Target:     Business Card Designer Plus 5.50
T00lz:      SICE, W32Dasm
Level:      1
Protection: Serial + some other stuff like a nag etc.

Background: I discovered this program on a CD I borrowed from my friend and (heh) to my surprise there were some shareware programs on it, among which I spotted this one. Looked like a nice challenge .. ;)

Alrighty.. let's kick some biznezz azz..

I first tried to disable the nag just for practice, but I discovered this annoying way of creating the nag; if anyone can help me out with nags like this, plz contact me :) Ok.. it uses DialogBoxParamA:

:004226CB FF7208          push [edx+08]

* Reference To: USER32.DialogBoxParamA, Ord:0000h
|
:004226CE E84D6A0700      Call 00499120                 <-- this call goes to the "real" import

Trace into it and you get down to here:

* Reference To: USER32.DialogBoxParamA, Ord:0000h
|
:00499120 FF2528BD4B00    Jmp dword ptr [004BBD28]

To what I understand it "loads" the nag in user32.dll itself, so there's no way of patching it without crashing the whole program.. I know there's a way around it but I haven't read any tute regarding it or anything whatsoever.. so if you know, you could help me, plz contact me, it would be appreciated :) After all.. I'm only a newbie. But that was only the nag; we're gonna register this program so we don't really have to worry about it, I would only have taken it as practice and as an example..

So to the serial part.. you're offered the chance of inserting your valid reg. code in the same nag we just tried to "vanish", so go ahead, fill the boxes with your dummy info, here's mine:

Name:    C_DKnight
Company: Caliber
Reg:     22446688

BPX on GetDlgItemTextA and you'll break, but only once!!! Why? There are three boxes.. according to my "experience" there should be three breaks.. mm..
Let's find out why:

* Reference To: USER32.GetDlgItemTextA, Ord:0000h
|
:00492579 E8326C0000      Call 004991B0
:0049257E 8B4B19          mov ecx, dword ptr [ebx+19]
:00492581 51              push ecx
:00492582 E801EDFFFF      call 00491288                 <-- call to the serial calc
:00492587 59              pop ecx
:00492588 85C0            test eax, eax                 <-- test the result
:0049258A 0F8EEA000000    jle 0049267A                  <-- jump if 0 or less (bad serial)
:00492590 8B7319          mov esi, dword ptr [ebx+19]
:00492593 83C60C          add esi, 0000000C
:00492596 6A40            push 00000040
:00492598 56              push esi

* Possible Reference to Dialog: DialogID_465A, CONTROL_ID:465C, "UNREGISTERED EVALUATION COPY!"

Let's trace into 00491288.. if you trace a little you'll end up here:

* Reference To: KERNEL32.lstrcpyA, Ord:0000h
|
:004912EF E88A770000      Call 00498A7E
:004912F4 8B4508          mov eax, dword ptr [ebp+08]   <-- look at the EAX value here
:004912F7 058C000000      add eax, 0000008C
:004912FC 50              push eax

* Reference To: KERNEL32.lstrlenA, Ord:0000h         <-- string length
|
:004912FD E878780000      Call 00498B7A
:00491302 8BD8            mov ebx, eax                  <-- length of your serial
:00491304 8D45B4          lea eax, dword ptr [ebp-4C]   <-- or look at [ebp-4C] here..
:00491307 50              push eax

* Reference To: KERNEL32.lstrlenA, Ord:0000h
|
:00491308 E86D780000      Call 00498B7A
:0049130D 3BD8            cmp ebx, eax                  <-- mmm.. a compare, wonder what it does?
:0049130F 7541            jne 00491352                  <-- doesn't seem good..

So take a look at the EAX value at 491304; this is what I saw: BCD5-@??????-CAM1 .. hmm.. let's go on.. though this should ring some bells already.. ;)

Duh.. if you traced through the above routine you should have some idea what it does; lemme explain if you don't get it yet (we can ignore lstrcpy): it gets the length of your string (read: serial) and compares it to the length of the "real" serial, which is 11h -> 17d. So the serial has to be 17 characters, otherwise it jumps to the bad exit. A-HA! At this point your bells should already be ringing!! How many chars does BCD5-@??????-CAM1 have?.. 17? Heh, yeah! .. Ok.. disable the BPX('s) and change your serial to: BCD5-@224466-CAM1, enable the BPX and trace.. ok..
Now comes the lengthy part (divided in parts!!). I'll put my pointers straight on:

:00491324 8A03            mov al, byte ptr [ebx]        <-- move a char of the serial to al
:00491326 0FBED0          movsx edx, al                 <-- sign-extend it into edx
:00491329 83FA3F          cmp edx, 0000003F             <-- compare the char to 3F = '?'
:0049132C 7410            je 0049133E                   <-- jump if the char is '?'
:0049132E 83FA40          cmp edx, 00000040             <-- compare the char to 40 = '@'
:00491331 740B            je 0049133E                   <-- jump if it is '@'
:00491333 8B4DFC          mov ecx, dword ptr [ebp-04]   <-- pointer to the same position in the other string
:00491336 3A01            cmp al, byte ptr [ecx]        <-- is it the same char?
:00491338 7404            je 0049133E                   <-- yes, same char, jump
:0049133A 33FF            xor edi, edi                  <-- nope...
:0049133C EB16            jmp 00491354                  <-- reg failed

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0049132C(C), :00491331(C), :00491338(C)
|
:0049133E 46              inc esi                       <-- increase the counter
:0049133F FF45FC          inc [ebp-04]                  <-- "move" one char right
:00491342 43              inc ebx                       <-- same thing

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00491322(U)
|
:00491343 8D45B4          lea eax, dword ptr [ebp-4C]
:00491346 50              push eax

* Reference To: KERNEL32.lstrlenA, Ord:0000h         <-- get the string length
|
:00491347 E82E780000      Call 00498B7A
:0049134C 3BF0            cmp esi, eax                  <-- all chars done?
:0049134E 7CD4            jl 00491324                   <-- not yet: jump back, alias loop
:00491350 EB02            jmp 00491354                  <-- when all chars (17) are done jump here

Ok.. a pretty simple routine, you should understand it: the two strings are walked in parallel, one char at a time. If the char is '?' or '@' the routine just jumps over the compare and goes straight to increasing the counter (0049133E); any other position has to match exactly. Let's see what happens when all chars are done.. arrhh.. another long listing.. The upper part of it loops through the serial until the char to be compared is '@':

:0049136C 8B55F8          mov edx, dword ptr [ebp-08]   <-- pointer into the serial
:0049136F 0FBE0A          movsx ecx, byte ptr [edx]     <-- take a char
:00491372 83F940          cmp ecx, 00000040             <-- is it '@'?
:00491375 7542            jne 004913B9                  <-- no -> jump; if it is -> go on
:00491377 0FBE0B          movsx ecx, byte ptr [ebx]     <-- first '?' position (yup, the question marks if ya remember!)
:0049137A 0FBE4301        movsx eax, byte ptr [ebx+01]  <-- second
:0049137E 03C8            add ecx, eax                  <-- add it to the sum
:00491380 0FBE5302        movsx edx, byte ptr [ebx+02]  <-- third
:00491384 03CA            add ecx, edx                  <-- add
:00491386 0FBE4303        movsx eax, byte ptr [ebx+03]  <-- fourth
:0049138A 03C8            add ecx, eax                  <-- add
:0049138C 0FBE5304        movsx edx, byte ptr [ebx+04]  <-- fifth
:00491390 03CA            add ecx, edx                  <-- add..
:00491392 0FBE4305        movsx eax, byte ptr [ebx+05]  <-- sixth
:00491396 03C8            add ecx, eax                  <-- final add
:00491398 8BC1            mov eax, ecx                  <-- move the sum to eax (on my comp: 17A -> 378, which is 6 * 3F, i.e. six '?' chars)
:0049139A B91A000000      mov ecx, 0000001A             <-- 1A = 26
:0049139F 99              cdq
:004913A0 F7F9            idiv ecx                      <-- divide the sum by 26, the remainder ends up in edx
:004913A2 83C241          add edx, 00000041             <-- add 41 ('A') to the remainder
:004913A5 8BCA            mov ecx, edx                  <-- the computed letter goes to ecx
:004913A7 8A43FF          mov al, byte ptr [ebx-01]     <-- the char you typed at the '@' position
:004913AA 84C0            test al, al                   <-- end of string? then fail
:004913AC 7407            je 004913B5
:004913AE 0FBED0          movsx edx, al                 <-- al = 40 ('@') in my case
:004913B1 3BCA            cmp ecx, edx                  <-- compare the computed letter (4F on my comp) to the char you typed (40)
:004913B3 7404            je 004913B9                   <-- if equal, go on (reg succeeds); otherwise beggar off

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004913AC(C)
|
:004913B5 33FF            xor edi, edi                  <-- reg failed
:004913B7 EB12            jmp 004913CB

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00491375(C), :004913B3(C)
|
:004913B9 46              inc esi                       <-- increase the counter
:004913BA 43              inc ebx
:004913BB FF45F8          inc [ebp-08]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049136A(U)
|
:004913BE 8D45B4          lea eax, dword ptr [ebp-4C]
:004913C1 50              push eax

* Reference To: KERNEL32.lstrlenA, Ord:0000h
|
:004913C2 E8B3770000      Call 00498B7A
:004913C7 3BF0            cmp esi, eax                  <-- all done?
:004913C9 7CA1            jl 0049136C                   <-- jump if not, alias loop again

So the char at the '@' position isn't fixed at all: it has to be 'A' + (sum of the six chars after it, mod 26). With six '?' chars the sum is 378, 378 mod 26 = 14, and 14 + 41h = 4Fh = 'O', which is exactly the 4F I saw in ecx. Ok.. veni, vidi, vici I could say...
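To tie the three pieces together (the 17-char length test, the template compare loop and the sum/idiv loop), here is a re-implementation of the routine at 00491288 plus a keygen built on it. This is an added example, not code from the original tute or from the program. It assumes what the trace suggests but does not prove: that the string at [ebp-4C] is the fixed template BCD5-@??????-CAM1, that the '?'/'@' positions of the template are the wildcards skipped in the first loop, and that ebx in the second loop walks the serial you typed (it must, since [ebx-01] is compared against the computed letter). The names TEMPLATE, check_letter, check_serial and keygen are mine.

```python
# Added example (not part of the original tute): the two check loops traced
# above, re-implemented, plus a keygen built on them.
# Assumptions (mine, not from the listing): the template at [ebp-4C] is the
# fixed string "BCD5-@??????-CAM1", the six summed chars are read from the
# serial you typed (ebx walks the typed serial), and the '?'/'@' positions of
# the template are the wildcards skipped in the first loop.

TEMPLATE = "BCD5-@??????-CAM1"     # the string seen at [ebp-4C]


def _movsx(ch: str) -> int:
    """movsx: treat the byte as a signed char, like the listing does."""
    b = ord(ch) & 0xFF
    return b - 0x100 if b >= 0x80 else b


def _idiv_rem(dividend: int, divisor: int) -> int:
    """Remainder of x86 idiv: quotient truncates toward zero, sign of the
    remainder follows the dividend (Python's % would differ for negatives)."""
    q = abs(dividend) // abs(divisor)
    if (dividend < 0) != (divisor < 0):
        q = -q
    return dividend - q * divisor


def check_letter(six: str) -> str:
    """The sum/idiv block at 00491377..004913A2: 'A' + (sum of six chars mod 26)."""
    total = sum(_movsx(c) for c in six)          # the six movsx/add pairs
    return chr(_idiv_rem(total, 0x1A) + 0x41)    # idiv by 1A, then add 41


def check_serial(serial: str) -> bool:
    """Re-implementation of the routine at 00491288 as traced in the tute."""
    # 0049130D: lstrlen(serial) must equal lstrlen(template), i.e. 17
    if len(serial) != len(TEMPLATE):
        return False
    # First loop (00491324..0049134E): walk both strings in parallel;
    # '?' and '@' are skipped, every other position must match exactly.
    for typed, tmpl in zip(serial, TEMPLATE):
        if tmpl in "?@":
            continue
        if typed != tmpl:
            return False
    # Second loop (0049136C..004913C9): at the template's '@', sum the six
    # typed chars that follow, mod 26, + 'A', and compare with the typed
    # char sitting at the '@' position.
    for i, tmpl in enumerate(TEMPLATE):
        if tmpl != "@":
            continue
        six = serial[i + 1:i + 7]
        if len(six) < 6 or serial[i] != check_letter(six):
            return False
    return True


def keygen(six: str = "224466") -> str:
    """Build a serial that passes check_serial for any six middle chars."""
    if len(six) != 6:
        raise ValueError("need exactly six chars for the '?' positions")
    at = TEMPLATE.index("@")
    return TEMPLATE[:at] + check_letter(six) + six + TEMPLATE[at + 7:]


if __name__ == "__main__":
    for middle in ("224466", "??????", "ABCDEF"):
        s = keygen(middle)
        print(s, check_serial(s))
```

Running it shows why the dummy serial BCD5-@224466-CAM1 from the trace fails: the six digits sum to 312, 312 mod 26 is 0, so the letter at the '@' position has to be 'A', not '@'. With the six '?' left in place the sum is 378 and the letter is 'O', matching the 4F seen in ecx during the trace.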
If you dunno what that means, go find out and come back then :)

I now know that the string BCD5-@??????-CAM1 doesn't change, excluding one char, the '@'.

Final notes: A messy bunch of crap, so to say.. I hope ya could figure something out.. The serial seems to be universal too, at least according to those couple of variations I tried.

-C_DKnight

aloha (hawaii mood again) to: (sorry if I've forgotten you)
AB4DS, r!SC, Dead-Mike, NrOC, Warezpup, Hutch, [yAtEs], [E_BLiss], [LaZaRuS], Doufas, SeKt0r, nchanta, Icey, |Xmen|, LordOfLA, F0dder, Predator, aCiDHaC, ACiD BuRN, X-Calibre, DnNuke, noos, nu, Thesmurf, defiler, Sinn0r, ^tCM^, Norika, cTT, Weazel, MisterE, Dawai, RevX, Maybird, BlackBird, DarkLord, FireWorx, SheeP140, extasy_, KaOsAuS, _zoltan, Torn@do, ByteBurn, Miscreant, croc, Br4t, [ViKiNg], N|Te, Moredhel Tailz, MR-B, Mathras, F0ley, Makis