question 4-6
by the snake, Tue Dec 8 05:32:37 1998

hello to all crackers,

4- where in the registry the 4D gets the handle:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004039EC(C)
|
:004039F5 8D442408             lea eax, dword ptr [esp+08]

* Possible StringData Ref from Data Obj ->"4D"
|
:004039F9 8B0DF4C64000         mov ecx, dword ptr [0040C6F4]
:004039FF 8B542404             mov edx, dword ptr [esp+04]
:00403A03 50                   push eax
:00403A04 C744240C00020000     mov [esp+0C], 00000200
:00403A0C 68F8C64000           push 0040C6F8
:00403A11 6A00                 push 00000000
:00403A13 6A00                 push 00000000
:00403A15 51                   push ecx
:00403A16 52                   push edx

at location 004039F9 we have the address of the key "4D".
at location 00403A0C we have the address of our value in the key we created [0040c6f8] (the FF that we were told to put in).

when the program is registered, the handle is stored in the 4D key in hex values with wide format: "74 68 65" etc. the key is stored there too, after a few hex zeros, in ascii format.

when the program checks our new key and doesn't find the right serial code, it is going to show the nag screen where we can enter our handle and serial number.

the main routine for the right serial is here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403B6D(C)
|
:00403AED B903000000           mov ecx, 00000003
:00403AF2 8B45F0               mov eax, dword ptr [ebp-10]
:00403AF5 2BD2                 sub edx, edx
:00403AF7 F7F1                 div ecx
:00403AF9 85D2                 test edx, edx
:00403AFB 7559                 jne 00403B56
:00403AFD 8B45F0               mov eax, dword ptr [ebp-10]
:00403B00 8A80F8C64000         mov al, byte ptr [eax+0040C6F8]
:00403B06 3C7F                 cmp al, 7F
:00403B08 0F8FD1000000         jg 00403BDF
:00403B0E 3C20                 cmp al, 20
:00403B10 0F8CDA000000         jl 00403BF0
:00403B16 6698                 cbw
:00403B18 B102                 mov cl, 02
:00403B1A F6F9                 idiv cl
:00403B1C 0422                 add al, 22
:00403B1E 3C5A                 cmp al, 5A
:00403B20 7E06                 jle 00403B28
:00403B22 3C61                 cmp al, 61
:00403B24 7D02                 jge 00403B28
:00403B26 0406                 add al, 06

---- snip snip ------

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403AFB(C)
|
:00403B56 BFF8C64000           mov edi, 0040C6F8
:00403B5B B9FFFFFFFF           mov ecx, FFFFFFFF
:00403B60 FF45F0               inc [ebp-10]
:00403B63 2BC0                 sub eax, eax
:00403B65 F2                   repnz
:00403B66 AE                   scasb
:00403B67 F7D1                 not ecx
:00403B69 49                   dec ecx
:00403B6A 3B4DF0               cmp ecx, dword ptr [ebp-10]
:00403B6D 0F877AFFFFFF         ja 00403AED

the main loop is from location 00403aed until 00403b60. this is done for each letter of our name.

give a look at the dead list:

:00403B92 E8114D0000           call 004088A8
:00403B97 50                   push eax <-- bpx here !!!!
:00403B98 8D4DEC               lea ecx, dword ptr [ebp-14]
:00403B9B C645FC04             mov [ebp-04], 04

now, if we put a bp in softice at location 00403b97 and type "d eax", we can see the address of the real code. in my case it was: 40 0c 76. remember, it sits backwards, so type: "d 760c40" and here is the code. the real code gets a prefix of "8267-"; the rest can be any alphanumeric value.

in the registry the program adds an entry:
HKLM-SOFTWARE-4DEVELOPERS-RCrawler4D
with these contents in my case: "74 68 65 20 73 6e 61 6b 65 00 00"
which in my case is: t h e   s n a k e

5- what other ways:

in the dead list we see this snippet of code:

:00403E94 6A30                 push 00000030
:00403E96 683CCB4000           push 0040CB3C
:00403E9B 68FCC94000           push 0040C9FC
:00403EA0 50                   push eax

at location 00403e9b there is a push for the "beggar off cracker" message.
the place where the real code remains is at address 00760E34.

as the Sandman told us in some of his essays, there is a method called "THE ECHO METHOD". in simple English, if we know where the code sits, we can change this push to push the right address of the code and show it in the error message.

so what we need is:
load RCrawler in a hex editor, look for: CB400068FCC94000
change to: CB400068340e7600

now, run the prog and enter a fake code for your handle; you will get the right code for it in the error message.

6- get the program registered without the right code:

if we want the program to register without entering the real code, we need to ignore the jump at 00403dd0:
put a bpx 00403dd0 !!!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403DAE(C)
|
:00403DC9 E872FCFFFF           call 00403A40
:00403DCE 85C0                 test eax, eax
:00403DD0 0F84A5000000         je 00403E7B <--- r eip=403dd6 !!!
:00403DD6 8D45E8               lea eax, dword ptr [ebp-18]
:00403DD9 8D4DEC               lea ecx, dword ptr [ebp-14]

and at location 00403e5b we need to jump !!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403E3D(C)
|
:00403E52 837DF000             cmp dword ptr [ebp-10], 00000000
:00403E56 B800000000           mov eax, 00000000
:00403E5B 7406                 je 00403E63 <--- r fl z !!!
:00403E5D 8B45F0               mov eax, dword ptr [ebp-10]
:00403E60 8B4020               mov eax, dword ptr [eax+20]

the program will register itself !!!

sorry for the long post, but that is the only way I can put in detail what I've found.

the snake

Replies:
why does it seat backwards? by peloponeso, Tue Dec 8 16:20
re: why it seats backwards by the snake, Wed Dec 9 00:33
question 4-6 - an addition by the snake, Tue Dec 8 08:20