The Evolution of the Cool Edit Protection Scheme Part i
Cool Edit Crack V1.50
File Size 371,952 bytes.
16 Bit Code.
Cool Edit is one of those few shareware programs that you find from time
to time that is actually quite useful. The shareware version lets you try
all the functions but only two at once. The program can be registered at
three levels :-
Basic Registration - $50 and you get all the functions.
Preferred Registration - $100 and you get everything and all subsequent
updates.
Lite Registration - $25 and you get only the basic functions.
Whether or not you think that these fees are too high is not a subject
that this tutorial will be concerned with, if you think its worth the money
then buy it otherwise I don't care, I'm only interested in the development
in the 'protection' scheme.
There are a number of ways to crack this program and this tutorial will
cover quite a few, although not all, of them.
METHOD 1. - The Dump.
This is one of the first programs that one ever cracked. The protection scheme
in this version is so weak that you don't even need a debugger or a
unassembler. All you need is a program that can dump (and search)the code in
ASCII format. When I first cracked this I used Xtree Gold, but anything will
do. For example GREP, PSEDIT...
To use GREP.
GREP PASSWORD COOL.EXE
and you will get this
File COOL.EXE:
ID_SILENCE^KID_PASSWORD^JID_VARIOUS^LID_OVERWRITE^KID_WAVEINFO^KID_MUSICDLG
ID_PLEASE^LID_CUEDIALOG^JID_PLAYBOX
^@Undo Byte Swap^@^@Not enough memory for Undo. Continue anyways?^@^@Adjuste ev
ery 8-bit sample byte such that the new zero position will be adjusted by a valu
e of 128.^@Swap the high and low bytes of each 16-bit sample word.^@"%s" Already
Exists, Overwrite?^@File Save^@Various Options^@You must re-start %s for tempor
ary directory changes to take effect^@Attention^@Temporary Directory Invalid^@Yo
u must re-start %s for undo temporary directory changes to take effect^@^@Tempor
ary Undo Directory Invalid^@^@Extra^@Upgrade^@Reg Info^@^@This copy is registere
d to %s. If you obtained this pre-registered version from a BBS or elsewhere, p
lease contact me.^@This is a DEMONSTRATION version. You may distribute this fre
ely. Feel free to contact us if you have any questions.^@%s version %s%s^@ Lite
^@About the Author^@^@ID_PASSWORD^@HOJDIVAD^@^@LOVELOVE^@^@Full=%s
***********************************
And as you can see there are two string directly after the PASSWORD string
which was an obvious choice for a search string.
So now we load up cool edit and go to the register window, type our name
and the HOJDIVAD or LOVELOVE (by the way HOJDIVAD is DavidJoh which is
David Johnston the author of the program, remember crack everything in life)
but alas no luck, so there must be some kind of encryption of the string
HOJDIVAD by the Name input string. At points like these +Orc suggests a
Wodka Martini and some 'Zen Cracking'. Zen cracking roughly translates as a
bit of intelligence with a dash of luck. So if the PASSWORD string is modified
with the ID String then if we leave it blank it might not be able to modify the
PASSWORD string.
Bingo there you have it you now have a fully functional version of Cool Edit.
Name ''
Password 'HOJDIVAD' Full version
Password 'LOVELOVE' Lite Version.
Great.... but the title bar now says registered to . This is fine
but as soon as you get you debugger or unassembler you will want to see you
name in lights in that title bar.
METHOD 2 The cool, icy crack.
OK you now have your WINICE debugger.
But before you start you will realise that you program is now registered and
you cannot re-register it.. NOT so load up the cool.ini file located in you
windows directory and you will find a bit that looks like this
[Registration]
License=1
Garbleflux=5397
User=
Number=HOJDIVAD
just delete this bit if you want to re-register it.
So get the registration screen and enter You name and abcabcab as your password.
Actually you can use anything string you want. now hit Ctrl-D to enter the
debugger and type BPX getdlgitemtext (for explanation of WINICE and general
debugging/cracking) then CTRL-D again and hit [OK]. And WINICE will pop up.
Hit [F11] to return from the call to GETDLGITEMTEXT and ...hello... you are right
at the start of the protection scheme. You will then see another call to
GETDLGITEMTEXT a few instructions ahead. disable your breakpoint and [F10]
proceed through that GETDLGITEMTEXT too. Now search for you input strings.
s ds:0 lffff 'abcabcab'
and then bpm on the address.
bpm xxxx:xxxx rw
Now CTRL-D again and you should end up back inside the debugger. When you
PASSWORD string is accessed. The first time the String is accessed it is
only being UPPERCASED
3.AAE4 C746FC6802 mov word ptr [Long B], 0268
3.AAE9 C646FF45 mov byte ptr [Char E], 45
3.AAED 66FF760A push dword ptr [Add of PASSWORD]
3.AAF1 9A0EAC0000 call USER.ANSIUPPER
Hit CTRL-D again and this time the string will be compared with a series of
numbers. This part is actually really cool but we will ignore it for the
moment.
3.AD5C C47E0A les di, [Add of PASSWORD]
3.AD5F 26807D014E cmp byte ptr es:[di+01], 4E
3.AD64 7569 jne ADCF
CTRL-D again and you will get something like this :
3.ADD2 57 push di
3.ADD3 9AD3A90000 call KERNEL.LSTRLEN
3.ADD8 3D0800 cmp ax, 0008
3.ADDB 754B jne AE28
3.ADDD 8D46EE lea ax, [HOJDIVAD COPY]
3.ADE0 16 push ss
3.ADE1 50 push ax
3.ADE2 FF760C push word ptr [Address of Data Seg]
3.ADE5 57 push di
3.ADE6 9A00AE0000 call USER.LSTRCMPI
3.ADEB 0BC0 or ax, ax
3.ADED 7507 jne ADF6
3.ADEF >B80100 mov ax, 0001
3.ADF2 5E pop si
3.ADF3 5F pop di
3.ADF4 C9 leave
3.ADF5 CB retf
This is it this is where your PASSWORD (di) string is compared with the modified
(or encrypted if you could call it that) version of HOJDIVAD. so trace [F8] up
to the 'push ss' then d the HOJDIVAD string
d ax
And there you will find the string that you need to type in order to register
the program with you own name. :>
METHOD 3 Cheater!!
Don't use the following method (although it works) to crack 'password ' stuff
its is really lame and you will gain only the product itself and will miss
out on greatly more important Knowledge.
On the return from the above code you are faced with this :
3.AFC1 83C408 add sp, 0008
3.AFC4 8BF0 mov si, ax
3.AFC6 0BF0 or si, ax
3.AFC8 0F848202 je Fick OFF!! wrong PASSWORD
where if ax is equal to 0000 the product will not register. So you can invert
the jump if equal bit to jumps if not equal by search for 0F848202 with your
hex editor and replacing it with 0F858202 and the program will register will
all but the 'correct' PASSWORDS. This method always has its drawbacks
especially if there is more than one check of the code. (which I think
there might be) and you will have to trace them all down.
As I said it is generally a bad idea to use this method, I just put it in so
that you have the knowledge of its existence.
METHOD 4 Roll your own.
This is by far the best( and usually the longest) way to crack protection
schemes... no I'll rephrase that this is the most beneficial way to crack
as you really get to 'know' the protection scheme and you will be better
informed when you are faced with cracking the next version.
Here we will extract the whole protection scheme using a unassembler
(such as Windows Code Back WCB, get it!!).
To find the relevant code in cool edit is easy as the export list given at
the start of the WCB listing has a procedure call something like
REGISTERMSGproc. Find the GETDLGITEM call and copy this down to the CALL
go to the address of the CALL and copy the whole CALL. Here it is.
// MAIN PROTECTION PROC //
======================================================================
3.AF8E FF760E push word ptr [bp+0E]
3.AF91 68F403 push 03F4
3.AF94 8D46CC lea ax, [NAME STRING]
3.AF97 16 push ss
3.AF98 50 push ax
3.AF99 6A2F push 002F
3.AF9B 9AAEAF0000 call USER.GETDLGITEMTEXT
3.AFA0 FF760E push word ptr [bp+0E]
3.AFA3 68F303 push 03F3
3.AFA6 8D46F0 lea ax, [PASSWORD STRING]
3.AFA9 16 push ss
3.AFAA 50 push ax
3.AFAB 6A0E push 000E
3.AFAD 9AFDA60000 call USER.GETDLGITEMTEXT
3.AFB2 8D46F0 lea ax, [PASSWORD STRING]
3.AFB5 16 push ss
3.AFB6 50 push ax
3.AFB7 8D46CC lea ax, [NAME STRING]
3.AFBA 16 push ss
3.AFBB 50 push ax
3.AFBC 9ADEAA56A9 call ENCRYPT AND COMPARE
3.AFC1 83C408 add sp, 0008
3.AFC4 8BF0 mov si, ax
3.AFC6 0BF0 or si, ax
3.AFC8 0F848202 je Fick OFF!! (JMP if AX == 0)
=====================================================================
ENCRYPT AND CMP
===============
CA0000 retf 0000 == SHOULD BE
BAD UNASM!!
3.AAE2 57 push di
3.AAE3 56 push si
3.AAE4 C746FC6802 mov word ptr [Long B], 0268
3.AAE9 C646FF45 mov byte ptr [Char E], 45
3.AAED 66FF760A push dword ptr [Add of PASSWORD]
3.AAF1 9A0EAC0000 call USER.ANSIUPPER
3.AAF6 8D46EE lea ax, [HOJDIVAD COPY]
3.AAF9 16 push ss
3.AAFA 50 push ax
3.AAFB 1E push ds
3.AAFC 686C3C push HOJDIVAD ORGINAL
3.AAFF 9A0EAB0000 call KERNEL.LSTRCPY
3.AB04 8D46E4 lea ax, [HOJDIVAD COPY2]
3.AB07 16 push ss
3.AB08 50 push ax
3.AB09 1E push ds
3.AB0A 686C3C push HOJDIVAD ORGINAL
3.AB0D 9A1CAB0000 call KERNEL.LSTRCPY
3.AB12 8D46DA lea ax, [LOVELOVE COPY]
3.AB15 16 push ss
3.AB16 50 push ax
3.AB17 1E push ds
3.AB18 68763C push LOVELOVE ORG
3.AB1B 9A04AC0000 call KERNEL.LSTRCPY
3.AB20 33F6 xor si, si
3.LOOP-1>806AEE41 sub byte ptr [HOJDIVAD COPY + SI], 41
3.AB26 806AE441 sub byte ptr [HOJDIVAD COPY2 + SI], 41
3.AB2A 806ADA41 sub byte ptr [LOVELOVE COPY + SI], 41
3.AB2E 46 inc si
3.AB2F 83FE08 cmp si, 0008
3.AB32 7CEE jl LOOP-1
3.AB34 C746FC0C00 mov word ptr [Long B], 000C
3.AB39 33FF xor di, di
3.AB3B 897EFE mov [Long B upper], di
3.AB3E 8BF7 mov si, di
3.AB40 897EF8 mov [Int A], di
3.AB43 66FF7606 push dword ptr [Add if ID]
3.AB47 9A84AB0000 call KERNEL.LSTRLEN
3.AB4C 0BC0 or ax, ax
3.AB4E 7E42 jle Finished 1
3.LOOP-2 >C45E06 les bx, [Add if ID]
3.AB53 268A01 mov al, byte ptr es:[bx+di]
3.AB56 98 cbw CONVERT TO WORD => AX
3.AB57 99 cwd CONVERT TO DOUBLE WORD => AX,DX
3.AB58 0146FC add [Long B], ax
3.AB5B 1156FE adc [Long B upper], dx
3.AB5E 8A42EE mov al, byte ptr [HOJDIVAD COPY + SI]
3.AB61 8AC8 mov cl, al
3.AB63 02C0 add al, al
3.AB65 02C1 add al, cl
3.AB67 C0E002 shl al, 02
3.AB6A 02C1 add al, cl
3.AB6C 0411 add al, 11
3.AB6E 8842EE mov byte ptr [HOJDIVAD COPY + SI], al
3.AB71 46 inc si
3.AB72 8976F8 mov [Int A], si
3.AB75 83FE07 cmp si, 0007
3.AB78 7E05 jle Not Finished
3.AB7A C746F80000 mov word ptr [Int A], 0000
Not Finished>66FF7606 push dword ptr [Add if ID]
3.AB83 9A99AB0000 call KERNEL.LSTRLEN
3.AB88 47 inc di
3.AB89 3BC7 cmp ax, di
3.AB8B 7E05 jle Finished 1
3.AB8D 8B76F8 mov si, [Int A]
3.AB90 EBBE jmp LOOP-2
Finished 1 >33FF xor di, di
3.AB94 66FF7606 push dword ptr [Add if ID]
3.AB98 9AB7AB0000 call KERNEL.LSTRLEN
3.AB9D 0BC0 or ax, ax
3.AB9F 7E22 jle NULL ID Length
3.ABA1 8B76F8 mov si, [Int A]
3.LOOP-2 >8A46FC mov al, byte ptr [Long B]
3.ABA7 2842EE sub byte ptr [HOJDIVAD COPY + SI], al
3.ABAA 46 inc si
3.ABAB 83FE07 cmp si, 0007
3.ABAE 7E02 jle Skip
3.ABB0 33F6 xor si, si
3.Skip >66FF7606 push dword ptr [Add if ID]
3.ABB6 9ACAAB0000 call KERNEL.LSTRLEN
3.ABBB 47 inc di
3.ABBC 3BC7 cmp ax, di
3.ABBE 7FE4 jg LOOP-2
3.ABC0 8976F8 mov [Int A], si
3.NULL ID Length >33FF xor di, di
3.ABC5 66FF7606 push dword ptr [Add if ID]
3.ABC9 9AF1AB0000 call KERNEL.LSTRLEN
3.ABCE 0BC0 or ax, ax
3.ABD0 7E28 jle ABFA
3.LOOP-3 >C45E06 les bx, [Add if ID]
3.ABD5 8B76F8 mov si, [Int A]
3.ABD8 268A01 mov al, byte ptr es:[bx+di]
3.ABDB 3042EE xor byte ptr [HOJDIVAD COPY + SI], al
3.ABDE FF46F8 inc word ptr [Int A]
3.ABE1 837EF807 cmp word ptr [Int A], 0007
3.ABE5 7E05 jle SKIP-2
3.ABE7 C746F80000 mov word ptr [Int A], 0000
3.SKIP-2 >66FF7606 push dword ptr [Add if ID]
3.ABF0 9A20AC0000 call KERNEL.LSTRLEN
3.ABF5 47 inc di
3.ABF6 3BC7 cmp ax, di
3.ABF8 7FD8 jg LOOP-3
3.ABFA >8D469A lea ax, [COPY of id[UPPER CASE]]
3.ABFD 16 push ss
3.ABFE 50 push ax
3.ABFF 66FF7606 push dword ptr [Add if ID]
3.AC03 9AE4A90000 call KERNEL.LSTRCPY
3.AC08 8D469A lea ax, [COPY of id[UPPER CASE]]
3.AC0B 16 push ss
3.AC0C 50 push ax
3.AC0D 9AFFFF0000 call USER.ANSIUPPER
3.AC12 33FF xor di, di
3.AC14 897EFA mov [Int D], di
3.AC17 897EF8 mov [Int A], di
3.AC1A 8D469A lea ax, [COPY of id[UPPER CASE]]
3.AC1D 16 push ss
3.AC1E 50 push ax
3.AC1F 9A58AC0000 call KERNEL.LSTRLEN
3.AC24 0BC0 or ax, ax
3.AC26 7F06 jg AC2E
3.AC28 8B76F8 mov si, [Int A]
3.AC2B EB34 jmp AC61 NULL STRING !!!
3.AC2D 90 nop
3.AC2E >897EF8 mov [Int A], di
3.AC31 8B7EFA mov di, [Int D]
3.AC34 8B76F8 mov si, [Int A]
3.AC37 >8A439A mov al, byte ptr [COPY of id[UPPER CASE] + DI]
3.AC3A 8846FF mov byte ptr [Char E], al
3.AC3D 3C30 cmp al, 30
3.AC3F 7204 jb AC45
3.AC41 3C39 cmp al, 39
3.AC43 7606 jbe AC4B
3.AC45 >807EFF41 cmp byte ptr [Char E], 41
3.AC49 7207 jb AC52
3.AC4B >8A46FF mov al, byte ptr [Char E]
3.AC4E 88429A mov byte ptr [COPY of id[UPPER CASE] + SI], al
3.AC51 46 inc si
3.AC52 >8D469A lea ax, [COPY of id[UPPER CASE]]
3.AC55 16 push ss
3.AC56 50 push ax
3.AC57 9A77AC0000 call KERNEL.LSTRLEN
3.AC5C 47 inc di
3.AC5D 3BC7 cmp ax, di
3.AC5F 7FD6 jg AC37
3.AC61 >C6429A00 mov byte ptr [COPY of id[UPPER CASE] + SI], 00
3.AC65 C746FC0C00 mov word ptr [Long B], 000C
3.AC6A 33FF xor di, di
3.AC6C 897EFE mov [Long B upper], di
3.AC6F 8BF7 mov si, di
3.AC71 8D469A lea ax, [COPY of ID(UPPERCASE)]
3.AC74 16 push ss
3.AC75 50 push ax
3.AC76 9AB7AC0000 call KERNEL.LSTRLEN
3.AC7B 0BC0 or ax, ax
3.AC7D 7E41 jle ACC0
3.LOOP-4 >8A439A mov al, byte ptr [COPY of id[UPPER CASE] + DI]
3.AC82 2AE4 sub ah, ah
3.AC84 2BD2 sub dx, dx
3.AC86 0146FC add [Long B], ax
3.AC89 1156FE adc [Long B upper], dx
3.AC8C 8A42E4 mov al, byte ptr [HOJDIVAD COPY2 + SI]
3.AC8F 8AC8 mov cl, al
3.AC91 02C0 add al, al
3.AC93 02C1 add al, cl
3.AC95 C0E002 shl al, 02
3.AC98 02C1 add al, cl
3.AC9A 0411 add al, 11
3.AC9C 8842E4 mov byte ptr [HOJDIVAD COPY2 + SI], al
3.AC9F B011 mov al, 11
3.ACA1 F662DA mul byte ptr [LOVELOVE COPY + SI]
3.ACA4 0417 add al, 17
3.ACA6 8842DA mov byte ptr [LOVELOVE COPY + SI], al
3.ACA9 46 inc si
3.ACAA 83FE07 cmp si, 0007
3.ACAD 7E02 jle ACB1
3.ACAF 33F6 xor si, si
3.ACB1 >8D469A lea ax, [COPY of id[UPPER CASE]]
3.ACB4 16 push ss
3.ACB5 50 push ax
3.ACB6 9AC8AC0000 call KERNEL.LSTRLEN
3.ACBB 47 inc di
3.ACBC 3BC7 cmp ax, di
3.ACBE 7FBF jg LOOP-4
3.ACC0 >33FF xor di, di
3.ACC2 8D469A lea ax, [COPY of id[UPPER CASE]]
3.ACC5 16 push ss
3.ACC6 50 push ax
3.ACC7 9AE7AC0000 call KERNEL.LSTRLEN
3.ACCC 0BC0 or ax, ax
3.ACCE 7E20 jle ACF0
3.LOOP-5 >8A46FC mov al, byte ptr [Long B]
3.ACD3 2842E4 sub byte ptr [HOJDIVAD COPY2 + SI], al
3.ACD6 2842DA sub byte ptr [LOVELOVE COPY + SI], al
3.ACD9 46 inc si
3.ACDA 83FE07 cmp si, 0007
3.ACDD 7E02 jle ACE1
3.ACDF 33F6 xor si, si
3.ACE1 >8D469A lea ax, [COPY of id[UPPER CASE]]
3.ACE4 16 push ss
3.ACE5 50 push ax
3.ACE6 9A00AD0000 call KERNEL.LSTRLEN
3.ACEB 47 inc di
3.ACEC 3BC7 cmp ax, di
3.ACEE 7FE0 jg LOOP-5
3.ACF0 >8976F8 mov [Int A], si
3.ACF3 C746FC4D00 mov word ptr [Long B], 004D
3.ACF8 33FF xor di, di
3.ACFA 8D469A lea ax, [COPY of id[UPPER CASE]]
3.ACFD 16 push ss
3.ACFE 50 push ax
3.ACFF 9A22AD0000 call KERNEL.LSTRLEN
3.AD04 0BC0 or ax, ax
3.AD06 7E23 jle AD2B
3.AD08 8B76F8 mov si, [Int A]
3.LOOP-6 >8A439A mov al, byte ptr [COPY of id[UPPER CASE] + DI]
3.AD0E 3042E4 xor byte ptr [HOJDIVAD COPY2 + SI], al
3.AD11 3042DA xor byte ptr [LOVELOVE COPY + SI], al
3.AD14 46 inc si
3.AD15 83FE07 cmp si, 0007
3.AD18 7E02 jle AD1C
3.AD1A 33F6 xor si, si
3.AD1C >8D469A lea ax, [COPY of id[UPPER CASE]]
3.AD1F 16 push ss
3.AD20 50 push ax
3.AD21 9AD4AD0000 call KERNEL.LSTRLEN
3.AD26 47 inc di
3.AD27 3BC7 cmp ax, di
3.AD29 7FE0 jg LOOP-6
3.AD2B >33F6 xor si, si
3.LOOP-7 >8A42EE mov al, byte ptr [HOJDIVAD COPY + SI]
3.AD30 B11A mov cl, 1A
3.AD32 2AE4 sub ah, ah
3.AD34 F6F1 div cl
3.AD36 80C441 add ah, 41
3.AD39 8862EE mov byte ptr [HOJDIVAD COPY + SI], ah
3.AD3C 8A42E4 mov al, byte ptr [HOJDIVAD COPY2 + SI]
3.AD3F 2AE4 sub ah, ah
3.AD41 F6F1 div cl
3.AD43 80C441 add ah, 41
3.AD46 8862E4 mov byte ptr [HOJDIVAD COPY2 + SI], ah
3.AD49 8A42DA mov al, byte ptr [LOVELOVE COPY + SI]
3.AD4C 2AE4 sub ah, ah
3.AD4E F6F1 div cl
3.AD50 80C441 add ah, 41
3.AD53 8862DA mov byte ptr [LOVELOVE COPY + SI], ah
3.AD56 46 inc si
3.AD57 83FE08 cmp si, 0008
3.AD5A 7CD1 jl LOOP-7
3.AD5C C47E0A les di, [Add of PASSWORD]
3.AD5F 26807D014E cmp byte ptr es:[di+01], 4E
3.AD64 7569 jne ADCF
3.AD66 26803D41 cmp byte ptr es:[di], 41
3.AD6A 7563 jne ADCF
3.AD6C 26807D0357 cmp byte ptr es:[di+03], 57
3.AD71 755C jne ADCF
3.AD73 26807D0253 cmp byte ptr es:[di+02], 53
3.AD78 7555 jne ADCF
3.AD7A 26807D0445 cmp byte ptr es:[di+04], 45
3.AD7F 754E jne ADCF
3.AD81 26807D0552 cmp byte ptr es:[di+05], 52
3.AD86 7547 jne ADCF
3.AD88 268A4506 mov al, byte ptr es:[di+06]
3.AD8C 98 cbw
3.AD8D 3B46FC cmp ax, [Long B]
3.AD90 753D jne ADCF
3.AD92 26807D0745 cmp byte ptr es:[di+07], 45
3.AD97 7536 jne ADCF
3.AD99 8D46DA lea ax, [LOVELOVE COPY]
3.AD9C 16 push ss
3.AD9D 50 push ax
3.AD9E 8D46E4 lea ax, [HOJDIVAD COPY2]
3.ADA1 16 push ss
3.ADA2 50 push ax
3.ADA3 8D46EE lea ax, [HOJDIVAD COPY]
3.ADA6 16 push ss
3.ADA7 50 push ax
3.ADA8 1E push ds
3.ADA9 68803C push 3C80
3.ADAC 8D8636FF lea ax, [bp-00CA]
3.ADB0 16 push ss
3.ADB1 50 push ax
3.ADB2 9A86A90000 call USER._WSPRINTF
3.ADB7 83C414 add sp, 0014
3.ADBA FF360C02 push word ptr [020C]
3.ADBE 8D8636FF lea ax, [bp-00CA]
3.ADC2 16 push ss
3.ADC3 50 push ax
3.ADC4 66FF7606 push dword ptr [Add if ID]
3.ADC8 6A40 push 0040
3.ADCA 9A18A80000 call USER.MESSAGEBOX
3.ADCF >FF760C push word ptr [Add of Data Seg]
3.ADD2 57 push di
3.ADD3 9AD3A90000 call KERNEL.LSTRLEN
3.ADD8 3D0800 cmp ax, 0008
3.ADDB 754B jne AE28
3.ADDD 8D46EE lea ax, [HOJDIVAD COPY]
3.ADE0 16 push ss
3.ADE1 50 push ax
3.ADE2 FF760C push word ptr [Add of Data Seg]
3.ADE5 57 push di
3.ADE6 9A00AE0000 call USER.LSTRCMPI
3.ADEB 0BC0 or ax, ax
3.ADED 7507 jne ADF6
3.ADEF >B80100 mov ax, 0001
3.ADF2 5E pop si
3.ADF3 5F pop di
3.ADF4 C9 leave
3.ADF5 CB retf
3.ADF6 >8D46E4 lea ax, [HOJDIVAD COPY2]
3.ADF9 16 push ss
3.ADFA 50 push ax
3.ADFB FF760C push word ptr [Add of Data Seg]
3.ADFE 57 push di
3.ADFF 9A12AE0000 call USER.LSTRCMPI
3.AE04 0BC0 or ax, ax
3.AE06 74E7 je ADEF
3.AE08 8D46DA lea ax, [LOVELOVE COPY]
3.AE0B 16 push ss
3.AE0C 50 push ax
3.AE0D FF760C push word ptr [Add of Data Seg]
3.AE10 57 push di
3.AE11 9AC1A70000 call USER.LSTRCMPI
3.AE16 0BC0 or ax, ax
3.AE18 750E jne AE28
3.AE1A C70610004300 mov word ptr [0010], 0043
3.AE20 B80200 mov ax, 0002
3.AE23 5E pop si
3.AE24 5F pop di
3.AE25 C9 leave
3.AE26 CB retf
3.AE27 90 nop
3.AE28 >33C0 xor ax, ax
3.AE2A 5E pop si
3.AE2B 5F pop di
3.AE2C C9 leave
3.AE2D CB retf
====================================================================
As you can see I have done a little REVERSE ENGINEERING
(see FRAVIA Tuts on this or give me a call if you are a newby)
Now you want to convert this code into C or an assembly language program.
I won't go into detail on how to do this but if you are really lost you
can E-MAIL me and show me your own efforts and I'll give you a hand if I
think you are really interested. (Its great playing GOD:>)
Here is my code:
#include
#include
void main(void)
{
unsigned char A, B, A1;
unsigned long C=0x0c;
register int counter1, counter2=0;
int temp;
char HOJDIVAD[] = "HOJDIVAD";
char HOJDIVAD2[]= "HOJDIVAD";
char LOVELOVE[] = "LOVELOVE";
char ID[20];
char UPPERID[20];
int Length1, Length2;
printf("\n Enter Your Name Please => ");
gets(ID);
Length1 = strlen(ID);
for(counter1=0;counter17)counter2=0;
}
for(counter1=0;counter17)counter2=0;
}
temp = counter2;
for(counter1=0;counter17)counter2=0;
}
C = 0x0c;
counter2 = 0;
for(counter1=0;counter1<(Length2);counter1++)
{
C+= UPPERID[counter1];
A = HOJDIVAD2[counter2];
B = A;
A += A;
A += B;
A <<= 2;
A += B;
A += 0x11;
HOJDIVAD2[counter2] = A;
A = 0x11;
A *= LOVELOVE[counter2];
A += 0x17;
LOVELOVE[counter2] = A;
counter2++;
if(counter2 > 7) counter2 = 0;
}
for(counter1=0;counter1<(Length2);counter1++)
{
A = (char)C;
HOJDIVAD2[counter2] -= A;
LOVELOVE[counter2] -= A;
counter2++;
if(counter2>7) counter2 = 0;
}
for(counter1=0;counter1<(Length2);counter1++)
{
A = UPPERID[counter1];
HOJDIVAD2[counter2] ^= A;
LOVELOVE[counter2] ^= A;
counter2++;
if(counter2>7)counter2 = 0;
}
for(counter1=0;counter1<8;counter1++)
{
A = HOJDIVAD[counter1];
B = 0x1A;
A1 = (A%B);
A1 += 0x41;
HOJDIVAD[counter1] = A1;
A = LOVELOVE[counter1];
A1 = (A%B);
A1 += 0x41;
LOVELOVE[counter1] = A1;
A = HOJDIVAD2[counter1];
A1 = (A%B);
A1 += 0x41;
HOJDIVAD2[counter1] = A1;
}
printf( "\n Code for 'New' version => %s"
"\n 'Full' version => %s"
"\n 'Lite' version => %s\n"
,HOJDIVAD, HOJDIVAD2, LOVELOVE);
}
Now you can register with any name without having to use the debugger
and more importantly if you go through the process of Reverse engineering
the program you will know the protection scheme inside out.
Don't be lame and copy/paste this program do it yourself its really worth it.
METHOD 5 Back doors.
This is the coolest, hence the last method I will be discussing. Backdoors are
special passwords that authors place in their code for some reason or another.
They are usually fairly hard to spot unless you have gone through METHOD 4. Here
is the Back door section of Cool edit.
3.AD5C C47E0A les di, [Add of PASSWORD]
3.AD5F 26807D014E cmp byte ptr es:[di+01], 4E
3.AD64 7569 jne ADCF
3.AD66 26803D41 cmp byte ptr es:[di], 41
3.AD6A 7563 jne ADCF
3.AD6C 26807D0357 cmp byte ptr es:[di+03], 57
3.AD71 755C jne ADCF
3.AD73 26807D0253 cmp byte ptr es:[di+02], 53
3.AD78 7555 jne ADCF
3.AD7A 26807D0445 cmp byte ptr es:[di+04], 45
3.AD7F 754E jne ADCF
3.AD81 26807D0552 cmp byte ptr es:[di+05], 52
3.AD86 7547 jne ADCF
3.AD88 268A4506 mov al, byte ptr es:[di+06]
3.AD8C 98 cbw
3.AD8D 3B46FC cmp ax, [Long B]
3.AD90 753D jne ADCF
3.AD92 26807D0745 cmp byte ptr es:[di+07], 45
3.AD97 7536 jne ADCF
Here your PASSWORD string is being compared with a series of numbers
4E 41 57 53 45 52 another number located elsewhere (4D) and 45
convert these to their ASCII equivalents and you have
N A W S E R M E
If you look at the order in which this is compared with your PASSWORD
string you get
A N S W E R M E ..hello.... ANSWERME
Now try typing in you name and ANSWERME as the PASSWORD you will be pleasantly
surprised (or not). :>
That's it for this lesson be sure to check back for the remaining lessons
that will deal with the development of the protection scheme in Cool edit.
Feel free to email me with question comments etc. I'm deciding whether or not
to with hold so of my lesson in the manner of +Orc, giving out some of them
only if I decide you are working hard enough. Its seem a good idea, but I don't
want to seem too arrogant, I'm not much more than a newby in comparison to the
likes of +Orc and a few others, but hey we'll just have to wait and see.
CYA KoTToS.
Mail me :>