Name     : MP3-Wolf
Version  : 1.04
Editor   : Trellian
Target   : mwolf32.exe
s/n saved: mwolf.ini
Tools    : W32Dasm, Softice, Brain
Cracker  : LW2000
Tutorial : No.26
http://www.trellian.com/mwolf

---
DISCLAIMER
For educational purposes only! I hold no responsibility for the misuse of this material!
---

1. We go to the regscreen and enter the details.

   Registration Name: LW2000
   Serial Number    : 1230099

   *BOOM* We get an error message saying that our code is not correct. What the hell is this? Seems that we found a bug... ;) Let's fix it.

2. Load W32Dasm with mwolf32.exe, click on the SDR (String Data References) and go to our string. Ok, you should be here now:

:00403541 E8DC9D0000       call 0040D322            <<-- Serial Check routine
:00403546 59               pop ecx
:00403547 85C0             test eax, eax
:00403549 59               pop ecx
:0040354A 7518             jne 00403564             <<-- Check
:0040354C 6A30             push 00000030

* Possible StringData Ref from Data Obj ->"Invalid Registration"
                                  |
:0040354E 68245B4100       push 00415B24

* Possible StringData Ref from Data Obj ->"Invalid Registration Name or Serial "

3. To see where the error message is coming from, we scroll a bit up. In call 0040D322 our fake serial is compared to the correct one. If they differ, eax=0; otherwise eax=1. Mhmm, ok, let's leave W32Dasm and start Softice. Go to the regscreen again.

   Registration Name: LW2000
   Serial Number    : 1230099

   Press [ctrl]+[d] to switch to Softice and type 'bpx hmemcpy'. Press F5 to return to the app. Press OK. *BOOM* Sice pops up. Press F11 to get to the caller. Now press F12 until you are in the program code.

4. 'bc *' and then set a breakpoint on 0040D322. Press F5. *Boom* Now we are here:

:0040D322 55               push ebp
:0040D323 8BEC             mov ebp, esp
:0040D325 83EC30           sub esp, 00000030
:0040D328 8B450C           mov eax, dword ptr [ebp+0C]
:0040D32B 53               push ebx
:0040D32C 56               push esi
:0040D32D 57               push edi
:0040D32E 85C0             test eax, eax
:0040D330 0F840F010000     je 0040D445
:0040D336 8B5D08           mov ebx, dword ptr [ebp+08]
:0040D339 85DB             test ebx, ebx
:0040D33B 0F8404010000     je 0040D445
:0040D341 80384D           cmp byte ptr [eax], 4D        <<-- 1. Char = 4D = 'M' ?
:0040D344 0F85FB000000     jne 0040D445
:0040D34A 80780157         cmp byte ptr [eax+01], 57     <<-- 2. Char = 57 = 'W' ?
:0040D34E 0F85F1000000     jne 0040D445
:0040D354 6A13             push 00000013
:0040D356 50               push eax
:0040D357 8D45E4           lea eax, dword ptr [ebp-1C]
:0040D35A 50               push eax
:0040D35B E849A1FFFF       call 004074A9
:0040D360 83C40C           add esp, 0000000C
:0040D363 8D45E4           lea eax, dword ptr [ebp-1C]
:0040D366 6A2D             push 0000002D                 <<-- 3. Char = 2D = '-'
:0040D368 50               push eax
:0040D369 E8120D0000       call 0040E080
:0040D36E 8BF0             mov esi, eax
:0040D370 59               pop ecx
:0040D371 85F6             test esi, esi
:0040D373 59               pop ecx
:0040D374 89750C           mov dword ptr [ebp+0C], esi
:0040D377 0F84C8000000     je 0040D445                   <<-- 3. Char = 2D = '-' ?
:0040D37D 802600           and byte ptr [esi], 00
:0040D380 8D45F8           lea eax, dword ptr [ebp-08]

5. If one of these checks is not true, the proggy jumps to 0040D445, and here:

:0040D445 33C0             xor eax, eax                  <<-- eax=0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D443(U)
|
:0040D447 5F               pop edi
:0040D448 5E               pop esi
:0040D449 5B               pop ebx
:0040D44A C9               leave
:0040D44B C3               ret                           <<-- ret with eax=0 !!!

6. Ok, we don't want to fail... Let's enter as serial. Then we trace through the code again... A long time later, we see this:

:0040D41E 68F47A4100       push 00417AF4
:0040D423 8D45D0           lea eax, dword ptr [ebp-30]
:0040D426 6A14             push 00000014
:0040D428 50               push eax
:0040D429 E872040000       call 0040D8A0
:0040D42E 83C410           add esp, 00000010
:0040D431 46               inc esi
:0040D432 8D45D0           lea eax, dword ptr [ebp-30]   <<-- d eax

   Ok, we see a number, but what can we do with it? Mhmm, we take the string "MW-" and then complete it with the new number we found out!

7. Let's try again to register! Congratulations! You are a registered user.

FINISH! Easy, isn't it?

cu LW2000

Any comments? Mail me LW2000@gmx.net !!!

----
tKC, thx for your tutors! I started with tutor 1 and I still read them... they are the best!