... Click on Options - Register ... fill out the boxes with the following entry as an example :
Registration : [ 7171717 ] [ 01010 ]
... [OK] ... #bOOm#
.. " Error : You entered a false serial number " ... what now ?! ... let's see what we can get from 'dead listings' ... fire up W32Dasm and disassemble photoline.exe ... wait... ^%$& wait.... !!@#$% .... waiittt ..... done !! , click REFS - STRING DATA REFERENCES, look down for the message .... NONE !!? ... hmm ... I think Bad Gögging has read CrackZ's protection tips no.3 ??! ... that's alright guys .... this is going to be fun ... let's check for another 'unique' text ... snip ... snip ,,, aha ! ... "SerialNumber500" ... double click on the text ... heeii, there are 3 of them :
1. * Possible StringData Ref from Data Obj ->"SerialNumber500"
   :004DA804 6824BC5E00   push 005EBC24   ; we're gonna set bpx here
2. * Possible StringData Ref from Data Obj ->"SerialNumber500"
   :0050ED46 6824BC5E00   push 005EBC24   ; we're gonna set bpx here
3. * Possible StringData Ref from Data Obj ->"SerialNumber500"
   :0050F012 6824BC5E00   push 005EBC24   ; we're gonna set bpx here
... to me these look like a value name in the registry .. run regedit .. 'n go to HKCU\Software\Computerinsel\PhotoLine\Settings ... you'll see the value "SerialNumber500"="7171717 1010" ... we could attack this program by setting a breakpoint on the RegQueryValueExA function just before we run it.... but I'd like to try an easier way .... now enter reg again .. fill out the entry with our example key .. DO NOT push [OK] yet ... CTRL+D (to get into Sice)... BPX HMEMCPY [ENTER] ... X [ENTER] ... [OK] ... #bOOm# ... F12 11 times (to get into photoline code) ... set BPX at the 3 addresses above :
BC * [ENTER]
BPX 4DA804 [ENTER]
BPX 50ED46 [ENTER]
BPX 50F012 [ENTER]
X [ENTER]
... #bOOm# ... we're back in photoline ... move your mouse a little bit ... #bOOm# ... Break due to BPX # ... :50F012 ... heii, we broke on our 3rd breakpoint .... I don't like this ... leave Sice (X [ENTER]) ... click on ? - About Photoline ... #bOOm# ... Break due to BPX # ... :4DA804 ... aaah .. now let's analyze the code ... keep tracing ... until we get to the following code:
:004DA8D8 E853ACFBFF   call 00495530
:004DA8DD 8D4C2404     lea ecx, [esp+04]      ; ? EAX : 0000001010 ... hmmm .. seems the show (keygen routine) is about to begin ...
:004DA8E1 89442404     mov [esp+04], eax
:004DA8E5 51           push ecx
:004DA8E6 E875000000   call 004DA960          ; STEP IN (F8) here ...
... we're here now ...
004DA960 8B442404     mov eax, [esp+04]
004DA964 83EC08       sub esp, 00000008
004DA967 8B4804       mov ecx, [eax+04]      ; ? ECX : 0007171717 ...
004DA96A 85C9         test ecx, ecx          ; ands 0007171717 with 0007171717
004DA96C 750C         jne 004DA97A           ; if zero flag not set then jump to 4DA97A
... we jump to 4DA97A ....
004DA97A 8D4C2400     lea ecx, [esp]
004DA97E 51           push ecx
004DA97F 50           push eax
004DA980 E82B650400   call 00520EB0          ; keygen routine !!!
004DA985 8B44240C     mov eax, [esp+0C]      ; EAX=00006D6E85 .. ? EAX: 7168024 .. ur dummy key (7171717 01010) has changed (got mangled) in the keygen routine ...
004DA989 83C408       add esp, 00000008
004DA98C A9FF0F0000   test eax, 00000FFF     ; first check
004DA991 7407         je 004DA99A
The test instruction logically ANDs eax with the value 00000FFF. If the result is non-zero it clears the zero flag .. and we are a bad cracker ,,, but if the result is zero then the zero flag is set and we jump to 004DA99A (good cracker routine) ... of course in this case we will not jump to 4DA99A ... but let's assume we have entered a valid code .... (I've cut the bad cracker routine from here) ....
004DA99A 2500F0FFFF   and eax, FFFFF000
004DA99F 3D00D00700   cmp eax, 0007D000      ; second check
004DA9A4 7407         je 004DA9AD            ; if zero flag is set then jump to 004DA9AD (good cracker)
This instruction computes eax - 0007D000 and sets the flags according to the result. The zero flag is set if and only if eax = 0007D000.
004DA9AD A138A26200   mov eax, [0062A238]    ; here .. EAX=00000000
004DA9B2 85C0         test eax, eax          ; final check
004DA9B4 7417         je 004DA9CD            ; if everything is OK then jump to 004DA9CD (good cracker)

004DA9CD 66B80100     mov ax, 0001           ; good cracker routine
004DA9D1 83C408       add esp, 00000008      ; good cracker routine
004DA9D4 C3           ret

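As an added illustration (this is my own C, not PhotoLine's code and not the tutorial author's), here is a model of the three checks in the listing above, fed with the values the tutorial reads from EAX and from the global at 0062A238. It makes visible what an auditor of such a scheme should notice: the first two checks together accept exactly one post-keygen value (0007D000), and all three decisions funnel into conditional jumps inside one small function, so the whole registration test rests on a handful of bytes. The function names and the loop helper are mine.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the three checks at 004DA98C..004DA9B4 (added example, not the
 * program's own code). `eax` is the value the keygen routine leaves at
 * [esp+0C]; `global_flag` is the dword at 0062A238. Returns 1 where the
 * original reaches 004DA9CD (mov ax,0001), 0 otherwise. */
int photoline_checks(uint32_t eax, uint32_t global_flag)
{
    /* 004DA98C: test eax, 00000FFF ; je 004DA99A
     * passes only if the low 12 bits are all zero */
    if (eax & 0x00000FFFu)
        return 0;

    /* 004DA99A: and eax, FFFFF000 ; cmp eax, 0007D000 ; je 004DA9AD
     * passes only if the high 20 bits equal 0007D000 */
    if ((eax & 0xFFFFF000u) != 0x0007D000u)
        return 0;

    /* 004DA9AD: mov eax,[0062A238] ; test eax,eax ; je 004DA9CD
     * passes only if the global is zero */
    if (global_flag != 0)
        return 0;

    return 1; /* 004DA9CD: mov ax, 0001 */
}

/* Count how many values in [lo, hi] satisfy the unpatched checks.
 * Used to show that the 7D000h..7DFFFh range the tutorial observes
 * contains a single accepted value. */
uint32_t count_accepted_in_range(uint32_t lo, uint32_t hi)
{
    uint32_t n = 0;
    for (uint32_t v = lo;; v++) {
        if (photoline_checks(v, 0))
            n++;
        if (v == hi)
            break;
    }
    return n;
}

int main(void)
{
    /* EAX values quoted from the tutorial's SoftICE dumps */
    printf("0007D000 -> %d\n", photoline_checks(0x0007D000u, 0));
    printf("0007D49D -> %d (512000 entered)\n", photoline_checks(0x0007D49Du, 0));
    printf("0007D364 -> %d (516095 entered)\n", photoline_checks(0x0007D364u, 0));
    printf("accepted in 7D000h..7DFFFh: %u\n",
           count_accepted_in_range(0x0007D000u, 0x0007DFFFu));
    return 0;
}
```

Both keygen outputs the tutorial captures (0007D49D, 0007D364) fail the first check because of their non-zero low bits; only 0007D000 itself passes, which is why the untouched code rejects every value in the 512000..516095 range even though the high bits already match.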
... hmm ... those 3 check routines above look very interesting to me ! ... this time I'd like to give you an alternative solution ( READ : Re-Coding ) for this prot scheme 'n I think this would be more fair (at least for me) rather than examining the keygen routine ... clear all breakpoints 'n set BPX at 004DA985 ... enter reg again with "512000" in the 1st entry 'n enter any number in the 2nd entry ...
Registration : [ 512000 ] [7171717]
.. [OK] ... #bOOm#
.. we land here :
004DA985 8B44240C     mov eax, [esp+0C]      ; EAX=0007D49D .. ? EAX: 513181 ..
... Interesting ?! .... NO ???? .... 7D000h - 7DFFFh = 512000 - 516095 ... enter reg again :
Registration : [ 516095 ] [7171717]
.. [OK] ... #bOOm#
.. we land here :
004DA985 8B44240C     mov eax, [esp+0C]      ; EAX=0007D364 .. ? EAX: 512868 ..
... Got it ?! ... YEAH, I can see it now !! ... as long as we enter a value from 512000 to 516095 in the first entry, the EAX register at 4DA985 will hold a value of the form 0007DXXX ... now let's continue executing the next code ...
004DA989 83C408       add esp, 00000008
004DA98C A9FF0F0000   test eax, 00000FFF     ; here type : A [Enter] .. now enter this instruction :
                                             ; TEST EAX,00000000 [Enter] then press the [ESC] key ...
                                             ; now any value in eax gives a zero result (sets the zero flag)
004DA991 7407         je 004DA99A            ; so we'll always jump to 004DA99A
004DA99A 2500F0FFFF   and eax, FFFFF000      ; and 0007D364, FFFFF000 ... EAX=0007D000
004DA99F 3D00D00700   cmp eax, 0007D000      ; cmp 0007D000,0007D000 ... sets the zero flag ...
004DA9A4 7407         je 004DA9AD            ; we'll always jump to 004DA9AD

004DA9AD A138A26200   mov eax, [0062A238]    ; here .. EAX=00000000
004DA9B2 85C0         test eax, eax          ; ands 00000000,00000000 ... sets the zero flag ...
004DA9B4 7417         je 004DA9CD            ; we jump to 004DA9CD

004DA9CD 66B80100     mov ax, 0001           ; good cracker routine
004DA9D1 83C408       add esp, 00000008      ; good cracker routine
004DA9D4 C3           ret

... heii ... it was registered ...
... Load up photoline.exe into your favorite Hex-Editor.
Search for the following bytes : A9FF0F0000
Replace with the following bytes : A900000000
... enter the reg screen with any value from 512000 to 516095 in the 1st entry... you can type any number in the 2nd entry or leave it blank.