SB (6): The "R FL Z" Instruction

By +Jonathan

2002-8-24


  Name: Gold limit Soft® HickWall 1.0 <<trial version>>

  Price:  $ 35

  Download: http://www.goldlimit.com/product/hickwall10eng.exe    (2.84 MB)

  License: Enter the serial number; otherwise a 15-day trial (with function limits)

  Usage: It is a system, API, and software debugger. (I hate it when people sell a debugger; don't they know that the people who buy one are, most of the time, reverse engineers? How can they use such a foolish protection? Actually there is no protection at all ^_^)

  Once again a silly software company decides to use a serial-number-based protection. Super stupid. Let us reverse it:

  Ctrl + D calls SoftICE:

  Do a BPX GetWindowTextA

  Now press F5 and fill in the SN: 12345678 (you cannot enter the name; it uses the computer's name by default)

  Press [OK] and SoftICE pops up

  Press F12. On the 6th press the program displays "Wrong Serial Number", so next time stop at the 5th press. When you stop at the 5th time, you discover that there is no "test" or "cmp" there, which tells you that you have to stop at the 4th time.

  After you stop at the 4th time, you see a few test instructions. But how can you know which "test" is important? It is easy using R FL Z (which toggles the zero flag, so you can see whether that branch affects the result or not):

:00411BAD E88AF9FEFF    call 0040153C
:00411BB2 25FF000000    and eax, 000000FF
:00411BB7 85C0          test eax, eax
:00411BB9 7542          jne 00411BFD         Do a: R FL Z

  Now do R FL Z on this conditional jump: you will still see the wrong SN message, telling you that it is NOT important. Here is the next test instruction:

:00411C2E E8FD510000    call 00416E30
:00411C33 83C40C        add esp, 0000000C
:00411C36 85C0          test eax, eax
:00411C38 7442          je 00411C7C          Do a: R FL Z

Now if you do R FL Z at EIP=00411C38, you will see "Thank you for register it. All function are now activate",

telling you that this one is super important. Therefore, the CALL at EIP = 00411C2E is super important. Step into it and you will soon be here:

:10240EC8 8B542404      mov edx, dword ptr [esp+04]
:10240ECC 56            push esi
:10240ECD 57            push edi
:10240ECE 8BF2          mov esi, edx         * Do a: DD EDX, you will see the following: WWWYWXUVRYWVV *
:10240ED0 8B7C2410      mov edi, dword ptr [esp+10]   * Do a: DD EDI, you will see 12345678 *
:10240ED4 0BD7          or edx, edi
:10240ED6 83E203        and edx, 00000003
:10240ED9 7432          je 10240F0D

Mmmmm........ It is really simple:

  S/N:  WWWYWXUVRYWVV