October 1998
"Cracking Site Builder v1.2"
Win '95 PROGRAM
Win Code Reversing
by KLee8084

Code Reversing For Beginners

Program Details
Program Name: setup.exe
Program Type: HTML Editor
Program Location: here
Program Size: 6.2 meg

Tools Used:
Softice V3.2 - Debugger

Rating: Easy ( X ) Medium ( ) Hard ( ) Pro ( )

There is a crack, a crack in everything. That's how the light gets in.

Site Builder v1.2 Serial Number Fishing
Written by KLee8084
(as requested by Jerry)
Site Builder v1.2 is a nice HTML editor with FTP capabilities, etc...
About this protection system

This program uses the standard Name/Serial number protection system.
First of all, this program plays a trick on you. If you have previously
installed this program and tried to register it, it changes the memory
location of the real serial number.
To start from scratch, you need to edit your system's registry (use regedit).
Find and delete all SITEBUILD and Patrik Nilsson keys. This will bring
the program back to the virgin state. Ready? Let's go!
Install the program and run it. A nag screen will pop up that tells
you that you have only 50 uses and makes you wait a number of seconds until
you can click on the OK button.
Let the nag screen run, and then click on the OK button.
A tip window will then pop up. Click on the window's CLOSE button.
Now, in the program itself, click on Help and then click on Register.
In the box that pops up, enter your Name and a fake Serial number.
The Name that I had entered was Registered
and the fake serial number was 1234-5678.
Now, hit CTRL-D to go into Softice.
Once in Softice, set a breakpoint on the MessageBeep function (the
other functions don't seem to work...try them) by typing BPX MESSAGEBEEP.
Now, hit CTRL-D again to return to the program.
Ready? Click on OK.
We are now in Softice at the start of USER32!MessageBeep.
F11 to step out of this function.
We return here:
:0040AE77 PUSH 00
If you look upwards, you'll see this:
:0040AE6E JMP 0040AEC4
:0040AE70 PUSH 00                    <- Start of the MessageBeep routine
:0040AE72 CALL USER32!MessageBeep
:0040AE77 PUSH 00                    <- We are here, now
Notice that this MessageBeep routine really starts at :0040AE70.
Scroll upwards (CTRL-UP ARROW) until you find a reference to 0040AE70.
:0040AD55 JZ 0040AE70
Do you see the call that is 3 instructions above this jump?
:0040AD4D CALL 0046E684
You'll want to set a breakpoint on this call (don't forget to kill off
your other breakpoint by typing bc *) by typing BPX 0040AD4D.
Press CTRL-D to return to the program.
Click on OK.
Now, again click on Help and then on Register.
Enter your Name and fake Serial number.
Click on OK.
We are now back in Softice at the call:
:0040AD4D CALL 0046E684
F8 into this call.
F8 until:
:0046E68C MOV [EBP-04], EAX
If you type d @eax you'll see your fake serial number.
F8 until:
:0046E698 CALL 00493F60
F8 into this call.
F8 until you reach the next call:
:00493F7A CALL 00493144
F8 into THIS call as well.
F8 until:
:00493148 CALL [0050871C]
F8 into this call.
F8 until you reach:
:00492D48 CALL KERNEL32!EnterCriticalSection
This call can be stepped over.
F10 over this call.
F8 until you reach this interesting instruction:
:00492DD4 CMP EDI, [0050F294]
I wonder what's at 0050F294?
Type d @0050F294
Hmmm....I see 561568-566443-396428
If you don't see your number, then use regedit and delete all SITEBUILD
and Patrik Nilsson keys, and then redo the steps in this tutorial.
Clear your breakpoint by typing bc *
CTRL-D to go back to the program.
Re-register with your Name and the Serial number that you found.
Tada! Program cracked...
None.
Site Builder v1.2 has a simple protection scheme (apart from the memory
relocation of the real serial if the program is not in the virgin state).
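The weakness the tutorial lands on at :00492DD4 is a design one: the genuine serial is resident in a global and the entered string is compared straight against it, so whoever can display that global in a debugger reads the real serial. The following C is an added illustration, not code from the page or from Site Builder, and its names, serial value and hash construction are assumptions: it shows that weak pattern beside a variant in which the binary holds only a verifier derived from name and serial, so the serial itself is never stored in the process. The FNV-1a-style hash stands in for a real keyed MAC or signature check purely to keep the example self-contained.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample values: the name and the serial the tutorial reports
   seeing in memory. */
#define SAMPLE_NAME   "Registered"
#define SAMPLE_SERIAL "561568-566443-396428"

/* Weak design, mirroring the pattern found at :00492DD4: the genuine serial
   lives in a global and the entered string is compared against it, so a
   plain memory display of that global gives the serial away. */
static const char REAL_SERIAL[] = SAMPLE_SERIAL;

int weak_check(const char *entered)
{
    return strcmp(entered, REAL_SERIAL) == 0;
}

/* 64-bit FNV-1a-style hash over name and serial with a separator between the
   two parts. Assumption: a self-contained stand-in for a real keyed MAC or
   signature verifier, not a recommendation to use FNV for licensing. */
uint64_t make_verifier(const char *name, const char *serial)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    const char *parts[2] = { name, serial };
    for (int p = 0; p < 2; p++) {
        for (const unsigned char *s = (const unsigned char *)parts[p]; *s; s++) {
            h ^= *s;
            h *= 0x100000001b3ULL;
        }
        h ^= 0x1f;                 /* domain separator: "ab"+"c" != "a"+"bc" */
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Hardened design: the binary ships only stored_verifier (computed once by
   the vendor, here at startup for the demo). The real serial is never present
   in the process, so displaying the global the check reads yields only a
   hash, and the verifier is bound to the name as well as the serial. */
int hardened_check(const char *name, const char *entered, uint64_t stored_verifier)
{
    return make_verifier(name, entered) == stored_verifier;
}

int main(void)
{
    uint64_t v = make_verifier(SAMPLE_NAME, SAMPLE_SERIAL);   /* vendor-side step */
    printf("weak, fake serial:     %d\n", weak_check("1234-5678"));
    printf("weak, real serial:     %d\n", weak_check(SAMPLE_SERIAL));
    printf("hardened, fake serial: %d\n", hardened_check(SAMPLE_NAME, "1234-5678", v));
    printf("hardened, real serial: %d\n", hardened_check(SAMPLE_NAME, SAMPLE_SERIAL, v));
    printf("hardened, other name:  %d\n", hardened_check("Other Name", SAMPLE_SERIAL, v));
    return 0;
}
```

The verifier approach removes the secret from memory but does not change the fact that the program still decides pass or fail in one compare; a product that wants more than that verifies a signature over the name with an embedded public key, so that nothing recoverable from the binary can produce a valid serial.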
Do I really have to remind you all that buying and NOT stealing the
software you use will ensure that these software houses continue to produce
even *better* software for us to use and, more importantly, continue offering
even more challenges to breaking their often weak protection systems?
If you're looking for cracks or serial numbers from these pages then you're
wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.
Essay by: KLee8084
Page Created: 18th October 1998