Target     : 32bit Convert It - Version x9.45.11
URL        : http://www.ElectraSoft.com/
Date       : 20/09/2002
Tools      : SoftICE (any version)
Written by : Khan
----------------------------------------------------------------------
For educational purposes only! I hold no responsibility for the misuse of this material!
----------------------------------------------------------------------

With this 32bit unit converter you can type in a value for a unit of measurement (Length, Area, Volume, Weight, Density and Speed) while the other units change dynamically to become equal in measurement.

After installing the program, let's fire it up. A registration window comes up, or click the "register" menu. We see our name and e-mail there. Enter any registration number you like. Mine is:

Register Name     : khan
Registration Code : 11112222

Now, let's set a breakpoint in SoftICE. I generally prefer the "hmemcpy" API call. Press "ctrl+d" and, when the SoftICE screen appears, type "bpx hmemcpy" in the command window and press enter. Now press "ctrl+d" again to get out of SoftICE.

Press the "Apply" button on our registration window and SoftICE breaks. Let's first disable our breakpoint so that SoftICE won't break again: type "bd *" and press enter. This command disables all breakpoints (we had only one :)

Now it's time to trace the code, but first we need to get to our program's own code. To do this, we keep pressing F12 while watching the code window. We stop when we see 32BC!.text (which means we are in 32bc.exe, our program) on the line between the code window and the command window. Keep pressing F12 until we land here:

:00429385 EB10          jmp 00429397
...
:00429397 5D            pop ebp
:00429398 C20C00        ret 000C

Now we will execute the program step by step, pressing F10. The first instruction is a jump to 00429397, then pop ebp and ret (return from this routine), and we land here:

:00409C4E A124C94600    mov eax, dword ptr [0046C924]
:00409C53 6A01          push 00000001
:00409C55 6814A24600    push 0046A214

If we type "d 0046A214" and press enter here, we can see what that memory location holds. It has our name (khan). We can check what locations contain with this command as we go step by step. We generally look for a "compare" before a "jump", or a "call" before a "jump".

:00409C5A 50            push eax
:00409C5B E8501B0000    call 0040B7B0

This call checks whether our name starts with a space and whether its length is less than 3 chars; if so, it shows an error and makes EAX=0. If our name is 3 or more chars long and doesn't start with a space, EAX=1. (We can see this if we step into the call with F8 and trace the code with F10 until we return.) Let's just step over the call and continue tracing.

:00409C60 8B2DE8244300  mov ebp, dword ptr [004324E8]
:00409C66 83C40C        add esp, 0000000C
:00409C69 33DB          xor ebx, ebx
:00409C6B 83F801        cmp eax, 00000001
:00409C6E 7465          je 00409CD5

Because our name is more than 3 chars, EAX=1 and we jump to 00409CD5. Otherwise there is no jump and we end up with a "name correction" dialog box.

:00409CD5 6A51          push 00000051
...
:00409CF3 68C0A14600    push 0046A1C0
:00409CF8 51            push ecx
:00409CF9 E8421B0000    call 0040B840

This call checks whether we entered a valid e-mail address. If not, it shows an error and makes EAX=0. (d 0046A1C0 = our e-mail)

:00409CFE 83C40C        add esp, 0000000C
:00409D01 83F801        cmp eax, 00000001
:00409D04 7465          je 00409D6B

Because we entered a valid e-mail, EAX=1 and we jump to 00409D6B. Otherwise there is no jump and we end up with an "e-mail correction" dialog box.

:00409D6B 53            push ebx
...
If we keep tracing with F10, we will see two "stosd" and one "scasb" instruction, then a "cmpsb" instruction. Oh, that's good :) The "cmpsb" instruction compares the byte at [ESI] with the byte at [EDI] and sets the processor flags accordingly, so it probably compares our fake serial to the correct serial. The correct serial has already been generated by this point, but let's go straight there and check:

:00409DE2 BF28B04600    mov edi, 0046B028     d edi=303437333435 (must be the registration code :)
:00409DE7 BE68A24600    mov esi, 0046A268     d esi=11112222 (our fake serial)
:00409DEC 33D2          xor edx, edx
:00409DEE F3            repz
:00409DEF A6            cmpsb
:00409DF0 5D            pop ebp
:00409DF1 0F85B2000000  jne 00409EA9

Let's get out of SoftICE and try the code shown above. YESSSS, it works :)

As I said above, cmpsb compares two strings (at EDI and ESI). If the two strings at EDI (correct serial) and ESI (fake serial) are not equal, we jump to the BAD BOY section. If they are equal, there is no jump at 00409DF1 and we get the "thank you" message if we keep tracing the code a lil bit more.

That's all for now. See you next time.

Khan
Contact me: khanxir@hotmail.com
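The compare at 00409DEF seen from the vendor's side, as an added C example that is not part of Khan's tutorial or of ElectraSoft's program: the weak pattern in which the valid serial is derived into a buffer and compared byte-by-byte with the input (so it is readable in memory at the compare), next to a variant that compares only digests so the valid key is never materialized. The derivation rule, the function names and the use of FNV-1a as a stand-in for a real cryptographic hash are all assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* WEAK (the pattern the tutorial finds at 00409DE2): the expected serial is
 * derived from the name into a buffer, then compared byte-by-byte with the
 * input, so the valid serial sits in RAM at the moment of the compare.
 * The derivation rule is invented for illustration. */
static void derive_serial_plaintext(const char *name, char out[9]) {
    uint32_t acc = 2166136261u;                       /* FNV-1a over name */
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        acc = (acc ^ *p) * 16777619u;
    snprintf(out, 9, "%08u", (unsigned)(acc % 100000000u));
}
int check_serial_weak(const char *name, const char *entered) {
    char expected[9];
    derive_serial_plaintext(name, expected);          /* key now in memory */
    return strcmp(expected, entered) == 0;            /* the repz cmpsb */
}

/* MITIGATION: the program never derives the serial. It ships only a digest
 * of (name, serial) issued by the vendor and compares digest(name, input)
 * against it, so the compare exposes two digests, not a usable key.
 * FNV-1a stands in for a real hash (use SHA-256 in practice); a short numeric
 * serial would still be brute-forceable offline against the digest, which is
 * why real schemes sign the license rather than hash a serial. */
static uint64_t digest(const char *name, const char *serial) {
    uint64_t h = 14695981039346656037ull;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        h = (h ^ *p) * 1099511628211ull;
    h = (h ^ 0xffu) * 1099511628211ull;               /* separate fields */
    for (const unsigned char *p = (const unsigned char *)serial; *p; p++)
        h = (h ^ *p) * 1099511628211ull;
    return h;
}
int check_serial_hashed(const char *name, const char *entered, uint64_t stored) {
    /* whole-word XOR compare: no early exit on the first differing byte */
    return (digest(name, entered) ^ stored) == 0;
}

int main(void) {
    char key[9];
    derive_serial_plaintext("khan", key);
    uint64_t stored = digest("khan", key);            /* issued by vendor */
    printf("weak: %d  hashed: %d  fake: %d\n",
           check_serial_weak("khan", key),
           check_serial_hashed("khan", key, stored),
           check_serial_hashed("khan", "11112222", stored));
    return 0;
}
```

Patching the jne at 00409DF1 still defeats both variants; the hashed form only removes the plaintext key from memory, it does not make the branch tamper-proof.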