May 1999
"NoteWorthy32" (serial echo)
Win '95 program, Win Code Reversing
by Snakebyte

Code Reversing For Beginners

Program Details
Tools Used: Softice 3.2
Rating: Easy ( X ) Medium ( ) Hard ( ) Pro ( )
There is a crack, a crack in everything. That's how the light gets in. |
Introduction
The unregistered version limits the use of some features, such
as Save and Print.
About this protection system
Crippled Features Protection.
The program is registered by selecting 'File'
from the menu bar, then 'Register'. The fake registration details
used throughout this essay are:
Name: Pirate Copy
Code: 5551212
The Essay
Install NoteWorthy32. During the installation select "No, I want
to evaluate...". Run the program and the "unregistered version"
box pops up. Click on "Accept". The "Tips" box pops
up. Click on "Close". From the menu bar select "File"
and then "Register"... the registration window pops up. Enter:
Name: Pirate Copy
Code: 5551212
Press Ctrl-D to enter Softice, type bpx getdlgitemtexta and hit Enter (I
always try this one first), then type x to exit Softice. Back at the registration
window, click on OK. The "not valid..." screen pops up and Softice never broke, so
bpx getdlgitemtexta is the wrong breakpoint for this program. Click OK, press Ctrl-D
to re-enter Softice and type bc * to clear the incorrect breakpoint.
Type bpx getwindowtexta and hit Enter (getwindowtexta is my second choice).
Type x to exit Softice, wait a moment for the OK button to re-activate and
click on OK. Hey! Softice breaks. Press F11 (return to the caller) and this takes us to
xxxx:0041d5d3 call user32!getwindowtexta
xxxx:0041d5d8 lea eax,[ebp-40] <-- we land here!
NOTICE: we are one instruction past the first Windows API call to
getwindowtexta (our breakpoint, 'bpx getwindowtexta'). This is where the program
"grabs" our username into the buffer at ebp-40. Prove this by dumping the data
at that address: type d ebp-40 at the Softice command line
and look in the data window. Hey! There's our fake username, Pirate Copy.
NOW: type x to exit Softice. Softice breaks again immediately, on the second
getwindowtexta call, the one that grabs our fake serial number. Press F11 and we are at
xxxx:0041d5fd lea eax, [ebp-60] <---- you are here
Let's dump this memory address: d ebp-60
HEY! There's our fake code number, just above our fake username in the data window.
Now we will press F10 (step over) 29 times. This traces past several calls that
perform the algorithm producing the 'correct' serial number for our username
and ultimately decide whether we are legitimate. However, this is an 'echo' crack:
we will not concern ourselves with the method the program uses to compute
the 'correct' serial or with the matching process. We simply F10 over these
calls until we are right after the call to 0045c70e at:
xxxx:0041d6a8 call 0045c70e
Look up in the data window
at memory location xxxx:0075f0a8.
Hey! That looks like a serial number: 000-348-240136
(the program has just written the serial it computed for the name Pirate Copy;
a different name gives a different serial, so repeat the trace if you change the name).
Type bc * to clear the breakpoint,
type x to leave Softice,
click OK to dismiss the "invalid" screen,
type the correct serial number and click OK.
Congratulations...
This is an example of the classic 'serial echo' as described by +ORC.
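Why the echo works, shown as added example code that is not NoteWorthy32's own: the first check below is built the way the essay's target behaves (name in one buffer, code in another, a generator call that writes the one correct serial into memory, then a string compare), next to a verify-only check that never computes the correct serial and so gives a tracer nothing to read. The name hash, the 000-NNN-NNNNNN formatting and the toy RSA-style values (n=3233, e=17, d=2753) are all stand-ins chosen for this demo; the essay does not recover the real program's algorithm.

```c
/* Added example (not NoteWorthy32's code): an echo-prone registration check
 * next to a verify-only one.  Hash, serial format and key values are stand-ins. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Stand-in name hash (djb2).  The real NoteWorthy32 algorithm is not known. */
static uint32_t name_hash(const char *name)
{
    uint32_t h = 5381u;
    for (; *name; name++)
        h = h * 33u + (unsigned char)*name;
    return h;
}

/* --- Echo-prone scheme: the program derives the one correct serial from the
 * name and writes it, as text, to a buffer before comparing.  A debugger
 * parked after the generator returns (the essay's 'd' on the data window)
 * reads it straight out of memory. --- */
void generate_serial_echo_prone(const char *name, char *out, size_t out_len)
{
    uint32_t h = name_hash(name);
    snprintf(out, out_len, "000-%03u-%06u",
             (unsigned)((h >> 20) % 1000u), (unsigned)(h % 1000000u));
}

int check_echo_prone(const char *name, const char *code)
{
    char expected[32];                       /* the target's [ebp-xx] buffer */
    generate_serial_echo_prone(name, expected, sizeof expected);
    return strcmp(expected, code) == 0;      /* correct serial is in memory here */
}

/* --- Verify-only scheme (toy RSA-style): the program holds (e, n) and
 * accepts code if code^e mod n == H(name) mod n.  Only the vendor holds d,
 * so no code path inside the product ever produces the correct serial.
 * Textbook toy values p=61, q=53 give n=3233, e=17, d=2753; a real product
 * needs a cryptographic-size modulus, since 3233 candidates are trivially
 * brute-forced. --- */
#define TOY_N 3233u
#define TOY_E 17u
#define TOY_D 2753u   /* vendor side only; present so the demo can mint a serial */

static uint32_t modpow(uint32_t base, uint32_t exp, uint32_t mod)
{
    uint64_t result = 1, b = base % mod;
    while (exp) {
        if (exp & 1u) result = (result * b) % mod;
        b = (b * b) % mod;
        exp >>= 1;
    }
    return (uint32_t)result;
}

/* Vendor's keygen: never shipped inside the program. */
uint32_t vendor_mint_serial(const char *name)
{
    return modpow(name_hash(name) % TOY_N, TOY_D, TOY_N);
}

/* What ships: accepts a decimal serial string, rejects malformed input. */
int check_verify_only(const char *name, const char *code)
{
    char *end;
    unsigned long s = strtoul(code, &end, 10);
    if (*code == '\0' || *end != '\0' || s >= TOY_N)
        return 0;
    return modpow((uint32_t)s, TOY_E, TOY_N) == name_hash(name) % TOY_N;
}

/* Round trips: mint a serial the way the vendor would and check it. */
int echo_prone_roundtrip(const char *name)
{
    char serial[32];
    generate_serial_echo_prone(name, serial, sizeof serial);
    return check_echo_prone(name, serial);
}

int verify_only_roundtrip(const char *name)
{
    char serial[16];
    snprintf(serial, sizeof serial, "%u", (unsigned)vendor_mint_serial(name));
    return check_verify_only(name, serial);
}

int main(void)
{
    char serial[32];
    generate_serial_echo_prone("Pirate Copy", serial, sizeof serial);
    printf("echo-prone: expected serial for 'Pirate Copy' sits in memory as %s\n", serial);
    printf("echo-prone: accepts it = %d, accepts 5551212 = %d\n",
           check_echo_prone("Pirate Copy", serial), check_echo_prone("Pirate Copy", "5551212"));
    printf("verify-only: vendor-minted serial %u accepted = %d, 5551212 accepted = %d\n",
           (unsigned)vendor_mint_serial("Pirate Copy"), verify_only_roundtrip("Pirate Copy"),
           check_verify_only("Pirate Copy", "5551212"));
    return 0;
}
```

Build with cc -std=c99 on any platform; nothing here is Windows-specific. The echo-prone check leaks the serial at exactly the point where the essay types d on the data window, whatever hash it uses, because the generator must finish before the compare can run. The verify-only check exposes only H(name) mod n and the public exponent, which is useless without d; its weakness in this demo is the toy modulus, not the structure.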
Please e-mail me if you find this useful...
snakebyte
My thanks and gratitude go to:
Fravia+ for providing possibly the greatest
source of reverse engineering
knowledge on the Web.
+ORC for showing me the light at the end of
the tunnel.
Ob Duh
Do I really have to remind you all that
buying and NOT stealing the software you use will ensure that these
software houses continue to produce even *better* software for
us to use and, more importantly, continue offering even more challenges
in breaking their often weak protection systems?
If you're looking for cracks or serial numbers
on these pages then you're wasting your time; try searching elsewhere on
the Web under Warez, Cracks etc.