*************************************************************************************************TITLE:
Cracking tutorial for WatchDog Version 8.0.0.5
*************************************************************************************************
BEST VIEWED:
Notepad with word wrap enabled, and in restored window mode
*************************************************************************************************
TOOLS USED:
Ollydbg v1.09d
*************************************************************************************************TARGET:
watchdog.exe
*************************************************************************************************LOCATION OF TOOLS AND PROGRAM:
Ollydbg v1.09d http://www.grinders.withernsea.com/tools/Ollydbg/odbg109d.rar
WatchDog Version 8.0.0.5 http://www.grinders.withernsea.com/tools/wdcurrent.rar
*************************************************************************************************
CONTACT INFORMATION:
vinceandjane@hotmail.com
*************************************************************************************************
TUTORIAL WRITTEN:
13/04/2004
*************************************************************************************************
AUTHOR:
Pompeyfan
*************************************************************************************************

Okay,lets attack our target, open Olly, and if you haven't done so already, to make things easier for yourself, right click, select appearance/highlighting/jumps'n'calls, makes things so much easier to follow.

Okay, lets open the program in Olly, and you land here:

0041A9D0 > $ 68 2CB54100    PUSH watchdog.0041B52C

Press F9 (Run), and the evaluation screen opens, so let us click on "enter registration codes", and enter a User Name and Reg Key, I used Pompeyfan and filled the other box with 7's, and hit okay.

And you get the message "Invalid Registration Key Detected!!!Going Unregistered...., don't hit okay to this yet.

Press F12(Pause), then enter Alt & K to bring up the call stack, and you get the following:

Call stack of main thread
Address    Stack      Procedure                             Called from                   Frame
0012ECD0   77D43C53   Includes 7FFE0304                     USER32.77D43C51               0012ED04
0012ECD4   77D4B3F2   USER32.WaitMessage                    USER32.77D4B3ED               0012ED04
0012ED08   77D4D9A0   USER32.77D4B265                       USER32.77D4D99B               0012ED04
0012ED30   77D6AE8E   USER32.77D4D8EC                       USER32.77D6AE89               0012ED2C
0012EFE8   77D6A911   ? USER32.SoftModalMessageBox          USER32.77D6A90C               0012EF70
0012F130   77D6C9E9   ? USER32.77D6A7D7                     USER32.77D6C9E4               0012F0B8
0012F19C   734A613F   Includes USER32.77D6C9E9              MSVBVM60.734A613D             0012F198
0012F1DC   734A5FBB   Includes MSVBVM60.734A613F            MSVBVM60.734A5FB8             0012F1D8
0012F204   734A62B6   MSVBVM60.734A5EA1                     MSVBVM60.734A62B1             0012F200
0012F234   7349E1AB   MSVBVM60.734A6225                     MSVBVM60.7349E1A6             0012F230
0012F298   73502192   MSVBVM60.7349DF1F                     MSVBVM60.7350218D             0012F294
0012F310   0051AD4B   ? MSVBVM60.rtcMsgBox                  watchdog.0051AD45             0012F30C
0012F4F4   006BBD7E   ? watchdog.0051A070                   watchdog.006BBD79             0012F4F0

You hit okay to that message, and then you get the message "Invalid Registration codes!", so again you hit F12(pause), then Alt & K to bring up the call stack, and you get:

Call stack of main thread
Address    Stack      Procedure                             Called from                   Frame
0012EF1C   77D43C53   Includes 7FFE0304                     USER32.77D43C51               0012EF50
0012EF20   77D4B3F2   USER32.WaitMessage                    USER32.77D4B3ED               0012EF50
0012EF54   77D4D9A0   USER32.77D4B265                       USER32.77D4D99B               0012EF50
0012EF7C   77D6AE8E   USER32.77D4D8EC                       USER32.77D6AE89               0012EF78
0012F234   77D6A911   ? USER32.SoftModalMessageBox          USER32.77D6A90C               0012F1BC
0012F37C   77D6C9E9   ? USER32.77D6A7D7                     USER32.77D6C9E4               0012F304
0012F3E8   734A613F   Includes USER32.77D6C9E9              MSVBVM60.734A613D             0012F3E4
0012F428   734A5FBB   Includes MSVBVM60.734A613F            MSVBVM60.734A5FB8             0012F424
0012F450   734A62B6   MSVBVM60.734A5EA1                     MSVBVM60.734A62B1             0012F44C
0012F480   7349E1AB   MSVBVM60.734A6225                     MSVBVM60.7349E1A6             0012F47C
0012F4E4   73502192   MSVBVM60.7349DF1F                     MSVBVM60.7350218D             0012F4E0
0012F55C   006BB750   ? MSVBVM60.rtcMsgBox                  watchdog.006BB74A             0012F558

OKay, Ctrl & F2 to restart the program in Olly, then F9(Run) to bring up the evaluation screen again.

Okay Right click/Go to/EXpression and enter 006BB74A, and you land here:

006BB6C3     85C0           TEST EAX,EAX
006BB6C5   . 7D 12          JGE SHORT watchdog.006BB6D9
006BB6C7   . 68 FC060000    PUSH 6FC
006BB6CC   . 68 B8DA4500    PUSH watchdog.0045DAB8
006BB6D1   . 56             PUSH ESI
006BB6D2   . 50             PUSH EAX
006BB6D3   . FF15 C8104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>;  MSVBVM60.__vbaHresultCheckObj
006BB6D9   > 8B06           MOV EAX,DWORD PTR DS:[ESI]
006BB6DB   . 56             PUSH ESI
006BB6DC   . FF90 F8060000  CALL DWORD PTR DS:[EAX+6F8]
006BB6E2     85C0           TEST EAX,EAX
006BB6E4   . 7D 12          JGE SHORT watchdog.006BB6F8
006BB6E6   . 68 F8060000    PUSH 6F8
006BB6EB   . 68 B8DA4500    PUSH watchdog.0045DAB8
006BB6F0   . 56             PUSH ESI
006BB6F1   . 50             PUSH EAX
006BB6F2   . FF15 C8104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>;  MSVBVM60.__vbaHresultCheckObj
006BB6F8   > 66:833D 50206D>CMP WORD PTR DS:[6D2050],0
006BB700   . B9 04000280    MOV ECX,80020004
006BB705   . B8 0A000000    MOV EAX,0A
006BB70A   . 894D A8        MOV DWORD PTR SS:[EBP-58],ECX
006BB70D   . 8945 A0        MOV DWORD PTR SS:[EBP-60],EAX
006BB710   . 894D B8        MOV DWORD PTR SS:[EBP-48],ECX
006BB713   . 8945 B0        MOV DWORD PTR SS:[EBP-50],EAX
006BB716   . 75 54          JNZ SHORT watchdog.006BB76C
006BB718   . 894D C8        MOV DWORD PTR SS:[EBP-38],ECX
006BB71B   . 8D55 90        LEA EDX,DWORD PTR SS:[EBP-70]
006BB71E   . 8D4D D0        LEA ECX,DWORD PTR SS:[EBP-30]
006BB721   . 8945 C0        MOV DWORD PTR SS:[EBP-40],EAX
006BB724   . C745 98 2C2C47>MOV DWORD PTR SS:[EBP-68],watchdog.00472>;  UNICODE "Invalid registration codes!"
006BB72B   . C745 90 080000>MOV DWORD PTR SS:[EBP-70],8
006BB732   . FF15 98134000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarDu>;  MSVBVM60.__vbaVarDup
006BB738   . 8D4D A0        LEA ECX,DWORD PTR SS:[EBP-60]
006BB73B   . 51             PUSH ECX
006BB73C   . 8D55 B0        LEA EDX,DWORD PTR SS:[EBP-50]
006BB73F   . 52             PUSH EDX
006BB740   . 8D45 C0        LEA EAX,DWORD PTR SS:[EBP-40]
006BB743   . 50             PUSH EAX
006BB744   . 6A 30          PUSH 30
006BB746   . 8D4D D0        LEA ECX,DWORD PTR SS:[EBP-30]
006BB749   . 51             PUSH ECX
006BB74A   . FF15 2C114000  CALL DWORD PTR DS:[<&MSVBVM60.#595>]     ;  MSVBVM60.rtcMsgBox
006BB750   . 8D55 A0        LEA EDX,DWORD PTR SS:[EBP-60]
006BB753   . 52             PUSH EDX
006BB754   . 8D45 B0        LEA EAX,DWORD PTR SS:[EBP-50]
006BB757   . 50             PUSH EAX
006BB758   . 8D4D C0        LEA ECX,DWORD PTR SS:[EBP-40]
006BB75B   . 51             PUSH ECX
006BB75C   . 8D55 D0        LEA EDX,DWORD PTR SS:[EBP-30]
006BB75F   . 52             PUSH EDX
006BB760   . 6A 04          PUSH 4
006BB762   . FFD3           CALL EBX
006BB764   . 83C4 14        ADD ESP,14
006BB767   . E9 6E010000    JMP watchdog.006BB8DA
006BB76C   > 8D55 90        LEA EDX,DWORD PTR SS:[EBP-70]
006BB76F   . 8D4D C0        LEA ECX,DWORD PTR SS:[EBP-40]
006BB772   . C745 98 302D47>MOV DWORD PTR SS:[EBP-68],watchdog.00472>;  UNICODE "Thank you for registering"

Okay, we can see some good boy and bad boy messages here, and 3 tests and conditional jumps, let us set a breakpoint futher up:

006BB6C3     85C0           TEST EAX,EAX

So left click on this line once, then Right click/Breakpoint/Toggle

Notice also, the last conditional jump, leads beyond the bad boy message, by that I mean this one:

006BB716   . 75 54          JNZ SHORT watchdog.006BB76C

Now, enter your fake details again, and we break at our breakpoint, now let us F8 to step over the code, and take note of the values at the tests:

006BB6C3     85C0           TEST EAX,EAX------------->EAX=0, jump taken

We hit here, and the error message comes up:

006BB6DC   . FF90 F8060000  CALL DWORD PTR DS:[EAX+6F8]

OKay, Ctrl & F2 to restart the program in Olly, then F9(Run) to bring up the evaluation screen again, enter your fake details again, but this time, when you get to 006BB6DC, hit F7 to trace into the call, then F8 to step over the code for a while, then let us trace into the call here:

006BBD79   . E8 F2E2E5FF    CALL watchdog.0051A070

So when you get to this call F7 to step into it, and then F8 to step over the code for a while, it moves your details you entered, and also seems to be comparing you against what I assume is a lot of past crackers, and at 0051AC0F I got excited because I thought I saw the real serial moved, but it was a bum lead, then you get here eventually:

0051ACBC   . 33C0           TEST EAX,EAX------------->EAX=FFFFFFFF
0051ACBE   . 0F84 44010000  JE watchdog.0051AE08
0051ACC4   . C745 FC 2B0000>MOV DWORD PTR SS:[EBP-4],2B
0051ACCB   . C785 58FFFFFF >MOV DWORD PTR SS:[EBP-A8],80020004
0051ACD5   . C785 50FFFFFF >MOV DWORD PTR SS:[EBP-B0],0A
0051ACDF   . C785 68FFFFFF >MOV DWORD PTR SS:[EBP-98],80020004
0051ACE9   . C785 60FFFFFF >MOV DWORD PTR SS:[EBP-A0],0A
0051ACF3   . C785 78FFFFFF >MOV DWORD PTR SS:[EBP-88],80020004
0051ACFD   . C785 70FFFFFF >MOV DWORD PTR SS:[EBP-90],0A
0051AD07   . C785 F8FEFFFF >MOV DWORD PTR SS:[EBP-108],watchdog.0044>;  UNICODE "Invalid Registration Key Detected!!!  Going Unregistered..."

Okay, now if you pass this test, you jump beyond the bad cracker message, so we want EAX to equal zero.

So what if we change:

0051ACBC     33C0          TEST EAX,EAX

To:

0051ACBC     33C0           XOR EAX,EAX

So, Right click on this line/Assemble, make the change, then click on Assemble, then close this box.

NOw press F9(Run), and you get "Thank you for registering Watchdog!"

Okay, make changes permanent, Right click/copy to executable/all modifications/copy all, and then right click on new box that comes up/save file, double click on the file to overwrite and select yes to overwrite.

OKay, Ctrl & F2 to restart the program in Olly, then F9(Run), now the program starts, but is minimized to the tray, so Right click on it, and select Main Menu, now we see that the program wants us to verify the license, let us fill the box with our registration code, and hit okay, and we get the message "Invalid Confirmation Code!", so hit F12(Pause), trhen Alt & K to bring up the call stack, and we get the following:

Call stack of main thread
Address    Stack      Procedure                             Called from                   Frame
0012EE10   77D43C53   Includes 7FFE0304                     USER32.77D43C51               0012EE44
0012EE14   77D4B3F2   USER32.WaitMessage                    USER32.77D4B3ED               0012EE44
0012EE48   77D4D9A0   USER32.77D4B265                       USER32.77D4D99B               0012EE44
0012EE70   77D6AE8E   USER32.77D4D8EC                       USER32.77D6AE89               0012EE6C
0012F128   77D6A911   ? USER32.SoftModalMessageBox          USER32.77D6A90C               0012F0B0
0012F270   77D6C9E9   ? USER32.77D6A7D7                     USER32.77D6C9E4               0012F1F8
0012F2DC   734A613F   Includes USER32.77D6C9E9              MSVBVM60.734A613D             0012F2D8
0012F31C   734A5FBB   Includes MSVBVM60.734A613F            MSVBVM60.734A5FB8             0012F318
0012F344   734A62B6   MSVBVM60.734A5EA1                     MSVBVM60.734A62B1             0012F340
0012F374   7349E1AB   MSVBVM60.734A6225                     MSVBVM60.7349E1A6             0012F370
0012F3D8   73502192   MSVBVM60.7349DF1F                     MSVBVM60.7350218D             0012F3D4
0012F450   006C55CE   ? MSVBVM60.rtcMsgBox                  watchdog.006C55C8             0012F44C

Double click on this line:

0012F450   006C55CE   ? MSVBVM60.rtcMsgBox                  watchdog.006C55C8 

And we are here:

006C55C8   . FF15 2C114000  CALL DWORD PTR DS:[<&MSVBVM60.#595>]     ;  MSVBVM60.rtcMsgBox

Scroll up a bit, and you will see this:

006C559C   > 8D55 90        LEA EDX,DWORD PTR SS:[EBP-70]
006C559F   . 8D4D D0        LEA ECX,DWORD PTR SS:[EBP-30]
006C55A2   . C745 98 BC3C47>MOV DWORD PTR SS:[EBP-68],watchdog.00473>;  UNICODE "Invalid confirmation code!"

If we left click on the start of this routine, we will see that 006C5461 is the conditional jump that leads us here, so let us examine the code here:

006C5442   . 66:3BF7        CMP SI,DI
006C5445   . B9 04000280    MOV ECX,80020004
006C544A   . B8 0A000000    MOV EAX,0A
006C544F   . 894D A8        MOV DWORD PTR SS:[EBP-58],ECX
006C5452   . 8945 A0        MOV DWORD PTR SS:[EBP-60],EAX
006C5455   . 894D B8        MOV DWORD PTR SS:[EBP-48],ECX
006C5458   . 8945 B0        MOV DWORD PTR SS:[EBP-50],EAX
006C545B   . 894D C8        MOV DWORD PTR SS:[EBP-38],ECX
006C545E   . 8945 C0        MOV DWORD PTR SS:[EBP-40],EAX
006C5461   . 0F84 35010000  JE watchdog.006C559C
006C5467   . 8B35 90104000  MOV ESI,DWORD PTR DS:[<&MSVBVM60.__vbaSt>;  MSVBVM60.__vbaStrCat
006C546D   . 68 003C4700    PUSH watchdog.00473C00                   ;  UNICODE "Thank you for verifying you registration information."

HOw about we set a breakpoint higher up, and the step over the code, set it here:

006C5380   > 55             PUSH EBP

So try entering our info again, and we break at the point we set, then we F8 to step over the code:

006C5418   > 8B45 E8        MOV EAX,DWORD PTR SS:[EBP-18]------->Moves our fake serial into EAX
006C541B   . 50             PUSH EAX---------------------------->Pushed to the stack
006C5427   . 8BF0           MOV ESI,EAX------------------------->EAX=FFFFFFFF
006C544A   . B8 0A000000    MOV EAX,0A-------------------------->EAX=0000000A
006C545E     8945 C0        MOV DWORD PTR SS:[EBP-40],EAX------->EAX=0000000A
006C5461     0F84 35010000  JE watchdog.006C559C---------------->Jump taken

So how about we change:

006C545E     8945 C0        MOV DWORD PTR SS:[EBP-40],EAX

To:

006C545E     33C0           XOR EAX,EAX
006C5460     40             INC EAX

So, Right click on this line/Assemble, make the change, then click on Assemble, then close this box, it will take 2 goes to make the changes, after the first change to "XOR EAX,EAX" 006C5460 will show "nop".

Now F9(Run), and we get the message, "Thank you for verifying your registration information. You will not see this screen again".

Okay, make changes permanent, Right click/copy to executable/all modifications/copy all, and then right click on new box that comes up/save file, double click on the file to overwrite and select yes to overwrite.

Now for the big test, close Olly, open Watchdog, it minimizes to the tray, Right click on the Icon and select Main Menu, program opens without any evaluation or verification screens, we also try putting our system clock forward a year and program still functions, we check Help/About and Voila!, it shows our registration details, well done cracker!!!

And remember, if you use the program, buy it ,software developers rely on the income from sales to keep going, if nobody buys, no new software would be developed.

*************************************************************************************************
SHOUTZ AND GREETZ:

To the AR Cracking team, exetools forum, tsrh forum, Ollydbg forum, Ricardo Narvaja, Kruger, Britedream, Satyric0n, R@dier, LaBBa, Nilrem & Ferarri whoose tuts have helped me more than any others , Ollydbg, and the authors of Watchdog .
*************************************************************************************************