"Mental" cracking: techfacts95 v1.3
Am I dreaming?

by SiuL+Hacky
stupid

(04 September 1997, slightly edited by fravia+)


Courtesy of fravia's page of reverse engineering

Well... there is not much to add... an "immaterial" crack... I have never seen anything like this

AM I DREAMING ?
I was really surprised by this program. It is useful, one of +our tools: 
techfacts95 v1.3 (get it at fravia's). This nice program may be used one 
zillion years without registering, and now I know why. 
The only annoying feature is a nasty nag window at start, so I decided to 
award it with some workshopping.

If you do, you'll realize there are no "typical-dialog" resources. 
The nag is clearly identified as TMYSPLASH, but the dialogs are not 
available in the usual way. I don't know if it is on purpose. 
For one moment I hoped it could be a tough protection scheme...

When filling in the registration (wrongly, of course) you receive a short 
"Registration Key Failed!". Ok, wdasm it and you'll see firstly that 
there are no imported dialog resources and secondly this incredibly 
stupid code snippet:

:0047B934 E89B73F8FF              call 00402CD4             ; << c'mon PATCH ME!
:0047B939 0F8528010000            jne 0047BA67
... some lines, calls and still no jumping... (how mysterious :-)
:0047BA39 5A                      pop edx
:0047BA3A 59                      pop ecx
:0047BA3B 59                      pop ecx
:0047BA3C 648910                  mov dword ptr fs:[eax], edx
:0047BA3F 6854BA4700              push 0047BA54             ; >- pushing address!

* Referenced by a Jump at Address:0047BA52(U)
|
:0047BA44 8B45F4                  mov eax, dword ptr [ebp-0C]
:0047BA47 E8B075F8FF              call 00402FFC
:0047BA4C C3                      ret                       ; <<< return to :47BA54
                                                            ; DO THEY THINK WE ARE STUPID?
                                                            ; LOOK AT THESE SILLY JUMPS!
:0047BA4D E9B67AF8FF              jmp 00403508
:0047BA52 EBF0                    jmp 0047BA44

* Possible StringData Ref from Code Obj ->"Registration Key accepted!"
                                  |
:0047BA54 B898BB4700              mov eax, 0047BB98	  >-pushed address!
:0047BA59 E83EBEFBFF              call 0043789C
:0047BA5E C6051AF34C0000          mov byte ptr [004CF31A], 00
:0047BA65 EB11                    jmp 0047BA78

* Referenced by a Jump at Address:0047B939(C)
|
:0047BA67 6A30                    push 00000030

* Reference To: user32.MessageBeep, Ord:0000h
                                  |
:0047BA69 E822A7F8FF              Call 00406190

* Possible StringData Ref from Code Obj ->"Registration Key Failed!"
                                  |
:0047BA6E B8BCBB4700              mov eax, 0047BBBC
:0047BA73 E824BEFBFF              call 0043789C

I can't believe it, an old one. I thought I could only find this kind of 
protection at our +HCA (Historical Cracking Archive :-) 
At times I feel lazy about restarting a session with softice, so I 
recommend you sometimes use Wdasm as a debugger, yeah. 
It carries some advantages:

* You always have your wdasmed dead-list (references...) in front of you
* There's a nice API analyzer (for checking parameters)
* The GUI is a little bit friendlier :-)
* You may switch among tasks while your babe is stopped.

Of course it is less powerful (a lot less), and more buggy. 
Also single stepping presents some problems when modifying things 
on-the-fly... but try it out in some cases, just to learn how to use 
an alternative debugger. 

Well, I placed a breakpoint on the conditional jump, changed the zero flag 
on the fly, and so I became a good guy. 
I was awaiting the famous "thank you for your support" and so on, you know,
kind of boring; it did (and crashed a little bit :-) but BELIEVE IT OR NOT 
changing this flag on the fly registered me for ever and ever, from ages 
to ages, until the future golden era when nobody will be aware of what 
Micro$oft was. I repeat: I did not have to PATCH THE REAL CODE with a 
hex editor!
It is close to mental cracking (the top of zen cracking): you crack this 
without "touching" a single bit of the code. You may be able to fight against the 
toughest forces of evil, yet you'll not be able to unregister it, unless 
you reinstall it from scratch.
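The reason one flag flip "registered me for ever" is a design choice worth naming: the program stored the outcome of the check rather than the key, so whatever made a single check pass was saved and never re-examined. As an added illustration (not techfacts95's code; the "TF95-" key format and the RegStore struct are invented for this example), here is that pattern beside one that persists the key and re-validates at every start:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for persistent state (an INI file or registry value in real
 * life); constructed for this example. */
typedef struct {
    bool registered;  /* design A: the stored verdict */
    char key[16];     /* design B: the stored key, re-checked at every start */
} RegStore;

/* Toy key format invented for this example, not techfacts95's real check:
 * "TF95-" followed by four digits whose sum is divisible by 7. */
bool key_is_valid(const char *key)
{
    if (key == NULL || strlen(key) != 9 || strncmp(key, "TF95-", 5) != 0)
        return false;
    int sum = 0;
    for (int i = 5; i < 9; i++) {
        if (key[i] < '0' || key[i] > '9')
            return false;
        sum += key[i] - '0';
    }
    return sum % 7 == 0;
}

/* Design A (what the essay ran into): one session where the check passed
 * (forced_ok models the on-the-fly zero-flag change), then a fresh start.
 * Returns the fresh start's verdict. */
bool verdict_design_restart(const char *key, bool forced_ok)
{
    RegStore s = {0};
    if (key_is_valid(key) || forced_ok)
        s.registered = true;          /* decision stored, key discarded */
    /* --- program exits and is restarted --- */
    return s.registered;              /* no re-check: the flip is permanent */
}

/* Design B: store the key, not the verdict, and re-validate every start.
 * A flipped flag wins one session; the next start re-checks what was stored. */
bool key_design_restart(const char *key, bool forced_ok)
{
    RegStore s = {0};
    if (key_is_valid(key) || forced_ok)
        snprintf(s.key, sizeof s.key, "%s", key);  /* evidence, not verdict */
    /* --- program exits and is restarted --- */
    return key_is_valid(s.key);       /* the stored key must still pass */
}
```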

Maybe I was right to enter a random code :-D

Come on "Dean Software Design" guys, give it out for free.

SiuL+Hacky

(c) SiuL+Hacky, 1997. All rights reversed.