http://www.wallaby95.com - Webpage
Download from their web page - (1.33Mb).
This program makes for an interesting study because it forces you to use some intuition, you might like to try disassembling, on my system it crashes W32Dasm. So, Softice remains our only weapon unless we want to try beating the anti-disassembly tricks it might be using. Start Wallaby and take a look. You'll soon locate the register option and a single dialog box, so lets proceed in our usual fashion and enter a number. Now >bpx Hmemcpy and trace to the code below:
:00450F4E MOV ECX,00000001 <-- ECX=1.
:00450F53 MOV EDX,00000003 <-- EDX=3.
:00450F58 MOV EAX,[EBP-04] <-- Serial # entered.
:00450F5B CALL 00450B2C <-- Call interesting function.
:00450F60 MOV EAX,[EBP-0C] <-- First 4 digits of code entered loaded in EAX.
:00450F63 MOV EDX,00451110 <-- EDX moved to GMA and a space (20h).
:00450F68 CALL 004011D0 <-- Compare.
:00450F6D JNZ 00451070 <-- Jump_Bad_Code.
.....
:00450F84 CALL 00450B2C <-- Call again.
:00450F89 MOV EAX,[EBP-0C] <-- Next 6 digits of code now in EAX.
:00450F8C MOV EDX,00451110 <-- EDX moved to 17195 and a space (20h).
:00450F91 CALL 004011D0 <-- Compare.
:00450F96 JNZ 00451070 <-- Jump_Bad_Code.
Time to pause here, the program continues after this to make one further check upon the next 5 digits of the entered code checking that they are indeed 3112 + a space. The final check appears here:
:00450FD6 CALL 00450B2C <-- Function called (again).
:00450FDB MOV EAX,[EBP-0C]
:00450FDE CALL 004011B0 <-- Returns the length of the remaining code in EAX.
:00450FE3 CMP EAX,03 <-- Last part of code must be greater than 3 in length.
:00450FE6 JLE 00451070 <-- Jump_Bad_Code.
So you should see how to register this software and circumvent the necessary checks. Its quite an interesting scheme although not overly complex, in some respects calling the same 2 functions on each check is weak, however I like the use of spaces in the code and the subtle final check. This program writes the registration information out to a registry key interestingly only containing the first 3 parts of the code check. The authors of this program are only asking $24.95 for registration and this program does appear worthy of support.
Wallaby '95 Version 5.0
Registration Code: GMA 17195 3112 xxxx