Well, the first thing I
recognized after executing 3DMark 99 was its window title: "3DMark 99
Lite". So it seems that some functions are disabled if you haven't registered it (you may also
read this info in the help files). So click on Register, Register 3DMark. Now a dialog box
with an input field for your User Name and an input field for your Registration Code gets
displayed. Enter "cRACKING tUTORIAL" as User Name and "12345-67890"
as Registration Code. Now enter SoftICE by pressing CTRL-D and set a BPX on HMEMCPY. Then
leave SoftICE and press the "OK" button. SoftICE will now pop up. Since there
were two input fields, we can leave SoftICE, because it will pop up again. So do this now.
Once SoftICE has popped up again, press F12 (about 8 times) until you get the following code
snippet, which is BTW located in MFC42.DLL:
:5F415185 FF1574054D5F CALL [USER32!GetWindowTextA]
:5F41518B 8B4D10 MOV ECX,[EBP+10]
:5F41518E 6AFF PUSH FF
:5F415190 E826D7FEFF CALL 5F4028BB
:5F415195 5F POP EDI
:5F415196 5E POP ESI
:5F415197 5D POP EBP
:5F415198 C20C00 RET 000C
As you see at 5F415185,
we could also have set a BPX on GetWindowTextA. But why shouldn't we prepare ourselves for the
day when there are (hopefully) no lame programmers left who still use GetWindowTextA?
Better to 'practice' using HMEMCPY now, isn't it? Ok. Now press F10 until you've
executed the "RET 000C" instruction. Now you'll be looking at the following code
snippet:
:00405BA6 5F POP EDI
:00405BA7 5E POP ESI
:00405BA8 C20400 RET 0004
Since there's nothing
interesting here, press F12. Now you'll be looking at the following code snippet:
:5F4030F5 C7450801000000 MOV DWORD PTR [EBP+08],00000001
:5F4030FC 8B45E8 MOV EAX,[EBP-18]
:5F4030FF 8B4DF4 MOV ECX,[EBP-0C]
:5F403102 8987B8000000 MOV [EDI+000000B8],EAX
:5F403108 8B4508 MOV EAX,[EBP+08]
:5F40310B 5F POP EDI
:5F40310C 5E POP ESI
:5F40310D 64890D00000000 MOV FS:[00000000],ECX
:5F403114 5B POP EBX
:5F403115 C9 LEAVE
:5F403116 C20400 RET 0004
This code is located in
MFC42.DLL again, so it's absolutely useless for us. So we need to press F12 again. After
you've done this, you'll be confronted with the following code snippet:
:00405C87 E856E30800 CALL 00493FE2
:00405C8C 8B4F64 MOV ECX,[EDI+64]
:00405C8F 8B41F8 MOV EAX,[ECX-08]
:00405C92 85C0 TEST EAX,EAX
:00405C94 0F8493000000 JZ 00405D2D
:00405C9A 8B4760 MOV EAX,[EDI+60]
:00405C9D 8B40F8 MOV EAX,[EAX-08]
:00405CA0 85C0 TEST EAX,EAX
:00405CA2 0F8485000000 JZ 00405D2D
:00405CA8 83F811 CMP EAX,11
:00405CAB 741D JZ 00405CCA
:00405CAD 6A00 PUSH 00
:00405CAF 6A00 PUSH 00
:00405CB1 689EF00000 PUSH 0000F09E
:00405CB6 B950D44B00 MOV ECX,004BD450
:00405CBB E8E04E0400 CALL 0044ABA0
:00405CC0 50 PUSH EAX
:00405CC1 E8D4E20800 CALL 00493F9A
:00405CC6 5F POP EDI
:00405CC7 5E POP ESI
:00405CC8 5B POP EBX
:00405CC9 C3 RET
At 405C8C, ECX will be
assigned our User Name. Then at 405C8F, EAX will be assigned the length of our User Name.
After that it's checked whether we have entered something as our User Name. If this isn't the
case, we'll jump to 405D2D ("Incorrect registration information"). At 405C9A,
EAX will be assigned our Registration Code. Then at 405C9D, EAX will be assigned the
length of our Registration Code. After that it's checked whether we have entered something as
our Registration Code. If this isn't the case, we'll jump to 405D2D ("Incorrect
registration information"). There's another check of EAX at 405CA8. It is checked whether EAX is
11h, which means 17 dec - so our Registration Code must be 17 chars long.
So exit WinICE and re-enter our registration code. Now enter
"1234567890-ABCDEF" as Registration Code and repeat the steps you took before you found this out - until you've executed
that JZ instruction at 405CAB. Now you'll be looking at the following code snippet:
:00405CCA E8D1FBFFFF CALL 004058A0
:00405CCF 8B7760 MOV ESI,[EDI+60]
:00405CD2 8A10 MOV DL,[EAX]
:00405CD4 8A1E MOV BL,[ESI]
:00405CD6 8ACA MOV CL,DL
:00405CD8 3AD3 CMP DL,BL
:00405CDA 751E JNZ 00405CFA
:00405CDC 84C9 TEST CL,CL
:00405CDE 7416 JZ 00405CF6
:00405CE0 8A5001 MOV DL,[EAX+01]
:00405CE3 8A5E01 MOV BL,[ESI+01]
:00405CE6 8ACA MOV CL,DL
:00405CE8 3AD3 CMP DL,BL
:00405CEA 750E JNZ 00405CFA
:00405CEC 83C002 ADD EAX,02
:00405CEF 83C602 ADD ESI,02
:00405CF2 84C9 TEST CL,CL
:00405CF4 75DC JNZ 00405CD2
:00405CF6 33C0 XOR EAX,EAX
:00405CF8 EB05 JMP 00405CFF
:00405CFA 1BC0 SBB EAX,EAX
:00405CFC 83D8FF SBB EAX,-01
:00405CFF 85C0 TEST EAX,EAX
:00405D01 750D JNZ 00405D10
:00405D03 6A01 PUSH 01
:00405D05 8BCF MOV ECX,EDI
:00405D07 E8CAE20800 CALL 00493FD6
:00405D0C 5F POP EDI
:00405D0D 5E POP ESI
:00405D0E 5B POP EBX
:00405D0F C3 RET
At 405CD2, DL will be
assigned the first character pointed to by EAX; at 405CD4, BL will be assigned the
first character pointed to by ESI. Then at 405CD8 DL and BL are compared. So what's
contained in EAX and ESI?
After a quick dump of EAX (D EAX) and ESI (D ESI), you'll recognize that EAX
contains "4YGHK-NDZFV-D6H9S", a 17 character long Registration Code. Just check
ESI and you'll see the fake Registration Code, "1234567890-ABCDEF". BTW, the
Registration Code is calculated from your User Name AND InstallationD (a value which was
calculated during the installation and stored in your registry). All registration details
are stored at "HKEY_LOCAL_MACHINE\SOFTWARE\Futuremark Corporation\3DMark Registration"
in your Windows registry. I've changed my InstallD of course. My InstallD for this
tutorial was "1234567890".
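To make the control flow of the two listings at 405C8C-405D10 readable, here is the same check written out in C (an added example, not code from 3DMark 99 or from this tutorial). The routine at 4058A0 that computes the real code is not shown on the page, so the expected code is passed in as a parameter; treating the equal path (the fall-through to 405D03) as the success path is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* One value per exit of the routine at 405C8C-405D10. */
enum reg_result { REG_EMPTY_NAME, REG_EMPTY_CODE, REG_BAD_LENGTH, REG_MISMATCH, REG_OK };

/* The unrolled two-byte loop at 405CD2-405CFC is the MSVC CRT strcmp. On a
 * mismatch, SBB EAX,EAX turns the carry of the last CMP into -1 or 0 and
 * SBB EAX,-01 shifts that to -1 (first < second) or +1; the XOR EAX,EAX exit
 * at 405CF6 returns 0 when both strings end together. */
static int asm_strcmp(const char *first, const char *second)
{
    const unsigned char *a = (const unsigned char *)first;
    const unsigned char *b = (const unsigned char *)second;
    unsigned char ca, cb;
    for (;;) {
        ca = a[0]; cb = b[0];        /* MOV DL,[EAX] / MOV BL,[ESI]       */
        if (ca != cb) break;         /* CMP DL,BL / JNZ 405CFA            */
        if (ca == 0) return 0;       /* TEST CL,CL / JZ 405CF6            */
        ca = a[1]; cb = b[1];        /* MOV DL,[EAX+01] / MOV BL,[ESI+01] */
        if (ca != cb) break;         /* CMP DL,BL / JNZ 405CFA            */
        a += 2; b += 2;              /* ADD EAX,02 / ADD ESI,02           */
        if (ca == 0) return 0;       /* TEST CL,CL / JNZ 405CD2 (loop)    */
    }
    return ca < cb ? -1 : 1;         /* 405CFA: SBB EAX,EAX / SBB EAX,-01 */
}

/* Control flow from 405C8C to 405D10. CALL 4058A0 derives the real code from
 * User Name and InstallD; that routine is not on the page, so `expected` is
 * passed in. Treating the equal path (fall-through to 405D03) as success is an assumption. */
static enum reg_result check_registration(const char *name, const char *entered,
                                          const char *expected)
{
    if (strlen(name) == 0) return REG_EMPTY_NAME;  /* 405C92: TEST EAX,EAX / JZ 405D2D */
    size_t len = strlen(entered);
    if (len == 0) return REG_EMPTY_CODE;           /* 405CA0: TEST EAX,EAX / JZ 405D2D */
    if (len != 0x11) return REG_BAD_LENGTH;        /* 405CA8: CMP EAX,11 / JZ 405CCA   */
    if (asm_strcmp(expected, entered) != 0)        /* EAX = real code, ESI = typed code */
        return REG_MISMATCH;                       /* 405D01: TEST EAX,EAX / JNZ 405D10 */
    return REG_OK;
}

int main(void)
{
    /* The tutorial's own values: the typed fake code and the code dumped from EAX. */
    enum reg_result r = check_registration("cRACKING tUTORIAL", "1234567890-ABCDEF",
                                           "4YGHK-NDZFV-D6H9S");
    printf("result=%d (%d means the codes matched)\n", (int)r, (int)REG_OK);
    return 0;
}
```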
Another target has been Reverse Engineered. Do you have any questions?