Thread: Serial Fishing.

Introduction
Hey, First thing is first. The purpose of this tutorial is for education purposes only. I hereby claim no responsibility what you do with this information. As always if you like the software please purchase it.

Tools
OllyDbg
Winamp Skin Maker 1.2
Hex to Decimal Calculator (if you have windows 7 choose programmer mode on the calculator).
A small understanding of ASM operands.

Let's begin, First open olly, and open Winamp Skin Maker 1.2 (WSM for short). Let Olly analyze the code. Press F9 (run) let's get a feel for this application and how it behaves when you enter an invalid user/serial code. To do that click about > register > Enter name and any serial it doesn't matter at this point. For me i wrote MrSmith & 12345678 > click ok and what do you see ? Bam Fail, Invalid registration code. No problem. So this program just checks if the serial given matches the name, no nag no nothing else pretty straight forward.

Ok Right click Olly > Search For/View > All Referenced Strings > hit ctrl + F type "Fail" (without quotes and press Enter/Click ok. Double click the line Olly takes you to. This is what mine looks like

Code:

00406C29 . PUSH OFFSET skinner_1_2.004258B0          ; ASCII "Fail"

Scroll down a little until you see

Code:

00406D83  -  8D4424 38     LEA EAX,[ESP+38]

This is pretty much at the beginning of the routine where WMS checks your serial to the real serial for your name.
Set a breakpoint on this line with F2 then hit F9, Enter any User/serial again. I used MrSmith & 12345678. Hit ok and Olly will break and place you where you need to be (In the routine). Now you need to step through the code to see what the program is doing. To step through press F8 each time. Keeping an eye on flags EDI, EBX. As you step through you will see the program handle your name and compare your serial with the real serial. At this address

Code:

00406D96 .  50            PUSH EAX                                                   ; Arg1 = ASCII "MrSmith"

You see your name printed in ascii so you know you are at the right place. Keep stepping through (F8)

When you get to this address you will see your serial code that you entered.

Code:

00406DA5  .  50            PUSH EAX                                                  ; Arg1 = ASCII "12345678"

Interesting stuff! . Keep stepping through till you reach this address

Code:

00406DEB  . > 3BFB          CMP EDI,EBX                                                    
; compare EDI (our serial) with EBX (real serial)

Ok taking a look at our register window at the right, You will see each flag;

Code:

EAX 00BC614E
ECX 05F5E100
EDX 00989680
EBX 00322A5F ; Real serial as hex
ESP 0012F374
EBP 0012F400
ESI 000406DA
EDI 00BC614E ; Our serial as hex
EIP 00406DEB skinner_1_2.00406DEB

Convert EBX flag value from hex to decimal, for me EBX = 00322A5F (3287647) as Decimal.

Go on give it a try. Did it work ? of course it did . Congratulations.

Regards, MrSmith

guide created by: MrSmith