Cracking Tutorial for Closer 1.7

Cracking Tutorial for Closer 1.7

Before we start, please read the Disclaimer section of this essay!

Target Program:	Closer 1.7
Description:	Closer is a small program that adds 7 icons (buttons): Minimize all, Maximize all, Close all WINDOWS, and Shutdown...allowing 1-click rapid start up or shut down of all your running programs (and the computer). Instant telnet, MSDOS prompt launcher and explorer tree view are also optionally displayed at the "click" of a button.
Location:	http://www.engr.orst.edu/~schonfal If you prefer a FTP-Search, look for CLOSER.ZIP (143332 Bytes).
Protection:	User Name & Registration Number
Tools needed:	- SoftICE 3.24
Ob duh:	Do I really have to remind you all that by BUYING and NOT stealing the software you use will ensure that these software houses will continue to produce even better software for us to use and more importantly, to continue offering even more challenges to breaking their often weak protection systems. If you're looking for cracks or serial numbers from these pages then your wasting your time, try to search elsewhere on the Web under Warez, Cracks, etc.
Level:	(x)Beginner ( )Intermediate ( )Advanced ( )Expert

As you now should already know (if you've read my tutorial 7 / 8 / 9), the first step to crack a program is usually to have a look at it's protection. So start Closer. A NAG-Screen with reasons why we should register Closer pops up. Just press the OK-Button. Then click on Register. Now you have to enter a "User Name" & "Registration Number":
As User Name, enter "cRACKING tUTORIAL" and as Registration Number "12345678". Now enter SoftICE and set a breakpoint to HMEMCPY - then leave SoftICE and press the OK-Button. SoftICE will pop up now. Since there are two input fields, we can leave SoftICE - it will pop up once again. So do this now. Back in SoftICE again, disable the HMEMCPY breakpoint and press F10 until you get the following code:

:00430653 E83C21FEFF CALL 00412794 :00430658 8B55F4 MOV EDX,[EBP-0C] :0043065B 8D433C LEA EAX,[EBX+3C] :0043065E E8F92EFDFF CALL 0040355C :00430663 8D4DFC LEA ECX,[EBP-04] :00430666 8B533C MOV EDX,[EBX+3C] :00430669 8B4320 MOV EAX,[EBX+20] :0043066C E8BBF9FFFF CALL 0043002C :00430671 837DFC00 CMP DWORD PTR [EBP-04],00 :00430675 741F JZ 00430696 :00430677 8B45FC MOV EAX,[EBP-04] :0043067A 8B5338 MOV EDX,[EBX+38] :0043067D E80E31FDFF CALL 00403790 :00430682 7512 JNZ 00430696 :00430684 8BD3 MOV EDX,EBX :00430686 8BC3 MOV EAX,EBX :00430688 E81BFDFFFF CALL 004303A8 :0043068D 8BC3 MOV EAX,EBX :0043068F E834FDFFFF CALL 004303C8 :00430694 EB09 JMP 0043069F :00430696 8BD3 MOV EDX,EBX :00430698 8BC3 MOV EAX,EBX :0043069A E819FDFFFF CALL 004303B8 :0043069F 33C0 XOR EAX,EAX :004306A1 5A POP EDX :004306A2 59 POP ECX :004306A3 59 POP ECX :004306A4 648910 MOV FS:[EAX],EDX :004306A7 68BC064300 PUSH 004306BC :004306AC 8B45F8 MOV EAX,[EBP-08] :004306AF E8B025FDFF CALL 00402C64 :004306B4 C3 RET

At 43066C our User Name is checked against it's validity. If it's a valid one, we'll continue - but if not, we'll jump to 430696. I think you already recognized the JNZ-instruction after the CALL 403790 at 43067D. In this CALL something must be checked, which is important to 'register' Closer. What could this be? Our Registration Number? - So check EAX & EDX to be sure. EAX will contain 540562354139, which looks very like a Registration Number to me. Just check EDX and find out, that it contains our enterd Registration Number. So Closer 1.7 is now cracked. Do you have any questions?

If you're USING Closer 1.7 BEYOND it's FREE TRIAL PERIOD, then please BUY IT.

Disclaimer: This essay is for EDUCATIONAL purposes only, if you wish to use the program/game then please BUY IT.

Info: Brand and product names are trademarks or registered trademarks of their respective holders.