Lord Soth
Questions and Answers for 4-6...
Wed Dec 9 14:33:32 1998


Hi all, hi Sandman.

Well, this time I don't have any kind of hard facts on what is going on in the program.
Lemme tell you what I did.
As we all knew, this program checks the value in the RegKey 4D for our serial, so I made one up and ran the program with PopIce.. hehe oops.. SoftIce.
So, I bpx'd on RegOpenKeyExA, and guess what.
After a bit of tracing and seeing where the program is going, I saw it push the value 0040C6F8 before a call to that API.
So I checked what's there after the call, and it was indeed my reg key.. (1st attempt I used my NOOP string hehe 90909090, 2nd attempt I used 41h, which is the ASCII for A.)
I traced inside what seemed to be a routine that checks this code. I could only figure out a bit of the routine's operation. The 1st thing was that it checks the length of the code and CMPs it with 8, followed by a JAE.. I would think this was done to make certain the code is at least 8 numbers or chars.
Here's a problem tho: we gave a DW value, so in memory that takes 4 bytes, and that jump will never occur, and the RET after it will continue execution as usual, which is not what we want. So how come the program knows if my # is false???
Ok, afterwards, after a few manipulations (again, couldn't figure them out..), I reached this line of code:

00403B00 MOV AL,[EAX+0040C6F8]

(the line address could be different in your case of course..)

That line puts one of the bytes of the DW value into AL. I found this out with a BPR on that area.
Then all sorts of checks are made on it. It is compared to several values that represent the letter Z, the digit 9, etc..
I think this checks that the char is actually a valid one for the protection.
Other than that, I couldn't find anything that checks the number.
I noticed several times that EAX has the value 1, but it was always after API calls to either the MFC dll or MSVCRT (the C runtime lib).
So, I'm stuck :(
1st time this happened to me, but then again, this is the 1st time I'm trying to go deeper than what is needed for the 'crack'.
That's why I joined the forum actually :)
So, any enlightenment??

Maybe I shoulda used a key which is an ASCII of a number???
weird. hehehe

Cya all, hope you had better luck, I'm gonna read what you guys posted now.

Lord Soth