Teleport Pro v1.29 - Tutorial

http://www.teleport.com - Webpage.

"I really like this fundamental essay for newer reversers who are still learning how to "keygen" programs; the included ASM source is a nice bonus. A worthy essay by PaRKER, and besides, Teleport Pro is rather a useful program for all you web site addicts. Slightly edited by CrackZ."

Firstly I'd like to thank tKC, Flu[X] and many others: I have learned how to crack, and I'd like to share the few things I know now with others. So let's start this first tutorial with a small piece of shareware, Teleport Pro, which is a rather useful web site grabber. To crack this shareware, you'll need SoftICE and an assembler / compiler to make the key generator (easier in assembler).

First of all, if it's your first use of SoftICE, you'll need to edit your winice.dat file. Remove the ";" before the lines where you see kernel32.dll, gdi32.dll and user32.dll, then restart your computer. OK, now you are ready. Launch Teleport Pro. In the Help menu, you'll see the "Register" choice. An input box will appear, and in the bottom left corner there are three text fields: Name, Organization and Serial.

Hmm, let's see what happens. Name: PaRKeR, Organization: (empty), Serial: 12345. OK. Not Registered. Let's reverse engineer this monster (CrackZ - "monster?" *smile*). Ctrl-D brings you to the SoftICE window. Let's set up the display first: "lines 43" gives you more screen lines, "wr" opens the registers window, "wd" opens the data window. Now we add the breakpoints: to read the text from the input fields, programs usually call GetWindowTextA, GetDlgItemTextA or GetDlgItemInt. Try "bpx getwindowtexta" and "bpx getdlgitemtexta" first.

Ctrl+D and you are back in the Register window. Press OK. You are returned to SoftICE because of the break on GetWindowTextA. Let's think a bit: three text fields, so it would be logical to get three breaks. Get out of the call by pressing F11. Press F11 again to continue. Another break. F11, F11, last break, F11. If you press F11 one more time, you'll drop out of SoftICE because there are no more breaks.

So let's trace with F10 now; it steps over calls. Press F10 again and again until you reach the following lines:

:004246CD XOR EBX,EBX <-- Clear EBX.
:004246CF PUSH 0A
:004246D1 PUSH EBI
:004246D2 PUSH PTR [ESI+000000DD] <-- Push parameters.
:004246D8 CALL 0042A960

Just after the call, you'll see that the register EAX has changed. Now EAX=00003039, and 3039 hex is 12345 decimal. We've located our input code. Let's continue:

:004246DD MOV EBP,EAX <--- The code is now in EBP.
:004246DF MOV EAX,[00484C5C]
:004246E4 ADD ESP,0C
:004246E7 CMP [EAX+0000029F],BL
:004246ED JZ 0042482A
:004246F3 CMP EBP,EBX <--- Interesting compare.
:004246F5 MOV EDI,00429AD4
:004246FA JZ 00424755

Hmm, EBP (our code) is compared here with EBX, but EBX=0, and our code isn't zero: not the right code. Let's trace on:

:004246FC PUSH DWORD PTR [ESI+000000D5]
:00424702 CALL 00424FAF <--- Interesting function call.
:00424707 CMP EBP,EAX <--- Hmmm, interesting compare again.
:00424709 POP ECX <-- ECX from the stack.
:0042470A JNZ 0042471B <-- Deciding jump.

Now EBP is compared with EAX. Type "? eax" and SoftICE will show you the value as an ASCII string, in hex and in decimal. We'll write it down. Disable the breakpoints by typing "bd *" and press Ctrl+D. Enter 1944573845 (the number I got in EAX) as the new serial #, and now I'm Registered. That rocks! Close Teleport Pro.

Well, we'll have to check the key generation routine now. First, unregister the shareware (something you MUST do if you don't own a license) ("agreed" - CrackZ): launch Regedit.exe and remove the HKEY_CURRENT_USER/Software/Tennyson Maxwell key. Close Regedit and head back to an unregistered Teleport Pro.

Open the Register window and enable the breakpoints by typing "be *" in SoftICE. Have another look at the piece of code above; think about it for a while and it becomes clear that the key is generated by the call at 00424FAF and returned in EAX. Press OK and wait for the break. Clear all breakpoints by typing "bc *". Now add a new breakpoint by typing "bpx 424702": that is the address of the key generation call. Press F11. Now we are at the right address. Step into the call by pressing F8, and keep pressing F8 until you reach:

:00424FCE MOV ESI,5DFEE4A4 <--- I think this is important.
:00424FD3 XOR EBX,EBX <--- EBX will be the number of the char considered.
:00424FD5 TEST EDI,EDI <--- Is name entered in EDI empty ?.
:00424FD7 JZ 00424FE2 <--- Bye, bye.
:00424FD9 PUSH EDI
:00424FDA CALL 0042A020 <--- Step over this call.
:00424FDF POP ECX
:00424FE0 JMP 00424FE4 <-- Good_guy.
:00424FE2 XOR EAX,EAX <-- Bad_guy.
:00424FE4 ADD EAX,-4 <--- Length-4.
:00424FE7 CMP EBX,EAX <--- Have we reached Length-4?.
:00424FE9 JAE 00424FF7 <--- If yes, let's go out.
:00424FEB XOR ESI,[EDI+EBX] <--- If not, let's XOR ESI with a strange number.

(the "strange number" is the 4 bytes of the name starting at character EBX, loaded as one DWORD, so the byte order appears reversed).

:00424FEE TEST BL,40
:00424FF1 JZ 00424FF4
:00424FF3 INC EBX
:00424FF4 INC EBX <--- Next char.
:00424FF5 JMP 00424FD5 <--- And we loop.
:00424FF7 MOV EAX,ESI <--- And we finally have it.

I would advise you to code the key generator yourself as an exercise. I chose TASM to make mine (source code attached). ASM is easier IMHO because you just have to copy some of the code and adapt it to your own needs. Just a hint, in case you didn't spot it: just before the piece of code above, Teleport Pro checks that the length of your name is greater than or equal to 5.

I hope you had fun with the tutorial, and I'll be back soon for other adventures. Special thanks go to tKC and CrackZ.

Teleport Pro v1.29 ASM Key Generator

Mail comments, suggestions to parker__@caramail.com


© 1998 Hosted By CrackZ. PaRKeR 14th December.