Cracking Tutorial for fileWATCH 3.30
Well, in my last tutorial I taught you how to make a keygen. This time I'll teach you how to use W32DASM and SoftICE to quickly find a registration code - without 'entering' the registration details in a dialog box. BTW, fileWATCH is a really useful program for Reverse Engineering - although I prefer FileMon, fileWATCH is really good.

Now, let's start our Cracking Session: After you've started fileWATCH, you'll see a NAG with some text and "Shareware | Please register after 30 days. 0". Now let's click on "Help - Registering" to display the registration dialog. But damn, what's that? *No* registration dialog - the fileWATCH help file gets opened and the topic "Registering fileWATCH" is displayed. This is the text:

If you find this program useful then you are obligated to support shareware and send me a $10.00 (US currency) registration fee. In return, you will receive a registration code via electronic (fast!) or snail mail applicable for any future revisions of version 3. Click the link to fileWATCH's homepage in Help|About if you wish to register over the web with credit card. Thanks!

So the author of fileWATCH gave us the 'hint' with the registration code. As you might already have guessed, there is a registration dialog (just click on "Kg '98" and you can enter your registration details), but I told you that we're gonna use an approach combining W32DASM and SoftICE to quickly find a registration code. I've used the technique I'll describe here when I can't find the registration dialog for a program, or when there isn't any.

Now to the technique: It's logical that the registration details we enter must be stored somewhere. There are two possibilities where the registration code can be stored:

a) In a file like FILEWATCH.KEY, FILEWATCH.INI, ... nearly always encrypted (KeyFILE protection)
b) In the system registry.

Windows 95 programs mostly use the registry to store the registration details (there are exceptions like CuteFTP, ... of course). So we could set a BPX on RegQueryValueA to find the code we're interested in - but RegQueryValueA is used quite often, and we don't want to *waste* our time finding the code we're looking for. So let's use the "Dead Listing Approach": start W32DASM and disassemble FILEWATCH.EXE.
Now click on "String Reference" and look for interesting strings. I found a few interesting string references like "Code", "Software\Kg\filewatch\licence", "User", "Your support is Appreciated!", ... Now click on "Software\Kg\filewatch\licence" (we want to get to the location where the registration details stored in the registry are read out and where the program 'decides' whether they are correct or not). You'll be at 454241 in W32DASM. So you know what we can BPX in SoftICE, don't you? But before we can start with the real cracking, we need to change the keys in our system registry. So start your favourite registry editor and go to "HKEY_CURRENT_USER\Software\Kg\filewatch\licence". Now change the User key from "Unregistered" to "Cracking Tutorial". You can also change the Code key - but that's not important. Exit your registry editor, start Symbol Loader and load the target. As SoftICE pops up, set a BPX on 454241. Then leave SoftICE. It will now pop up right at the code we're interested in:
So we can just sniff out the real serial at 45429F. The real code for "Cracking Tutorial" will be "1275-57L5-3030-3".
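Seen from the program's side, here is an added Go example (not fileWATCH's code; the CRC-based serial derivation, the function names and the sample user name are hypothetical): the weak pattern recomputes the expected "Code" from the "User" value and compares it, which is exactly why the real serial can be read at the compare; the hardened pattern treats "Code" as a vendor signature over the user name and ships only the public key, so changing the User value in the registry invalidates the license and nothing in the running process yields a valid code for another name.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"hash/crc32"
)

// Weak pattern (what the tutorial sniffs): recompute the expected "Code" from the "User"
// value and compare it; the real serial sits in memory right before the compare. Hypothetical derivation.
func weakExpectedCode(user string) string {
	sum := crc32.ChecksumIEEE([]byte(user))
	return fmt.Sprintf("%04X-%04X", sum>>16, sum&0xFFFF)
}
func weakCheck(user, code string) bool {
	expected := weakExpectedCode(user) // readable by any debugger stopped here
	return expected == code
}

// Hardened pattern: "Code" is the vendor's Ed25519 signature over the user name.
// The binary embeds only the public key, so the process never holds anything that
// yields a code for another name, and editing "User" invalidates the license.
type License struct{ User, Code string }
func issue(priv ed25519.PrivateKey, user string) License { // vendor side only
	return License{User: user, Code: hex.EncodeToString(ed25519.Sign(priv, []byte(user)))}
}
func strongCheck(pub ed25519.PublicKey, lic License) bool { // shipped in the program
	sig, err := hex.DecodeString(lic.Code)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, []byte(lic.User), sig)
}

// demo: fresh key pair; returns (genuine license accepted, edited-User license rejected).
func demo() (bool, bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	lic := issue(priv, "Cracking Tutorial")
	genuine := strongCheck(pub, lic)
	lic.User = "Someone Else" // the registry edit the tutorial relies on
	return genuine, !strongCheck(pub, lic)
}

func main() {
	ok, rejected := demo()
	fmt.Println("weak check with sniffed code:", weakCheck("Cracking Tutorial", weakExpectedCode("Cracking Tutorial")))
	fmt.Println("signed license accepted:", ok, "- tampered rejected:", rejected)
}
```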
Copyright © 1999 by TORN@DO and The Immortal Descendants. All Rights Reserved.