Name      : WinXFiles
Version   : 4.3
Editor    : PepSoft
Target    : WXFiles.exe
s/n saved : HKEY_CURRENT_USER\Software\Pepsoft\WXF32\Reg
Tools     : Softice 4.0, Brain
Cracker   : LW2000
Tutorial  : No.24
http://www.pepsoft.com/

---
DISCLAIMER
For educational purposes only! I hold no responsibility for any misuse of this material!
---

1. We go to the registration screen and enter the details.

   Name: LW2000
   Key : 1230099

   *BOOM* 'Sorry... Invalid Registration Password'
   What the hell is this? Seems that we found a bug... ;) Let's fix it.

2. Press [ctrl]+[d] and set a breakpoint on hmemcpy:

   bpx hmemcpy

   Press F5 to return to the app, then try to register again.
   *BOOM* SoftICE pops up. Press F11 to return to the caller, then F12 about six
   times; you should then be inside the WinXFiles code itself.
   (hmemcpy is a 16-bit KERNEL routine, so this trick only works on Windows 9x;
   on NT you would break on GetWindowTextA / GetDlgItemTextA instead.)

3. Now step with F10 over all the rets until you see this:

   :00480DB1 8B85D4FBFFFF mov eax, dword ptr [ebp+FFFFFBD4]
   :00480DB7 8D95D8FBFFFF lea edx, dword ptr [ebp+FFFFFBD8]
   :00480DBD E8E255F8FF   call 004063A4
   :00480DC2 8B95D8FBFFFF mov edx, dword ptr [ebp+FFFFFBD8]
   :00480DC8 8BC3         mov eax, ebx
   :00480DCA E85943F9FF   call 00415128
   :00480DCF 8D95D4FBFFFF lea edx, dword ptr [ebp+FFFFFBD4]
   :00480DD5 8B45FC       mov eax, dword ptr [ebp-04]
   :00480DD8 8B80B8010000 mov eax, dword ptr [eax+000001B8]
   :00480DDE E81543F9FF   call 004150F8

4. Step with F10 and take a look at the registers.

   :00481071 0FB63B         movzx edi, byte ptr [ebx]
   :00481074 0FBFC7         movsx eax, di
   :00481077 B917000000     mov ecx, 00000017
   :0048107C 99             cdq
   :0048107D F7F9           idiv ecx
   :0048107F 8A9415F9FCFFFF mov dl, byte ptr [ebp+edx-00000307]
   :00481086 8D85D0FBFFFF   lea eax, dword ptr [ebp+FFFFFBD0]
   :0048108C 885001         mov byte ptr [eax+01], dl
   :0048108F C60001         mov byte ptr [eax], 01
   :00481092 8D95D0FBFFFF   lea edx, dword ptr [ebp+FFFFFBD0]
   :00481098 8D85F8FDFFFF   lea eax, dword ptr [ebp+FFFFFDF8]
   :0048109E E8191AF8FF     call 00402ABC
   :004810A3 43             inc ebx
   :004810A4 4E             dec esi
   :004810A5 75CA           jne 00481071

5. OK, by stepping we see a loop. Each pass takes one byte of the name (ebx
   walks through it, esi counts down the remaining length), divides it by 17h
   (23) and uses the remainder in edx as an index into a table at [ebp-307h].
   So dl is filled with one letter per pass, which is wrapped into a one-character
   string (length byte 01 followed by the letter) and appended to the string
   at [ebp-208h].

   Let's trace a bit more.

   :004810A7 8D95D4FBFFFF lea edx, dword ptr [ebp+FFFFFBD4]
   :004810AD 8B45FC       mov eax, dword ptr [ebp-04]
   :004810B0 8B80BC010000 mov eax, dword ptr [eax+000001BC]
   :004810B6 E83D40F9FF   call 004150F8
   :004810BB 8B85D4FBFFFF mov eax, dword ptr [ebp+FFFFFBD4]
   :004810C1 50           push eax
   :004810C2 8D85D8FBFFFF lea eax, dword ptr [ebp+FFFFFBD8]
   :004810C8 8D95F8FDFFFF lea edx, dword ptr [ebp+FFFFFDF8]   <-- d edx = our serial
   :004810CE E80127F8FF   call 004037D4
   :004810D3 8B95D8FBFFFF mov edx, dword ptr [ebp+FFFFFBD8]
   :004810D9 58           pop eax

6. OK, write down our serial and let's try it =)

   'Congratulation! You are a registered user.'

   FINISHED! Easy, isn't it?

cu
LW2000

Any comments? Mail me: LW2000@gmx.net !!!

----
tKC, thanks for your tutorials! I started with tutorial 1 and I still read them...
they are the best!
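The loop shown in step 4 (00481071..004810A5) is the whole serial scheme: one table lookup per byte of the name, indexed by that byte mod 17h. Below is an added re-implementation of that loop in Python; it is not code from the tutorial or from WinXFiles. The 23-byte table the program keeps at [ebp-307h] is never dumped in the tutorial, so TABLE here is a constructed placeholder, and the assumption that call 00402ABC appends the one-character string to the string at [ebp-208h] is mine, taken from the surrounding instructions. Replace TABLE with the real bytes (d ebp-307 in SoftICE) and the function becomes a keygen for this routine.

```python
# Added example: re-implementation of the serial loop observed at 00481071-004810A5.
# NOT the tutorial's or the program's own code. TABLE is a constructed stand-in for
# the 23-byte table at [ebp-307h], which the tutorial never dumps.

MODULUS = 0x17  # mov ecx, 00000017 ; idiv ecx  -> remainder lands in edx

# Constructed placeholder: exactly one entry per possible remainder 0..22.
TABLE = b"ABCDEFGHJKLMNPQRSTUVWXY"


def table_index(byte: int) -> int:
    """Index the loop computes for one name byte.

    movzx edi, byte ptr [ebx]   -> edi = 0..255
    movsx eax, di               -> di holds at most 0xFF, so the sign bit of the
                                   16-bit value is clear and eax == byte (never negative)
    cdq ; idiv ecx              -> signed division, but with a non-negative dividend
                                   the remainder is the plain modulus
    """
    if not 0 <= byte <= 0xFF:
        raise ValueError("one byte expected")
    return byte % MODULUS


def one_char_string(ch: int) -> bytes:
    """The 2-byte Pascal-style ShortString built before each append:
    mov byte ptr [eax], 01 ; mov byte ptr [eax+01], dl"""
    return bytes([1, ch])


def serial_for(name: str, table: bytes = TABLE) -> str:
    """Serial the observed loop produces for `name` (one table char per name byte).

    inc ebx / dec esi / jne 00481071: ebx walks the name, esi is the remaining length.
    """
    if len(table) != MODULUS:
        raise ValueError(f"table must have exactly {MODULUS} entries")
    serial = bytearray()                      # the string at [ebp-208h]
    for byte in name.encode("latin-1"):       # byte-wise, like the 8-bit loop
        dl = table[table_index(byte)]         # mov dl, byte ptr [ebp+edx-307h]
        chunk = one_char_string(dl)           # length byte 01 + the letter
        serial += chunk[1:1 + chunk[0]]       # call 00402ABC (assumed: append)
    return serial.decode("latin-1")


if __name__ == "__main__":
    print(serial_for("LW2000"))   # HUECCC with the placeholder table
```

With the placeholder table the name LW2000 yields HUECCC; the real serial depends entirely on the real table bytes, which is why the tutorial simply reads the finished string with d edx instead of reversing the table.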