thematrix
April 21st, 2003, 10:39
I am a newbie here.
I tried my first victim, a piece of software named PCmedik. After checking the serial protection with SoftICE, I came to know that the final serial check is done at this address:
0047a570 0F857000000 jne 0047A61D
which I have changed to je 0047A61D.
I even tried to see the serial with "d eax, ebx, ecx, edi, esi", which was in vain.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047A499(C)
|
:0047A508 E8DBD0FDFF call 004575E8
:0047A50D 837DFC00 cmp dword ptr [ebp-04], 00000000
:0047A511 0F843C010000 je 0047A653
:0047A517 8D55F8 lea edx, dword ptr [ebp-08]
:0047A51A 8B8324030000 mov eax, dword ptr [ebx+00000324]
:0047A520 E8C3D0FDFF call 004575E8
:0047A525 837DF800 cmp dword ptr [ebp-08], 00000000
:0047A529 0F8424010000 je 0047A653
:0047A52F 8D55F0 lea edx, dword ptr [ebp-10]
:0047A532 8B8324030000 mov eax, dword ptr [ebx+00000324]
:0047A538 E8ABD0FDFF call 004575E8
:0047A53D 8B45F0 mov eax, dword ptr [ebp-10]
:0047A540 8D55F4 lea edx, dword ptr [ebp-0C]
:0047A543 E8A0DBF8FF call 004080E8
:0047A548 8B45F4 mov eax, dword ptr [ebp-0C]
:0047A54B 50 push eax
:0047A54C 8D55E8 lea edx, dword ptr [ebp-18]
:0047A54F 8B832C030000 mov eax, dword ptr [ebx+0000032C]
:0047A555 E88ED0FDFF call 004575E8
:0047A55A 8B45E8 mov eax, dword ptr [ebp-18]
:0047A55D 8D55EC lea edx, dword ptr [ebp-14]
:0047A560 E883DBF8FF call 004080E8
:0047A565 8B45EC mov eax, dword ptr [ebp-14]
:0047A568 5A pop edx
:0047A569 E8B63D0000 call 0047E324
:0047A56E 3C01 cmp al, 01
:0047A570 0F85A7000000 jne 0047A61D
:0047A576 A1E03C4800 mov eax, dword ptr [00483CE0]
:0047A57B 8B00 mov eax, dword ptr [eax]
:0047A57D 8B805C030000 mov eax, dword ptr [eax+0000035C]
:0047A583 33D2 xor edx, edx
:0047A585 E87ECFFDFF call 00457508
But even after the thanks message, the disabled function is still there, and the about box also still says unregistered. What's this?
There is also a key in the registry:
"\Software\PGWARE\PcMedik"
* Possible StringData Ref from Code Obj ->"\Software\PGWARE\PcMedik"
|
:00481AB9 BAFC1D4800 mov edx, 00481DFC
:00481ABE 8BC3 mov eax, ebx
:00481AC0 E82F01FAFF call 00421BF4
:00481AC5 8D4DE8 lea ecx, dword ptr [ebp-18]
* Possible StringData Ref from Code Obj ->"Name"
|
:00481AC8 BA201E4800 mov edx, 00481E20
:00481ACD 8BC3 mov eax, ebx
:00481ACF E8E802FAFF call 00421DBC
:00481AD4 8B55E8 mov edx, dword ptr [ebp-18]
:00481AD7 B86C4F4800 mov eax, 00484F6C
:00481ADC E83326F8FF call 00404114
:00481AE1 8D4DE4 lea ecx, dword ptr [ebp-1C]
* Possible StringData Ref from Code Obj ->"Serial"
|
:00481AE4 BA301E4800 mov edx, 00481E30
:00481AE9 8BC3 mov eax, ebx
:00481AEB E8CC02FAFF call 00421DBC
:00481AF0 8B55E4 mov edx, dword ptr [ebp-1C]
:00481AF3 B8684F4800 mov eax, 00484F68
:00481AF8 E81726F8FF call 00404114
:00481AFD 8D45DC lea eax, dword ptr [ebp-24]
:00481B00 50 push eax
:00481B01 8B15684F4800 mov edx, dword ptr [00484F68]
And also here:
* Possible StringData Ref from Code Obj ->"\Software\PGWARE\PCMedik"
|
:0047E387 BAECE64700 mov edx, 0047E6EC
:0047E38C 8B45EC mov eax, dword ptr [ebp-14]
:0047E38F E86038FAFF call 00421BF4
:0047E394 837DFC00 cmp dword ptr [ebp-04], 00000000
:0047E398 7428 je 0047E3C2
:0047E39A 837DF800 cmp dword ptr [ebp-08], 00000000
:0047E39E 7422 je 0047E3C2
:0047E3A0 8B4DFC mov ecx, dword ptr [ebp-04]
* Possible StringData Ref from Code Obj ->"Name"
|
:0047E3A3 BA10E74700 mov edx, 0047E710
:0047E3A8 8B45EC mov eax, dword ptr [ebp-14]
:0047E3AB E8E039FAFF call 00421D90
:0047E3B0 8B4DF8 mov ecx, dword ptr [ebp-08]
* Possible StringData Ref from Code Obj ->"Serial"
|
:0047E3B3 BA20E74700 mov edx, 0047E720
:0047E3B8 8B45EC mov eax, dword ptr [ebp-14]
:0047E3BB E8D039FAFF call 00421D90
:0047E3C0 EB20 jmp 0047E3E2
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0047E398(C), :0047E39E(C)
|
:0047E3C2 8D4DFC lea ecx, dword ptr [ebp-04]
* Possible StringData Ref from Code Obj ->"Name"
|
:0047E3C5 BA10E74700 mov edx, 0047E710
:0047E3CA 8B45EC mov eax, dword ptr [ebp-14]
:0047E3CD E8EA39FAFF call 00421DBC
:0047E3D2 8D4DF8 lea ecx, dword ptr [ebp-08]
* Possible StringData Ref from Code Obj ->"Serial"
|
:0047E3D5 BA20E74700 mov edx, 0047E720
:0047E3DA 8B45EC mov eax, dword ptr [ebp-14]
:0047E3DD E8DA39FAFF call 00421DBC
where the serial and name are stored.
I put a breakpoint,
bpx RegQueryValueExA If (*edi>='Name') do "dd *edi"
which I read in a tutorial (Windows95 registry cracking by Epic Lord on krobar) that shows the s/n and name. The breakpoint breaks into SoftICE when the software is loaded, but in vain, as no s/n is shown in SoftICE, and after some F10s nothing showed up either.
And this software is worth using.
Please help me (newbie) with serial sniffing and also patching it.
Thanks in advance.
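Editor's added example (not code from the post or from the PcMedik author): the post's plan is to flip the jne at 0047A570, and the W32Dasm listing it quotes contains everything needed to check that the patch bytes are right before touching the binary. The script below parses listing lines of the form ":ADDR BYTES MNEMONIC OPERANDS", decodes the rel8/rel32 displacement of each jump from the raw bytes and compares it with the target W32Dasm printed (the byte string quoted at the top of the post is one hex digit short of the one in the listing, which is exactly the kind of transcription slip this check catches), and then produces two patch variants for a chosen address: the sense-flipped Jcc (0F 85 becomes 0F 84) and an unconditional jmp of the same length with the rel32 recomputed for the shorter E9 encoding. The sample listing lines are copied from the post; the function names are my own. One caveat the script does not cover: the addresses are virtual addresses, so writing the bytes to the .exe on disk still requires mapping them to a file offset via the PE section headers.

```python
import re
from dataclasses import dataclass

# Lines copied from the W32Dasm listing quoted in the post above.
LISTING = """\
:0047A569 E8B63D0000 call 0047E324
:0047A56E 3C01 cmp al, 01
:0047A570 0F85A7000000 jne 0047A61D
:0047A576 A1E03C4800 mov eax, dword ptr [00483CE0]
:0047E394 837DFC00 cmp dword ptr [ebp-04], 00000000
:0047E398 7428 je 0047E3C2
:0047E39A 837DF800 cmp dword ptr [ebp-08], 00000000
:0047E39E 7422 je 0047E3C2
:0047E3C0 EB20 jmp 0047E3E2
"""

# ":<8 hex addr> <hex bytes> <mnemonic> [operands]"; W32Dasm comment lines
# ("* Referenced by ...", "|") do not match and are skipped.
LINE_RE = re.compile(r"^:([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class Instr:
    addr: int
    raw: bytes
    mnemonic: str
    operands: str

    @property
    def next_addr(self) -> int:
        # Relative branches are measured from the end of the instruction.
        return self.addr + len(self.raw)


def parse_listing(text: str) -> list[Instr]:
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Instr(int(m[1], 16), bytes.fromhex(m[2]), m[3].lower(), (m[4] or "").strip()))
    return out


def is_short_jcc(b: bytes) -> bool:
    return len(b) == 2 and 0x70 <= b[0] <= 0x7F


def is_near_jcc(b: bytes) -> bool:
    return len(b) == 6 and b[0] == 0x0F and 0x80 <= b[1] <= 0x8F


def branch_target(ins: Instr):
    """Decode the jump target from the encoded displacement; None for non-branches."""
    b = ins.raw
    if is_short_jcc(b) or (len(b) == 2 and b[0] == 0xEB):      # Jcc rel8 / jmp rel8
        disp = int.from_bytes(b[1:2], "little", signed=True)
    elif is_near_jcc(b):                                          # 0F 8x Jcc rel32
        disp = int.from_bytes(b[2:6], "little", signed=True)
    elif len(b) == 5 and b[0] == 0xE9:                            # jmp rel32
        disp = int.from_bytes(b[1:5], "little", signed=True)
    else:
        return None
    return (ins.next_addr + disp) & 0xFFFFFFFF


def check_targets(instrs: list[Instr]) -> dict:
    """Map addr -> (decoded_target, listed_target) for every jump whose bytes disagree with the listing."""
    bad = {}
    for ins in instrs:
        decoded = branch_target(ins)
        if decoded is None:
            continue
        listed = int(ins.operands, 16)
        if decoded != listed:
            bad[ins.addr] = (decoded, listed)
    return bad


def invert_jcc(ins: Instr) -> bytes:
    """Flip the condition (jne<->je, jl<->jge, ...): the low opcode bit selects the negated condition."""
    b = bytearray(ins.raw)
    if is_short_jcc(b):
        b[0] ^= 1
    elif is_near_jcc(b):
        b[1] ^= 1
    else:
        raise ValueError(f"no Jcc at {ins.addr:08X}")
    return bytes(b)


def force_jmp(ins: Instr) -> bytes:
    """Replace a Jcc with an unconditional jmp of identical length so no following bytes move."""
    b = ins.raw
    if is_short_jcc(b):
        return bytes([0xEB, b[1]])                      # rel8 unchanged: same length
    if is_near_jcc(b):
        # E9 rel32 is 5 bytes (Jcc was 6), so rel32 is measured from addr+5; pad with NOP.
        rel = (branch_target(ins) - (ins.addr + 5)) & 0xFFFFFFFF
        return bytes([0xE9]) + rel.to_bytes(4, "little") + b"\x90"
    raise ValueError(f"no Jcc at {ins.addr:08X}")


def patch_plan(text: str, addr: int) -> dict:
    ins = {i.addr: i for i in parse_listing(text)}[addr]
    return {
        "orig": ins.raw.hex().upper(),
        "target": f"{branch_target(ins):08X}",
        "invert": invert_jcc(ins).hex().upper(),
        "jmp": force_jmp(ins).hex().upper(),
    }


if __name__ == "__main__":
    instrs = parse_listing(LISTING)
    print("listing/byte mismatches:", check_targets(instrs) or "none")
    for k, v in patch_plan(LISTING, 0x0047A570).items():
        print(f"{k:>7}: {v}")
```

Running it confirms that 0F85 A7000000 at 0047A570 really lands on 0047A61D (0047A576 + 0xA7) and prints 0F84A7000000 for the je variant. The jmp variant is the one to reach for when the same Jcc is taken on both the good and bad paths in different situations; the inverted Jcc only swaps which inputs pass.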