  #116  
02-17-2004, 19:01
Wurstgote
 
Hi britedream,
I first thought that JackD's way would indeed give a fully registered app... but that's not the case.
Quote:
if you are wondering about registration, at address 578685 mov edx, dword ptr ds:[620484], the value 620484 points to an address; make sure this address points to anything except zeroes. (this is what I understood from the post)
I've figured that one out. But: if the address you mention points to something containing zeros, it's not a problem. The app still runs fine, but the "Register..." part in the "Help" menu is enabled and when you take a look at the "About" box you'll see that you are still in trial mode.
If the above-mentioned address points to an ASCII string, the "Register..." part is no longer there and the About box shows said string as the name of the registered user. But in fact the app is still unregistered since some of its functions produce a "Function only available for registered users" message.
But since I only wanted to unpack and not crack it, that's no problem with me.

About the part on how to find the first address: I think I've found a straighter way to get there...
Assuming the data at 00620480 and afterwards is the same as "data AFTER ASPR dips" (which was true for my dump), simply start the app in Olly and try to open the "About" box. Olly pops up with an access violation. Looking at the stack you'll see the ret address of the call to the function that produces the violation. Go to this address and you're two or three lines below 578685.

Regards
Wurstgote