"ByeLines is comprised of a simple ASCII editor and a database of ôtaglines.ö The basic function is to allow the user to create an ASCII signature and then append the selected tagline from the database creating a signature file. This file is then used by programs such as Pegasus, Netscape or Eudora as the ôsignatureö on e-mail messages or newsgroup postings."
 

About this protection system

 
This program is registered via the 'File' menu option then by selecting the 'Register' option.
 
Your asked to enter the following information:-
 
User Name:
Registration Key:
 
The program, like many others uses a memory location to hold either a 0 or 1, which the program then checks many times while running to see if it's registered or not.  The location of this 'flag' is at memory offset: 004C5764
    

The Essay

     
I have chosen to crack this program using a simple redirection of a jump instruction, changing it from a conditional jump to a unconditional jump.  It would have been much better I think, if I had *cracked* this program through the actual registration of the program itself, instead of attacking it when it first runs..  For some reason I couldn't find out where the real serial number is stored in memory, so decided to cut my losses and find out where the program reads the System Registry File to see if it has already been registered. A simply patch of a conditional jump and a change of jump address makes the program believe its been registered.
 
On with the show as they say...

If we know how most Shareware programs operate, they read the Registry File to see if there are any entries that say if the program has been registered or not.  Some programs will store your User Name and the serial No in the registry file even if the serial number is incorrect.. This is so the program can show you what you typed in the last time you tried to register the program. Once the program has been fully loaded it reads the registration entries in the Registry File and then checks to see if the serial number is correct.  Now here's where many shareware programs follow the same route..
 
IF the serial number is incorrect they will place the following text at the top of the screen.

Example:-

"Byelines - Unregistered Version'

You will no doubt have seen this many times before.. Again, when the program is registered all you will see is just the program's name, without the ' - Unregistered Version' bit.
 
We can make very good use of this, by simply using W32Dasm to create a 'Dead Listing' of our target program then using the 'String Data Resources' we can quickly locate the exact location of where this text is used.  In the case of ByeLines we find it here:-
 
* Referenced by a (C)onditional Jump at Address: :004BD22E(C)
|

* Possible StringData Ref from Code Obj ->"ByeLines - Unregistered Version"
                                  |
:004BD255 BAA4D24B00              mov edx, 004BD2A4 ;loads the above string
                                                    ;into the edx register.

:004BD25A A15C574C00              mov eax, dword ptr [004C575C]
:004BD25F E8A85BF6FF              call 00422E0C

Look!, there is only ONE conditional jump at memory location 004BD22E that calls this block of code!. Lets now take a look at this condition jump statement..

:004BD22C 85C0                    test eax, eax
:004BD22E 7525                    jne 004BD255  ;This is the jump that
                                                ;creates our:-
                                                'Byelines Unregistered Ver'
 

:004BD230 C60564574C0001          mov byte ptr [004C5764],01 ;'FLAG CITY'!
 
                                  ;If memory Location 004C5764 has a value
                                  ;of 1 then this will tell the rest of
                                  ;the program that this program is fully
                                  ;REGISTERED.
 
                                  ;A value of 0 means it's still Shareware.

:004BD237 BA90D24B00              mov edx, 004BD290 ;Move into the edx
                                                    ;register the following
                                                    ;text "Byelines"
 
 

:004BD23C A15C574C00              mov eax, dword ptr [004C575C]
:004BD241 E8C65BF6FF              call 00422E0C
:004BD246 33D2                    xor edx, edx
:004BD248 8B8324020000            mov eax, dword ptr [ebx+00000224]
:004BD24E E831D7F6FF              call 0042A984
:004BD253 EB0F                    jmp 004BD264

Ok, on the face of what we've seen so far we *could* simply 'Patch' this program here and now, try it.. Go into ByeLines registration screen and fill in the two input boxes. Then press Ctrl-D to start up Softice and type: bpx messageboxa then x to exit.
 
Now press the 'OK' button to have Byelines check our serial number.  The program will now be halted by Softice.. Press F11 then the  'OK' button to the messagebox now displayed on your screen asking you if this serial number is correct.  We should now be in ByeLines actual code.
 
While still in Softice type bd 00 to disable our messageboxa breakpoint then bpx 004BD22E this will place a new Softice breakpoint on our jne 004BD255 instruction. Once you've done this press x to exit softice.
 
Now exit ByeLines completely and then reload it again. Did Softice break on our new breakpoint?.. The answer is NO, it didn't, that's because their must be another conditional jump somewhere, one that comes before our jump instruction and it's diverting the program's flow away from our original jump instruction..  It's this jump instruction we must locate and deal with.
 
Back to our 'Dead Listing'...
 
If we now look up from our original jne 004BD255 instruction we do indeed see another conditional jump instruction, and it's still within the same block of code..
 
Before reading this essay further examine this block of code, make sure you know where you are and where everything is in relation to our our original jne 004BD255 instruction.
 
:004BD1B4 84C9                    test cl, cl
:004BD1B6 0F85A8000000            jne 004BD264 ;Our Second conditional jump
                                               ;instruction. If it's 'set'
                                               ;then it will by-pass our
                                               ;original jump instruction
                                               ;below.
:004BD1BC 66B91F00                mov cx, 001F
:004BD1C0 66BA0C00                mov dx, 000C
:004BD1C4 66B80F27                mov ax, 270F
:004BD1C8 E80FC4F4FF              call 004095DC
:004BD1CD DD5DF4                  fstp qword ptr [ebp-0C]
:004BD1D0 9B                      wait
:004BD1D1 8D55FC                  lea edx, dword ptr [ebp-04]
:004BD1D4 B904000000              mov ecx, 00000004
:004BD1D9 A118304C00              mov eax, dword ptr [004C3018]
:004BD1DE E8FD04FEFF              call 0049D6E0
:004BD1E3 BA08304C00              mov edx, 004C3008
:004BD1E8 B910000000              mov ecx, 00000010
:004BD1ED 8B45FC                  mov eax, dword ptr [ebp-04]
:004BD1F0 E8030EFEFF              call 0049DFF8
:004BD1F5 FF75F8                  push [ebp-08]
:004BD1F8 FF75F4                  push [ebp-0C]
:004BD1FB 8D4DEC                  lea ecx, dword ptr [ebp-14]
:004BD1FE B808304C00              mov eax, 004C3008
:004BD203 8B93A8050000            mov edx, dword ptr [ebx+000005A8]
:004BD209 E83615FEFF              call 0049E744
:004BD20E 8D4DE8                  lea ecx, dword ptr [ebp-18]
:004BD211 8D45EC                  lea eax, dword ptr [ebp-14]
:004BD214 BA08000000              mov edx, 00000008
:004BD219 E89A03FEFF              call 0049D5B8
:004BD21E 8B93A4050000            mov edx, dword ptr [ebx+000005A4]
:004BD224 8B45E8                  mov eax, dword ptr [ebp-18]
:004BD227 E8E0ADF4FF              call 0040800C
:004BD22C 85C0                    test eax, eax
:004BD22E 7525                    jne 004BD255 ;Here's where our original
                                               ;conditional jump
                                               ;instruction is, the one
                                               ;that get's by-passed.
 
:004BD230 C60564574C0001          mov byte ptr [004C5764],01;'FLAG CITY'!

* Possible StringData Ref from Code Obj ->"ByeLines"
 
:004BD237 BA90D24B00              mov edx, 004BD290
:004BD23C A15C574C00              mov eax, dword ptr [004C575C]
:004BD241 E8C65BF6FF              call 00422E0C
:004BD246 33D2                    xor edx, edx

Because programmers tend to think in 'straight' lines, they will code their programs in 'straight' lines and they will use conditional jumps that only get switched 'on' i.e jump, if during the checking it finds that you've not registered the program.  Look at the above snippet of code again and see that IF you've registered the program then BOTH conditional jumps get switched 'OFF', so therefore the program's flow follows a straight line on to the 'Flag City' flag and then onto displaying the  'Byelines' text at the top of our screen.
 
Here's where a little thought goes a LONG way.. If we change the SECOND conditional jump at location :004BD1B6 so that it will ALWAYS jump to the our 'Flag City' instruction we will bypass all the checks the program does on your serial number and carries on an 'sets' our *REGISTER\UNREGISTER' flag to REGISTERED and then displays the program's name (minus the '- Unregistered Version') text at the top of our screen. Phew, quite a mouthful to explain but easier to show..  Here's what we need to do to the code to get it to work..
 
:004BD1B4 84C9                    test cl, cl
:004BD1B6 EB78                    jmp 004BD230 ;Now we jump 'over' the
                                               ;program's checks on our
                                               ;serial number straight
                                               ;to registering the program
                                               ;automatically.
:004BDB7  90                      nop          ;Since this new jump is
:004BDB8  90                      nop          ;smaller than the old jump
:004BDB8  90                      nop          ;instruction we fill in the
                                               ;excess bytes with nops.
Job Done.....
 

The 'Crack'

 
Just one item of information remains to be said here before you go patching the program.  Before patching this program enter your User Name\Handle into the program via the registration screen.. This will make the program place your Name\Handle into the System Registry file. So when you *crack* this program the program will still 'read' your name/handle from the System Registry file and use that to display on it's 'About Screen'.
   
Load up byelines.exe into your favorite hex editor then:-

SEARCH FOR THE FOLLOWING BYTES: 84C90F85A8000000
REPLACE HIGHLIGHTED BYTES WITH: 84C9E97890909090

Final Notes

 
There is still another good *crack* waiting to be discovered within this program, can you find out where the serial number is stored in this program?, then use this knowledge to *crack* this program?
 
My thanks and gratitude goes to:

Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
 
+ORC for showing me the light at the end of the tunnel.

 

Ob Duh

 
Do I really have to remind you all that by buying and NOT stealing the software you use will ensure that these software houses will continue to  produce even *better* software for us to use and more importantly, to continue offering even more challenges to breaking their often weak protection systems.
 
If your looking for cracks or serial numbers from these pages then your wasting your time, try searching elsewhere on the Web under Warze, Cracks etc.