C10210              push 1002C1A8

* Possible StringData Ref from Data Obj ->"*"
                                  |
:10015F86 68A4C10210              push 1002C1A4

* Possible StringData Ref from Data Obj ->"SuperBladePro"
                                  |
:10015F8B 687CC30210              push 1002C37C
:10015F90 E86B5DFFFF              call 1000BD00

* Possible StringData Ref from Data Obj ->"THANKYOU" <--HERE Return
                                  |
:10015F95 6860C30210              push 1002C360
:10015F9A E8B162FFFF              call 1000C250
:10015F9F 83C43C                  add esp, 0000003C
:10015FA2 5F                      pop edi
:10015FA3 5E                      pop esi
:10015FA4 5D                      pop ebp
:10015FA5 81C410010000            add esp, 00000110
:10015FAB C3                      ret 

Ok, I see you made it. Did you see anything useful? Check out this code snippet:

:10015EF3 E8B8F4FFFF              call 100153B0
:10015EF8 83C418                  add esp, 00000018
:10015EFB 3C01                    cmp al, 01
:10015EFD 0F85A9000000            jne 10015FAC

Notice the jne here. What is happening is a comparison between the low-order byte of
the ax register (al) and 01. Presumably, the 01 is placed there after successfully entering
the correct serial number; otherwise, why would we get a big "Thankyou"? You can see that if
01 is not in al, the conditional jump is taken and you won't get the thank-you that
you need to satisfy the program. Since the jump is conditional, I've found that it
is generally best if you can guarantee the condition on which the jump is based.
Since we need 01 in al, there are a couple of things we could do. The tack I
followed was to go into the call at 100153B0; the important part is shown below. If
you go into the call as I did and do a thorough analysis of what is happening, you'll
see several places where numbers are being manipulated. Since it isn't
entirely clear what is being manipulated, we must be content with the final outcome.
That is seen at 100154F4: if we are successful, we see 01 being moved into al for us.
Happy days, all! This is our dream. Realistically, if you can guarantee that the code
at 100154ED and 100154EF is not executed, then you will get what you want: the test al, al
followed by je 100154FB skips straight past the mov al, 01 whenever al is zero, so that pair
is what stands between you and the 01. With that in mind, nop 84C0 and 740A at 100154ED and
100154EF. You are home free again. We have completed the only item on our "To Do" list.
Go and enjoy! Just for your info, the other Flaming Pear downloads are not this
straightforward, although they are easy also.


* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:100154CF(C), :100154D7(C), :100154DC(C)
|
:100154E3 83C604                  add esi, 00000004
:100154E6 4F                      dec edi
:100154E7 75CA                    jne 100154B3
:100154E9 8A442412                mov al, byte ptr [esp+12]
:100154ED 84C0                    test al, al
:100154EF 740A                    je 100154FB
:100154F1 5F                      pop edi
:100154F2 5E                      pop esi
:100154F3 5D                      pop ebp
:100154F4 B001                    mov al, 01 <--Here
:100154F6 5B                      pop ebx
:100154F7 83C42C                  add esp, 0000002C
:100154FA C3                      ret
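Reading a w32dasm listing correctly means trusting that the annotated jump and call targets really follow from the encoded bytes (the essay's whole argument rests on where 740A at 100154EF lands). The following script is an added check, not part of the original essay or of any Flaming Pear code: it parses listing lines in w32dasm's ":address hexbytes mnemonic operands" format, recomputes each relative branch target from its displacement (next EIP plus the signed rel8/rel32), and compares it with the target the disassembler printed. The sample lines are copied from the two listings above.

```python
import re

# Constructed sample: lines copied from the w32dasm listings quoted in the essay.
LISTING = """\
:100154E7 75CA                    jne 100154B3
:100154ED 84C0                    test al, al
:100154EF 740A                    je 100154FB
:10015EF3 E8B8F4FFFF              call 100153B0
:10015EFD 0F85A9000000            jne 10015FAC
:10015F77 E894EEFEFF              call 10004E10
"""

# w32dasm line layout: ':' + 8 hex digits, the raw bytes, a mnemonic, optional operands.
LINE_RE = re.compile(r"^:([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+(\w+)(?:\s+(.*))?$")

def parse_line(line):
    """Split one listing line into address, code bytes, mnemonic and operand text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    addr, hexbytes, mnem, ops = m.groups()
    return {"addr": int(addr, 16), "bytes": bytes.fromhex(hexbytes),
            "mnem": mnem.lower(), "ops": (ops or "").strip()}

def branch_target(addr, code):
    """Absolute target of a relative jump/call, or None if not a relative branch.
    x86 encodes the target as a signed displacement from the *next* instruction:
    7x/EB rel8 (2 bytes), E8/E9 rel32 (5 bytes), 0F 8x rel32 (6 bytes)."""
    op = code[0]
    if 0x70 <= op <= 0x7F or op == 0xEB:
        disp, size = int.from_bytes(code[1:2], "little", signed=True), 2
    elif op in (0xE8, 0xE9):
        disp, size = int.from_bytes(code[1:5], "little", signed=True), 5
    elif op == 0x0F and len(code) >= 6 and 0x80 <= code[1] <= 0x8F:
        disp, size = int.from_bytes(code[2:6], "little", signed=True), 6
    else:
        return None
    return (addr + size + disp) & 0xFFFFFFFF

def check_listing(text):
    """For every relative branch in the listing return
    (address, computed_target, annotated_target, match)."""
    results = []
    for line in text.splitlines():
        ins = parse_line(line)
        if ins is None:
            continue
        computed = branch_target(ins["addr"], ins["bytes"])
        if computed is None:          # e.g. 'test al, al' carries no target
            continue
        annotated = int(ins["ops"], 16)
        results.append((ins["addr"], computed, annotated, computed == annotated))
    return results

if __name__ == "__main__":
    for addr, got, want, ok in check_listing(LISTING):
        print(f"{addr:08X}: computed {got:08X} listed {want:08X} {'OK' if ok else 'MISMATCH'}")
```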


Final Notes

I know this was short, but not everything in life has to be hard. Until later.

If you have any questions please feel free to contact me at jomamameister@yahoo.com


Oh Duh
I won't even bother explaining to you that you should BUY this target program if you intend to use it for longer than the allowed period.