Name      : Xara Webstyle

Version   : 1.2

Editor    : UltraEdit

Target    : webstyle.exe

s/n saved : HKEY_CURRENT_USER\Software\Xara\WebStyle\Options\ModelFlags

Tools     : W32Dasm 8.93
	    Hiew 6.16
	    Brain
	    	    
Cracker   : LW2000

Tutorial  : No.18

http://www.ultraedit.com/


---
DISCLAIMER
For educational purposes only!
I hold no responsibility for the misuse of this material!
---



Please excuse my poor English, it's not my mother language....


1.	OK, go to the registration screen and enter the details.
	*BOOM* 'Invalid number. Please contact Xara ...'
	Seems that we found a bug ;)
	Let's fix it.
	Load webstyle.exe into W32Dasm. Click on the SDR and search for
	our message text. Double-click on it and close the SDR window.

	Now it should look like this:

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0045013C(C), :00450150(C), :00450169(C), :00450182(C), :0045019B(C)
|:004501B4(C), :004501CD(C), :004501E6(C), :00450251(C)

:00450284 6A02 push 00000002
:00450286 6A01 push 00000001
:00450288 6A00 push 00000000
:0045028A 6A00 push 00000000
:0045028C 6A00 push 00000000
:0045028E 6A00 push 00000000

* Possible Reference to String Resource ID=18500:
 "Invalid number. Please contact Xara technical support@xara.c"


2.	Let's take a look at the code. Goto Code Location 0045013C.


* Referenced by a CALL at Addresses:
|:0044F9AD , :0044FA28 
|
:00450100 64A100000000         mov eax, dword ptr fs:[00000000]
:00450106 6AFF                 push FFFFFFFF
:00450108 681FB04A00           push 004AB01F
:0045010D 50                   push eax
:0045010E 8B442410             mov eax, dword ptr [esp+10]
:00450112 64892500000000       mov dword ptr fs:[00000000], esp
:00450119 50                   push eax
:0045011A 8D4C2414             lea ecx, dword ptr [esp+14]
:0045011E E8AC520400           call 004953CF
:00450123 8D4C2410             lea ecx, dword ptr [esp+10]
:00450127 C744240800000000     mov [esp+08], 00000000
:0045012F E8CC580400           call 00495A00
:00450134 8B442410             mov eax, dword ptr [esp+10]
:00450138 8378F807             cmp dword ptr [eax-08], 00000007
:0045013C 0F8542010000         jne 00450284    <-- 1. Check
:00450142 0FBE08               movsx ecx, byte ptr [eax]
:00450145 51                   push ecx
:00450146 E8F5F20200           call 0047F440
:0045014B 83C404               add esp, 00000004
:0045014E 85C0                 test eax, eax
:00450150 0F842E010000         je 00450284   <-- 2. Check
:00450156 8B542410             mov edx, dword ptr [esp+10]
:0045015A 0FBE4201             movsx eax, byte ptr [edx+01]
:0045015E 50                   push eax
:0045015F E8DCF20200           call 0047F440
:00450164 83C404               add esp, 00000004
:00450167 85C0                 test eax, eax
:00450169 0F8415010000         je 00450284   <-- 3. Check
:0045016F 8B4C2410             mov ecx, dword ptr [esp+10]
:00450173 0FBE5102             movsx edx, byte ptr [ecx+02]
:00450177 52                   push edx
:00450178 E8C3F20200           call 0047F440
:0045017D 83C404               add esp, 00000004
:00450180 85C0                 test eax, eax
:00450182 0F84FC000000         je 00450284   <-- 4. Check
:00450188 8B442410             mov eax, dword ptr [esp+10]
:0045018C 0FBE4803             movsx ecx, byte ptr [eax+03]
:00450190 51                   push ecx
:00450191 E8AAF20200           call 0047F440
:00450196 83C404               add esp, 00000004
:00450199 85C0                 test eax, eax
:0045019B 0F84E3000000         je 00450284   <-- 5. Check
:004501A1 8B542410             mov edx, dword ptr [esp+10]
:004501A5 0FBE4204             movsx eax, byte ptr [edx+04]
:004501A9 50                   push eax
:004501AA E891F20200           call 0047F440
:004501AF 83C404               add esp, 00000004
:004501B2 85C0                 test eax, eax
:004501B4 0F84CA000000         je 00450284   <-- 6. Check
:004501BA 8B4C2410             mov ecx, dword ptr [esp+10]
:004501BE 0FBE5105             movsx edx, byte ptr [ecx+05]
:004501C2 52                   push edx
:004501C3 E878F20200           call 0047F440
:004501C8 83C404               add esp, 00000004
:004501CB 85C0                 test eax, eax
:004501CD 0F84B1000000         je 00450284   <-- 7. Check
:004501D3 8B442410             mov eax, dword ptr [esp+10]
:004501D7 0FBE4806             movsx ecx, byte ptr [eax+06]
:004501DB 51                   push ecx
:004501DC E85FF20200           call 0047F440
:004501E1 83C404               add esp, 00000004
:004501E4 85C0                 test eax, eax
:004501E6 0F8498000000         je 00450284   <-- 8. Check
:004501EC 8B442410             mov eax, dword ptr [esp+10]
:004501F0 0FBE4804             movsx ecx, byte ptr [eax+04]
:004501F4 8D1449               lea edx, dword ptr [ecx+2*ecx]
:004501F7 0FBE4806             movsx ecx, byte ptr [eax+06]
:004501FB 8D0CD1               lea ecx, dword ptr [ecx+8*edx]
:004501FE 8D1449               lea edx, dword ptr [ecx+2*ecx]
:00450201 0FBE4802             movsx ecx, byte ptr [eax+02]
:00450205 8D0CD1               lea ecx, dword ptr [ecx+8*edx]
:00450208 8D1449               lea edx, dword ptr [ecx+2*ecx]
:0045020B 0FBE4805             movsx ecx, byte ptr [eax+05]
:0045020F 8D0CD1               lea ecx, dword ptr [ecx+8*edx]
:00450212 8D1449               lea edx, dword ptr [ecx+2*ecx]
:00450215 0FBE08               movsx ecx, byte ptr [eax]
:00450218 8D0CD1               lea ecx, dword ptr [ecx+8*edx]
:0045021B 8D1449               lea edx, dword ptr [ecx+2*ecx]
:0045021E 0FBE4801             movsx ecx, byte ptr [eax+01]
:00450222 0FBE4003             movsx eax, byte ptr [eax+03]
:00450226 8D0CD1               lea ecx, dword ptr [ecx+8*edx]
:00450229 8D1449               lea edx, dword ptr [ecx+2*ecx]
:0045022C 8D8CD067216BFB       lea ecx, dword ptr [eax+8*edx-0494DE99]
:00450233 8B442414             mov eax, dword ptr [esp+14]
:00450237 8BD0                 mov edx, eax
:00450239 D1E8                 shr eax, 1
:0045023B 81E255555555         and edx, 55555555
:00450241 2555555555           and eax, 55555555
:00450246 8D0450               lea eax, dword ptr [eax+2*edx]
:00450249 69C00D661900         imul eax, 0019660D
:0045024F 3BC8                 cmp ecx, eax
:00450251 7531                 jne 00450284    <-- 9. Check
:00450253 8D4C2410             lea ecx, dword ptr [esp+10]
:00450257 C705E8FE4D0009000000 mov dword ptr [004DFEE8], 00000009
:00450261 C7442408FFFFFFFF     mov [esp+08], FFFFFFFF
:00450269 E89C520400           call 0049550A
:0045026E B801000000           mov eax, 00000001
:00450273 8B4C2400             mov ecx, dword ptr [esp]
:00450277 64890D00000000       mov dword ptr fs:[00000000], ecx
:0045027E 83C40C               add esp, 0000000C
:00450281 C20800               ret 0008


3.	OK, we have nine checks. Let's fix them! Business as usual!
	Change the jne to je and the je to jne. I think there is no
	need to explain how to do this in Hiew. If you don't know
	how to do this, read my old tuts or take a look at the other
	tKC cracking tutorials...

4.	Done? OK, let's try to register again.


Congratulations! You are a registered user.

FINISH! Easy, or?

cu LW2000
Any comments? Mail me at LW2000@gmx.net !!!
----
tKC, thx for your tutors!
I started with tutor 1 and I still read them... they are the best!