*************************************************************************************************TITLE: Cracking tutorial for AceCapture 1.8.0.0 ************************************************************************************************* BEST VIEWED: Notepad with word wrap enabled, and in restored window mode ************************************************************************************************* TOOLS USED: Ollydbg v1.09d *************************************************************************************************TARGET: AceCapture.exe *************************************************************************************************LOCATION OF TOOLS AND PROGRAM: Ollydbg v1.09d http://www.grinders.withernsea.com/tools/odbg109d.rar AceCapture 1.8.0.0 http://www.grinders.withernsea.com/tools/AceCapture_v1.8.0.0.rar Resource Tuner 1.93 http://www.grinders.withernsea.com/tools/ResTuner_v1.93.rar ************************************************************************************************* CONTACT INFORMATION: vinceandjane@hotmail.com ************************************************************************************************* TUTORIAL WRITTEN: 20/02/2004 ************************************************************************************************* AUTHOR: Pompeyfan ************************************************************************************************* OKay, down to business,lets attack our target, open Olly, and if you haven't done so already, to make things easier for yourself, right click, select appearance/highlighting/jumps'n'calls, makes things so much easier to follow. Open AceCapture.exe in Olly, and you land here: 0041DE1C >/$ 55 PUSH EBP I'll set out the steps I took to try and get a valid serial, even though I couldn't get one, just so that you know what I tried. Press F9 run Up comes the registration box enter your details, you will notice you can only use 5 characters for your name, bloody cheek, so I can't use Pompeyfan, so I used Wally (not my real name) and filled the 2 boxes with 7's for the serial (I'm assuming it wants both boxes filled), and hit go, and get the Message "Registration code is invalid", hit okay to get rid of this box. Funny but now in the boxes it shows 4294967295-4294967295, I'm not sure why that is. Well, I tried breakpoint on point H,and on on lstrcmpA, and on GetWindowTextA, and on the invalid message, and tried tracing through the routine above the error message, but no luck grabbing the valid serial, even though I saw my own fake details tracing after the breakpoint with the point H method, so I'll tried to get it to accept any serial. OKay, back to Olly, Right click/Search for all referenced text strings, then Left click on the first entry once, then Right click/serch for text, put in your error message and ok, double click on the entry you find and you will land here: 0040FD0E |. 68 BCB64600 PUSH AceCaptu.0046B6BC ; ASCII "Registration code is Invalid!" Lets look at this: 0040FD07 |. 397D EC CMP DWORD PTR SS:[EBP-14],EDI 0040FD0A |. 75 09 JNZ SHORT AceCaptu.0040FD15 0040FD0C |. 57 PUSH EDI 0040FD0D |. 57 PUSH EDI 0040FD0E |. 68 BCB64600 PUSH AceCaptu.0046B6BC ; ASCII "Registration code is Invalid!" 0040FD13 |. EB 22 JMP SHORT AceCaptu.0040FD37 0040FD15 |> 837D EC 01 CMP DWORD PTR SS:[EBP-14],1 0040FD19 |. 75 21 JNZ SHORT AceCaptu.0040FD3C 0040FD1B |. 57 PUSH EDI ; /Arg3 0040FD1C |. 57 PUSH EDI ; |Arg2 0040FD1D |. 68 A0B64600 PUSH AceCaptu.0046B6A0 ; |Arg1 = 0046B6A0 ASCII "Thank you for supporting!" What I found was, if you change 0040FD19 to JE & 0040FD0A to JMP, you get the thankyou message, but it doesn't register program, program still shows unregistered, and when you start program next time you still go straight to the evaluation screen. Then, I thought to myself, I remember when I was tracing through the code with the point H method, that I saw mention of RegCI quite a few times, and in the AceCapture folder, their is a RegCI.dll file, so I started to think this was where the real checking took place, funny though, because I restarted Olly, I clicked on Alt & E to show the modules window, and it wasn't shown, so I pressed F9 and ran the program, then when the evaluation screen came up, I again brought up the modules window, and sure enough now it was listed, as below: Executable modules, item 1 Base=01080000 Size=0000A000 (40960.) Entry=01083AF3 RegCI. Name=RegCI File version=1, 0, 0, 1 Path=C:\PROGRA~1\BITSSA~1\ACECAP~1\RegCI.dll Now, double click on this entry, and you are in the code of this .dll, then Right click/search for all referenced text strings, and you find quite a few interesting entries, double click on REGISTED, and here is the key bit of code. 01081574 75 4A JNZ SHORT RegCI.010815C0 01081576 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 01081579 3947 0C CMP DWORD PTR DS:[EDI+C],EAX 0108157C 75 42 JNZ SHORT RegCI.010815C0 0108157E 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C] 01081581 6A 01 PUSH 1 01081583 58 POP EAX 01081584 8901 MOV DWORD PTR DS:[ECX],EAX 01081586 8945 0C MOV DWORD PTR SS:[EBP+C],EAX 01081589 8D45 08 LEA EAX,DWORD PTR SS:[EBP+8] 0108158C 50 PUSH EAX 0108158D 68 28600801 PUSH RegCI.01086028 ; ASCII "TrialEndTest\FULLREG" 01081592 68 00000080 PUSH 80000000 01081597 FF15 1C500801 CALL DWORD PTR DS:[<&ADVAPI32.RegCreateK>; ADVAPI32.RegCreateKeyA 0108159D 8D45 0C LEA EAX,DWORD PTR SS:[EBP+C] 010815A0 6A 04 PUSH 4 010815A2 50 PUSH EAX 010815A3 6A 03 PUSH 3 010815A5 6A 00 PUSH 0 010815A7 68 40600801 PUSH RegCI.01086040 ; ASCII "REGISTED" 010815AC FF75 08 PUSH DWORD PTR SS:[EBP+8] 010815AF FF15 18500801 CALL DWORD PTR DS:[<&ADVAPI32.RegSetValu>; ADVAPI32.RegSetValueExA 010815B5 FF75 08 PUSH DWORD PTR SS:[EBP+8] 010815B8 FF15 24500801 CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKe>; ADVAPI32.RegCloseKey 010815BE EB 06 JMP SHORT RegCI.010815C6 010815C0 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C] Notice the conditional jumps at 01081574 & 0108157C, they jump beyond the REGISTED message, so what if we change these JNZ entries to JE (75 to 74), so for each entry, left click once on the line to change, then Right click/Assemble, make the changes & hit assemble, then close the box. Now try entering whatever name and serial you like, although I still kept it to a 5 letter user name, and filled both boxes with my fake serial, as their are checks for string length, and voila!, you not only get a "Thank you for supporting!" message, but now it shows you are registered, so make the changes permanant, right click, and select copy to executable/ All modifications, then copy all on new box that pops up, then right click on new box and select save file, then double click on your file to overwrite, and select yes to " do you really want to overwrite it ", and you are done, well done cracker!!!. But wait, I have a bit of a dislike for Splash screens, not sure why, but they just annoy me, so of course once I had a registered copy of the program, I just had to kill the splash screen too, I tried using the Call stack, but had no luck, so I turned to my trusty APIS32 (An API spy program), damn easy to use even for a newcomer to cracking like me, just select the file to run, select any additional modules to load, run it, and let it create a log, you can even clear what you don't want, if you say only want details of the 3rd or 4th step for instance (eg after pushing continue buttons), but still no real luck, so on to Resource Tuner, this is real easy, open the file in Resource tuner, and listed as Bitmap 263 you find the offender, Right click on it/delete resource/file/save file as/AceCapture.exe/yes to replace/update size of Image yes, and you are done. Open program now, no more splash screen, but then maybe it doesn't bother you. And remember, if you use the program, buy it ,software developers rely on the income from sales to keep going, if nobody buys, no new software would be developed. ************************************************************************************************* SHOUTZ AND GREETZ: To exetools forum, tsrh forum, Ollydbg forum, Ricardo Narvaja, Nilrem, Ferarri & Satyric0n whoose tuts have helped me more than any others , Ollydbg, and the authors of AceCapture. *************************************************************************************************