Kro_ baR  Serial Number

AKoff Guitar Assistant...version 1.01

The program..........AKoff Guitar Assistant...version 1.01......get it at http://www.download.com

The tools................SoftICE.... I'm using version 4.

AKoff Guitar Assistant can assist in visually tuning your guitar with a microphone or an electric guitar connected to your PC's sound card. It analyzes in real time a stream of audio signals from the WAV input of your sound card and then calculates the main frequency. This frequency is shown by a pointer on the graphic guitar signature stamp (frets), comparing it to the proper frequency. Tuning a string now simply means centering the pointer on the appropriate graphic fret. This trial version has a nag screen. The registered version sells for $19.

Start the program, click register, and put in an email address and any shit number.

Ctrl-D into SoftICE and set a breakpoint: bpx GetDlgItemTextA. F5 out of SoftICE and click register... and you're back in SoftICE.

Now push F5 again to get to the serial routine, then F11 to get out of the call, and disable the breakpoint with bd 00. You should have landed in the program code, on a call:

* Reference To: user32.GetDlgItemTextA, Ord:00E5h
                                  |
:004019F5 E8D29E0100              Call 0041B8CC
:004019FA E87DFAFFFF              call 0040147C <-LAND HERE
:004019FF 833D14E2410000          cmp dword ptr [0041E214], 00000000
:00401A06 741C                    je 00401A24
:00401A08 E863FCFFFF              call 00401670
:00401A0D 68A1114000              push 004011A1
:00401A12 6A00                    push 00000000
:00401A14 6A0C                    push 0000000C
:00401A16 FF3518E24100            push dword ptr [0041E218]

Now remember!! Quite often we're looking for a call closely followed by a cmp/test, then a je or jne, and shit, that's what it looks like here!!

So F8 into the call at 004019FA and you'll land here:

* Referenced by a CALL at Addresses:
|:004011CD   , :004019FA   
|
:0040147C 55                      push ebp <-LAND HERE
:0040147D 89E5                    mov ebp, esp
:0040147F 83EC18                  sub esp, 00000018
:00401482 57                      push edi
:00401483 8A057B144000            mov al, byte ptr [0040147B]
:00401489 8845EC                  mov byte ptr [ebp-14], al
:0040148C 8D45ED                  lea eax, dword ptr [ebp-13]
:0040148F 6A13                    push 00000013
:00401491 6A00                    push 00000000
:00401493 50                      push eax

* Reference To: crtdll.memset, Ord:01ADh
                                  |
:00401494 E86F660100              Call 00417B08
:00401499 83C40C                  add esp, 0000000C
:0040149C 8D7DEC                  lea edi, dword ptr [ebp-14]
:0040149F 57                      push edi
:004014A0 E8DBFDFFFF              call 00401280
:004014A5 31D2                    xor edx, edx
:004014A7 88D0                    mov al, dl
:004014A9 FC                      cld
:004014AA B9FFFFFFFF              mov ecx, FFFFFFFF
:004014AF F2                      repnz
:004014B0 AE                      scasb
:004014B1 83C404                  add esp, 00000004
:004014B4 83F9F2                  cmp ecx, FFFFFFF2
:004014B7 7512                    jne 004014CB
:004014B9 BF10E14100              mov edi, 0041E110
:004014BE FC                      cld
:004014BF B9FFFFFFFF              mov ecx, FFFFFFFF
:004014C4 F2                      repnz
:004014C5 AE                      scasb
:004014C6 83F9F2                  cmp ecx, FFFFFFF2
:004014C9 7402                    je 004014CD

I think somewhere around here we're going to find the serial, so it's really a case of dumping what's in memory as we F10 down and seeing if we can locate it. Now we see the call at 004014A0. If we F8 into this, we'll find ourselves in what appears to be the serial routine. We'll see the email address we entered getting mucked around with, and we'll find ourselves in a couple of loops. When we eventually reach a ret and exit that routine, we'll be at the next line after the call we just entered... here:

:004014A0 E8DBFDFFFF              call 00401280
:004014A5 31D2                    xor edx, edx <-HERE
:004014A7 88D0                    mov al, dl
:004014A9 FC                      cld
:004014AA B9FFFFFFFF              mov ecx, FFFFFFFF
:004014AF F2                      repnz
:004014B0 AE                      scasb
:004014B1 83C404                  add esp, 00000004
:004014B4 83F9F2                  cmp ecx, FFFFFFF2
:004014B7 7512                    jne 004014CB
:004014B9 BF10E14100              mov edi, 0041E110
:004014BE FC                      cld
:004014BF B9FFFFFFFF              mov ecx, FFFFFFFF
:004014C4 F2                      repnz
:004014C5 AE                      scasb
:004014C6 83F9F2                  cmp ecx, FFFFFFF2
:004014C9 7402                    je 004014CD

At address 004014A5 (xor edx, edx), if you type d edx, the correct number should be displayed in the data window.
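A note on what the two repnz scasb / cmp ecx, FFFFFFF2 pairs in the listing above are actually checking. The following is an added C model of that idiom, written for this write-up and not the program's own code; the sample string is constructed. With al cleared (xor edx,edx / mov al,dl) and ecx = FFFFFFFF, repnz scasb walks the buffer at edi until the NUL and decrements ecx once per byte scanned, so afterwards ecx = FFFFFFFF - (strlen + 1). Comparing ecx with FFFFFFF2 is therefore just a check that the string is exactly 12 characters long, once for the buffer at [ebp-14] and once for the string at 0041E110.

```c
#include <stdint.h>
#include <stdio.h>

/* ECX value that "mov ecx,FFFFFFFF ; repnz scasb" (with al = 0) leaves
 * behind for a NUL-terminated string s.  repnz scasb: while ecx != 0,
 * decrement ecx, compare the byte at edi with al, advance edi, and stop
 * as soon as the compare hits equal (i.e. the terminator). */
uint32_t ecx_after_repnz_scasb(const char *s) {
    uint32_t ecx = 0xFFFFFFFFu;
    const unsigned char *p = (const unsigned char *)s;
    while (ecx != 0) {
        ecx--;
        if (*p++ == 0)      /* al == 0: the NUL ends the scan */
            break;
    }
    return ecx;
}

/* Invert the idiom: the string length implied by a post-scan ECX value. */
uint32_t length_from_ecx(uint32_t ecx) {
    return 0xFFFFFFFFu - ecx - 1;   /* ecx = FFFFFFFF - (len + 1) */
}

/* The test at 004014B4 / 004014C6: ecx == FFFFFFF2  <=>  strlen == 12. */
int passes_length_check(const char *s) {
    return ecx_after_repnz_scasb(s) == 0xFFFFFFF2u;
}

int main(void) {
    const char *sample = "ABCDEFGHIJKL";   /* constructed 12-char sample */
    printf("repnz scasb leaves ecx=%08X for \"%s\"; FFFFFFF2 means length %u\n",
           ecx_after_repnz_scasb(sample), sample,
           length_from_ecx(0xFFFFFFF2u));
    return 0;
}
```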

F5 out of SoftICE and poke this number where it belongs. You don't get any thanks, but instead of displaying unregistered, you'll now be using the registered version.