------------------ Beating the program with its own weapons ------------------

Hello all! Welcome to this short solution on how to get the serial number with the program's own routines. The method I'll describe here isn't used very often, although it has the same effect as a keygen and is easier to do.

part 1 ----------------- theory -----------------

We're going to wait until the program calculates our serial, then move the calculated serial to another place in memory (otherwise it would get overwritten by some other stuff), and finally we patch the message box to tell us the serial instead of the "wrong serial....." message. That's all. Easy, eh?

part 2 --------------- war ---------------

Since I want to keep this article short, I'm not going to show you how I found the places. Just the facts:

a.) We need the place where the serial is converted so it can be shown in a message box, and moved to a memory location (note: that's not the place where it's calculated!). The program uses wsprintfA to do this. This is the call to the routine:

0043480D 8D8500FEFFFF   lea eax, dword ptr [ebp+FFFFFE00]
00434813 57             push edi
00434814 50             push eax
00434815 E862FFFFFF     call 0043477C

The first line loads the pointer to the text buffer where the converted serial number gets written to ([ebp+FFFFFE00] = [ebp-200]). As I said before, we have to change that pointer or the serial will get overwritten by some crap. So take SoftICE, break on that address (0043480D) and assemble it to 'lea eax, dword ptr [ebp-150]'. Remember that location [ebp-150], we'll need it again.

b.) We need the place where everything gets pushed for the message box:

0041FC44 8D8580FBFFFF   lea eax, dword ptr [ebp+FFFFFB80]
0041FC4A 56             push esi
0041FC4B 50             push eax
0041FC4C FF7508         push [ebp+08]
0041FC4F E873FFFFFF     call 0041FBC7

The first line (lea...) puts a pointer to the string "Registering information is invalid" or something like that into eax. Guess what we do? Yes, we change that pointer to the location we've put the real serial to.
Important thing: ebp has changed its value (4 bytes), so move to that line (lea...) and assemble it to 'lea eax, [ebp-154]'. Press F5 and you'll get a nice message box telling you the real serial. Now, if you wish, make it static with a hex editor and enjoy life. Don't forget to buy the proggie if you want to use it, because shareware authors are our source.

NOTE: There are two levels of protection. You can choose to register as "Standard" or as "Professional". Using the same method as above, you just need to change the other location.

Greetings to all I know. Special thanks, in no order, to Volatility, Lord Soth, Lucifer48, Acid_burn, WarezPup, icecream, Tornado, RevX, Lazarus, ....

Contact me through email: alpine@ImmortalDescendants.com or visit us at: www.ImmortalDescendants.com
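The whole trick above works because the program derives the correct serial itself and formats it into a stack buffer that can be redirected. As an added example (not from this tutorial or the program it describes), the Go code below shows that generate-and-compare pattern next to a signature-based check in which the client only verifies and never computes a valid serial, so there is no correct value in memory to redirect; the toy derivation, the key handling and the base32 serial encoding are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base32"
	"fmt"
)

// Constructed toy rule: serial = first 4 bytes of SHA-256(name) as hex.
// Anything the client can compute like this, a debugger can read back.
func expectedSerial(name string) string {
	sum := sha256.Sum256([]byte(name))
	return fmt.Sprintf("%X", sum[:4])
}

// CheckSerialWeak is the pattern the tutorial abuses: the valid serial is
// formatted into a buffer (the role of [ebp-200]) and only then compared.
func CheckSerialWeak(name, serial string) bool {
	buf := expectedSerial(name) // valid serial now sits in process memory
	return buf == serial
}

// IssueSerial runs on the vendor's side only; the private key never ships.
func IssueSerial(priv ed25519.PrivateKey, name string) string {
	return base32.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(name)))
}

// CheckSerialSigned needs only the public key, which can sit in the binary.
// The client verifies but cannot produce a serial, so redirecting a buffer
// or patching the compare yields nothing reusable.
func CheckSerialSigned(pub ed25519.PublicKey, name, serial string) bool {
	sig, err := base32.StdEncoding.DecodeString(serial)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, []byte(name), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stand-in vendor key pair
	fmt.Println("weak:  ", CheckSerialWeak("alpine", expectedSerial("alpine")))
	s := IssueSerial(priv, "alpine")
	fmt.Println("signed:", CheckSerialSigned(pub, "alpine", s),
		CheckSerialSigned(pub, "someone else", s))
}
```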