Name     : WinBoost 2000 Gold
Version  : generic
Editor   : Magellass
s/n saved: win.ini
Tools    : SoftICE, Brain
Cracker  : LW2000
Tutorial : No.33
www.magellass.com

---
DISCLAIMER
For educational purposes only! I hold no responsibility for any misuse of this material!
---

1. OK, boys and girls, I felt quite embarrassed about the easy way I cracked the proggy in my tut 32! So, mhmm... I thought, let's do it the hard way ;)

Enter the following details:

  User Name:                LW2000
  WB98 Registration Code:   1239900
  WB2000 Registration Code: 1230099

I always try to break on GetDlgItemTextA and GetWindowTextA first; you should do the same, it saves a lot of time =) The program has to read the edit controls through one of those two before it can check anything, so the breakpoint fires right before the validation code.

Try to validate the code. *BOOM* SoftICE pops up. We have to hit F12 about 13 times (each F12 returns from the current call, so we climb back out of the library code into the program itself) until we get a useful piece of code:

  .004D33D9: 8B80C8020000   mov eax,[eax][0000002C8]
  .004D33DF: E88CB9F5FF     call .00042ED70
  .004D33E4: 8D55F0         lea edx,[ebp][-0010]      <- WB98 code lands in [ebp-10] (used again at .004D343B)
  .004D33E7: 8B45FC         mov eax,[ebp][-0004]
  .004D33EA: 8B80D8020000   mov eax,[eax][0000002D8]
  .004D33F0: E87BB9F5FF     call .00042ED70
  .004D33F5: 8D55EC         lea edx,[ebp][-0014]
  .004D33F8: 8B45FC         mov eax,[ebp][-0004]
  .004D33FB: 8B80CC020000   mov eax,[eax][0000002CC]
  .004D3401: E86AB9F5FF     call .00042ED70
  .004D3406: 8D45F4         lea eax,[ebp][-000C]
  .004D3409: 8B55EC         mov edx,[ebp][-0014]
  .004D340C: E81B07F3FF     call .000403B2C
  .004D3411: 8B55F8         mov edx,[ebp][-0008]
  .004D3414: 8B45FC         mov eax,[ebp][-0004]
  .004D3417: E8F8FCFFFF     call .0004D3114
  .004D341C: 8D55E0         lea edx,[ebp][-0020]
  .004D341F: E83C4DF3FF     call .000408160
  .004D3424: 33C0           xor eax,eax
  .004D3426: 5A             pop edx
  .004D3427: 59             pop ecx
  .004D3428: 59             pop ecx
  .004D3429: 648910         mov fs:[eax],edx
  .004D342C: 686E3F4D00     push 0004D3F6E
  .004D3431: 837DF000       cmp d,[ebp][-0010],000
  .004D3435: 0F84F7090000   je .0004D3E32

2. All of that is noise for us: we don't want to write a keygen, we only want one working serial. The interesting part comes right after it:
  .004D343B: 8B45F0         mov eax,[ebp][-0010]      <- WB98 key (our input)
  .004D343E: 8B55E0         mov edx,[ebp][-0020]      <- key it is compared against
  .004D3441: E8DA09F3FF     call .000403E20           <- string compare
  .004D3446: 0F851F010000   jne .0004D356B

There are about 17 more compares like this one after it. The key compared here will not get you registered: these are keys Magellass has found published on the web, so a match means the key is blacklisted.

3. Mhmm... great! So just step until you are at .004D3441, type 'd edx', write down the key you see there, and set a bpx on it. OK, let's enter that new key as the WB98 code... Back in SoftICE we step through the next piece of code:

  .004D35DB: 8B45EC         mov eax,[ebp][-0014]      <-- WB2K key (our input)
  .004D35DE: E82D07F3FF     call .000403D10           <-- length
  .004D35E3: 83F814         cmp eax,014
  .004D35E6: 0F8E5A030000   jle .0004D3946

4. Mhmm... careful with the direction here: cmp eax,14h followed by jle jumps when the length is 14h (= 20) or less, not when it is 20 or more. Our seven-character code is well under that, so the jump is taken; let it jump ...

  .004D3946: 8D45E8         lea eax,[ebp][-0018]
  .004D3949: 8B55EC         mov edx,[ebp][-0014]
  .004D394C: E8DB01F3FF     call .000403B2C
  .004D3951: 8B45EC         mov eax,[ebp][-0014]
  .004D3954: E8B703F3FF     call .000403D10
  .004D3959: 83F817         cmp eax,017
  .004D395C: 0F8EEA030000   jle .0004D3D4C

5. The next check, this time against 17h (= 23), again jle, and again taken for our short key. Let it be ... and trace on with F10:

  .004D3D4C: 8D45E4         lea eax,[ebp][-001C]
  .004D3D4F: 8B55EC         mov edx,[ebp][-0014]
  .004D3D52: E8D5FDF2FF     call .000403B2C
  .004D3D57: 33DB           xor ebx,ebx
  .004D3D59: 8D4DDC         lea ecx,[ebp][-0024]
  .004D3D5C: 0FBFF3         movsx esi,bx
  .004D3D5F: 8BD6           mov edx,esi
  .004D3D61: A110684D00     mov eax,[0004D6810]
  .004D3D66: 8B00           mov eax,[eax]
  .004D3D68: 8B8054020000   mov eax,[eax][000000254]
  .004D3D6E: 8B4024         mov eax,[eax][00024]
  .004D3D71: 8B38           mov edi,[eax]
  .004D3D73: FF570C         call d,[edi][0000C]       <-- indirect call that fills [ebp-24]
  .004D3D76: 8B55DC         mov edx,[ebp][-0024]      <-- our key
  .004D3D79: 8B45E4         mov eax,[ebp][-001C]      <-- the key it expects
  .004D3D7C: E89F00F3FF     call .000403E20           <-- compare
  .004D3D81: 7427           je .0004D3DAA
  .004D3D83: 8D4DDC         lea ecx,[ebp][-0024]

6. *g* 'd eax' at the compare ... so just write the key down. Let's try it! Congratulations! You are a registered user. FINISH! Easy, isn't it?

cu LW2000

Any comments?
Mail me: LW2000@gmx.net !!!

----
tKC, thanks for your tutorials! I started with tutorial 1 and I still read them... they are the best!
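The two check patterns traced above, modelled in C as an added example (this is not WinBoost's or Magellass's code, and the real scheme is not on the page): a run of blacklist compares on the WB98 key, as at .004D3441, and an expected-key build followed by a plain string compare on the WB2000 key, as at .004D3D7C. Compile it and break on either strcmp in a debugger and the operand dumps exactly the way 'd edx' / 'd eax' did in SoftICE, because the key being tested against is plaintext in memory at that moment. For contrast the last function shows the one case where that trick fails: a fixed key that ships only as a digest, compared in constant time. All keys, the blacklist, the FNV-1a derivation and the WB2K- prefix are invented for the illustration.

```c
/* Added example, not WinBoost's or Magellass's code: a mock of the two
 * check patterns seen in the listing (blacklist compares on the WB98 key,
 * expected-key build + string compare on the WB2000 key), plus a digest
 * compare for a fixed key. Every key, threshold and derivation below is
 * invented for illustration; the real scheme is not on the page. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical WB98 blacklist of keys "found on the web". A match means
 * reject, which is what the run of compare/jne pairs from .004D3441 on
 * does: equal falls through to the failure path, not-equal moves on. */
static const char *const WB98_BLACKLIST[] = {
    "WB98-0000-LEAK", "WB98-1111-LEAK", "WB98-2222-LEAK",
};

/* Returns 1 if the key is not blacklisted, 0 if it is. */
int check_wb98(const char *key)
{
    size_t i;
    for (i = 0; i < sizeof WB98_BLACKLIST / sizeof WB98_BLACKLIST[0]; i++) {
        /* At this compare the key being tested against is plaintext in
         * memory: it is the operand `d edx` dumps at .004D3441. */
        if (strcmp(key, WB98_BLACKLIST[i]) == 0)
            return 0;
    }
    return 1;
}

/* Hypothetical derivation of the expected WB2000 key from the user name
 * (FNV-1a 32 as a stand-in for whatever the program really computes). */
void derive_wb2k_key(const char *user, char out[16])
{
    uint32_t h = 0x811C9DC5u;
    for (; *user; user++) {
        h ^= (unsigned char)*user;
        h *= 0x01000193u;
    }
    snprintf(out, 16, "WB2K-%08X", h);   /* 13 characters + NUL */
}

/* The pattern at .004D3D76..3D7C: build the expected key into a stack
 * buffer, then strcmp it with the user's input. Break on the compare and
 * dump `expected` and you have a valid key, no keygen needed. */
int check_wb2k_plaintext(const char *user, const char *key)
{
    char expected[16];
    derive_wb2k_key(user, expected);
    return strcmp(key, expected) == 0;
}

/* A fixed (product-wide) key need not be present at all: ship only its
 * digest and compare digests. Dumping the operand at the compare then
 * yields the digest, not the key. FNV-1a 64 is a stand-in; use SHA-256
 * in real code. This does nothing against simply patching the jump. */
uint64_t key_digest(const char *key)
{
    uint64_t h = 0xCBF29CE484222325ull;
    for (; *key; key++) {
        h ^= (unsigned char)*key;
        h *= 0x100000001B3ull;
    }
    return h;
}

/* Constant-time equality: fold every differing bit down into bit 0 so
 * the comparison does not early-out on the first mismatching byte. */
static int ct_equal64(uint64_t a, uint64_t b)
{
    uint64_t d = a ^ b;
    d |= d >> 32; d |= d >> 16; d |= d >> 8;
    d |= d >> 4;  d |= d >> 2;  d |= d >> 1;
    return (int)((d & 1) ^ 1);
}

/* stored_digest would be a precomputed constant in a real build. */
int check_fixed_key(const char *key, uint64_t stored_digest)
{
    return ct_equal64(key_digest(key), stored_digest);
}

char g_key[16];   /* scratch buffer for the demo below */

int main(void)
{
    derive_wb2k_key("LW2000", g_key);
    printf("WB98 code 1239900 blacklisted? %s\n", check_wb98("1239900") ? "no" : "yes");
    printf("expected WB2000 key for LW2000: %s\n", g_key);
    printf("plaintext check, wrong key 1230099: %d\n", check_wb2k_plaintext("LW2000", "1230099"));
    printf("plaintext check, derived key:       %d\n", check_wb2k_plaintext("LW2000", g_key));
    printf("digest check, fixed key:            %d\n",
           check_fixed_key("WB2K-FIXED", key_digest("WB2K-FIXED")));
    return 0;
}
```

Build with `cc -O0 -g serialmock.c`, break on `strcmp` (or on `check_wb2k_plaintext` and step to the call), and inspect the second argument: that register is the modern 'd eax'. Note that per-user keys derived inside the program cannot be protected by hashing alone, because the derivation routine is itself the keygen; only a signature verified against a public key keeps the secret out of the binary.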