D0gBytes
My steps to solve Task 3
Fri Dec 18 16:22:05 1998



Hello fellow Crackers.


I first used W32Dasm and searched for some strings that might lead me to some interesting code. The string "Registered" was my first choice. This string is found in two places, only one of which was interesting.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00444B7C(C)
|
:00444B99 C60511A8440001 mov byte ptr [0044A811], 01
:00444BA0 A1589C4400 mov eax, dword ptr [00449C58]
:00444BA5 8B00 mov eax, dword ptr [eax]
:00444BA7 8B8020020000 mov eax, dword ptr [eax+00000220]

* Possible StringData Ref from Code Obj ->"Registered"
|
:00444BAD BA30504400 mov edx, 00445030
:00444BB2 E82D85FDFF call 0041D0E4

The reference for this jump was 00444B7C(C) Shown below.

:00444B71 8B55E4 mov edx, dword ptr [ebp-1C]
:00444B74 8B45F8 mov eax, dword ptr [ebp-08]
:00444B77 E888F0FBFF call 00403C04
:00444B7C 741B je 00444B99<--------------------------------------------Here
:00444B7E A1089D4400 mov eax, dword ptr [00449D08]
:00444B83 8B00 mov eax, dword ptr [eax]
:00444B85 E8625EFEFF call 0042A9EC
:00444B8A 8B55FC mov edx, dword ptr [ebp-04]
:00444B8D 8BC3 mov eax, ebx
:00444B8F E8E4E3FFFF call 00442F78
:00444B94 E9A6000000 jmp 00444C3F

Noping out this jump did not produce the desired result, but changing the condition of the jump registered the program: a change from 752E JNZ to 742E JZ.

I knew that I had found the "Shareware Switch". A good crack, but it did not satisfy the question of Task 3. The jump was changed back to its original JNZ so that I could further pursue Task 3.

Finding nothing else in W32Dasm that produced any promising leads, I started the program and selected the register option at the nag screen. I entered "Pirate Copy" for a name and used 999999999 as the S/N. I did not want to use any info from Tasks 1 & 2, so I did not enter the known S/N for the Pirate Copy name. I set my breakpoint on HMEMCPY because I am lazy. I F12ed back to where I saw I was in the code for CYT. I F10ed from here while watching EAX. Within a few F10s I saw my false S/N of 999999999. Right below that I also saw the correct S/N for the name "Pirate Copy". I knew I had just passed through the correct S/N generating code and was directly in front of the compare code. Just below was the next jump that made that comparison. Noping out this jump produced the correct results for Task 3. Although I knew the correct S/N when I saw it in EAX, I am sure that had I not known it to be correct from Task 1, I would have had a strong suspicion and tried it as a S/N.

I noped out the jump at :0043FA09 with a hex editor and found that I had satisfied Task 3.

:0043F9FB E8B4D6FDFF call 0041D0B4
:0043FA00 8B55F8 mov edx, dword ptr [ebp-08]
:0043FA03 58 pop eax
:0043FA04 E8FB41FCFF call 00403C04
:0043FA09 752E jne 0043FA39<------Noping this line gives the correct answer for Task 3
:0043FA0B A1209B4400 mov eax, dword ptr [00449B20]
:0043FA10 8B00 mov eax, dword ptr [eax]
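To check the jump targets in both W32Dasm listings above, here is an added example (my own code, not from D0gBytes's post and not from W32Dasm) that decodes the two quoted byte sequences as x86 short conditional jumps: one opcode byte in the range 0x70..0x7F followed by a signed 8-bit displacement measured from the end of the 2-byte instruction. The addresses and bytes are copied from the listings; the opcode table is the standard x86 Jcc rel8 encoding. Note that W32Dasm prints `je`/`jne` where the post writes JZ/JNZ; they are the same instructions.

```python
# Added example: decode the Jcc rel8 instructions quoted in the two listings
# and recompute their targets, as a check on the disassembly. Not part of the post.

# Opcode byte -> mnemonic for the 8-bit-displacement Jcc family (0x70..0x7F).
# Each even/odd pair (e.g. 0x74 je / 0x75 jne) tests the same flag with the
# condition inverted; only the lowest bit of the opcode differs.
JCC_SHORT = {
    0x70: "jo", 0x71: "jno", 0x72: "jb", 0x73: "jae",
    0x74: "je", 0x75: "jne", 0x76: "jbe", 0x77: "ja",
    0x78: "js", 0x79: "jns", 0x7A: "jp", 0x7B: "jnp",
    0x7C: "jl", 0x7D: "jge", 0x7E: "jle", 0x7F: "jg",
}


def decode_short_jcc(address: int, code: bytes):
    """Decode a 2-byte Jcc rel8 located at `address`.

    Returns (mnemonic, target_address). Raises ValueError if the bytes
    are not a short conditional jump.
    """
    if len(code) < 2 or code[0] not in JCC_SHORT:
        raise ValueError("not a short conditional jump: %s" % code.hex())
    # The displacement is a signed byte, relative to the address of the
    # instruction that follows (i.e. address + 2).
    disp = int.from_bytes(code[1:2], "little", signed=True)
    target = (address + 2 + disp) & 0xFFFFFFFF
    return JCC_SHORT[code[0]], target


def format_line(address: int, code: bytes) -> str:
    """Render one instruction in the same ':ADDR BYTES mnem TARGET' shape W32Dasm uses."""
    mnem, target = decode_short_jcc(address, code)
    return ":%08X %s %s %08X" % (address, code.hex().upper(), mnem, target)


# The two conditional jumps from the listings in the post (address, bytes).
LISTING = [
    (0x00444B7C, bytes.fromhex("741B")),   # first listing, the "Shareware Switch"
    (0x0043FA09, bytes.fromhex("752E")),   # second listing, the S/N compare jump
]

if __name__ == "__main__":
    for addr, code in LISTING:
        print(format_line(addr, code))
```

Running it reproduces `je 00444B99` and `jne 0043FA39`, the targets shown in the listings. Decoding `742E` at the same address gives `je 0043FA39`: the displacement is unchanged and only the condition flips, which is what the post's "752E JNZ to 742E JZ" describes. From a design standpoint this is the caveat: when a registration decision rests on one such branch, the whole check is a single opcode bit, which is why the author can call it a "Shareware Switch".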

Regards,

Bytes