Promax - Tutorial: Registration of Hexenküche

Program:     Hexenküche v3.0
Description: Collection of cool recipes.
Author:      (c)1998/99 Software-Factory
Size:        958.976 Bytes (Hexe3.exe)
Used Tool:   - W32DSM89

1. First, we must find out which kind of protection this program uses. To do this, we start "Hexenküche" and look for a place to register it. Well, "Hexenküche" uses a serial number as protection! To get a clue about our serial, enter any data in the registration menu, e.g.

   Name:   Promax
   Serial: 1122334455

   Be sure to note the error message that appears!

2. Leave the program and load W32DASM89.

3. Now disassemble Hexe3.EXE (to be on the safe side, save the code) and run the program via the debugger [Debug/Load Process].

4. Look for the error message "Falsches Passwort!" via [Refs/String Data References]. Double-clicking shows the corresponding lines in the listing. We find the reference(s) at the address(es): 004A773D.

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:004A76BB(C)
   |
   :004A7732 6A00                    push 00000000
   :004A7734 668B0D90774A00          mov cx, word ptr [004A7790]
   :004A773B B202                    mov dl, 02

   * Possible StringData Ref from Code Obj ->"Falsches Passwort!"
                                     |
   :004A773D B8EC774A00              mov eax, 004A77EC
   :004A7742 E881BCFAFF              call 004533C8

   Ok! Now we must find the jump to the error message. To do so, choose the menu [Goto], then the menu option [Goto Code Location], and enter the address 004A76BB.

   :004A76B9 3BF7                    cmp esi, edi      ; -> Compare if wrong or true serial
   :004A76BB 7575                    jne 004A7732      ; -> here we set a breakpoint

   The entered serial is compared with the right one here. If esi and edi are not the same, execution jumps to the error message at 004A7732.

5. At address 004A76BB we must set a breakpoint via [F2]. Then we switch to "Hexenküche" and enter our name and a dummy code, e.g.

   Name:   Promax
   Serial: 1122334455

6. After we enter our data, WDASM will break at our breakpoint. Now we can take a look at the contents of the registers edi and esi.

   esi : 42E576F7 (h) -> 1122334455 (d) -> Wrong PWD
   edi : 08BC6422 (h) -> 146564130 (d)  -> Right PWD

7. Here is a part of the comparison routine.

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:004A7667(U)
   |
   :004A7689 8B45F8                  mov eax, dword ptr [ebp-08]
   :004A768C E8EF15F6FF              call 00408C80
   :004A7691 8D0480                  lea eax, dword ptr [eax+4*eax]
   :004A7694 8945DC                  mov dword ptr [ebp-24], eax
   :004A7697 DB45DC                  fild dword ptr [ebp-24]
   :004A769A E86DB4F5FF              call 00402B0C
   :004A769F 8BF8                    mov edi, eax
   :004A76A1 8D55F4                  lea edx, dword ptr [ebp-0C]
   :004A76A4 8B83DC020000            mov eax, dword ptr [ebx+000002DC]
   :004A76AA E88596F8FF              call 00430D34
   :004A76AF 8B45F4                  mov eax, dword ptr [ebp-0C]
   :004A76B2 E8C915F6FF              call 00408C80
   :004A76B7 8BF0                    mov esi, eax
   :004A76B9 3BF7                    cmp esi, edi
   :004A76BB 7575                    jne 004A7732      ; <- Jump to ERROR message
   :004A76BD 8D55F4                  lea edx, dword ptr [ebp-0C]
   :
   : bla bla bla
   :
   :004A771D 668B0D90774A00          mov cx, word ptr [004A7790]
   :004A7724 B202                    mov dl, 02

   * Possible StringData Ref from Code Obj ->"Die Vollversion ist freigeschaltet, "
                                           ->"bitte starten Sie das Programm "
                                           ->"neu."
                                     |
   :004A7726 B89C774A00              mov eax, 004A779C
   :004A772B E898BCFAFF              call 004533C8
   :004A7730 EB15                    jmp 004A7747

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:004A76BB(C)
   |
   :004A7732 6A00                    push 00000000
   :004A7734 668B0D90774A00          mov cx, word ptr [004A7790]
   :004A773B B202                    mov dl, 02

   * Possible StringData Ref from Code Obj ->"Falsches Passwort!"
                                     |
   :004A773D B8EC774A00              mov eax, 004A77EC ; <- the ERROR message
   :004A7742 E881BCFAFF              call 004533C8

8. Now we can register "Hexenküche" with the serial we have found, e.g.

   Name:   Promax
   Serial: 146564130

9. Note: After the successful registration, "Hexenküche" writes our data, encrypted, to the file "Hexe.hid" in the "Hexenküche" directory!

I hope you have fun with cracking!

Promax [DOOM] 23.01.1999
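
The comparison at 004A76B9 is weak by design: the program computes the correct serial itself, so the value sits in edi at the moment of the check. The sketch below is an added example, not code from Hexenküche or from this tutorial; it contrasts that pattern with a license check that only verifies a vendor signature, so the shipped client never holds a valid value. The toy key, the CRC32 derivation and all function names are assumptions constructed for illustration; a real product would use a vetted signature library and a full-size key.

```python
import hashlib
import zlib

# --- Constructed toy key (NOT secure: the modulus is only about 150 bits) ---
P, Q = 2**61 - 1, 2**89 - 1          # two Mersenne primes, illustration only
N, E = P * Q, 65537                  # public key: the only key material shipped
# Private exponent. It appears here only so the example runs stand-alone;
# in a real deployment it stays on the vendor's server and never ships.
_D = pow(E, -1, (P - 1) * (Q - 1))


def _digest(name: str) -> int:
    """Hash the licensee name to an integer below N."""
    raw = hashlib.sha256(name.encode("utf-8")).digest()
    return int.from_bytes(raw, "big") % N


def weak_expected_serial(name: str) -> int:
    """Weak pattern: the client derives the valid serial itself.
    The CRC32 derivation is a hypothetical stand-in, not the program's routine."""
    return zlib.crc32(name.encode("utf-8")) % 10**9


def weak_check(name: str, serial: int) -> bool:
    # The correct value exists in client memory right before the compare,
    # which is what the cmp esi, edi in the listing exposes.
    return serial == weak_expected_serial(name)


def vendor_issue(name: str) -> int:
    """Vendor side only: signs the name digest with the private exponent."""
    return pow(_digest(name), _D, N)


def signed_check(name: str, license_value: int) -> bool:
    """Client side: uses only (N, E). No valid license value is computed here,
    so there is no correct serial to read from a register."""
    if not 0 < license_value < N:
        return False
    return pow(license_value, E, N) == _digest(name)
```

Signature verification removes the secret from the client but does not make the client tamper-proof: the result still feeds an ordinary branch, so the integrity of the binary has to be addressed separately.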