May 1998
"Win Rescue V7.04"
( Reading the signs  )
Win '95 PROGRAM
Win Code Reversing
 
 
by The Sandman 
 
 
Code Reversing For Beginners 
 
 
 
Program Details
Program Name: Wrescu.zip
Program Type: Win'95 Utility
Program Location: Here or  Here
Program Size: 720K 
 
   
Tools Used:
Softice 3.2 - Debugger
W32Dasm V8.9 - Disassembler
 
Rating
Easy ( X )  Medium (   )  Hard (    )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
 
  
 
Win Rescue 95 V7.01
( Reading the clues  )
Written by The Sandman
 
 
 
Introduction
 
The author(s) of this utility can be found at:  http://superwin.com/rescue
 
The author says:

"+Backs up Thirteen different files, the Start Menu, the Desktop, Favorites, and Recent items, plus any additional files that you specify.
+Backs up and Restores only the files that you specify.
+Provides FIVE different ways to restore the Registry.
+Streamlines and Fixes the Registry.
+Specify Location of WinRescue Backups.
+DOS version of WinRescue 95 for Emergency Recovery.
+Makes a Special Bootup Diskette.
+Makes UNLIMITED backups or limit the number to 1, 3, 5, or 10.
+Backs up to and restores from multiple diskettes.
+Compresses backups into PKZip files."
      
About this protection system
 
Registration is via the nag screen that shows each time you run the program.
Here you will be asked to enter:-

Registration  Code :
 
        
The Essay 
     
Notice that you're only asked to enter one item of information into the program and nothing else? This should tell you straight away that the program expects just one registration code, and that the protection system employed within this program will more than likely consist of simply comparing its own registration key against the code entered by you.
 
So registration in this case is by handing over $25.95, and the author will email you the 'registration key' by return post. Yes, we can make these assumptions because, if you think about it, if the author gave every registered owner a different serial number then the program HAS to also know of these 'registration keys' in order to recognize them; however, it's much easier to have just one registration key, which saves a little downloading time and saves the User a few extra bytes on his hard disk.
 
So which point of attack shall we choose? We could try setting a few breakpoints with Softice on system functions such as MessageBoxA etc., but where in the target program's code do we go next? No, let's get a dead listing of this babe using W32Dasm and see if we can gather some more clues from the Author before we make our mind up on the best attack method.
 
Right, I assume you've now created a dead listing of this program, so let's check out its String Data Resources, as these tell you a lot about the workings of a program.
 
Did you make notes on what you found in here? Find anything interesting? Did your notes contain this string reference "msR3I8aUi9y2E84L" ?
 
A lot of programs will contain similar 'garbage' looking text strings, sometimes leftovers from when the program was developed, but as *crackers* we must start to check everything we find very carefully, else we will miss the clues that point to how we can best crack the program. Remember, we're supposed to be *crackers*, so if a program is going to use a single registration key, how can the programmer protect it? What are the basic principles of choosing a Registration key?
 
1. Make the registration key quite long; this should make random guesses by the User very hard.
 
2. Make the registration key out of 'random' letters and numbers; the more 'garbage' looking it is, the easier it is to hide in the program itself, which in itself 'looks' unintelligible under a hex editor.
 
3. Use a simple XOR encryption on the registration key. While this is possibly one of the simplest encryption methods you can use, it does have the benefit of 'hiding' the registration key even from utilities such as W32Dasm. In that case you would have to examine the code until you recognized the encryption routine, and it's a *relatively* simple process thereafter to work out the registration key. This would at least prevent anyone from casually examining the code and 'spotting' the registration key.
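Point 3 above is worth seeing in code, because it shows both what the XOR buys and what it does not. The C below is an added example, not code from this essay or from WinRescue; SAMPLE_KEY and XOR_MASK are constructed values standing in for a developer's single registration key and the byte it is XORed with. It contrasts the view a string dump gives (the plaintext key found or not found as a run of bytes) with the decode-and-compare step the program must still carry, which is where a reader who follows the code rather than the strings recovers the key.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not WinRescue code. SAMPLE_KEY and XOR_MASK are
 * constructed values: a developer's single registration key and the
 * byte it is XORed with before being compiled into the program. */
#define SAMPLE_KEY "Qz7mK2pL9vT4wB1x"
#define KEY_LEN    (sizeof(SAMPLE_KEY) - 1)
#define XOR_MASK   0x5A

/* What the developer ships instead of the plaintext: every key byte
   XORed with the mask. Writes KEY_LEN bytes into out and returns that
   count, or 0 if the buffer is too small. */
size_t hide_key(unsigned char *out, size_t out_len)
{
    if (out_len < KEY_LEN)
        return 0;
    for (size_t i = 0; i < KEY_LEN; i++)
        out[i] = (unsigned char)SAMPLE_KEY[i] ^ XOR_MASK;
    return KEY_LEN;
}

/* A static copy of the hidden bytes, standing in for the place they
   would occupy in the shipped image. */
const unsigned char *hidden_image(void)
{
    static unsigned char img[KEY_LEN];
    hide_key(img, sizeof img);
    return img;
}

/* What a string-dump view (W32Dasm's String Data Resources, `strings`)
   amounts to: does the plaintext key appear as a contiguous run of
   bytes anywhere in the image? Returns 1 if it does, 0 otherwise. */
int plaintext_key_visible(const unsigned char *image, size_t image_len)
{
    for (size_t i = 0; i + KEY_LEN <= image_len; i++)
        if (memcmp(image + i, SAMPLE_KEY, KEY_LEN) == 0)
            return 1;
    return 0;
}

/* The check the program still has to perform at run time: undo the XOR
   byte by byte and compare with what the user typed. Returns 1 on a
   match, 0 otherwise. The mask and this loop sit in the same binary as
   the hidden bytes, which is why the XOR only hides the key from a
   string listing, not from someone reading the routine. */
int code_matches_hidden_key(const unsigned char *hidden, size_t hidden_len,
                            const char *entered)
{
    if (hidden_len != KEY_LEN || strlen(entered) != KEY_LEN)
        return 0;
    for (size_t i = 0; i < KEY_LEN; i++)
        if ((unsigned char)entered[i] != (unsigned char)(hidden[i] ^ XOR_MASK))
            return 0;
    return 1;
}
```

Run against the plaintext, plaintext_key_visible() reports a hit; run against hidden_image() it reports nothing, which is the whole effect of the XOR. code_matches_hidden_key() still accepts the one true key, so the secret has not left the binary, it has only moved from the data section into the data plus the routine that decodes it.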

Let's go back to that suspicious looking string; here it is again: "msR3I8aUi9y2E84L"
 
What's the best way in W32Dasm to check this string out, to see if it's important to us and if it can help us in any way to crack this program?
 
Your first job is to locate where in the program this string is used.
 
I found it here.
 
* Possible StringData Ref from Code Obj ->
                                  |
:0046CABF B8ECCB4600              mov eax, 0046CBEC ;="msR3I8aUi9y2E84L"
:0046CAC4 E80775F9FF              call 00403FD0
:0046CAC9 85C0                    test eax, eax
:0046CACB 7472                    je 0046CB3F
 
So far so good; from the surrounding code it looks as though we're in the program's protection system, and if we 'follow' where that je 0046CB3F instruction goes we will see it sends us to the 'Beggar off cracker' routine. Mmm, very interesting.
 
We're not finished yet; we want to understand what happens to this string, for all we know this string could be used as the basis for some other routine that would then use it to calculate the final registration key.
 
:00403FD0 85C0                    test eax, eax ;Does our Serial number
                                                ;equal "msR3I8aUi9y2E84L"

:00403FD2 7440                    je 00404014   ;if yes then exit routine

:00403FD4 85D2                    test edx, edx
:00403FD6 7431                    je 00404009
:00403FD8 53                      push ebx
:00403FD9 56                      push esi
:00403FDA 57                      push edi
:00403FDB 89C6                    mov esi, eax
:00403FDD 89D7                    mov edi, edx
:00403FDF 8B4FFC                  mov ecx, dword ptr [edi-04]
:00403FE2 57                      push edi
:00403FE3 8B56FC                  mov edx, dword ptr [esi-04]
:00403FE6 4A                      dec edx
:00403FE7 781B                    js 00404004
:00403FE9 8A06                    mov al, byte ptr [esi]
:00403FEB 46                      inc esi
:00403FEC 29D1                    sub ecx, edx
:00403FEE 7E14                    jle 00404004

* Referenced by a (C)onditional Jump at Address: :00404002
|
:00403FF0 F2                      repnz
:00403FF1 AE                      scasb
:00403FF2 7510                    jne 00404004
:00403FF4 89CB                    mov ebx, ecx
:00403FF6 56                      push esi
:00403FF7 57                      push edi
:00403FF8 89D1                    mov ecx, edx
:00403FFA F3                      repz
:00403FFB A6                      cmpsb
:00403FFC 5F                      pop edi
:00403FFD 5E                      pop esi
:00403FFE 740C                    je 0040400C
:00404000 89D9                    mov ecx, ebx
:00404002 EBEC                    jmp 00403FF0

* Referenced by a (C)onditional Jump at Addresses:
:00403FE7(C), :00403FEE(C), :00403FF2(C)
 
:00404004 5A                      pop edx
:00404005 31C0                    xor eax, eax
:00404007 EB08                    jmp 00404011

* Referenced (C)onditional Jump at Address: :00403FD6(C)
 
:00404009 31C0                    xor eax, eax
:0040400B C3                      ret
 
* Referenced by a (C)onditional Jump at Address: :00403FFE(C)
 
:0040400C 5A                      pop edx
:0040400D 89F8                    mov eax, edi
:0040400F 29D0                    sub eax, edx

* Referenced by a (C)onditional Jump at Address:00404007(U)
 
:00404011 5F                      pop edi
:00404012 5E                      pop esi
:00404013 5B                      pop ebx

* Referenced by a (C)onditional Jump at Address :00403FD2(C)
 
:00404014 C3                      ret ;Returns with register eax holding
                                      ;our serial key.

Notice that the above routine tests for our special "msR3I8aUi9y2E84L" registration key first, before doing anything else, and if its presence is found it will exit this routine without doing any form of processing on this string.

This suggests that this 'special' string is what the programmer used while testing his protection system, which would also explain why no User Name is calculated from this string when the About Box is shown, where it will show who this software is Registered to.
 
So we can now make an educated guess that our Username is turned into a serial number, and that the above routine starting at memory location :00403FD0 converts the serial number that you enter back into your UserName.
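Before settling on any reading of the routine at :00403FD0, it pays to trace the listing instruction by instruction, which is the habit this essay is trying to teach. Taken literally, the first test only checks that eax is a non-nil pointer; the routine then reads a 32-bit length from [pointer-4] for both arguments (the Borland/Delphi long-string layout), uses repnz scasb to hunt for the first byte of the eax string inside the edx string, and repz cmpsb to check the remaining bytes, returning in eax the 1-based position of the match or 0 if there is none. That is the shape of a substring search, and the caller at :0046CABF passes the fixed string in eax; the listing does not show where edx is loaded, so treating it as the code typed into the dialog is an assumption. The C below is an added example, not code from this essay or from WinRescue, and mirrors the listing's control flow on ordinary C strings so the value tested by the "test eax, eax / je" at :0046CAC9 can be reproduced.

```c
#include <stddef.h>
#include <string.h>

/* Added example: a C rendering of the routine at 00403FD0 as it reads in
 * the listing. pattern stands for the string passed in eax (at 0046CABF
 * the fixed "msR3I8aUi9y2E84L"); text stands for the string in edx
 * (assumed, not shown in the listing, to be the entered code). Returns
 * the 1-based offset of the first match, or 0 when there is none, which
 * is the value the caller then checks with "test eax, eax". */
long pos_like_00403fd0(const char *pattern, const char *text)
{
    /* 00403FD0-00403FD6: nil pointer checks, both paths return 0 */
    if (pattern == NULL || text == NULL)
        return 0;

    long text_len = (long)strlen(text);        /* mov ecx, [edi-04]          */
    long rest_len = (long)strlen(pattern) - 1; /* mov edx, [esi-04]; dec edx */
    if (rest_len < 0)                          /* js 00404004 (empty pattern) */
        return 0;

    char first = pattern[0];                   /* mov al, byte ptr [esi] */
    const char *rest = pattern + 1;            /* inc esi                */
    long candidates = text_len - rest_len;     /* sub ecx, edx           */
    if (candidates <= 0)                       /* jle 00404004           */
        return 0;

    const char *scan = text;                   /* edi walks the text */
    for (;;) {
        /* repnz scasb: advance until a byte equals 'first', consuming at
           most 'candidates' bytes; jne 00404004 when none is found */
        while (candidates > 0 && *scan != first) {
            scan++;
            candidates--;
        }
        if (candidates == 0)
            return 0;
        scan++;                                /* scasb leaves edi one past the hit */
        candidates--;

        /* repz cmpsb over the remaining rest_len bytes; je 0040400C on match */
        if (memcmp(scan, rest, (size_t)rest_len) == 0)
            return (long)(scan - text);        /* mov eax, edi; sub eax, edx */

        /* mov ecx, ebx; jmp 00403FF0: resume the scan with what is left */
    }
}
```

The one subtle step is the final subtraction: edi is left one byte past the matched first character, and the saved start of the text is popped into edx, so eax ends up as a 1-based index rather than a 0-based one. With that in hand the caller's logic is simply "reject unless the fixed string occurs in the edx string", which is consistent with the inbuilt key working on its own.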

Job Done.....
 
The 'Crack' 
 
Since we can use the inbuilt serial number msR3I8aUi9y2E84L, we can use this key to register the program and not have to perform any patches on the program.

Should you wish to register any serial number you type into the program you could always change the line:

:0046CACB 7472                    je 0046CB3F
 
INTO

:0046CACB 90                      nop
:0046CACC 90                      nop

and this will do the trick. However, remember that the protection, while accepting your fake serial number, will still try to convert this serial into a valid Username, so you might see garbage printed in the About Screen when it tries to turn your serial number into a User Name!
 
As a little exercise, can you see any other way to *crack* this program? Please, by all means email me with your *cracks* for this program, and if you feel up to it then why not write an essay yourself on how you found and tested your *crack* and have it shown here!
 
Final Notes 
 
Anyone learning Assembly who wants some good routines that handle file accesses, either read or write, will find this program an excellent source of routines to borrow or improve upon.
 
This Essay is slightly different from my 'other' essays in so much that I have left you with some work to do yourself, such as what bytes to search for in your hex editor so that you can locate the je 0046CB3F instruction, so that you can nop it out. I've also deliberately not commented the actual serial key decryption routine in the hope you will do this yourself, so that you will know how it works for yourself and perhaps produce a Key generator program from it. Why not write an essay on how you think this protection system works? I've not mentioned everything about it in this essay.

My thanks and gratitude goes to:

Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
 
+ORC for showing me the light at the end of the tunnel.

 
Ob Duh 
 
Do I really have to remind you all that by buying and NOT stealing the software you use, you will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges in breaking their often weak protection systems.
 
If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.
 


 
 
 

Essay by:          The Sandman
Page Created: 28th May 1998