Flash v3.08
Written by anTiHerO
Introduction |
Released: January 2001
Protection: Time-limit and registration
* Flash 32 is 32-bit software running under Windows 95, Windows 98, Windows NT 4 and 2000, used to capture and save Windows screens (or parts of screens), images from files, images from Internet WebCams, and images from the Internet Explorer cache.
* Flash 32 installs itself as a tray icon in the tray bar of Windows.
* The captures can be saved in several graphic formats, modified, printed...
* Flash 32 also allows the creation of icons, cursors, animations (ANI, AVI, FLI, FLC and GIF), wallpapers, logos...
* A screen capture can be saved or printed without interaction with the user.
* When you click on its icon, Flash 32 displays two menus:
  * right click: setup menu, help and about
  * left click: particular captures (clipboard, webcam, animations)
Tools required |
Target's URL |
http://www.logipole.com
Essay |
* Before we dive in, just a few things... I am fairly new to code reversing, so my methods may not be the easiest or correct ones, but they work!!! Anyway, the first thing we need to do is fire up Flash32. You will see a small camera-shaped icon; if we right click on this we can see a registration option. Click this, and we see the reg box with three empty fields. I filled them in as follows:
Name: HerO
First Name: anTi
Serial: 123456789
* Right, press OK, and we get the expected "invalid key" message box. Write this down. Fire up W32Dasm and disassemble Flash32. I'm assuming you're familiar with W32Dasm, so open up the String Data References, double click on our string, scroll up a few lines and we should see:
* Hehe, this looks like it isn't going to be too difficult. We look four lines up, and see a conditional jump, JE. This is preceded by a compare instruction, which compares eax and ecx! Should we try something which could save us a lot of tracing through code? What should we do?
* Our compare instruction at 00421E67 is comparing two values, and if they are equal it jumps (we haven't looked where to yet!); if not, it carries on through to our "invalid key" portion of code. Ah-ha! Could the compare instruction be comparing our "fake" serial against the correct serial? Well, there is a quick and easy way to find out! Write down the address of the compare instruction, 00421E67, and now we want to run our debugger and load up Flash32. Boomph! Up pops your SoftICE window, but we know we want the program to break at location 00421E67, so we type:
:bpx 421e67
* You should know this means the program will break when it executes this line of code. Press Ctrl+D (or type x and hit enter if you are using TRW2000) to close your debugger window. We now go to our registration box again and type in again:
Name: HerO
First Name: anTi
Serial: 123456789
* Hit OK, and WALLOP! Up pops our debugger window bang on:
:00421E67 3BC1 cmp eax, ecx
* Right, hit F10 once, so that our jump command line is highlighted. We want to see what is being compared in the eax and ecx registers, don't we? So type:
? eax
What do we see? OUR FAKE REG NUMBER! Contain your excitement! What if we type:
? ecx
What's this? -610844068? Could this be our real reg number? Write it down!
* Now type bc* (or just bc in TRW) to clear all breakpoints, and close our debugger. OK, the moment of truth! Go back to our registration box and type in our details with our new value from the ecx register:
Name: HerO
First Name: anTi
Serial: -610844068
* Hit OK. Hmm, no "bugger off cracker" message! Right click on the taskbar icon and select About...: WOOHOO!!! Registered to anTiHerO! Job done!
We could have easily set about tracing through code with our debugger from the start, but this way cuts out all that. This method doesn't always work, but when it does!!!!!!!!
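Why the shortcut worked, and what a developer would change, as an added illustration in C that is not part of the original essay and not Flash 32's code: the weak check puts the genuine serial in one register and the user's input in another (the cmp eax, ecx above), so a breakpoint on the compare reads the secret straight out; the hardened form ships only a digest of the valid (name, serial) pair, so the serial is never materialised at run time. The name, serial and FNV-1a hash are constructed demo values, not the product's.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed demo values; not Flash 32's real scheme, name or key. */
#define DEMO_VALID_SERIAL 424242LL
static const char DEMO_NAME[] = "Example User";

/* Weak check, the shape the essay found: the genuine serial sits in a
 * register next to the user's input, so a breakpoint on the cmp reveals it. */
int weak_check(const char *name, int64_t entered) {
    int64_t expected = DEMO_VALID_SERIAL; /* the product's computed/stored serial */
    (void)name;
    return expected == entered;           /* cmp eax, ecx ; je registered */
}

/* FNV-1a 64-bit, used here only for illustration; a shipping product would
 * use a keyed MAC or a digital signature over (name, serial). */
static uint64_t fnv1a64(const void *data, size_t len, uint64_t h) {
    const unsigned char *p = data;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

static uint64_t serial_digest(const char *name, int64_t serial) {
    unsigned char le[8];                  /* fixed little-endian encoding */
    for (int i = 0; i < 8; i++) le[i] = (unsigned char)((uint64_t)serial >> (8 * i));
    uint64_t h = fnv1a64(name, strlen(name), 14695981039346656037ULL);
    return fnv1a64(le, sizeof le, h);
}

/* Build-time step (keygen side): the only value the binary would carry. */
uint64_t make_stored_digest(void) {
    return serial_digest(DEMO_NAME, DEMO_VALID_SERIAL);
}

/* Hardened check: only two digests meet in registers, and the compare is
 * a single XOR rather than an early-exit byte loop. */
int hardened_check(const char *name, int64_t entered, uint64_t stored) {
    uint64_t diff = serial_digest(name, entered) ^ stored;
    return diff == 0;
}

int main(void) {
    uint64_t stored = make_stored_digest();
    printf("weak:     %d %d\n", weak_check(DEMO_NAME, 123456789),
                                weak_check(DEMO_NAME, DEMO_VALID_SERIAL));
    printf("hardened: %d %d\n", hardened_check(DEMO_NAME, 123456789, stored),
                                hardened_check(DEMO_NAME, DEMO_VALID_SERIAL, stored));
    return 0;
}
```

Break on the compare in either version and you see two values; only in the hardened one are they digests from which the serial cannot be read back, and a serial valid for one name fails for another.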
Notes:
Final Notes |