Posted by Eternal Bliss on 1/16/2000, 4:54 pm
I am going to describe in quite a bit of detail how I managed to get to a 1-byte patch.
(Lazarus, your faith in me is not wasted. heh...)
At the same time, where to fish out the correct serial is also described.
When I say eax = something, see it using "d eax" (without the quotes) and watch the data window in SICE.
I have commented on the code as I show it. Keep a lookout for Note 1.
I register using "Unregistered" for Name and "Unregistered" for Company.
Then I set a breakpoint on hmemcpy. I break into the program and after a few
F12s, I land at 0042CB33, which means that I was in GetDlgItemTextA.
So, the program uses this API to get the Name. The code below shows the Name, Company and Keycode being retrieved by the program.
* Reference To: USER32.GetDlgItemTextA, Ord:0000h
|
:0042CB2E E8ADEA0500 Call 0048B5E0
Get Name = "Unregistered"
:0042CB33 8D45B0 lea eax, dword ptr [ebp-50]
eax now contains the address which has the Name
:0042CB36 50 push eax
* Possible StringData Ref from Data Obj ->"Name"
|
:0042CB37 68E7394900 push 004939E7
* Possible StringData Ref from Data Obj ->"RegisterInfo"
|
:0042CB3C 68DA394900 push 004939DA
:0042CB41 8B15E68B4A00 mov edx, dword ptr [004A8BE6]
:0042CB47 52 push edx
:0042CB48 E86F71FEFF call 00413CBC
:0042CB4D 83C410 add esp, 00000010
:0042CB50 6A50 push 00000050
:0042CB52 8D4DB0 lea ecx, dword ptr [ebp-50]
:0042CB55 51 push ecx
* Possible Ref to Menu: MenuID_0064, Item: "New Recording... Ctrl+N"
|
* Possible Reference to Dialog: DialogID_0066
|
* Possible Reference to Dialog: DialogID_0066, CONTROL_ID:0066, "00:00:00:000"
|
* Possible Reference to String Resource ID=00102: "Creates a new recording"
|
:0042CB56 6A66 push 00000066
:0042CB58 8B03 mov eax, dword ptr [ebx]
:0042CB5A 8B500C mov edx, dword ptr [eax+0C]
:0042CB5D 52 push edx
* Reference To: USER32.GetDlgItemTextA, Ord:0000h
|
:0042CB5E E87DEA0500 Call 0048B5E0
Get Company = "Unregistered"
:0042CB63 8D4DB0 lea ecx, dword ptr [ebp-50]
ecx now contains the address which has the Company
:0042CB66 51 push ecx
* Possible StringData Ref from Data Obj ->"Company"
|
:0042CB67 68F9394900 push 004939F9
* Possible StringData Ref from Data Obj ->"RegisterInfo"
|
:0042CB6C 68EC394900 push 004939EC
:0042CB71 A1E68B4A00 mov eax, dword ptr [004A8BE6]
:0042CB76 50 push eax
:0042CB77 E84071FEFF call 00413CBC
:0042CB7C 83C410 add esp, 00000010
:0042CB7F 6A50 push 00000050
:0042CB81 8D55B0 lea edx, dword ptr [ebp-50]
:0042CB84 52 push edx
* Possible Reference to Menu: MenuID_0067
|
* Possible Reference to Dialog: DialogID_0067
|
* Possible Reference to Dialog: DialogID_0066, CONTROL_ID:0067, ""
|
* Possible Reference to String Resource ID=00103: "Creates a new multitrack project"
|
:0042CB85 6A67 push 00000067
:0042CB87 8B0B mov ecx, dword ptr [ebx]
:0042CB89 8B410C mov eax, dword ptr [ecx+0C]
:0042CB8C 50 push eax
* Reference To: USER32.GetDlgItemTextA, Ord:0000h
|
:0042CB8D E84EEA0500 Call 0048B5E0
Get fake Key code = "1234567890"
:0042CB92 8D55B0 lea edx, dword ptr [ebp-50]
edx now contains the address which has our fake Keycode
:0042CB95 52 push edx
* Possible StringData Ref from Data Obj ->"Key"
|
:0042CB96 680E3A4900 push 00493A0E
* Possible StringData Ref from Data Obj ->"RegisterInfo"
|
:0042CB9B 68013A4900 push 00493A01
:0042CBA0 8B0DE68B4A00 mov ecx, dword ptr [004A8BE6]
:0042CBA6 51 push ecx
:0042CBA7 E81071FEFF call 00413CBC
:0042CBAC 83C410 add esp, 00000010
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042CB1A(C)
|
:0042CBAF 5B pop ebx
:0042CBB0 8BE5 mov esp, ebp
:0042CBB2 5D pop ebp
:0042CBB3 C3 ret