DRS TeleScreen-32 v1.24 - Tutorial

http://www.drs-digitrax.com - Webpage.
drstelep.exe - (1.01Mb).

Welcome to another requested tutorial. Without further ado, let's start the target and locate the all-too-familiar register option. You should be confronted with the following screen; note here a subtle trick used by the author, perhaps to confuse new SoftICE users: there are actually a total of 9 dialog boxes, so when you >bpx Hmemcpy remember that you must allow 9 breaks. I'm using CrackZ & 1 2 3 4 5 6 7 8, and in this instance I have left the PRO version box unchecked.

DRS TeleScreen Registration Screen

So after allowing all of our required breaks, let's trace to the following code; I recommend using F12 to get inside the program before using F10 to actually reach the code I've shown below. Now, before we jump into tracing all of these function calls, let's actually zen a little: would a program call all of these functions if the code was being checked digit by digit? Although not beyond the realms of possibility, it seems unlikely.

:0045CD58 MOV EAX,[EBP-0104] <-- Name.
:0045CD5E LEA EDX,[EBP-012C]
:0045CD64 CALL 004077EC <-- Check_name_was_at_least_1.
:0045CD69 PUSH DWORD PTR [EBP-012C]
.....
:0045CE65 CALL 00454A60 <-- This_is_the_only_important_function.
:0045CE6A TEST AL,AL <-- Good_code_sets_AL_non-zero.
:0045CE6C JZ 0045CF97 <-- Jump_bad_code.

Well, just take a quick look at the code I'm going to talk about, and look how much of the code I've omitted in between. The reason: at this stage we are not really interested in the finer points of the protection, and between those 2 addresses there aren't any conditional jumps to exit us from the scheme. We can see that good_guy/bad_guy is decided by just one JZ, and therefore that the CALL 00454A60 must return non-zero for the code to be good. So let's take a closer look inside 00454A60, firstly under the disassembler.

It seems 00454A60 is a popular call, being referenced 4 times, most likely because it is the function responsible for checking the start-up status as well. Just feel your way through the function code and look at this snippet.

:00454AEB CALL 00402D84 <-- Compare_codes.
:00454AF0 SETE AL <-- Set AX-low depending on return.
:00454AF3 CMP AL,01 <-- Compare_with_1.
:00454AF5 JNZ 00454AFE <-- Jump_and_AX-low_is_returned_0.
:00454AF7 MOV [ESI+00000375],01 <-- Flag moved to 1.

This protection is now surely sunk; you can trace 00402D84 and snatch the good code from EAX fairly easily, and this also applies when the PRO version box is checked. So the choice is yours: either locate your good code or patch the protection scheme. I'll show you both options.

Patch

E8 94 E2 FA FF 0F 94 C0 3C 01 <-- SETE AL.
E8 94 E2 FA FF 0F 95 C0 3C 01 <-- Changed to SETNE AL (accept all bad codes).

Well, reversers, remember that it's not always best to start tracing every function inside a protection scheme live in SoftICE; obviously, if you want a key generator you'll need to locate the calculation routine. Note also that the program uses a key file, telescre.key, to track the registration status.


© 1998 CrackZ. 21st June.