TNT! Reverse Engineering School
------------------------------

*****Tut Begins*****

Program: GhostTyper98 v1.0e Build 1.0.0.14
Home Page: www.tsnsoftware.com/entries/000004be.sml or www.GhostTyper.com
Size: 923KB
Prog Synopsis: This prog saves repeated text amongst other things and is multi-lingual (English/German). Registration fee is 39DM.

Tools needed:
SoftIce
W32Dasm
Hiew

Method:

This program has a 30-day timer and a horrid nag screen that makes you wait before you can press the OK button - I hate these ;-)

Before I start on this proggie, let me explain that I like (if I can) to find the 'echo', that is the correct registration number for the program, by using SoftIce. I ran the proggie, clicked on the register button and entered my name and Reg-Code as

Reg-Name jkon7
Reg-Code 12121212

Of course, I got the wrong code message. Grrr! *#$! This nag screen was really getting to me.

So anyway I opened SoftIce, set a bpx on hmemcpy, entered my name and reg code again and SoftIce broke. I pressed F11, then F12 (a few times, 5-6) and F10 over the ret commands until I got to the main program code. I then searched for hours and hours, pressing F10 and F8 (if there was a Call) and watching the data window for the echo. Not a trace! After hundreds of F10 and F8 key presses I still couldn't see the echo - it was driving me mad, so in the end I decided I just had to give up.

So let's use another method. I made a copy of the prog, fired up W32Dasm and looked at the String References. Almost at the bottom you will see "WrongCode". Double click on this and you will see:

*Referenced by a (U)nconditional or (C)onditional Jump at Address
:00463028 (C)
463078 push 00000000
46307A lea ecx, dword ptr [ebp-08]
*Possible StringData Ref from Code Obj --> "WrongCode"

Notice the conditional jump at 00463028 which leads to the "WrongCode" message. Let's go there.

463028 jne 00463078 ------------------------ do you see what I see ;-)
46302A call 0045BBCC
46302F push 00000000
463031 lea ecx, dword ptr [ebp-0C]
*Possible StringData Ref from Code Obj --> "Registered" -------------------------- look at this ;-)

It seems that if we change the jne to je we might be getting somewhere. Highlight 463028 in W32Dasm.

OK, fire up Hiew, locate the proggie (remember that W32Dasm is using a copy, so it will not affect the file you open in Hiew), press F4 and select Decode. Look in W32Dasm at the offset of the jne you highlighted previously and you will see Offset 00062428 (ignore the 'h'). Press F5 in Hiew and enter 62428; press F3 to edit and change 75 (jne) to 74 (je). Press F9 then F10 to exit Hiew.

Now run the prog again (when will that nag be killed ;-) and register. Enter (in my case)

Reg-Name jkon7
Reg-Code 12121212

and Yee Haw! We are registered.

Close the program down and then re-open it. Right click on the prog in the task bar and left click on Information. Click on Register and what do you see!! I can't believe it! I see

Reg-Name jkon7
Reg-Code 119524077 ------------------------- the echo!

You can also see this Reg-Code in Explorer in the c:\Program Files\GhostTyper98\GhostTyp.INI file. So if you want to, you can fire up Hiew again, locate offset 62428 again and change the je BACK to jne (74 back to 75), making the program exactly as it was when you downloaded it, and you now know your correct Reg Code. Muhahahahah!!

Hope this helps

jkon7

******Tut Ends******
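From the software author's side, the tutorial shows two separate design mistakes: registration is decided by a single conditional branch, and on "success" the program writes the code it computed itself (not the one the user typed) into GhostTyp.INI, so forcing that branch hands over the valid code. The following Python is an added illustration, not GhostTyper98's code; its code derivation (a keyed digest folded to nine decimal digits) and the vendor key are constructed stand-ins, since the real algorithm is not known. It places the leaky pattern beside a version that persists only user input and re-verifies the stored pair on every start; `force_accept` models a verification branch that has been flipped in the binary.

```python
import hmac

# Constructed placeholder; a real product would not ship a usable secret in the client.
_VENDOR_KEY = b"example-vendor-secret"


def derive_code(name: str) -> str:
    """Constructed stand-in for the program's own code derivation:
    keyed digest of the name, folded to a 9-digit decimal string."""
    digest = hmac.new(_VENDOR_KEY, name.encode("utf-8"), "sha256").digest()
    return str(int.from_bytes(digest[:8], "big") % 10**9).zfill(9)


def register_weak(name: str, entered: str, ini: dict, force_accept: bool = False) -> bool:
    """Pattern the tutorial exploits: the client derives the valid code, one
    branch decides, and on 'success' the DERIVED code is written to disk.
    force_accept models that branch having been patched (jne -> je)."""
    expected = derive_code(name)
    if entered == expected or force_accept:
        ini["RegName"] = name
        ini["RegCode"] = expected   # leak: the valid code is echoed into the INI
        return True
    return False


def register_hardened(name: str, entered: str, ini: dict, force_accept: bool = False) -> bool:
    """Persist only what the user typed, compared in constant time. A forced
    branch here neither reveals the valid code nor survives a restart, because
    the stored pair is re-verified on load."""
    ok = hmac.compare_digest(entered, derive_code(name))
    if ok or force_accept:
        ini["RegName"] = name
        ini["RegCode"] = entered    # no derived value ever reaches disk
        return True
    return False


def is_registered_on_load(ini: dict) -> bool:
    """Startup check: the INI is untrusted input; accept it only if the
    name/code pair it holds still verifies."""
    name = ini.get("RegName", "")
    code = ini.get("RegCode", "")
    return hmac.compare_digest(code, derive_code(name))


if __name__ == "__main__":
    weak, hard = {}, {}
    register_weak("jkon7", "12121212", weak, force_accept=True)
    register_hardened("jkon7", "12121212", hard, force_accept=True)
    print("weak INI leaks derived code :", weak["RegCode"] == derive_code("jkon7"))
    print("hardened INI holds user input:", hard["RegCode"])
    print("hardened still registered after restart:", is_registered_on_load(hard))
```

Any branch that runs on the user's machine can still be flipped, so this does not make the check unbreakable; the gain is that a patched registration dialog has nothing to leak, and a stored record is never trusted without re-verification. Moving from a secret-keyed derivation to verifying a vendor signature with an embedded public key would also remove the secret from the client entirely.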