Dark Heaven - Tutorial: Registration of Applet Menu Wizard v1.0

Program: 	Applet Menu Wizard v1.0
Description: 	Creating of HTML-Menus
Author: 	(C) 1998 Source Tec Software Co. Ltd
Size: 		414.208 Bytes (APPLETMENUWIZARD.EXE)


Used Tool(s): - W32DASM v8.93


1. First, we must find out which kind of protection use this program.
   To this we start "Applet Menu Wizard" and searching for a point to register it. 
   
   Well, "Applet Menu Wizard" use a Serial-Number as protection !

   To get a clue about our Serial now, write down any data on the Registrations Menu now.
   e.g. Name: Dark Heaven Serial: 1122334455
  
   Noticing the appearing error message absolutely !!!

2. Leave the program and Load W32DASM89

3. Now, you should disassemble the APPLETMENUWIZARD.EXE (to be on the safe side, save 
   the code) and run the program via the Debugger [Debug/Load Process].

4. Look for the error message "Sorry, that is not a valid register code"
   via [Refs/String Data References]. The corresponding lines are shown on the 
   listing by double clicks. 
   We find the reference(s) at the address(es) : 0040C7AB.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C726(C)
|
:0040C7A7 6A00                    push 00000000       			; <- searching JUMP to this point
:0040C7A9 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"Sorry, that is not a valid register "
                                        ->"code."
                                  |
:0040C7AB 68D0FC4300              push 0043FCD0          		; <- the ERROR message
:0040C7B0 E82DD20100              call 004299E2
:0040C7B5 8D4C240C                lea ecx, dword ptr [esp+0C]
:0040C7B9 C7442418FFFFFFFF        mov [esp+18], FFFFFFFF
:0040C7C1 E8688E0100              call 0042562E
:0040C7C6 8B4C2410                mov ecx, dword ptr [esp+10]
:0040C7CA 5F                      pop edi
:0040C7CB 5E                      pop esi
:0040C7CC 33C0                    xor eax, eax
:0040C7CE 64890D00000000          mov dword ptr fs:[00000000], ecx
:0040C7D5 5D                      pop ebp
:0040C7D6 83C410                  add esp, 00000010
:0040C7D9 C20800                  ret 0008

SNIP

5. Now we must find the Jump to the Error message.Therefore we choose the menu [Goto] 
   and the menu option [Goto Code Location] and enter the address 0040C726.

* Referenced by a CALL at Address:
|:0040C8F0   
|
:0040C6B0 6AFF                    push FFFFFFFF
:0040C6B2 68A02B4300              push 00432BA0
:0040C6B7 64A100000000            mov eax, dword ptr fs:[00000000]
:0040C6BD 50                      push eax
:0040C6BE 64892500000000          mov dword ptr fs:[00000000], esp
:0040C6C5 51                      push ecx
:0040C6C6 55                      push ebp
:0040C6C7 56                      push esi
:0040C6C8 8BF1                    mov esi, ecx
:0040C6CA 57                      push edi
:0040C6CB 8D4C240C                lea ecx, dword ptr [esp+0C]
:0040C6CF E80F8E0100              call 004254E3
:0040C6D4 8B7C2420                mov edi, dword ptr [esp+20]
:0040C6D8 83C614                  add esi, 00000014
:0040C6DB 56                      push esi
:0040C6DC 8D442424                lea eax, dword ptr [esp+24]
:0040C6E0 57                      push edi
:0040C6E1 50                      push eax
:0040C6E2 C744242400000000        mov [esp+24], 00000000
:0040C6EA E801A0FFFF              call 004066F0
:0040C6EF 83C40C                  add esp, 0000000C
:0040C6F2 50                      push eax
:0040C6F3 8D4C2410                lea ecx, dword ptr [esp+10]
:0040C6F7 C644241C01              mov [esp+1C], 01
:0040C6FC E826900100              call 00425727
:0040C701 8D4C2420                lea ecx, dword ptr [esp+20]
:0040C705 C644241800              mov [esp+18], 00
:0040C70A E81F8F0100              call 0042562E
:0040C70F 8B6C2424                mov ebp, dword ptr [esp+24]
:0040C713 8B4C240C                mov ecx, dword ptr [esp+0C]
:0040C717 51                      push ecx
:0040C718 8B5500                  mov edx, dword ptr [ebp+00]
:0040C71B 52                      push edx
:0040C71C E8CF4E0000              call 004115F0           		; <- here we set a Breakpoint
:0040C721 83C408                  add esp, 00000008
:0040C724 85C0                    test eax, eax
:0040C726 757F                    jne 0040C7A7     			; <- Jump to ERROR message
:0040C728 E8BF320200              call 0042F9EC
:0040C72D 8B7004                  mov esi, dword ptr [eax+04]

6. At address 0040C71C we must set our first breakpoint via [F2].
   Then we change to "Applet Menu Wizard" and enter our name and a dummy code :

   e.g. Email Adress : Dark Heaven
        Register Code: 1122334455

7. After entering our datas WDASM will break at our Breakpoint.Now we can 
   take a look at the contents of the register addresses [edx] and [ecx].

   EDX = 007C0F7C: EDX-00000020 = Dark Heaven
                   EDX+00000000 = 1122334455
   ECX = 007C152C: ECX+00000000 = 44DD9FF9816152E0 ( the searched key )

8. Now we can register "Applet Menu Wizard" with the serial we have found.
   As result we will get the message "Thank you! Please restart".

   e.g. Email Adress : Dark Heaven
        Register Code: 44DD9FF9816152E0



I hope you have fun with cracking!
Dark Heaven
01.02.1999