Dark Heaven - Tutorial: Registration of Download Butler

Program:     Download Butler v1.5d - 32 bit
Description: Internet tool
Author:      (C) 1995, 1998 Lincoln Beach Software
Size:        819,200 bytes (BUTLER.EXE)
Used tool:   W32DASM v8.93

1. First we must find out which kind of protection this program uses. To do this we start "Download Butler" and look for a place to register it. Well, "Download Butler" uses a serial number as protection! To get a clue about our serial, enter any data in the registration menu now, e.g.

   Name:    Dark Heaven
   Code:    1122334455
   Special: 123456789

   Be sure to note the error message that appears!

2. Leave the program and load W32DASM89.

3. Now disassemble BUTLER.EXE (to be on the safe side, save the disassembly) and run the program under the debugger [Debug/Load Process].

4. Look for the error message "Invalid Key!" via [Refs/String Data References]. A double click shows the corresponding lines in the listing. We find the reference at address 00497B2B.

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:00497A65(C)
   |
   :00497B20 6A00                 push 00000000                 ; <- we are looking for the JUMP to this point
   :00497B22 668B0D687B4900       mov cx, word ptr [00497B68]
   :00497B29 B201                 mov dl, 01

   * Possible StringData Ref from Code Obj ->"Invalid Key!"
   |
   :00497B2B B8307C4900           mov eax, 00497C30             ; <- the ERROR message
   :00497B30 E8BBD8F9FF           call 004353F0
   SNIP

5. Now we must find the jump to the error message. We choose the menu [Goto] and the option [Goto Code Location] and enter the address 00497A65.
   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:0049799C(C)
   |
   :00497A03 90                   nop
   :00497A04 55                   push ebp
   :00497A05 8BEC                 mov ebp, esp
   :00497A07 33C9                 xor ecx, ecx
   :00497A09 51                   push ecx
   :00497A0A 51                   push ecx
   :00497A0B 51                   push ecx
   :00497A0C 51                   push ecx
   :00497A0D 51                   push ecx
   :00497A0E 51                   push ecx
   :00497A0F 51                   push ecx
   :00497A10 53                   push ebx
   :00497A11 56                   push esi
   :00497A12 57                   push edi
   :00497A13 8BD8                 mov ebx, eax
   :00497A15 33C0                 xor eax, eax
   :00497A17 55                   push ebp
   :00497A18 68587B4900           push 00497B58
   :00497A1D 64FF30               push dword ptr fs:[eax]
   :00497A20 648920               mov dword ptr fs:[eax], esp
   :00497A23 8D55FC               lea edx, dword ptr [ebp-04]
   :00497A26 8B83C4010000         mov eax, dword ptr [ebx+000001C4]
   :00497A2C E877F6F7FF           call 004170A8
   :00497A31 8B45FC               mov eax, dword ptr [ebp-04]
   :00497A34 50                   push eax
   :00497A35 8D55F8               lea edx, dword ptr [ebp-08]
   :00497A38 8B83B8010000         mov eax, dword ptr [ebx+000001B8]
   :00497A3E E865F6F7FF           call 004170A8
   :00497A43 8B45F8               mov eax, dword ptr [ebp-08]
   :00497A46 50                   push eax
   :00497A47 8D55F4               lea edx, dword ptr [ebp-0C]
   :00497A4A 8B83B4010000         mov eax, dword ptr [ebx+000001B4]
   :00497A50 E853F6F7FF           call 004170A8
   :00497A55 8B55F4               mov edx, dword ptr [ebp-0C]
   :00497A58 A1C01C4B00           mov eax, dword ptr [004B1CC0]
   :00497A5D 59                   pop ecx
   :00497A5E E8C141FFFF           call 0048BC24                 ; <- Execute Call
   :00497A63 84C0                 test al, al
   :00497A65 0F84B5000000         je 00497B20                   ; <- Jump to ERROR message
   :00497A6B 6A00                 push 00000000
   :00497A6D 668B0D687B4900       mov cx, word ptr [00497B68]
   :00497A74 B202                 mov dl, 02
   SNIP

6. We follow the CALL at address 00497A5E via [Execute Text/Execute Call].
   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:0048BBBD(C)
   |
   :0048BC24 55                   push ebp
   :0048BC25 8BEC                 mov ebp, esp
   :0048BC27 83C4F4               add esp, FFFFFFF4
   :0048BC2A 53                   push ebx
   :0048BC2B 56                   push esi
   :0048BC2C 57                   push edi
   :0048BC2D 33DB                 xor ebx, ebx
   :0048BC2F 895DF4               mov dword ptr [ebp-0C], ebx
   :0048BC32 894DF8               mov dword ptr [ebp-08], ecx
   :0048BC35 8955FC               mov dword ptr [ebp-04], edx
   :0048BC38 8BF0                 mov esi, eax
   :0048BC3A 8B45FC               mov eax, dword ptr [ebp-04]
   :0048BC3D E8667DF7FF           call 004039A8
   :0048BC42 8B45F8               mov eax, dword ptr [ebp-08]
   :0048BC45 E85E7DF7FF           call 004039A8
   :0048BC4A 8B4508               mov eax, dword ptr [ebp+08]
   :0048BC4D E8567DF7FF           call 004039A8
   :0048BC52 33C0                 xor eax, eax
   :0048BC54 55                   push ebp
   :0048BC55 684FBD4800           push 0048BD4F
   :0048BC5A 64FF30               push dword ptr fs:[eax]
   :0048BC5D 648920               mov dword ptr fs:[eax], esp
   :0048BC60 33DB                 xor ebx, ebx
   :0048BC62 8D55F4               lea edx, dword ptr [ebp-0C]

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:0048BBF4(C)
   |
   :0048BC65 8B45FC               mov eax, dword ptr [ebp-04]

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:0048BC01(C)
   |
   :0048BC68 E857AEF7FF           call 00406AC4
   :0048BC6D 8B45F4               mov eax, dword ptr [ebp-0C]
   :0048BC70 E87F7BF7FF           call 004037F4

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:0048BC0E(C)
   |
   :0048BC75 85C0                 test eax, eax

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:0048BC06(C)
   |
   :0048BC77 0F8EAF000000         jle 0048BD2C
   :0048BC7D 8D55F4               lea edx, dword ptr [ebp-0C]
   :0048BC80 8B45F8               mov eax, dword ptr [ebp-08]
   :0048BC83 E83CAEF7FF           call 00406AC4
   :0048BC88 8B45F4               mov eax, dword ptr [ebp-0C]
   :0048BC8B E8647BF7FF           call 004037F4
   :0048BC90 85C0                 test eax, eax
   :0048BC92 0F8E94000000         jle 0048BD2C
   :0048BC98 8D55F4               lea edx, dword ptr [ebp-0C]
   :0048BC9B 8B4508               mov eax, dword ptr [ebp+08]
   :0048BC9E E821AEF7FF           call 00406AC4
   :0048BCA3 8B45F4               mov eax, dword ptr [ebp-0C]
   :0048BCA6 E8497BF7FF           call 004037F4
   :0048BCAB 85C0                 test eax, eax
   :0048BCAD 7E7D                 jle 0048BD2C
   :0048BCAF 68FF3F0000           push 00003FFF
   :0048BCB4 6800000080           push 80000000
   :0048BCB9 6A00                 push 00000000
   :0048BCBB 8D45F4               lea eax, dword ptr [ebp-0C]
   :0048BCBE E82DBEF7FF           call 00407AF0
   :0048BCC3 8B55F4               mov edx, dword ptr [ebp-0C]
   :0048BCC6 8B86B0020000         mov eax, dword ptr [esi+000002B0]
   :0048BCCC 83C04C               add eax, 0000004C
   :0048BCCF E8FC79F7FF           call 004036D0
   :0048BCD4 8B9EB0020000         mov ebx, dword ptr [esi+000002B0]
   :0048BCDA C6433C02             mov [ebx+3C], 02
   :0048BCDE 8D432C               lea eax, dword ptr [ebx+2C]
   :0048BCE1 8B5508               mov edx, dword ptr [ebp+08]
   :0048BCE4 E8E779F7FF           call 004036D0
   :0048BCE9 8B86B0020000         mov eax, dword ptr [esi+000002B0]
   :0048BCEF 83C020               add eax, 00000020
   :0048BCF2 8B55FC               mov edx, dword ptr [ebp-04]
   :0048BCF5 E8D679F7FF           call 004036D0
   :0048BCFA 8B86B0020000         mov eax, dword ptr [esi+000002B0]
   :0048BD00 83C040               add eax, 00000040
   :0048BD03 8B55F8               mov edx, dword ptr [ebp-08]
   :0048BD06 E8C579F7FF           call 004036D0
   :0048BD0B 8B86B0020000         mov eax, dword ptr [esi+000002B0]
   :0048BD11 E8365BFFFF           call 0048184C
   :0048BD16 3C04                 cmp al, 04
   :0048BD18 0F94C3               sete bl
   :0048BD1B 84DB                 test bl, bl
   :0048BD1D 740D                 je 0048BD2C
   :0048BD1F 8B45F8               mov eax, dword ptr [ebp-08]
   :0048BD22 E8E174FFFF           call 00483208
   :0048BD27 8BD8                 mov ebx, eax
   :0048BD29 80F301               xor bl, 01

   * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
   |:0048BC77(C), :0048BC92(C), :0048BCAD(C), :0048BD1D(C)
   |
   :0048BD2C 33C0                 xor eax, eax
   :0048BD2E 5A                   pop edx
   :0048BD2F 59                   pop ecx
   :0048BD30 59                   pop ecx
   :0048BD31 648910               mov dword ptr fs:[eax], edx
   :0048BD34 6856BD4800           push 0048BD56

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:0048BD54(U)
   |
   :0048BD39 8D45F4               lea eax, dword ptr [ebp-0C]
   :0048BD3C BA03000000           mov edx, 00000003
   :0048BD41 E85A79F7FF           call 004036A0
   :0048BD46 8D4508               lea eax, dword ptr [ebp+08]   ; <- here we set a breakpoint
   :0048BD49 E83279F7FF           call 00403680
   :0048BD4E C3                   ret

7. At address 0048BD46 we set a breakpoint with [F2].
   Then we switch to "Download Butler" and enter our name and a dummy code, e.g.

   Name:    Dark Heaven
   Code:    1122334455
   Special: 123456789

8. After entering our data, W32DASM breaks at our breakpoint. Now we can look at the memory that the register EDX points to:

   EDX = 00C57110:
   EDX+00000000 = Dark Heaven
   EDX-00000018 = 1122334455
   EDX+00000018 = 1122334455
   EDX+00000030 = 2b5c8013                         ( Code ?, no )
   EDX+00000048 = 2a4b1823                         ( Code ?, yes )
   EDX+00000064 = 567656-2b5c8013-V12345678900-    ( internal ? )

9. Now we can register "Download Butler" with the serial we have found. As a result we get the message "Thank you for registering Download Butler, please exit and restart.", e.g.

   Name:    Dark Heaven
   Code:    2a4b1823
   Special: 123456789

10. Note: After successful registration, "Download Butler" writes our data into the registry. The data can be found under the following key:

   [HKEY_CURRENT_USER\Software\Lincoln Beach Software\Butler\Registration]

I hope you have fun with cracking!

Dark Heaven
31.01.1999
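Step 8 shows the real weakness from a defender's point of view: the valid serial is computed into memory right beside the user's entry, so one breakpoint on the comparison hands it over. The C below is an added example (not Download Butler's code, whose serial formula the tutorial never states) that places that weak pattern beside a check which never computes a valid serial at all; the FNV-1a digest, the 16-bit predicate and the name "Dark Heaven" are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* FNV-1a 32-bit: constructed stand-in for a real digest (use SHA-256 in practice). */
static uint32_t fnv1a(const char *s)
{
    uint32_t h = 0x811C9DC5u;
    for (; *s; s++) {
        h ^= (uint8_t)*s;
        h *= 0x01000193u;
    }
    return h;
}

/* Scratch area a debugger sees at the breakpoint (compare EDX+48 in step 8). */
struct reg_scratch {
    char entered[16];
    char expected[16];   /* the weak check leaves the valid serial here */
};

/* Weak pattern: derive the one valid serial for the name (constructed formula:
 * hex FNV-1a of the name), write it to memory, then strcmp it with the input. */
int weak_check(const char *name, const char *code, struct reg_scratch *sc)
{
    snprintf(sc->entered, sizeof sc->entered, "%s", code);
    snprintf(sc->expected, sizeof sc->expected, "%08x", fnv1a(name));
    return strcmp(sc->entered, sc->expected) == 0;
}

/* Hardened pattern: accept any serial whose digest over name|serial has 16 zero
 * low bits. No expected value is ever computed, so a breakpoint here reveals a
 * digest, not a working serial. (It does not stop patching the conditional jump.) */
int predicate_check(const char *name, const char *code)
{
    char buf[64];
    snprintf(buf, sizeof buf, "%s|%s", name, code);
    return (fnv1a(buf) & 0xFFFFu) == 0;
}

/* Vendor side (constructed): search counters until the predicate holds, ~65536 tries. */
uint32_t vendor_issue_serial(const char *name)
{
    char code[16];
    for (uint32_t i = 0; ; i++) {
        snprintf(code, sizeof code, "%08x", i);
        if (predicate_check(name, code))
            return i;
    }
}
```

The predicate's 16-bit work factor is kept deliberately small so the example runs instantly; a real product would raise it and use a proper digest.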