NUKEM

Domain Expert V.1.2

Da-Breaker-Crew

Download Program: http://www.Inamestore.com/

Download Tutorial: http://kickme.to/dbc

Tools:

SoftICE

Beginner [x]___Improved [ ]___Medium [ ]___Hard [ ]


Start Cracking

It's me again :)

I hope you bl00dyBastard have installed Domain Expert all right and are ready to crack ;)
Start Domain Expert and go to the registration dialog.

E-Mail:  nukem@nukem.com
Serial:  121212

BPX HMEMCPY
When you hit the OK button you will be back in SoftICE.
1 x F5, 1 x F11
Step into the program's code by pressing F12 a few times.
Now look for your dummy serial: s 0 l ffffffff "121212"
Found at 0197:00C384F4

Set a breakpoint on it: bpm 0197:00C384F4, then clear the hmemcpy breakpoint: bc0
Check that everything is right with bl:  0) BPMB #0197:00C384F4
OK, then run the program again with F5, and the next line you read is:
break due to BPMB #0197:00C384F4 RW DR3 (ET = 3.23 milliseconds)
OK.

:0047C9F5 46 inc esi
:0047C9F6 80FB20 cmp bl, 20
:0047C9F9 74F8 je 0047C9F3
:0047C9FB B500 mov ch, 00
:0047C9FD 80FB2D cmp bl, 2D
:0047CA00 7469 je 0047CA6B
:0047CA02 80FB2B cmp bl, 2B
:0047CA05 7466 je 0047CA6D
:0047CA07 80FB24 cmp bl, 24
:0047CA0A 7466 je 0047CA72
:0047CA0C 80FB78 cmp bl, 78
:0047CA0F 7461 je 0047CA72
:0047CA11 80FB58 cmp bl, 58
:0047CA14 745C je 0047CA72
:0047CA16 80FB30 cmp bl, 30
:0047CA19 7513 jne 0047CA2E
:0047CA1B 8A1E mov bl, byte ptr [esi]
:0047CA1D 46 inc esi
:0047CA1E 80FB78 cmp bl, 78
:0047CA21 744F je 0047CA72
:0047CA23 80FB58 cmp bl, 58
:0047CA26 744A je 0047CA72
:0047CA28 84DB test bl, bl
:0047CA2A 7420 je 0047CA4C
:0047CA2C EB04 jmp 0047CA32

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0047CA19(C), :0047CA70(U)
|
:0047CA2E 84DB test bl, bl
:0047CA30 7434 je 0047CA66

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0047CA2C(U), :0047CA4A(C)
|
:0047CA32 80EB30 sub bl, 30
:0047CA35 80FB09 cmp bl, 09
:0047CA38 772C ja 0047CA66
:0047CA3A 39F8 cmp eax, edi
:0047CA3C 7728 ja 0047CA66
:0047CA3E 8D0480 lea eax, dword ptr [eax+4*eax]
:0047CA41 01C0 add eax, eax
:0047CA43 01D8 add eax, ebx
:0047CA45 8A1E mov bl, byte ptr [esi]
:0047CA47 46 inc esi
:0047CA48 84DB test bl, bl
:0047CA4A 75E6 jne 0047CA32
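
What the listing above does, written out in C as an added example (not part of the original tutorial): the decimal path of the routine turns the typed serial text into a 32-bit number, which is why the later check can compare two registers. The guard value standing in for EDI, the zero start value of EAX, and the roles of the exits at 0047CA66 and 0047CA4C are assumptions, since they lie outside the listing.

```c
#include <stdint.h>
#include <stdio.h>

enum { PARSE_OK = 0, PARSE_REJECT = 1, PARSE_NOT_SHOWN = 2 };

/* Assumption: EDI is an overflow guard loaded before the listing starts.
   0x0CCCCCCC is a stand-in value, not one taken from the page. */
#define GUARD 0x0CCCCCCCu

/* Decimal path of 0047C9F5..0047CA4A; eax mirrors the EAX register.
   Assumed: EAX starts at 0, 0047CA66 is the reject exit, 0047CA4C the normal one. */
static int parse_serial(const char *esi, uint32_t *out)
{
    uint32_t eax = 0;
    uint8_t bl;
    do { bl = (uint8_t)*esi++; } while (bl == 0x20);  /* cmp bl,20 / je: skip spaces */
    /* '-', '+', '$', 'x', 'X' jump to 0047CA6B/6D/72, outside the listing */
    if (bl == 0x2D || bl == 0x2B || bl == 0x24 || bl == 0x78 || bl == 0x58)
        return PARSE_NOT_SHOWN;

    if (bl == 0x30) {                                 /* leading '0' */
        bl = (uint8_t)*esi++;
        if (bl == 0x78 || bl == 0x58) return PARSE_NOT_SHOWN;  /* "0x" prefix */
        if (bl == 0) { *out = 0; return PARSE_OK; }   /* je 0047CA4C */
    } else if (bl == 0) {
        return PARSE_REJECT;                          /* je 0047CA66: empty input */
    }

    do {                                              /* loop 0047CA32..0047CA4A */
        bl = (uint8_t)(bl - 0x30);                    /* sub bl,30 */
        if (bl > 9) return PARSE_REJECT;              /* cmp bl,09 / ja */
        if (eax > GUARD) return PARSE_REJECT;         /* cmp eax,edi / ja */
        eax = eax + 4 * eax;                          /* lea eax,[eax+4*eax] */
        eax += eax;                                   /* add eax,eax: old eax * 10 */
        eax += bl;                                    /* add eax,ebx */
        bl = (uint8_t)*esi++;                         /* mov bl,[esi] / inc esi */
    } while (bl != 0);                                /* test bl,bl / jne 0047CA32 */
    *out = eax;
    return PARSE_OK;
}

/* Wrapper for callers: the parsed value, or -status when parsing fails. */
static int64_t serial_value(const char *s)
{
    uint32_t v = 0; int st = parse_serial(s, &v);
    return st == PARSE_OK ? (int64_t)v : -(int64_t)st;
}

int main(void) { printf("%lld\n", (long long)serial_value("121212")); return 0; }
```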

The brown-colored part is a small loop, so trace over it, and some lines later you'll land here:

:004299F7 3318 xor ebx, dword ptr [eax]
:004299F9 8D450C lea eax, dword ptr [ebp+0C]
:004299FC 33D2 xor edx, edx
:004299FE E801390700 call 0049D304
:00429A03 3BD8 cmp ebx, eax // compare of your dummy serial and the valid one
:00429A05 7548 jne 00429A4F
:00429A07 B001 mov al, 01
:00429A09 8BCE mov ecx, esi
:00429A0B 50 push eax

Look into ebx and eax, and what do you think you'll see?

? ebx = 000128443571 // maybe the valid one ;)
? eax = 000000121212 // our dummy serial

Try it and you'll see that it is the valid one for the e-mail address nukem@nukem.com.

cya NUKEM

Closing remark

Greets to:

ploppy, Manycracker, DYCUS, FuzzyCat, draXXter, Mr.White[WKT], fREaKaZoiD, rAidri, gloryx, Kylock, Kelly, cELTICa, figugegl, notice!, Milhouse, WAHNS, Hamst,
Cassandra, +fravia, PlAyEr, Satanic_Brain, ManKind, Savatage, |NEO|, uzZi, SiNa, |-SHI-|, Shockwave, s@nDOk@n, ScareByte, VandalJax, pHAT_tEQ, dazm, viruz666,
KeNkAnIfF.