Tutorial Nr. 31
^^^^^^^^^^^^^^^

Application: Imagine CD-Menü v3.0
URL:         http://www.imagine-cdmenue.de/
Our Aim:     Serial fishing

Cracker:     ScareByte
Group:       DBC
URL:         http://kickme.to/scarebyte
             http://kickme.to/dbc

Toolz:       SoftIce (and knowledge), ASM knowledge, your brain
Date:        05.04.2001
Level:       easy

..:[ First words ]:..

Hi folks. Today we will fish a serial for Imagine CD-Menü v3.0. I won't make many words, so let us begin.

..:[ Begin ]:..

Launch the program file and click on "Order". Here you have to enter your Name and Firm, which we need for the registration. I will enter my name ScareByte and as firm I take DBC.

Now change to the Registration dialog and enter 19191919 as the serial. (That's just the standard serial I always use; you can take another one.) As breakpoint we use the HMemCpy function: change to SoftIce with Ctrl+D and enter the breakpoint "bpx hmemcpy". Leave SoftIce and press the OK button. SoftIce pops up.
Now press F12 12 times and we see this:

0177:004C1851 E8DE3DF7FF             CALL 00435634
0177:004C1856 8B95E0FDFFFF           MOV EDX,[EBP-0220]
0177:004C185C A14C5E4F00             MOV EAX,[004F5E4C]
0177:004C1861 E8EA25F4FF             CALL 00403E50
0177:004C1866 8D95DCFDFFFF           LEA EDX,[EBP-0224]
0177:004C186C 8B830C030000           MOV EAX,[EBX+0000030C]
0177:004C1872 E8BD3DF7FF             CALL 00435634
0177:004C1877 8B95DCFDFFFF           MOV EDX,[EBP-0224]
0177:004C187D A1BC5B4F00             MOV EAX,[004F5BBC]
0177:004C1882 E8C925F4FF             CALL 00403E50
0177:004C1887 A1F85B4F00             MOV EAX,[004F5BF8]
0177:004C188C 803800                 CMP BYTE PTR [EAX],00
0177:004C188F 0F85470A0000           JNZ 004C22DC
0177:004C1895 C785F4FEFFFFE9030000   MOV DWORD PTR [EBP-010C],000003E9
0177:004C189F A14C5E4F00             MOV EAX,[004F5E4C]
0177:004C18A4 8B00                   MOV EAX,[EAX]
0177:004C18A6 E8D127F4FF             CALL 0040407C          // length of our fake serial
0177:004C18AB 85C0                   TEST EAX,EAX           // if no serial was entered ...
0177:004C18AD 0F8E5C030000           JLE 004C1C0F           // ... jump to the bad message
0177:004C18B3 A020254C00             MOV AL,[004C2520]
0177:004C18B8 50                     PUSH EAX
0177:004C18B9 8D85F8FEFFFF           LEA EAX,[EBP-0108]

OK, now trace along the code with F10 until we see this little piece of code:

0177:004C1BEF 8D8528FDFFFF           LEA EAX,[EBP-02D8]
0177:004C1BF5 B110                   MOV CL,10
0177:004C1BF7 E8C40FF4FF             CALL 00402BC0
0177:004C1BFC 8D9528FDFFFF           LEA EDX,[EBP-02D8]
0177:004C1C02 8D85F8FEFFFF           LEA EAX,[EBP-0108]
0177:004C1C08 E81324F4FF             CALL 00404020
0177:004C1C0D EB10                   JMP 004C1C1F
0177:004C1C0F 8D85F8FEFFFF           LEA EAX,[EBP-0108]
0177:004C1C15 BA2C254C00             MOV EDX,004C252C
0177:004C1C1A E87522F4FF             CALL 00403E94
0177:004C1C1F A14C5E4F00             MOV EAX,[004F5E4C]
0177:004C1C24 8B00                   MOV EAX,[EAX]          // String 1
0177:004C1C26 8B95F8FEFFFF           MOV EDX,[EBP-0108]     // String 2
0177:004C1C2C E85B25F4FF             CALL 0040418C          // Compare String 1 and 2
0177:004C1C31 0F856E040000           JNZ 004C20A5           // jump if not equal
0177:004C1C37 8D85FCFEFFFF           LEA EAX,[EBP-0104]

On line 0177:004C1C26 enter "d eax" to see what EAX points to: "19191919", our entered serial.
On line 0177:004C1C2C enter "d edx" to see what EDX points to: "1919-191-9.-....". Hey, this looks like a format compare of the serial: the string in EDX is our input laid over a mask, with "." in the positions we did not fill, and it is compared against what we typed. So anything that is not already in that layout fails here. With this information we know the required serial format:

Serial format: ABCD-EFG-HI-JKLM

Change back to the Registration dialog and rewrite the serial. Enter a serial like ABCD-EFG-HI-JKLM and press the OK button again to re-enter SoftIce. Trace again to the call on line 0177:004C1C2C. The format is right and we don't jump :) Press F10 until you reach line 0177:004C1FDD:

0177:004C1FDD 8B35AC5F4F00           MOV ESI,[004F5FAC]
0177:004C1FE3 8D85E5FDFFFF           LEA EAX,[EBP-021B]     // EAX points to our right serial
0177:004C1FE9 8A08                   MOV CL,[EAX]
0177:004C1FEB 320E                   XOR CL,[ESI]
0177:004C1FED 8808                   MOV [EAX],CL
0177:004C1FEF 40                     INC EAX
0177:004C1FF0 46                     INC ESI
0177:004C1FF1 4A                     DEC EDX
0177:004C1FF2 75F5                   JNZ 004C1FE9
0177:004C1FF4 8D85E8FEFFFF           LEA EAX,[EBP-0118]
0177:004C1FFA 8D95E4FDFFFF           LEA EDX,[EBP-021C]
0177:004C2000 E81B20F4FF             CALL 00404020
0177:004C2005 8D8500FFFFFF           LEA EAX,[EBP-0100]
0177:004C200B 8B154C5E4F00           MOV EDX,[004F5E4C]
0177:004C2011 8B12                   MOV EDX,[EDX]

This loop XORs the buffer at [EBP-021B] byte by byte, in place, with the key table at [004F5FAC]: EAX walks the buffer, ESI walks the key table, and EDX (loaded before this listing) counts down until the JNZ falls through. To see your correct serial, enter "d eax" on line 0177:004C1FE9. Because every pass overwrites one byte of the buffer, what the data window shows changes as you step; look at it before the first XOR and again after the JNZ is no longer taken, and take the readable 16-character serial.

OK, that's all.

Name:   ScareByte
Firm:   DBC
Serial: 4795-507-84-1166

..:[ Last words ]:..

Hmm, sorry for my bad school English. I know there are a lot of mistakes :)
If you want to say thanks then write a mail: ScareByte@gmx.net

cu
ScareByte

..:[ Greetz ]:..

Group:  DBC, eMINENCE, UCF, CORE, TNP, TGC, EVC, Immortal Descendants, Krypto Crew, Amok
People: all DBC (specially NUKEM and Black Panther) & eMINENCE members, kOBoLd666, SpaceKeks, bOOm51, |VerTex|, the whole TNP team and all my friends I've forgotten ^_^
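..:[ Addendum: the two checks as Python ]:..

The two checks traced above (the format compare at 004C1C2C and the XOR loop at 004C1FE9) modelled in Python, as an added example. This is neither Imagine CD-Menü's code nor ScareByte's. The mask "####-###-##-####" with "." for unfilled slots is an assumption: it is the simplest rule that turns the observed "19191919" into the observed "1919-191-9.-....". The key table at [004F5FAC] and the buffer at [EBP-021B] are not printed in the tutorial, so DEMO_KEY and DEMO_ENCRYPTED are constructed so that the loop yields the tutorial's serial. The function names (apply_mask, format_ok, xor_loop, fish_serial, check_registration) are mine.

```python
# Added example (not Imagine CD-Menü's own code): a model of the two checks
# traced with SoftIce. The mask and the key/cipher bytes are assumptions /
# constructed data, see the comments.

MASK = "####-###-##-####"   # ABCD-EFG-HI-JKLM; assumed from the two strings seen
FILL = "."                  # unfilled slot, as in "1919-191-9.-...."


def apply_mask(entered: str, mask: str = MASK, fill: str = FILL) -> str:
    """Lay the typed characters over the mask (assumed behaviour of the code
    that builds String 2 before 004C1C2C): '#' takes the next typed character,
    or `fill` once the input is used up; a literal '-' is emitted as-is and
    swallows a matching typed '-', so a correctly formatted serial comes back
    unchanged.  Reproduces '19191919' -> '1919-191-9.-....'."""
    out = []
    i = 0
    for m in mask:
        if m == "#":
            if i < len(entered):
                out.append(entered[i])
                i += 1
            else:
                out.append(fill)
        else:
            out.append(m)
            if i < len(entered) and entered[i] == m:
                i += 1
    return "".join(out)


def format_ok(entered: str) -> bool:
    """The compare at 004C1C2C: the typed serial against its masked form.
    Anything not already in ABCD-EFG-HI-JKLM layout fails here."""
    return entered == apply_mask(entered)


def xor_loop(buf: bytearray, key: bytes, count: int) -> bytearray:
    """The loop at 004C1FE9..004C1FF2: EAX walks the buffer, ESI walks the key
    table ([004F5FAC]), EDX counts down; each byte is replaced in place by
    buf[i] ^ key[i].  DEC EDX / JNZ tests *after* the body, so EDX == 0 would
    wrap and run 2**32 times; guard against that and against over-reading."""
    if count <= 0:
        raise ValueError("EDX must be > 0 for a DEC/JNZ loop")
    if count > len(buf) or count > len(key):
        raise ValueError("count exceeds buffer or key (would read past the end)")
    for i in range(count):
        buf[i] ^= key[i]
    return buf


def fish_serial(encrypted: bytes, key: bytes) -> str:
    """What 'd eax' shows once the JNZ has fallen through."""
    return xor_loop(bytearray(encrypted), key, len(encrypted)).decode("ascii")


# Constructed demo data: the real key table and buffer are not shown in the
# tutorial, so these bytes were made up such that the loop yields its serial.
DEMO_KEY = bytes([0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
                  0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x10])
DEMO_ENCRYPTED = bytes([0x25, 0x15, 0x0A, 0x71, 0x78, 0x53, 0x47, 0xBF,
                        0xB4, 0x92, 0x8F, 0xE1, 0xEC, 0xDF, 0xC9, 0x26])


def check_registration(entered: str, encrypted: bytes = DEMO_ENCRYPTED,
                       key: bytes = DEMO_KEY) -> str:
    """Both checks in the order the program runs them."""
    if not entered:
        return "bad"                 # TEST EAX,EAX / JLE 004C1C0F
    if not format_ok(entered):
        return "bad"                 # JNZ 004C20A5: format compare failed
    return "good" if entered == fish_serial(encrypted, key) else "bad"


if __name__ == "__main__":
    print(apply_mask("19191919"))
    print(fish_serial(DEMO_ENCRYPTED, DEMO_KEY))
    for s in ("19191919", "ABCD-EFG-HI-JKLM", "4795-507-84-1166"):
        print(s, check_registration(s))
```

Running it shows the three stages of the tutorial: "19191919" is rejected by the mask, "ABCD-EFG-HI-JKLM" passes the mask and gets as far as the real compare, and the decrypted serial is accepted. The guards in xor_loop are the practitioner's caveat for this loop shape: a DEC/JNZ loop with the test after the body never runs zero times, so a length of 0 would walk far past both buffers in the real binary.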