Dark Heaven - Tutorial: Registration of WinInBlack 99


Program:     WinInBlack 99 v2.1sG   Build 294
Description: Tuning for Windows 95/98
Author:      (C) 1997-99 BaqSoft Software Labs
Size:        3.080.704 Bytes (WIB99.EXE)


Used Tool(s): - W32DSM89


1. First, we must find out which kind of protection this program uses.
   To do this we start "WinInBlack" and look for a place to register WIB99.

   Well, "WinInBlack" uses a serial number as protection!

   To get a clue about our serial, enter any data in the Registration menu now,
   e.g. Name: Dark Heaven   Company: DH   Serial: 1122334455

   Take careful note of the error message that appears!

2. Leave the program and load W32DASM89.

3. Now disassemble WIB99.EXE (to be on the safe side, save the disassembly)
   and run the program under the debugger [Debug/Load Process].

4. Look for the error message "Achtung falsche Daten!" via [Refs/String Data References].
   Double-clicking an entry jumps to the corresponding line of the listing.
   We find the reference at address :004B1232.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B110A(C)
|
:004B121D 8B45FC                  mov eax, dword ptr [ebp-04]		; <- we are looking for the JUMP to this point
:004B1220 8B9810020000            mov ebx, dword ptr [eax+00000210]

* Possible StringData Ref from Code Obj ->"Registrierung"
                                  |
:004B1226 BAF4124B00              mov edx, 004B12F4
:004B122B 8BC3                    mov eax, ebx
:004B122D E86E22FFFF              call 004A34A0

* Possible StringData Ref from Code Obj ->"Achtung falsche Daten!"
                                  |
:004B1232 BA24144B00              mov edx, 004B1424      		; <- the ERROR message
:004B1237 8BC3                    mov eax, ebx
:004B1239 E8FE21FFFF              call 004A343C
:004B123E 8B1550154B00            mov edx, dword ptr [004B1550]
:004B1244 8BC3                    mov eax, ebx
:004B1246 E8C522FFFF              call 004A3510
:004B124B 8BC3                    mov eax, ebx
:004B124D E8B220FFFF              call 004A3304
:004B1252 6683F802                cmp ax, 0002

5. Now we must find the jump to the error message. Choose the menu [Goto]
   and the option [Goto Code Location], and enter the address 004B110A.

:004B1030 55                      push ebp
:004B1031 8BEC                    mov ebp, esp
:004B1033 81C4E4FEFFFF            add esp, FFFFFEE4
:004B1039 53                      push ebx
:004B103A 56                      push esi
:004B103B 57                      push edi
:004B103C 33C9                    xor ecx, ecx
:004B103E 898DECFEFFFF            mov dword ptr [ebp+FFFFFEEC], ecx
:004B1044 898DE8FEFFFF            mov dword ptr [ebp+FFFFFEE8], ecx
:004B104A 898DE4FEFFFF            mov dword ptr [ebp+FFFFFEE4], ecx
:004B1050 894DF4                  mov dword ptr [ebp-0C], ecx
:004B1053 894DF0                  mov dword ptr [ebp-10], ecx
:004B1056 8945FC                  mov dword ptr [ebp-04], eax
:004B1059 33C0                    xor eax, eax
:004B105B 55                      push ebp
:004B105C 6881124B00              push 004B1281
:004B1061 64FF30                  push dword ptr fs:[eax]
:004B1064 648920                  mov dword ptr fs:[eax], esp
:004B1067 8D85F0FEFFFF            lea eax, dword ptr [ebp+FFFFFEF0]
:004B106D 8B55F4                  mov edx, dword ptr [ebp-0C]
:004B1070 B9FF000000              mov ecx, 000000FF
:004B1075 E88E2CF5FF              call 00403D08
:004B107A 8D95F0FEFFFF            lea edx, dword ptr [ebp+FFFFFEF0]
:004B1080 B8581B4D00              mov eax, 004D1B58
:004B1085 B114                    mov cl, 14
:004B1087 E8281AF5FF              call 00402AB4
:004B108C 8D85F0FEFFFF            lea eax, dword ptr [ebp+FFFFFEF0]
:004B1092 8B55F0                  mov edx, dword ptr [ebp-10]
:004B1095 B9FF000000              mov ecx, 000000FF
:004B109A E8692CF5FF              call 00403D08
:004B109F 8D95F0FEFFFF            lea edx, dword ptr [ebp+FFFFFEF0]
:004B10A5 B8701B4D00              mov eax, 004D1B70
:004B10AA B114                    mov cl, 14
:004B10AC E8031AF5FF              call 00402AB4
:004B10B1 8D95ECFEFFFF            lea edx, dword ptr [ebp+FFFFFEEC]
:004B10B7 8B45FC                  mov eax, dword ptr [ebp-04]
:004B10BA 8B8008020000            mov eax, dword ptr [eax+00000208]
:004B10C0 E877FDF6FF              call 00420E3C
:004B10C5 8B85ECFEFFFF            mov eax, dword ptr [ebp+FFFFFEEC]
:004B10CB 50                      push eax
:004B10CC 8D95E8FEFFFF            lea edx, dword ptr [ebp+FFFFFEE8]
:004B10D2 8B45FC                  mov eax, dword ptr [ebp-04]
:004B10D5 8B800C020000            mov eax, dword ptr [eax+0000020C]
:004B10DB E85CFDF6FF              call 00420E3C
:004B10E0 8B85E8FEFFFF            mov eax, dword ptr [ebp+FFFFFEE8]
:004B10E6 50                      push eax
:004B10E7 8D95E4FEFFFF            lea edx, dword ptr [ebp+FFFFFEE4]
:004B10ED 8B45FC                  mov eax, dword ptr [ebp-04]
:004B10F0 8B8004020000            mov eax, dword ptr [eax+00000204]
:004B10F6 E841FDF6FF              call 00420E3C
:004B10FB 8B85E4FEFFFF            mov eax, dword ptr [ebp+FFFFFEE4]
:004B1101 5A                      pop edx
:004B1102 59                      pop ecx
:004B1103 E824FEFFFF              call 004B0F2C                		; <- Execute Call
:004B1108 84C0                    test al, al
:004B110A 0F840D010000            je 004B121D      			; <- Jump to ERROR message
:004B1110 B201                    mov dl, 01
:004B1112 A1D0914400              mov eax, dword ptr [004491D0]
:004B1117 E84882F9FF              call 00449364
:004B111C 8945F8                  mov dword ptr [ebp-08], eax
:004B111F 33C0                    xor eax, eax
:004B1121 55                      push ebp
:004B1122 68D0114B00              push 004B11D0
:004B1127 64FF30                  push dword ptr fs:[eax]
:004B112A 648920                  mov dword ptr fs:[eax], esp
:004B112D BA01000080              mov edx, 80000001
:004B1132 8B45F8                  mov eax, dword ptr [ebp-08]
:004B1135 E8BE82F9FF              call 004493F8
:004B113A B101                    mov cl, 01

SNIP

6. We follow the CALL at address 004B1103 via [Execute Text/Execute Call].

* Referenced by a CALL at Address:
|:004B1103   
|
:004B0F2C 55                      push ebp                		; <- target of the CALL at 004B1103
:004B0F2D 8BEC                    mov ebp, esp
:004B0F2F 83C4F0                  add esp, FFFFFFF0
:004B0F32 53                      push ebx
:004B0F33 56                      push esi
:004B0F34 33DB                    xor ebx, ebx
:004B0F36 895DF0                  mov dword ptr [ebp-10], ebx
:004B0F39 894DF4                  mov dword ptr [ebp-0C], ecx
:004B0F3C 8955F8                  mov dword ptr [ebp-08], edx
:004B0F3F 8945FC                  mov dword ptr [ebp-04], eax
:004B0F42 8B45FC                  mov eax, dword ptr [ebp-04]
:004B0F45 E8962FF5FF              call 00403EE0
:004B0F4A 8B45F8                  mov eax, dword ptr [ebp-08]
:004B0F4D E88E2FF5FF              call 00403EE0
:004B0F52 8B45F4                  mov eax, dword ptr [ebp-0C]
:004B0F55 E8862FF5FF              call 00403EE0
:004B0F5A 33C0                    xor eax, eax
:004B0F5C 55                      push ebp
:004B0F5D 6821104B00              push 004B1021
:004B0F62 64FF30                  push dword ptr fs:[eax]
:004B0F65 648920                  mov dword ptr fs:[eax], esp
:004B0F68 33DB                    xor ebx, ebx
:004B0F6A 837DF800                cmp dword ptr [ebp-08], 00000000
:004B0F6E 0F8492000000            je 004B1006
:004B0F74 837DF400                cmp dword ptr [ebp-0C], 00000000
:004B0F78 0F8488000000            je 004B1006
:004B0F7E 8D4DF0                  lea ecx, dword ptr [ebp-10]
:004B0F81 8B55F4                  mov edx, dword ptr [ebp-0C]
:004B0F84 8B45F8                  mov eax, dword ptr [ebp-08]
:004B0F87 E80CFEFFFF              call 004B0D98

* Possible StringData Ref from Code Obj ->"8462"
                                  |
:004B0F8C A19CDB4C00              mov eax, dword ptr [004CDB9C]
:004B0F91 0FB600                  movzx eax, byte ptr [eax]
:004B0F94 8B4DF0                  mov ecx, dword ptr [ebp-10]
:004B0F97 8A4C01CF                mov cl, byte ptr [ecx+eax-31]
:004B0F9B 8B75FC                  mov esi, dword ptr [ebp-04]
:004B0F9E 3A4C06CF                cmp cl, byte ptr [esi+eax-31]
:004B0FA2 7562                    jne 004B1006            		; <- here we set a Breakpoint

* Possible StringData Ref from Code Obj ->"8462"
                                  |
:004B0FA4 A19CDB4C00              mov eax, dword ptr [004CDB9C]
:004B0FA9 33D2                    xor edx, edx
:004B0FAB 8A5001                  mov dl, byte ptr [eax+01]
:004B0FAE 8B45F0                  mov eax, dword ptr [ebp-10]
:004B0FB1 8A4410CF                mov al, byte ptr [eax+edx-31]
:004B0FB5 8B4DFC                  mov ecx, dword ptr [ebp-04]
:004B0FB8 3A4411CF                cmp al, byte ptr [ecx+edx-31]
:004B0FBC 7548                    jne 004B1006

* Possible StringData Ref from Code Obj ->"8462"
                                  |
:004B0FBE A19CDB4C00              mov eax, dword ptr [004CDB9C]
:004B0FC3 0FB64002                movzx eax, byte ptr [eax+02]
:004B0FC7 8B55F0                  mov edx, dword ptr [ebp-10]
:004B0FCA 8A4402CF                mov al, byte ptr [edx+eax-31]

* Possible StringData Ref from Code Obj ->"8462"
                                  |
:004B0FCE 8B159CDB4C00            mov edx, dword ptr [004CDB9C]
:004B0FD4 0FB65202                movzx edx, byte ptr [edx+02]
:004B0FD8 8B4DFC                  mov ecx, dword ptr [ebp-04]
:004B0FDB 3A4411CF                cmp al, byte ptr [ecx+edx-31]
:004B0FDF 7525                    jne 004B1006

* Possible StringData Ref from Code Obj ->"8462"
                                  |
:004B0FE1 A19CDB4C00              mov eax, dword ptr [004CDB9C]
:004B0FE6 0FB64003                movzx eax, byte ptr [eax+03]
:004B0FEA 8B55F0                  mov edx, dword ptr [ebp-10]
:004B0FED 8A4402CF                mov al, byte ptr [edx+eax-31]

* Possible StringData Ref from Code Obj ->"8462"
                                  |
:004B0FF1 8B159CDB4C00            mov edx, dword ptr [004CDB9C]
:004B0FF7 0FB65203                movzx edx, byte ptr [edx+03]
:004B0FFB 8B4DFC                  mov ecx, dword ptr [ebp-04]
:004B0FFE 3A4411CF                cmp al, byte ptr [ecx+edx-31]
:004B1002 7502                    jne 004B1006
:004B1004 B301                    mov bl, 01

7.  At address 004B0F9E we find the first compare. Here we set our first breakpoint
    via [F2]. Then we switch to "WinInBlack" and enter our name and our dummy code:

    e.g. User    : Dark Heaven
         Company : DH
         Key     : 1122334455

8.  After entering our data, W32Dasm breaks at our breakpoint. Now we can
    look at the memory the registers EDX, ECX and ESI point to.
 
    EDX = 00FD02C0: EDX+00000000 = Dark Heaven
    ESI = 00FD2A84: ESI+00000000 = 1122334455
    ECX = 00FF954C: ECX-00000010 = PDLFCZ33ZREP ( the searched key )
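    As an added illustration (not code from this tutorial or from BaqSoft), here is a Python model of the compare sequence listed at 004B0F8C..004B1004 and of the decision it reaches for the values seen at the breakpoint. The key-derivation routine called at 004B0F87 (004B0D98) is not modelled; its result is passed in as `expected`, and the constant-time variant is an assumption about how a defender would write the same compare.

```python
import hmac

# Index table the routine reads at 004CDB9C: the string "8462".  Each
# character minus 0x31 ('1') is used as an index into both key strings
# (`mov cl, byte ptr [ecx+eax-31]`), so the positions compared are 7, 3, 5, 1.
INDEX_TABLE = "8462"


def key_positions(table=INDEX_TABLE):
    """Turn the table characters into the key offsets the listing uses."""
    return [ord(c) - 0x31 for c in table]


def check_key_as_listed(expected, entered):
    """Model of the compare sequence at 004B0F8C..004B1004.

    `expected` stands for the string the call at 004B0F87 leaves at [ebp-10];
    how it is derived from name and company is not shown in the listing, so it
    is simply passed in here.  `entered` is the key typed by the user
    ([ebp-04]).  The routine compares one byte per table entry and takes
    `jne 004B1006` (failure) at the first mismatch; only if all four compares
    pass does it reach `mov bl, 01`.  Only the compares visible in the listing
    are modelled, not anything the callee may check on its own.
    """
    for pos in key_positions():
        if pos >= len(expected) or pos >= len(entered):
            return False              # the real code would read past the string
        if expected[pos] != entered[pos]:
            return False              # jne 004B1006
    return True                       # mov bl, 01


def check_key_constant_time(expected, entered):
    """The same decision written as a defender would: whole-string compare
    with no per-byte early exit (hmac.compare_digest).  Note what it does NOT
    fix: `expected` is still the valid key in plaintext in process memory,
    which is exactly what step 8 reads out of ECX.  Only a scheme whose
    verifier never reconstructs the valid key (e.g. checking a signature with
    a public key) removes that exposure.
    """
    return hmac.compare_digest(expected.encode(), entered.encode())


if __name__ == "__main__":
    # Values from the tutorial: the key found in memory and the dummy key typed in.
    print(check_key_as_listed("PDLFCZ33ZREP", "1122334455"))    # dummy key -> error path
    print(check_key_as_listed("PDLFCZ33ZREP", "PDLFCZ33ZREP"))  # found key -> registered
```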

9.  Now we can register "WinInBlack" with this key. As a result we get the
    message "Vielen Dank für Ihre Registrierung".

    e.g. User     : Dark Heaven
         Company  : DH
         Key      : PDLFCZ33ZREP

10. Note:

    After successful registration "WinInBlack" writes our data to the
    registry. It can be found under the following key:

    [HKEY_CURRENT_USER\Software\BaqSoft\WinInBlack98\Register]
    "Company"="Dark Heaven"
    "User"="DH"
    "Key"="PDLFCZ33ZREP"



I hope you have fun with cracking!
Dark Heaven
06.03.1998