Dark Heaven - Tutorial: Registration of Download Butler

Program: 	Download Butler v1.5d - 32 bit
Description: 	Internet tool
Author: 		(C) 1995, 1998 Lincoln Beach Software
Size: 		819,200 bytes (BUTLER.EXE)


Tool: - W32DASM v8.93


1. Load DOWNLOAD BUTLER and then W32DASM.


2. Now disassemble BUTLER.EXE via [Debug/Attach to an Active Process].


3. Now use [Refs/String Data References] to search for the error message
   "Invalid Key!". A double-click shows the corresponding line in the
   listing: 00497B2B.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00497A65(C)
|
:00497B20 6A00                    push 00000000       ; <- find the jump to here
:00497B22 668B0D687B4900          mov cx, word ptr [00497B68]
:00497B29 B201                    mov dl, 01

* Possible StringData Ref from Code Obj ->"Invalid Key!"
                                  |
:00497B2B B8307C4900              mov eax, 00497C30      ; <- reference found
:00497B30 E8BBD8F9FF              call 004353F0


4. To find the jump instruction that leads to the error message, we use
   [Search/Find Text] to search for the address 00497B20.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049799C(C)
|
:00497A03 90                      nop
:00497A04 55                      push ebp
:00497A05 8BEC                    mov ebp, esp
:00497A07 33C9                    xor ecx, ecx
:00497A09 51                      push ecx
:00497A0A 51                      push ecx
:00497A0B 51                      push ecx
:00497A0C 51                      push ecx
:00497A0D 51                      push ecx
:00497A0E 51                      push ecx
:00497A0F 51                      push ecx
:00497A10 53                      push ebx
:00497A11 56                      push esi
:00497A12 57                      push edi
:00497A13 8BD8                    mov ebx, eax
:00497A15 33C0                    xor eax, eax
:00497A17 55                      push ebp
:00497A18 68587B4900              push 00497B58
:00497A1D 64FF30                  push dword ptr fs:[eax]
:00497A20 648920                  mov dword ptr fs:[eax], esp
:00497A23 8D55FC                  lea edx, dword ptr [ebp-04]
:00497A26 8B83C4010000            mov eax, dword ptr [ebx+000001C4]
:00497A2C E877F6F7FF              call 004170A8
:00497A31 8B45FC                  mov eax, dword ptr [ebp-04]
:00497A34 50                      push eax
:00497A35 8D55F8                  lea edx, dword ptr [ebp-08]
:00497A38 8B83B8010000            mov eax, dword ptr [ebx+000001B8]
:00497A3E E865F6F7FF              call 004170A8
:00497A43 8B45F8                  mov eax, dword ptr [ebp-08]
:00497A46 50                      push eax
:00497A47 8D55F4                  lea edx, dword ptr [ebp-0C]
:00497A4A 8B83B4010000            mov eax, dword ptr [ebx+000001B4]
:00497A50 E853F6F7FF              call 004170A8
:00497A55 8B55F4                  mov edx, dword ptr [ebp-0C]
:00497A58 A1C01C4B00              mov eax, dword ptr [004B1CC0]
:00497A5D 59                      pop ecx
:00497A5E E8C141FFFF              call 0048BC24                ; <- Execute Call
:00497A63 84C0                    test al, al
:00497A65 0F84B5000000            je 00497B20      ; <- jump to the error message
:00497A6B 6A00                    push 00000000
:00497A6D 668B0D687B4900          mov cx, word ptr [00497B68]
:00497A74 B202                    mov dl, 02


5. Line 00497A65 holds the jump instruction to the error message that we were
   looking for (je 00497B20). We follow the function call just above it (call
   0048BC24) using [Execute Text/Execute Call].

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048BBBD(C)
|
:0048BC24 55                      push ebp                ; <- from call 0048BC24
:0048BC25 8BEC                    mov ebp, esp
:0048BC27 83C4F4                  add esp, FFFFFFF4
:0048BC2A 53                      push ebx
:0048BC2B 56                      push esi
:0048BC2C 57                      push edi
:0048BC2D 33DB                    xor ebx, ebx
:0048BC2F 895DF4                  mov dword ptr [ebp-0C], ebx
:0048BC32 894DF8                  mov dword ptr [ebp-08], ecx
:0048BC35 8955FC                  mov dword ptr [ebp-04], edx
:0048BC38 8BF0                    mov esi, eax
:0048BC3A 8B45FC                  mov eax, dword ptr [ebp-04]
:0048BC3D E8667DF7FF              call 004039A8
:0048BC42 8B45F8                  mov eax, dword ptr [ebp-08]
:0048BC45 E85E7DF7FF              call 004039A8
:0048BC4A 8B4508                  mov eax, dword ptr [ebp+08]
:0048BC4D E8567DF7FF              call 004039A8
:0048BC52 33C0                    xor eax, eax
:0048BC54 55                      push ebp
:0048BC55 684FBD4800              push 0048BD4F
:0048BC5A 64FF30                  push dword ptr fs:[eax]
:0048BC5D 648920                  mov dword ptr fs:[eax], esp
:0048BC60 33DB                    xor ebx, ebx
:0048BC62 8D55F4                  lea edx, dword ptr [ebp-0C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048BBF4(C)
|
:0048BC65 8B45FC                  mov eax, dword ptr [ebp-04]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048BC01(C)
|
:0048BC68 E857AEF7FF              call 00406AC4
:0048BC6D 8B45F4                  mov eax, dword ptr [ebp-0C]
:0048BC70 E87F7BF7FF              call 004037F4

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048BC0E(C)
|
:0048BC75 85C0                    test eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048BC06(C)
|
:0048BC77 0F8EAF000000            jle 0048BD2C
:0048BC7D 8D55F4                  lea edx, dword ptr [ebp-0C]
:0048BC80 8B45F8                  mov eax, dword ptr [ebp-08]
:0048BC83 E83CAEF7FF              call 00406AC4
:0048BC88 8B45F4                  mov eax, dword ptr [ebp-0C]
:0048BC8B E8647BF7FF              call 004037F4
:0048BC90 85C0                    test eax, eax
:0048BC92 0F8E94000000            jle 0048BD2C
:0048BC98 8D55F4                  lea edx, dword ptr [ebp-0C]
:0048BC9B 8B4508                  mov eax, dword ptr [ebp+08]
:0048BC9E E821AEF7FF              call 00406AC4
:0048BCA3 8B45F4                  mov eax, dword ptr [ebp-0C]
:0048BCA6 E8497BF7FF              call 004037F4
:0048BCAB 85C0                    test eax, eax
:0048BCAD 7E7D                    jle 0048BD2C
:0048BCAF 68FF3F0000              push 00003FFF
:0048BCB4 6800000080              push 80000000
:0048BCB9 6A00                    push 00000000
:0048BCBB 8D45F4                  lea eax, dword ptr [ebp-0C]
:0048BCBE E82DBEF7FF              call 00407AF0
:0048BCC3 8B55F4                  mov edx, dword ptr [ebp-0C]
:0048BCC6 8B86B0020000            mov eax, dword ptr [esi+000002B0]
:0048BCCC 83C04C                  add eax, 0000004C
:0048BCCF E8FC79F7FF              call 004036D0
:0048BCD4 8B9EB0020000            mov ebx, dword ptr [esi+000002B0]
:0048BCDA C6433C02                mov [ebx+3C], 02
:0048BCDE 8D432C                  lea eax, dword ptr [ebx+2C]
:0048BCE1 8B5508                  mov edx, dword ptr [ebp+08]
:0048BCE4 E8E779F7FF              call 004036D0
:0048BCE9 8B86B0020000            mov eax, dword ptr [esi+000002B0]
:0048BCEF 83C020                  add eax, 00000020
:0048BCF2 8B55FC                  mov edx, dword ptr [ebp-04]
:0048BCF5 E8D679F7FF              call 004036D0
:0048BCFA 8B86B0020000            mov eax, dword ptr [esi+000002B0]
:0048BD00 83C040                  add eax, 00000040
:0048BD03 8B55F8                  mov edx, dword ptr [ebp-08]
:0048BD06 E8C579F7FF              call 004036D0
:0048BD0B 8B86B0020000            mov eax, dword ptr [esi+000002B0]
:0048BD11 E8365BFFFF              call 0048184C
:0048BD16 3C04                    cmp al, 04
:0048BD18 0F94C3                  sete bl
:0048BD1B 84DB                    test bl, bl
:0048BD1D 740D                    je 0048BD2C
:0048BD1F 8B45F8                  mov eax, dword ptr [ebp-08]
:0048BD22 E8E174FFFF              call 00483208
:0048BD27 8BD8                    mov ebx, eax
:0048BD29 80F301                  xor bl, 01

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0048BC77(C), :0048BC92(C), :0048BCAD(C), :0048BD1D(C)
|
:0048BD2C 33C0                    xor eax, eax
:0048BD2E 5A                      pop edx
:0048BD2F 59                      pop ecx
:0048BD30 59                      pop ecx
:0048BD31 648910                  mov dword ptr fs:[eax], edx
:0048BD34 6856BD4800              push 0048BD56

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048BD54(U)
|
:0048BD39 8D45F4                  lea eax, dword ptr [ebp-0C]
:0048BD3C BA03000000              mov edx, 00000003
:0048BD41 E85A79F7FF              call 004036A0
:0048BD46 8D4508                  lea eax, dword ptr [ebp+08]    ; <- Breakpoint
:0048BD49 E83279F7FF              call 00403680
:0048BD4E C3                      ret


6. After a long search we arrive at line 0048BD46, set our breakpoint here with
   [F2], switch to DOWNLOAD BUTLER and enter arbitrary registration data:

   e.g. Name   : Dark Heaven
        Code   : 1122334455
        Special: 123456789


7. After the input is confirmed, W32DASM becomes active at the breakpoint and we
   can look at the contents of the individual registers.

   EDX = 00C57110: EDX+00000000 = Dark Heaven
                   EDX-00000018 = 1122334455
                   EDX+00000018 = 1122334455
                   EDX+00000030 = 2b5c8013   ( code?, no )
                   EDX+00000048 = 2a4b1823   ( code?, yes )
                   EDX+00000064 = 567656-2b5c8013-V12345678900-  ( internal? )


8. With the code we found we can register DOWNLOAD BUTLER and receive the
   success message "Thank you for registering Download Butler, please exit
   and restart.".

   e.g. Name   : Dark Heaven
        Code   : 2a4b1823
        Special: 123456789


9. After successful registration, DOWNLOAD BUTLER writes the following key to
   the registry:

   [HKEY_CURRENT_USER\Software\Lincoln Beach Software\Butler\Registration]
   "UserName"="Dark Heaven"
   "RegCode"="2A4B1823"
   "Special"="123456789"



Have fun CRACKING!
Dark Heaven
31.01.1999
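

Step 7 works because the program builds the valid code in its own memory and compares it with the input. The block below is an added example, not code from this tutorial or from Download Butler: it models that derive-and-compare pattern next to a check that only verifies a vendor signature with a public key. The derivation in weak_check, all function names and the demo key (toy textbook RSA over two Mersenne primes, standard library only) are assumptions; production code would use a vetted library with Ed25519 or RSA-PSS.

```python
import hashlib

# Constructed demo key pair (assumption): two well-known Mersenne primes so the
# block runs offline. They are trivially factorable; never use such a key.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public half: the only part a client ships
D = pow(E, -1, (P - 1) * (Q - 1))      # private half: stays on the vendor's machine


def weak_check(name: str, entered: str, scratch: dict) -> bool:
    """Derive-and-compare, the pattern observed at the breakpoint in step 7."""
    # Hypothetical derivation; the real program's algorithm is not on the page.
    expected = hashlib.sha256(name.encode()).hexdigest()[:8]
    scratch["expected"] = expected     # models the buffer next to the entered name
    return entered.lower() == expected


def _digest(name: str) -> int:
    """SHA-256 of the licensee name as an integer (always smaller than N)."""
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big")


def vendor_issue(name: str) -> str:
    """Vendor side only: sign the licensee name with the private exponent."""
    return format(pow(_digest(name), D, N), "x")


def signed_check(name: str, code: str) -> bool:
    """Client side: verify with (N, E); no valid code is ever computed locally."""
    try:
        sig = int(code, 16)
    except ValueError:
        return False
    return 0 <= sig < N and pow(sig, E, N) == _digest(name)
```

With weak_check, a wrong guess still leaves the accepted code in the scratch buffer; with signed_check, the process only ever holds the public key and the candidate code, so a memory dump yields nothing that passes verification.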


