How to find the password for David's Backgammon

by DABERT

Tutorial# 1



David's Backgammon
Version: 2.7.7
Size: 458 KB
Type of software: Shareware

Author: David Byrum
David's Backgammon Home Page
http://members.aol.com/WinGammon/backgammon/

Tools used: SoftICE 3.25
Type of protection: serial [three-letter password]

David's Backgammon is an excellent version of the classic board game played against a friend or a computer opponent.
David's Backgammon lets you get advice on moves and the doubling cube, take back moves and doubles of the cube, pick up more than one piece at a time, display the best moves, set up any board situation, change board colors or create your own, choose from multiple board sizes, keep statistics on up to four pairs of players, and more. You can choose from five skill levels for your computer opponent, so all players from beginner to advanced can enjoy the game. It also features an extensive help system including rules of the game, tournament play, an easy-to-use interface with great graphics, sound effects, and more.

Limitations in downloadable version:
You cannot save games, and you are able to finish only about half of the games. Well, we're going to fix that, aren't we?

First of all, unzip the game to a directory of your choice and run it. A little dialog pops up saying that this is a demo version and that you can only finish about half the games you play unless you send the author the three letters shown and $20, so you can receive an unlock code that makes the game fully functional. Click the OK button, then click REGISTRATION on the menu bar and go down to ENTER PASSWORD. Enter any three letters [I entered dab] but don't click OK yet. Enter SoftICE [ctrl-d] and put a breakpoint on HMEMCPY: just type bpx hmemcpy and hit return, then ctrl-d again to get out of SoftICE and return to the game. Now you can hit the OK button and you should be back in SoftICE.

KERNEL!HMEMCPY
012F:9E18  55                  PUSH    BP    <-------- WE LAND HERE
012F:9E19  8BEC                MOV     BP,SP
012F:9E1B  1E                  PUSH    DS
012F:9E1C  6657                PUSH    EDI
012F:9E1E  6656                PUSH    ESI
012F:9E20  FC                  CLD
012F:9E21  668B4E06            MOV     ECX,[BP+06]
012F:9E25  67E377              JECXZ   9E9F                          
012F:9E28  6633F6              XOR     ESI,ESI
012F:9E2B  668BFE              MOV     EDI,ESI
012F:9E2E  C5760A              LDS     SI,[BP+0A]
012F:9E31  C47E0E              LES     DI,[BP+0E]
012F:9E34  668B460A            MOV     EAX,[BP+0A]
012F:9E38  663B460E            CMP     EAX,[BP+0E]
012F:9E3C  734E                JAE     9E8C      

Now we'll disable the breakpoint we set: type bd 00 and hit return.
We don't want to be here, so press F11 to get out of this function and we should end up here.

17C7:0B40  9A189E2F01          CALL    KERNEL!HMEMCPY
17C7:0B45  FF35                PUSH    WORD PTR [DI]    <-------- WE LAND HERE 
17C7:0B47  9AB0013701          CALL    KERNEL!LOCALUNLOCK
17C7:0B4C  8BC6                MOV     AX,SI
17C7:0B4E  5E                  POP     SI
17C7:0B4F  5F                  POP     DI
17C7:0B50  C9                  LEAVE
17C7:0B51  C20A00              RET     000A

We don't want to be here either, so press F12 four times, then F10 a number of times until we end up at the piece of code below. You should see DGAMMON!CODE+000214e1 at the bottom of the code window. F10 all the way down to the line I've marked WE WANT TO FOLLOW THIS CALL.

014F:004224E1  E8937D0400          CALL    USER32!SendDlgItemMessageA
014F:004224E6  0FBFD6              MOVSX   EDX,SI             <--------WE LAND HERE
014F:004224E9  C64415F500          MOV     BYTE PTR [EDX+EBP-0B],00    
014F:004224EE  6A01                PUSH    01
014F:004224F0  53                  PUSH    EBX
014F:004224F1  8B4B0C              MOV     ECX,[EBX+0C]
014F:004224F4  FF5120              CALL    [ECX+20]
014F:004224F7  83C408              ADD     ESP,08
014F:004224FA  8B4319              MOV     EAX,[EBX+19]
014F:004224FD  0584CE0000          ADD     EAX,0000CE84
014F:00422502  8D55F4              LEA     EDX,[EBP-0C]
014F:00422505  50                  PUSH    EAX
014F:00422506  52                  PUSH    EDX
014F:00422507  FF7319              PUSH    DWORD PTR [EBX+19]
014F:0042250A  E83579FFFF          CALL    00419E44    <--------WE WANT TO FOLLOW THIS CALL

Press F8 on the line I've marked WE WANT TO FOLLOW THIS CALL and we should end up at the following piece of code.

014F:00419E44  53                  PUSH    EBP    <--------WE LAND HERE
014F:00419E45  8BEC                MOV     EBP,ESP
014F:00419E47  51                  PUSH    ECX
014F:00419E48  53                  PUSH    EBX
014F:00419E49  8B4508              MOV     EAX,[EBP+08]
014F:00419E4C  8D55FC              LEA     EDX,[EBP-04]
014F:00419E4F  52                  PUSH    EDX
014F:00419E50  FF7510              PUSH    DWORD PTR [EBP+10]
014F:00419E53  50                  PUSH    EAX
014F:00419E54  E81D020000          CALL    0041A076
014F:00419E59  83C40C              ADD     ESP,0C
014F:00419E5C  8B5D0C              MOV     EBX,[EBP+0C]
014F:00419E5F  53                  PUSH    EBX    <--------OUR FAKE PASSWORD
014F:00419E60  8D45FC              LEA     EAX,[EBP-04]
014F:00419E63  50                  PUSH    EAX    <--------THE GOOD PASSWORD 
014F:00419E64  E8EC000500          CALL    KERNEL32!lstrcmp
014F:00419E69  85C0                TEST    EAX,EAX
014F:00419E6B  7507                JNZ     00419E74                  
014F:00419E74  33C0                XOR     EAX,EAX
014F:00419E76  5B                  POP     EBX
014F:00419E77  59                  POP     ECX
014F:00419E78  5D                  POP     EBP
014F:00419E79  C3                  RET

Now if you sit on PUSH EBX and do d ebx, you will see your fake password in the data window. F10 down to PUSH EAX and do d eax, and you will see the correct password in the data window. Make sure you write your three-letter password down, then ctrl-d to get out of SoftICE. Now enter what you found and you will have a fully functional copy of David's Backgammon, for evaluation of course.
I don't have to tell you that if you want to keep this game, please send David the $20 he's asking for this excellent backgammon game. He's gone to a lot of trouble to make this one of the best around.
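The weakness this walk-through exploits is a design one: the program builds the correct code in a buffer at [EBP-04] and hands it, together with the user's input, to lstrcmp, so at the moment of the compare the real code sits in plain view. The following C example is added here for the defender's side of that point; it is not code from David's Backgammon or its author. It assumes a constructed placeholder code "XYZ", uses strcmp as a stand-in for lstrcmp and a memcpy as a stand-in for the routine at 0041A076, and contrasts that pattern with a check that stores only a one-way digest of the code, so the correct string never has to exist in memory. The FNV-1a hash is illustrative only, not a cryptographic choice.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed placeholder for the three-letter unlock code; the real
 * code of David's Backgammon is deliberately not reproduced here. */
#define DEMO_CODE "XYZ"

/* The pattern seen in the tutorial's disassembly: the correct code is
 * materialised in a local buffer and compared against the user's input.
 * Both operands are in memory at the compare, so a breakpoint on the
 * string-compare call exposes the correct code directly. */
int check_plaintext(const char *input)
{
    char expected[4];
    memcpy(expected, DEMO_CODE, sizeof expected); /* stand-in for 0041A076 */
    return strcmp(input, expected) == 0;          /* stand-in for lstrcmp  */
}

/* 32-bit FNV-1a: a one-way function good enough to show the idea. */
uint32_t fnv1a32(const char *s)
{
    uint32_t h = 0x811C9DC5u;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 0x01000193u;
    }
    return h;
}

/* Only the digest of the correct code is embedded in the program. */
#define DEMO_CODE_DIGEST 0x077C0000u /* fnv1a32("XYZ"), precomputed */

/* Equality test with no byte-by-byte early exit (memcmp/strcmp stop at
 * the first mismatch); the final test may still be compiled as a branch. */
static int ct_equal32(uint32_t a, uint32_t b)
{
    uint32_t x = a ^ b;
    x |= x >> 16;
    x |= x >> 8;
    return (x & 0xFFu) == 0;
}

/* Hardened form: hash the input and compare digests. There is no buffer
 * holding the real code for a debugger to dump beside the compare. */
int check_hashed(const char *input)
{
    return ct_equal32(fnv1a32(input), DEMO_CODE_DIGEST);
}

int main(void)
{
    const char *tries[] = { "dab", "XYZ" };
    for (int i = 0; i < 2; i++)
        printf("%s: plaintext=%d hashed=%d\n", tries[i],
               check_plaintext(tries[i]), check_hashed(tries[i]));
    return 0;
}
```

Storing a digest removes the "dump the other operand of the compare" weakness but nothing more: a three-letter code has only 26^3 = 17,576 possibilities, so a check of this shape is weak regardless of how the comparison is done. A registration scheme that is meant to hold up binds the code to the buyer's name or machine and verifies it with a real cryptographic primitive (a signature or keyed MAC), and accepts that anyone with a debugger can still patch the branch after the compare.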

This tutorial is for educational purposes only and should not be used to steal software.

Many thanks
go to all the crackers out there who find the time to help people like myself learn the ART of reverse engineering.

SeeYa
DABERT