Author : Argoth
Target : GifMovieGear 2.63
WebSite: http://www.gamani.com/



Foreword

This is my first little tutorial. I am writing it because I understand what is going on in this program: it is easy to follow, and it is the first application where I feel I understand parts of the protection scheme completely. I hope you will like it.

Before we start

I assume that you have SoftICE installed and know how to work with it. I am not writing this tutorial to explain the basics of SoftICE, but as a small introduction to serial fishing. What I will do is give the commands I type in SoftICE. If you don't have SoftICE or don't know how to use it, please refer to the following pages:

http://zor.org/krobar/ 
-A tutorial site, it's great! Tutorials on programs, cracks and tools.

http://cracktools.cjb.net/     
-THE site for downloading your tools, worth a look.

http://tsehp.cjb.net/
-A page for everything, also contains links to several message boards. Crackers like to help crackers, so ask!

HINT(!!!)  -> Print this tutorial on paper. SoftICE halts Windows while its window is up, so you will not be able to read this on screen all the time.

Start

First we will go to the registration part. Fill out your name (I used Argoth) and a serial number; it doesn't matter what you use for now. Pop up the SoftICE window (CTRL-D) and set a breakpoint on GetWindowTextA (BPX GetWindowTextA). Now go back to GifMovieGear (CTRL-D) and click OK. We land in SoftICE inside GetWindowTextA. Press CTRL-D and we break a second time in GetWindowTextA
(there were two white boxes, remember? One call reads the name, the other reads the serial). Press F11 to return to the point the function was called from.
Here: 

0042C33F   lea ecx, dword ptr [esp+78]

Set a breakpoint here (BPX 0042C33F). Trace the code with F10 for a while and a 'No! Wrong!' message box will appear. Click OK (SoftICE will pop up; press CTRL-D to return to GifMovieGear) and OK again. As you noticed while tracing, there was only one CALL before the message box, the one located here:

0042C349   call 0042C0C0

So let's trace into it (F8 traces into a CALL). After only a few lines we land here:

0042C0C8   cmp byte ptr [ebp+00], 6D
0042C0CC   jne 0042C172
0042C0D2   cmp byte ptr [ebp+01], 76
0042C0D6   jne 0042C172
0042C0DC   cmp byte ptr [ebp+02], 67
0042C0E0   jne 0042C172
0042C0E6   cmp byte ptr [ebp+03], 32
0042C0EA   jne 0042C172

Four compares that all jump to the same place. 0042C172 is the failure exit of this routine; every check that follows jumps there too when it fails. If you step over one of these jumps while it is taken, you go straight to the message box telling us to type our registration information exactly as we received it. Since we never received anything, that will be hard :)
What is this then? Go through the message boxes and return to the 0042C0C8 line again. Let's see. Type '? 6D' (without the quotes). SoftICE answers with something like this: 0000006D  00000109  "m" (the value in hex, in decimal, and as a character). Hmm, so [ebp+00] has to be an 'm', otherwise the jump is taken. Let's see what EBP points to (type 'd ebp'). WoW! Our fake serial! This means our serial has to start with an 'm'. We might as well check what the other three values are. Do this the same way: type '? 76', '? 67' and '? 32'. SoftICE will give us:

0000006D  00000109  "m"
00000076  00000118  "v"
00000067  00000103  "g"
00000032  00000050  "2"

So our serial has to start with 'mvg2'. Press CTRL-D (we want to enter a new serial, right?). Then type a serial number which starts with mvg2; I used mvg2666123. Done? Now press OK and return to 0042C0C8 again. As you will notice, none of the jumps to the nasty message box is taken now. YaY! We're through the first part. From here on it gets interesting. Study this:

0042C0F0   mov ebx, 004462A8
0042C0F5   mov edx, dword ptr [ebx]
0042C0F7   or ecx, FFFFFFFF
0042C0FA   mov edi, edx
0042C0FC   xor eax, eax
0042C0FE   repnz

You might want to clear all your breakpoints (bc *) and set a breakpoint on 0042C0F0 (BPX 0042C0F0), the line after the last jump. Trace down to 0042C0F5 and type 'd ebx': interesting stuff, serials, but so many of them. Press F10 once more so we land on 0042C0F7 and type 'd edx'. Bingo! Here is one serial standing alone in a register, thus highly suspicious. The serial I saw here was mvg21951736. Well, what are you waiting for? Enter the new serial, press OK and CTRL-D a few times. Dammit! What's this? It doesn't work. *Sigh* It couldn't have been this easy.

Guess we have to go to SoftICE again, so press OK until we return to the code that handles our 'not working serial'. Trace a bit further into the code and we notice that

0042C116   jl 0042C0F5

sends us back to 0042C0F5   mov edx, dword ptr [ebx]. So the whole part looks like this (don't be scared of this big piece of code):

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
  0042C116(C)

0042C0F5   mov edx, dword ptr [ebx]       <--- Load the next string from the table into edx (the first one is our 'not working serial')
0042C0F7   or ecx, FFFFFFFF
0042C0FA   mov edi, edx
0042C0FC   xor eax, eax
0042C0FE   repnz
0042C0FF   scasb                          <--- Scan for the terminating 0
0042C100   not ecx
0042C102   dec ecx                        <--- ecx = length of the table string
0042C103   mov edi, edx
0042C105   mov esi, ebp                   <--- esi = our serial
0042C107   xor eax, eax
0042C109   repz
0042C10A   cmpsb                          <--- Compare our serial against the table string
0042C10B   je 0042C172                    <--- Equal? Then jump to the failure exit
0042C10D   add ebx, 00000004              <--- Next pointer in the table
0042C110   cmp ebx, 0044635C              <--- Compare ebx to 4481884 (hex 0044635C)
0042C116   jl 0042C0F5                    <--- If ebx is lower than 4481884, loop again

0042C118   cmp byte ptr [ebp+04], 73
0042C11C   jne 0042C11F                   <--- Compare 5th char to 's', if it isn't; Jump-.
0042C11E   inc ebp                                                                        |
0042C11F   add ebp, 00000007                                                    Here <----'

See the three lines before 0042C118? Together with the code above they form a loop over a table of string pointers from 004462A8 up to 0044635C, four bytes apart (45 entries). For each entry the code measures the string (repnz scasb), compares our serial against it (repz cmpsb) and jumps to the failure exit at 0042C172 if they are equal. In other words, the table is a list of serials the program refuses outright, which is why the serial we fished out of it did not work. Since ebx starts at 4481704 (hex 004462A8; type '? ebx' to see this) and the loop runs until ebx reaches 4481884, tracing through it by hand would take a very long time. So let's disable our previous breakpoints ('bd *') and set a breakpoint on the line after the jump back. Type BPX 0042C118 to do this.
What do we have here then? A compare that checks whether the 5th character is an 's' (type '? 73' to see for yourself). If it isn't, the jump skips only one line. This might not look interesting, but let's see what happens on the 'inc ebp'. Type 'd ebp' first to see what ebp points to: the serial we entered. Now make sure the jump is not taken ('r fl z' toggles the zero flag). Trace over the 'inc ebp' and type 'd ebp' again to see what happened: we see our serial without the m, so 1 was added to ebp. Return to the program with CTRL-D and press OK again. (We don't bother putting an 's' in the 5th position; all it decides is whether the 'inc ebp' runs.) Now we are back at 0042C118. Trace further until you have traced over:

0042C11F   add ebp, 00000007

Type 'd ebp' again to see the end of our serial. It adds 7 to ebp, which makes ebp point 7 characters further into the serial. So instead of mvg2666123 I only see 123: the first 7 characters have been skipped. Wait! This means the three characters after 'mvg2' can be anything. The same holds when the 5th character is an 's', except that the 'inc ebp' then skips one more character, so four filler characters are needed. Only the trailing digits count. Now that we know this, let's move on until:

0042C122   push ebp
0042C123   call 00437D5C
0042C128   mov edx, dword ptr [esp+18]    <--- Load a pointer to our name into edx
0042C12C   add esp, 00000004
0042C12F   mov edi, edx
0042C131   xor ecx, ecx
0042C133   mov dl, byte ptr [edx]
0042C135   mov esi, 000006FE              
0042C13A   test dl, dl                    <--- Did we fill out a name? If no, jump.
0042C13C   je 0042C164                    

Trace over the CALL at 0042C123 and we see EAX and ECX change. 'd ecx' shows our trailing digits as text. There's a small value in EAX, so we type '? eax' and WoW! Here are our trailing digits as a number: for me 123 in ECX and 7B in EAX (7B hex = 123 decimal). So this call converts the digits after the skipped characters into a number. When we trace only a few steps further we land in a loop again. The loop starts here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
  0042C162(C)

0042C13E   movsx edx, dl
0042C141   inc ecx                         <--- ECX + 1
0042C142   imul edx, ecx                   <--- Multiply the values of our character with pos.
0042C145   add esi, edx
0042C147   cmp esi, 00000DFD
0042C14D   jle 0042C155
0042C14F   sub esi, 00000DFD
0042C155   cmp ecx, 0000000A
0042C158   jle 0042C15C
0042C15A   xor ecx, ecx
0042C15C   mov dl, byte ptr [edi+01]
0042C15F   inc edi
0042C160   test dl, dl
0042C162   jne 0042C13E

This is where the trailing number of our serial is actually calculated. Let's see. In this loop ECX is the position of the current character of the name and EDX holds that character's value (sign-extended by movsx). E.g. when EDX is 114 (114 decimal = 'r'), ECX is 2, because 'r' is the 2nd letter of my name. On line 0042C135, ESI was set to 6FE (hex).
Each time EDX is multiplied by ECX and the outcome is added to ESI:

0042C142   imul edx, ecx
0042C145   add esi, edx

If ESI is bigger than DFD (hex DFD = 3581 decimal), DFD is subtracted from ESI once:

0042C147   cmp esi, 00000DFD
0042C14D   jle 0042C155
0042C14F   sub esi, 00000DFD

When ECX is bigger than 0A (hex 0A = 10 decimal), ECX is reset to 0, so the next character is multiplied by 1 again; the position therefore cycles through 1..11. Without this, the values added to ESI would get very big for long names.

0042C155   cmp ecx, 0000000A
0042C158   jle 0042C15C
0042C15A   xor ecx, ecx

When all letters of the name have been processed (dl is 0), the program doesn't jump back and the loop ends. (This part isn't needed if you just want to find a serial, but if you want to understand the code, or maybe try to make a keygen, I think it is essential.)

Now we come to the last part of the protection, which is also the important one for finding the missing trailing digits.

0042C164   cmp esi, eax                      <--- Ok, bring it on!
0042C166   jne 0042C172
0042C168   pop edi
0042C169   pop esi
0042C16A   pop ebp
0042C16B   mov eax, 00000001                 <--- This means that our serial is correct
0042C170   pop ebx
0042C171   ret

I hope you have read this tutorial fully, so you know what was in EAX (right: our trailing digits as a number). So EAX holds our missing number, and it is compared against ESI, the result of the name loop. Type '? esi' for the last time in this tutorial. In my case I got:

? esi
000001CB   00000459   "-Some bullsh*t characters-"

Alright! The decimal column is what we need, because the digits in the serial are read as a decimal number. So my last few digits should be 459, and I really want to try this out.
Gif MovieGear, prepare to meet thy doom!
My name remains Argoth and I change my serial to mvg2666459. I am now a registered user.  :)

Of course we could publish this registration as our serial, which would make our name appear in other people's copies. That would be cool, but we could also make a crack. It's very easy: just reverse the jump at 0042C166 or NOP it. The most work is to release a keygen. Well, now that we fully understand the calculation, that shouldn't be too hard either. I might want to write my first keygen now    :)
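The keygen mentioned above, as an added example that is not the author's code and is not part of the original tutorial: a C program that replicates the check at 0042C0C0 from the listings above ('mvg2' prefix, the table of refused serials, the 's'/skip-7 rule, the name loop with 6FE, DFD and 0A, and the final cmp esi, eax) and generates a serial that passes it. It assumes that the call at 00437D5C is a decimal string-to-number conversion (the tutorial sees "123" go in and 7B come out), modelled with strtol, and it knows only the one refused serial the tutorial reports from the table at 004462A8, so the real table is longer than the one here. All macro and function names are mine.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constants lifted from the disassembly of the routine at 0042C0C0. */
#define GMG_PREFIX  "mvg2"
#define GMG_SEED    0x6FE   /* mov esi, 000006FE */
#define GMG_MOD     0xDFD   /* cmp esi, 00000DFD */
#define GMG_POS_MAX 0x0A    /* cmp ecx, 0000000A */

/* The serial the tutorial reports seeing in the pointer table at 004462A8.
 * That table is a list of serials the program refuses (the repz cmpsb loop
 * at 0042C0F5 jumps to the failure exit on a match). Only this one entry is
 * visible on the page; the real table has 45 entries (assumption: unknown). */
static const char *const gmg_refused[] = { "mvg21951736" };

/* Name hash: the loop at 0042C13E..0042C162, with 32-bit signed registers. */
int32_t gmg_hash(const char *name)
{
    int32_t esi = GMG_SEED;
    int32_t ecx = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        int32_t edx = (int32_t)(int8_t)*p;     /* movsx edx, dl */
        ecx++;                                  /* inc ecx */
        esi += edx * ecx;                       /* imul edx, ecx ; add esi, edx */
        if (esi > GMG_MOD)                      /* cmp esi, DFD ; jle */
            esi -= GMG_MOD;                     /* sub esi, DFD (subtracted once) */
        if (ecx > GMG_POS_MAX)                  /* cmp ecx, 0A ; jle */
            ecx = 0;                            /* xor ecx, ecx */
    }
    return esi;
}

/* Characters skipped before the trailing number is parsed: 'add ebp, 7',
 * plus one more if the 5th character is 's' ('inc ebp' at 0042C11E). */
static size_t gmg_skip(const char *serial)
{
    return 7 + (strlen(serial) > 4 && serial[4] == 's');
}

/* Full check as the routine at 0042C0C0 performs it; returns 1 if accepted. */
int gmg_check(const char *name, const char *serial)
{
    if (strncmp(serial, GMG_PREFIX, 4) != 0)    /* cmp [ebp+0..3] against "mvg2" */
        return 0;
    for (size_t i = 0; i < sizeof gmg_refused / sizeof *gmg_refused; i++) {
        /* repz cmpsb runs for strlen(entry) bytes, so a prefix match is enough */
        if (strncmp(serial, gmg_refused[i], strlen(gmg_refused[i])) == 0)
            return 0;
    }
    size_t skip = gmg_skip(serial);
    if (strlen(serial) < skip)                  /* the original would read past the end */
        return 0;
    /* Assumed atoi-style conversion of the trailing digits (call 00437D5C). */
    int32_t eax = (int32_t)strtol(serial + skip, NULL, 10);
    return gmg_hash(name) == eax;               /* cmp esi, eax ; jne 0042C172 */
}

/* Keygen: "mvg2" + filler + decimal hash. The check skips 7 characters from
 * the start of the serial (8 if serial[4] == 's'), so three filler characters
 * follow "mvg2", four if the first of them is 's'. Returns a pointer to a
 * static buffer, or NULL if the filler is too short. */
const char *gmg_keygen(const char *name, const char *filler)
{
    static char buf[64];
    size_t nfill = (filler[0] == 's') ? 4 : 3;
    if (strlen(filler) < nfill)
        return NULL;
    snprintf(buf, sizeof buf, GMG_PREFIX "%.*s%d",
             (int)nfill, filler, (int)gmg_hash(name));
    return buf;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "Argoth";
    const char *serial = gmg_keygen(name, "666");
    printf("%s -> %s (%s)\n", name, serial,
           gmg_check(name, serial) ? "accepted" : "REJECTED");
    return 0;
}
```

Run it with a name as the only argument; with no argument it reproduces the tutorial's pair Argoth / mvg2666459. The hash uses signed 32-bit arithmetic on purpose: movsx makes characters above 7F negative and the jle at 0042C14D is a signed compare, so a name with such characters can drive ESI below zero, and the serial then has to carry a negative number, which the decimal conversion accepts.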

I hope you enjoyed this tutorial a little. I started very easy in the beginning and later on, I just skipped the 'now press CTRL-D to return to SoftICE' lines.

Grtz all!

Argoth

PS. I am writing this as a proud trial of DiGiTAL ReAliTY. My personal greetings to the whole group.