---------------------------------------------------------
How to find a serial in ExIcon v1.9b
---------------------------------------------------------

Cracker: stealthFIGHTER

Target: ExIcon v1.9b

Tools: W32Dasm
       Hiew
       Brain

Where: http://www.basta.com

Sorry for my English, it's not my native language.

-----------
Step 1:
-----------

Run ExIcon, go to About -> Registration and enter any serial.
Boom, an error message: write it down. Open ExIcon.exe in
W32Dasm, open the String Data References (SDR) window, find
the message and double-click on it. You are here:


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040ABBF(C)                    <---------------------- here we go!
|
:0040ABE3 6AFF                    push FFFFFFFF
:0040ABE5 6A30                    push 00000030

* Possible Reference to String Resource ID=25224: "The password you have entered is incorrect."
                                  |
:0040ABE7 6888620000              push 00006288    <------- we are here
:0040ABEC E8908B0100              call 00423781


Press SHIFT+F12 and enter 0040ABBF. We land here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040AB29(C)                        <---------------------- here we go!
|
:0040AB7F 51                      push ecx
:0040AB80 E80B2F0000              call 0040DA90
:0040AB85 83C404                  add esp, 00000004
:0040AB88 8BF8                    mov edi, eax
:0040AB8A E8EBC30100              call 00426F7A
:0040AB8F 8B4010                  mov eax, dword ptr [eax+10]
:0040AB92 6A00                    push 00000000
:0040AB94 50                      push eax
:0040AB95 E8D6100000              call 0040BC70
:0040AB9A 8BCF                    mov ecx, edi
:0040AB9C 83C408                  add esp, 00000008
:0040AB9F 2BC8                    sub ecx, eax
:0040ABA1 81F94D060000            cmp ecx, 0000064D
:0040ABA7 7418                    je 0040ABC1
:0040ABA9 81F943060000            cmp ecx, 00000643
:0040ABAF 7410                    je 0040ABC1
:0040ABB1 81F95F060000            cmp ecx, 0000065F
:0040ABB7 7408                    je 0040ABC1
:0040ABB9 81F9F0050000            cmp ecx, 000005F0
:0040ABBF 7522                    jne 0040ABE3     <----- we are here


Press SHIFT+F12 and enter 0040AB29. We land here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040AAD2(U)
|
:0040AAD6 50                      push eax
:0040AAD7 8B8424D8000000          mov eax, dword ptr [esp+000000D8]
:0040AADE 50                      push eax
:0040AADF 8D4C2414                lea ecx, dword ptr [esp+14]
:0040AAE3 E888CCFFFF              call 00407770
:0040AAE8 8D4C240C                lea ecx, dword ptr [esp+0C]
:0040AAEC C78424CC00000000000000  mov dword ptr [esp+000000CC], 00000000
:0040AAF7 E8CA210100              call 0041CCC6
:0040AAFC 83F801                  cmp eax, 00000001
:0040AAFF 0F85EC000000            jne 0040ABF1
:0040AB05 8B8424BC000000          mov eax, dword ptr [esp+000000BC]
:0040AB0C 8B48F8                  mov ecx, dword ptr [eax-08]
:0040AB0F 85C9                    test ecx, ecx
:0040AB11 0F84DA000000            je 0040ABF1
:0040AB17 50                      push eax
:0040AB18 E833100000              call 0040BB50   <----------- a call
:0040AB1D 8B8C24C0000000          mov ecx, dword ptr [esp+000000C0]
:0040AB24 83C404                  add esp, 00000004
:0040AB27 85C0                    test eax, eax        <---------- test
:0040AB29 7454                    je 0040AB7F        <---------- bad boy


Double-click on the call 0040BB50 line and follow it (press the
Call button on the top panel). We land here:

* Referenced by a CALL at Addresses:
|:00409DC5   , :0040AB18   
|
:0040BB50 53                      push ebx              <----- nice!
:0040BB51 56                      push esi              <----- nice!
:0040BB52 8B74240C                mov esi, dword ptr [esp+0C]
:0040BB56 57                      push edi
:0040BB57 85F6                    test esi, esi
:0040BB59 0F84F2000000            je 0040BC51
:0040BB5F 8BFE                    mov edi, esi
:0040BB61 83C9FF                  or ecx, FFFFFFFF
:0040BB64 33C0                    xor eax, eax
:0040BB66 F2                      repnz
:0040BB67 AE                      scasb
:0040BB68 F7D1                    not ecx
:0040BB6A 49                      dec ecx
:0040BB6B 83F910                  cmp ecx, 00000010
:0040BB6E 0F85DD000000            jne 0040BC51
:0040BB74 B90F000000              mov ecx, 0000000F

The or ecx,FFFFFFFF / xor eax,eax / repnz scasb / not ecx / dec ecx
sequence is an inlined strlen, so the first thing 0040BB50 does is
reject any serial that is not exactly 0x10 = 16 characters long
(jne 0040BC51), and the caller at 0040AB27 treats eax = 0 as a failed
check. Instead of working out the rest of the routine we make it
always report success.

Double-click on the 0040BB50 push ebx line and write down the file
offset W32Dasm shows in the status bar (AF50h). Run Hiew, open
ExIcon.exe, select decode mode, press F5 and enter the offset AF50.
Press F3 (edit), then F2 (assemble) and enter:
        mov eax, 1    [ENTER]
        ret           [ENTER]
Press F9 to update the file and quit.

The two instructions assemble to B8 01 00 00 00 C3, exactly six bytes,
so they overwrite push ebx / push esi / mov esi,[esp+0C] (53 56 8B 74
24 0C) and nothing after it. A plain ret is correct here because the
function is cdecl: the caller removes the argument itself with
add esp, 00000004 at 0040AB24. Keep in mind that 0040BB50 also has a
second caller at 00409DC5, so that code path now gets the same answer.

Run it again. Wow, we are a registered user. Note that this is a
patch, not a real serial: every serial now passes the check in 0040BB50.
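The same patch done from a script, as an added example that is not part of the original tutorial: it walks the PE section table to turn the virtual address 0040BB50 into a raw file offset (the general form of the AF50h figure read off W32Dasm's status bar), checks that the bytes there really are the push ebx / push esi / mov esi,[esp+0C] prologue from the listing, and only then writes mov eax,1 / ret over them. The function names, the `.patched` output name and the sample image built by `build_sample_image()` are this example's own assumptions; the sample is a constructed stand-in for ExIcon.exe with a single .text section at RVA 1000h / raw offset 400h, which is the layout that reproduces the tutorial's offset.

```python
"""
Translate the VA of the serial check into a file offset via the PE section
table, then apply the tutorial's 6-byte 'mov eax, 1 / ret' patch.
Added example; the PE image from build_sample_image() is constructed here
and only mimics the one section that matters.
"""
import struct
import sys

# push ebx / push esi / mov esi, dword ptr [esp+0C]   (from the W32Dasm listing)
ORIGINAL_PROLOGUE = bytes.fromhex("53568B74240C")
# mov eax, 00000001 / ret                            (what Hiew assembles)
RETURN_TRUE = bytes.fromhex("B801000000C3")
assert len(RETURN_TRUE) == len(ORIGINAL_PROLOGUE)   # the patch fits exactly

CHECK_VA = 0x0040BB50


def pe_sections(image: bytes):
    """Return (image_base, [(va, virt_size, raw_size, raw_ptr), ...]) for a PE32 file."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    table = opt + opt_size
    sections = []
    for i in range(nsections):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", image, table + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), rawsize, rawptr))
    return image_base, sections


def va_to_file_offset(image: bytes, va: int) -> int:
    """Map a virtual address to the raw file offset that holds those bytes."""
    image_base, sections = pe_sections(image)
    rva = va - image_base
    for sva, vsize, rawsize, rawptr in sections:
        if sva <= rva < sva + vsize:
            delta = rva - sva
            if delta >= rawsize:
                raise ValueError("VA %08X is not backed by file data" % va)
            return rawptr + delta
    raise ValueError("VA %08X lies outside every section" % va)


def patch_return_true(image: bytes, va: int = CHECK_VA):
    """Return (patched_image, file_offset); refuses to overwrite unexpected bytes."""
    offset = va_to_file_offset(image, va)
    found = image[offset:offset + len(ORIGINAL_PROLOGUE)]
    if found != ORIGINAL_PROLOGUE:
        raise ValueError("bytes at %05X are %s, not the expected prologue"
                         % (offset, found.hex()))
    patched = bytearray(image)
    patched[offset:offset + len(RETURN_TRUE)] = RETURN_TRUE
    return bytes(patched), offset


def build_sample_image() -> bytes:
    """Constructed stand-in for ExIcon.exe: one .text section, RVA 1000h at raw 400h."""
    image_base, text_rva, text_raw, text_size = 0x400000, 0x1000, 0x400, 0xB000
    hdr = bytearray(text_raw)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                      # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    # COFF header: i386, 1 section, no symbols, 0xE0-byte optional header
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<III", hdr, opt + 28, image_base, 0x1000, 0x200)  # base, alignments
    sect = opt + 0xE0
    hdr[sect:sect + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", hdr, sect + 8, text_size, text_rva, text_size, text_raw)
    text = bytearray(b"\xCC" * text_size)
    pos = 0xAF50 - text_raw                                      # lands at VA 0040BB50h
    text[pos:pos + len(ORIGINAL_PROLOGUE)] = ORIGINAL_PROLOGUE
    return bytes(hdr + text)


if __name__ == "__main__":
    if len(sys.argv) > 1:                        # python patch.py ExIcon.exe
        data = open(sys.argv[1], "rb").read()
        out, off = patch_return_true(data)
        open(sys.argv[1] + ".patched", "wb").write(out)
    else:
        out, off = patch_return_true(build_sample_image())
    print("patched 0040BB50 at file offset %05X" % off)
```

Run it with no arguments to exercise the constructed image, or with a path to write a `.patched` copy next to the original. The byte check before writing is the part worth keeping in any patcher: if the binary is a different build, the prologue will not match, and the script stops instead of corrupting an unrelated function.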

---------------------------------------
If I made a mistake, please e-mail
me at: stealthfighter@another.com
---------------------------------------