How to crack using w32dasm

Name: 5 or More
Version: v2.0
Operating System: Windows 95
Cracker: josephCo [ME'97/C4N]
Level: Beginner
Where: http://www.midstream.com
Size: 170,008 bytes
Type: Name/Serial Number, where the Serial Number is built in.

In this little tute I am going to try to show you how it is possible to get serials from proggies
just using the dead-listing approach. The name of this proggie is 5ORMORE. I really don't
have a clue as to what it does, but let's crack it anyway!

OK, let me say that you will find this tute easier to follow if you print it.
The tools needed for this are: W32DASM 8.9 (however, any version should work)

HERE ARE A FEW INSTRUCTIONS YOU WILL NEED TO KNOW

XOR EAX, EAX                 this clears eax, i.e. it makes eax=0
CMP BYTE PTR [EAX+X], 31     this compares the byte at address eax+X with 31h (with X=0 that is the first byte at eax)
JNE                          jump if not equal
JE                           jump if equal
TEST EAX, EAX                does eax=0?
also note that anything inside [ ] is a memory address

I have placed the code at the end so you can see all of it at one time.

First of all we start up w32dasm and load 5ormore.exe into it (this is done by clicking on "open
file to disassemble"). Now let's look for some reference to the program being registered..... we find both "Successfull registration, Thank" and "Invalid serial number"

Please note that if you are not sure how to find these then click on "Refs" and select "string
data references"; you should see a little list of phrases and words.

Now double click on "Successfull registration, Thank". You can now exit from the string data
references list (hit the X at the top right of THAT box).

When you look at the code, you should be on line 4060c3 (if you can't see words, then
change the fonts you are using). Now scroll up the screen until you are on line 40608e.
This line should be a call..... and right above it is "KERNEL32.lstrlenA". This call goes to
the API lstrlenA, which calculates the length of a string (here, whatever the user typed in).
We can't follow that call, because the code for it lives in Windows (KERNEL32) and not in 5ormore.exe.

Now look at the code here: what do you see? Well.... we see 3 different TEST EAX, EAX,
and those are used to see if eax=0 or not. I won't go into how or why, but that is what the test
does, and below each TEST EAX, EAX is a conditional jump.

TEST EAX, EAX                 is eax=0?
JE 406XXX                     if equal then jump

If you pay special attention, you will notice that all of those jumps skip over our desired
destination (thank you for registering). What do we do? you may ask. Well, we need to see
where eax is set to zero (this is done by XOR EAX, EAX or MOV EAX, 00000000 and a few other
ways also)..... You may be asking "How do I find out where it is set?" The answer is
"FOLLOW THE CALLS !!!!!!"

But which calls do we want to follow? Like I said, all of those conditional jumps SKIP our
destination, so we follow the CALLS just before each test. Now let's THINK for a sec here.
hhmmm "If the first test is bad then we skip all of the others, and since the first one is
lstrlenA, which is an API, we can't follow that one.... so we need to go to the next one!!"

That leads us to line 40609c. When you are on it, go to the top and select "EXECUTE CALL" by clicking on the call button. Now we are on line 405eef.

What do we see?   WOW!!!!!!  we see a lot of compares and jne (jump if not equal)... this could
be a good place... but what does all of this shit mean?

mov eax, dword ptr [esp+04]     <---- loads something from memory address esp+04; we don't know
                                      exactly what, but we will say it is our serial
test eax, eax                   <---- it is tested to see if there is anything inside
je 00405F31                     <---- (does eax=00000000)? If so, then jump
cmp byte ptr [eax], 31          <---- does the first byte at [eax] = 31h? Since we are assuming
jne 00405F31                          that eax points to our serial number, its first byte is being
                                      checked to see if it is 31h. When we convert 31h to ASCII
                                      (look it up on your chart) we get the number 1!!!!!! If the
                                      first byte is not a 1 then the jne goes to line 00405f31,
                                      which is a XOR EAX,EAX.
cmp byte ptr [eax+01], 36       <---- byte ptr [eax+1] points to the 2nd byte at [eax], so if the
jne 00405F31                          bytes at memory location eax ------> [eax] were 87654321,
                                      the 2nd byte would be a 7.
cmp byte ptr [eax+02], 31       <---- byte ptr [eax+2] points to the 3rd byte, which is a 6 in
jne 00405F31                          our example.
cmp byte ptr [eax+03], 33       <---- I hope you get the point.... so anyway, assuming that all of
jne 00405F31                          the compares come out equal, the first four bytes at [eax]
...........                           should be 1613.
.........
.....


I have given you the first four numbers... I leave the rest up to you... (I have commented them
at the end of the tute.)
Once you have figured out what all the numbers are, write them down!!!
You will need them.. hehe

hmm now what?   Do we try those numbers or look around more?
Well since we can run the program while we have w32dasm running, lets try them!!!

heheheh hahahahha IT WORKS!!!!

If the serial you entered didn't work, we have a little problem. You either looked up the wrong
number or wrote them down wrong.
If this was another program and the numbers you wrote down didn't work, then we would trace
a little farther to see if we could see anything interesting.

REMEMBER: this type of protection isn't used very often, so your chances of finding another
program like it are very slim. However, I encourage you to look around for one.

If you have any questions, feel free to stop by #cracking4newbies on IRC (EFNET);
this is done by typing /j #cracking4newbies right after you connect to IRC :)

Good Luck, 
Happy cracking :)         josephCo

-------------------------------------------------------------------------------------------------------------------------
* Reference To: KERNEL32.lstrlenA, Ord:0275h
:0040608E FF155C134100            Call dword ptr [0041135C]
:00406094 85C0                    test eax, eax                  <---- did the user enter any data?
:00406096 747B                    je 00406113                    <---- if not, jump to the messagebox
:00406098 8D45F0                  lea eax, dword ptr [ebp-10]
:0040609B 50                      push eax
:0040609C E84EFEFFFF              call 00405EEF                  <---- WE FOLLOW THIS CALL!!!!!!!!!!
:004060A1 83C404                  add esp, 00000004
:004060A4 85C0                    test eax, eax                  <---- is eax=0 (xor eax,eax)?
:004060A6 746B                    je 00406113                    <---- if eax=0 then jump
:004060A8 8D45F0                  lea eax, dword ptr [ebp-10]
:004060AB 8D4DB0                  lea ecx, dword ptr [ebp-50]
:004060AE 50                      push eax
:004060AF 51                      push ecx
:004060B0 E87FFEFFFF              call 00405F34
:004060B5 83C408                  add esp, 00000008
:004060B8 85C0                    test eax, eax
:004060BA 7449                    je 00406105
:004060BC 6A40                    push 00000040

* Possible StringData Ref from Data Obj ->"5-Or-More!"
                                  |
:004060BE 68ACD34000              push 0040D3AC

* Possible StringData Ref from Data Obj ->"Successfull registration, thank "
                                        ->"you!"
                                  |
:004060C3 6864D94000              push 0040D964

--------------------------------------------------------------------------------------------------------------------------

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00406084(C), :00406096(C), :004060A6(C)           <---- we don't want these 3 jumps to come here
|
:00406113 6A30                    push 00000030

* Possible StringData Ref from Data Obj ->"5-Or-More!"
                                  |
:00406115 68ACD34000              push 0040D3AC

* Possible StringData Ref from Data Obj ->"Invalid serial number"      <---- HMMM, wonder what this is?
                                  |
:0040611A 6834D94000              push 0040D934

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406111(U)
|
:0040611F FF7508                  push [ebp+08]

* Reference To: USER32.MessageBoxA, Ord:0188h                          <---- this is the message box!!!!!
                                  |
:00406122 FF1538144100            Call dword ptr [00411438]


---------------------------------------------------------------------------------------------------------------------------------


:00405EEF 8B442404                mov eax, dword ptr [esp+04]
:00405EF3 85C0                    test eax, eax                  <---- did the user enter anything? if not, clear eax
:00405EF5 743A                    je 00405F31
:00405EF7 803831                  cmp byte ptr [eax], 31         <---- hmmm..... is the first byte at eax = 1?
:00405EFA 7535                    jne 00405F31                   <---- if not, clear eax
:00405EFC 80780136                cmp byte ptr [eax+01], 36      <---- is the 2nd byte = 6?
:00405F00 752F                    jne 00405F31                   <---- if it isn't, xor eax, eax
:00405F02 80780231                cmp byte ptr [eax+02], 31      <---- is the 3rd byte = 1?
:00405F06 7529                    jne 00405F31                   <---- if it isn't, xor eax, eax
:00405F08 80780333                cmp byte ptr [eax+03], 33      <---- is the 4th byte = 3?
:00405F0C 7523                    jne 00405F31
:00405F0E 80780435                cmp byte ptr [eax+04], 35      <---- is the 5th byte = 5?
:00405F12 751D                    jne 00405F31
:00405F14 80780535                cmp byte ptr [eax+05], 35      <---- is the 6th byte = 5?
:00405F18 7517                    jne 00405F31
:00405F1A 80780631                cmp byte ptr [eax+06], 31      <---- is the 7th byte = 1?
:00405F1E 7511                    jne 00405F31
:00405F20 80780730                cmp byte ptr [eax+07], 30      <---- is the 8th byte = 0?
:00405F24 750B                    jne 00405F31                   ******* we now have [eax] = 16135510 (all 8 bytes) *******
:00405F26 80780800                cmp byte ptr [eax+08], 00      <---- make sure there is nothing else after it
* Possible Reference to Menu: MenuID_0001                        (a w32dasm guess; it is really just the value 1)
                                  |
:00405F2A B801000000              mov eax, 00000001              <---- eax=1, so it is a good guy!!!!!! (mov does not change
                                                                       the flags, so the je below still sees the cmp at 405f26)
:00405F2F 7402                    je 00405F33                    <---- if [eax+8] = 0 from the cmp at 405f26 then jump
:00405F31 33C0                    xor eax, eax                   <---- otherwise clear eax (this is bad)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405F2F(C)
|
:00405F33 C3                      ret                            <---- return from the call (back to line 4060a1)
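To make the logic of the routine at 00405EEF easier to see, here is the same check written out in C. This is an added example, not code from the tutorial or from 5 or More; the function name check_serial is my own and the sample inputs are constructed. The lesson for anyone writing such a check is visible in the first few lines: the expected serial is compared byte by byte against literal constants, which is exactly why it can be read straight out of a dead listing.

```c
#include <stddef.h>
#include <stdio.h>

/* The expected serial, stored the way the compares at 00405EF7..00405F24
 * store it: one literal byte per character (31h 36h 31h 33h 35h 35h 31h 30h).
 * Because the constants sit in the code, the disassembly reveals the serial. */
static const char EXPECTED_SERIAL[] = "16135510";

/* check_serial (my own name for the routine at 00405EEF) returns 1 when the
 * input matches exactly and 0 otherwise, following the assembly step by step. */
int check_serial(const char *serial)
{
    /* test eax,eax / je 00405F31: a NULL pointer goes straight to xor eax,eax */
    if (serial == NULL)
        return 0;

    /* cmp byte ptr [eax+i], NN / jne 00405F31 for i = 0..7: each byte is
     * compared against its constant; the first mismatch ends the check, so a
     * short input stops at its terminating NUL and never reads past it. */
    for (size_t i = 0; i < sizeof(EXPECTED_SERIAL) - 1; i++) {
        if (serial[i] != EXPECTED_SERIAL[i])
            return 0;
    }

    /* cmp byte ptr [eax+08], 00 ; mov eax,1 ; je 00405F33: mov leaves the
     * flags alone, so the je still sees the cmp result. The ninth byte must be
     * the NUL terminator: "161355100" (one digit too many) is rejected here. */
    return serial[8] == '\0' ? 1 : 0;
}

int main(void)
{
    /* constructed inputs: the real serial, a short one, a long one, a wrong one, an empty one */
    const char *samples[] = { "16135510", "1613", "161355100", "86135510", "" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-10s -> %s\n", samples[i],
               check_serial(samples[i]) ? "registered" : "invalid serial");
    return 0;
}
```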