Well, I thought nobody required a tutorial for that program - but one newbie asked for one (perhaps he hasn't even "tried" to crack it), because he got lost in the program (??). So here it is:
Step 1
Well, let's run the target and see what we can find out. A NAG-Screen appears saying
"SimulBrowse 1.5 is shareware ...". This looks like a standard messagebox. So
now press OK. Go to the Help-Menu and choose Register. Now a dialog "Validation"
asks for our User Name and Registration Number. So enter "Cracking Tutorial" and
"999999999". Press Ok. Now you get "Your registration user name and
password could not be validated". So press OK and exit the application. The
NAG-Screen pops up once again and then the application exits. So we know enough to take
our Disassembler and have a look at the program.
Step 2
Now choose String Reference and look for interesting strings. I found the following
interesting:
" - UNREGISTERED VERSION"
"SimulBrowse 1.5 is shareware. "
"Software\SeaglassSoftware\SimulBrowse"
"Software\SeaglassSoftware\SimulBrowse\"
"Software\SeaglassSoftware\SimulBrowse\CurrentV"
"Thank you for registering SimulBrowse."
"Validation"
"Your registration user name and "
Step 3
We want to go to the Validation-Function, so double click on
"Validation". You'll get this:
* Possible StringData Ref from Code Obj ->"User"
                                  |
:00457B17   mov ecx, 00457B6C

* Possible StringData Ref from Code Obj ->"Validation"
We want to be there, where this location was called, so scroll up a few lines,
until you find
* Referenced by a CALL at Address:
|:00457DE1
So let's go to 457DE1. You'll get
:00457D56   call 0042F470
:00457D5B   mov eax, dword ptr [ebp-0C]
:00457D5E   cmp dword ptr [eax+00000150], 00000001
:00457D65   jne 00457DF3                       ; jump out of the function
...
...
...
:00457DB8   call 0045767C
:00457DBD   cmp dword ptr [ebp-08], 00000000   ; have we entered something?
:00457DC1   je 00457DE8                        ; if not, jump to invalid code message
:00457DC3   mov eax, dword ptr [ebp-08]        ; the right serial # is now held in EAX
:00457DC6   mov edx, dword ptr [ebp-04]
:00457DC9   mov edx, dword ptr [edx+3C]        ; our serial # is now held in EDX
:00457DCC   call 00403CF8                      ; compare the right serial # with what we entered
:00457DD1   jne 00457DE8                       ; if they're not equal, jump to invalid code message
:00457DD3   mov edx, dword ptr [ebp-04]
:00457DD6   mov eax, dword ptr [ebp-04]
:00457DD9   call 00457A94
:00457DDE   mov eax, dword ptr [ebp-04]
:00457DE1   call 00457AE4                      ; we land here
:00457DE6   jmp 00457DF3                       ; jump out of the function
Have you noticed those jumps to 457DF3 and 457DE8? 457DF3 simply jumps out of the function. 457DE8 jumps to the invalid code message.
Step 4
We can see the serial # we entered if we do a D EDX just before that CALL 00403CF8 ... guess what's in EAX. Or we can trace through that call. So our registration code for "Cracking Tutorial" is "574368372017". BTW, it's not important whether you write a capital letter or not.
This tutorial was written by
TORN@DO. I hope you enjoyed reading it as I enjoyed writing it - I'm always trying to
improve my writing skills.
I'd like to greet the following people (no specific order):
+ORC, Fravia, nIabI, JosephCo, Razzia, MisterE, Krazy_N, Vizion, YOSHi, Qapla, Odin
everyone in #Cracking and in #Cracking4Newbies ... and everyone else I forgot.