Name      : 007 Stealth Activity Monitor (SAM)
Version   : 4.2
Editor    : IOPUS Software
Website   : www.iopus.com
Target    : samctrl.exe
s/n saved : HKEY_LOCAL_MACHINE\Software\Rexs
Tools     : W32Dasm, Hiew, Brain
Cracker   : LW2000
Tutorial  : No.21

--- DISCLAIMER ---
For educational purposes only! I hold no responsibility for the misuse of this material!
------------------

1. Ok, fire up samctrl.exe. Click on the Register tab and enter LW2000 as regcode.
   *Boom* "Wrong registration code entered". wtf, seems that we found a bug ;) Let's fix it!

2. Load W32Dasm with samctrl.exe. Click on the String Data References and take a look.
   mhmm, "SAM is now successfully registered" looks *very* interesting, let's doubleclick on it!

   * Possible StringData Ref from Data Obj ->"SAM is now successfully registered "
                                           ->"- Thank you ! "
                                     |
   :00404475 684CA94000        push 0040A94C
   :0040447A 8BCE              mov ecx, esi

   * Reference To: MFC42.Ordinal:1080, Ord:1080h
                                     |
   :0040447C E8DD150000        Call 00405A5E

   * Possible StringData Ref from Data Obj ->"REGISTERED VERSION"
                                     |
   :00404481 68BCA34000        push 0040A3BC
   :00404486 8D8E60010000      lea ecx, dword ptr [esi+00000160]

3. Ok, now scroll up a *little* bit:

   * Reference To: KERNEL32.lstrcmpA, Ord:0295h
                                     |
   :0040445C FF1538704000      Call dword ptr [00407038]
   :00404462 85C0              test eax, eax
   :00404464 756F              jne 004044D5              <-- mhmm...
   :00404466 8B0F              mov ecx, dword ptr [edi]
   :00404468 8379F809          cmp dword ptr [ecx-08], 00000009
   :0040446C 7E67              jle 004044D5              <-- mhmm...
   :0040446E 6A40              push 00000040

   * Possible StringData Ref from Data Obj ->"Registration"
                                     |
   :00404470 6864AA4000        push 0040AA64

   * Possible StringData Ref from Data Obj ->"SAM is now successfully registered "
                                           ->"- Thank you ! "
                                     |
   :00404475 684CA94000        push 0040A94C

4. Seems that we found an easy one... =) The JNE at 00404464 could easily be changed
   to JE, but what about the JLE at 0040446C? This must be fixed, too. Let's NOP it!
   Ok, get the file offsets (I think you know how to ;). The JNE is at 3864h and the
   JLE is at 386Ch. Close W32Dasm and start Hiew with samctrl.exe. Go to decode mode
   and press F5.

5. Go to offset 3864. Press F3 and change 756F to 746F (JNE -> JE). Then go to 386C and
   enter 9090 (2x NOP) in place of 7E67 (JLE). Press F9 to update and F10 to quit.
   Start samctrl and try to register again with LW2000. Congratulations! You are a
   registered user.

FINISH! Easy, isn't it?

cu LW2000

Any comments? Mail me LW2000@gmx.net !!!

----
tKC, thx for your tutors! I started with tutor 1 and I still read them... they are the best!
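What the walkthrough above really shows is how little stands between a plaintext `lstrcmpA` compare and a "registered" banner: two conditional branches, each one byte away from meaning the opposite. From the vendor's side the useful lesson is detection. The script below is an added example written for this page (it is not part of the tutorial and not IOPUS code): it checks a binary image for exactly the edits the tutorial describes, using the file offsets and original bytes quoted in steps 3 to 5, classifies what it finds (a flipped short conditional jump versus a NOP sled), and backs that up with a whole-file SHA-256 comparison that catches edits anywhere, not only at the two known sites. The real samctrl.exe is not included; the "clean" and "tampered" images are constructed filler buffers carrying only the bytes the tutorial names.

```python
import hashlib

# Offsets and original bytes come from the tutorial's own listing; the tampered
# values are the ones the tutorial writes at those offsets. Nothing else about the
# real samctrl.exe is assumed; the images built below are constructed stand-ins.
PATCH_SITES = {
    0x3864: bytes.fromhex("756F"),  # jne 004044D5, right after lstrcmpA / test eax, eax
    0x386C: bytes.fromhex("7E67"),  # jle 004044D5, right after cmp dword ptr [ecx-08], 9
}

# Short conditional jumps 70h..7Fh come in complementary pairs whose opcodes differ
# only in the lowest bit (74h je / 75h jne, 7Eh jle / 7Fh jg, ...), so flipping that
# bit inverts the branch. That is exactly the 75 -> 74 edit the tutorial makes.
SHORT_JCC = range(0x70, 0x80)


def classify(expected: bytes, found: bytes) -> str:
    """Name the kind of edit seen at a patch site."""
    if found == b"\x90" * len(expected):
        return "nop-sled"            # instruction removed (the tutorial's 9090 for 7E67)
    if (len(found) == len(expected) and expected[0] in SHORT_JCC
            and found[0] == (expected[0] ^ 1) and found[1:] == expected[1:]):
        return "inverted-jcc"        # branch sense flipped, displacement untouched
    return "modified"


def check_patch_sites(image: bytes, sites=PATCH_SITES) -> list:
    """Compare the bytes at each known branch against the expected originals."""
    findings = []
    for offset, expected in sorted(sites.items()):
        found = image[offset:offset + len(expected)]
        if found != expected:
            findings.append({
                "offset": offset,
                "expected": expected.hex(),
                "found": found.hex(),
                "kind": classify(expected, found),
            })
    return findings


def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def verify_image(image: bytes, known_good_digest: str) -> bool:
    """Whole-file integrity check: catches any edit, not just the two sites above."""
    return sha256_hex(image) == known_good_digest


# --- constructed fixtures (not the real executable) ---------------------------
def build_clean_image(size: int = 0x4000) -> bytes:
    """A filler image that carries the tutorial's original bytes at its offsets."""
    img = bytearray(b"\xCC" * size)      # int3 filler, deliberately meaningless
    for offset, original in PATCH_SITES.items():
        img[offset:offset + len(original)] = original
    return bytes(img)


def build_tampered_image() -> bytes:
    """The same filler image carrying the two edits the tutorial describes,
    so the detector has something to flag."""
    img = bytearray(build_clean_image())
    img[0x3864:0x3866] = bytes.fromhex("746F")  # jne -> je
    img[0x386C:0x386E] = bytes.fromhex("9090")  # jle -> nop nop
    return bytes(img)


if __name__ == "__main__":
    clean, tampered = build_clean_image(), build_tampered_image()
    baseline = sha256_hex(clean)
    for name, img in (("clean", clean), ("tampered", tampered)):
        print(f"{name}: hash ok={verify_image(img, baseline)} "
              f"sites={check_patch_sites(img) or 'intact'}")
```

The site check is the cheap, explainable part: it tells you which branch was touched and how. The hash comparison is the one that actually matters in practice, because the next crack will not land on the same two offsets. Both run inside the same process they protect, so they detect rather than prevent; that is the reason a registration scheme built on a single local string compare is weak by design, whatever the branch bytes are.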