Win Code Reversing ('Nop'ing')
Program Details
Program Name: cliphound.exe
Program Type: Clipboard Utility
Program Location: Here
Program Size: 192K

W32Dasm V8.9 - Disassembler
Hex Workshop32 or any other Hex Editor
There is a crack, a crack in everything. That's how the light gets in. |
ClipHound V1.0a ('Going through the front door')
Written by The Sandman
The author says about ClipHound:
"When ClipHound is running, it will monitor the Windows 95 clipboard. Whenever you cut or copy some text, ClipHound will take a look at it and determine if it should take action. Usually, this means ClipHound will make a private copy of the text you put on the clipboard in its own list. However, if you have PasteBack enabled, ClipHound will check the text you placed in the clipboard against the names of items already in ClipHound. If a match is found, the full contents of the item matched is placed in the clipboard, overwriting the name. You can then paste this back into your application."
This program is registered by selecting the 'About' button, then the 'Register' button and finally the 'Enter Code' button.
Name:
Code:
Run the program several times and let's get a 'feel' for the way the program works, making notes as you go. This should by now be automatic to you and I shouldn't have to tell you this. As you already know, the program makes many decisions as it loads, one of which is whether or not to show "Cliphound - Unregistered Shareware" at the top of its screen or whether to show something else. Since I'm not going to crack this program using its serial number routines I'm going to short circuit this whole area by mimicking what happens when the program is registered properly.
Right, make a 'Dead Listing' of this program using W32Dasm so we can see where we're going and what code we will have to change or nop out. When you've done this, search for the text "Unregistered Shareware". When you've found this string reference, check again to see if there are any more references to this string; better safe than sorry..
OK, there's only one reference, good, that makes our job a bit easier..
:004021E3 C645FC03      mov [ebp-04], 03
:004021E7 66813ED007    cmp word ptr [esi], 07D0      ;The program here is checking to see if these
                                                      ;two bytes [07D0] are stored at the memory
                                                      ;location pointed to by esi.
:004021EC 7505          jne 004021F3                  ;If any bytes other than [07D0] are found
                                                      ;then the program is unregistered.
:004021EE 8B45EC        mov eax, dword ptr [ebp-14]
:004021F1 EB17          jmp 0040220A
* Possible StringData Ref from Data Obj ->"Unregistered Shareware"
:004021F3 6814914200    push 00429114                 ;Program comes here IF it has NOT been registered.
:004021F8 8D4DD8        lea ecx, dword ptr [ebp-28]
:004021FB E8C72F0100    call 004151C7
Looking at the above code we *could* just nop (90h) out that jne 004021F3 instruction completely and yes, the program would run as though it has been registered, but that is not the whole story here.. Look what W32Dasm is telling us..
It is telling us that the program checks whether, at the memory location pointed to by the [esi] register, the two bytes [07D0] are present, and if whatever is currently stored at [esi] is NOT EQUAL to [07D0] (i.e. not the same) then the program knows that it has not been registered!
In order to see the importance of this we must now use W32Dasm and search for any other locations within the program's code where it performs the same check for these two magic bytes [07D0]. If it does, then we can assume that these represent the differences in the way the program works between being a Shareware program and being a fully registered program..
While still in W32Dasm, search for the bytes: 6681. These two bytes make up just a part of the cmp word ptr [esi], 07D0 instruction, so the search will find variations of this same instruction as well. Right, we should see that there are four other locations within this program that check to see if the program is registered or not. Can you see what I'm trying to say here? If we simply NOP (90h) out the jne 004021F3 instruction at memory location :004021EC then we WON'T be placing the magic [07D0] bytes in the computer's memory, and it is those bytes that tell the rest of the program that it has been registered, even though we can fool this one check into accepting our fake serial number by nop'ing the jne instruction!! If you are to understand *cracking* then you really must understand this statement.
OK, then what must we do?.. Well, we MUST make sure that the bytes [07D0] get placed at the memory location pointed to by [esi] BEFORE we can proceed to the 'Good Guy' routines, so why not change the cmp word ptr [esi], 07D0 instruction and turn it into mov word ptr [esi], 07D0, which we CAN do easily. Next, since our two magic bytes [07D0] have now been placed correctly into memory we can now get rid of that jne 004021F3 instruction, since there is no longer a comparison instruction being executed, so we can nop it out knowing that it is no longer needed.
Here's what our new routine looks like:-
BEFORE:
:004021E3 C645FC03      mov [ebp-04], 03
:004021E7 66813ED007    cmp word ptr [esi], 07D0
:004021EC 7505          jne 004021F3
:004021EE 8B45EC        mov eax, dword ptr [ebp-14]
:004021F1 EB17          jmp 0040220A
* Possible StringData Ref from Data Obj ->"Unregistered Shareware"
:004021F3 6814914200    push 00429114
:004021F8 8D4DD8        lea ecx, dword ptr [ebp-28]
:004021FB E8C72F0100    call 004151C7
AFTER:
:004021E3 C645FC03      mov [ebp-04], 03
:004021E7 66C706D007    mov word ptr [esi], 07D0
:004021EC 90            nop
:004021ED 90            nop
:004021EE 8B45EC        mov eax, dword ptr [ebp-14]
:004021F1 EB17          jmp 0040220A
* Possible StringData Ref from Data Obj ->"Unregistered Shareware"
:004021F3 6814914200    push 00429114
:004021F8 8D4DD8        lea ecx, dword ptr [ebp-28]
:004021FB E8C72F0100    call 004151C7
See, we've changed a cmp instruction into a mov instruction then nop'd out a redundant jne instruction and now we have a fully registered ClipHound program!
Job Done.
Load up cliphound.exe into your favorite hex editor then:-
SEARCH FOR THE FOLLOWING BYTES: 66813ED0077505
THEN REPLACE THE HIGHLIGHTED BYTES WITH: 66C706D0079090
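To see why the two 5-byte instructions swap cleanly and why the 2-byte jne needs exactly two nops, it helps to decode the encodings by hand. The following is an added example written for this page; it is not part of The Sandman's essay and not ClipHound code. The only data it uses are the two byte sequences quoted above, embedded here as constructed test input; the function names, the RM32 table and the small "which image is this" classifier are this example's own choices. It decodes the operand-size prefix (66), the 81 /7 (cmp) and C7 /0 (mov) group opcodes with their ModRM byte, checks that the replacement preserves instruction length, scans a buffer for every 66 81 /7 form the way the 6681 search does, and, from the defender's side, reports whether a given image carries the known-good or the tampered sequence.

```python
# Added example: decode the x86 forms the essay changes, confirm the patch is
# size-preserving, and classify an image as original or tampered.

# Base register chosen by the ModRM r/m field when mod == 00.
# r/m 100 needs a SIB byte and r/m 101 is a disp32; neither occurs here.
RM32 = ["eax", "ecx", "edx", "ebx", None, None, "esi", "edi"]

# The seven bytes at :004021E7 before and after the patch (from the essay).
ORIGINAL = bytes.fromhex("66813ED0077505")  # cmp word ptr [esi], 07D0 ; jne +05
PATCHED = bytes.fromhex("66C706D0079090")   # mov word ptr [esi], 07D0 ; nop ; nop
PATCH_ADDR = 0x004021E7


def decode_one(buf, off, addr):
    """Decode the instruction at buf[off], whose virtual address is addr.
    Returns (length, text). Only the forms in the essay are handled:
    66 81 /7 iw (cmp r/m16,imm16), 66 C7 /0 iw (mov r/m16,imm16), 75 cb, 90."""
    b = buf[off]
    if b == 0x90:
        return 1, "nop"
    if b == 0x75:
        rel = int.from_bytes(buf[off + 1:off + 2], "little", signed=True)
        target = addr + 2 + rel            # rel8 is relative to the next instruction
        return 2, f"jne {target:08X}"
    if b == 0x66:                          # operand-size prefix: hence "word ptr"
        opcode, modrm = buf[off + 1], buf[off + 2]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if mod != 0 or RM32[rm] is None:
            raise ValueError(f"addressing form {modrm:#04x} not handled")
        if opcode == 0x81 and reg == 7:    # /7 selects CMP within the 0x81 group
            mnemonic = "cmp"
        elif opcode == 0xC7 and reg == 0:  # /0 is the MOV r/m,imm form of 0xC7
            mnemonic = "mov"
        else:
            raise ValueError(f"opcode {opcode:#04x} /{reg} not handled")
        imm = int.from_bytes(buf[off + 3:off + 5], "little")
        return 5, f"{mnemonic} word ptr [{RM32[rm]}], {imm:04X}"
    raise ValueError(f"opcode {b:#04x} at offset {off} not handled")


def disassemble(buf, base):
    """Disassemble buf sequentially, treating buf[0] as virtual address base."""
    out, off = [], 0
    while off < len(buf):
        length, text = decode_one(buf, off, base + off)
        out.append(f"{base + off:08X} {text}")
        off += length
    return out


def patch_summary(original, patched):
    """(same_length, changed_offsets). Equal length is what lets the new bytes
    sit in place without disturbing the instructions that follow."""
    changed = [i for i, (a, b) in enumerate(zip(original, patched)) if a != b]
    return len(original) == len(patched), changed


def find_cmp16_imm16(buf):
    """Offsets of every 66 81 /7 sequence: the essay's 6681 search, narrowed
    to the ModRM reg field that means CMP, so other 0x81 forms are excluded."""
    return [i for i in range(len(buf) - 2)
            if buf[i] == 0x66 and buf[i + 1] == 0x81 and (buf[i + 2] >> 3) & 7 == 7]


def classify_image(image):
    """Defender's check: does an image hold the known-good sequence, the
    tampered one, or neither (constructed classifier, not a real signature)."""
    if ORIGINAL in image:
        return "original"
    if PATCHED in image:
        return "patched"
    return "unknown"


if __name__ == "__main__":
    for line in disassemble(ORIGINAL, PATCH_ADDR) + disassemble(PATCHED, PATCH_ADDR):
        print(line)
    print(patch_summary(ORIGINAL, PATCHED))
```

Run stand-alone it prints the two listings with the jne target resolved to 004021F3 from the rel8 displacement, and reports that the patch touches offsets 1, 2, 5 and 6 of the seven bytes while leaving the length unchanged.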
This was an interesting exercise in *cracking*, changing a compare into a move then nop'ing a redundant jne instruction so that the program then believes it has been registered. Because we bothered to check the magic 07D0 bytes we found that just nop'ing the jne instruction was not enough on its own to properly *crack* this program. A little investigation on our part can save a great deal of time looking for the reason why the program produces unexpected results after being *cracked*..
My thanks and gratitude goes to:-
Fravia+ for providing possibly the greatest source of Reverse Engineering knowledge on the Web.
+ORC for showing me the light at the end of the tunnel.
Do I really have to remind you all that buying and NOT stealing the software you use will ensure that these software houses will continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges in breaking their often weak protection systems.
If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.