May 1999

"NoteWorthy32" ( serial echo )

Win '95 PROGRAM Win Code Reversing  

 

by Snakebyte

 

 

Code Reversing For Beginners 

   

  Program Details
Program Name: nwcsetup.exe
Program Type: Music Composition Utility
Program Location: Here
Program Size: 777,777K   

    Tools Used: Softice 3.2

Rating

Easy ( X )  Medium (   )  Hard (    )  Pro (    ) 

There is a crack, a crack in everything. That's how the light gets in.

    


  NoteWorthy32 V1.55a ( 'serial echo') Written by Snakebyte
 
 

Introduction

  This unregistered version limits the use of some features, such as Save and Print.
 

About this protection system

 
Crippled Features Protection.
This program is registered by selecting 'File' from the Menu bar, then 'Register' .
 
Name: Pirate Copy
 Code: 5551212
 

The Essay 

      Install NoteWorthy32. During the installation select "No, I want to evaluate...". Run the program and the "unregistered version" box pops up. Click on "accept". The "tips" box pops up. Click on "close". From the menu bar select "file" and then "register"... the registration window pops up. Enter:
Name: Pirate Copy
Code: 5551212
press ctrl-d to enter softice...type bpx getdlgitemtexta and hit enter...I
always try this one first...type x to exit softice...back at the registration
window...click on OK...the "not valid..." screen pops up...breakpoint
bpx getdlgitemtexta did not work...click ok...press ctrl-d to re-enter
softice...type bc * to clear the incorrect breakpoint...
type bpx getwindowtexta and hit enter...( getwindowtexta is my second choice)...
type x to exit softice...wait a moment and the ok button should re-activate...
click on ok...Hey! softice breaks...hit F11...this takes us to:

xxxx:0041d5d3 call user32!getwindowtexta
xxxx:0041d5d8 lea eax,[ebp-40] <-- we land here!

NOTICE: we are one instruction past the first windows API call to
"getwindowtexta" (our breakpoint - 'bpx getwindowtexta'). Here
is where it "grabs" our username. Prove this by "dumping" the data
at memory location ebp-40... type d ebp-40 at the softice command line
and look in the data window...Hey!- there's our fake username, Pirate Copy
NOW: type 'x' to exit softice...softice breaks again immediately...hit "F11"
getwindowtexta has grabbed our fake serial number...we are at
xxxx:0041d5fd lea eax, [ebp-60] <---- you are here
let's dump this memory address... d ebp-60

HEY!- there's our fake code number...just above our fake username...
now...we will hit F10 29 times...this will trace through several calls that
perform the algorithms that produce the 'correct' serial number for our username
and ultimately decide if we are legitimate...however, this is an 'echo' crack...
we will not concern ourselves with the method the program uses to determine
the 'correct' serial or the matching process...we will simply 'F10' over these
calls until, right after the call to 0045c70e at:
xxxx:0041d6a8 call 0045c70e

look up in the data window

at memory location xxxx:0075f0a8
hey!- that looks like a serial number... 000-348-240136
type bc * to clear our existing breakpoint...
type 'x' to exit softice
click 'ok' to remove "invalid" screen
type correct serial number and...click 'ok'
Congratulations...
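
Why the echo happens, and a design that avoids it, as an added example (not code from NoteWorthy32 or from this essay). The function names, the FNV-1a name digest and the toy RSA values are all assumptions made for illustration; a real product would use a vetted signature scheme from a library with full-size keys.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Toy RSA values (p=61, q=53), constructed for illustration; far too small for real use. */
#define RSA_N 3233u   /* public modulus, shipped in the client */
#define RSA_E 17u     /* public exponent, shipped in the client */
#define RSA_D 2753u   /* private exponent, vendor side only */

static uint32_t modpow(uint32_t b, uint32_t e, uint32_t m) {
    uint64_t r = 1, x = b % m;
    for (; e; e >>= 1, x = x * x % m)
        if (e & 1) r = r * x % m;
    return (uint32_t)r;
}

/* FNV-1a hash of the user name, reduced below RSA_N (hypothetical name digest). */
static uint32_t digest(const char *name) {
    uint32_t h = 2166136261u;
    for (; *name; name++) { h ^= (unsigned char)*name; h *= 16777619u; }
    return h % RSA_N;
}

/* Weak design: the client derives the valid code into `expected`, then compares. */
int check_echo(const char *name, const char *entered, char *expected, size_t len) {
    snprintf(expected, len, "%04u", (unsigned)digest(name));
    return strcmp(expected, entered) == 0;
}

/* Returns 1 if the buffer left behind by a failed check is accepted when replayed. */
int echo_leaks(const char *name) {
    char expected[16], replay[16];
    if (check_echo(name, "5551212", expected, sizeof expected)) return 0;
    strcpy(replay, expected);
    return check_echo(name, replay, expected, sizeof expected);
}

/* Vendor side only (not shipped): sign the name digest with the private exponent. */
uint32_t vendor_sign(const char *name) { return modpow(digest(name), RSA_D, RSA_N); }

/* Hardened design: the client only verifies; it never computes a valid code. */
int check_signed(const char *name, uint32_t code) {
    return code < RSA_N && modpow(code, RSA_E, RSA_N) == digest(name);
}

int main(void) {
    uint32_t code = vendor_sign("Pirate Copy");
    printf("echo leaks: %d, signed ok: %d, tampered ok: %d\n", echo_leaks("Pirate Copy"),
           check_signed("Pirate Copy", code), check_signed("Pirate Copy", (code + 1) % RSA_N));
    return 0;
}
```

In the signed design the only values in memory at comparison time are the entered code raised to the public exponent and the name digest, neither of which is a valid code for the name.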

Final Notes 

 
This is an example of the classic 'serial echo' as described by +ORC...
Please e-mail me if you find this useful...
snakebyte

 
My thanks and gratitude go to:
 
Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
 
+ORC for showing me the light at the end of the tunnel.
 

Ob Duh 

 
Do I really have to remind you all that buying and NOT stealing the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue to offer even more challenges to breaking their often weak protection systems?
 
If you're looking for cracks or serial numbers from these pages then you're wasting your time, try searching elsewhere on the Web under Warze, Cracks etc.
 


   


 



Essay by:          snakebyte
Page Created: 14th May 1999