Useful for beginners, who haven't discovered the ease of "fishing" serials with
SoftIce yet. I'll also show how to crack "creatively": turning a *NAG*
into a key-gen!
Introduction |
Greetings, all! Today, I'll crack several nice little programs, all made by the shareware programmer Firas El-Hasan. His programs are all nice Window$-utilities that are pretty useful. But unfortunately they all have a *NAG* at launch, which is really annoying, considering that the programs were probably all made within a couple of hours... The programs are:

SysDate    - A program which shows you the day of the month in the system tray.
StartClean - Cleans shortcuts that point to nonexisting files.
SysLaunch  - A "lite" version of the start menu, for fast access to your favorite apps.
QuickDesk  - Minimizes all the windows with ALT+TAB, or by a click on the tray icon.
HotCorners - Starts your screensaver when you leave the mouse-pointer in one of the desktop corners (nice!).
DirectNet  - Automatically dials your ISP, and launches an Internet-app. of your choice (useful?).
AddLink    - Allows you to right-click on a program, and add it to the start-menu.

Also: DOS-Explore and DialMSN (MSN??? Yucchh!!!), but they are freeware, so no cracking is needed :-)

I'll use two different approaches to cracking the protection-schemes:

1. Using SoftIce to "Hear the echo".
2. Using SoftIce/HIEW to turn the program into a key-gen.

As a template, I'll use AddLink, which is one of the most useful of them. Actually, StartClean is the most useful, but a dude named Qapla has already made a tutorial for that program (good work, BTW). I'll describe the crack in a way that'll make it easy to apply the same approach to the other programs. And I'll also point out anything you should take note of when using the same approach on the other programs...
Tools required |
SoftIce 3.22 for Win95/NT (any version is useful, though).
HIEW 5.66 (or whatever hex-editor you prefer).
Target's URL/FTP |
You can fetch the apps. at the author's homepage:
Program History |
None that I know of (I stumbled over the apps. by coincidence)... Check out the author's homepage for more info.
Essay |
So let's begin! Start by installing AddLink (or one of the other apps. that you wish to crack). Start AddLink by right-clicking on any file and selecting Send To --> Start Menu. A nasty *NAG* will show and remind you to "pay" for the program.

Go into SoftIce (CTRL+D) and set a breakpoint on the string compare:

    BPX Lstrcmp

Press F5 to get out of SoftIce... Select Register... Enter your name (in my case): -=[JON!]=- and a fake serial: 1212121212 (Copyright © +ORC). Hit ENTER... Now SoftIce BREAKS at Lstrcmp! Type:

    BC *

to clear the breakpoint. Press F11 to go back to where it was CALLed from, scroll up a little, and you see this:

    CALL 00401BB0              ;Calculate valid code.
    LEA  EAX,[ESP+18]          ;Copy your code to EAX.
    ADD  ESP,08
    PUSH EAX                   ;PUSH your code.
    PUSH 004051C8              ;PUSH valid code.
    CALL [Kernel32!lstrcmp]    ;Compare strings.
    TEST EAX,EAX               ;Are you registered?
    JNZ  00401BA5              ;If not, JMP to *NAG*!

Now, to retrieve the valid code, you'll need to set a breakpoint on the line where your code is PUSHed. To do this, simply double-click on that line. (If you have the mouse disabled, do a BPX XXXX:YYYYYYYY, where XXXX:YYYYYYYY is the memory location.) Now go out of SoftIce and enter the name and a bogus code again. Press OK, and SoftIce breaks again. Type:

    BD *

to temporarily disable the breakpoint (it will be used later). Type:

    D 004051C8

and you discover that the valid code for the name -=[JON!]=- is: 14621-136061-2316-6752.

But why stop here? Why not make a key-gen? To do so, UNREGISTER the program by deleting its registry entries (HKEY_CURRENT_USER\SOFTWARE\ADDLINK). Now that it's unregistered, start the program, go into SoftIce and enable your breakpoint once again:

    BE *

Enter something fake and press OK. SoftIce breaks once again, where the valid code is PUSHed. Clear your breakpoint:

    BC *

Now, write down the HEX-numbers for the PUSH instruction:

    68C8514000    PUSH 004051C8    ;PUSH valid code.

Keep pressing F10 until you see these lines of code:

    PUSH 00
    PUSH 00
    PUSH 004051B4              ;PUSH the text "Incorrect code!"
    PUSH ESI
    CALL [USER32!MessageBoxA]  ;CALL the *NAG* dialog.
    MOV  EAX,00000001          ;Set EAX=1 (unregistered).

Now type:

    E XXXX:YYYYYYYY

where XXXX:YYYYYYYY is the memory location of PUSH 004051B4, and enter the hex-digits you've written down (68C8514000). Press F5 to get out of SoftIce, and what shows before your eyes?! A *NAG* with the valid code for your name!!! Cool, huh?

To make the crack permanent:

    HIEW ADDLINK.EXE
    Search (F7):  6A006A0068B451400056
                            ^^
    Replace:      6A006A0068C851400056

Save (F9) and exit (F10), and you've got yourself a working key-generator! The PUSH of 004051B4 (the "Incorrect code!" text) has been changed into a PUSH of 004051C8 (the correct code).
This can be applied to all the other apps. (some minor differences, of course), with the exception of QuickDesk and SysLaunch. This is because the memory location in which the valid serial is stored is overwritten before the *NAG* is shown :-( But you can, of course, still "fish" a serial using the same method described above.
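The difference the paragraph above points at (AddLink leaves the valid code sitting in memory until the nag box; QuickDesk and SysLaunch overwrite it first) is a design choice on the programmer's side. As an added example that is not code from the essay or from any of Firas El-Hasan's programs, here is the weak checker pattern beside one that removes the two footholds the essay relies on, using a constructed toy code derivation (the decimal form of an FNV-1a hash of the name). It only closes those two gaps: the program still derives the code itself, so anyone who reimplements the derivation has a key-gen, and a product that must resist that has to verify a signed license it cannot mint.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed toy scheme (not any real product's algorithm): the valid
 * code for a name is the decimal form of a 32-bit FNV-1a hash of the name. */
static uint32_t fnv1a(const char *s) {
    uint32_t h = 2166136261u;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 16777619u; }
    return h;
}

static void derive_code(const char *name, char *out, size_t n) {
    snprintf(out, n, "%u", (unsigned)fnv1a(name));
}

/* Overwrite a buffer in a way the compiler may not optimise away. */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* WEAK, the pattern the essay exploits: the valid code is materialised in a
 * global buffer and handed to a plain string compare, and the buffer is left
 * intact on the failure path, so it is still there when the nag box runs. */
char g_valid_code[16];

int check_weak(const char *name, const char *code) {
    derive_code(name, g_valid_code, sizeof g_valid_code);
    return strcmp(g_valid_code, code) == 0;
}

/* HARDENED against exactly those two footholds: the derived code lives only
 * in a local buffer, only fixed-width digests are compared (no library string
 * compare ever receives the valid code, and the XOR keeps timing uniform),
 * and the buffer is wiped before the result, and hence any nag, is reached. */
int check_hardened(const char *name, const char *code) {
    char derived[16];
    derive_code(name, derived, sizeof derived);
    uint32_t diff = fnv1a(derived) ^ fnv1a(code);
    wipe(derived, sizeof derived);
    return diff == 0;
}

int main(void) {
    const char *name = "-=[JON!]=-", *bogus = "1212121212";
    printf("weak: registered=%d, valid code still in memory: %s\n",
           check_weak(name, bogus), g_valid_code[0] ? "yes" : "no");
    printf("hardened: registered=%d\n", check_hardened(name, bogus));
    return 0;
}
```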
Final Notes |
What have we learned?

1. If Lstrcmp is used to compare the codes, it's easy to locate the right one, since it has already been calculated!
2. If the programmer hasn't cleared the valid code before the "Incorrect code!" *NAG*, we can in most cases turn our worst enemy into a key-gen!
3. The shareware programmers should make the protection-schemes different if they have more than one product!
4. SoftIce is the best debugger!
5. Cracking rulez!

Greetings: +ORC, The +HCU, Fravia+, +Gthorne, all (+)crackers, all the cool cracking groups, all those who have killed a spammer, and of course to you, reader of this essay!

Have Fun! :-)

By Jon, February 9th, 1998.
PS: If you have any comments on this crap (good or bad), don't hesitate to e-mail me at: jon101514(at)cyberjunkie(point)com
Ob Duh |
I won't even bother explaining to you that you should BUY these target programs if you intend to use them for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection schemes at all: you'll find it on most Warez sites, complete and already regged, farewell.