Name     : DLL Show
Version  : 4.x
Editor   : Software By Design
Target   : dllshow.exe
Tools    : SoftICE, Brain
Cracker  : LW2000
Tutorial : No.55
URL      : http://www.execpc.com/~sbd

---
DISCLAIMER
For educational purposes only! I take no responsibility for any misuse of this material!
---

1. Ok, click on Help and go to the registration dialog. Enter the details:

   User Name:    LW2000 [CiA]
   Organization: (not needed)
   Registration: 1230099

   Switch to SoftICE and set a breakpoint on GetDlgItemTextA:

   bpx getdlgitemtexta

2. Now press F5 to return to the app. Ok, let's try... press OK. *BOOM* SoftICE pops up.
   Remember, there are 3 edit fields and our serial is in the last one. This means for us: F5 twice...
   Ok, SoftICE breaks at the last edit field. Now press F11 to get to the caller.
   Now trace with F10 and take a look at the registers.

   0177:0040D5B2  E8B9810000     call 00415770
   0177:0040D5B7  8D4C2440       lea ecx, dword ptr [esp+40]
   0177:0040D5BB  51             push ecx
   0177:0040D5BC  E8559C0000     call 00417216
   0177:0040D5C1  56             push esi
   0177:0040D5C2  8BD8           mov ebx, eax
   0177:0040D5C4  E837810000     call 00415700
   0177:0040D5C9  83C438         add esp, 00000038
   0177:0040D5CC  3D92A71901     cmp eax, 0119A792
   0177:0040D5D1  7518           jne 0040D5EB

   * Reference To: KERNEL32.lstrcpyA, Ord:0302h
   |
   0177:0040D5D3  8B1D28F14100   mov ebx, dword ptr [0041F128]

   * Possible StringData Ref from Data Obj ->"Gregory Braun"
   |
   0177:0040D5D9  68D42E4200     push 00422ED4
   0177:0040D5DE  56             push esi
   0177:0040D5DF  FFD3           call ebx

   * Possible StringData Ref from Data Obj ->"Software Design"
   |
   0177:0040D5E1  68C42E4200     push 00422EC4
   0177:0040D5E6  57             push edi
   0177:0040D5E7  FFD3           call ebx
   0177:0040D5E9  EB07           jmp 0040D5F2

   * Referenced by a (U)nconditional or (C)onditional Jump at Address: 0177:0040D5D1(C)
   |
   0177:0040D5EB  3D3CCE5F0D     cmp eax, 0D5FCE3C
   0177:0040D5F0  750C           jne 0040D5FE

   * Referenced by a (U)nconditional or (C)onditional Jump at Address: 0177:0040D5E9(U)
   |
   0177:0040D5F2  57             push edi
   0177:0040D5F3  56             push esi
   0177:0040D5F4  E8A77B0000     call 004151A0
   0177:0040D5F9  83C408         add esp, 00000008
   0177:0040D5FC  8BD8           mov ebx, eax

   * Referenced by a (U)nconditional or (C)onditional Jump at Address: 0177:0040D5F0(C)
   |
   0177:0040D5FE  57             push edi
   0177:0040D5FF  56             push esi
   0177:0040D600  E89B7B0000     call 004151A0        <-- check routine
   0177:0040D605  83C408         add esp, 00000008
   0177:0040D608  3BD8           cmp ebx, eax         <-- cmp fake and correct serial
   0177:0040D60A  5F             pop edi
   0177:0040D60B  741D           je 0040D62A          <-- Bad Boy

3. Inside the call at 0040D600 the correct serial number is generated and saved in eax.
   Our fake serial number (1230099) is stored in ebx. Trace to 0040D60A:
   '?ebx' shows our fake serial, and '?eax' shows us the correct one.
   Note it down and then try it! Congratulations! You are a registered user.

FINISH! Easy, isn't it?

cu LW2000

Any comments? Mail me at LW2000@gmx.net or go to http://www.LW2000.cjb.net

----
tKC, thanks for your tutorials! I started with tutorial 1 and I still read them... they are the best!
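What the trace above actually exposes is a design choice, not a bug in one routine: the program regenerates the expected serial in-process (the call at 0040D600) and then compares it with the user's input (cmp ebx, eax), so the correct value sits in a register at the moment of the compare. The added example below (my code, not the tutorial's and not DLL Show's) models that regenerate-and-compare pattern next to a verify-only design in which the shipped program holds only a public key and checks a signature over the licensee name: no "correct serial" is ever computed, so there is nothing to read out at the compare and the remaining attack surface is the branch itself. It goes beyond the page's single case to the general pattern. The serial formula in the weak version, the RSA primes, the hash-to-integer step and the user name are all constructed for illustration; the toy RSA modulus is far too small for real use and stands in for a proper signature scheme.

```python
# Added example, not code from the DLL Show tutorial or from the product.
# Models the check the trace exposes and a verify-only alternative.
# All names, keys and serials below are constructed for illustration.
import hashlib


# --- Pattern A: regenerate-and-compare (what the tutorial traces) -----------
def toy_generate(name: str) -> int:
    """Stand-in for the routine at 004151A0: derives the expected serial from
    the user name. The concrete formula is a constructed toy (not DLL Show's
    algorithm); the weakness is the structure, not the formula."""
    digest = hashlib.sha256(name.encode("utf-8")).digest()
    return int.from_bytes(digest[:3], "big")  # 24-bit serial, about seven digits


def weak_check(name: str, serial: int) -> bool:
    """The expected value is materialised (eax) right before the compare
    (cmp ebx, eax), so a debugger stopped on the compare can read it."""
    expected = toy_generate(name)
    return expected == serial


# --- Pattern B: verify-only with a public key -------------------------------
# Toy RSA with small constructed primes so the example runs offline; a real
# product would use a proper signature scheme (e.g. Ed25519) via a library.
_P, _Q = 1000003, 999983          # both prime; constructed for the example
PUBLIC_N = _P * _Q                # the shipped binary would hold only N and E
PUBLIC_E = 65537
_PHI = (_P - 1) * (_Q - 1)


def _modinv(a: int, m: int) -> int:
    """Extended Euclid; returns a^-1 mod m."""
    r0, r1, s0, s1 = m, a % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    if r0 != 1:
        raise ValueError("not invertible")
    return s0 % m


_PRIVATE_D = _modinv(PUBLIC_E, _PHI)  # stays with the vendor, never ships


def _name_digest(name: str) -> int:
    """Hash of the licensee name reduced below the modulus."""
    digest = hashlib.sha256(name.encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % PUBLIC_N


def vendor_issue_serial(name: str) -> int:
    """Vendor side (private key): the serial is a signature over the name."""
    return pow(_name_digest(name), _PRIVATE_D, PUBLIC_N)


def verify_check(name: str, serial: int) -> bool:
    """Program side (public key only): checks a property of the input.
    No correct serial is computed here, so a breakpoint on the compare
    yields only a digest and a True/False, not a value to type in."""
    if not 0 < serial < PUBLIC_N:
        return False
    return pow(serial, PUBLIC_E, PUBLIC_N) == _name_digest(name)


if __name__ == "__main__":
    user = "LW2000 [CiA]"
    print("weak, right serial :", weak_check(user, toy_generate(user)))
    print("weak, 1230099      :", weak_check(user, 1230099))
    issued = vendor_issue_serial(user)
    print("signed, issued     :", verify_check(user, issued))
    print("signed, tampered   :", verify_check(user, (issued * 2) % PUBLIC_N))
```

The point of the comparison is where the secret lives: in pattern A the generator and the answer are both inside the program, so any local debugger sees them; in pattern B the only secret is the vendor's private exponent, which never leaves the vendor. Local checks can still be patched at the branch, which is why products that care also validate online, but the "note eax and type it in" shortcut this tutorial relies on disappears.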