Software Reverse Engineering - Date Reminder v1.0 - Hardcoded Serial Numbers
Copyright (c) 1998 Volatility
Document Courtesy of The Immortal Descendants - http://pages.prodigy.net/volatility

	Another pathetic protection scheme.  You have to have a few brain cells to get the
proper sequence of codes, but you don't have to be an Einstein.

---------------------------------------------------------------------------------------------
Target:  Date Reminder v1.0 - (dater.zip) 104,115 bytes.  Download this at:

	      http://members.aol.com/wildcat727/datereminder/dater.zip

Tools Needed:  	WDASM - recommended (or disassembler of your choice)
---------------------------------------------------------------------------------------------

Prepare To Crack:

	Unzip and run the program (editor.exe).  You'll notice when you run it for the first
time, two files will be created - "Regdata.dar" and "Remind.dar" - obviously configuration
files, and the name Regdata.dar is a strong hint.  We have a good idea that our registration
information will be stored here.

	Now you'll see the string "Unregistered" and a register button up in the right hand
corner.  Click on the button.  OK... we need five numbers.  Enter anything, and click OK
to get the error message.  It's usually helpful to write the message down.

	Let's disassemble to see what we've got.  Disassemble with Wdasm - "Disassembler", 
"Open file to disassemble" then choose "editor.exe".  Open up the SDR (String Data Reference)
window ("Refs", "String Data References") so you can search for your error message, or any
other string of interest.

	The first thing you'll notice is LOTS of 2- and 4-digit numbers.  Do you have a pretty
good idea of what these are?  Towards the end of the numbers, you'll see a longer string -
"56432132156632".  Hmm.. let's check that out.  Double click on the string, close the SDR
window, and you'll land here:

---------------------------------------------------------------------------------------------
* Possible StringData Ref from Data Obj ->"56432132156632"
                                  |
:00402BB3 68D4B24000              push 0040B2D4
:00402BB8 8D4D88                  lea ecx, dword ptr [ebp-78]
---------------------------------------------------------------------------------------------

	Scroll up a bit further, and you'll see the following:

---------------------------------------------------------------------------------------------
* Possible StringData Ref from Data Obj ->"Registration code entered correctly. "
                                        ->" Thanks for registering!"
                                  |
:00402B81 6888B24000              push 0040B288
:00402B86 8B4D80                  mov ecx, dword ptr [ebp-80]

* Reference To: MFC40.Ordinal:0E83, Ord:0E83h
                                  |
:00402B89 E8D6520000              Call 00407E64
:00402B8E C7458400000000          mov [ebp-7C], 00000000
:00402B95 6A01                    push 00000001
:00402B97 A10CD54000              mov eax, dword ptr [0040D50C]
:00402B9C 8B00                    mov eax, dword ptr [eax]
:00402B9E 50                      push eax
:00402B9F 6A02                    push 00000002

* Possible StringData Ref from Data Obj ->"REGDATA.DAR"
                                  |
:00402BA1 68C8B24000              push 0040B2C8
:00402BA6 8D4D88                  lea ecx, dword ptr [ebp-78]
---------------------------------------------------------------------------------------------

	There's the message we get when we enter the correct codes, and there's that 
configuration file "Regdata.dar" which we're sure holds our registration information.  We now
know that the string "56432132156632" is written to this file when we enter the correct codes.

	I edited "Regdata.dar", and put this string into it.  Doesn't work, so we must need
more data.  Scroll up further until you see the following:

---------------------------------------------------------------------------------------------
* Possible StringData Ref from Data Obj ->"4444"
                                  |
:00402B5D 6880B24000              push 0040B280
:00402B62 8D45E4                  lea eax, dword ptr [ebp-1C]
:00402B65 50                      push eax
:00402B66 E8D5020000              call 00402E40
:00402B6B 85C0                    test eax, eax
:00402B6D 0F84F2000000            je 00402C65
---------------------------------------------------------------------------------------------

	This is the end of a LONG list of routines exactly like it.  Scroll ALL the way up to
the beginning of these routines, which is here:

---------------------------------------------------------------------------------------------
* Possible StringData Ref from Data Obj ->"7632"
                                  |
:00402795 6820B14000              push 0040B120
:0040279A 8D45E0                  lea eax, dword ptr [ebp-20]
:0040279D 50                      push eax
:0040279E E89D060000              call 00402E40
:004027A3 85C0                    test eax, eax
:004027A5 0F85B0000000            jne 0040285B
---------------------------------------------------------------------------------------------

	Let's write this number down, and follow the jump, which lands at 0040285B, where
another number is referenced - "1234".  Follow the jump here again, and you'll get another
number.  If you keep following the jumps, you'll end up with five numbers - exactly the
amount we need for the registration screen.  Enter the five numbers you wrote down, and
voila! Registered!

	There are other sequences you can use... I just started with the first number.

-Volatility-
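
Added example (not part of the original document or of the target program): the
walkthrough works because every valid code sits in the binary as a readable string
literal.  The Python sketch below runs a pre-release check for such literals over a
constructed data-section image and contrasts the literal comparison with shipping only
a salted PBKDF2 digest.  The codes, salt, round count and all function names are
assumptions made up for this example.

```python
import hashlib
import hmac
import re

# Constructed sample codes; none of these values come from the target program.
CODES = ["1001", "2002", "3003", "4004", "5005"]
SALT = b"constructed-salt"  # hypothetical per-product salt
ROUNDS = 100_000            # assumed PBKDF2 work factor

def numeric_literals(image: bytes, min_len: int = 4) -> list[str]:
    """List NUL-terminated all-digit strings, as a string-reference view would."""
    pattern = rb"(?<![ -~])([0-9]{%d,})\x00" % min_len
    return [m.group(1).decode() for m in re.finditer(pattern, image)]

def stored_digest(codes: list[str]) -> str:
    """Salted, slow hash of the ordered code sequence (computed at build time)."""
    joined = "-".join(codes).encode()
    return hashlib.pbkdf2_hmac("sha256", joined, SALT, ROUNDS).hex()

def check_plain(entered: list[str]) -> bool:
    """Weak form: every field is compared with a literal kept in the binary."""
    return entered == CODES

def check_hashed(entered: list[str], digest: str) -> bool:
    """Same decision, but only the digest has to ship."""
    return hmac.compare_digest(stored_digest(entered), digest)

def build_image(strings: list[str]) -> bytes:
    """Constructed stand-in for a data section: NUL-terminated ASCII strings."""
    return b"".join(s.encode() + b"\x00" for s in strings)

# The hashed image is derived from CODES here only to keep the sketch self-contained.
PLAIN_IMAGE = build_image(["Unregistered", *CODES, "REGDATA.DAR"])
HASHED_IMAGE = build_image(["Unregistered", stored_digest(CODES), "REGDATA.DAR"])

if __name__ == "__main__":
    print("literal build exposes:", numeric_literals(PLAIN_IMAGE))
    print("hashed build exposes: ", numeric_literals(HASHED_IMAGE))
```

The digest takes the readable codes out of the string table, but the accept/reject
decision is still a branch in client code, so a check that must resist modification
belongs on a server or behind a signature verified with a public key.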

