Summary for this cracking tutorial:
 
 

Briefing

            That's the first "Week cracking target" from C4N (click here to go to the web page)
 
 
 

ToOlZ Of ThE TraDe...: "What's goin' on Q?"

Well... here are the toolz of the trade u need to crack this program:
 
 

            For this crack, u call use W32DASM too... but it's not really necessary. W32DASM
            is just here to search the string reference.

            And the famous SoftIce 4.0... To test if we made good job ... :)

Seeking for what going wrong:

            Let's Go!

            We have 2 methods: whether we do it "live" with softice and the useful breakpoints
            like bpx GetDlgItemTextA and GetWindowTextA or hmemcpy) but i didn't use that
            method to crack...

            Or let's disassembly it with W32DASM and search (who knows?) for a string reference
            for "Sorry this registration code is invalid!". At the beginning i thought that I won't
            find this string reference... but I was wrong... :)

            Well... we find it @ offset 00471CB1... :)

            The cracker's usual job... let's scroll up... we see...

:00471CAA    push 10        ; maybe a error reference

            Well this conditionnal jump is meaningful... let's go back to 00471C70:

            Before step into the call, i tried to modify the return value (AL) and set it up to AL=1

            In SoftIce: R EAX=1

            The program tells me that i'm registered but i'm not! I run the program again and
            that nasty nag comes back! arf :)

            It's not hard to understand that this call does not only check for a good serial...
            It also updates the program information about the user and register it for further use.

            So... it's time to kick ass and step into the call! :)

            BPX 471C69 and let's run again this program!
 

Where is it hidden??
 

            So let's go again!

            SoftIce stops @ the call... press F8 to step into the call and let's debug!

            The call is not very long... we're going to trace it with F10 all the time...

            In W32DASM we know that this subrutine is called twice... surely at the beginning
            of the program and when u enter a serial!

            We can then crack it by 2 ways... whether:

            1) we try to patch like "Conan the Barbarian" => let's go to 46D040 and then do the
                job with this shit => bad idea!

            2) we scroll down a little like "James Bond" and watch what's going on...
                => VERY GOOD IDEA!

            We trace with only one thing in mind : FIND A COMPARISON BETWEEN THE GOOD
            and the BAD serial since it's UNIVERSAL! :)

            The only interesting part of the call begin here:

... and other comparison follow ...

            Let's explain...

            The call @ 0046CCE7 returns the lenght of the string given by the user. How can we
            know that? Simply because we entered a value (like "007" -> it's just an example! :) )
            and it returns the lenght (try if u don't trust me!).

            The return value is in EAX... why? because it's the only register modified by the
            call and the returned value is immediatly tested!

            It's not hard to understand then that the UNIVERSAL SERIAL MUST BE 12
            caracters long!

            If the code given is 12 caracters long then it begins checking caracters...

            This is now the most important part of the crack!

"Target Locked... Destroy..."
 

            Then... we continue tracing with SoftIce and each time a value is compared by
            [eax+...] (like @ 46CCF8) then type:

            In SoftIce: "D EAX"

            Ok that's it... but how r we going to find the right code?

            Or we know now that we MUST enter 12 caracters ... take a pencil and a paper and
            draw a chart like below...
 
 

This is the chart u have to draw on the paper

memory address	[eax]	[eax+2]	[eax+3]	[eax+4]	[eax+8]	[eax+9]	[eax+0A]	[eax+0B]
Compared value	38	33	31	39	30	35	53	45
ASCII equivalent	"8"	"3"	"1"	"9"	"0"	"5"	"S"	"E"

            There r 3 other ways to crack it:

            1) u replace all jump references by NOP
            2) u jump the check part by jumping @ 46CCEF
            3) replace directly in memory... well that's ok too...

            But they r not good things to do because:
            for the 1) and 2) u'll need to distribute a patch
            3) it's ok when u debug but when u want to distribute ur serial... that's better to
            have a written serial than a "memory patched" serial.

            Ok... except these considerations, what can we tell about the chart?

            So?... If u were attentive u certainly remarked that not all values are checked...
            There are values in the code given that r not checked...

            Indeed... many "holes", many bytes r not checked... like for example
            [eax+1], [eax+5], [eax+6], [eax+7] .

            We can draw another chart like this:
 
 

Summary chart about the serial check

Memory address	Decimal comparison	ASCII equivalent	Remarks
[eax]	38	"8"	First value
[eax+1]	?	?	Not checked!
[eax+2]	33	"3"	Checked!
[eax+3]	31	"1"	ditto
[eax+4]	39	"9"	ditto
[eax+5]	?	?	Not checked!
[eax+6]	?	?	ditto
[eax+7]	?	?	ditto
[eax+8]	30	"0"	Checked!
[eax+9]	35	"5"	ditto
[eax+0A]	53	"S"	ditto
[eax+0B]	45	"E"	ditto

            Is it hard to understand now? I don't think so...
            To have a good serial it must be like:

            8?319???05SE

            And u just have to replace "?" by WHAT U WANT! :))))

            For example:
            8B31900705SE

            And IT WORKS! :))))

            That's all folks! :)
 

            Yup... and appendice... what for? 2 things...:

            Did u find that hard? Not me!!!! It's kinda funny that shareware programmers
            continue to distribute their programs with so a weak "protection"... I underlined
            protection because i can't name it "protection"... :)

            Last thing... The code analysis was made by an indexed and based addressage...

            Based means that the value of EAX depends on a memory location defined by
            a base (EBP = Extended Base Pointer) and indexed because there r a displacement
            [eax+1]...

            I can't explain all here because it's hard to explain in a few words... :)

            But I can suggest to u to buy a book, which will teach u assembly... this WILL be
            useful for ur future practices in cracking!