
ARTEAM EZINE ISSUE IV

5.4 IDENTIFICATION OF THE CHECK ROUTINES

Having loaded Dwice in the debugger, I searched for all intermodular calls and set INT 3 breakpoints on two APIs: DialogBoxParamA and GetDlgItemTextA. After clicking the 'REGISTER' button, I landed immediately in these pieces of code:

Figure 77.

As you can see, OllyDbg gives us a lot of information: the name of the dialog template (REGISTERDIALOG) and, especially, the dialog procedure located at offset 00419CA0h. Here the target stores the License Name and the License Code in two 82-byte buffers (at offsets 004F1020h and 004F1220h respectively). After the last indirect call used to invoke GetDlgItemTextA, we can see three strange calls. The first call simply removes the space characters at the beginning of the License Name buffer; it also collapses any run of spaces in the middle of the name into a single space character, as shown in Figure 78.

Figure 78. Read the underscore characters as plain spaces.
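To make the behaviour of that first call concrete, here is a C reimplementation of the space-normalisation it performs on the License Name buffer. This is an added example written for this article, not code recovered from Dwice: it assumes only what is described above (82-byte buffer, leading spaces removed, inner runs of spaces collapsed to one). What the original routine does with trailing spaces is not described on the page, so this version simply leaves at most one.

```c
#include <stdio.h>
#include <string.h>

/* Buffer size observed in the target for License Name / License Code. */
#define LICENSE_BUF_LEN 82

/* Normalises the license name in place, as the first "strange call" does:
 * - strips every space at the beginning of the buffer;
 * - collapses any run of spaces inside the string to a single space.
 * Trailing spaces are collapsed to one as well (assumption: the page does
 * not say how the original routine treats them). Returns the new length. */
size_t normalize_license_name(char *buf)
{
    const char *src = buf;
    char *dst = buf;
    int prev_space = 0;

    /* Skip leading spaces. */
    while (*src == ' ')
        src++;

    /* Copy the rest, dropping every space that directly follows a space. */
    for (; *src != '\0'; src++) {
        if (*src == ' ') {
            if (prev_space)
                continue;
            prev_space = 1;
        } else {
            prev_space = 0;
        }
        *dst++ = *src;
    }
    *dst = '\0';
    return (size_t)(dst - buf);
}

int main(void)
{
    /* Constructed sample input, the same kind shown in Figure 78. */
    char name[LICENSE_BUF_LEN] = "   Alexey    Pajitnov";
    size_t len = normalize_license_name(name);
    printf("[%s] (%zu chars)\n", name, len);
    return 0;
}
```

Knowing this normalisation matters when building a keygen or comparing names: a name typed with extra spaces is hashed in its collapsed form, so the key must be derived from the normalised string, not from what the user typed.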

Reversing the Protection’s scheme of Alexey Pajitnov’s game Dwice by Gyver75


