By chance I took a closer look at this program and decided to write a small tutorial. It is not a very original program and finding the number takes a couple of seconds, but it contains a couple of curiosities, or rather stupidities. So run the program and find where the serial number is entered. Type in some favourite data of your own and switch to SoftIce. Set the standard breakpoint; in this case the API GetDlgItemTextA does the job: bpx GetDlgItemTextA, Ctrl+D, and then press OK. SoftIce will break on the first call of GetDlgItemTextA. The function is called three times, so after each one we leave User32 with F11 (step out to the caller) and arrive at this piece of code:
014F:00412CF2 8D8DF0FEFFFF    LEA ECX, [EBP-0110]          ; <-- we land here after F11; ECX = first input buffer
014F:00412CF8 8B35F0474300    MOV ESI, [KERNEL32!lstrlen]  ; lstrlen is used to check the length of the input
014F:00412CFE 51              PUSH ECX
014F:00412CFF FFD6            CALL ESI                     ; EAX = length of the first buffer
014F:00412D01 85C0            TEST EAX, EAX
014F:00412D03 7528            JNZ 00412D2D                 ; first buffer not empty -> skip the copy below
014F:00412D05 8D852CFFFFFF    LEA EAX, [EBP-00D4]          ; EAX = second input buffer
014F:00412D0B 50              PUSH EAX
014F:00412D0C FFD6            CALL ESI                     ; EAX = length of the second buffer
014F:00412D0E 85C0            TEST EAX, EAX
014F:00412D10 741B            JZ 00412D2D                  ; both empty -> nothing to copy
014F:00412D12 8D852CFFFFFF    LEA EAX, [EBP-00D4]
014F:00412D18 8D8DF0FEFFFF    LEA ECX, [EBP-0110]
014F:00412D1E 50              PUSH EAX
014F:00412D1F 51              PUSH ECX
014F:00412D20 FF15E8474300    CALL [KERNEL32!lstrcat]      ; lstrcat(first, second): second buffer appended to the (empty) first
014F:00412D26 C6852CFFFFFF00  MOV BYTE PTR [EBP-00D4], 00  ; second buffer cleared
014F:00412D2D 8D85F0FEFFFF    LEA EAX, [EBP-0110]
014F:00412D33 50              PUSH EAX
014F:00412D34 FFD6            CALL ESI                     ; EAX = length of the first buffer again
014F:00412D36 85C0            TEST EAX, EAX
014F:00412D38 0F8454010000    JZ 00412E92                  ; still empty -> reject
The addresses in EAX and ECX keep changing, text is copied around in memory and so on; none of that matters at this point. Trace the program step by step (F10) until you reach this fragment of code:
014F:00412E12 7413            JZ 00412E27                  ; if set, the check below is skipped entirely
014F:00412E14 8D45F4          LEA EAX, [EBP-0C]            ; EAX = buffer holding our text
014F:00412E17 50              PUSH EAX
014F:00412E18 E81D0D0000      CALL 00413B3A                ; turns the text into a number in EAX
014F:00412E1D 83C404          ADD ESP, 04
014F:00412E20 3D41BC1316      CMP EAX, 1613BC41            ; compare with a hard-coded constant
014F:00412E25 756B            JNZ 00412E92                 ; not equal -> reject
014F:00412E27 81EC8C000000    SUB ESP, 0000008C            ; registered path
014F:00412E2D 8DB568FFFFFF    LEA ESI, [EBP-0098]
This looks interesting: at last a concrete function call, CALL 00413B3A, followed by a check of EAX and a conditional jump. If we flip the zero flag at the JNZ 00412E92 (r fl z in SoftIce) and continue, the program shows the window about being registered. So this is the place to dig. Back to the CALL: it would be nice to look inside it, since in theory it does something with our number, but it is not worth the trouble. It quickly turns out that what matters is CMP EAX, 1613BC41: looking at EAX after the call, the number we typed is sitting there. So the whole thing is primitive: the correct code is 1613BC41 (the value as SoftIce displays it, in hexadecimal; if CALL 00413B3A turns out to read the text as decimal, the equivalent entry is 370392129). That is all: type this code into the dialog and the program is registered. Pretty stupid; the whole check could be done in a few lines of code, without the length checking and so on.
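To make the logic of the two listings explicit, here is an added C reconstruction (my code, written for this page; it is not the program's source, which is a Win32 binary). It decodes the constant from the CMP bytes shown in the listing, mirrors the lstrlen/lstrcat block, and performs the final compare. Assumptions: the names decode_cmp_eax_imm32, normalize_fields and serial_ok are mine; the base in which CALL 00413B3A parses the text is not shown on the page, so it is a parameter; and the listing does not show how the buffer at [EBP-0110] reaches [EBP-0C], so the two steps are kept as separate functions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Immediate from "CMP EAX, 1613BC41" at 00412E20 in the listing. */
#define EXPECTED_SERIAL 0x1613BC41u

/* The CMP EAX,imm32 bytes as they appear in the listing: 3D 41 BC 13 16.
 * Opcode 3D is followed by the immediate in little-endian order, which is
 * where the constant 1613BC41 comes from. Returns 1 on success. */
int decode_cmp_eax_imm32(const uint8_t *code, size_t len, uint32_t *imm)
{
    if (len < 5 || code[0] != 0x3D)
        return 0;
    *imm = (uint32_t)code[1]
         | ((uint32_t)code[2] << 8)
         | ((uint32_t)code[3] << 16)
         | ((uint32_t)code[4] << 24);
    return 1;
}

/* Reconstruction of 00412CF2..00412D38: field1 is the buffer at [EBP-0110],
 * field2 the buffer at [EBP-00D4]. If field1 is empty and field2 is not,
 * field2 is appended to field1 (lstrcat) and field2 is cleared. Returns 0
 * when field1 is still empty afterwards (the JZ 00412E92 reject path).
 * lstrcat itself has no bound; the cap1 check is added here for safety. */
int normalize_fields(char *field1, size_t cap1, char *field2)
{
    if (strlen(field1) == 0 && strlen(field2) != 0) {
        if (strlen(field2) >= cap1)
            return 0;
        strcat(field1, field2);
        field2[0] = '\0';
    }
    return strlen(field1) != 0;
}

/* Reconstruction of 00412E14..00412E25: the text is turned into a number
 * and compared with the constant. The base is an assumption (10 for an
 * atoi-like routine, 16 if CALL 00413B3A reads hex digits). */
int serial_ok(const char *serial, int base)
{
    char *end = NULL;
    unsigned long value = strtoul(serial, &end, base);
    if (end == serial || *end != '\0')   /* not a clean number */
        return 0;
    return (uint32_t)value == EXPECTED_SERIAL;
}

int main(void)
{
    const uint8_t cmp_bytes[] = { 0x3D, 0x41, 0xBC, 0x13, 0x16 };
    uint32_t imm = 0;

    if (decode_cmp_eax_imm32(cmp_bytes, sizeof cmp_bytes, &imm))
        printf("CMP EAX, %08X -> serial = %u (decimal) / %X (hex)\n",
               imm, imm, imm);

    char field1[64] = "";
    char field2[64] = "370392129";          /* constructed sample input */
    if (normalize_fields(field1, sizeof field1, field2))
        printf("field1 = \"%s\": decimal check %s, hex check of 1613BC41 %s\n",
               field1,
               serial_ok(field1, 10) ? "ok" : "bad",
               serial_ok("1613BC41", 16) ? "ok" : "bad");
    return 0;
}
```

Build with any C compiler (gcc check.c -o check) and run it; the decoded constant is the same number the SoftIce CMP shows, and serial_ok accepts it in whichever base you pass.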
One interesting thing is that all the information is stored in bcr32.dll, which is rather rare; probably the author likes neither ini files nor the registry.
Have fun.
GustawKit