iNTROdUCTION :
hi there and welcome to another tutorial ...
Sometimes appearance can be deceiving , and sometimes the ppl u know best and trust show u their ugly side , and man , talking
about getting ugly !! they became monsters just like the ones they used to talk about and hate , now they have become like
them . i guess it is true what someone said , people don't change , they just become more themselves ....
pROTEcTION :
o.k this prog. needs a password to register , and like always in my tutorials we will learn how to find the password ...
o.k after u install the program , run it to take a look at it , now click on the about button , then click on enter password , now before u enter anything as a password , read the note under the registration code text field , it says
hmm !! that is nice , so there are 2 types of passwords , one is the temp. and one is the full !! , so let's begin the search , now enter anything in the registration code text box , in my case i wrote :
Registration code : 1234567890
o.k now before u click on the o.k button set a breakpoint like this one :
bpx hmemcpy
then press the F5 button to exit softice , then click on the o.k button , softice will break , press the F11 button once then press the F12 button 11 times and u will land on this code :
:0045E38A 837DFC00                cmp dword ptr [ebp-04], 00000000  <-- we land here 
:0045E38E 7423                    je 0045E3B3
:0045E390 8D55FC                  lea edx, dword ptr [ebp-04]
:0045E393 8B83C4020000            mov eax, dword ptr [ebx+000002C4]
:0045E399 E8B6FCFCFF              call 0042E054
:0045E39E 8B45FC                  mov eax, dword ptr [ebp-04]  <-- eax has our dummy code 
:0045E3A1 8D55F8                  lea edx, dword ptr [ebp-08]
:0045E3A4 E83FFFFFFF              call 0045E2E8  <-- we step into this call 
o.k kool !! , now when u are at address 0045E3A4 press the F8 button to step into the call , then trace with the F10 button until u reach this code :
:0045E328 8A541AFF                mov dl, byte ptr [edx+ebx-01]  <-- dl has a char from our code 
:0045E32C 4A                      dec edx  <-- subtract 1 from it (dl is the low byte of edx)
:0045E32D 885418FF                mov byte ptr [eax+ebx-01], dl  <-- store it back in its place 
:0045E331 43                      inc ebx
:0045E332 4E                      dec esi
:0045E333 75E8                    jne 0045E31D  <-- if not equal take the next char. 
hmm !! this is a kind of masking for our code : it takes a char. from our code , subtracts one from it and stores it back in its place , so at the end of this loop we have a masked registration code . now trace with the F10 button after u finish the loop and after executing 2 RETs we get back to this code :
:0045E3A9 8B55F8                  mov edx, dword ptr [ebp-08]  <-- edx has our coded reg. code 
:0045E3AC 8BC3                    mov eax, ebx
:0045E3AE E8C1FDFFFF              call 0045E174  <-- we step into this call 
o.k when u r at address 0045E3AE press the F8 button , then trace until this code :
:0045E195 8B45FC                  mov eax, dword ptr [ebp-04]  <-- eax has our coded reg. code
:0045E198 BAB4E24500              mov edx, 0045E2B4  <-- edx has string = "khfgsxdkknv"
:0045E19D E88A5EFAFF              call 0040402C   <-- compare the two strings
:0045E1A2 7536                    jne 0045E1DA  <-- jump if not equal
... trace with the F10 button until
:0045E1DA 8B45FC                  mov eax, dword ptr [ebp-04]  <-- eax has our coded reg. code
:0045E1DD BADCE24500              mov edx, 0045E2DC  <-- edx has string = "cddofqddm"
:0045E1E2 E8455EFAFF              call 0040402C  <-- compare the two strings
:0045E1E7 7547                    jne 0045E230  <-- jump if not equal
o.k !! , now we are almost at the end .... when we are at address 0045E195 eax has our coded reg. code , u can see that by typing 'd eax' . at address 0045E198 edx has the string "khfgsxdkknv" , which is the real password in its masked form , u can see that by typing 'd edx' . then the prog compares the two strings to see if they are equal . now here comes our job : we know that the prog masked our dummy code by subtracting 1 from each char. , so to recover the string "khfgsxdkknv" we take each char and add one to it , so :
stored : k h f g s x d k k n v
+1     : 1 1 1 1 1 1 1 1 1 1 1
         - - - - - - - - - - -
result : l i g h t y e l l o w   <-- our 1st password
now when we are at address 0045E1DA we do the same thing and ...
stored : c d d o f q d d m
+1     : 1 1 1 1 1 1 1 1 1
         - - - - - - - - -
result : d e e p g r e e n   <-- our 2nd password
now remember that note at the beginning of the tut , one of these passwords is the temp. and the other one is the full , so try the first one "lightyellow" , then close the prog , run it again , click on about and u will see the Enter password button is still enabled , so it is the 2nd one , try it and ...
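As an added example that is not part of the original tutorial: the masking loop at 0045E328 and the string compares at 0045E19D / 0045E1E2 modelled in Python, showing that a fixed per-byte offset is no protection at all because the literals stored in the binary invert straight back to the passwords, next to a salted-hash check that does not disclose the password (the salted-hash variant is a hardened alternative added here, not the program's own scheme; the salt value in the test is constructed).

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Comparison strings taken from the disassembly shown in this tutorial.
MASKED_FIRST = "khfgsxdkknv"   # compared at 0045E19D
MASKED_SECOND = "cddofqddm"    # compared at 0045E1E2


def mask(code: str) -> str:
    """Model of the loop at 0045E328: subtract 1 from every byte of the input."""
    return "".join(chr(ord(c) - 1) for c in code)


def unmask(masked: str) -> str:
    """Inverse of mask(): a constant offset is undone by adding 1 to every byte,
    so the stored literals are the passwords in all but name."""
    return "".join(chr(ord(c) + 1) for c in masked)


def weak_check(code: str) -> Optional[str]:
    """The scheme the tutorial traces: mask the input, then compare it with
    the two literals. Returns which literal matched, or None."""
    m = mask(code)
    if m == MASKED_FIRST:
        return "first"
    if m == MASKED_SECOND:
        return "second"
    return None


# Hardened alternative (not the program's scheme): keep only a salted, slow
# hash of each password, so nothing stored can be inverted to the password,
# and compare digests in constant time.
ITERATIONS = 100_000


def make_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def strong_check(code: str, record: Tuple[bytes, bytes]) -> bool:
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", code.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)
```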
tKC ... (for showing me the light !! )
LW2000 ... ( Thanx alot i now use my brain )
[XasX] ... (i know u work hard , this is y u r good !!)
AzmO ... (yes!! man we are different !! )
Sir dReAm ... (u r the best !! )
tabm0de ... ( thanx alot !! ur a true friend !!)
ASTAGA ... (i don't mind if u comment this tutorial)
Marilyn, VaibLitzeR ,  and ShaQ ... (good luck to u all !! )
and to all TNT!CRACK!TEAM! members ... (keep up the good work !!)
any comments mail me :  fatzbit@gmx.net 
See ya in another tut !!! Soon !!!
--= EOF =--