Name    : Lockdown 2000
Version : 3.01
Editor  : LockDown Corp
Target  : Lockdown2000.exe
Tools   : W32Dasm, Softice, Brain
Cracker : LW2000
Tutorial: No.48
URL     : http://lockdown2000.com

---
DISCLAIMER
For educational purposes only! I hold no responsibility for the misuse of this material!
---

1. Ok, start Lockdown, go to the reg screen and type 1230099 as serial.
   *BOOM* 'The unlock code you have entered '. What the hell is this?
   Seems that we found a bug... ;) Let's fix it.
   Load the file in W32Dasm and go to our string. (You should know how to
   do this - if not, read my tut No.1 first.. ;)

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:004C4BAC(U)      <-- here we go
   |
   :004C4BB0 84DB                  test bl, bl
   :004C4BB2 7523                  jne 004C4BD7
   :004C4BB4 6A00                  push 00000000
   :004C4BB6 668B0DE44C4C00        mov cx, word ptr [004C4CE4]
   :004C4BBD 33D2                  xor edx, edx

   * Possible StringData Ref from Code Obj ->"The unlock code you have entered"

2. Fine, let's go to :004C4BAC and take a look at the code:

   :004C4BA2 58                    pop eax
   :004C4BA3 E894F4F3FF            call 0040403C      <- reg check routine
   :004C4BA8 7504                  jne 004C4BAE
   :004C4BAA B301                  mov bl, 01
   :004C4BAC EB02                  jmp 004C4BB0

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:004C4BA8(C)
   |
   :004C4BAE 33DB                  xor ebx, ebx

3. Ok, let's see what's inside the call 0040403C.
   * Referenced by a CALL at Addresses:
   |
   :0040403C 53                    push ebx
   :0040403D 56                    push esi
   :0040403E 57                    push edi
   :0040403F 89C6                  mov esi, eax       <- Mov serial1 to esi
   :00404041 89D7                  mov edi, edx       <- Mov serial2 to edi
   :00404043 39D0                  cmp eax, edx       <- CMP them =)
   :00404045 0F848F000000          je 004040DA
   :0040404B 85F6                  test esi, esi
   :0040404D 7468                  je 004040B7
   :0040404F 85FF                  test edi, edi
   :00404051 746B                  je 004040BE
   :00404053 8B46FC                mov eax, dword ptr [esi-04]
   :00404056 8B57FC                mov edx, dword ptr [edi-04]
   :00404059 29D0                  sub eax, edx
   :0040405B 7702                  ja 0040405F
   :0040405D 01C2                  add edx, eax

4. Ok, write 00404043 down. Exit W32Dasm and start Lockdown.
   Press [ctrl]+[d] to switch to SoftICE and set a breakpoint on 00404043:
   'bpx 00404043'
   Then press F5 to continue and try to register. *BOOM* SoftICE pops up.
   Now type 'd eax' and 'd edx'. You see your fake serial and the correct one.
   Write it down, kill the bpxs (bc *) and give it a try!
   Congratulations! You are a registered user.

FINISH! Easy, isn't it?

cu LW2000

Any comments? Mail me LW2000@gmx.net or go to http://www.LW2000.cjb.net

----
tKC, thx for your tutors! I started with tutor 1 and I still read them... they are the best!
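As an added illustration (not code from this tutorial or from Lockdown 2000) of why the breakpoint at the compare works: check_weak() recreates the pattern at 0040403C, where the genuine code and the typed code sit side by side in memory at the moment of comparison; the second variant stores only a salted digest of the code, so the same breakpoint shows two digests and nothing reusable. All names, the salt and the sample code are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample values for this example, not Lockdown 2000's real code or salt.
SAMPLE_CODE = "1230099-DEMO"
BUILD_SALT = b"constructed-per-product-salt"


def check_weak(entered: str, valid_code: str) -> bool:
    """The pattern the tutorial breaks on: the genuine unlock code is built
    in memory and compared byte for byte with the user's input, so stopping
    on the compare (the 'cmp eax, edx' above) shows both strings."""
    return entered == valid_code


def issue_digest(code: str) -> str:
    """Vendor side, at build or issue time: derive the value the binary will
    ship with. Only this digest is stored; the code itself never is."""
    return hashlib.sha256(BUILD_SALT + code.encode()).hexdigest()


def check_hardened(entered: str, stored_digest: str) -> bool:
    """Runtime check: hash the input and compare digests in constant time.
    A debugger stopped on this compare sees two digests, neither of which
    is a usable code. Caveats: the check still ends in one conditional
    branch (see the jne after the call in step 2), which hashing does not
    remove, and the digest of a short numeric code can be brute-forced
    offline, so the code itself needs real entropy."""
    digest = hashlib.sha256(BUILD_SALT + entered.encode()).hexdigest()
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    shipped = issue_digest(SAMPLE_CODE)   # the only value the binary carries
    print("weak, wrong input    :", check_weak("1230099", SAMPLE_CODE))
    print("hardened, wrong input:", check_hardened("1230099", shipped))
    print("hardened, right input:", check_hardened(SAMPLE_CODE, shipped))
```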