Cracking Tutorial for Dictionary for Windows 4.2
Defeating a common serial scheme



Target Program: Dictionary for Windows 4.2
Description: Dictionary is a small and handy program to translate words. You can add new words to the dictionary.
Location: http://members.xoom.com/LapotSoft
Protection: Name/Company/Serial
Tools needed: - SoftICE 3.24
Ob duh: Do I really have to remind you all that BUYING and NOT stealing the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges in breaking their often weak protection systems.
BTW, it's illegal to use cracked software!

If you're looking for cracks or serial numbers on these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks, etc.
Info: Brand and product names are trademarks or registered trademarks of their respective holders.
Level: (X)Beginner ( )Intermediate ( )Advanced ( )Expert

Someone had real problems cracking this program and as the file size of the program was OK, I decided to have a quick look at it. I didn't think getting the serial number should be a big problem. Coding a KeyGEN for this should also be no problem. This *isn't* a KeyGEN tutorial, since I'm very VERY BUSY at the moment.

Well, first of all we need to enter some fake registration details. The program was so good that it filled in my WINDOWS REGISTRATION information automatically. Now we only have to fill in a Product Number. The product number already filled in looks like WDx.x-xxxxx-xxxxx, so the author has told us what a good code must look like. I also noticed the note that the Product Number is valid for any future versions of this program!

Well, the version is 4.2, so I assumed the Product Number should be WD4.2-xxxxx-xxxxx ... and as you can find out on your own, this is true. If it isn't 4.2, then you're only registered for a LIMITED TIME and the NAG at startup still pops up. However, the good code is still the same; you just have to replace the version number (x.x) with 4.2!

I entered WD4.2-12345-67890 as a fake registration code and set a BPX on HMEMCPY. Then I pressed OK and SoftICE popped up. Since there were 3 input fields, I skipped the first two pop-ups. Then I pressed F12 until I reached the following code snippet:

  :0040797E    LEA     EDX,[EBP-10]
  :00407981    MOV     EAX,0045E40C
  :00407986    CALL    00450B94
  :0040798B    DEC     DWORD PTR [ESI+1C]
  :0040798E    LEA     EAX,[EBP-10]
  :00407991    MOV     EDX,00000002
  :00407996    CALL    00450B64
  :0040799B    CALL    00407608
  :004079A0    TEST    EAX,EAX                        ; is serial ok?
  :004079A2    JNZ     00407AE0                       ; if not => JMP

A scheme like this is very common: some CALLs and then a JZ/JNZ instruction. To find the good serial you normally just have to trace into the CALL before the JZ/JNZ instruction, and that's it. In this program that's also the case. Tracing into the CALL, you'll get the following code snippet:

  :00407608    PUSH    EBX
               ...
  :00407618    CALL    00450CE8                      ; get length of serial
  :0040761D    CMP     EAX,06                        ; serial 6 chars long
  :00407620    JLE     00407665
               ...
  :0040766A    CALL    00450CE8                      ; get length of name
  :0040766F    CMP     EAX,02                        ; name 2 chars long
  :00407672    JLE     004076B2
               ...
  :004076BC    MOVSX   EAX,BYTE PTR [ESI]            ; move char[counter] in EAX
               ...
  :004076CB    MOVSX   EDX,BYTE PTR [ESI]            ; move char[counter] in EDX
  :004076CE    PUSH    EDX
  :004076CF    CALL    004499C4                      ; convert to lower case
  :004076D4    POP     ECX
  :004076D5    MOVZX   ECX,DI
  :004076D8    IMUL    ECX,[004551D4]                ; DI * 15h
  :004076DF    MOVZX   EDX,DI
  :004076E2    IMUL    ECX,EDX                       ; ECX * EDX
  :004076E5    ADD     AX,CX                         ; add result to AX
  :004076E8    ADD     DI,AX                         ; add result of this loop to DI
  :004076EB    INC     EBX                           ; chars done + 1
  :004076EC    INC     ESI                           ; counter + 1
  :004076ED    PUSH    ESP
  :004076EE    CALL    00444C00
  :004076F3    POP     ECX
  :004076F4    CMP     EBX,EAX                       ; did all chars?
  :004076F6    JB      004077BC                      ; if not => JMP
  :004076F8    MOV     EAX,0045E408
  :004076FD    CALL    00450CE8                      ; get length of company
  :00407702    TEST    EAX,EAX                       ; no company entered?
  :00407704    JZ      00407744                      ; if so => JMP
               ...
  :0040774E    MOVSX   EAX,BYTE PTR [ESI]            ; move char[counter] in EAX
               ...
  :0040775D    MOVSX   EDX,BYTE PTR [ESI]            ; move char[counter] in EDX
  :00407760    PUSH    EDX
  :00407761    CALL    004499C4
  :00407766    POP     ECX
  :00407767    MOVZX   ECX,BP
  :0040776A    IMUL    ECX,[004551D4]                ; BP * 15h
  :00407771    MOVZX   EDX,BP
  :00407774    IMUL    ECX,EDX                       ; ECX * EDX
  :00407777    SUB     AX,CX                         ; subtract result from AX
  :0040777A    ADD     BP,AX                         ; add result of this loop to BP
  :0040777D    INC     EBX                           ; chars done + 1
  :0040777E    INC     ESI                           ; counter + 1
  :0040777F    PUSH    ESP
  :00407780    CALL    00444C00
  :00407785    POP     ECX
  :00407786    CMP     EBX,EAX                       ; did all chars?
  :00407788    JB      0040784E                      ; if not => JMP
  :0040778A    MOVZX   EAX,BP                        ; get result for company in EAX (CR)
  :0040778D    MOVZX   ECX,DI                        ; get result for name in ECX    (NR)
  :00407790    PUSH    EAX
  :00407791    PUSH    ECX
  :00407792    PUSH    00455288
  :00407797    LEA     EAX,[ESP+0C]
  :0040779B    PUSH    EAX
  :0040779C    CALL    0044809C                      ; format serial: NR-CR
  :004077A1    ADD     ESP,10
  :004077A4    LEA     EAX,[ESP+40]                  ; get entered serial
  :004077A8    MOV     EDX,ESP                       ; get real serial
  :004077AA    MOV     CL,[EAX]                      ; get part of fake serial
  :004077AC    CMP     CL,[EDX]                      ; part of serial correct?
  :004077AE    JNZ     004077C6                      ; if not => JMP
  :004077B0    TEST    CL,CL
  :004077B2    JZ      004077C6
  :004077B4    MOV     CL,[EAX+01]                   ; get part of fake serial
  :004077B7    CMP     CL,[EDX+01]                   ; part of serial correct?
  :004077BA    JNZ     004077C6                      ; if not => JMP
  :004077BC    ADD     EAX,02
  :004077BF    ADD     EDX,02
  :004077C2    TEST    CL,CL                         ; checked complete serial?
  :004077C4    JNZ     004078AA                      ; if not => JMP
  :004077C6    SETNZ   DL                            ; set flag

With the help of the comments in the code snippet you can understand the calculations for your serial. You can use this knowledge to code a KeyGEN if you have enough free time. The serial for the name PIRATED COPY and the company name CR@CKING TUTORI@L is WD4.2-16337-50000 - just for you to check your KeyGEN!
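As an added example (not part of the original tutorial), here is the checksum loop from the listing above reconstructed in Python and checked against the test vector the tutorial gives. It assumes DI/BP start at 0, that the elided "..." lines skip non-letters, that the formatted serial carries the WD4.2- prefix, and unpadded decimal fields; the first two are inferred because they reproduce the published serial. The point for anyone designing such a scheme: the checker and the generator are the same 16-bit function of public inputs with no secret, so whoever can read the check can compute valid codes.

```python
# Added example, not the tutorial's or the program's own code.
# Reconstruction of the serial checksum at 004076BC..00407790.
# Assumptions (not visible in the elided "..." lines): DI/BP start at 0,
# only letters are processed (spaces and '@' are skipped), the formatted
# serial is prefixed with WD4.2-, and the two fields are plain %d values.

MASK16 = 0xFFFF
MULT = 0x15                 # the constant read from [004551D4]
VERSION_PREFIX = "WD4.2-"   # assumed to be part of the compared string


def weak_checksum(text: str, subtract: bool = False) -> int:
    """16-bit loop: acc = acc + (tolower(ch) +/- 0x15 * acc * acc) mod 2^16.

    subtract=False is the name loop (ADD AX,CX / ADD DI,AX),
    subtract=True is the company loop (SUB AX,CX / ADD BP,AX).
    """
    acc = 0  # DI for the name, BP for the company
    for ch in text:
        if not (ch.isascii() and ch.isalpha()):
            continue                                 # assumption: non-letters skipped
        term = (MULT * acc * acc) & MASK16           # IMUL ECX,[15h]; IMUL ECX,EDX -> CX
        ax = ord(ch.lower())                         # CALL 004499C4: convert to lower case
        ax = (ax - term if subtract else ax + term) & MASK16
        acc = (acc + ax) & MASK16                    # ADD DI,AX / ADD BP,AX
    return acc


def expected_serial(name: str, company: str) -> str:
    """What CALL 0044809C formats: <name result>-<company result>."""
    return f"{VERSION_PREFIX}{weak_checksum(name)}-{weak_checksum(company, True)}"


def check_serial(name: str, company: str, serial: str) -> bool:
    """The program's own test: length checks, then a byte-for-byte compare."""
    if len(serial) <= 6 or len(name) <= 2:           # CMP EAX,06 / CMP EAX,02 + JLE
        return False
    return serial == expected_serial(name, company)  # loop at 004077AA..004077C4


if __name__ == "__main__":
    # The tutorial's published test vector.
    print(expected_serial("PIRATED COPY", "CR@CKING TUTORI@L"))  # WD4.2-16337-50000
```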

Another target has been Reverse Engineered. Any questions (no crack requests)?

If you're USING Dictionary for Windows BEYOND its FREE TRIAL PERIOD, then please BUY IT.


Copyright © 1999 by TORN@DO and The Immortal Descendants. All Rights Reserved.