
problem pl..... help


thematrix
April 21st, 2003, 10:39
I am a newbie here.
I tried my first victim, a software named PCmedik. After checking the serial protection with SoftICE I came to know that the final serial check is done at this address:
0047A570 0F85A7000000 jne 0047A61D
which I have changed to je 0047A61D.
I even tried to see the serial with "d eax, ebx, ecx, edi, esi", which was in vain.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047A499(C)
|
:0047A508 E8DBD0FDFF call 004575E8
:0047A50D 837DFC00 cmp dword ptr [ebp-04], 00000000
:0047A511 0F843C010000 je 0047A653
:0047A517 8D55F8 lea edx, dword ptr [ebp-08]
:0047A51A 8B8324030000 mov eax, dword ptr [ebx+00000324]
:0047A520 E8C3D0FDFF call 004575E8
:0047A525 837DF800 cmp dword ptr [ebp-08], 00000000
:0047A529 0F8424010000 je 0047A653
:0047A52F 8D55F0 lea edx, dword ptr [ebp-10]
:0047A532 8B8324030000 mov eax, dword ptr [ebx+00000324]
:0047A538 E8ABD0FDFF call 004575E8
:0047A53D 8B45F0 mov eax, dword ptr [ebp-10]
:0047A540 8D55F4 lea edx, dword ptr [ebp-0C]
:0047A543 E8A0DBF8FF call 004080E8
:0047A548 8B45F4 mov eax, dword ptr [ebp-0C]
:0047A54B 50 push eax
:0047A54C 8D55E8 lea edx, dword ptr [ebp-18]
:0047A54F 8B832C030000 mov eax, dword ptr [ebx+0000032C]
:0047A555 E88ED0FDFF call 004575E8
:0047A55A 8B45E8 mov eax, dword ptr [ebp-18]
:0047A55D 8D55EC lea edx, dword ptr [ebp-14]
:0047A560 E883DBF8FF call 004080E8
:0047A565 8B45EC mov eax, dword ptr [ebp-14]
:0047A568 5A pop edx
:0047A569 E8B63D0000 call 0047E324
:0047A56E 3C01 cmp al, 01
:0047A570 0F85A7000000 jne 0047A61D
:0047A576 A1E03C4800 mov eax, dword ptr [00483CE0]
:0047A57B 8B00 mov eax, dword ptr [eax]
:0047A57D 8B805C030000 mov eax, dword ptr [eax+0000035C]
:0047A583 33D2 xor edx, edx
:0047A585 E87ECFFDFF call 00457508





But after the thanks message the disabled function is still there, and the about box also still says unregistered. What's this?
There is also a key in the registry:
"\Software\PGWARE\PcMedik"


* Possible StringData Ref from Code Obj ->"\Software\PGWARE\PcMedik"
|
:00481AB9 BAFC1D4800 mov edx, 00481DFC
:00481ABE 8BC3 mov eax, ebx
:00481AC0 E82F01FAFF call 00421BF4
:00481AC5 8D4DE8 lea ecx, dword ptr [ebp-18]

* Possible StringData Ref from Code Obj ->"Name"
|
:00481AC8 BA201E4800 mov edx, 00481E20
:00481ACD 8BC3 mov eax, ebx
:00481ACF E8E802FAFF call 00421DBC
:00481AD4 8B55E8 mov edx, dword ptr [ebp-18]
:00481AD7 B86C4F4800 mov eax, 00484F6C
:00481ADC E83326F8FF call 00404114
:00481AE1 8D4DE4 lea ecx, dword ptr [ebp-1C]

* Possible StringData Ref from Code Obj ->"Serial"
|
:00481AE4 BA301E4800 mov edx, 00481E30
:00481AE9 8BC3 mov eax, ebx
:00481AEB E8CC02FAFF call 00421DBC
:00481AF0 8B55E4 mov edx, dword ptr [ebp-1C]
:00481AF3 B8684F4800 mov eax, 00484F68
:00481AF8 E81726F8FF call 00404114
:00481AFD 8D45DC lea eax, dword ptr [ebp-24]
:00481B00 50 push eax
:00481B01 8B15684F4800 mov edx, dword ptr [00484F68]



And also here:


* Possible StringData Ref from Code Obj ->"\Software\PGWARE\PCMedik"
|
:0047E387 BAECE64700 mov edx, 0047E6EC
:0047E38C 8B45EC mov eax, dword ptr [ebp-14]
:0047E38F E86038FAFF call 00421BF4
:0047E394 837DFC00 cmp dword ptr [ebp-04], 00000000
:0047E398 7428 je 0047E3C2
:0047E39A 837DF800 cmp dword ptr [ebp-08], 00000000
:0047E39E 7422 je 0047E3C2
:0047E3A0 8B4DFC mov ecx, dword ptr [ebp-04]

* Possible StringData Ref from Code Obj ->"Name"
|
:0047E3A3 BA10E74700 mov edx, 0047E710
:0047E3A8 8B45EC mov eax, dword ptr [ebp-14]
:0047E3AB E8E039FAFF call 00421D90
:0047E3B0 8B4DF8 mov ecx, dword ptr [ebp-08]

* Possible StringData Ref from Code Obj ->"Serial"
|
:0047E3B3 BA20E74700 mov edx, 0047E720
:0047E3B8 8B45EC mov eax, dword ptr [ebp-14]
:0047E3BB E8D039FAFF call 00421D90
:0047E3C0 EB20 jmp 0047E3E2

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0047E398(C), :0047E39E(C)
|
:0047E3C2 8D4DFC lea ecx, dword ptr [ebp-04]

* Possible StringData Ref from Code Obj ->"Name"
|
:0047E3C5 BA10E74700 mov edx, 0047E710
:0047E3CA 8B45EC mov eax, dword ptr [ebp-14]
:0047E3CD E8EA39FAFF call 00421DBC
:0047E3D2 8D4DF8 lea ecx, dword ptr [ebp-08]

* Possible StringData Ref from Code Obj ->"Serial"
|
:0047E3D5 BA20E74700 mov edx, 0047E720
:0047E3DA 8B45EC mov eax, dword ptr [ebp-14]
:0047E3DD E8DA39FAFF call 00421DBC


where the serial and name are stored. I put a breakpoint:

bpx RegQueryValueExA If (*edi>='Name') do "dd *edi"

which I have read from a tutorial (Windows95 registry cracking by Epic Lord on krobar), which shows the s/n and name. The breakpoint breaks into SoftICE when the software is loaded, but in vain, as there is no s/n shown in SoftICE, and after some F10s nothing showed up either.

And this software is worth using.
Please help me (newbie) with serial sniffing and also patching it.
Thanks in advance.

naides
April 21st, 2003, 15:20
Quote:
Originally posted by thematrix
I am a newbie here.
I tried my first victim, a software named PCmedik. After checking the serial protection with SoftICE I came to know that the final serial check is done at this address:
0047A570 0F85A7000000 jne 0047A61D



You killed the messenger but did not reverse the app. By inverting this jump you only changed a message box.



which I have changed to je 0047A61D.
I even tried to see the serial with "d eax, ebx, ecx, edi, esi", which was in vain.


The serial may not even get placed in the CPU registers. d eax, d ebx etc. may only work if you are lucky and perform it at the right place, at the right time.

:0047A569 E8B63D0000 call 0047E324

I would trace into this call, which appears to return 01 in al when you are not registered.


* Possible StringData Ref from Code Obj ->"\Software\PGWARE\PCMedik"
|
:0047E387 BAECE64700 mov edx, 0047E6EC
:0047E38C 8B45EC mov eax, dword ptr [ebp-14]
:0047E38F E86038FAFF call 00421BF4
:0047E394 837DFC00 cmp dword ptr [ebp-04], 00000000
:0047E398 7428 je 0047E3C2
:0047E39A 837DF800 cmp dword ptr [ebp-08], 00000000
:0047E39E 7422 je 0047E3C2
:0047E3A0 8B4DFC mov ecx, dword ptr [ebp-04]

* Possible StringData Ref from Code Obj ->"Name"
|
:0047E3A3 BA10E74700 mov edx, 0047E710

Now do a "d edx" here to see what "Name" means.

:0047E3A8 8B45EC mov eax, dword ptr [ebp-14]
:0047E3AB E8E039FAFF call 00421D90
:0047E3B0 8B4DF8 mov ecx, dword ptr [ebp-08]

* Possible StringData Ref from Code Obj ->"Serial"
|
:0047E3B3 BA20E74700 mov edx, 0047E720

Now do a "d edx" here to see the contents of 47E720, called "Serial".
:0047E3B8 8B45EC mov eax, dword ptr [ebp-14]
:0047E3BB E8D039FAFF call 00421D90

Trace into this call.

Do not follow the tutorials to the letter. Try to understand what the authors are trying to do and apply it to your current situation.

esther
April 21st, 2003, 20:49
Hi naides,
Don't be too hard on him ;p

thematrix: I think you should start reading Art of Assembly Language http://webster.cs.ucr.edu/Page_asm/0_ArtOfAsm.html
and then come back to the program. Like naides said, you have to understand the code. Good luck.

JMI
April 21st, 2003, 23:29
thematrix:

The first and primary tool of a reverse engineer is the brain. You have to use it to THINK about what you are seeing when you attempt to run the program and then you need to THINK about what you are seeing when you look at the code. So let's take a step back and THINK about what appears to be happening and that will give you a better concept of how to attack what you find in the Code. Keep in mind that this is an approach which you should make, as I do, even without looking at the code.

First, you have a "box" of some sort that comes up on your screen with a place for you to enter information. In this case it is at least "Name" and "Serial". This much you discovered. So what you should be considering is how you find out how this "box" is put on the screen and what happens after information is input into the "box."

As a reverse engineer, you need to discover how the "box" is drawn on the screen so you can find that place in the code, so you can examine what's happening BEFORE and AFTER the box is drawn. So you need to know how to intercept this type of "box". There are certain APIs which will help you do this which you should know, and maybe you already do, because you found a place in the code where "something" is checked and, if that "something" doesn't exist, a jump is made to the "box".

So what it appears you did was not THINK about what was happening before the jump to the "box" and simply eliminated the posting of the box. But, THINKING would, perhaps, have suggested to you that the program wants your name and serial number and then is going to DO SOMETHING with them (i.e., put them somewhere and use them for something.) In this case, it appears that what it is going to do is create Registry Keys with the name and the Serial Number (either crypted or not).

Now, if you THINK about it, would it not make sense that the program would check to see if it is ALREADY registered BEFORE it puts up the "box"? If it didn't, it would ALWAYS put up the "box" even if the registration "name" and "serial" keys already existed. A waste of time for the user. So, assuming this is true, it would need to check these Keys BEFORE calling the "box" and IF it finds what it believes are correct entries, it skips calling the "box".

So finding the "box" is good, because it gives you clues to what happened BEFORE it was called. REMOVING the call to the "box" does NOTHING to convince the program that it has ALREADY been registered. WHAT will convince the program that it is already registered? Somewhere it has to find WHATEVER it is that it checks and see if what it finds passes WHATEVER test has been included in the program. Does it check what you entered against a "hard coded" entry? Not too common, but possible. Does it contain some "Hash" of your serial which, when run through some code, comes out the other end with the "expected" result so that when a "compare" against the "expected result" is met, the jump to the "is registered code" takes place? More likely.

So what is a would-be reverse engineer to do when the program is unwilling to be a "victim" to those who have not taken the time to THINK? Take that time and try to THINK like a Reverse engineer. The "serial" is entered for a reason. What does the program DO with what you entered? (You did enter something, didn't you??) Do you know how to intercept your entry of the serial in the debugger? A necessary first step.

OK. If we assume you know how to catch the input of "your" serial and you have found where the code starts to analyze whether you have entered the correct serial or not, you will have to recognize what it is doing and, if you're lucky, you will come to that mystical place where the code decides whether you are a "bad boy" or a "good cracker" and skips the "box" ON ITS OWN. Things get tougher, however, if you have to have a "correct" serial for the program to decrypt some other part of the code, but that's "another story."

So take that step back and think about HOW THINGS WORK. If you don't understand that concept, read some more, and this time, THINK about how the issue was approached, not just what code was printed in the tutorial. Code most often changes, fewer "general principles" change. If your own study doesn't make it clear to you, then ask questions here.

Regards.

LOUZEW
April 22nd, 2003, 13:00
Hi, thematrix

Above your jne, you have this call 0047E324.

With a disassembler, e.g. Wdasm or IDA, go to the line 0047E324. I think this function is called more than once (at program start).

If this function checks the serial validation, simply try this:

0047E324 B8 01 00 00 00 mov eax, 1
0047E329 C3 ret


NOTE: Check the stack, maybe you have to realign!
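As an added example (my own code, not from this thread and not from PcMedik), here is how LOUZEW's patch would be applied to the file on disk. The addresses SoftICE and W32Dasm show are virtual addresses, so they have to be translated to file offsets through the PE section table before any bytes are written. The image base of 0x00400000 and the single CODE section are assumptions (the 0x0047xxxx addresses in the listing are consistent with that base, but read the real header); the PE built by build_demo_pe() is constructed in memory purely for the demonstration. The original bytes at 0047E324 are not on this page, so only the jne flip at 0047A570 is checked against the listing bytes before writing. On the stack note: the call sites in the listing pass their arguments in eax and edx (Borland register convention), so a bare mov eax,1 / ret leaves the stack as it found it only if the routine takes no stack arguments; confirm that in the debugger before trusting it.

```python
"""
Added example, not code from the thread: translate the virtual addresses in the
W32Dasm listing into file offsets and apply the two patches discussed.
The PE image is constructed in memory for the demo; no real binary is touched.
"""
import struct

# Patches from the thread: LOUZEW's "mov eax,1 / ret" stub at the start of the
# checking routine, and thematrix's original jne -> je flip (0F 85 -> 0F 84).
PATCH_RETURN_TRUE = (0x0047E324, bytes.fromhex("B801000000C3"))
PATCH_FLIP_JNE = (0x0047A570, bytes.fromhex("0F84A7000000"))
ORIG_JNE = bytes.fromhex("0F85A7000000")  # bytes shown in the listing at 0047A570


def parse_sections(pe):
    """Return (image_base, [(name, rva, vsize, raw_ptr, raw_size), ...]) for a PE32."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    first = opt + opt_size
    sections = []
    for i in range(nsections):
        hdr = first + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, rva, rsize, rptr = struct.unpack_from("<IIII", pe, hdr + 8)
        sections.append((name, rva, vsize, rptr, rsize))
    return image_base, sections


def va_to_file_offset(pe, va):
    """Map a virtual address (as SoftICE/W32Dasm show it) to an offset in the file."""
    image_base, sections = parse_sections(pe)
    rva = va - image_base
    for name, srva, vsize, rptr, rsize in sections:
        if srva <= rva < srva + max(vsize, rsize):
            delta = rva - srva
            if delta >= rsize:
                raise ValueError(f"{va:#010x} is in the uninitialised tail of {name}")
            return rptr + delta
    raise ValueError(f"{va:#010x} is not inside any section")


def apply_patch(pe, va, new_bytes, expect=b""):
    """Overwrite bytes at VA; if `expect` is given, refuse unless the file still holds it."""
    off = va_to_file_offset(pe, va)
    if expect and pe[off:off + len(expect)] != expect:
        raise ValueError("bytes at offset differ from the listing: wrong file or version")
    return pe[:off] + new_bytes + pe[off + len(new_bytes):]


def build_demo_pe():
    """Constructed stand-in for the target: one CODE section at 0x00401000 (assumed layout)."""
    image_base, code_rva, raw_ptr, size = 0x00400000, 0x1000, 0x200, 0x80000
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                # section / file alignment
    struct.pack_into("<II", opt, 56, code_rva + size, raw_ptr)     # SizeOfImage, SizeOfHeaders
    sect = struct.pack("<8sIIIIIIHHI", b"CODE", size, code_rva, size, raw_ptr,
                       0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(raw_ptr, b"\0")
    code = bytearray(b"\x90" * size)                               # filler, not real program code
    code[0x7A570 - code_rva:0x7A576 - code_rva] = ORIG_JNE         # plant the listing's jne
    return bytes(headers + code)


def patch_demo(pe):
    """Apply both patches; the jne flip is checked against the listing bytes first."""
    pe = apply_patch(pe, *PATCH_FLIP_JNE, expect=ORIG_JNE)
    return apply_patch(pe, *PATCH_RETURN_TRUE)


if __name__ == "__main__":
    image = build_demo_pe()
    for va, _ in (PATCH_FLIP_JNE, PATCH_RETURN_TRUE):
        print(f"VA {va:#010x} -> file offset {va_to_file_offset(image, va):#x}")
    out = patch_demo(image)
    print(out[va_to_file_offset(out, 0x0047E324):][:6].hex())
```

Run it as a script to see the two offsets and the patched bytes. To patch a real file, read it with open(path, "rb"), pass the bytes to apply_patch with the bytes you saw in the disassembler as `expect`, and write the result to a copy rather than over the original; the `expect` check is what catches a wrong version or a mis-calculated offset before anything is damaged.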

Manko
April 22nd, 2003, 17:36
Hi!

Since he tried to reverse the jump and it didn't do any good, that will not work either.
The reason is probably that some flag gets set in that routine if the serial passes, and the result of that call is only for which message to show.

So again, check out that call!

/Manko

thematrix
April 24th, 2003, 08:50
Thanks all you guys, I will try again.

bl00dk@
April 27th, 2003, 08:54
You should also create the "Name" and "Serial" string values in the registry and put in some fake info, because sometimes it's enough if the app finds a fake serial/name and is then forced to accept it, but far from often.

JohnWho.

thematrix
April 28th, 2003, 11:29
Thanks all.
LOUZEW, I have done as you said, and the proggie gets registered, but it restarts the PC without informing, which means we have done something wrong there.