There is a crack, a crack in everything. That's how the light gets in.
It's a demo with no registration code, but when you drag your Money file onto the program window the output is the recovered password with only the first two letters readable.
No problems on install, but during the first run Moneykey searches for c:\window\moneykey.ini; I'm sure this is a registration file, but I have no clue what could be inside it.
I tried creating a fake moneykey.ini with various "serial", "registration code" etc. lines: obviously this approach doesn't work.
Then I started using some Zen (thanks +ORC); when I drag a Money file the output is:

Recovering password for the file:
C:\WINDOWS\Desktop\1997.mny
The password is: 'TO*****' (no quotes)

Now I don't think the programmers are so good that they decrypt just the first two letters of a password; I think they simply use "*" to cover the other characters.
2Ah is the ASCII code for "*", so we must search the disassembled code for something like mov xyz, 2A (where xyz could be eax, ebx, ecx or some memory pointer).
With W32Dasm, or in the text file it generates, search for ", 2A" and you land directly on:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040135E(C)
|
:00401357 C6002A    mov byte ptr [eax], 2A   ; this puts "*" (= ASCII 2A) over the decrypted password
:0040135A 40        inc eax

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040134E(C), :00401355(U)
|
:0040135B 803800    cmp byte ptr [eax], 00
:0040135E 75F7      jne 00401357
Just to confirm our suspicion, run the program...
1. Fire up SoftICE by pressing CTRL-D.
2. Type: bpx hmemcpy, then x to leave SoftICE.
3. Drag your Money file into the target window.
4. SoftICE breaks at the beginning of hmemcpy.
5. Press F12 7-8 times until you reach the Moneykey code.
6. Now type: bc * to clear the previous breakpoint, then bpx 401357, then x to leave SoftICE.
7. Drag your Money file into the target window once more.
8. SoftICE breaks at :00401357 C6002A mov byte ptr [eax], 2A.
9. Type d eax and look at the memory window: YES, it's your complete decrypted password!
That's all; now we know where and how to patch this stupid protection.
At
00401357 C6002A    mov byte ptr [eax], 2A
and at (the protection routine is repeated twice, I think for Money97/Money98 files)
:00401A8A C6002A    mov byte ptr [eax], 2A
substitute C6 00 2A with 90 90 90.
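The flaw this essay turns on, as an added C model (not Moneykey's code; the sample record, the XOR "cipher" and the password TOMMY97 are constructed): the demo recovers the whole password first and only afterwards masks it, so the complete secret sits in memory between the two steps. The hardened variant derives only the characters the demo is allowed to show, so there is nothing for the masking loop to hide.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample: a 7-character password stored XORed with a fixed key.
 * Neither the .mny format nor Moneykey's real recovery routine is on the page;
 * this stand-in only models where the plaintext lives and when. */
#define XOR_KEY 0x5A
static const unsigned char SAMPLE_RECORD[] = {
    'T' ^ XOR_KEY, 'O' ^ XOR_KEY, 'M' ^ XOR_KEY, 'M' ^ XOR_KEY,
    'Y' ^ XOR_KEY, '9' ^ XOR_KEY, '7' ^ XOR_KEY
};
#define PW_LEN (sizeof SAMPLE_RECORD)

/* Weak design, step 1: recover the complete password into out. */
int recover_full(char *out, size_t outsz)
{
    if (outsz < PW_LEN + 1)
        return -1;
    for (size_t i = 0; i < PW_LEN; i++)
        out[i] = (char)(SAMPLE_RECORD[i] ^ XOR_KEY);
    out[PW_LEN] = '\0';
    return 0;
}

/* Weak design, step 2: the loop at :00401357 written in C. Starting after the
 * first `keep` characters, every byte up to the NUL is overwritten with 0x2A
 * ('*'). Between step 1 and step 2 the whole secret sits in out, which is
 * why a breakpoint on that store shows the complete password. */
void mask_in_place(char *out, size_t keep)
{
    size_t len = strlen(out);
    char *p = out + (keep < len ? keep : len);
    while (*p != '\0')
        *p++ = 0x2A;
}

/* Hardened demo: only the characters the demo may show are ever derived;
 * the remaining positions are written as '*' directly, so the full
 * plaintext never exists in the output buffer for a debugger to read. */
int recover_demo(char *out, size_t outsz, size_t keep)
{
    if (outsz < PW_LEN + 1)
        return -1;
    for (size_t i = 0; i < PW_LEN; i++)
        out[i] = (i < keep) ? (char)(SAMPLE_RECORD[i] ^ XOR_KEY) : '*';
    out[PW_LEN] = '\0';
    return 0;
}
```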
First, to the programmers: use your minds not just for password-decryption routines, but also to give us less obvious protections.
Second, to the Micro$oft users: don't use any password protection from Bill "Big Brother" Gates; they are really weak protections.
My thanks and gratitude go to:
Fravia+ for providing possibly the greatest source of reverse engineering knowledge on the Web.
+ORC for showing me the light at the end of the tunnel.
Ripping off software through serials and cracks is for lamers.
If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.