The program: AKoff Guitar Assistant, version 1.01. Get it at http://www.download.com
The tools: SoftICE. I'm using version 4.
AKoff Guitar Assistant can assist in visually tuning your guitar with a microphone or an electric guitar connected to your PC's sound card.
It analyzes in real time a stream of audio signals from the WAV input of your sound card and then calculates the main frequency. This frequency is shown by a pointer on the graphic guitar signature stamp (frets), comparing it to the proper frequency. Tuning a string now simply means centering the pointer on the appropriate graphic fret.
This trial version has a nag screen. The registered version sells for $19.
Start the program, click Register, and put in an email address and any old number.
Ctrl-D into SoftICE and set a breakpoint: bpx GetDlgItemTextA. F5 out of SoftICE, click Register... and you're back in SoftICE.
Now push F5 again to get to the serial routine, then F11 to get out of the call, and disable the breakpoint: bd 00. You should have landed in the program code, on a call:
* Reference To: user32.GetDlgItemTextA, Ord:00E5h
|
:004019F5 E8D29E0100 Call 0041B8CC
:004019FA E87DFAFFFF call 0040147C <-LAND HERE
:004019FF 833D14E2410000 cmp dword ptr [0041E214], 00000000
:00401A06 741C je 00401A24
:00401A08 E863FCFFFF call 00401670
:00401A0D 68A1114000 push 004011A1
:00401A12 6A00 push 00000000
:00401A14 6A0C push 0000000C
:00401A16 FF3518E24100 push dword ptr [0041E218]
Now remember!! Quite often we're looking for a call closely followed by a cmp/test, then a je or jne, and shit, that's what it looks like here!!
So F8 into the call at 004019FA and you'll land here:
* Referenced by a CALL at Addresses:
|:004011CD , :004019FA
|
:0040147C 55 push ebp <-LAND HERE
:0040147D 89E5 mov ebp, esp
:0040147F 83EC18 sub esp, 00000018
:00401482 57 push edi
:00401483 8A057B144000 mov al, byte ptr [0040147B]
:00401489 8845EC mov byte ptr [ebp-14], al
:0040148C 8D45ED lea eax, dword ptr [ebp-13]
:0040148F 6A13 push 00000013
:00401491 6A00 push 00000000
:00401493 50 push eax
* Reference To: crtdll.memset, Ord:01ADh
|
:00401494 E86F660100 Call 00417B08
:00401499 83C40C add esp, 0000000C
:0040149C 8D7DEC lea edi, dword ptr [ebp-14]
:0040149F 57 push edi
:004014A0 E8DBFDFFFF call 00401280
:004014A5 31D2 xor edx, edx
:004014A7 88D0 mov al, dl
:004014A9 FC cld
:004014AA B9FFFFFFFF mov ecx, FFFFFFFF
:004014AF F2 repnz
:004014B0 AE scasb
:004014B1 83C404 add esp, 00000004
:004014B4 83F9F2 cmp ecx, FFFFFFF2
:004014B7 7512 jne 004014CB
:004014B9 BF10E14100 mov edi, 0041E110
:004014BE FC cld
:004014BF B9FFFFFFFF mov ecx, FFFFFFFF
:004014C4 F2 repnz
:004014C5 AE scasb
:004014C6 83F9F2 cmp ecx, FFFFFFF2
:004014C9 7402 je 004014CD
I think somewhere around here we're going to find the serial, so it's really a case of dumping what's in memory as we F10 down and seeing if we can locate it. Now we see the call at 004014A0. If we F8 into this, we'll find ourselves in what appears to be the serial routine. We'll see the email address we entered getting mucked around with, and we'll find ourselves in a couple of loops. When we eventually reach a ret and exit that routine, we'll be at the next line after the call we just entered... here:
:004014A0 E8DBFDFFFF call 00401280
:004014A5 31D2 xor edx, edx <-HERE
:004014A7 88D0 mov al, dl
:004014A9 FC cld
:004014AA B9FFFFFFFF mov ecx, FFFFFFFF
:004014AF F2 repnz
:004014B0 AE scasb
:004014B1 83C404 add esp, 00000004
:004014B4 83F9F2 cmp ecx, FFFFFFF2
:004014B7 7512 jne 004014CB
:004014B9 BF10E14100 mov edi, 0041E110
:004014BE FC cld
:004014BF B9FFFFFFFF mov ecx, FFFFFFFF
:004014C4 F2 repnz
:004014C5 AE scasb
:004014C6 83F9F2 cmp ecx, FFFFFFF2
:004014C9 7402 je 004014CD
And at address 004014A5, XOR EDX, EDX, if you type d edx, the correct number should be displayed in the data window.
F5 out of SoftICE and poke this number where it belongs. You don't get any thanks, but instead of displaying unregistered, you'll now be using the registered version.
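Why "d edx" works at all, and what a check that cannot be fished this way looks like, as an added Go example (not part of this tutorial and not AKoff's code; the serial arithmetic, the e-mail and the keys are constructed for illustration):

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// deriveSerial stands in for the routine at 00401280: a serial computed from
// the e-mail. The arithmetic is constructed for this example, not the real one.
func deriveSerial(email string) string {
	var acc uint32 = 0x1234
	for i := 0; i < len(email); i++ {
		acc = acc*31 + uint32(email[i])
	}
	return fmt.Sprintf("%08X%04X", acc, len(email)&0xFFFF) // always 12 chars
}

// fishableCheck is the pattern in the listing above: derive the expected serial,
// then compare it with what was typed. The expected value must sit in memory
// at the compare, which is exactly what "d edx" shows.
func fishableCheck(email, typed string) bool {
	expected := deriveSerial(email)
	return len(typed) == 12 && typed == expected // 12 = the repnz scasb / cmp ecx,FFFFFFF2 test
}

// issueSerial is the vendor side: sign the e-mail with a private key that never
// ships inside the program. Constructed here only so the example runs offline.
func issueSerial(priv ed25519.PrivateKey, email string) string {
	return hex.EncodeToString(ed25519.Sign(priv, []byte(email)))
}

// signedCheck ships only the public key. No "correct" serial ever exists in the
// process; a debugger at the compare sees just a true/false verification result.
func signedCheck(pub ed25519.PublicKey, email, serial string) bool {
	sig, err := hex.DecodeString(strings.TrimSpace(serial))
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, []byte(email), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	email := "user@example.com" // constructed sample input
	fmt.Println(fishableCheck(email, deriveSerial(email)))         // true
	fmt.Println(signedCheck(pub, email, issueSerial(priv, email))) // true
	fmt.Println(signedCheck(pub, email, "0000"))                   // false
}
```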