Name      : MP3-Wolf

Version   : 1.04

Editor    : Trellian

Target    : mwolf32.exe

s/n saved : mwolf.ini

Tools     : W32Dasm
            Softice
            Brain

Cracker   : LW2000

Tutorial  : No.26

http://www.trellian.com/mwolf


---
DISCLAIMER
For educational purposes only!
I hold no responsibility for the misuse of this material!
---


1.	We go to the regscreen and enter the details.
	Registration Name: LW2000
	Serial Number : 1230099

	*BOOM* We get an error message that our code is not correct.

	What the hell is this? Seems that we found a bug... ;)
	Let's fix it.


2.	Load W32Dasm with mwolf32.exe, click on the SDR (String Data
	References) button and go to our string ("Invalid Registration
	Name or Serial").
  
	Ok, you should be here now:

:00403541 E8DC9D0000 call 0040D322 <<-- Serial Check routine
:00403546 59 pop ecx
:00403547 85C0 test eax, eax
:00403549 59 pop ecx
:0040354A 7518 jne 00403564 <<-- Check
:0040354C 6A30 push 00000030

* Possible StringData Ref from Data Obj ->"Invalid Registration"
|
:0040354E 68245B4100 push 00415B24

* Possible StringData Ref from Data Obj ->
"Invalid Registration Name or Serial "



3.	To see where the error message is coming from, we scroll a bit up.
	In the call to 0040D322 our fake serial is compared to the correct one.
	If they differ, eax=0; otherwise eax=1.

	Mhmm, ok, let's leave W32Dasm and start Softice.
	
	Go to the regscreen, again.
	Registration Name: LW2000
	Serial Number : 1230099

	Press [ctrl]+[d] to switch to Softice and type 'bpx hmemcpy'.
	Press F5 to return to the app. Press OK.

	*BOOM* Sice pops up. Press F11 to get the Caller.
	Now press F12 until you are in the program code.

4.	'bc *' and then set a breakpoint on 0040D322.
	Press F5. *Boom* Now we are here:


:0040D322 55 push ebp
:0040D323 8BEC mov ebp, esp
:0040D325 83EC30 sub esp, 00000030
:0040D328 8B450C mov eax, dword ptr [ebp+0C]
:0040D32B 53 push ebx
:0040D32C 56 push esi
:0040D32D 57 push edi
:0040D32E 85C0 test eax, eax
:0040D330 0F840F010000 je 0040D445   
:0040D336 8B5D08 mov ebx, dword ptr [ebp+08]
:0040D339 85DB test ebx, ebx
:0040D33B 0F8404010000 je 0040D445
:0040D341 80384D cmp byte ptr [eax], 4D  <<--1. Char = 4D = 'M' ?
:0040D344 0F85FB000000 jne 0040D445
:0040D34A 80780157 cmp byte ptr [eax+01], 57  <<--2. Char = 57 = 'W' ?
:0040D34E 0F85F1000000 jne 0040D445
:0040D354 6A13 push 00000013
:0040D356 50 push eax
:0040D357 8D45E4 lea eax, dword ptr [ebp-1C]
:0040D35A 50 push eax
:0040D35B E849A1FFFF call 004074A9
:0040D360 83C40C add esp, 0000000C
:0040D363 8D45E4 lea eax, dword ptr [ebp-1C]
:0040D366 6A2D push 0000002D                <<--3. Char = 2D = '-'
:0040D368 50 push eax
:0040D369 E8120D0000 call 0040E080
:0040D36E 8BF0 mov esi, eax
:0040D370 59 pop ecx
:0040D371 85F6 test esi, esi
:0040D373 59 pop ecx
:0040D374 89750C mov dword ptr [ebp+0C], esi
:0040D377 0F84C8000000 je 0040D445             <<--3. Char = 2D = '-' ?
:0040D37D 802600 and byte ptr [esi], 00
:0040D380 8D45F8 lea eax, dword ptr [ebp-08]


5.	If any of these checks fails, the proggy jumps to 0040D445, and here:

:0040D445 33C0 xor eax, eax <<-- eax=0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D443(U)
|
:0040D447 5F pop edi
:0040D448 5E pop esi
:0040D449 5B pop ebx
:0040D44A C9 leave
:0040D44B C3 ret          <<-- ret with eax=0 !!!

6.	Ok, we don't want to fail... Let's enter as serial.
	Then we trace through the code again...
	A long time later, we see this:

:0040D41E 68F47A4100 push 00417AF4
:0040D423 8D45D0 lea eax, dword ptr [ebp-30]
:0040D426 6A14 push 00000014
:0040D428 50 push eax
:0040D429 E872040000 call 0040D8A0
:0040D42E 83C410 add esp, 00000010
:0040D431 46 inc esi
:0040D432 8D45D0 lea eax, dword ptr [ebp-30] <<-- d eax

	Ok, we see a number, but what can we do with it?
	Mhmm, we take the string "MW-" and complete it
	with the new number we found out!
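
	As an added illustration (not code from this tutorial, nor from
	Trellian), here is a Python model of the check only as far as the
	listing shows it. Reading 004074A9 as a bounded copy, 0040E080 as a
	character search for '-', and 0040D8A0 as a formatted write into the
	0x14-byte buffer at [ebp-30] are assumptions from the argument
	patterns; expected_number is a placeholder and is NOT how mwolf32.exe
	derives the number. The defender's lesson it shows is the one step 6
	relies on: once the two cheap prefix tests pass, the correct number is
	built into a stack buffer in plaintext before the compare, so a
	debugger can read it even on a failed attempt.

```python
"""Model of the serial-check control flow seen at 0040D322 (added example)."""
import hashlib
import hmac

# Constructed stand-in for the callee's stack frame, so the effect of the
# routine on [ebp-30] can be observed; not part of the original listing.
stack_frame = {}


def expected_number(name):
    """HYPOTHETICAL placeholder for the number formatted at 0040D41E..0040D429.

    The listing does not show how the real program derives this from the
    registration name; a keyed digest just yields a deterministic number.
    """
    digest = hmac.new(b"placeholder-key", name.encode("latin-1"),
                      hashlib.sha256).digest()
    return str(int.from_bytes(digest[:4], "big") % 10_000_000)


def check_serial(name, serial):
    """Return 1 or 0 the way the routine at 0040D322 returns eax."""
    stack_frame.clear()
    # test eax,eax / test ebx,ebx -> je 0040D445: NULL name or serial fails
    if not name or not serial:
        return 0
    # cmp byte ptr [eax],4D / cmp byte ptr [eax+01],57: must start with "MW"
    if len(serial) < 2 or serial[0] != "M" or serial[1] != "W":
        return 0
    # push 13 / call 004074A9: assumed bounded copy into the local [ebp-1C]
    local_copy = serial[:0x13]
    # push 2D / call 0040E080: assumed search for '-'; NULL -> je 0040D445
    dash = local_copy.find("-")
    if dash == -1:
        return 0
    # and byte ptr [esi],00 cuts the string at the '-'; the tail follows it
    tail = local_copy[dash + 1:]
    # 0040D41E..0040D429: the reference number lands in [ebp-30] in plaintext,
    # which is exactly what "d eax" displays in step 6
    stack_frame["ebp-30"] = expected_number(name)
    # the final compare is outside the excerpt; its outcome collapses into eax
    return 1 if tail == stack_frame["ebp-30"] else 0
```

	Calling check_serial("LW2000", "MW-0000000") returns 0, yet
	stack_frame["ebp-30"] afterwards holds the number the program would
	have accepted. A check that compares a digest of the entered serial,
	or verifies a signature over the name, never materialises that
	reference string, which is the property this routine lacks.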

7.	Let's try again to register!


Congratulation! You are a registered user.


FINISH! Easy, isn't it?

cu LW2000
Any comments? Mail me LW2000@gmx.net !!!
----
tKC, thx for your tutors!
I started with tutor 1 and I still read them... they are the best!