There is a crack, a crack in everything. That's how the light gets in.
Name: Pirate
Number: 123987
After hitting enter, *UNLESS* you are psychic or something, you will get a messagebox saying "registration failed, check name and number"... What to do now? Let's fire up W32dasm and load datemind.exe into it. Once it has disassembled, click on Refs/String Data References and search for, you guessed it, the error message. Now double-click on it and W32dasm will jump to this section of code:
:00410959 E8216C0000   Call 0041757F               <- Get the entered code
:0041095E 68E8174200   push 004217E8               <- Pushes serial on the stack
:00410963 E828200000   call 00412990               <- Calculates the length of
:00410968 59           pop ecx                     <- the entered serial
:00410969 83F807       cmp eax, 00000007           <- Compares the length with 7
:0041096C 7428         je 00410996                 <- Jumps if the length is 7
:0041096E 6A00         push 00000000               <- otherwise executes the "Bad Cracker Code"
:00410970 68C4024200   push 004202C4               <- "Registration Failure"
* Possible StringData Ref from Data Obj ->"Registration Failed, check Name"
                                        ->"and Number"         <-- We land here!!
:00410975 6899024200   push 00420299               <-- Push rego failed onto stack
:0041097A FF3588174200 push dword ptr [00421788]
:00410980 E8DC6B0000   Call USER32.MessageBoxA     <- Display the messagebox
Well, as you can probably gather from my commented code :) if you do not enter exactly 7 characters for your serial, you won't even get to the first compare, so make sure it is seven characters. I changed my serial to: 1239876
Now double-click on the error message again in W32dasm and you should land at this section of code:
* Referenced by a (C)onditional Jump at Address:
|:004109D0(C)
|
:00410A06 6A00         push 00000000
:00410A08 687F034200   push 0042037F               ->"Registration Failure"
* Possible StringData Ref from Data Obj ->"Registration Failed, check Name"
                                        ->"and Number"         <-- We land here!!
:00410A0D 6854034200   push 00420354               <-- Push rego failed onto stack
:00410A12 FF3588174200 push dword ptr [00421788]
:00410A18 E8446B0000   Call USER32.MessageBoxA     <- Display the messagebox
If you look closely at the code segment, you'll see that it is reached by a (C)onditional jump at address 004109D0; note this location down.
Once again double-click on the error message and you will land at this third and final piece of code that displays our bad messagebox:
* Referenced by a (C)onditional Jump at Address:
|:004109B2(C)
|
:00410A2B 6A00         push 00000000
:00410A2D 68BF034200   push 004203BF               ->"Registration Failure"
* Possible StringData Ref from Data Obj ->"Registration Failed, check Name"
                                        ->"and Number"         <-- We land here!!
:00410A32 6894034200   push 00420394               <- Push rego failed onto the stack
:00410A37 FF3588174200 push dword ptr [00421788]
:00410A3D E81F6B0000   Call USER32.MessageBoxA     <- Display the messagebox
If you look closely at this third code segment, once again it is referenced by a (C)onditional jump at address 004109B2, not far from the second call to the bad messagebox; note this location down also.
Okay, so both bits of code do the same thing: basically they push the bad rego message onto the stack and display our "bad cracker" messagebox. Now, obviously if we do not want this bit of code to be executed, what we must do is find a way to jump over it somehow. So let's go and take a look at the two code addresses you should have copied down before; it looks a little like this:
* Referenced by a (C)onditional Jump at Address:
|:0041096C(C)
|
:00410996 A09A174200   mov al, byte ptr [0042179A]
:0041099B 50           push eax
:0041099C E882110000   call 00411B23
:004109A1 59           pop ecx
:004109A2 8BD8         mov ebx, eax
:004109A4 A0EA174200   mov al, byte ptr [004217EA]
:004109A9 50           push eax
:004109AA E874110000   call 00411B23
:004109AF 59           pop ecx
:004109B0 3BD8         cmp ebx, eax
:004109B2 7577         jne 00410A2B                <-- First jump to bad messagebox
:004109B4 A09C174200   mov al, byte ptr [0042179C]
:004109B9 50           push eax
:004109BA E864110000   call 00411B23
:004109BF 59           pop ecx
:004109C0 8BD8         mov ebx, eax
:004109C2 A0EC174200   mov al, byte ptr [004217EC]
:004109C7 50           push eax
:004109C8 E856110000   call 00411B23
:004109CD 59           pop ecx
:004109CE 3BD8         cmp ebx, eax
:004109D0 7534         jne 00410A06                <-- Second jump to bad messagebox
:004109D2 6A24         push 00000024
:004109D4 680A034200   push 0042030A               ->"Registration Success"
From this segment of code you should gather that the conditional jumps at 004109B2 and 004109D0 both go to the bad code, i.e. the bad messagebox code above, and in doing so they both also jump over the good piece of code, the "Registration Success" segment.
What can we gather from all of this? Well basically, it's a classic protection, namely:
Compare two registers
Jump to bad guy/good guy
If we look at the first jump we see it compares ebx with eax, and then the jne (jump if not equal) will jump to the bad messagebox if they are not equal. The second jump is the same: it compares ebx with eax and then jumps to the second bad messagebox if they are not the same.
You may think, hmm, why set two compares if you are comparing the same serial twice, the answer lies ahead, read on..
Now go into help/about datemind, click yes and then enter all your details, but don't hit ok yet.
Hit CTRL + D to enter SoftICE and type "bpx getdlgitemtexta".
Now exit SoftICE with F5 and hit the OK button. *BOOM* we are in SoftICE again. Don't forget we entered two pieces of info and the program needs both to process the registration, so hit F5 so SoftICE reads in your serial. Now type "bd 0" to disable the breakpoint and press F12 to get to the program's code. When you get there, don't bother single-stepping through any code, as we already know where the compare(s) will take place, so go ahead and place a bpx on the first compare... Need help? OK, type "bpx 004109B0" to set a breakpoint on the first compare.
Press F5 to exit SoftICE. *BOOM* we are back in SoftICE, right at the first compare instruction. Disable the breakpoint with "bd 1" and enter "d ebx"; nothing interesting here, so enter "? ebx" and you should get a number, mine was 7. Now it compares this with eax, so enter "? eax" and you should see the third number of your serial, in my case it was 3. So we now know that the third character of your serial should be a 7, so change your serial to reflect this; I used 1279876.
This is where the second compare comes into action, so enter your newly acquired serial and then enter SoftICE and enable the breakpoint on getdlgitemtexta; to do this type "be 0", hit F5 to exit SoftICE and hit the OK button. *BOOM* we are back in SoftICE. Disable the breakpoint with "bd 0"; now you want to set a breakpoint on the second compare, so type "bpx 004109CE". Exit SoftICE with F5. *BOOM* we are right back in SoftICE, and staring us in the face is the second compare, so once again enter "? ebx" and you should see a number, mine was a 9. Go ahead and enter "? eax" and you will see the 5th number of your serial, mine was 8.
Well, it should be straightforward what to do from here: enter SoftICE and clear all the breakpoints with "bc *", then enter your reg info; in my case it was:
Name: Pirate
Serial: xx7x9xx
Where x is anything you want :) Congratulations if this was your first crack; if not, I hope you learnt something from it...
Greets and Thanks to: The Sandman :) , Warezpup, Hojo, Bubblegun, DeionXxX, Flu[X], Sortof, all the gang at ECG and anyone else I forgot!!
Ripping off software through serials and cracks is for lamers..
If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.