March 1999
"Reflexz Crackme v2.0"
DOS PROGRAM 
Dos Code Reversing
 Essay No. 1
by  [KSC]
 
 
Code Reversing For Beginners 
Program Details 
Program Name: Crackm20.exe 
Program Type: Crackme Program 
Program Location: Here 
Program Size: 23.3 K 
 
 
Tools Used: 
Softice 3.24 - Debugger 
Rating
Easy ( X )  Medium (   )  Hard (    )  Pro (    )
There is a crack, a crack in everything. That's how the light gets in.

How to crack Reflexz Crackme v2.0

Written by [KSC]

 
Introduction
 

Since this is my first essay, please forgive my writing.

 
About this protection system
 

When you run the program, you need to enter 9 numbers or letters. If the serial you enter is right, it shows "WOW!YOU DID IT!!!"; otherwise it shows "Come again when you got CORRECT ONE!!!CYA!".

So the serial is hardcoded.


 
 
The Essay
 
Let's start...

 
Run the program, type in any serial, but don't press ENTER.

Hit CTRL-D to enter Softice. Let's say I typed in "KSC" for the serial; then I type in: S DS:0 LFFF 'KSC'

Softice returns "Pattern found at xxxx:xxxxxxxx", doesn't it? If not, exit Softice, re-enter it and type the command again until it returns the address.

Set a breakpoint there: type in " bpm xxxx:xxxxxxxx " (the address Softice returned), then hit CTRL-D to leave Softice. Press ENTER. Softice now breaks on that address, right?

You can now see the code below in Softice:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0001.5372(C)
|
:0001.5376  0AC9      or cl, cl
:0001.5378  7406      je 5380
:0001.537A  32ED      xor ch, ch
:0001.537C  F3        repz
:0001.537D  A6        cmpsb
:0001.537E  7502      jne 5382          ;We land here
                                        ;This jump will take us to the error message

So, let's take a bigger look at the code:

:0001.535C  FC          cld
:0001.535D  8BDC        mov bx, sp
:0001.535F  8CDA        mov dx, ds
:0001.5361  36C57708    lds si, ss:[bx+08]    ;load our fake serial into DS:SI
:0001.5365  36C47F04    les di, ss:[bx+04]    ;load the real serial into ES:DI
:0001.5369  AC          lodsb                 ;load the length of the fake serial into AL
:0001.536A  268A25      mov ah, es:[di]       ;load the length of the real serial into AH
:0001.536D  47          inc di
:0001.536E  8AC8        mov cl, al
:0001.5370  3ACC        cmp cl, ah
:0001.5372  7602        jbe 5376
:0001.5374  8ACC        mov cl, ah            ;CL now holds the shorter of the two lengths

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0001.5372(C)
|
:0001.5376  0AC9        or cl, cl
:0001.5378  7406        je 5380
:0001.537A  32ED        xor ch, ch
:0001.537C  F3          repz
:0001.537D  A6          cmpsb                 ;compare the real serial and the fake one
:0001.537E  7502        jne 5382              ;if not equal, jump to the error message

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0001.5378(C)
|
:0001.5380  3AC4        cmp al, ah            ;compare the length of the real serial and the fake one

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0001.537E(C)
|
:0001.5382  8EDA        mov ds, dx
:0001.5384  CA0800      retf 0008

If AH and AL are not equal at 0001.5380, the caller will also jump to the error message after this call returns.
We can set a breakpoint at 0001.537C.
When Softice breaks there, use +ORC's method: dump the memory at ES:DI, and it will show you what the real serial is.

It is JA735AEWD
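As an added example (not part of the original essay), here is a C model of the compare routine at 0001.535C-5384 above: both serials are treated as length-prefixed Pascal strings, which is the layout inferred from the lodsb / es:[di] length loads, and the helper names make_pstring, serial_compare and check_serial are my own.

```c
#include <stdint.h>
#include <string.h>

/* Pascal-style short string: a length byte followed by the characters,
   the layout the routine walks with lodsb / mov ah, es:[di]. */
typedef struct {
    uint8_t len;
    uint8_t data[255];
} pstring;

/* Constructed helper: build a pstring from a C string (truncates at 255). */
pstring make_pstring(const char *s) {
    pstring p;
    size_t n = strlen(s);
    if (n > 255) n = 255;
    p.len = (uint8_t)n;
    memcpy(p.data, s, n);
    return p;
}

/* Model of 0001.535C..5384. Returns 1 when the zero flag would be set on
   retf (serials equal), 0 when the caller would jump to the error message. */
int serial_compare(const pstring *fake, const pstring *real) {
    uint8_t al = fake->len;                /* lodsb: length of the fake serial */
    uint8_t ah = real->len;                /* mov ah, es:[di]: length of the real one */
    uint8_t cl = (al <= ah) ? al : ah;     /* cmp cl,ah / jbe / mov cl,ah: shorter length */
    if (cl != 0) {                         /* or cl,cl / je 5380: skip the loop if 0 */
        for (uint8_t i = 0; i < cl; i++)   /* repz cmpsb: stops at the first mismatch */
            if (fake->data[i] != real->data[i])
                return 0;                  /* jne 5382: retf with ZF clear */
    }
    return al == ah;                       /* cmp al, ah: equal only if lengths match too */
}

/* The crackme's check: the typed serial against the plaintext hardcoded one
   (the serial is the one the essay found; being hardcoded, it sits in the .exe). */
int check_serial(const char *typed) {
    pstring fake = make_pstring(typed);
    pstring real = make_pstring("JA735AEWD");
    return serial_compare(&fake, &real);
}
```

Note that a matching prefix with a different length still fails, because the length compare at 0001.5380 runs only after repz cmpsb found no mismatch.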

Final Notes
 
 
Actually, if we only want to get the serial, we don't need to do so many things. We can simply use
any file editor (like MS-DOS Editor) to open the program file, and we will find the real serial JA735AEWD.
However, as a cracker, we must understand how the program checks the serial, not only get the serial.
 

 

Many thanks to :

The Sandman - for providing so many tutorials for newbies (like me).
            - for providing a place (his cracking forums) for newbies to ask questions about cracking.

The Iczelion - for providing so many tools for newbies.
             - for providing Win32 Assembly Language information for me.

 

Ob Duh
Do I really have to remind you all that buying and NOT stealing the software you use will encourage these software houses to produce even *better* software for us to use and enjoy?

Ripping off software through serials and cracks is for lamers.

If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.
 


Essay by: [KSC]
Page Created: 1st March 1999