July 1998
"Aardvark Pro HTML Editor V3.0.1"
( 'Searching For Clues '  )
Win '95 PROGRAM
Win Code Reversing
 
 
by The Sandman 
 
 
Code Reversing For Beginners 
 
 
 
Program Details
Program Name: av32_301.exe
Program Type: HTML Editor
Program Location: Here or Here
Program Size: 2.5 MB 
 
   
Tools Used:
W32Dasm V8.9 - Disassembler
Hex Workshop32 or any other Hex Editor
 
Rating
Easy ( X )  Medium (  )  Hard (    )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
 
  
 
Aardvark Pro HTML Editor V3.0.1
( 'Searching For Clues'  )
Written by The Sandman
 
 
 
Introduction
 
The author says about Aardvark Pro :

"Aardvark Pro for Windows is a HyperText Markup Language (HTML) editor.

Aardvark Pro is, essentially, an ASCII editor not unlike a turbo charged version of Notepad. The big difference is that it knows about HTML.

Many options have been included to speed up the process of creating HTML documents. As soon as the program is loaded you are presented with a new template that has all of the main sections of an HTML document. Simply start writing your document."
 
About this protection system
 
The protection system within this program consists of a single registration number derived from your Name/Handle.

On successful registration the program will store your User Name in the file C:\Windows\aardvark.ini with the following entry:-

[Application Header]
User Name=The Sandman
     
The Essay 
     
Let us begin..

As always, run the target program a few times, try to register it and jot down the error messages the program spits out at you when you get the serial number wrong; they will come in very handy later on..:)

Once you've done this we need to create a 'Dead Listing' of this program. I use W32Dasm V8.9 to do this, but make sure you have enough disk space for the resulting file: it will be nearly 24 MB in size!

While still in W32Dasm, open up the program's String Data Resources and find the line that says "Sorry! The Registration Key you entered was invalid...". Now double-click on this line and W32Dasm will take you to this very interesting section of code:-
 
:005055A7 E8C0E9FBFF       call 004C3F6C                ;Check registration
:005055AC 3C01             cmp al, 01                   ;Result 1=correct
                                                        ;       0=invalid
:005055AE 7558             jne 00505608                 ;Beggar off Cracker
:005055B0 8D55F4           lea edx, dword ptr [ebp-0C]
:005055B3 A188075100       mov eax, dword ptr [00510788]
:005055B8 8B00             mov eax, dword ptr [eax]
:005055BA E8C1B3F2FF       call 00430980
:005055BF 8B4DF4           mov ecx, dword ptr [ebp-0C]
:005055C2 8D45F8           lea eax, dword ptr [ebp-08]

* StringData Ref from Code Obj ->"Thank you for Registering your "
                               ->"copy of "
 
:005055C5 BA58565000       mov edx, 00505658
:005055CA E885E9EFFF       call 00403F54
:005055CF 8B45F8           mov eax, dword ptr [ebp-08]
:005055D2 E819DFF3FF       call 004434F0
:005055D7 A180075100       mov eax, dword ptr [00510780]
:005055DC 8B00             mov eax, dword ptr [eax]
:005055DE 50               push eax
:005055DF A170055100       mov eax, dword ptr [00510570]
:005055E4 8B00             mov eax, dword ptr [eax]
:005055E6 8B8094070000     mov eax, dword ptr [eax+00000794]

* StringData Ref from Code Obj ->"User Name"
 
:005055EC B988565000       mov ecx, 00505688
 
* StringData Ref from Code Obj ->"Application Header"
                           |
:005055F1 BA9C565000       mov edx, 0050569C
:005055F6 E8C149F6FF       call 00469FBC
:005055FB 8B83F8010000     mov eax, dword ptr [ebx+000001F8]
:00505601 E806EAFBFF       call 004C400C
:00505606 EB0A             jmp 00505612

* Referenced by a (C)onditional Jump at Address: :005055AE(C)
 
; Here's the start of our "beggar off Cracker" message routine..
 
* StringData Ref from Code Obj ->"Sorry! The Registration Key you "
                                 ->"entered was not valid for the "
                                 ->"User Name you entered"
 
:00505608 B8B8565000       mov eax, 005056B8
:0050560D E8DEDEF3FF       call 004434F0

All the ingredients of our crack are here: the program calls the routine at memory location 004C3F6C, which processes the serial number we entered and returns a value in the low byte of the eax register (al). The jne (jump if not equal) instruction then acts on whether that returned value is a '1' or a '0'.
 
:005055A7 E8C0E9FBFF       call 004C3F6C                ;Check registration
:005055AC 3C01             cmp al, 01                   ;Result 1=correct
                                                        ;       0=invalid
:005055AE 7558             jne 00505608                 ;Beggar off Cracker
 

OK, some of you might be thinking at this point that we could nop (90h) out the jne instruction, in which case the program will always *register* itself regardless of whatever serial number is entered, and to a point you're right. However, what will happen is that when the program is run again it will reject your User details and you're back to square one: the program reverts to being a Shareware program again.. If you were to continue with this approach you would now have to locate where in the program it rejects the user's details (after loading the info from its aardvark.ini file) and then patch this location as well..

There is perhaps another way, one which is sometimes overlooked by those new to cracking: find out where and how the al register is 'set' to a value of '1', so that patching there will always return a '1' instead of a '0'. To the program a '0' means that either no serial was found or that it was rejected, so it runs as a Shareware program..

Let's now take a closer look at that call 004C3F6C instruction, which comes just before the program checks the al register. OK, now locate this memory location in our 'Dead Listing'..

I found it here...

:004C3F6C 53               push ebx
:004C3F6D 8BD8             mov ebx, eax
:004C3F6F 8A4324           mov al, byte ptr [ebx+24]
:004C3F72 E871A3FFFF       call 004BE2E8
:004C3F77 8B432C           mov eax, dword ptr [ebx+2C]
:004C3F7A E835E3FFFF       call 004C22B4
:004C3F7F 894330           mov dword ptr [ebx+30], eax
:004C3F82 8BC3             mov eax, ebx
:004C3F84 E84F000000       call 004C3FD8
:004C3F89 3C04             cmp al, 04
:004C3F8B 740A             je 004C3F97  ;Serial Passed, now set al=1
:004C3F8D 837B3000         cmp dword ptr [ebx+30], 00000000
:004C3F91 7D04             jge 004C3F97 ;Serial Passed, now set al=1
:004C3F93 33C0             xor eax, eax
:004C3F95 5B               pop ebx
:004C3F96 C3               ret
 
If serial check passed then come here and 'set' the AL register to '1'

* Referenced by a (C)onditional Jumps at Addresses:
:004C3F8B(C), :004C3F91(C)
 
:004C3F97 B001                    mov al, 01
:004C3F99 5B                      pop ebx
:004C3F9A C3                      ret

Hmmm, so there are TWO serial checks, and either one of them will make the routine return a value of '1' in the AL register. It's a good bet that the above routine is called many times by the program, so it's best to patch here rather than anywhere else..

Right, it's clear then: if we patch the FIRST jump instruction, je 004C3F97, and change it into an unconditional short jump (jmp), then it will ALWAYS jump to the small routine that 'sets' the al register to '1'. We can then forget about the second conditional jump, since the program will never execute that code; we've permanently diverted it away from here..:)

So here's what our patched code will look like:-

:004C3F8B EB0A             jmp 004C3F97  ;Serial Passed, now set al=1
:004C3F8D 837B3000         cmp dword ptr [ebx+30], 00000000
:004C3F91 7D04             jge 004C3F97 ;Serial Passed, now set al=1
:004C3F93 33C0             xor eax, eax
:004C3F95 5B               pop ebx
:004C3F96 C3               ret

Just a one byte change makes all the difference..
 
Job Done.
 
The 'Crack' 
 
Here's how to 'patch' this target program so that it will be fully registered..:)
 
1. Create or locate the file: C:\Windows\aardvark.ini (Use Windows Notepad)
2. Edit or create this entry:-

[Application Header]
User Name=YOUR_NAME/HANDLE_GOES_HERE

3. Save this file. This is only necessary if you wish the program to show your Name/Handle as the registered owner of this program.. If the program can't find this file or your User Name then it will display "Registered To: Unregistered" instead.

4. Load ardpro32.exe into your favorite Hex-Editor (I prefer Hex Workshop 32, but just about any hex editor will do)..
 
5. Search for the following bytes: 750A837B30007D04
   Replace with these bytes:       EB0A837B30007F04
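As an added example (not from the essay): a small Python scanner that looks for the short jump / cmp dword ptr [ebx+30],0 / short jump sequence above in a raw byte image and reports whether the first jump is still conditional or has become the EB (jmp rel8) of a tampered copy, computing each jump's target the way the listing implies. It accepts either 74 (je, as in the disassembly) or 75 (jne, as in the byte string of step 5) as the pristine first jump; the images it scans are constructed here, not bytes from the real av32_301.exe, and the base address is an assumption chosen so the first jump lines up with 004C3F8B.

```python
# Added example, not part of the essay: scan a raw byte image for the
# jump / cmp [ebx+30],0 / jump sequence the essay patches and report whether the
# first jump is still conditional (pristine) or an unconditional jmp (tampered).

# One-byte opcodes of the short (rel8) jump family that appear in the listing.
SHORT_JUMPS = {0x74: "je", 0x75: "jne", 0x7D: "jge", 0x7F: "jg", 0xEB: "jmp"}

# 83 7B 30 00 = cmp dword ptr [ebx+30], 0: the fixed anchor between the jumps.
CMP_EBX30 = bytes.fromhex("837B3000")


def find_check_sites(image, base=0):
    """Return one dict per occurrence of <Jcc rel8><cmp [ebx+30],0><Jcc rel8>.

    base is the virtual address of image[0]. A short jump's target is
    address_of_jump + 2 + rel8 (sign-extended), e.g. 004C3F8B + 2 + 0A = 004C3F97.
    """
    sites = []
    idx = image.find(CMP_EBX30)
    while idx >= 0:
        j1_off, j2_off = idx - 2, idx + len(CMP_EBX30)
        if j1_off >= 0 and j2_off + 2 <= len(image):
            j1, j2 = image[j1_off], image[j2_off]
            if j1 in SHORT_JUMPS and j2 in SHORT_JUMPS:
                rel1 = int.from_bytes(image[j1_off + 1:j1_off + 2], "little", signed=True)
                rel2 = int.from_bytes(image[j2_off + 1:j2_off + 2], "little", signed=True)
                sites.append({
                    "offset": j1_off,
                    "first": SHORT_JUMPS[j1],
                    "second": SHORT_JUMPS[j2],
                    "first_target": base + j1_off + 2 + rel1,
                    "second_target": base + j2_off + 2 + rel2,
                    # The essay's one-byte patch turns the first Jcc into EB (jmp rel8).
                    "tampered": j1 == 0xEB,
                })
        idx = image.find(CMP_EBX30, idx + 1)
    return sites


# Constructed images (not the real binary): filler around the byte strings quoted above.
FILLER = bytes.fromhex("5589E5") * 4
PRISTINE = FILLER + bytes.fromhex("740A837B30007D04") + bytes.fromhex("33C05BC3")
PATCHED = FILLER + bytes.fromhex("EB0A837B30007F04") + bytes.fromhex("33C05BC3")

if __name__ == "__main__":
    # Assumed base so that the first jump sits at 004C3F8B, as in the listing.
    for name, img in (("pristine", PRISTINE), ("patched", PATCHED)):
        for site in find_check_sites(img, base=0x004C3F8B - len(FILLER)):
            print(name, site)
```

Both jumps resolve to the same target (the mov al, 01 at 004C3F97), which is why a single EB byte is enough to bypass the whole check and why an integrity check over this region catches it.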
 
 
Final Notes 
 
Is the program really this easy to *crack*? Well, yes it is.. Of course you need to be able to *think* like a cracker in order to do this, but believe me, it will all come naturally to you as you practice and learn this art form. Notice we didn't need to use SoftICE here; this was one of those programs I found I didn't need it for, because everything fell into place almost immediately as I studied the program from its 'Dead Listing'..

Many people have asked me how 'Dead Listings' work and whether you need to understand Assembler before you can use them, so with this in mind expect, within a few days from now, an essay written by me that will try to explain how these listings work. It won't be fancy, but it will get you past a few hurdles and hopefully on the road to exploiting them for your own needs.
 
My thanks and gratitude goes to:-
 
Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
 
+ORC for showing me the light at the end of the tunnel.
 
Ob Duh 
 
Do I really have to remind you all that buying, and NOT stealing, the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges in breaking their often weak protection systems.
 
If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.
 
Essay by:          The Sandman
Page Created: 11th July 1998