Name      : Xara Webstyle
Version   : 1.2
Editor    : UltraEdit
Target    : webstyle.exe
s/n saved : HKEY_CURRENT_USER\Software\Xara\WebStyle\Options\ModelFlags
Tools     : W32Dasm 8.93, Hiew 6.16, Brain
Cracker   : LW2000
Tutorial  : No.18
http://www.ultraedit.com/

---
DISCLAIMER
For educational purposes only! I hold no responsibility for the misuse of this material!
---

Please excuse my poor English, it is not my mother language....

1. OK, go to the registration screen and enter the details. *BOOM*

   'Invalid number. Please contact Xara ...'

   Seems that we found a bug ;) Let's fix it. Load webstyle.exe in W32Dasm. Click on the SDR (String Data References) and search for our message text. Double-click on it and close the SDR window. Now it should look like this:

   * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
   |:0045013C(C), :00450150(C), :00450169(C), :00450182(C), :0045019B(C)
   |:004501B4(C), :004501CD(C), :004501E6(C), :00450251(C)

   :00450284 6A02                    push 00000002
   :00450286 6A01                    push 00000001
   :00450288 6A00                    push 00000000
   :0045028A 6A00                    push 00000000
   :0045028C 6A00                    push 00000000
   :0045028E 6A00                    push 00000000

   * Possible Reference to String Resource ID=18500: "Invalid number. Please contact Xara technical support@xara.c"

2. Let's take a look at the code. Go to Code Location 0045013C.

   * Referenced by a CALL at Addresses:
   |:0044F9AD   , :0044FA28
   |
   :00450100 64A100000000            mov eax, dword ptr fs:[00000000]
   :00450106 6AFF                    push FFFFFFFF
   :00450108 681FB04A00              push 004AB01F
   :0045010D 50                      push eax
   :0045010E 8B442410                mov eax, dword ptr [esp+10]
   :00450112 64892500000000          mov dword ptr fs:[00000000], esp
   :00450119 50                      push eax
   :0045011A 8D4C2414                lea ecx, dword ptr [esp+14]
   :0045011E E8AC520400              call 004953CF
   :00450123 8D4C2410                lea ecx, dword ptr [esp+10]
   :00450127 C744240800000000        mov [esp+08], 00000000
   :0045012F E8CC580400              call 00495A00
   :00450134 8B442410                mov eax, dword ptr [esp+10]
   :00450138 8378F807                cmp dword ptr [eax-08], 00000007
   :0045013C 0F8542010000            jne 00450284                 <-- 1. Check
   :00450142 0FBE08                  movsx ecx, byte ptr [eax]
   :00450145 51                      push ecx
   :00450146 E8F5F20200              call 0047F440
   :0045014B 83C404                  add esp, 00000004
   :0045014E 85C0                    test eax, eax
   :00450150 0F842E010000            je 00450284                  <-- 2. Check
   :00450156 8B542410                mov edx, dword ptr [esp+10]
   :0045015A 0FBE4201                movsx eax, byte ptr [edx+01]
   :0045015E 50                      push eax
   :0045015F E8DCF20200              call 0047F440
   :00450164 83C404                  add esp, 00000004
   :00450167 85C0                    test eax, eax
   :00450169 0F8415010000            je 00450284                  <-- 3. Check
   :0045016F 8B4C2410                mov ecx, dword ptr [esp+10]
   :00450173 0FBE5102                movsx edx, byte ptr [ecx+02]
   :00450177 52                      push edx
   :00450178 E8C3F20200              call 0047F440
   :0045017D 83C404                  add esp, 00000004
   :00450180 85C0                    test eax, eax
   :00450182 0F84FC000000            je 00450284                  <-- 4. Check
   :00450188 8B442410                mov eax, dword ptr [esp+10]
   :0045018C 0FBE4803                movsx ecx, byte ptr [eax+03]
   :00450190 51                      push ecx
   :00450191 E8AAF20200              call 0047F440
   :00450196 83C404                  add esp, 00000004
   :00450199 85C0                    test eax, eax
   :0045019B 0F84E3000000            je 00450284                  <-- 5. Check
   :004501A1 8B542410                mov edx, dword ptr [esp+10]
   :004501A5 0FBE4204                movsx eax, byte ptr [edx+04]
   :004501A9 50                      push eax
   :004501AA E891F20200              call 0047F440
   :004501AF 83C404                  add esp, 00000004
   :004501B2 85C0                    test eax, eax
   :004501B4 0F84CA000000            je 00450284                  <-- 6. Check
   :004501BA 8B4C2410                mov ecx, dword ptr [esp+10]
   :004501BE 0FBE5105                movsx edx, byte ptr [ecx+05]
   :004501C2 52                      push edx
   :004501C3 E878F20200              call 0047F440
   :004501C8 83C404                  add esp, 00000004
   :004501CB 85C0                    test eax, eax
   :004501CD 0F84B1000000            je 00450284                  <-- 7. Check
   :004501D3 8B442410                mov eax, dword ptr [esp+10]
   :004501D7 0FBE4806                movsx ecx, byte ptr [eax+06]
   :004501DB 51                      push ecx
   :004501DC E85FF20200              call 0047F440
   :004501E1 83C404                  add esp, 00000004
   :004501E4 85C0                    test eax, eax
   :004501E6 0F8498000000            je 00450284                  <-- 8. Check
   :004501EC 8B442410                mov eax, dword ptr [esp+10]
   :004501F0 0FBE4804                movsx ecx, byte ptr [eax+04]
   :004501F4 8D1449                  lea edx, dword ptr [ecx+2*ecx]
   :004501F7 0FBE4806                movsx ecx, byte ptr [eax+06]
   :004501FB 8D0CD1                  lea ecx, dword ptr [ecx+8*edx]
   :004501FE 8D1449                  lea edx, dword ptr [ecx+2*ecx]
   :00450201 0FBE4802                movsx ecx, byte ptr [eax+02]
   :00450205 8D0CD1                  lea ecx, dword ptr [ecx+8*edx]
   :00450208 8D1449                  lea edx, dword ptr [ecx+2*ecx]
   :0045020B 0FBE4805                movsx ecx, byte ptr [eax+05]
   :0045020F 8D0CD1                  lea ecx, dword ptr [ecx+8*edx]
   :00450212 8D1449                  lea edx, dword ptr [ecx+2*ecx]
   :00450215 0FBE08                  movsx ecx, byte ptr [eax]
   :00450218 8D0CD1                  lea ecx, dword ptr [ecx+8*edx]
   :0045021B 8D1449                  lea edx, dword ptr [ecx+2*ecx]
   :0045021E 0FBE4801                movsx ecx, byte ptr [eax+01]
   :00450222 0FBE4003                movsx eax, byte ptr [eax+03]
   :00450226 8D0CD1                  lea ecx, dword ptr [ecx+8*edx]
   :00450229 8D1449                  lea edx, dword ptr [ecx+2*ecx]
   :0045022C 8D8CD067216BFB          lea ecx, dword ptr [eax+8*edx-0494DE99]
   :00450233 8B442414                mov eax, dword ptr [esp+14]
   :00450237 8BD0                    mov edx, eax
   :00450239 D1E8                    shr eax, 1
   :0045023B 81E255555555            and edx, 55555555
   :00450241 2555555555              and eax, 55555555
   :00450246 8D0450                  lea eax, dword ptr [eax+2*edx]
   :00450249 69C00D661900            imul eax, 0019660D
   :0045024F 3BC8                    cmp ecx, eax
   :00450251 7531                    jne 00450284                 <-- 9. Check
   :00450253 8D4C2410                lea ecx, dword ptr [esp+10]
   :00450257 C705E8FE4D0009000000    mov dword ptr [004DFEE8], 00000009
   :00450261 C7442408FFFFFFFF        mov [esp+08], FFFFFFFF
   :00450269 E89C520400              call 0049550A
   :0045026E B801000000              mov eax, 00000001
   :00450273 8B4C2400                mov ecx, dword ptr [esp]
   :00450277 64890D00000000          mov dword ptr fs:[00000000], ecx
   :0045027E 83C40C                  add esp, 0000000C
   :00450281 C20800                  ret 0008

3. OK, we have nine checks. The first one compares the length of the entered number with 7, checks 2 to 8 pass each of the seven characters to the routine at 0047F440 and jump to the error message if it returns zero, and check 9 compares the value computed from the characters with the value derived from [esp+14]. Let's fix them! Business as usual! Change the jne to je and the je to jne. I think there is no need to explain how to do this in Hiew. If you don't know how to do this, read my old tutorials or take a look at other tKC cracking tutorials...

4. Done? OK, let's try again to register.

   Congratulations! You are a registered user.

FINISH! Easy, isn't it?

cu
LW2000

Any comments? Mail me: LW2000@gmx.net !!!

----
tKC, thanks for your tutorials! I started with tutorial 1 and I still read them... they are the best!