CopyTo Ver 2.14 - Tutorial

"Well here we have a fundamental tutorial by Ordoc for 'real' newbies to reverse engineering. When you first start out, this type of code feeling or the 'reverse the conditional jump' game is accepted practice; in this instance you'll be lucky enough to register permanently a rather useful add-on. Challenge seekers may like to study this protection in more detail; newbies may well find some elementary SoftICE tips here". "Slightly edited by CrackZ".

http://www.ne.jp/asahi/cool/kish/ - Webpage.
cpto214.exe (346k).

Welcome to my first tutorial; it will be very brief :). This is another program ruined by a single JNE to JE. First off, let's run CopyTo, which you can do by double clicking it on your desktop (or in C:\windows\ if it's not on your desktop!). Go to Help and click "About...". Another box will pop up; click the "Register" button.

Hmm.. odd. It has a dialog box for just your name. Enter your name and click OK (Harlem for me). Next, a dialog box asking for your registration number pops up. Enter a dummy code (I use 272727). Now, before you click OK, Ctrl+D into SoftICE and set a breakpoint on hmemcpy (bpx hmemcpy). Click OK. Like magic you're back in SoftICE. You need to be in COPYTO!Code, are you? NO! (he he!). Hit F11 to return to the caller, then hit F12 (run until return) to step out of the system code until the code window shows COPYTO!Code. Now hit F10 through a few "rets" (returns) until you see this code:

:00466238 CALL 004660A4
:0046623D CMP DWORD PTR [EBP-10], 00000000 <-- [EBP-10] is the entered code (the same slot EDX is loaded from below); 0 means nothing was entered.
:00466241 JZ 0046632F <-- Nothing entered, jump_bad.
:00466247 MOV EDX, DWORD PTR [EBP-10] <-- Point EDX at code.
:0046624A MOV EAX, DWORD PTR [0046A8D0]
:0046624F CALL 0046601C <-- Call serial checking routine.
:00466254 TEST AL,AL <-- Sets ZF if AL (the routine's result) is 0.
:00466256 JNZ 0046626E <-- Jump if AL was not 0 (jump if good serial).

This is a VERY common protection sequence in shareware programs. So if you don't know what to do already, continue reading. Hit F10 until you highlight:

:00466256 JNZ 0046626E

If you look to the right of that line, SoftICE shows the words "No Jump", indicating which way the code is currently going to proceed. We want to fix this so it jumps to the good_guy registration. Type A and hit Enter. The prompt should look something like this:

xxxx:00466256

We want to change this so it jumps, so we need to "reverse" the JNZ. Type in:

JZ 0046626E

Hit Enter twice. Now the code should look like:

:00466256 JZ 0046626E

It should now say JUMP with a down arrow. Hit F10 to execute the jump. Now type "bc *" to clear your breakpoints in SoftICE. Hit Ctrl+D and, like magic... SURPRISE, it will say "Thank you for your registered." Maybe you aren't that surprised, but maybe you were!!! Congratulations on cracking CopyTo v2.14.

*Note* - You could have changed the JNZ to JMP, which would make it always jump, good serial or bad serial. Changing it to JZ makes it jump only if it's a bad serial :). You could also just have used "r fl z" to toggle the zero flag before the jump executes. All three are in-memory edits that disappear when CopyTo exits; since the registration information ends up in the registry (see the addendum below), one patched run is enough here. To patch the file itself you would change the opcode byte of the JNZ (75) to 74 for JZ or EB for JMP, leaving the displacement byte alone.
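What the SoftICE edit above actually does to the bytes, as an added example (Python, not CopyTo's or Ordoc's code): it builds the TEST AL,AL / JNZ pair from the listing's addresses using the standard x86 short-jump encodings, rewrites the JNZ to JZ or JMP, and emulates both versions for a "bad" (AL=0) and "good" (AL!=0) result. The byte string is constructed from the listing; the page gives no file offset for these bytes in cpto214.exe, so the file-patching helper assumes you locate the sequence yourself and nothing here is a real offset into that binary.

```python
# Added example (not CopyTo's code). Bytes are CONSTRUCTED from the listing's
# addresses and standard x86 encodings: TEST AL,AL = 84 C0, JNZ rel8 = 75 cb,
# JZ rel8 = 74 cb, JMP rel8 = EB cb. No real file offset in cpto214.exe is
# known from the page; patch_file() searches for the byte pattern instead.
from pathlib import Path

TEST_AL_AL = bytes([0x84, 0xC0])
JNZ_REL8, JZ_REL8, JMP_REL8 = 0x75, 0x74, 0xEB
OPCODES = {JNZ_REL8: "JNZ", JZ_REL8: "JZ", JMP_REL8: "JMP"}


def rel8(insn_va: int, target_va: int, insn_len: int = 2) -> int:
    """Displacement byte of a 2-byte short jump at insn_va landing on target_va.

    x86 relative jumps count from the end of the jump instruction, so
    00466256 -> 0046626E is 0046626E - 00466258 = 0x16.
    """
    disp = target_va - (insn_va + insn_len)
    if not -128 <= disp <= 127:
        raise ValueError("target not reachable with a short jump")
    return disp & 0xFF


def build_check(jnz_va: int = 0x00466256, good_va: int = 0x0046626E) -> bytes:
    """Constructed bytes for 'TEST AL,AL ; JNZ good_va' (listing 00466254/00466256)."""
    return TEST_AL_AL + bytes([JNZ_REL8, rel8(jnz_va, good_va)])


def find_check(code: bytes) -> int:
    """Offset of the first 'TEST AL,AL ; Jcc/JMP rel8' sequence in code, or -1."""
    i = code.find(TEST_AL_AL)
    while i != -1:
        if i + 3 < len(code) and code[i + 2] in OPCODES:
            return i
        i = code.find(TEST_AL_AL, i + 1)
    return -1


def patch_jump(code: bytes, mode: str = "jz") -> bytes:
    """Return a copy of code with the JNZ after TEST AL,AL turned into JZ or JMP.

    Only the opcode byte changes; the displacement byte (0x16 here) is kept,
    exactly as typing 'A' then 'JZ 0046626E' in SoftICE does in memory.
    """
    idx = find_check(code)
    if idx < 0:
        raise ValueError("TEST AL,AL ; Jcc rel8 pattern not found")
    if code[idx + 2] != JNZ_REL8:
        raise ValueError("jump already patched (found %s)" % OPCODES[code[idx + 2]])
    new_op = {"jz": JZ_REL8, "jmp": JMP_REL8}[mode]
    buf = bytearray(code)
    buf[idx + 2] = new_op
    return bytes(buf)


def takes_jump(code: bytes, al: int) -> bool:
    """Emulate 'TEST AL,AL ; <jump>' for a given AL (0 = bad serial, else good)."""
    idx = find_check(code)
    if idx < 0:
        raise ValueError("pattern not found")
    zf = (al & 0xFF) == 0            # TEST AL,AL: ZF set iff AL == 0
    op = code[idx + 2]
    return {JNZ_REL8: not zf, JZ_REL8: zf, JMP_REL8: True}[op]


def patch_file(path: str, mode: str = "jz") -> int:
    """Patch the first matching sequence in a file in place (keeps a .bak copy).

    Hypothetical helper: returns the file offset it patched. Before using it on a
    real binary, confirm with a disassembler that the first match is the check
    you mean, since 84 C0 75 is a common byte sequence.
    """
    p = Path(path)
    data = p.read_bytes()
    idx = find_check(data)
    p.with_suffix(p.suffix + ".bak").write_bytes(data)
    p.write_bytes(patch_jump(data, mode))
    return idx
```

With the original bytes, AL=0 falls through to the bad path and AL=1 jumps; after the JZ patch the outcomes swap, and after the JMP patch both values jump, which is exactly the behaviour the note describes.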

Look for more tutorials from Harlem soon.

Protection addendum - by CrackZ

As we've seen, this protection depends on the value of AL (CALL 0046601C is required to return AL non-zero). I can't stress enough that when you decide to trace calls, always be clear on what return result you're looking for. The first check is a simple length check for 8, so enter an 8-character code before you trace; the real checking is done beneath CALL 004036C4, but the protection itself dwells beneath CALL 0043CDDC, with an uppercasing routine just before it. It's really not a bad scheme: essentially each digit is used in a mathematical loop to generate 8 word-length results, and the registration information finds its way into the registry.

You have finished reading another tutorial courtesy of CrackZ's Reverse Engineering Page.
© 1998 Hosted by CrackZ. Ordoc 31st December 1998.