* StringData Ref from Data Obj ->"Caution!  We have detected a virus "
                               ->"attached to your copy of CD Wizzard. "
                               ->" Please contact BFM Software ASAP "
                               ->"for a virus-free copy.  CD Wizzard "
                               ->"will now end."
 
:00401D51 689C574300       push 0043579C
:00401D56 E96C120000       jmp 00402FC7  ;Display message then Exit program

One thing worth noting here, if your going to have a 'Virus' checking routine implemented then it makes sense to run it as-soon-as your program runs, however, the programmers call this routine ONLY after the program has validated your serial number, as though the programmers wanted to check that you didn't cheat by altering their program's code in order to fool it into accepting your fake serial number!..  He he, read on....

On successful registration the program will store all the User's details in a file called cdw.ini which can be found in the same directory as the program itself.

UserName=The Sandman
Password=11306     <----This password is generated by the program itself
IDate=10425
         

The Essay

     
This is quite an interesting program to cut one's teeth on from a newbies point of view that is.. We have a number of choices to how *we* want to crack this babe so I offer to you, my chosen approach, although you can choose a different approach if you like using the knowledge contained within this essay..
 
Let's us begin..

As always, run this program several times, get to know how it works and of course make notes on any text messages that you feel will help you to quickly locate those all important protection routines.

Using W32Dasm create a 'Dead Listing' of this program, it's going to save us a great deal of time and will help us to familiarize ourselves with the task in hand..
 
Open up the program's String Data Resources and find the text "Thank you for registering". You will find two occurrences of this text, we want to concentrate our efforts on the first occurrence of this string.
 
:00414606 E8AC0D0000             call 004153B7 ;Process the serial no's
:0041460B 83C40C                 add esp, 0000000C
:0041460E 85C0                   test eax, eax ;Serial ok?
:00414610 741C                   je 0041462E   ;no? then beggar off cracker
:00414612 6A40                   push 00000040 ;serial valid then continue
:00414614 C705C0E0430001000000   mov dword ptr [0043E0C0], 00000001
:0041461E FF15F8124300           Call USER32.MessageBeep
:00414624 6A40                   push 00000040
:00414626 57                     push edi

* StringData Ref from Data Obj ->"Thank you for registering CD Wizzard. "
                               ->" The funds will help us produce "
                               ->"more shareware!"
 
:00414627 68D47A4300             push 00437AD4
:0041462C EB21                   jmp 0041464F

From this code snippet we can make a number of educated guesses at this stage just by working out where the conditional je (jump equal) instruction goes to.  We can also say that IF the serial no is valid (program does not jump) then two lines down from this je 0041462E instruction you'll see the program place a value of '1' into the memory location [0043EC0] which, if you've examine a number of programs you'll know that this is very likely the 'Program is REGISTERED' flag by which the rest of the program will check during the course of it's use to tell it wether it is suppose to run in Shareware or Registered mode.

Since this essay is trying to teach you 'How to Crack' rather than showing you how to steal this software we're going to *crack* this babe in stages, examining as we go what happens and why we must do certain things in order to help us understand what we must do next..

OK, fire up Wizzard and select the 'Help' menu option then choose the 'About CD Wizzard' sub menu option then finally click once on the 'Register..' button.

Fill in your first and last name then type in a 8 digit number for the password.
 
At this point press the Ctrl and D keys together.. Softice appears...

Type bpx messageboxa  then x to exit softice.

We are using the system function messageboxa so that it will allow us entry into the program's code, we are not concerned too much where this will place us, since we know where we want to be and this will allow us to do this quickly and without bother..
 
Once you've type in all the details click once on the 'Register' button, Softice should now break at the beginning of the messageboxa routine, so from here just press the 'F11' key once, the program will now tell you that your registration code was invalid, no problem, just click on the 'OK' button to close this message box and once again Softice breaks..  We should now be in CD Wizzard's program code.  If you wish to confirm this for yourself then Softice should now be waiting for your next instruction at memory offset:

XXXXXXXX:004146E4        jmp 00428FF

Now you need to:-

1. Type bc * to clear away any previous breakpoints made within Softice.
 
2. Type: u 00414606 this will display the section of code within this program we're interested in.

3. Then type: bpx 00414606 this will place a softice breakpoint just before that je 0041462E instruction that decides wether the program will allow us register it or to carry on running in Shareware Mode.

4. Now type x to leave Softice and let the program continue on..
 
5. Re-run the CD Wizzard registration process again, fill in the User details and fake 8 digit serial number then click once on the 'Register' button..

Softice breaks on our single breakpoint at memory location: XXXXXXXX:0041606

00414606 E8AC0D0000             call 004153B7

6. Now type e 0041461 this will place the cursor inside the Hex-Code window and over the byte that tells the conditional jump statement where to jump to. All you need to do now is type:

00 (zero zero) then press the 'ESC'ape button once to restore your cursor back to the Softice Input Window.

The disassembly listing should NOW change to show this:-

:00414606 E8AC0D0000             call 004153B7 ;Process the serial no's
:0041460B 83C40C                 add esp, 0000000C
:0041460E 85C0                   test eax, eax ;Serial ok?
:00414610 7400                   je 00414612   ;Accept it regardless
:00414612 6A40                   push 00000040
:00414614 C705C0E0430001000000   mov dword ptr [0043E0C0], 00000001
:0041461E FF15F8124300           Call USER32.MessageBeep
:00414624 6A40                   push 00000040
:00414626 57                     push edi

* StringData Ref from Data Obj ->"Thank you for registering CD Wizzard. "
                               ->" The funds will help us produce "
                               ->"more shareware!"
 
:00414627 68D47A4300             push 00437AD4
:0041462C EB21                   jmp 0041464F

This process is EXACTLY the same as if we had patched this program using a Hex Editor, with the difference that this 'patch' does NOT effect the copy you have on the hard disk.  We have to use a Hex Editor for that.. This 'patch' is simply a memory patch, if you reload the program this 'patch' is lost and will be replaced by the original program's code.

While still in Softice press x to leave Softice.. The program now tells you that your serial number was correct and that in order to make these changes permanent the program has to be restarted again.. So OK, do this, exit the program and then restart it..

Notice that our program is STILL running in Shareware mode!.  He he, you didn't think it was that simple did you!.. No problemo, the program has saved our User details in it's cdw.ini file but it's rejected it because the saved serial no does not match the User Name you gave it..
 
OK, exit the program again.. Fire up Softice once more (Ctrl-D) then type bc * to clear away any previous breakpoints within Softice then type bpx getprivateprofileinta then x to leave Softice.

The system function getprivateprofileinta is a 32-bit system function provided by windoz to allow programs to read information from .INI files and convert the numbers which are stored in a string format and turn them into Integer's.  Don't worry too much about Integers, suffice to say that the program will read our saved serial number from a text based file and convert this serial number into a different format which will make it easier for it to handle.

Now we're ready... Start up CD Wizzard, Softice will break...Now follow these instructions exactly...

Press 'F11'
Type 'x'
 
Press 'F11'
Type 'x'
 
Press 'F11'
Type 'x'

Press 'F11'
Type 'x'
 
Press 'F11'

If all went well you should now be here..  if not, then type bc * while still in Softice then type bpx 00401C2B then type x which should get you here.. Do this ONLY  if you are unable to get to this code snippet :-.
 
 
:00401C2B 684C584300       push 0043584C ;Read "Password" from .INI file
:00401C30 56               push esi
:00401C31 889A20E14300     mov byte ptr [edx+0043E120], bl
:00401C37 FF1558114300     Call KERNEL32.GetPrivateProfileIntA
:00401C3D 50               push eax               ;You Should land here...
:00401C3E 66A3A0CC4300     mov word ptr [0043CCA0], ax
:00401C44 FF750C           push [ebp+0C]
:00401C47 6890D74300       push 0043D790
:00401C4C E866370100       call 004153B7
:00401C51 83C40C           add esp, 0000000C
:00401C54 85C0             test eax, eax ;test results from checking serial
:00401C56 0F842E010000     je 00401D8A  ;Serial # ok? no? then "beggar off"
:00401C5C 6890D74300       push 0043D790

OK, at this point type bc * then bpx 00401C2B this will make Softice break EVERYTIME you re-run CD Wizzard without having to go through the getprivateprofileIntA routine which we HAD to do when trying to find out where the program reads our serial number from it's .INI file.. Now that we know where this happens we can set a softice breakpoint here and we know the program will always stop here whenever we re-run this program.. During testing we may need to do this several times, but since I've already done this for you this won't be necessary..

By following in our dead listing, where the je 00401D8 statement takes us we know that it directs the program to the 'beggar off cracker' message routine, which we don't like very much.. It's much better if we could prevent this by forcing the program to ALWAYS jump to accepting our serial number EVERYTIME it runs..
 
I mentioned earlier about the program checking for viruses or changes to it's code only IF the program has accepted your serial number, well, a little further down the code is where it will do this, however, we're going to divert the program so that it skips over all checking of the serial number AND the routine that checks for any changes to the program's code, in fact we're going from here directly into our 'registration' routine which as it happens starts after the virus checking routine!..
 
So here's where our patch goes..

:00401C54 85C0             test eax, eax ;test results from checking serial
:00401C56 0F84FF000000     je 00401D5B  ;If invalid serial than accept it!
:00401C5C 6890D74300       push 0043D790

All we did here was to change the address where the program will go if the serial no is invalid and change it to the 'Good cracker routine'.
 
Job Done.
 

The 'Crack'

 
Here's how to 'patch' this target program so that it will be fully registered..:)
 
1. Locate the file: C:\Program Files\CD Wizzard\cdw.ini (Use Windows Notepad)
2. Enter these lines under the heading [CDWizzard]

[CD Wizzard]
UserName=PLACE_YOUR_NAME/HANDLE HERE
Password=PLACE_A_FOUR-SIX_DIGIT_NUMBER_HERE
 
3. Save this file.
4. Load up cdw..exe into your favorite Hex-Editor ( I prefer hexWorkshop-32) but just about any hexeditor will do..
 
5.SEARCH FOR THE FOLLOWING BYTES : 85C0741C6A40C705
  REPLACE WITH HIGHLIGHTED BYTES : 85C074006A40C705
 
6.SEARCH FOR THE FOLLOWING BYTES : 85C00F842E010000
  REPLACE WITH HIGHLIGHTED BYTES : 85C00F84FF000000
 

Final Notes

 
This was perhaps, a harder way to crack this program, requiring two patches to the program's code in order to make it run as a fully registered program.  It might have been easier to sniff out where the program generates it's correct serial number and use that to register the program with.. Perhaps some will do this and send in their essay on how to do this for everyone to read?

In response to the above request, 'The Snake' has written a tutorial [26/11/98] that explains how you can sniff out the serial number for CD WIZZARD which you can read HERE. Thanks Snake..:)
 
My thanks and gratitude goes to:-
 
Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
 
+ORC for showing me the light at the end of the tunnel.
 

Ob Duh

 
Do I really have to remind you all that by buying and NOT stealing the software you use will ensure that these software houses will continue to  produce even *better* software for us to use and more importantly, to continue offering even more challenges to breaking their often weak protection systems.
 
If your looking for cracks or serial numbers from these pages then your wasting your time, try searching elsewhere on the Web under Warze, Cracks etc.