So first of all I’d like to say that I’m a newbie here.
My steps:
1. I tried to find the serial. bpx GetDlgItemTextA works fine here, and the next step is a call with the pushed address of the s/n string. OK, first of all this function checks whether the first 2 chars are 0; when it sees that they are not, it continues to manipulate the registers containing those chars (another call). I couldn’t manage to understand what it is doing, but it then checks whether eax is 0, then it calls the function which writes some data to the registry at hklm\software\radmin\v1.01\ViewType\Data, but I do not understand how it calculates the address of the data buffer size. Then it reads data from the registry with size 80h; there are not so many chars and the function ends with an error code, but it never checks this data. hklm\software\radmin\v1.01\ViewType\Data – this is where the registration data is stored (regmon tells the same). (All program params are stored in hkcu\software\radmin\v2.0\.)
So I couldn’t understand this part, OK.
2. I tried to get the time check. bpx GetLocalTime – the time was checked and I found the real program entry after the check is OK – 00aaaa07 – the entry of the checking prog is 00AA91C9.
So I did ‘d 00aaaa07’ and ‘d 00AA91c9’ and wrote down some hex numbers. But I couldn’t find any of them in radmin.exe or in any dll it loads (AdmDll.dll, raddrv.dll, visedll.dll) (on startup it loads only AdmDll.dll). (Those DLLs are loaded dynamically (LoadLibraryA), because “tdump –em radmin.exe” tells that it uses only kernel32 and user32 functions.) So those files are all packed; I tried to make a dump, but I couldn’t find those lines in the dump either.
I will appreciate any help or tutorials on such a case. Thank you all.