Surabaja 23 December 1998

Site hosted by Angelfire.com: Build your free website today!

Surabaja 23 December 1998.

@eAsy crAcking for duMmies ...

MERRY XMAS & Happy NEW YEAR ...

[DISCLAIMER]

This simple tutor wont make you to become a GREAT CRACKER, but maybe can add your CRACKING KNOWLEDGE. First let's thanks to HARVESTR for putting my silly tuts in his NICE Page, and remember, if you use some PROGRAM and you like it make sure you BUY it !

TOOLS:

W32DASM 8.x

sOftICE 3.x

TARGET:

WINXFILES 32-BIT v3.5

http://www.PEPSOFT.com

Enough BULLSHIT let's BEGIN

Open W32DASM and Dissamble WINXFILES after doing that go to STRING DATA REFERENCES and find the string that you receive when you entered the wrong code. The message should say : 'INVALID REGISTRATION PASSWORD'

Double Click this STUPID string and you'll see something like this :

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:0046E194(C)
:0046E1CF 6A00 push 00000000 -------------->>>>>>>>>>>>>>Remember the OFFSET (mark in RED)!
:0046E1D1 668B0D64E24600 mov cx, word ptr [0046E264]
:0046E1D8 B202 mov dl, 02
* Possible StringData Ref from Code Obj ->"Invalid Registration Password."

Just scroll it Up ......

:0046E18F E89C57F9FF call 00403930 -------------->>>>>>> remember this OFFSET too !
:0046E194 7539 jne 0046E1CF --------->>>>>>>>>>>> jump to BAD GUY if our Password is wrOng
:0046E196 8B45FC mov eax, dword ptr [ebp-04]
:0046E199 E8FA030000 call 0046E598
:0046E19E 6A00 push 00000000
:0046E1A0 668B0D64E24600 mov cx, word ptr [0046E264]
:0046E1A7 B202 mov dl, 02

* Possible StringData Ref from Code Obj ->"WinXFiles is now registered. Thanks a lot!"

Now this one is interesting ......

What inside the call 00403930 will be like this :

:00403930 53 push ebx
:00403931 56 push esi
:00403932 57 push edi
:00403933 89C6 mov esi, eax ---------->>>>>>>>>>> EAX = Our CODE
:00403935 89D7 mov edi, edx---------->>>>>>>>>>> EDX = REAL CODE
:00403937 39D0 cmp eax, edx---------->>>>>>>>>>> Compare our CODE with the REAL CODE
:00403939 0F848F000000 je 004039CE

After the COMPARE instruction the FLAG REGISTER wiil depend on our CODE if its right then REGISTER FLAG will set to ZERO that mean get out from the CALL and display the BEAUTIFUL MESSAGE, I guess that is very easy to understand.

FAQ

[READER] : How do you know that EAX contain our CODE and EDX contain the REAL one ?

[OCHE] : You fOOl, use sOftICE and set some BREAKPOINTS.

[READER] : What BREAKPOINT ?

[OCHE] : BPX SHOWWINDOW and BPX 0046E18F .

[READER] : I don't understand with the last BREAKPOINT .........

[OCHE] : You remember this call 00403930 ...? look at the OFFSET and TRACE with F8 in sOftICE,

coz that's the last call before the PROGRAM decide that your PASSWORD is wrong or NOT.

[READER] : How do I see the REAL CODE ?Why don't you just write it with this tuts so I can register WINXFILES

quickly ?

[OCHE] : Use D EDX. F@CK YOU if you are just looking for the REAL SERIAL NUMBER

don't read this TUTS go and FIND it SOMEWHERE ELSE !

[READER] : F@CK YOU TOO OCHE !

oche_satriani@start.com.au

ITS OE'97 4397100xxx Corp.