
*****Tut Begins*****

Program:	ImageWolf v1.04 Build 003

Homepage:	www.trellian.com

Size:		978KB

Prog Synopsis:	A prog that searches the net for pictures and movie files.  Registration fee is approx. $25.

Tools needed:	SoftIce (of course!)

Method:

OK fire up the proggie and click on Help-Register and put in your name and serial number.

	Registration Name:	jkon7

	Serial Number:		12121212

As you can guess it didn't work. Grrr! *#%!

OK lets do it again but don't press OK yet.  Ctrl-D in Sice and bpx hmemcpy.  Press OK and Sice fires up.  We need to get into the proggie itself so F11 to get us just below the hmemcpy call and then F12 (8 times) to get us into the prog at

		404A00 lea edx, [ESP+0C]

I like to put a bpx a little further up from where we land so I put a bpx on 4049D8 (just double-click it in Sice and don't forget to disable your bpx on hmemcpy).  Press F5 and OK and then press OK again and Sice will break at 4049D8.  Now looking down the code you will see a few calls but just F10 down until you land on

		404A36  call 00411580	------------ follow this code by pressing F8

You arrive at

		411580  move eax, [ESP+08]
		411584  sub esp, 30
		411587	test eax, eax
		411589  push ebx
		41158A	push edi
		41158B	jz 004116F9
		411591  mov edi, [ESP+3C]
		411595	test edi, edi
		411597	jz 004116F9
		41159D	cmp byte ptr [EAX], 49  ----------------------look at this!  49h is ASCII for "I"
		4115A0	jnz 004116F9  ----------------------beggar off, cracker!
		4115A6	cmp byte ptr [EAX+01], 57  -------------------look at this!  57h is ASCII for "W"
		4115AA	jnz 004116F9  ----------------------beggar off, cracker!
		4115B0	push 14
		4115B2	push eax
		4115B3	lea eax, [ESP+18]
		4115B7	push eax
		4115B8	call 0040AB40
		4115BD	lea ecx, [ESP+1C]
		4115C1	push 2D -----------------------------look at this!  2Dh is the ASCII for "-"

So we have to start our serial number with "IW" and also there probably is a hyphen in there.  OK lets restart the proggie.  I noticed whilst I was looking at the data window once that I saw a "2-" so I thought I would put this ie

		IW2-12121212

OK this seems to get past the above code but there follows a lot of checking loops so to avoid keep pressing F10 (more than 100 times - I need a new F10 keyboard key :-) I found where they finished and put a bpx on 411692.

We arrive at:

		411692	push ecx
		411693	push 0041CC0C
		411698	lea ecx, [ESP+30C]
		41169C	push 14  ---------------------anyone know what the hell that does?
		41169E	push eax
		41169F	call 00411C78
		4116A4	add esp, 10  ---------------------------F10 down to here

When you land on 4116A4 type d ecx in Sice and a number appears in the data window - in my case 930576.  Perfecto!!

Write this number down, F5 out of Sice, press OK.

Enter:

		Registration Name:  	jkon7

		Serial Number:		IW2-930576

and job done.  Yee haw!!

Hope this helps.

jkon7

******Tut Ends******


Best wishes

jkon7