Flatline
Questions 3-5
Fri Nov 20 01:11:25 1998

I haven't seen many responses for Questions 3-5. Does that mean it was real easy or that most people got stuck? Here's how I did it anyway.

I ran Uninstall Manager, clicked the "Register" button and entered a registration name and registration key, in my case:

Registration name = flatline
Registration key = 11223344

OK, now before pressing the "OK" button, I entered SoftICE (Ctrl-D) and set the breakpoint

bpx hmemcpy

Ctrl-D once more to return to the program and then disable the breakpoint

bd 0

We are now in the kernel, as can be seen by the title of the code window. To get back to Uninstall Manager's code you need to press F12 (p ret) seven times. Each time you press F12 you will be able to see the code you are passing through. I have listed the titles of the code window that I saw as I went along:

Kernel
Prot16
User!Bozoslivehere
User!Bozoslivehere
User!Waitmessage
User!Dispatchmessage
User!Thkconnectiondatals

After the final F12 the bottom of the code window showed UNISNMAN!CODE.

OK, the code where I ended up had lots of POPs followed by a RET, so I guessed that I was at the end of a call somewhere. I stepped through the code (F10) and found myself at the end of another call, and so on. I kept going until I came to the first compare instruction, which was followed by a conditional jump (you can also get there, I discovered, by hitting F12 another 5 times).

0045bf93 cmp dword ptr [ebp-0c],00

If at this point we find where ebp-0c is pointing, it is 010da898, and what is at this address?

d 010da898

It is the registration name we entered! OK, so we are in the right area. This code, I believe, is checking to see if we entered a name; if not, then the program runs as if we are still in shareware mode. Further down we see another compare:

0045bfaa cmp dword ptr [ebp-10],00

Hmm... looks a lot like the last one. What is it pointing to? This time it is the registration key, and it is checking that a value has been entered.

As an aside, if you scan up and down in the data window around where the program stores our reg name and key, you will also see some of the strings from the nag screen.

I then kept following the code until I came across the following:

:0045C02A mov eax, dword ptr [ebp-04]
:0045C02D call 0045B918
:0045C032 cmp al, 01
:0045C034 jne 0045C28B
:0045C03A mov dl, 01
:0045C03C mov eax, dword ptr [0043C3E0]
:0045C041 call 0043C574

The cmp al,01 after the call, followed by a conditional jump, looks very suspicious. I confirmed my suspicions by tracing into the call (F8) and then stepping through the code to see what was happening.

Jeff has already pointed out that patching the jump after the compare will make the program think it is registered. I also tried to trace into the call and patch it so that the compare would be correct each time. This can be done by changing:

0045B9C0 jnz 0045B9C6

to

jmp 0045B9C2

Much better than NOPping, I think. Anyway, you can now enter any reg name and key and the program will write that name into the registry (in code, of course) and the program will be regged. The only problem is that if you leave them blank, the program misses this part of the code and you are still in shareware mode (remember the comparisons above?).

Well, I hope this was useful to someone, and I look forward to the next challenge. Thanks Sandman, it has been a good learning exercise! Perhaps when you summarise the projects it would be good to put all the questions up front; that way latecomers can try the exercises before they see some of the solutions.
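The patch the post describes (turning "jnz 0045B9C6" at 0045B9C0 into "jmp 0045B9C2") is a two-byte change in the file on disk once you know where that virtual address lives. Below is an added example, not code from the post or from Uninstall Manager, that does the whole job: it walks the PE section table to map a virtual address to a file offset, checks that the byte there really is a short conditional jump (opcodes 0x70-0x7F, Jcc rel8), and rewrites it as an unconditional short jmp (0xEB rel8) with a freshly computed displacement. It assumes the original jnz was the short (2-byte) form, which the addresses in the post are consistent with (0045B9C6 - 0045B9C2 = 4, i.e. bytes 75 04); a near jnz (0F 85 rel32) would need a different patch. The PE used in the test is constructed here and is not the real program.

```python
"""Patch a short Jcc in a PE32 file to an unconditional short jmp.

Added example for the jnz -> jmp patch described in the post. The PE builder
below produces a constructed, minimal image for testing; it is not the real
Uninstall Manager binary.
"""
import struct

JCC_SHORT = range(0x70, 0x80)   # 0x70..0x7F: Jcc rel8
JMP_SHORT = 0xEB                # jmp rel8


def va_to_file_offset(pe: bytes, va: int) -> int:
    """Map a virtual address to its offset in the file via the section table (PE32 only)."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    file_hdr = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, file_hdr + 2)
    opt_size, = struct.unpack_from("<H", pe, file_hdr + 16)
    opt_hdr = file_hdr + 20
    magic, = struct.unpack_from("<H", pe, opt_hdr)
    if magic != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base, = struct.unpack_from("<I", pe, opt_hdr + 28)
    rva = va - image_base
    sections = opt_hdr + opt_size
    for i in range(num_sections):
        hdr = sections + 40 * i
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, hdr + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            off = rva - vaddr
            if off >= rawsize:
                raise ValueError("address is in the uninitialised tail of the section")
            return rawptr + off
    raise ValueError(f"VA {va:#x} is not inside any section")


def encode_short_jmp(insn_va: int, target_va: int) -> bytes:
    """Encode 'jmp target' as EB rel8; rel8 is relative to the end of the 2-byte instruction."""
    rel = target_va - (insn_va + 2)
    if not -128 <= rel <= 127:
        raise ValueError(f"target {target_va:#x} is out of rel8 range from {insn_va:#x}")
    return bytes([JMP_SHORT, rel & 0xFF])


def patch_jcc_to_jmp(pe: bytes, insn_va: int, target_va: int) -> bytes:
    """Return a copy of `pe` with the short Jcc at insn_va replaced by 'jmp target_va'."""
    off = va_to_file_offset(pe, insn_va)
    opcode = pe[off]
    if opcode not in JCC_SHORT:
        raise ValueError(f"byte at {insn_va:#x} is {opcode:#04x}, not a short Jcc")
    patched = bytearray(pe)
    patched[off:off + 2] = encode_short_jmp(insn_va, target_va)
    return bytes(patched)


def build_test_pe(image_base: int, code_va: int, code: bytes) -> bytes:
    """Constructed minimal PE32 with one .text section holding `code` (test fixture only)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, 1 section, SizeOfOptionalHeader=0xE0, Characteristics=EXECUTABLE|32BIT
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)      # ImageBase
    raw_ptr = 0x200
    section = struct.pack("<8sIIIIIIHHI", b".text", len(code), code_va - image_base,
                          len(code), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + section
    return headers.ljust(raw_ptr, b"\0") + code


if __name__ == "__main__":
    # Constructed code at 0045B9C0: "75 04" = jnz 0045B9C6, followed by NOPs.
    pe = build_test_pe(0x400000, 0x45B9C0, b"\x75\x04" + b"\x90" * 6)
    patched = patch_jcc_to_jmp(pe, 0x45B9C0, 0x45B9C2)
    off = va_to_file_offset(patched, 0x45B9C0)
    print(f"file offset {off:#x}: {pe[off:off+2].hex()} -> {patched[off:off+2].hex()}")
```

Checking the opcode before writing matters: SoftICE addresses come from memory, and if the mapping to the file is off by even a byte, a blind two-byte write lands in the middle of another instruction. The displacement is recomputed rather than copied because the new target is different; here it is the next instruction, so the encoded jump is EB 00.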