There is a crack, a crack in everything. That's how the light gets in.
|
|
|
004376F1 mov fs:[eax], esp
004376F4 lea edx, [ebp-14h]
004376F7 mov eax, [ebp-4]
004376FA mov eax, [eax+1E8h]
00437700 call sub_41B960
00437705 push dword ptr [ebp-14h]
===> READ THE FIRST PART OF THE FAKE CODE
00437708 push offset loc_4379A0
0043770D lea edx, [ebp-18h]
00437710 mov eax, [ebp-4]
00437713 mov eax, [eax+1F0h]
00437719 call sub_41B960
0043771E push dword ptr [ebp-18h]
===> READ THE SECOND PART OF THE FAKE CODE
00437721 lea eax, [ebp-8]
00437724 mov edx, 3
00437729 call sub_4039F8
0043772E mov eax, [ebp-8]
00437731 call sub_436C30
===> CHECK THE CODE
00437736 test al, al
00437738 jz loc_4377E0
Go to 436C30 and we find the big validation routine; analysing this part of the code is tedious, so we jump directly to the end, where the program stores the important value in AL:
00436DFB sahf
00436DFC jnz short loc_436E06
===> PATCH HERE WITH TWO 'NOP'
00436DFE mov al, [ebp+var_5]
00436E01 xor al, 1
00436E03 xor [ebp+var_5], al
00436E06
00436E06 loc_436E06:
00436E06
00436E06 xor eax, eax
00436E08 pop edx
00436E09 pop ecx
00436E0A pop ecx
.......
00436E27 lea eax, [ebp+var_58]
00436E2A call sub_4036BC
00436E2F retn
I prefer to patch here rather than at 00437736 because the protection routine
is called three times, so changing just two bytes does all the work. Now
the fake code is accepted and a new file, COPERNIC.DLL, appears in the directory,
proving that Copernic 98 Plus is now registered.
But what about the registry? So far we have had no problem with the
registry, just a simple serial code validation routine; now run COPERNIC
98 Plus and you jump into the electronic registration form. As I wrote
before, you can skip this one just two times; when you run the program for
the third time you need to fill in the form and press the "SEND" button, or
exit, because the "REMIND ME LATER" button is greyed out. Now it's time
to look at the Windows registry, and just to confirm our suspicions,
open REGMON and run COPERNIC: promptly a message politely tells you that you
must close your registry monitor program. This routine could be easily
reversed (it's still in COPERNIC.EXE, some bytes after the previously patched
routine), but I accept the challenge and try another registry monitoring
program. I run ExeSpy98, a good tool that you can use to monitor the
system API calls directly; set the program to follow the RegQueryValueExA and
RegSetValueExA functions and re-run COPERNIC: wow, no more annoying message,
and we can look undisturbed at the registry. When we reach the registration
form, take a look at the ExeSpy98 report: there's a call to the registry key
RegCardSkipCount. Bingo!!! When the program starts for the first time (checked by
the FirtsUse registry key) it writes the value AEh in the RegCardSkipCount key,
then at each next run this value is decreased until the program no longer
permits you to skip the Registration form. I have tried to change the
value in this registry key directly, but without result: COPERNIC uses the value
as a seed for some calculation.
OK, it's time to return to SoftICE: bpx RegQueryValueExA (but enable the breakpoint only after some seconds, or you will need to skip more than ten RegQueryValueExA calls) and you arrive at this part of the code, located in COPERNICSVR.EXE:
004433A7 push eax
=====> LOOK EAX WHEN POINT TO "RegCardSkipCount" STRING
004433A8 mov eax, [ebx+4]
004433AB push eax
004433AC call j_RegQueryValueExA_0
The value in EAX at 004433A7 points to the name of the key that RegQueryValueExA looks up, and the value read from the registry is stored in ESI; when at 004433A7 we find a value pointing to the "RegCardSkipCount" string, follow the value in ESI after the call at 004433AC using a BPM breakpoint and you arrive here:
00448230 push ebp
00448231 mov ebp, esp
00448233 add esp, 0FFFFFFF8h
00448236 mov [ebp+var_4], eax
00448239 push 0ABh
0044823E mov ecx, offset aRegcardskipcou
00448243 xor edx, edx
00448245 mov eax, [ebp+var_4]
00448248 call sub_4492F4
=====> to RegQueryValue routine
0044824D xor eax, 0ABh
=====> EAX = value of RegCardSkipCount key
00448252 mov [ebp+var_8], eax
00448255 mov eax, [ebp+var_8]
This routine is called at:
005147CB call sub_448230
005147D0 cmp eax, 5
=====> EAX = number of times that you run the program
005147D3 jl short loc_5147E5
=====> if EAX < 5 disable the "Remind Me Later" button
005147D5 mov eax, [ebp-4]
005147D8 mov eax, [eax+20Ch]
005147DE xor edx, edx
The value in EAX, that is the RegCardSkipCount value, is XORed with ABh
(the first time you run, AE XOR AB = 5); if the result is less than 5 the
"Remind Me Later" button is greyed out. But we don't want the Registration
Form to appear at all, so we need to search further back for where this routine is called.
The code that we see in IDA is terrible, full of nested routines and very
difficult to understand, so I will use here an approach that I read
some time ago in an essay on Fravia's site: in SoftICE, when you break at
00448230, search the stack to see all the previous calls by typing STACK
in the SoftICE command line; you now read many calls that refer to
the same file COPERNICSVR. The first six or seven are located in the same
part of the code as the routine, but next you find a call located at 00517D5F;
the main call must be from here ....
00517D3F cmp dword ptr [ebp-8], 0
00517D43 jl short loc_517D67
=====> Patch here with JMP 517D67
00517D45 mov ecx, [ebp-4]
00517D48 mov dl, 1
00517D4A mov eax, ds:off_514120
00517D4F call sub_42FC8C
00517D54 mov [ebp-0Ch], eax
00517D57 mov eax, [ebp-0Ch]
00517D5A call sub_432DA8
=====> to the Registration Form
00517D5F mov eax, [ebp-0Ch]
00517D62 call sub_403094
Now the program works fine and you don't see the Registration Form screen any more.

My thanks and gratitude go to:
Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
+ORC for showing me the light at the end of the tunnel.

Ripping off software through serials
and cracks is for lamers..
If you're looking for cracks or serial
numbers from these pages then you're wasting your time; try searching elsewhere
on the Web under Warez, Cracks etc.