How to crack Button Wiz by ?ferret



Proggy: Button Wiz v7.6

d/l:
http://www.joelryan.com

Tools discussed: ExDec, SoftICE

get exdecbeta.zip (or somethin like that) *g* and msdbg.zip at http://members.xoom.com/c4n4ever/.space/


OK, here we go....

1st run the proggy to see what the protection looks like

hmmmm....just a serial, no name or anything (either hardcoded or checks certain character positions)

Now, disassemble the proggy with ExDec
(THX JosephCo, I really love this li'l tool...keeps gettin better)
Search for "sorry"
You should find this at line 415497: 3a LitVarStr" .....
At 415487 you see the string for the Title Bar of the nag messagebox
Let's scroll up a bit and see what we can find...
Look here now ;-), at 415420 you'll see "Correct License Number"

Just above this is a BranchF: 415482...jumping to just before we saw the badguy message
The line before this jump is 415415: LeadO/33 EqVarBool (i.e. a compare)

Load (if you haven't already) the MSVBVM60.nms into sice and set a bpx on doexdisp.
Run the proggy. When sice breaks, set a bpm on DS:415415.
Try to register the program. When sice breaks this time,
F10 until you see lblEX_EqVarBool in the code window.
Examine the registers...the ONLY one that contains anything suspicious is ECX. This register holds a 4 digit number in widechar.
5.7.2.5.....$.....
Hmmm...maybe part of a larger hyphenated serial?....let's hit CTRL-D
and see if it breaks on this routine again ;-)
....nope, we just got our nag again. Well...that can't be right 4 digits?...C'mon!!!...Oh well let's give it a shot.
Try to register the proggy using 5725 as a serial.


Well....the proggy is now regged....with a 4 digit serial?!?!?!?


NOTE: If you search your disassembly for the number 5725,
you'll find it VERY near the top of the disassembly.
With hardcoded serials programmers often use global constants
or define the variable in the registration routine...
They could at least throw the variable initialization in
a completely unrelated part of the code to at least make us
look for it. In many cases we could save the precious 5 minutes
it took us to crack it by scrolling the disassembly a bit ;-)
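
The NOTE's point seen from the vendor's side, as an added example (not code from Button Wiz or from the original write-up): a single constant compared inside the client, next to per-customer keys that only a server can issue and verify. The constant, the secret and every function name here are constructed for illustration.

```python
import hashlib
import hmac

# --- Weak pattern described in the NOTE --------------------------------------
# One constant shared by every copy of the program and compared in the client.
# Anyone who reads the binary (or the compare at runtime) learns the key for
# all installations at once.
HARDCODED_SERIAL = "0000"  # constructed placeholder, not the product's value


def weak_check(entered: str) -> bool:
    return entered == HARDCODED_SERIAL


# --- Hardened pattern (assumption: an activation server exists) --------------
# The secret never ships with the client. The server derives a key per
# customer, so one leaked key does not unlock every copy.
VENDOR_SECRET = b"constructed-demo-secret-kept-on-server"


def _normalize(customer: str) -> bytes:
    return customer.strip().lower().encode("utf-8")


def issue_license(customer: str, secret: bytes = VENDOR_SECRET) -> str:
    """Server side: derive a 20-hex-digit key bound to the customer name."""
    tag = hmac.new(secret, _normalize(customer), hashlib.sha256).hexdigest()
    tag = tag[:20].upper()
    return "-".join(tag[i:i + 5] for i in range(0, 20, 5))


def server_verify(customer: str, entered: str,
                  secret: bytes = VENDOR_SECRET) -> bool:
    """Server side: recompute the key and compare in constant time."""
    expected = issue_license(customer, secret).encode("ascii")
    supplied = entered.strip().upper().encode("utf-8")
    return hmac.compare_digest(expected, supplied)


if __name__ == "__main__":
    key = issue_license("alice@example.com")
    print("issued:", key)
    print("right customer:", server_verify("alice@example.com", key))
    print("other customer:", server_verify("bob@example.com", key))
```

A check that runs on the user's machine can still be patched around; this design only removes the universal secret from the shipped binary and ties each key to one customer.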








GREETZ & THANX to all of the people who've helped me @ the Newbies Forum. (I'm too damn lazy to type all the names ;-))...but for this page I feel I must thank JosephCo in particular...THX JOE!

hehe...u busted me usin a free provider! Oh well...free info doesn't pay for web space, so I just make em work to find the banners ;-)