There is a crack, a crack in everything. That's how the light gets in.

When the program's main screen comes up, click on Help and then on Register.
Press CTRL-D to drop into SoftICE, set a breakpoint on GetWindowTextA
(type BPX GETWINDOWTEXTA), then return to the program by typing x.
Back in the program, enter a fake registration number in the text box and
click on "OK". You will be thrown back into SoftICE at the start of
USER32!GetWindowTextA. Hit F11 to step out of this call. I took the liberty,
at this point, of stepping through the next several calls, but they aren't
very interesting from our point of view. Hit F10 until you get to:

:0043A391 CMP CL, 70

A couple of lines down from that is:

:0043A396 CMP CL, 50

Well! It seems the program is looking for a 'p' (70h) or a 'P' (50h) as the
first character of the registration number (if you type d esp+1c you will
see the fake serial number that you entered). To satisfy the CMP, type
r cl=70 (or r cl=50).

Hit F10 until you reach the next CMP instruction:

:0043A3A1 CMP CL, 72

Now the program is checking whether the second character of the
registration number is an 'r' or an 'R'. Satisfy this check, too, by typing
r cl=72.

Hit F10 until you reach:

:0043A3B1 CMP CL, 73

Here the program is checking whether the third character of the
registration number is an 's' or an 'S'. As above, satisfy it by typing
r cl=73.

Hit F10 until you come to the next compare:

:0043A3BD CMP BYTE PTR [ESP+23], 31

Not only is the program now looking for a '1' (31h is the ASCII code for
'1'), but it wants that '1' to be the eighth character you entered
(the string starts at esp+1c, so esp+23 is offset 7). Satisfy it by typing
eb esp+23 31 (this edits the byte at esp+23 and changes it to 31).

Hit F10 until you get to the next compare:

:0043A3CA CMP CL, 7A

Now the program is looking for a 'z' or a 'Z' at esp+27, which is the 12th
character of the registration number. Type r cl=7a to satisfy this check.

Hit F10 a couple more times. Hmmm... no more compares. I'm curious now.
Disable the breakpoint (type bd *) and type x to return to the program.

Hey! We get a message box thanking us for registering. Click on OK and then
exit the program (I told you that I was curious, didn't I?). Now restart the
program. What's this?? The nag screen is back! Hmm... Click on "I Agree".
Now try to register the program with prsxxxx1xxxz (the x's in the
registration code can be anything you want, since the program never checks
those characters).

It works! Program cracked.

NOTE:
We arrived at prsxxxx1xxxz because the program checked only that the first
character is a 'p', the second an 'r', the third an 's', the eighth a '1',
and the 12th a 'z'.
My thanks and gratitude go to:
Fravia+, for providing possibly the greatest source of reverse engineering
knowledge on the Web.
+ORC, for showing me the light at the end of the tunnel.