Cracking Tutorial for DownloadWizard Plus 2.50
What to BPX if HMEMCPY doesn't work

 
 


Target Program: DownloadWizard Plus 2.50
Description: DownloadWizard Plus is your Internet Download Manager, which can also manage bookmarks and desktop shortcuts. With DownloadWizard you can download files as usual, create bookmarks as usual, create shortcuts on your desktop and manage them, use full ZIP/UNZIP functionality, look for everything you have downloaded.
Location: http://www.downloadwizard.net
Protection: Name / Serial
Tools needed: SoftICE 3.24
Ob duh: Do I really have to remind you all that BUYING and NOT stealing the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges to breaking their often weak protection systems.
BTW, It's illegal to use cracked Software!

 
If you're looking for cracks or serial numbers from these pages then you're wasting your time; try to search elsewhere on the Web under Warez, Cracks, etc.
Info: Brand and product names are trademarks or registered trademarks of their respective holders.
Level: (X)Beginner ( )Intermediate ( )Advanced ( )Expert

Well, I get more and more mails asking me what breakpoints can be set in case HMEMCPY doesn't work. Although I've already included that question in the FAQ part of the cRACKER's n0TES, I still get such mails. I hope that with the help of this tutorial people can also master these cases without asking me for help.

First of all we need to execute our target - so do this now. A well-designed message box pops up. It informs you how many days and executions are left in your trial period. There's also a nice Register button, which you should press now. Another message box pops up. This message box is asking for your name and registration code. The registration code should look like A-B-C-D.

We already know enough about this program, so we can crack it right now. Enter your favourite registration details (I've chosen PIRATED COPY as name and 1234-5678-90AB-CDEF as registration code). Now enter SoftICE and set a BPX on HMEMCPY, then leave SoftICE and press the OK button!

After some tracing through the code you'll get something like the following code snippet:
 

  :004467CB    CALL    [EBP+0C]
  :004467CE    POP     ECX
  :004467CF    XOR     EAX,EAX
  :004467D1    POP     EBP
  :004467D2    RET

Now you could set a BPX on that CALL - anyway, it's just generated because of the message box (I think). And what would you do in cases where no message box informs you? Well, maybe you would be lost ... so better practise now! If you have any Win32 Reference close to you, I highly recommend trying to find out what else you could BPX on ... I'm sure you will find other useful pieces of information by studying this Reference. In case you didn't know, you may use QuickView, which is included in every Win95/98 version. Look at the IMPORTS of the program. You will find several useful ones. By using your brain a bit you will come across SendDlgItemMessageA. Well, I tell you this is the right thing to BPX on. So do this now ... and press the OK button again.

SoftICE pops up and the following code snippet is displayed:
 

  :0040A01C    CALL    USER32!SendDlgItemMessageA
  :0040A021    PUSH    00
  :0040A023    PUSH    03
  :0040A025    PUSH    EDI
  :0040A026    CALL    00420ED4
  :0040A02B    ADD     ESP,0C
  :0040A02E    PUSH    EDI
  :0040A02F    MOV     EAX,[EBX+19]
  :0040A032    ADD     EAX,21
  :0040A035    PUSH    EAX
  :0040A036    CALL    0045F108
  :0040A03B    ADD     ESP,08
  :0040A03E    INC     ESI
  :0040A03F    CMP     ESI,04                              ; (1)
  :0040A042    JLE     00409FF5                            ; (2)
  :0040A044    PUSH    DWORD PTR [EBX+19]
  :0040A047    PUSH    21
  :0040A049    PUSH    0D
  :0040A04B    PUSH    69
  :0040A04D    MOV     EDX,[EBX]
  :0040A04F    PUSH    DWORD PTR [EDX+0C]
  :0040A052    CALL    USER32!SendDlgItemMessageA          ; (3)
  :0040A057    PUSH    00
  :0040A059    PUSH    03
  :0040A05B    PUSH    DWORD PTR [EBX+19]
  :0040A05E    CALL    00420ED4
  :0040A063    ADD     ESP,0C
  :0040A066    PUSH    DWORD PTR [EBX+19]
  :0040A069    CALL    0040974D                            ; (4)
  :0040A06E    POP     ECX
  :0040A06F    TEST    EAX,EAX
  :0040A071    JNZ     0040A099                            ; (5)
     ...         ...
  :0040A092    CALL    USER32!MessageBoxExA                ; (6)
  :0040A097    JMP     0040A0A0
  :0040A099    PUSH    EBX
  :0040A09A    CALL    0045208A
  :0040A09F    POP     ECX
  :0040A0A0    POP     EDI
     ...         ...
  :0040A0A6    RET

Well, I think you can understand the above code snippet: it just increments the serial field counter, reads the fields out and checks whether all 4 fields have been read (1). If so, the JLE at (2) is not taken. Then the name is read out (3). After that the serial is checked (4). If everything is OK, the JNZ (5) is taken - otherwise a message box telling you that your registration details are invalid is displayed (6). So we need to enter the CALL at 40A069 (4).

As you have entered the CALL, the following code snippet will be displayed:
 

  :0040974D    PUSH    EBP
    ...         ...
  :0040978A    PUSH    EBX                                  ; (7)
  :0040978B    LEA     EAX,[EBP-38]
  :0040978E    PUSH    EAX                                  ; (8)
  :0040978F    CALL    0040967D
  :0040979B    RET

I've cut out a large snippet of code since it's *not* interesting for us. If you feel interested in the code snippet, just trace through it - you will find out several things which might be useful one day (find this out yourself - that way you will learn the most).

At 40978A EBX contains our fake serial and at 40978E EAX contains our name. Now you can even guess what's going on. Of course we have to enter this last CALL before the RETurn, which is the deciding check whether the serial is correct or not. As you have entered it, the following code snippet will be displayed:
 

  :0040967D    PUSH    EBP
  :0040967E    MOV     EBP,ESP
  :00409680    MOV     EAX,[EBP+08]
  :00409683    PUSH    00
  :00409685    PUSH    00
  :00409687    PUSH    DWORD PTR [EBP+0C]
  :0040968A    ADD     EAX,21
  :0040968D    PUSH    EAX                                  ; (9)
  :0040968E    CALL    00421009                             ; (A)
  :00409693    ADD     ESP,10
  :00409696    POP     EBP
  :00409697    RET

Well at 40968D (9) the real serial number is PUSHed and at 40968E (A) it is checked ... The serial for PIRATED COPY is 3123-3095-4085-3303. If you want to produce a KeyGEN for this program you have to trace lots of code ... and I don't have the time to do that at the moment ... maybe I have more time in the future - anyway I think and hope you have learned something from this tutorial. If you have done so, please drop me a mail.
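The weakness this tutorial relies on is a design one: the validator computes the real serial for the entered name and then compares it with what the user typed, so the correct value is sitting in memory at the comparison and a single breakpoint reads it out. The following is an added example (not code from the tutorial or from DownloadWizard): a constructed "weak" check of that shape beside a toy signature-based check in which the shipped validator holds only a public key and never computes an expected serial. The name derivation, the toy RSA primes, the 65537 exponent and the A-B-C-D hex formatting are all assumptions made for the illustration.

```python
# Added example, not from the tutorial: why a validator that materialises the
# correct serial in memory is weak, and a toy signature-based alternative.
import hashlib
import math

# ---------- weak design: compute the expected serial, then compare ----------

def derive_serial(name: str) -> str:
    """Constructed stand-in for whatever secret derivation a product uses.
    Because it lives inside the validator, the expected value exists in
    memory the moment the check runs."""
    digest = hashlib.sha256(name.upper().encode()).hexdigest()[:16].upper()
    return "-".join(digest[i:i + 4] for i in range(0, 16, 4))

def weak_check(name: str, serial: str) -> bool:
    expected = derive_serial(name)   # the real serial now sits in memory
    return expected == serial        # a breakpoint on the compare reveals it

# ---------- hardened toy: signature verification with a public key only ----------

def _next_prime(n: int) -> int:
    """Trial division; adequate for the ~1e6 toy primes used here."""
    def is_prime(k: int) -> bool:
        if k < 2:
            return False
        i = 2
        while i * i <= k:
            if k % i == 0:
                return False
            i += 1
        return True
    while not is_prime(n):
        n += 1
    return n

# Toy RSA key pair from small deterministic primes (constructed). A real
# product would use a vetted library and 2048-bit keys; the point here is
# only the structure: D stays with the vendor, the product ships (N, E).
_E = 65537
_P = _next_prime(10**6)
_Q = _next_prime(_P + 1)
while math.gcd(_E, (_P - 1) * (_Q - 1)) != 1:
    _Q = _next_prime(_Q + 1)
_N = _P * _Q
_D = pow(_E, -1, (_P - 1) * (_Q - 1))   # private exponent: vendor side only

def _name_digest(name: str) -> int:
    """Hash of the name reduced into the RSA modulus (the signed message)."""
    return int.from_bytes(hashlib.sha256(name.upper().encode()).digest(), "big") % _N

def vendor_issue_serial(name: str) -> str:
    """Runs only on the vendor's machine: signs the name with the private key
    and formats the signature as A-B-C-D hex groups."""
    sig = pow(_name_digest(name), _D, _N)
    hexsig = f"{sig:016X}"               # N < 2**40, so 16 hex digits suffice
    return "-".join(hexsig[i:i + 4] for i in range(0, 16, 4))

def strong_check(name: str, serial: str) -> bool:
    """Ships in the product and uses only (N, E). With realistic key sizes
    nothing in this function can produce a valid serial, so there is no
    expected serial to read out at the comparison."""
    try:
        sig = int(serial.replace("-", ""), 16)
    except ValueError:
        return False
    if not 0 < sig < _N:
        return False
    return pow(sig, _E, _N) == _name_digest(name)

if __name__ == "__main__":
    name = "EXAMPLE USER"
    print("weak:  ", weak_check(name, derive_serial(name)))
    issued = vendor_issue_serial(name)
    print("strong:", issued, strong_check(name, issued))
```

In `weak_check` the debugger trick from the tutorial works exactly as described: stop at the comparison and the correct serial is an argument on the stack. In `strong_check` a debugger still sees the comparison, but what it compares is the public-key verification of the user's input against a hash of the name; no branch of the product ever holds the private exponent, so reading the check out does not yield a working serial for any other name. The toy 40-bit modulus is trivially factorable and is used only to keep the example self-contained.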

BTW, your registration details are stored in DW.CFG - as you may know or can find out using a monitoring tool like FileMon.


Another target has been Reverse Engineered. Any questions (no crack requests)?


 
If you're USING DownloadWizard Plus BEYOND its FREE TRIAL PERIOD, then please BUY IT.


Copyright © 1999 by TORN@DO and The Immortal Descendants. All Rights Reserved.