Name    : Offline Explorer
Version : 1.2
Editor  : Metaproducts (http://www.metaproducts.com)
Target  : OE.exe
Tools   : W32Dasm, GetTyp, Procdump 1.60, Hiew, Brain
Cracker : LW2000
Tutorial: No. 44

---
DISCLAIMER
For educational purposes only! I take no responsibility for any misuse of this material!
---

1. OK, let's try to register.

   Registered User:  LW2000
   Registration Key: 1230099

   *BOOM* "Sorry, registration information is invalid". Seems we have found a bug... ;) Let's fix it.

2. First check the exe with GetTyp for an exe-packer (I always do this first). AHA! GetTyp has found "ASPack 1.083", so let's unpack it =) Load Procdump, choose Unpack and select our packer. When Procdump is finished, load the new unpacked file in W32Dasm. Click on the String Data References (SDR) button, find our string and double-click it to land here:

   :004B7827 8B45F4                  mov eax, dword ptr [ebp-0C]
   :004B782A E8C5C7F4FF              call 00403FF4
   :004B782F 8BC8                    mov ecx, eax

   * Possible StringData Ref from Code Obj ->"Sorry, registration information"
                                           ->"is invalid."
                                     |
   :004B7831 BA90784B00              mov edx, 004B7890
   :004B7836 A1F84C4D00              mov eax, dword ptr [004D4CF8]
   :004B783B 8B00                    mov eax, dword ptr [eax]
   :004B783D E81A7EF9FF              call 0044F65C

3. OK, this looks fine, but scroll up to see where we came from. W32Dasm marks the jump that brought us into this block:

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:004B771B(C)                     <<-- here we go
   |
   :004B7782 6A10                    push 00000010
   :004B7784 8D4DF0                  lea ecx, dword ptr [ebp-10]
   :004B7787 A1FC4A4D00              mov eax, dword ptr [004D4AFC]
   :004B778C 8B00                    mov eax, dword ptr [eax]

   We go to 004B771B:

   :004B7714 E8F7B00000              call 004C2810                   <<-- check routine
   :004B7719 84C0                    test al, al                     <<-- tests AL
   :004B771B 7565                    jne 004B7782                    <<-- check
   :004B771D A1FC4A4D00              mov eax, dword ptr [004D4AFC]
   :004B7722 8B00                    mov eax, dword ptr [eax]
   :004B7724 C680C005000001          mov byte ptr [eax+000005C0], 01

4. So what do we do now? Change the jne to a je? NO! That is a poor fix, because most programs check the serial more than once, and inverting this one jump only covers this one caller. Look at what the test actually decides on: the routine at 004C2810 returns its verdict in AL, and test al, al / jne acts on that value. If AL=1 the check is passed, otherwise we fail. So the clean fix is to make the check routine itself return AL=1 every time it is called.
   Double-click the call to go into the routine and note the file offset W32Dasm shows for it (@Offset C1C10). Open the unpacked file with Hiew, switch to decode mode (Enter toggles text/hex/decode), press F5 and go to our offset:

   :004C2810 55                      push ebp
   :004C2811 8BEC                    mov ebp, esp
   :004C2813 83C4F0                  add esp, FFFFFFF0
   :004C2816 53                      push ebx
   :004C2817 33DB                    xor ebx, ebx
   :004C2819 895DF0                  mov dword ptr [ebp-10], ebx

   Press F3 to edit and F2 to enter ASM commands. Now enter:

   mov al, 1   [Enter]
   ret         [Enter]
   [Esc]

   Save your work (F9) and quit. The three bytes B0 01 C3 overwrite exactly push ebp / mov ebp, esp; the rest of the old prologue is now unreachable. A plain ret assumes the routine does not pop any stack arguments itself; if a check routine ended in ret N, you would enter the same ret N here. Now run the patched (unpacked) file and try again to register: "Congratulations! You are a registered user." FINISH! Easy, isn't it?

cu LW2000

Any comments? Mail me LW2000@gmx.net !!!

----
tKC, thanks for your tutorials! I started with tutorial 1 and I still read them... they are the best!
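The same patch done from a script, as an added worked example that is not part of LW2000's tutorial. It reproduces the Hiew edit programmatically: map the routine's virtual address to a raw file offset through the PE section table (the tutorial's 004C2810 -> C1C10 step), verify that the expected prologue bytes are really at that offset (a wrong address or a still-packed file then fails loudly instead of being silently corrupted), and only then write mov al, 1 / ret. Assumptions: a 32-bit PE (PE32, magic 0x10B), a routine that returns its verdict in AL as the tutorial describes, and the prologue 55 8B EC 83 C4 F0 shown in the listing. The sample PE built by build_sample_pe is constructed for the demo and is not OE.exe; its function address 0x00402810 and section layout are made up to give the same 0xC00 RVA/offset delta as the tutorial.

```python
"""Patch a PE32 check routine to 'mov al, 1 ; ret' with prologue verification.

Added example, not code from the tutorial. Assumes PE32, a routine that
reports its result in AL, and the prologue bytes shown in the listing.
"""
import struct

PATCH = bytes([0xB0, 0x01, 0xC3])              # mov al, 1 ; ret
EXPECTED_PROLOGUE = bytes([0x55, 0x8B, 0xEC,   # push ebp ; mov ebp, esp
                           0x83, 0xC4, 0xF0])  # add esp, -10


def va_to_file_offset(pe: bytes, va: int) -> int:
    """Translate a virtual address into a raw file offset via the PE32 section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    rva = va - image_base
    sections = opt + opt_size
    for i in range(num_sections):
        hdr = sections + i * 40
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return raw_ptr + (rva - vaddr)
    raise ValueError(f"VA {va:#010x} is not inside any section")


def prologue_matches(pe: bytes, va: int, expected: bytes = EXPECTED_PROLOGUE) -> bool:
    """True if the bytes at `va` are exactly the prologue we intend to overwrite."""
    off = va_to_file_offset(pe, va)
    return pe[off:off + len(expected)] == expected


def patch_check_routine(pe: bytes, va: int, expected: bytes = EXPECTED_PROLOGUE,
                        patch: bytes = PATCH) -> tuple[bytes, int]:
    """Return (patched copy, raw offset written). Refuses to touch the file if
    the prologue does not match, which catches a packed binary or a mistyped VA."""
    off = va_to_file_offset(pe, va)
    found = pe[off:off + len(expected)]
    if found != expected:
        raise ValueError(f"unexpected bytes at offset {off:#x}: {found.hex()} "
                         "(wrong VA, or is the file still packed?)")
    out = bytearray(pe)
    out[off:off + len(patch)] = patch       # 3 bytes replace push ebp / mov ebp, esp
    return bytes(out), off


def build_sample_pe() -> bytes:
    """Constructed stand-in for the unpacked target (not OE.exe): one .text
    section at RVA 0x1000 / raw 0x400, so VA 0x00402810 maps to offset 0x1C10,
    the same 0xC00 delta as the tutorial's 004C2810 -> C1C10."""
    image_base, text_rva, text_raw, text_size = 0x400000, 0x1000, 0x400, 0x2000
    func_va = 0x00402810
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)               # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    sec = struct.pack("<8sIIIIIIHHI", b".text", text_size, text_rva,
                      text_size, text_raw, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    body = bytearray(b"\x90" * text_size)                 # NOP filler, constructed
    at = (func_va - image_base) - text_rva
    body[at:at + len(EXPECTED_PROLOGUE)] = EXPECTED_PROLOGUE
    return headers.ljust(text_raw, b"\0") + bytes(body)


if __name__ == "__main__":
    sample = build_sample_pe()
    patched, off = patch_check_routine(sample, 0x00402810)
    print(f"patched {len(PATCH)} bytes at file offset {off:#x}: {patched[off:off + 3].hex()}")
```

For a real target, read the unpacked dump with open(path, "rb"), call patch_check_routine with the VA W32Dasm showed, and write the returned bytes to a new file; keep the original so a failed prologue check or a second serial check elsewhere can be investigated without re-unpacking.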