There is a crack, a crack in everything. That's how the light gets in.
The programs are:-
GSC GroundStation Control. This program provides housekeeping and scheduling functions for the complete groundstation package. Features include file deletion and log processing along with system-wide setup functions.
MSPE MicroSat Protocol Engine. This program provides all the uploading and downloading functions required to access the satellites.
View-Dir View Directory. This provides the directory viewing and message viewing/reply functions, along with some message housekeeping functions.
MsgMaker Message Maker. All message creation and replies are performed through Message Maker. It gives the user a large amount of flexibility when sending messages and binary files while still providing a quick, automated function.
ProcMail Process Mail. Processes received messages as they are downloaded from the satellite, and places them in the required directories for viewing.
MsgView Message Viewer. Views all ASCII messages received from the satellite. Messages can be replied to and deleted.
UpdKeps Update Keps. Automatically updates the Keplerian database when new keps files are received from the satellite.
WiSP-TLM. The WiSP Telemetry decoder works with MSPE to display real-time telemetry while the pass is in progress.
On successful registration, the CALL SIGN (user name) you used to register this program with will be placed in your System Registry here:-
HKEY_LOCAL_MACHINE\SOFTWARE\WiSP\Station
Callsign = "GB 34567"   <----Change this to whatever you wish.
Although I cracked this program without resorting to a dead listing, I still recommend that everyone creates one using W32Dasm. It will help you greatly to get a visual idea of where these protection routines are and how they connect with each other..
Let's begin..
Firstly, fire up GSC.EXE and you'll be prompted to enter your User Name and a Registration Number, so put some details into these input boxes.
Next, press Ctrl-D to start up Softice and type bpx messageboxa, then 'X' to leave Softice.
Now click on the 'Register' button.
Softice now breaks at the start of the MessageBoxA routine, so press the 'F11' key once. A messagebox appears on your screen informing you that the registration code was incorrect.. Click on the 'OK' button and Softice breaks again and we land here:-
:0041FDC3 E822FCFFFF              call 0041F9EA                 ;Check Registration Numbers
                                                                ;returns either:
                                                                ;EAX = 0 Wrong Serial
                                                                ;EAX = 1 Correct Serial
:0041FDC8 85C0                    test eax, eax                 ;Incorrect serial?
:0041FDCA 7437                    je 0041FE03                   ;Then Beggar off cracker
;
; Look! memory location [00452A00] is having the value of '1' placed into
; it! This is a 'classic' example of how the 'REG FLAG' is used within
; programs. If the serial is found to be correct then place a '1' into
; a specific memory location that the program then checks while it's
; running to see if it's been registered. The default value for this
; memory location is 99 times out of 100 always '0', representing that it
; is running in Shareware Mode.
;
:0041FDCC C705002A450001000000    mov dword ptr [00452A00], 00000001
:0041FDD6 6A40                    push 00000040
:0041FDD8 6898AF4400              push 0044AF98                 ->"Registration Complete"

* StringData Ref from Data Obj ->"Thank you for registering your copy of WiSP."

:0041FDDD 68B0AF4400              push 0044AFB0                 ;The 'Thank you for..' messg
:0041FDE2 8B0DB4204500            mov ecx, dword ptr [004520B4]
:0041FDE8 51                      push ecx
:0041FDE9 FF15A8764500            Call USER32.MessageBoxA
:0041FDEF 68E0AF4400              push 0044AFE0                 ;Msg box title
:0041FDF4 8B15B4204500            mov edx, dword ptr [004520B4]
:0041FDFA 52                      push edx
:0041FDFB FF1598764500            Call USER32.SetWindowTextA
:0041FE01 EB25                    jmp 0041FE28
:0041FE03 8B45EC                  mov eax, dword ptr [ebp-14]   ;If serial is invalid
                                                                ;then come here.
:0041FE06 50                      push eax
:0041FE07 FF1558744500            Call ADVAPI32.RegCloseKey
:0041FE0D 6A30                    push 00000030
:0041FE0F 68F8AF4400              push 0044AFF8                 ->"Registration Error"

* StringData Ref from Data Obj ->"Incorrect registration number. Please ensure your number and callsign are correct and try again."

:0041FE14 680CB04400              push 0044B00C
:0041FE19 8B0DB4204500            mov ecx, dword ptr [004520B4]
:0041FE1F 51                      push ecx
:0041FE20 FF15A8764500            Call USER32.MessageBoxA       ;Show Beggar off
                                                                ;Cracker Message.
:0041FE26 EB0C                    jmp 0041FE34                  ;We land here after
                                                                ;returning from setting a
                                                                ;Softice Breakpoint on:
                                                                ;bpx messageboxa
Look at the above code and study it. My own personal approach to cracking this type of program is to back-track through the code, starting from where the 'Beggar off cracker' message is, UNTIL I come across the FIRST conditional jump instruction that decides which of the above two messages gets executed.
Our two messages are: "Thank you for registering..." and "Incorrect registration..."
OK, here again is the first conditional jump statement I found:-
:0041FDC3 E822FCFFFF              call 0041F9EA                 ;Check Registration Numbers
                                                                ;returns either:
                                                                ;EAX = 0 Wrong Serial
                                                                ;EAX = 1 Correct Serial
:0041FDC8 85C0                    test eax, eax                 ;Incorrect serial?
:0041FDCA 7437                    je 0041FE03                   ;Then Beggar off cracker
Simply NOP'ing out the je 0041FE03 instruction won't help you here, because as soon as you run the program again it will find that you don't have a registration number and it will carry on running in Shareware mode.
Our next plan of attack is suggested by the instruction test eax,eax, which tells us that the above call 0041F9EA returns a value in the EAX register depending on whether the program found an invalid or a correct registration number. In this case call 0041F9EA returns either '0', meaning an invalid serial number was entered, or '1', meaning a correct serial number was found.
This kind of setup is a 'classic' example of what many programs use today, and the patch I'm about to show you will work on many of these programs with little or no modification.
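Before trusting a back-trace like the one above, it is worth confirming that the targets the disassembler printed really follow from the bytes in the listing. The following Python script is an added example (mine, not part of the original essay or of WiSP): it recomputes the call/jmp/je targets from the raw bytes and decodes the 'REG FLAG' store at 0041FDCC. The sample lines are transcribed from the essay's listings; the parser, the opcode table and the function names are my own.

```python
"""Recompute the branch targets and the REG FLAG store in a W32Dasm-style listing.

Added example, not from the original essay or from WiSP: the sample lines are
transcribed from the essay's listings; everything else here is mine.
"""
import re
import struct

# Constructed sample: lines transcribed from the essay's listings (address, bytes, text).
LISTING = """
:0041FDC3 E822FCFFFF call 0041F9EA
:0041FDC8 85C0 test eax, eax
:0041FDCA 7437 je 0041FE03
:0041FDCC C705002A450001000000 mov dword ptr [00452A00], 00000001
:0041FE01 EB25 jmp 0041FE28
:0041FE26 EB0C jmp 0041FE34
:0041FC36 7507 jne 0041FC3F
:0041FC3D EB02 jmp 0041FC41
"""

LINE_RE = re.compile(r"^:([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+(.*)$")

# Short conditional jumps: opcode 0x70..0x7F followed by one signed 8-bit displacement.
JCC = {0x70: "jo", 0x71: "jno", 0x72: "jb", 0x73: "jae", 0x74: "je", 0x75: "jne",
       0x76: "jbe", 0x77: "ja", 0x78: "js", 0x79: "jns", 0x7A: "jp", 0x7B: "jnp",
       0x7C: "jl", 0x7D: "jge", 0x7E: "jle", 0x7F: "jg"}


def parse_listing(text):
    """Return [(address, raw bytes, disassembly text)] for every ':ADDR BYTES text' line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1), 16), bytes.fromhex(m.group(2)), m.group(3)))
    return rows


def branch_target(addr, code):
    """Return (mnemonic, absolute target) for a relative call/jmp/jcc, else None.

    The target is the address of the *next* instruction plus the signed
    displacement, which is why the instruction length is added first.
    """
    op = code[0]
    if op in (0xE8, 0xE9) and len(code) == 5:          # call rel32 / jmp rel32
        rel = struct.unpack("<i", code[1:5])[0]
        return ("call" if op == 0xE8 else "jmp"), (addr + 5 + rel) & 0xFFFFFFFF
    if op == 0xEB and len(code) == 2:                  # jmp rel8
        rel = struct.unpack("<b", code[1:2])[0]
        return "jmp", (addr + 2 + rel) & 0xFFFFFFFF
    if op in JCC and len(code) == 2:                   # jcc rel8
        rel = struct.unpack("<b", code[1:2])[0]
        return JCC[op], (addr + 2 + rel) & 0xFFFFFFFF
    return None


def decode_flag_store(code):
    """Recognise 'mov dword ptr [disp32], imm32' (C7 05 disp32 imm32); return (address, value) or None."""
    if len(code) == 10 and code[0] == 0xC7 and code[1] == 0x05:
        disp, imm = struct.unpack("<II", code[2:10])
        return disp, imm
    return None


def check_listing(text):
    """Compare each branch target recomputed from the bytes with the one the
    disassembler printed. Returns [(address, mnemonic, computed, printed, agrees)]."""
    results = []
    for addr, code, asm in parse_listing(text):
        branch = branch_target(addr, code)
        if branch is None:
            continue
        mnemonic, computed = branch
        m = re.search(r"\b([0-9A-Fa-f]{8})\b", asm)
        printed = int(m.group(1), 16) if m else None
        results.append((addr, mnemonic, computed, printed, computed == printed))
    return results


def flag_stores(text):
    """All direct dword stores to a fixed address, e.g. the REG FLAG write: [(address, target, value)]."""
    stores = []
    for addr, code, _ in parse_listing(text):
        decoded = decode_flag_store(code)
        if decoded:
            stores.append((addr, decoded[0], decoded[1]))
    return stores


if __name__ == "__main__":
    for addr, mnemonic, computed, printed, agrees in check_listing(LISTING):
        print(f"{addr:08X} {mnemonic:<5} computed={computed:08X} printed={printed:08X} "
              f"{'ok' if agrees else 'MISMATCH'}")
    for addr, target, value in flag_stores(LISTING):
        print(f"{addr:08X} stores {value} to [{target:08X}]")
```

Run as-is it reports every branch in the sample as agreeing with the bytes (for instance E8 22FCFFFF at 0041FDC3 is 0041FDC8 + (-0x3DE) = 0041F9EA) and lists the single flag store, 1 written to [00452A00]. A listing line whose printed target does not match its bytes is the first sign that the dump was mis-transcribed or that the bytes on disk are not what the disassembly claims.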
OK, let's follow in our dead listing where this call goes to..
* Referenced by a CALL at Addresses: :0040BD0F , :0041FDC3
;
; This routine is Call'd in two places by this program. The first time at
; startup and the second time to check your serial number when you try and
; register this program. So if we can 'break' this protection system here
; then we don't need to patch this program anywhere else!
;
:0041F9EA 55                      push ebp
:0041F9EB 8BEC                    mov ebp, esp
:0041F9ED 83EC30                  sub esp, 00000030
:0041F9F0 56                      push esi
:0041F9F1 57                      push edi

Snip...
;
; The rest of this routine is quite large so I've cut a large section of
; this code out, besides, it's irrelevant for the purpose of this essay..
;
:0041FC33 3B4DD4                  cmp ecx, dword ptr [ebp-2C]
:0041FC36 7507                    jne 0041FC3F
:0041FC38 B801000000              mov eax, 00000001             ;look!, here's where
                                                                ;this routine returns
                                                                ;a '1' in the EAX
                                                                ;register if the serial
                                                                ;is found to be valid.
:0041FC3D EB02                    jmp 0041FC41 >-:              ;Perform housekeeping
                                                :              ;tasks and exit this
                                                :              ;routine
:0041FC41 5F                      pop edi <-------:
:0041FC42 5E                      pop esi
:0041FC43 8BE5                    mov esp, ebp
:0041FC45 5D                      pop ebp
:0041FC46 C3                      ret                           ;Return
Can you see now how to *crack* this program yet? No?
Tsk Tsk.. let me show you...
The above routine must return either a '1' or a '0' in the EAX register; in our case we want to make this routine always return a value of '1', meaning our registration number was accepted by the program. Let's borrow just TWO instructions from this whole serial number checking routine and make them work for us..
Let's borrow:
mov eax, 00000001
ret
and rewrite the BEGINNING of this routine with just these two instructions so that it looks like this:-
* Referenced by a CALL at Addresses: :0040BD0F , :0041FDC3
;
; This routine is Call'd in two places by this program. The first time at
; startup and the second time to check your serial number when you try and
; register this program. So if we can 'break' this protection system here
; then we don't need to patch this program anywhere else!
;
:0041F9EA B801000000              mov eax, 00000001             ;Force EAX = 1
:0041F9EF C3                      ret                           ;Tell program to
                                                                ;return, thereby
                                                                ;ignoring the rest of
                                                                ;this routine!
:0041F9ED 83EC30                  sub esp, 00000030
:0041F9F0 56                      push esi
:0041F9F1 57                      push edi

Snip...
Can you see now? We've just cut short a large routine and turned it into a two-instruction routine instead. Now every time this routine gets called it will simply place a value of '1' into the EAX register, then return program execution to wherever it was originally called from. This 'patch' method will work in many programs currently available today on the web.
Job Done.
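Seen from the other side, those same six bytes are exactly what a file integrity check catches. The Python below is an added example (mine, not the essay's or WiSP's code): it compares the bytes of the routine as shipped with the bytes found in a copy under examination, reports every address that changed and names the constant-return stub if one sits at the entry point. ORIGINAL and PATCHED are transcribed from the two listings of the routine at 0041F9EA above; the assumption that a defender holds a known-good copy (or its hash) to compare against is mine.

```python
"""Tamper check for the serial-check routine: compare shipped bytes to a copy under test.

Added example, not from the original essay or from WiSP. ORIGINAL and PATCHED
are transcribed from the essay's two listings of the routine at 0041F9EA; the
assumption that a known-good copy (or its hash) is available for comparison is mine.
"""
import hashlib

ROUTINE_VA = 0x0041F9EA

# Entry of the routine as shipped: push ebp / mov ebp,esp / sub esp,30 / push esi / push edi
ORIGINAL = bytes.fromhex("55 8B EC 83 EC 30 56 57")
# The same bytes after the patch the essay describes: mov eax,1 / ret, remainder untouched
PATCHED = bytes.fromhex("B8 01 00 00 00 C3 56 57")

# Signature of the stub the essay describes, to be recognised at a function entry.
ENTRY_STUBS = {
    "force_true": bytes.fromhex("B8 01 00 00 00 C3"),   # mov eax,1 ; ret
}


def diff_offsets(expected, actual):
    """Offsets at which `actual` differs from `expected`; both must be the same length."""
    if len(expected) != len(actual):
        raise ValueError("region lengths differ")
    return [i for i, (e, a) in enumerate(zip(expected, actual)) if e != a]


def entry_stub(code):
    """Name of the known constant-return stub at the start of `code`, or None."""
    for name, sig in ENTRY_STUBS.items():
        if code.startswith(sig):
            return name
    return None


def audit_routine(expected, actual, base_va=ROUTINE_VA):
    """Summarise how `actual` deviates from `expected`, with offsets rebased to `base_va`."""
    changed = diff_offsets(expected, actual)
    return {
        "sha256_expected": hashlib.sha256(expected).hexdigest(),
        "sha256_actual": hashlib.sha256(actual).hexdigest(),
        "intact": not changed,
        "changed_vas": [base_va + i for i in changed],
        "entry_stub": entry_stub(actual),
    }


if __name__ == "__main__":
    for label, region in (("shipped", ORIGINAL), ("patched", PATCHED)):
        report = audit_routine(ORIGINAL, region)
        if report["intact"]:
            print(label, "intact", report["sha256_actual"][:16])
        else:
            print(label, "modified at", [f"{va:08X}" for va in report["changed_vas"]],
                  "entry stub:", report["entry_stub"])
```

On the sample data the shipped copy audits as intact and the patched copy reports six changed bytes at 0041F9EA..0041F9EF with the entry stub identified. In practice the expected bytes or hash would come from a signed manifest or a pristine installer rather than from a constant in the script, and the check would cover the whole code section, not one routine.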
My thanks and gratitude goes to:-
Fravia+ for providing possibly the greatest source of Reverse Engineering knowledge on the Web.
+ORC for showing me the light at the end of the tunnel.
Ripping off software through serials and cracks is for lamers..
If you're looking for cracks or serial numbers on these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.