Vanor - Tutorial: Registration of CDRCue v1.0b

Program:     CDRCue v1.0b
Description: CueSheet Editor
Author:      (c)1997-1999 DC Software Design, Inc.
Size:        495.616 Bytes (CDRCue.exe)
Used Tools:  - W32DSM89

1. First, we must find out which kind of protection this program uses. To do this we start "CDRCue" and open the "File" menu, where an "Unlock" option can already be seen. We click on "Unlock" and a window opens where we can enter a Name and a Serial. So "CDRCue" uses a serial number as protection! To get a clue about our serial, enter any data in the registration dialog, e.g.

   Name:   DOOM 1999
   Serial: 112233445566778899

   Be sure to note the error message that appears!

2. Leave the program and load W32DASM89.

3. Now disassemble CDRCue.EXE (to be on the safe side, save the code) and run the program via the debugger [Debug/Load Process].

4. Look for the error message "The Name does not match the Personal Unlock Code..." via [Refs/String Data References]. Double-clicking the entry shows the corresponding lines in the listing. We find the reference at the address :0041D344.

   :0041D33A 6830000100          push 00010030

   * Possible StringData Ref from Data Obj ->"Please try again"
   :0041D33F 685CAA4600          push 0046AA5C

   * Possible StringData Ref from Data Obj ->"The Name does not match the Personal "
                                           ->"Unlock Code."
   :0041D344 6870AA4600          push 0046AA70
   :0041D349 6A00                push 00000000
   SNIP

   Yeah! Now we scroll upwards and look at where the error message is called or where it is jumped over. That's at 0041D2FF and 0041D338. We search upwards for 0041D2FF. Now we are in the following area:

   SNIP
   :0041D2E3 50                  push eax
   :0041D2E4 E86C060000          call 0041D955                          ; Calculation Routine ???
   :0041D2E9 83C408              add esp, 00000008
   :0041D2EC 8B4DFC              mov ecx, dword ptr [ebp-04]            ; set Breakpoint
   :0041D2EF 898190010000        mov dword ptr [ecx+00000190], eax
   :0041D2F5 8B55FC              mov edx, dword ptr [ebp-04]
   :0041D2F8 83BA9001000000      cmp dword ptr [edx+00000190], 00000000
   :0041D2FF 7550                jne 0041D351                           ; if not equal -> No Error
   :0041D301 8B45FC              mov eax, dword ptr [ebp-04]
   :0041D304 8B8898010000        mov ecx, dword ptr [eax+00000198]
   :0041D30A 83C101              add ecx, 00000001
   :0041D30D 8B55FC              mov edx, dword ptr [ebp-04]
   :0041D310 898A98010000        mov dword ptr [edx+00000198], ecx
   :0041D316 8B45FC              mov eax, dword ptr [ebp-04]
   :0041D319 33C9                xor ecx, ecx
   :0041D31B 83B89801000003      cmp dword ptr [eax+00000198], 00000003
   :0041D322 0F9DC1              setnl cl
   :0041D325 8B55FC              mov edx, dword ptr [ebp-04]
   :0041D328 898A94010000        mov dword ptr [edx+00000194], ecx
   :0041D32E 8B45FC              mov eax, dword ptr [ebp-04]
   :0041D331 83B89401000000      cmp dword ptr [eax+00000194], 00000000
   :0041D338 7517                jne 0041D351                           ; if not equal -> No Error
   SNIP

   To see whether our assumption is right, we go on to point 5.

5. We put a breakpoint [F2] at the corresponding line and start "CDRCue". As Name we take "DOOM 1999" and as Serial "112233445566778899". Now we click on [Unlock]. Wow! The program stops. We take a look at the contents of the registers via the data display, but we find nothing :( Our last chance is the register [edx]. Yeah, we find the following:

   Contents of edx : e9431d64-18872fe7-cee90c1f-f547d463 -> Right Serial ?

6. To test whether CDRCue can be registered with the serial we have found, we deactivate all breakpoints and run the program once again. Now we enter the following data:

   Name                 : DOOM 1999
   Personal Unlock Code : e9431d64-18872fe7-cee90c1f-f547d463

   Yes, we are a "registered user" of CDRCue.

7. Note: After the successful registration, CDRCue writes our data into the file "Cdrcue.dat" in the "CDRCue" directory.

I hope you have fun with cracking!

Vanor [DOOM]
07.04.1999