"TechView v1.20 - 6/1/97 Shareware Dean Software Design. www.winutils.com
Registration $19.99.
 
TechView is a Windows 95/NT utility to view any file or folder of any size. TechView allows you to view a file as it appears on your system or in Hex (debug) mode, or with a specific number of bytes per line or by having each line end with a character you specify. TechView has a registry viewer to examine the file registry. TechView also has Windows 95 screen capture tool to let you capture any window or portion of the screen then view it, save it, print it or copy it to the clipboard. TechView will accept files dropped onto it from other applications or files from the command line. You can search locally or on remote drives for:
Files, Words in Files, Images and Cont- ents of compressed files.  This is the Windows 95/NT (32bit) rewrite of the popular 16bit InfView file viewer (superior shareware)."
 

About this protection system

 
This program is registered by selecting the 'Help' button, then the 'About' button and finally via the 'Use Registration Key' Button'!!. 
 
First Name:
Last Name:
Registration Key:
 
On successful registration the following entries are created within your Registry File:
 
HKEY CURRENT USER\Software\Dean Software\Techview\Config\

RegStat= "TSBJJ7800"
 

The Essay

     
Our first job as always is to run the target program a few times and make notes of any/all messages regarding failed registration attempts etc.  These will be our 'sign posts' for when we create a 'dead listing' of this program.  It's amazing that Shareware programmers still don't try and hide these messages within their code,  it would certainly give 'us' crackers more entertainment than simply searching through the 'dead listing' for certain text sequences which we know will take us to almost the center of their protection system.. Oh well..
 
Next, create a 'dead listing' of this program using W32Dasm, this will give us a better view of the overall program as well as show us how best to attack this program.
 
OK, do your search in the target program's String Data Resources and make notes of any references to the System registry file and for anything that *looks* like a 'serial number', yep, even today many shareware programs have their serial number(s) pre built into their program in full, easy view of any hex-editor!.
 
At this point I performed a search for the text "Registration Key Failed!" since this is the text that is used when we try and register this program and fail.
 
* Referenced by a (C)onditional Jump at Address:00466141
 
:0046620E 6A30               push 00000030
:00466210 E877F5F9FF         Call user32.MessageBeep
:00466215 B82C634600         mov eax, 0046632C ;"Registration Key Failed!"
:0046621A E8C9EBFCFF         call 00434DE8
:0046621F 8B45FC             mov eax, dword ptr [ebp-04]
:00466222 E891FAFBFF         call 00425CB8
 
Incidentally, if you look above this routine in W32Dasm you'll see the routine that display's: "Registration Key accepted!" when the User enter's a valid serial number into the program. Can you see that the programmer(s) have tried to make it a ittle difficult for you to find out where this 'Good Guy' routine is called from?. There aren't any references to it, unlike the 'Beggar off Cracker' message.. Hehehe, that's ok because we don't need to know this..:)
 
Ok, W32Dasm tells us that at memory offset ::00466141 there is conditional jump instruction that, when 'set' (serial number found to be incorrect) it jumps to our 'Beggar off cracker' routine, so lets see this section of code:-
 
:0046613C E843CAF9FF              call 00402B84 ;Check your serial No
                                                ;against the one the
                                                ;program expects you to
                                                ;have typed in.

:00466141 0F85C7000000            jne 0046620E  ;If serial numbers are
                                                ;NOT equal, then jump to
                                                ;the 'beggar off cracker
                                                ;routine.

:00466147 8D45AB                  lea eax, dword ptr [ebp-55]

OK, we know know where the conditional jump is, and where it will jump when the program finds our serial number invalid, so we should now get a softice breakpoint on this jne instruction to analysie it further. Fire up the target program again, select the 'Help' then 'About' menu options and then click on the 'Use Registration Key' button.  Now fill-in the details asked by the program.

In my case I used:-

First Name          : The
Second Name    : Sandman
Registration Key: 7777777

Once you've done this press 'Ctrl-D'  keys together so that we can start up Softice.

OK, what we're going to do is to tell Softice to break on any calls to the system function hmemcpy, since this program does not use the 'conventional' MessageboxA or messagebox routines. (32-bit programs naturally use 32-bit system functions that end with the letter 'A' after the function name while 16-bit programs use the similar sounding function names but don't have the letter 'A' at the end of them.   Routines ending with 'A' signify 32-bit code, those without the letter 'A' signify 16 bit functions.

Hmemcpy is a system function, which in this particular case  'grabs' key presses and converts them to ascii letters, then displays these key presses on your screen. It has many other uses but this won't be covered in this essay.

Ok, now type: bpx hmemcpy then x to leave Softice.

Once you've done that now try and add an extra number to your fake registration key, so if you have seven '7's try and type an extra 7 so that you end up with eight 7's.
 
Softice will now break at  exactly the same time as you pressed a key but before it has been displayed on your screen.
 
Right, now we must somehow get back into Techview's code and we can do this simply by pressing the 'F12' key TEN TIMES..
 
It's unimportant where we land in the target program's code, all we want to do is place a softice breakpoint close by that jne 0046620E instruction that we worked out in our dead listing calls the 'Beggar off cracker' routine.. Never lose sight of your objects..
 
Now that we're in the target program's code lets get rid of the hmemcpy breakpoint still set within Softice by typing bc * then  type: bpx 0046613C
 
This will tells Softice to break on the call 00402B84 that compares our serial number against the one the program expects you to have typed in.
 
Now type x to leave Softice and we should now see our 'extra' digit/letter added to our fake serial number.  If you used my SEVEN '7's for the registration key then now their will be EIGHT '7's showing..
 
NOW press the 'Register' button, Softice should now break on our call 00402B84 instruction at memory offset: :0046613C
 
At this point, had we decided to attack the program via it's actual registration number then if you type: d eax then you will see TWO serial numbers, the first one is the 'real' serial the program expects you to use and the second one is the area in memory where  the program has set aside to use as a kind of scratch pad ( I think). Notice that the first serial number is preceded with a '09' byte.. I will let you work out yourself what '09' means.. Oh, one more thing, if you try and use the serial number shown by the eax register then you still won't be able to register the program, you need to explore the code called by the Call 00402B84 to see why..:)  Perhaps someone want's to write an essay to show how the program can be registered via the serial number method?. I leave that to you.
 
Anyway, back to this essay...
 
Here's where some clever thinking can make the difference between a *good* patch and *good* crack!.

Lets examine again, the section of code we're working on in a little more detail..

:0046613C E843CAF9FF              call 00402B84 ;Check your serial No
                                                ;against the one the
                                                ;program expects you to
                                                ;have typed in.

:00466141 0F85C7000000            jne 0046620E  ;If serial numbers are
                                                ;NOT equal, then jump to
                                                ;the 'beggar off cracker
                                                ;routine.

:00466147 8D45AB                  lea eax, dword ptr [ebp-55]
 
Since the jne 0046620E decides wether or not to allow the program to become registered or display the 'Beggar off cracker' message we have a number of choices to how we can *patch* this program so that anyone using can easily get it to register itself:-

CRACK METHOD ONE - Noping a conditional jump
 
1. The obvious choice for newbies is to simply Nop (90h) out the jump instruction completely, but you must be aware that *some* program will, and do check to see if you do this and then take the necessary action as defined by the programmer(s).  If the program does not check for this kind of *cracking* then this method is usually 100% effective.
 
Load up techview.exe into your favorite hex edit then:-

SEARCH FOR THE FOLLOWING BYTES: FF0F85C7000000
THEN REPLACE HIGHLIGHTED BYTES: FF909090909090
 
The code will now look like this after it's been patched:
 
:0046613C E843CAF9FF              call 00402B84
:00466141 90                      nop
:00466142 90                      nop
:00466143 90                      nop
:00466144 90                      nop
:00466145 90                      nop
:00466146 90                      nop
:00466147 8D45AB                  lea eax, dword ptr [ebp-55]
 
 

CRACK METHOD TWO - Changing a conditional jump into a unconditional jump
 
2. You could change the jne instruction into a unconditional jump so that it 'jumps' to the NEXT LINE BELOW ITSELF.  This is another 'newbie' method of *cracking* and again, *some* programs do check for this kind of *cracking*. If the program does not check for this kind of patching then this method is usually 100% effective.
 
Load up techview.exe into your favorite hex edit then:-

SEARCH FOR THE FOLLOWING BYTES: FF0F85C7000000
THEN REPLACE HIGHLIGHTED BYTES: FFEB0090909090
 
The resulting code will look like this:-

:0046613C E843CAF9FF              call 00402B84
:00466141 EB00                    jmp  00466143
:00466143 90                      nop
:00466144 90                      nop
:00466145 90                      nop
:00466146 90                      nop
:00466147 8D45AB                  lea eax, dword ptr [ebp-55]
 
* Please note, since we have changed a 'far' jump instruction that takes six bytes and replaced it with a a 'local'jump instruction we have four 'spare' bytes to fill-in with nop's. *
 
 
CRACK METHOD THREE - Reversing the rules of acceptance of serial numbers
 
3. Change the jne instruction into a jz instruction.  Which means that if the User types in the wrong serial number then the program will 'treat' this as being correct and allow the program to *register* itself just as though you had typed in the correct serial number in the first place!. This method is a little different from the 'normal' methods used to crack programs and is not normally checked for, I haven't come across a program checking for this kind of crack yet.  The only dis-advantage to this *cracking* method is if the User guesses correctly or, enters the *real* serial number into the program, then the program will then treat the serial number as being 'invalid'!.. In this case the User would then have to type in a serial key (any sequence of numbers) that they know is DEFINITELY wrong so that the program accepts it.  No big deal..
 
Load up techview.exe into your favorite hex edit then:-

SEARCH FOR THE FOLLOWING BYTES: FF0F85C7000000
THEN REPLACE HIGHLIGHTED BYTES: FF0F84C7000000
 
The resulting code will look like this:-
 
:0046613C E843CAF9FF              call 00402B84
:00466141 0F85C7000000            jz 0046620E
:00466147 8D45AB                  lea eax, dword ptr [ebp-55]
 
*What I've done here was to check which internal flags were NOT 'set' when you get the serial number wrong and then said: If the Zero flag is not set 'i.e User entered an invalid serial number' then accept the serial as being the correct. *

Job Done.
 

The 'Crack'

 
See the above THREE examples.
 

Final Notes

 
Another interesting program to practice on.  We explored three different methods to perform our patch on a single instruction, taking into account the advantages and disadvantages associated with each method. Increasingly, we are compelled to learn more and more assembler to perform better cracks & patches if we are to stay ahead of the programmer(s).

My thanks and gratitude goes to:-
 
Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
 
+ORC for showing me the light at the end of the tunnel.
 

Ob Duh

 
Do I really have to remind you all that by buying and NOT stealing the software you use will ensure that these software houses will continue to  produce even *better* software for us to use and more importantly, to continue offering even more challenges to breaking their often weak protection systems.
 
If your looking for cracks or serial numbers from these pages then your wasting your time, try searching elsewhere on the Web under Warze, Cracks etc.