1999
'How to enable the "OK" button'
Win Code Reversing

Program Details
Program Name: winamp221.exe
Program Type: Multimedia utility
Program Location: Here
Program Size: 598kb

Tools used
Softice V3.23 - Win'95 Debugger
W32Dasm V8.93 - Win'95 Disassembler
The author of Winamp v2.21 says:

"Winamp is the ultimate in media playback for 32-bit Windows platforms. This release includes plug-ins for MPG (audio only), MP2, MP3, WAV, MOD, XM, IT, S3M, VOC, CDDA, and MIDI. Winamp also supports third-party input plug-ins, and with them can support SID, VQF, RA, AAC, and more. Check www.winamp.com/plugins for plug-ins that add support for more types. Feel free to visit www.nullsoft.com/ for other Nullsoft projects."
This protection routine checks the reg# while you are typing it; if it is not the right one, the 'OK' button stays disabled.
Usually, when we want to set a bpx in Softice on "GetWindowTextA" or "GetDlgItemTextA", we type in the name/reg#, set the bpx in Softice, and when we click the 'OK' button we find ourselves in Ice.
Here it is going to be even easier :). Thanks m0nSTRO.
The program keeps its settings in the same directory that it runs from, in a file called WINAMP.ini.
After registering, the program keeps its settings and the registration info at c:\windows\winamp.ini, under the key:
RegisteredTo=
Create a dead listing with W32Dasm and you will see that there is no good hint for us in the "string references"; none of them can help us.
After you run winamp.exe and find the registration screen (a right-click on the player leads you to "nullsoft winamp/shareware/enter registration info"), fill in the User Name and Reg# and let's try to break in SI.
Press "ctrl+d" to fire up Softice. Type 'bpx getdlgitemtexta' and then 'x' to leave.
The only button you can push now is 'Cancel', which takes us nowhere, so DON'T.
Instead, add one more digit to the reg# you just typed in... BOOM, we're in SI.
Before we go to see the assembly code, I'll just tell you that the program calls "GetDlgItemTextA" for each character of the name you type in, and generates the reg# as you go: each character is processed and combined with the code calculated from all those typed before it. When you type the digits of the reg#, "GetDlgItemTextA" is used for them too, and after each digit it checks whether the number typed so far is equal to the real reg#. If it is, the 'OK' button is enabled; otherwise it keeps the button disabled and waits for you to keep typing digits.
Okay, here is the code where we break:
:00401F26 FFD6          call esi
:00401F28 6A00          push 00000000               ; we land here!
:00401F2A 6A00          push 00000000
:00401F2C 53            push ebx
:00401F2D 57            push edi

* Reference To: USER32.GetDlgItemInt, Ord:0103h
|
:00401F2E FF1530F34300  call dword ptr [0043F330]
:00401F34 8BF0          mov esi, eax
:00401F36 8D4580        lea eax, dword ptr [ebp-80] ; your name
:00401F39 50            push eax
:00401F3A E8623D0200    call 00425CA1               ; generates the real code
:00401F3F 3BC6          cmp eax, esi                ; eax = real, esi = fake
:00401F41 59            pop ecx
:00401F42 750A          jne 00401F4E                ; if not the right code, jump
:00401F44 807D8000      cmp byte ptr [ebp-80], 00
:00401F48 7404          je 00401F4E
:00401F4A 6A01          push 00000001
:00401F4C EB02          jmp 00401F50
Now keep pressing 'F10' until you land on location 00401F3F: this is the compare between the fake reg# and the real one. Look at the eax register. The value in eax is not a pointer to some location, it is the real reg# itself, in hex. If you type '? eax' now you will see the real reg# to register this multimedia player...
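The weakness the listing exposes is a design one: the program derives the valid reg# from the name (call 00425CA1) and then compares it to what was typed (cmp eax, esi), so the valid value has to exist in a register at the moment of the check. The following Python is an added illustration, not Winamp's code and not the tutorial author's; the generator, the vendor secret, the user name and the toy RSA primes are all constructed for the example. It contrasts that compare-the-derived-code pattern with a check that verifies a signature over the name using only a public key, so that no valid code is ever computed inside the shipped program and watching the compare reveals nothing a debugger can reuse.

```python
"""Added illustration: a 'derive the real code and compare' check versus a
signature check that never holds a valid code. All values are constructed."""
import hashlib

# ---- Weak design: the pattern seen in the listing ---------------------------
# A secret the vendor ships inside the binary (constructed value).
VENDOR_SECRET = b"constructed-vendor-secret"


def derive_code(name: str) -> int:
    """Hypothetical stand-in for the opaque generator (call 00425CA1):
    user name -> 32-bit reg#. Not the real algorithm."""
    digest = hashlib.sha256(VENDOR_SECRET + name.encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big")


def weak_check(name: str, entered: int) -> bool:
    """Mirrors 'cmp eax, esi': the valid code is materialised, then compared."""
    real = derive_code(name)   # like eax in the listing: the real reg#, in the clear
    return real == entered     # anyone watching this compare sees 'real'


# ---- Hardened design: the reg# is a signature over the name ------------------
# Toy textbook RSA with two small primes so the arithmetic is visible.
# Real deployments use a proper signature scheme with 2048-bit keys or more.
TOY_P, TOY_Q = 1000003, 999983   # constructed toy primes
TOY_E = 65537


def toy_keypair():
    """Returns (public_key, private_key) as ((n, e), (n, d))."""
    n = TOY_P * TOY_Q
    phi = (TOY_P - 1) * (TOY_Q - 1)
    d = pow(TOY_E, -1, phi)       # modular inverse (Python 3.8+)
    return (n, TOY_E), (n, d)


def name_digest(name: str, n: int) -> int:
    """Hash of the user name, reduced so it is a valid RSA message (< n)."""
    h = hashlib.sha256(name.encode("utf-8")).digest()
    return int.from_bytes(h[:4], "big") % n


def issue_code(name: str, private_key) -> int:
    """Vendor side only: signs the name. The shipped program never has d."""
    n, d = private_key
    return pow(name_digest(name, n), d, n)


def verify_code(name: str, code: int, public_key) -> bool:
    """Program side: no valid code is computed; only the signature is checked.
    The comparison operand is a hash of the name, which is public anyway."""
    n, e = public_key
    return pow(code, e, n) == name_digest(name, n)


if __name__ == "__main__":
    user = "Tester"   # constructed user name
    print("weak check, right code :", weak_check(user, derive_code(user)))
    print("weak check, wrong code :", weak_check(user, derive_code(user) + 1))
    pub, priv = toy_keypair()
    code = issue_code(user, priv)
    print("signed code for", user, ":", code)
    print("verify, right code     :", verify_code(user, code, pub))
    print("verify, wrong code     :", verify_code(user, code + 1, pub))
    print("verify, other name     :", verify_code("Someone", code, pub))
```

In weak_check the secret needed to mint codes (VENDOR_SECRET plus derive_code) is inside the program, and the derived value is sitting in a local at the compare, exactly the situation at 00401F3F. In verify_code the program only contains the public key; the value it compares against is a hash of the name, and producing a code that passes requires d, which was never shipped.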
REMEMBER, I'm doing my cracks as a hobby and challenge, so please, if you like this utility and want to keep using it, support the author and pay for it.
We didn't have to dig very deep into Winamp's assembly code; all we needed was in the same data window in Softice that we broke into...
My thanks and gratitude go to:
m0nSTRO for the idea of breaking in while typing the reg#.
The Sandman for all he is doing for us newbies.
Rhayader for helping me with Reverse Code Engineering and useful tips.