Our First Program?

Regview 2.21...Get it here Ok, we ready!! As always, there more than one way to deal with the program, but we gonna find the serial number. I think it better to try to find a serial number first anyway, coz it much 'cleaner' than changing program code, although sometimes it harder to find a valid serial when you're starting out. Anyway, we gonna get the serial number. So unzip regview somewhere and look for any readmes in the folder. There a regform and a readme, and we told we have 30 trys and if we register, we get an updated version. It doesnt say anything about a registration number at all, and starting it up and looking at the menu items doesnt reveal any place to put a registration either. When we click on 'about' we are told we are using unregistered version and have 29 more trials. This goes down everytime we start up the program. Anyway, I going to cut to the rego number. You either start the program 30 times to bring up the registration box, or delete this line out of the registry...HKEY_CLASSES_ROOT\VR_T..., which will expire the program and so cause the rego box to appear. I used regmon to locate this key (see the excellent tut in the beginners section, for full explanation of how the regmon works)...and it small! Well a box comes up saying we have to register, click ok and rego box appears. Enter the name we want, and any number (you might notice that the name has to be longer than 4 characters, otherwise the ok button stays greyed out). Now we know what to do right?? Ctrl d softice up, and enter bpx hmemcpy/enter, then F5 out of sice, and click on ok to register...softice pops up. We ready to search for our serial. Now we going to do one thing different this time than in our previous serial tuts. You notice that there two text fields on the registration box...one for name and one for serial. We want to get to where the serial number comparison takes place..the second text box...and I not sure why (feel free to explain) but apparently a quicker way to get to this comparison is to make softice break again. We still get there if we dont, but I read that we do this, so we gonna do it. When softice breaks the first time, push F5 and it will break again. Now we carry on as normal. F11 once, disable breakpoint...bd0, then F12 to program code. When we see it between the bottom two windows, we F10 till we see something that we looking for. What we see is a ret a little down the page so F10 down to it and we end on another bit of code. This happens a few times..six actually, hmmmm very similar to crackme2, and after the 6th one we end here: xxxx:00487BDC 8B45F4 MOV EAX,[EBP-0C]<-land here xxxx:00487BDF 8D55F8 LEA EDX,[EBP-08] XXXX:00487BE2 E8FD08F8FF CALL 004084E4 XXXX:00487BE7 8B45F8 MOV EAX,[EBP-08] XXXX:00487BEA E861C1F7FF CALL 00403D50 XXXX:00487BEF 83F805 CMP EAX,05 XXXX:00487BF2 7C3E JL 00487C32 Stop and look at the code...a few calls, and remember often we looking for a call before a jump with maybe a CMPare as well. We see one a few lines down: xxxx:00487BEA E861C1F7FF CALL 00403D50 which is followed by a CMP (compare), then JL (jump if less). XXXX:00487BEF 83F805 CMP EAX,05 XXXX:00487BF2 7C3E JL 00487C32 If we look at the CMP, we see something getting compared to 5...name/serial??. Now we made both our name and serial longer than 5 so there no need to go into this call, but just for an exercise, we will. F10 to the call and F8 into it. You land here: xxxx:00403D50 85C0 TEST EAX,EAX<-land here xxxx:00403D52 7403 JZ 00403057 XXXX:00403D54 8B40FC MOV [EAX,[EAX-04] XXXX:00403D57 C3 RET See the RET a few lines down from where we landed?? This returns us to where we came from (the call we just entered), so F10 down to it (you wont jump unless you entered less than 5 characters), and you will end up at the next line down from the call that we previously entered...here: XXXX:00487BEF 83F805 CMP EAX,05<-land here XXXX:00487BF2 7C3E JL 00487C32 So we just entered a little routine where a comparison is done with 5; we jump if we less; otherwise we dont. Anyway, once we back to the original call we entered (next line down actually, coz we executed the call) we land here: xxxx:00487BDC 8B45F4 MOV EAX,[EBP-0C] xxxx:00487BDF 8D55F8 LEA EDX,[EBP-08] XXXX:00487BE2 E8FD08F8FF CALL 004084E4 XXXX:00487BE7 8B45F8 MOV EAX,[EBP-08] XXXX:00487BEA E861C1F7FF CALL 00403D50 XXXX:00487BEF 83F805 CMP EAX,05<-land here XXXX:00487BF2 7C3E JL 00487C32 xxxx:00487BF4 8D55FC LEA EDX,[EBP-04] XXXX:00487BF7 8B83D0020000 MOV EAX,[EBX+000002D0] Now look down code abit and you see other calls, and one followed by a JNZ at address: xxxx:00487C23 E838C2F7FF CALL 00403E60<- here xxxx:00487C28 7508 JNZ 00487C32 You remember from our crackme2 tuts that we were looking for a CALL followed by a Jump, so same as then, we gonna F8 into this one. We end up here: xxxx:00403E60 53 PUSH EBX<-land here xxxx:00403E61 56 PUSH ESI xxxx:00403E62 57 EDI xxxx:00403E63 89C6 MOV ESI,EAX XXXX:00403E65 899D7 MOV EDI,EDX XXXX:00403E67 39D0 CMP EAX,EDX XXXX:00403E69 0F848F000000 JNZ 00403EFE Hmmmmmm, dont you think this code looks familiar to what we found in crackme2 just before we found the correct serial? I think we may be close. You know what to do!! We gonna dump the different addresses to see if a serial pops out, so type d xxx as we F10 down the lines. At address: xxxx:00403E63 89C6 MOV ESI,EAX if you type d eax, you see the number you entered and another one (You will find it at other addresses as well). Take note of number (it goes with the name you entered), put it in the serial box, and yeah, we done it. Well that it. We done our first program?? Just be aware that there are many different protection schemes, and this way will not always work. You just have to follow tuts and get familiar with the different ones, and build up your knowledge...so GOOD LUCK!!!!!!