Dark Heaven - Tutorial: Registration of WinInBlack 99

Program:      WinInBlack 99 v2.1sG Build 294
Description:  Tuning for Windows 95/98
Author:       (C) 1997-99 BaqSoft Software Labs
Size:         3,080,704 bytes (WIB99.EXE)
Used tool(s): W32DASM89

1. First we have to find out which kind of protection the program uses. Start "WinInBlack" and look for the place where WIB99 can be registered. "WinInBlack" uses a serial number as its protection. To get a handle on the serial, enter some dummy data in the registration dialog, e.g.

   Name:    Dark Heaven
   Company: DH
   Serial:  1122334455

   and write down the error message that appears, word for word: its text is our search key in the next steps.

2. Leave the program and load W32DASM89.

3. Disassemble WIB99.EXE (to be on the safe side, save the disassembly) and run the program under the debugger via [Debug/Load Process].

4. Look for the error message "Achtung falsche Daten!" ("Warning: wrong data!") via [Refs/String Data References]. Double-clicking an entry jumps to the corresponding line in the listing. We find the reference at address 004B1232, and W32Dasm tells us that this block is reached by a conditional jump from 004B110A:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B110A(C)
|
:004B121D 8B45FC                  mov eax, dword ptr [ebp-04]         ; <- we look for the JUMP to this point
:004B1220 8B9810020000            mov ebx, dword ptr [eax+00000210]

* Possible StringData Ref from Code Obj ->"Registrierung"
|
:004B1226 BAF4124B00              mov edx, 004B12F4
:004B122B 8BC3                    mov eax, ebx
:004B122D E86E22FFFF              call 004A34A0

* Possible StringData Ref from Code Obj ->"Achtung falsche Daten!"
|
:004B1232 BA24144B00              mov edx, 004B1424                   ; <- the ERROR message
:004B1237 8BC3                    mov eax, ebx
:004B1239 E8FE21FFFF              call 004A343C
:004B123E 8B1550154B00            mov edx, dword ptr [004B1550]
:004B1244 8BC3                    mov eax, ebx
:004B1246 E8C522FFFF              call 004A3510
:004B124B 8BC3                    mov eax, ebx
:004B124D E8B220FFFF              call 004A3304
:004B1252 6683F802                cmp ax, 0002

5. Now we look for the jump to the error message: choose [Goto/Goto Code Location] and enter the address 004B110A. It lies in the routine below, which fetches three strings from the dialog object in [ebp-04] (via call 00420E3C from the fields at offsets 208, 20C and 204), passes them in ECX, EDX and EAX to the check routine at 004B0F2C and jumps to the error message if that routine returns AL = 0:

:004B1030 55                      push ebp
:004B1031 8BEC                    mov ebp, esp
:004B1033 81C4E4FEFFFF            add esp, FFFFFEE4
:004B1039 53                      push ebx
:004B103A 56                      push esi
:004B103B 57                      push edi
:004B103C 33C9                    xor ecx, ecx
:004B103E 898DECFEFFFF            mov dword ptr [ebp+FFFFFEEC], ecx
:004B1044 898DE8FEFFFF            mov dword ptr [ebp+FFFFFEE8], ecx
:004B104A 898DE4FEFFFF            mov dword ptr [ebp+FFFFFEE4], ecx
:004B1050 894DF4                  mov dword ptr [ebp-0C], ecx
:004B1053 894DF0                  mov dword ptr [ebp-10], ecx
:004B1056 8945FC                  mov dword ptr [ebp-04], eax
:004B1059 33C0                    xor eax, eax
:004B105B 55                      push ebp
:004B105C 6881124B00              push 004B1281
:004B1061 64FF30                  push dword ptr fs:[eax]
:004B1064 648920                  mov dword ptr fs:[eax], esp
:004B1067 8D85F0FEFFFF            lea eax, dword ptr [ebp+FFFFFEF0]
:004B106D 8B55F4                  mov edx, dword ptr [ebp-0C]
:004B1070 B9FF000000              mov ecx, 000000FF
:004B1075 E88E2CF5FF              call 00403D08
:004B107A 8D95F0FEFFFF            lea edx, dword ptr [ebp+FFFFFEF0]
:004B1080 B8581B4D00              mov eax, 004D1B58
:004B1085 B114                    mov cl, 14
:004B1087 E8281AF5FF              call 00402AB4
:004B108C 8D85F0FEFFFF            lea eax, dword ptr [ebp+FFFFFEF0]
:004B1092 8B55F0                  mov edx, dword ptr [ebp-10]
:004B1095 B9FF000000              mov ecx, 000000FF
:004B109A E8692CF5FF              call 00403D08
:004B109F 8D95F0FEFFFF            lea edx, dword ptr [ebp+FFFFFEF0]
:004B10A5 B8701B4D00              mov eax, 004D1B70
:004B10AA B114                    mov cl, 14
:004B10AC E8031AF5FF              call 00402AB4
:004B10B1 8D95ECFEFFFF            lea edx, dword ptr [ebp+FFFFFEEC]
:004B10B7 8B45FC                  mov eax, dword ptr [ebp-04]
:004B10BA 8B8008020000            mov eax, dword ptr [eax+00000208]
:004B10C0 E877FDF6FF              call 00420E3C
:004B10C5 8B85ECFEFFFF            mov eax, dword ptr [ebp+FFFFFEEC]
:004B10CB 50                      push eax
:004B10CC 8D95E8FEFFFF            lea edx, dword ptr [ebp+FFFFFEE8]
:004B10D2 8B45FC                  mov eax, dword ptr [ebp-04]
:004B10D5 8B800C020000            mov eax, dword ptr [eax+0000020C]
:004B10DB E85CFDF6FF              call 00420E3C
:004B10E0 8B85E8FEFFFF            mov eax, dword ptr [ebp+FFFFFEE8]
:004B10E6 50                      push eax
:004B10E7 8D95E4FEFFFF            lea edx, dword ptr [ebp+FFFFFEE4]
:004B10ED 8B45FC                  mov eax, dword ptr [ebp-04]
:004B10F0 8B8004020000            mov eax, dword ptr [eax+00000204]
:004B10F6 E841FDF6FF              call 00420E3C
:004B10FB 8B85E4FEFFFF            mov eax, dword ptr [ebp+FFFFFEE4]
:004B1101 5A                      pop edx
:004B1102 59                      pop ecx
:004B1103 E824FEFFFF              call 004B0F2C                       ; <- Execute Call
:004B1108 84C0                    test al, al
:004B110A 0F840D010000            je 004B121D                         ; <- jump to the ERROR message
:004B1110 B201                    mov dl, 01
:004B1112 A1D0914400              mov eax, dword ptr [004491D0]
:004B1117 E84882F9FF              call 00449364
:004B111C 8945F8                  mov dword ptr [ebp-08], eax
:004B111F 33C0                    xor eax, eax
:004B1121 55                      push ebp
:004B1122 68D0114B00              push 004B11D0
:004B1127 64FF30                  push dword ptr fs:[eax]
:004B112A 648920                  mov dword ptr fs:[eax], esp
:004B112D BA01000080              mov edx, 80000001
:004B1132 8B45F8                  mov eax, dword ptr [ebp-08]
:004B1135 E8BE82F9FF              call 004493F8
:004B113A B101                    mov cl, 01
SNIP

6. We follow the CALL at address 004B1103 via [Execute Text/Execute Call]. This is the real check. After refusing an empty user name or company (an empty Delphi string is a nil pointer, hence the two cmp ..., 00000000 / je 004B1006), it calls 004B0D98 to compute the correct key from those two strings into [ebp-10] and then compares that key with the one we entered ([ebp-04], the EAX argument):

* Referenced by a CALL at Address:
|:004B1103
|
:004B0F2C 55                      push ebp                            ; <- reached from the CALL at 004B1103
:004B0F2D 8BEC                    mov ebp, esp
:004B0F2F 83C4F0                  add esp, FFFFFFF0
:004B0F32 53                      push ebx
:004B0F33 56                      push esi
:004B0F34 33DB                    xor ebx, ebx
:004B0F36 895DF0                  mov dword ptr [ebp-10], ebx
:004B0F39 894DF4                  mov dword ptr [ebp-0C], ecx
:004B0F3C 8955F8                  mov dword ptr [ebp-08], edx
:004B0F3F 8945FC                  mov dword ptr [ebp-04], eax
:004B0F42 8B45FC                  mov eax, dword ptr [ebp-04]
:004B0F45 E8962FF5FF              call 00403EE0
:004B0F4A 8B45F8                  mov eax, dword ptr [ebp-08]
:004B0F4D E88E2FF5FF              call 00403EE0
:004B0F52 8B45F4                  mov eax, dword ptr [ebp-0C]
:004B0F55 E8862FF5FF              call 00403EE0
:004B0F5A 33C0                    xor eax, eax
:004B0F5C 55                      push ebp
:004B0F5D 6821104B00              push 004B1021
:004B0F62 64FF30                  push dword ptr fs:[eax]
:004B0F65 648920                  mov dword ptr fs:[eax], esp
:004B0F68 33DB                    xor ebx, ebx
:004B0F6A 837DF800                cmp dword ptr [ebp-08], 00000000
:004B0F6E 0F8492000000            je 004B1006
:004B0F74 837DF400                cmp dword ptr [ebp-0C], 00000000
:004B0F78 0F8488000000            je 004B1006
:004B0F7E 8D4DF0                  lea ecx, dword ptr [ebp-10]
:004B0F81 8B55F4                  mov edx, dword ptr [ebp-0C]
:004B0F84 8B45F8                  mov eax, dword ptr [ebp-08]
:004B0F87 E80CFEFFFF              call 004B0D98

* Possible StringData Ref from Code Obj ->"8462"
|
:004B0F8C A19CDB4C00              mov eax, dword ptr [004CDB9C]
:004B0F91 0FB600                  movzx eax, byte ptr [eax]
:004B0F94 8B4DF0                  mov ecx, dword ptr [ebp-10]
:004B0F97 8A4C01CF                mov cl, byte ptr [ecx+eax-31]
:004B0F9B 8B75FC                  mov esi, dword ptr [ebp-04]
:004B0F9E 3A4C06CF                cmp cl, byte ptr [esi+eax-31]       ; <- first compare: here we set a breakpoint
:004B0FA2 7562                    jne 004B1006

* Possible StringData Ref from Code Obj ->"8462"
|
:004B0FA4 A19CDB4C00              mov eax, dword ptr [004CDB9C]
:004B0FA9 33D2                    xor edx, edx
:004B0FAB 8A5001                  mov dl, byte ptr [eax+01]
:004B0FAE 8B45F0                  mov eax, dword ptr [ebp-10]
:004B0FB1 8A4410CF                mov al, byte ptr [eax+edx-31]
:004B0FB5 8B4DFC                  mov ecx, dword ptr [ebp-04]
:004B0FB8 3A4411CF                cmp al, byte ptr [ecx+edx-31]
:004B0FBC 7548                    jne 004B1006

* Possible StringData Ref from Code Obj ->"8462"
|
:004B0FBE A19CDB4C00              mov eax, dword ptr [004CDB9C]
:004B0FC3 0FB64002                movzx eax, byte ptr [eax+02]
:004B0FC7 8B55F0                  mov edx, dword ptr [ebp-10]
:004B0FCA 8A4402CF                mov al, byte ptr [edx+eax-31]

* Possible StringData Ref from Code Obj ->"8462"
|
:004B0FCE 8B159CDB4C00            mov edx, dword ptr [004CDB9C]
:004B0FD4 0FB65202                movzx edx, byte ptr [edx+02]
:004B0FD8 8B4DFC                  mov ecx, dword ptr [ebp-04]
:004B0FDB 3A4411CF                cmp al, byte ptr [ecx+edx-31]
:004B0FDF 7525                    jne 004B1006

* Possible StringData Ref from Code Obj ->"8462"
|
:004B0FE1 A19CDB4C00              mov eax, dword ptr [004CDB9C]
:004B0FE6 0FB64003                movzx eax, byte ptr [eax+03]
:004B0FEA 8B55F0                  mov edx, dword ptr [ebp-10]
:004B0FED 8A4402CF                mov al, byte ptr [edx+eax-31]

* Possible StringData Ref from Code Obj ->"8462"
|
:004B0FF1 8B159CDB4C00            mov edx, dword ptr [004CDB9C]
:004B0FF7 0FB65203                movzx edx, byte ptr [edx+03]
:004B0FFB 8B4DFC                  mov ecx, dword ptr [ebp-04]
:004B0FFE 3A4411CF                cmp al, byte ptr [ecx+edx-31]
:004B1002 7502                    jne 004B1006
:004B1004 B301                    mov bl, 01

Note what this compare actually does. The string "8462" at [004CDB9C] is a position table: each digit d is used as the index d - 31h into both key strings, so only characters 8, 4, 6 and 2 (counting from 1) of the computed key are compared with the key we typed; the other characters are never looked at. BL becomes 1 only if all four match, and the caller tests that result in AL at 004B1108.

7. At address 004B0F9E we find the first compare. Here we set our first breakpoint with [F2]. Then we switch to "WinInBlack" and enter our name and a dummy code, e.g.

   User:    Dark Heaven
   Company: DH
   Key:     1122334455

8. After entering the data W32Dasm breaks at our breakpoint. Now we look at the memory the registers EDX, ECX and ESI point to:

   EDX = 00FD02C0: EDX+00000000 = Dark Heaven
   ESI = 00FD2A84: ESI+00000000 = 1122334455
   ECX = 00FF954C: ECX-00000010 = PDLFCZ33ZREP   (the key we are looking for)

9. Now we can register "WinInBlack" with this key. As a result we get the message "Vielen Dank für Ihre Registrierung" ("Thank you for your registration"), e.g.

   User:    Dark Heaven
   Company: DH
   Key:     PDLFCZ33ZREP

10. Note: after a successful registration "WinInBlack" writes our data into the registry. It can be found under the following key:

   [HKEY_CURRENT_USER\Software\BaqSoft\WinInBlack98\Register]
   "Company"="Dark Heaven"
   "User"="DH"
   "Key"="PDLFCZ33ZREP"

I hope you have fun cracking!

Dark Heaven
06.03.1998
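Added example (not part of Dark Heaven's tutorial and not BaqSoft code): a Python re-implementation of the compare routine at 004B0F2C, written from the listing in step 6, so the effect of the "8462" position table can be tried out. The key-generation routine at 004B0D98 is not shown on the page, so fake_keygen() below is a hypothetical stand-in that only knows the single (User, Company, Key) triple observed in step 8; which of the two strings the real routine takes in EAX and which in EDX cannot be determined from the page either. minimal_accepted_key() is likewise an added helper, not something in the program.

```python
"""Re-implementation of the key check at 004B0F2C in WIB99.EXE, derived
from the W32Dasm listing.  Added example; fake_keygen() is a constructed
stand-in for the unseen routine at 004B0D98, NOT the real algorithm."""

# Constant string at [004CDB9C].  Each digit d is used as index d-31h into
# both key strings, i.e. the 1-based character positions 8, 4, 6 and 2.
POSITION_TABLE = "8462"


def checked_positions():
    """0-based indices the routine compares: [7, 3, 5, 1]."""
    return [ord(d) - 0x31 for d in POSITION_TABLE]


def fake_keygen(user, company):
    """Hypothetical stand-in for 004B0D98 (result lands in [ebp-10]).
    Built from the single observation in step 8; returns '' for any
    other input because the real derivation is not on the page."""
    known = {("Dark Heaven", "DH"): "PDLFCZ33ZREP"}
    return known.get((user, company), "")


def check_key(user, company, entered):
    """True where the routine leaves BL = 1, False where BL stays 0."""
    # cmp [ebp-08],0 / cmp [ebp-0C],0: an empty Delphi string is a nil
    # pointer, so an empty Company or User fails before a key is computed.
    if not company or not user:
        return False
    computed = fake_keygen(user, company)           # call 004B0D98
    for idx in checked_positions():
        # The binary indexes the string bytes unconditionally, so a key
        # shorter than 8 characters would make it read past the string.
        # This re-implementation fails closed instead of reading out of
        # bounds; that guard is ours, not the program's.
        if idx >= len(computed) or idx >= len(entered):
            return False
        if computed[idx] != entered[idx]:           # cmp .../jne 004B1006
            return False
    return True                                     # mov bl, 01


def minimal_accepted_key(user, company):
    """A key that passes check_key() while sharing only the four checked
    characters with the real key; every unchecked position is '?'."""
    real = fake_keygen(user, company)
    if not real:
        return ""
    key = ["?"] * len(real)
    for idx in checked_positions():
        key[idx] = real[idx]
    return "".join(key)


if __name__ == "__main__":
    print(check_key("Dark Heaven", "DH", "1122334455"))    # dummy code
    print(check_key("Dark Heaven", "DH", "PDLFCZ33ZREP"))  # observed key
    weak = minimal_accepted_key("Dark Heaven", "DH")
    print(weak, check_key("Dark Heaven", "DH", weak))      # 8 of 12 chars unchecked
```

Running it shows that the dummy code fails, the observed key passes, and a key that agrees with the real one in only positions 2, 4, 6 and 8 also passes: the check verifies four characters of a twelve-character key, which is why the first breakpoint in step 7 already exposes the whole key in memory before most of it is ever compared.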