Serialsniffing 3D Gif Designer v2.2
Program Information

Program : 3D Gif Designer
Version : 2.2
Company : PY Soft
Website : http://www.pysoft.com
Tutorial Information

Author : daPope

How hard is it to beat the protection scheme?
[ x ] It's a piece of cake
[ ] An average IQ is needed
[ ] You got to be the next Einstein
Hi there. Today I'm going to show you how to find the correct serial for PY Soft's 3D Gif Designer. Beating the protection scheme of this program takes less than a minute. The only tool needed is NuMega's SoftIce.
Start the program and open the registration box.
Now enter !HMEMCPY as name and 989898 as a fake regkey.
If you press Ok a nasty little messagebox will appear.
Press OK to get rid of the box. Now you're back at the registration dialog. Luckily our name and regkey are still there, so there's no need for retyping. In order to trace the serial you need to set a breakpoint. Press Ctrl-D to enter SoftIce (SI), type "bpx hmemcpy" (without the quotes) and press Enter. Press Ctrl-D once more to leave SI. Now you can press Ok. Back in SI. You are now deep inside the hmemcpy API call. Press F12 12 times to leave hmemcpy and return to the caller, which of course is our target program. It should then look like this:
```
015F:004E9004 CALL 004316C0          <- This is the call
015F:004E9009 MOV  EAX,[EBP-020C]    <- And you land here. Your username will be stored in EAX
```
If you continue to examine the rest of the code by tracing with F10 you will soon find where the correct serial is being calculated.
```
015F:004E900F LEA  EDX,[EBP-0208]
015F:004E9015 CALL 004CC62C          <- Calculate serial using the username
015F:004E901A MOV  EAX,[EBP-0208]    <- And save it
015F:004E9020 PUSH EAX               <- on the stack
015F:004E9021 LEA  EDX,[EBP-020C]
015F:004E9027 MOV  EAX,[EBX+000002D0]
015F:004E902D CALL 004316C0          <- Read fake serial
015F:004E9032 MOV  EDX,[EBP-020C]    <- and put it in edx
015F:004E9038 POP  EAX               <- Load real serial in eax
015F:004E9039 CALL 00403F1C          <- Compare the serials
015F:004E903E JZ   004E9097          <- If equal, jump to 004E9097
```
So all you have to do is press F10 4 times and then do a 'd eax', and the correct regkey will be displayed. Now register with !HMEMCPY and the correct regkey. There is no confirmation that you entered the right regkey, but take a look in the About box.
Final notes:
If you want to make a keygen, trace the call at 4E9015. The registration result is stored in the registry.
There are two ways to make the program unregistered again. The hard way is to delete the Reg_Name key in the registry. The easy way is to run the registration procedure once again, but using a non-working regkey.
That's it.
/daPope