Dark Heaven - Tutorial: Registering ImageWOLF

Program:      ImageWolf v1.04 Build: 002
Description:  Image search engine
Author:       (C) 1997, 1998 TRELLIAN
Size:         230,912 bytes (IWOLF32.EXE)


Tool: - W32DASM v8.93


1. Load IMAGEWOLF and then W32DASM.


2. Now disassemble IWOLF32.EXE via [Debug/Attach to an Active Process].


3. Using [Refs/String Data References] we search for the error message
   "Invalid Registration Name or Serial Number" (String Resource ID = 01444).
   Double-clicking the reference displays the corresponding lines in the
   listing: 004048FE (*) and 00405470.

* Reference To: USER32.GetDlgItemTextA, Ord:00F5h
                                  |
:00404878 8B3D7C944200            mov edi, dword ptr [0042947C]
:0040487E 8D8C248C000000          lea ecx, dword ptr [esp+0000008C]
:00404885 6880000000              push 00000080
:0040488A 51                      push ecx
:0040488B 33DB                    xor ebx, ebx
:0040488D 6813040000              push 00000413
:00404892 56                      push esi
:00404893 889C249C000000          mov byte ptr [esp+0000009C], bl
:0040489A 885C241C                mov byte ptr [esp+1C], bl
:0040489E FFD7                    call edi
:004048A0 8D54240C                lea edx, dword ptr [esp+0C]
:004048A4 6880000000              push 00000080
:004048A9 52                      push edx
:004048AA 68B0050000              push 000005B0
:004048AF 56                      push esi
:004048B0 FFD7                    call edi
:004048B2 8D84248C000000          lea eax, dword ptr [esp+0000008C]
:004048B9 50                      push eax
:004048BA E871600000              call 0040A930
:004048BF 83C404                  add esp, 00000004
:004048C2 8D4C240C                lea ecx, dword ptr [esp+0C]
:004048C6 51                      push ecx
:004048C7 E864600000              call 0040A930
:004048CC 83C404                  add esp, 00000004
:004048CF 8D54240C                lea edx, dword ptr [esp+0C]
:004048D3 8D84248C000000          lea eax, dword ptr [esp+0000008C]
:004048DA 52                      push edx
:004048DB 50                      push eax
:004048DC E81FD00000              call 00411900                ; <- Execute Call
:004048E1 83C408                  add esp, 00000008
:004048E4 85C0                    test eax, eax
:004048E6 755A                    jne 00404942
:004048E8 8B0D3C774200            mov ecx, dword ptr [0042773C]

* Reference To: USER32.LoadStringA, Ord:0183h
                                  |
:004048EE 8B3D54944200            mov edi, dword ptr [00429454]
:004048F4 6800100000              push 00001000
:004048F9 68E0FB4100              push 0041FBE0

* Possible Reference to Dialog: DialogID_0069, CONTROL_ID:05A4, "0"
                                  |

* Possible Reference to String Resource ID=01444: "Invalid Registration Name or
                                                   Serial Number"
                                  |
:004048FE 68A4050000              push 000005A4          ; <- found reference
:00404903 51                      push ecx
:00404904 FFD7                    call edi
:00404906 8B153C774200            mov edx, dword ptr [0042773C]
:0040490C 6800100000              push 00001000
:00404911 6860EB4100              push 0041EB60


4. Above the found reference we follow the function call (call 00411900)
   in line 004048DC via [Execute Text/Execute Call].

* Referenced by a CALL at Addresses:
|:004048DC   , :004118B1   
|
:00411900 8B442408                mov eax, dword ptr [esp+08] ; from call 00411900
:00411904 83EC30                  sub esp, 00000030
:00411907 85C0                    test eax, eax
:00411909 53                      push ebx
:0041190A 56                      push esi
:0041190B 57                      push edi
:0041190C 0F8466010000            je 00411A78
:00411912 8B7C2440                mov edi, dword ptr [esp+40]
:00411916 85FF                    test edi, edi
:00411918 0F845A010000            je 00411A78
:0041191E 803849                  cmp byte ptr [eax], 49    ;<- check 1: 'I'
:00411921 0F8551010000            jne 00411A78
:00411927 80780157                cmp byte ptr [eax+01], 57 ;<- check 2: 'W'
:0041192B 0F8547010000            jne 00411A78
:00411931 6A14                    push 00000014
:00411933 50                      push eax
:00411934 8D44241C                lea eax, dword ptr [esp+1C]
:00411938 50                      push eax
:00411939 E87291FFFF              call 0040AAB0
:0041193E 83C40C                  add esp, 0000000C
:00411941 8D4C2414                lea ecx, dword ptr [esp+14]
:00411945 6A2D                    push 0000002D
:00411947 51                      push ecx
:00411948 E8E3060000              call 00412030
:0041194D 8BD8                    mov ebx, eax
:0041194F 83C408                  add esp, 00000008
:00411952 85DB                    test ebx, ebx
:00411954 0F841E010000            je 00411A78
:0041195A C60300                  mov byte ptr [ebx], 00
:0041195D 8B1578BB4100            mov edx, dword ptr [0041BB78]
:00411963 A07CBB4100              mov al, byte ptr [0041BB7C]
:00411968 6A04                    push 00000004
:0041196A 8D4C2410                lea ecx, dword ptr [esp+10]
:0041196E 57                      push edi
:0041196F 51                      push ecx
:00411970 89542418                mov dword ptr [esp+18], edx
:00411974 8844241C                mov byte ptr [esp+1C], al
:00411978 E873070000              call 004120F0
:0041197D 8A542420                mov dl, byte ptr [esp+20]
:00411981 83C40C                  add esp, 0000000C
:00411984 84D2                    test dl, dl
:00411986 7421                    je 004119A9
:00411988 8D742414                lea esi, dword ptr [esp+14]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004119A7(C)
|
:0041198C 33C9                    xor ecx, ecx
:0041198E 80C209                  add dl, 09

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041199F(C)
|
:00411991 8A440C0C                mov al, byte ptr [esp+ecx+0C]
:00411995 F6EA                    imul dl
:00411997 88440C0C                mov byte ptr [esp+ecx+0C], al
:0041199B 41                      inc ecx
:0041199C 83F904                  cmp ecx, 00000004
:0041199F 7CF0                    jl 00411991
:004119A1 8A5601                  mov dl, byte ptr [esi+01]
:004119A4 46                      inc esi
:004119A5 84D2                    test dl, dl
:004119A7 75E3                    jne 0041198C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411986(C)
|
:004119A9 8A0F                    mov cl, byte ptr [edi]
:004119AB 84C9                    test cl, cl
:004119AD 7419                    je 004119C8
:004119AF 8BD7                    mov edx, edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004119C6(C)
|
:004119B1 33C0                    xor eax, eax
:004119B3 80C109                  add cl, 09

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004119BE(C)
|
:004119B6 304C040C                xor byte ptr [esp+eax+0C], cl
:004119BA 40                      inc eax
:004119BB 83F804                  cmp eax, 00000004
:004119BE 7CF6                    jl 004119B6
:004119C0 8A4A01                  mov cl, byte ptr [edx+01]
:004119C3 42                      inc edx
:004119C4 84C9                    test cl, cl
:004119C6 75E9                    jne 004119B1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004119AD(C)
|
:004119C8 8B54240C                mov edx, dword ptr [esp+0C]
:004119CC 85D2                    test edx, edx
:004119CE 7D04                    jge 004119D4
:004119D0 F7DA                    neg edx
:004119D2 85D2                    test edx, edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004119CE(C)
|
:004119D4 7505                    jne 004119DB
:004119D6 BA01000000              mov edx, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004119D4(C)
|
:004119DB 81FA0F270000            cmp edx, 0000270F        ; <- check < 9999
:004119E1 7D0D                    jge 004119F0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004119EE(C)
|
:004119E3 8D1492                  lea edx, dword ptr [edx+4*edx]
:004119E6 D1E2                    shl edx, 1
:004119E8 81FA0F270000            cmp edx, 0000270F
:004119EE 7CF3                    jl 004119E3

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004119E1(C)
|
:004119F0 81FA3F420F00            cmp edx, 000F423F      ; <- check < 999999
:004119F6 7E19                    jle 00411A11

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411A0F(C)
|
:004119F8 B867666666              mov eax, 66666667
:004119FD F7EA                    imul edx
:004119FF C1FA02                  sar edx, 02
:00411A02 8BC2                    mov eax, edx
:00411A04 C1E81F                  shr eax, 1F
:00411A07 03D0                    add edx, eax
:00411A09 81FA3F420F00            cmp edx, 000F423F      ; <- check < 999999
:00411A0F 7FE7                    jg 004119F8      ;   breakpoint, 3rd: EAX = code

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004119F6(C)
|
:00411A11 52                      push edx

* Possible StringData Ref from Data Obj ->"%li"
                                  |
:00411A12 6874BB4100              push 0041BB74
:00411A17 8D4C2430                lea ecx, dword ptr [esp+30]
:00411A1B 6A14                    push 00000014
:00411A1D 51                      push ecx
:00411A1E E80D050000              call 00411F30
:00411A23 83C410                  add esp, 00000010
:00411A26 8D7301                  lea esi, dword ptr [ebx+01]
:00411A29 8D442428                lea eax, dword ptr [esp+28]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411A4F(C)
|
:00411A2D 8A10                    mov dl, byte ptr [eax]
:00411A2F 8A1E                    mov bl, byte ptr [esi]
:00411A31 8ACA                    mov cl, dl
:00411A33 3AD3                    cmp dl, bl
:00411A35 752C                    jne 00411A63
:00411A37 84C9                    test cl, cl
:00411A39 7416                    je 00411A51
:00411A3B 8A5001                  mov dl, byte ptr [eax+01]
:00411A3E 8A5E01                  mov bl, byte ptr [esi+01]
:00411A41 8ACA                    mov cl, dl
:00411A43 3AD3                    cmp dl, bl
:00411A45 751C                    jne 00411A63
:00411A47 83C002                  add eax, 00000002
:00411A4A 83C602                  add esi, 00000002
:00411A4D 84C9                    test cl, cl
:00411A4F 75DC                    jne 00411A2D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411A39(C)
|
:00411A51 33C0                    xor eax, eax
:00411A53 33C9                    xor ecx, ecx
:00411A55 85C0                    test eax, eax
:00411A57 0F94C1                  sete cl
:00411A5A 8BC1                    mov eax, ecx
:00411A5C 5F                      pop edi
:00411A5D 5E                      pop esi
:00411A5E 5B                      pop ebx
:00411A5F 83C430                  add esp, 00000030
:00411A62 C3                      ret


5. As the listing above shows, the code must begin with 'IW' and have, for
   example, the format MW-123456.

   In line 00411A0F the code computed from the name is compared with 999999.
   Since the value (in EDX) is greater on the 1st comparison, a division is
   performed and the comparison is repeated. This loop continues until the
   value (EDX) is < 999999 (000F423F).

   So we set our breakpoint [F2] on this comparison, switch to IMAGEWOLF and
   enter arbitrary registration data in the above format:

   e.g. Registration Name: Dark Heaven
        Serial Number    : MW-123456
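
   The range check between 004119C8 and 00411A0F is built from two compiler
   idioms a reverse engineer should recognise: lea edx,[edx+4*edx]; shl edx,1
   multiplies by 10, and the imul by 66666667h followed by sar edx,2 and the
   shr/add sign fix-up is signed division by 10 without idiv. The C below is an
   added example, not part of the original tutorial, and re-implements only this
   normalisation stage so the instructions can be checked against plain
   arithmetic (INT32_MIN, for which neg edx has no positive result, is excluded).

```c
#include <stdint.h>
#include <stdio.h>

/* Arithmetic right shift (floor division by 2^n), written so it is well
 * defined for negative values in C; models sar on the high dword. */
static int64_t sar(int64_t v, int n)
{
    int64_t d = (int64_t)1 << n;
    int64_t q = v / d;
    if (v < 0 && v % d != 0)
        q--;
    return q;
}

/* 004119F8..00411A07: signed division by 10 without idiv.
 *   mov eax, 66666667h ; imul edx   -> 64-bit product in EDX:EAX, keep EDX
 *   sar edx, 2                       -> high dword / 4
 *   mov eax, edx ; shr eax, 1Fh ; add edx, eax -> +1 if the quotient is negative
 * For every int32_t x the result equals x / 10 truncated toward zero. */
int32_t div10_magic(int32_t x)
{
    int64_t prod = (int64_t)x * (int64_t)0x66666667;
    int32_t hi = (int32_t)sar(prod, 32);   /* EDX after imul */
    int32_t q = (int32_t)sar(hi, 2);       /* sar edx, 2 */
    int32_t sign = (q < 0) ? 1 : 0;        /* shr eax, 1Fh */
    return q + sign;                       /* add edx, eax */
}

/* 004119C8..00411A0F: force the value derived from the name into the range
 * 9999 <= v <= 999999, i.e. the six digits that follow "IW-". */
int32_t normalize(int32_t v)
{
    if (v < 0)                  /* jge 004119D4 / neg edx */
        v = -v;
    if (v == 0)                 /* jne 004119DB / mov edx, 1 */
        v = 1;
    while (v < 0x270F)          /* 004119E3: lea edx,[edx+4*edx]; shl edx,1 */
        v = (v + 4 * v) << 1;   /* v *= 10 */
    while (v > 0x0F423F)        /* 00411A09: loop while > 999999 */
        v = div10_magic(v);
    return v;
}

int main(void)
{
    printf("192433   -> %d\n", (int)normalize(192433));    /* already in range */
    printf("12345678 -> %d\n", (int)normalize(12345678));  /* two magic divisions */
    printf("-25 / 10 -> %d\n", (int)div10_magic(-25));     /* truncates like idiv */
    return 0;
}
```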


6. After confirming the input, W32DASM stops at the breakpoint and we can
   inspect the operands of the comparison (cmp eax, 000F423F).

   As long as the value (EAX) > 999999 (000F423F), we let the program continue
   with [F7] and [F9] until we get a smaller value.

   EDX = 0002EFB1 (hex) = 192433 (dec)  <- the code we are looking for


7. With the found code we can now register IMAGEWOLF and receive the
   success message "Thank you for registering ImageWolf.":

   e.g. Registration Name: Dark Heaven
        Serial Number    : IW-192433


8. After successful registration IMAGEWOLF writes the following lines to the
   file IWOLF.INI in the installation directory:

   licensee=Dark Heaven
   id=IW-192433


Have fun CRACKING!
Dark Heaven
05.03.1999


