Tutorial Number 25
Written by Eternal Bliss
Email: Eternal_Bliss@hotmail.com
Website: http://crackmes.cjb.net
         http://surf.to/crackmes
Date written: 11th Jun 1999

Program Details:
Name: Cyber-Info WebMail Notify version 2.6
URL: http://www.cyber-info.com

Tools Used:
SoftIce
Hexeditor

Cracking Method:
Serial Sniffing
Code analysis

Viewing Method:
Use Notepad with Word Wrap switched on
Screen Area set to 800 X 600 pixels (Optional)

__________________________________________________________________________

About this protection system

This program requires a Name/Serial to register. Before registration, the number of times you have used the program is written to hotreg2.set in the Windows system directory. Upon successful registration, the Name and Serial are also written to the same file.

_________________________________________________________________________

About this tutorial

Since this is my 25th tutorial, I will presume that you have read the previous ones. So, my description of how to use the tools will be reduced unless there are new methods.

_________________________________________________________________________

Softice

First, run the program. Get to the registration box. Type in any Name you want and any serial.

Set the hmemcpy breakpoint in Softice by typing "bpx hmemcpy". Exit Softice. Click on the OK button to register. Softice will pop up. Disable the breakpoint by typing "bd *".

Now, keep pressing F12 until you get to the program's code and not Windows'. Once you are at the program's code, just trace using F10 to avoid going into any calls. Whenever you see a mov or lea instruction, type "d" and the register which is involved.

Eg. mov eax, dword ptr [0052AAC8]
You will type "d eax" after stepping past the line using F10.

At a certain point, you will come to this piece of code...

NOTE: Location shown here might not be the same as yours...
:004D7118 E817730000   call 004DE434        << calculates the serial
:004D711D 8B55F4       mov edx, [ebp-0C]    << edx = correct serial
:004D7120 58           pop eax              << eax = what you entered
:004D7121 E87EC9F2FF   call 00403AA4        << compares the two
:004D7126 0F94C0       sete al
:004D7129 84C0         test al, al
:004D712B 0F84A5000000 je 004D71D6          << jump to wrong message

I've commented on the above piece of code... The compare routine leaves the zero flag set when the two strings are equal, sete al turns that into a 1 in al, test al, al clears the zero flag again if al is 1, so the je is only taken when the serials do NOT match.

If your aim is to leech and not to learn reversing, this is where you stop. Just type "d edx" after :004D711D and you will see the correct serial. If you want to learn something more, carry on...

Glad you are still here. 8)

Well, let's take a look at the "wrong message". This is where you will go if you enter the wrong serial:

NOTE: Location shown here might not be the same as yours...

:004D71D6 833DC8AA520003       cmp dword ptr [0052AAC8], 00000003
:004D71DD 7521                 jne 004D7200
:004D71DF 6A00                 push 00000000
:004D71E1 668B0D5C724D00       mov cx, word ptr [004D725C]
:004D71E8 B201                 mov dl, 01

* Possible StringData Ref from Code Obj ->"Registration failed"
                                  |
:004D71EA B814734D00           mov eax, 004D7314
:004D71EF E86CDCF5FF           call 00434E60
:004D71F4 C7832801000002000000 mov dword ptr [ebx+00000128], 00000002
:004D71FE EB20                 jmp 004D7220

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D71DD(C)
|
:004D7200 6A00                 push 00000000
:004D7202 668B0D5C724D00       mov cx, word ptr [004D725C]
:004D7209 B201                 mov dl, 01

* Possible StringData Ref from Code Obj ->"Invalid name and/or password"
                                  |
:004D720B B830734D00           mov eax, 004D7330
:004D7210 E84BDCF5FF           call 00434E60
:004D7215 8B83B8010000         mov eax, dword ptr [ebx+000001B8]
:004D721B 8B10                 mov edx, dword ptr [eax]
:004D721D FF5278               call [edx+78]

If you trace this piece in Softice, you will see that at :004D71EA, eax contains the address 004D7314, which points to the "Registration failed" text that you will see in a messagebox. The line :004D71D6 compares the number of tries you have made during registration.
If it is your 3rd error, the program will open up a browser and take you to register online. If you look at :004D720B, it looks similar to :004D71EA, and you will get a messagebox saying "Invalid name and/or password".

Fine... why am I going through all that?? What is there to learn?

Well, what if we could "make" the program tell us the correct serial for a Name in the messagebox instead of that stupid message? Wouldn't it be nice? 8)

If you look back at the previous piece of code, you will see that mov edx, [ebp-0C] "moves" the correct serial into edx. Suppose we "move" the same thing into eax at :004D71EA and :004D720B. Will we get the correct serial shown to us? Let's try.

In Softice, when you are at the program's code, type this:

"a 004D71EA"

This makes Softice let us change the code in real time...

** Before doing this, make sure you know how many bytes are required.

Type in mov eax, [ebp-0C] and press Enter. This assembles to 8B45F4. But we need to replace 5 bytes (B814734D00) and we have only 3 bytes now... So, type in NOP and press Enter, and do it again. Then press "Esc" to return to the instructions. You will notice that the code has now changed.

** NOP is 1 byte (90), therefore you must enter 2 NOPs. If you enter too few, the leftover bytes of the old instruction get executed as garbage; if you enter too many, you overwrite the start of the next instruction (the call 00434E60).

Do the same for :004D720B.

This works because the je at :004D712B is a plain conditional jump: ebp is not touched, so [ebp-0C] still refers to the same stack slot, the one holding the correct serial, when the message routine is called.

Summary:
"a 004D71EA" or "a 4D720B"  << allows you to change the code in place
"mov eax, [ebp-0C]"         << move the correct serial into eax
"nop"                       << to fill up remaining byte
"nop"                       << to fill up remaining byte
Press "Esc"

To permanently replace the bytes mentioned, search for the required bytes:

1) B814734D00
2) B830734D00

There is only one occurrence of each of these byte combinations in the file... So, just use a hexeditor, search for each one and replace it with the bytes you got in Softice when you did the "a" thing (8B45F49090). Search for the bytes rather than jumping to the address, because the addresses Softice shows are virtual addresses in memory, not offsets in the file.

Program cracked!! And you have "made" yourself a keygen... 8P

__________________________________________________________________________

Final Notes

This tutorial is dedicated to all the newbies like me.
And because I'm a newbie myself, I may have explained certain things wrongly. So, if that is the case, please forgive me. Email me if there is anything you are not clear about.

My thanks and gratitude go to:

All the writers of cracking tutorials and CrackMes, and also to all the crackers who have been supporting my site and project forum.
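As an appendix, here is the patch from the Softice and hexeditor steps above done as a script. This is an added example, not part of the original tutorial and not the author's tool: it encodes the instructions the tutorial quotes (so you can see where B814734D00 and 8B45F4 come from), pads the replacement with NOPs to exactly the original length, and refuses to patch unless each byte pattern is found exactly once in the file. The SAMPLE bytes are a constructed stand-in built from the listing, not the real executable; the function names are my own.

```python
"""Added example (not from the original tutorial): reproduce the two
instruction patches from the Softice/hexeditor steps as a byte-pattern
patcher with the checks a practitioner would apply.

Assumption (not stated on the page): the target is read fully into
memory as bytes; SAMPLE below is a constructed stand-in, not a real file.
"""
import struct

NOP = b"\x90"


def mov_eax_imm32(addr: int) -> bytes:
    """Encode `mov eax, imm32`: opcode B8 followed by the 32-bit immediate
    in little-endian order. mov eax, 004D7314 -> B8 14 73 4D 00, which is
    why the tutorial's search pattern is the address byte-reversed."""
    return b"\xB8" + struct.pack("<I", addr)


def mov_eax_ebp_disp8(disp: int) -> bytes:
    """Encode `mov eax, [ebp+disp8]`: 8B 45 followed by a signed byte.
    [ebp-0C] -> 8B 45 F4 because -12 as a signed byte is 0xF4."""
    return b"\x8B\x45" + struct.pack("<b", disp)


def patch_instruction(original: bytes, replacement: bytes) -> bytes:
    """Pad the replacement with NOPs to exactly the original's length so
    the following instruction (the call 00434E60) is left intact."""
    if len(replacement) > len(original):
        raise ValueError("replacement is longer than the instruction it overwrites")
    return replacement + NOP * (len(original) - len(replacement))


def find_unique(data: bytes, pattern: bytes) -> int:
    """Return the file offset of `pattern`, insisting it occurs exactly once.
    Searching the bytes (rather than using the Softice address) sidesteps
    the virtual-address vs file-offset difference; the uniqueness check
    stops us patching an unrelated instruction that happens to match."""
    first = data.find(pattern)
    if first < 0:
        raise ValueError(f"pattern {pattern.hex()} not found")
    if data.find(pattern, first + 1) >= 0:
        raise ValueError(f"pattern {pattern.hex()} is not unique; refusing to guess")
    return first


def apply_patches(data: bytes,
                  string_addrs=(0x004D7314, 0x004D7330),
                  serial_slot=-0x0C) -> bytes:
    """Replace each `mov eax, <message address>` with
    `mov eax, [ebp-0C]; nop; nop` so the message box shows the serial."""
    new = mov_eax_ebp_disp8(serial_slot)
    out = bytearray(data)
    for addr in string_addrs:
        old = mov_eax_imm32(addr)
        off = find_unique(bytes(out), old)
        out[off:off + len(old)] = patch_instruction(old, new)
    return bytes(out)


# Constructed stand-in for the two message-box call sites in the listing
# (push 0 / mov cx,... / mov dl,1 / mov eax,<msg> / call 00434E60), padded
# with filler. It is NOT the real program file.
SAMPLE = (
    b"MZ" + b"\x00" * 14
    + bytes.fromhex("6A00668B0D5C724D00B201")
    + mov_eax_imm32(0x004D7314)          # B8 14 73 4D 00
    + bytes.fromhex("E86CDCF5FF")        # call 00434E60
    + b"\x00" * 8
    + bytes.fromhex("6A00668B0D5C724D00B201")
    + mov_eax_imm32(0x004D7330)          # B8 30 73 4D 00
    + bytes.fromhex("E84BDCF5FF")        # call 00434E60
)


if __name__ == "__main__":
    patched = apply_patches(SAMPLE)
    assert len(patched) == len(SAMPLE)  # in-place patch never changes size
    for addr in (0x004D7314, 0x004D7330):
        off = find_unique(SAMPLE, mov_eax_imm32(addr))
        print(f"offset {off:#06x}: {SAMPLE[off:off + 5].hex()} "
              f"-> {patched[off:off + 5].hex()}")
```

To use it on the real file you would read the executable into `data`, call `apply_patches`, and write the result to a copy; keep the original, since a non-unique pattern raises instead of patching and you want something to fall back on.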