Phil
More Info
Wed Nov 11 16:19:31 1998


Hey...
In response to 'How I found this', since I don't know much about cracking (actually very, very little) and what exactly to look for, there was some trial and error, a lot of F10's and F8's and a lot of 'd', display of registers, EAX, EBX, EDX... I'm a newbie so there's a lot of luck involved. I don't want to be just lucky and land on the correct point, but with limited experience I'll take what I can get for now. So this is pretty much what I've done.

1) First I set the basic breakpoints - GETDLGITEMTEXT(A), GETWINDOWTEXT(A) to see which one works. I use these breakpoints because, from reading a lot of tutorials, I found that GETDLGITEMTEXT and GETWINDOWTEXT are two common breakpoints used for Windows programs. Something to do with API functions. And these two breakpoints are often used when you are asked to enter a name and serial.

2) I then found out that neither of those two worked. So I then tried HMEMCPY. Why, I don't know; I have no idea what it does or why it works. Like I said before, I have limited knowledge and experience in cracking. However it worked so I used it. Maybe someone could explain to me what exactly HMEMCPY is.

3) Now I'm in Soft-Ice. You press F11 to return to wherever the CALL was called from. Why you do this, again I don't know; it's just what I've read many times in tutorials. And they don't explain why.

You will then be staring at:
CALL kernel!hmemcpy
PUSH word ptr [DI] *this is where you land
......

4) From here on I have no idea what to look for. So I just start fooling around, pressing F10/F8 and following the program, hoping to find something helpful. I do a lot of 'd' EAX, EBX, EDX... to see if I can find my name or the serial number I've entered. I'm probably doing this all wrong and I'm sure I'm not the only one. But what am I supposed to do? After about a full day of trial and error, F10 & F8, I see something that looks interesting. Why I say it's interesting, it's just a gut feeling I got. There's a CALL, and inside there's a loop that takes your name and capitalizes it. To see your name I typed in 'd esi'. Continue on and there's another CALL that looks interesting. In there is another loop that takes your now capitalized name and compares it to 'Silicon Surfer'. Again to see this I type 'd edx' for your name and 'd 0045C3A0' for Silicon's name. Now I know I'm on the right track. I continue on, and with a lot more F10/F8 I find another little loop that takes your name and lowercases it. Now I continue on with F10's and finally find the calculation to determine the real registration key.

5) And about the conditional jump:
cs:ds cmp ebx, eax
jnz 0045b9c6
....
I knew that this was an important jump, cuz there was a compare just before it. The compare was comparing the 'real registration key', stored in EBX, to the fake one you entered, stored in EAX. How I knew that EBX had the real registration key was from the calculation performed above. And I also tried out the real registration key and it worked. How I knew that EAX was my fake registration key: I typed '? eax' and saw the serial number I entered. Now if the real reg. key and fake reg. key don't match, the jump occurs and the program DOESN'T get registered. However if the real reg. key matches the fake reg. key then the jump does not occur and the program GETS REGISTERED.

That's pretty much all I know. I hope that this 'tutorial', if you can call it that, helps out other newbies. If not, sorry... :( Like I said before and I'll say it again, lack of experience.

Trying
Phil...
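An added illustration in C, not code from the post above or from the program Phil was debugging: it shows the shape of a registration check that would produce the sequence he describes (name upper-cased, compared with 'Silicon Surfer', lower-cased, turned into a key, then a single cmp/jnz against the entered key). The key formula and the rejection of the vendor name are assumptions made here; the point for a defender is that the whole decision rests on one conditional jump, which is exactly what single-stepping finds.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Vendor name from the post (seen with 'd 0045C3A0'), upper-cased here so it
 * can be compared with the capitalised name buffer. */
#define VENDOR_NAME_UPPER "SILICON SURFER"

static void to_upper(char *s) { for (; *s; s++) *s = (char)toupper((unsigned char)*s); }
static void to_lower(char *s) { for (; *s; s++) *s = (char)tolower((unsigned char)*s); }

/* Constructed toy key formula: the post only says "a calculation" happens here. */
uint32_t compute_key(const char *name)
{
    char buf[64];
    uint32_t key = 0;
    snprintf(buf, sizeof buf, "%s", name);
    to_lower(buf);                          /* third loop in the post: lowercase the name */
    for (size_t i = 0; buf[i]; i++)
        key = key * 31u + (unsigned char)buf[i];
    return key ^ 0x5A5A5A5Au;
}

/* Returns 1 if the program would consider itself registered, 0 otherwise. */
int check_registration(const char *name, uint32_t entered)
{
    char buf[64];
    snprintf(buf, sizeof buf, "%s", name);
    to_upper(buf);                              /* first loop: what 'd esi' showed */
    if (strcmp(buf, VENDOR_NAME_UPPER) == 0)    /* second loop: compare with the vendor name;
                                                   treating a match as "refuse" is an assumption */
        return 0;
    uint32_t real = compute_key(name);          /* the value that ended up in EBX in the post */
    /* This is the "cmp ebx, eax / jnz" pair: one compare, one conditional jump.
     * Everything hinges on this branch, so it is a single point of failure. */
    if (real != entered)
        return 0;
    return 1;
}

int main(void)
{
    const char *name = "Phil";
    uint32_t real = compute_key(name);
    printf("%s: correct key -> %d, wrong key -> %d\n",
           name, check_registration(name, real), check_registration(name, real + 1));
    return 0;
}
```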