Hi,

i disassembled the prog "CycleTimer", available on h__p://w_w.cycle-trader.com/program/download.htm
direct link is
direct link removed
file size about 17 MB

I logged the installation with "InstallWatch" to find the differences in three snapshots: on installation, on first run, on expired.
I found nothing, absoluteley nothing to make a refresh of the 14-day-trial.
Hereafter i searched for the safeserial-functions in prog and found two:
"SafeSerial1_OnNotRegistered" and "SafeSerial1_OnTerminate"
but i cannot find the code where the check is made, IF the prog is already registered or not. I disassembled with W32dsm, i traced with Ollydbg, i found nothing...
I unpacked sase.ocx with AspackDie 1.4 and cann't find these two functions...
With ResourceHacker i found, it's version 2.3.9 of SafeSerial.
Need help, please, i want to understand this ****ing safeserial-protection.

Best Regards

Jan

JanDebug@gmx.net

JanDebug:

Here you come with your first post and want so badly for someone to take your hand and guide you through the solution to your cracking needs. It appears that you have failed to read the posting guidelines or the Frequently Asked Questions. Had you done so your would already know that this is not the place to come when you have done very little to help yourself and simply want someone else to solve a non-specific problem that you are having because you really don't know how to unpack any program if one of the ready made tools won't solve the immediate problem for you.

My function here is to tell you that the FIRST thing you should have done on your own was some research on the safeserial protection system on the internet to discover, on your own, what others may have already done with this protection. Had you done this you would have already discovered that they claim that their software has never been cracked, given up, and tried something else.

For example: are you aware that several versions of this software are available on the net to download and examine??? I'm not talking about the software you want to crack, I talking about the protection program. Have you studied it?

I would guess not because you have apparently identified that you don't have more than the basic skills at analysing programs.
Don't get me wrong. There is NOTHING wrong with not having expert unpacking skills. The problem is that you haven't demonstrated that YOU have made ANY attempt to help yourself in understanding the task at hand.

For example, do you know if this is a delphi program, as the protection company states on their site that it works with delphi, C++, VC++ and others. If your program is delphi, do you know what tools are available to disassemble it?? If it's VC++ do you know what tools?

If you had searched, you would have discovered that someone named votan claims that he has unpacked and patched the demo version of the safecast program itself and that should give a good indication of how to approach your problem. Yes, I know if you actually look you will find that votan's article is in a language other than English, but you should know that there are ways to get rough translations of other languages on the net and the portions of his article which address the code give very good clues on how to attack this system.

In short, you haven't done enough work to really warrant help and have just given the appearance that you want someone to crack this program for you and we don't do that here. You need to do some more homework on your own and come back with a focused question that demonstrates you have done some actual work and have a question more focused than "please help." Also READ the posting guidelines.

Regards.

Hi JMI,

>...have just given the appearance that you want someone to crack this program for you...
- no, i want no one to crack this prog: " i want to understand safeserial-protection" was my last sentence.

>...If you had searched, you would have discovered that someone named votan...
- Surely, i have read votan's tutorial (i found no other), surely i have translated the technical content from turkish language, but it's not the same way, the other prog is checked, if it's registered or not.

>...because you have apparently identified that you don't have more than the basic skills at analysing programs.
- YES, YES, YES, i know, and i hoped to find here someone who can give me additional information, because a search in forum-database find only two info-requests about SafeSerial. These both requests about information was none answered, and for my question you find only many words to tell me, i should first search and learn ...

If it's on interest for anyone: meantime i know, sase.ocx check the reg-tree [HKEY_CURRENT_USER\Software\Microsoft\File Manager] (created during installation) and the files bootlog.txt and detlog.txt in c:\
If the trial expires, the files lf.ssf, Error.log, rf32sa.dll, sase.ssm, tk.ssf where changed.
I don't know, how SS change the original Bootlog/detlog, i found only change of file-attributes, but additions can be found in these files, if both files are NOT present and SS created they on start.
If i delete or move all seven files and this reg-tree, trial starts again.

Regards

Jan

Jan:

There were several points to my post and you seem not to have grasped them. The first was that there is a way we do things here which you didn't follow. That being the doing of your own work, showing what you have done and asking a pointed question about the process with an indication showing that effort.

NOW you say you have done some searching and read votan's article, but did you understand what it was about?? It's about cracking the program safeserial itself. Has it occurred to you yet that if you download safeserial itself, crack it the way votan did and study its workings in Dede, you might have some clues to how the program performs the file modifications you are describing???

Second, you may have, but have not stated that you have done any other research on safeserial. For example, have you reviewed the information that is available on the company site, including the two screenshots of the information that is used to register the program and their information on how the program checks the identity of the machine on which it is running.

Third, you have not stated that you have made any observations about the operation of the software in the debugger, although you mentioned you "traced in OllyDebug" looking for two forms which you did not find. Did you, perhaps search for any of the forms mentioned in the votan article or "trace" the code as it accessed the register or the files you describe?

Again with no disrespect intended, you have not shown that you have any basic understanding of the API's which might be relevant for your study of these issues. You may, indeed, be very knowledgeable, but YOU HAVE NOT SHOWN YOUR WORK. You have simply stated that it modifies certain files, but you don't seem to have a clue about how that might happen. Have you examined the API calls for modifying files, have you looked into these issues at all. If you have, again you have not stated enough information to make it clear that you are trying to help yourself solve this problem.

"Understanding the software" means studying how it works as it unwraps the "protected" software it is protecting. This starts from the moment that you click on the install. You watched it with InstallWatch at three points. Perhaps regmon would have given you a fuller picture of its access to the registers and shown you "when" it accessed the other files. Again, I suggest that you download the demo of safeserial and study how it works.

Since you know it changes certain files on your C: drive, you might even have to do a clean install of windows and save a copy of those files somewhere and then install you target and do a compare of the files after the changes. One thing you should know as a basic. If it has written files on your C: drive that seem to be part of the protection, the program HAS to go read the information in those files, or at least check for their existence at some point in the start up process. There are specific API's used to do this checking which you have not suggested you are aware of or have used. Did you, by any chance try deleting those created files and the register entries and trace the code to see if you missed any?? You said that if they are deleted that the timelimit is reset. Did you check the functions which read the time and date??

So the point, again, is that while you might be very knowledgable, you have not given any good indication that you understand the basic processess used to do the things that you have observed. If that is the case, you still need to do more homework. You could go to the anticrack link on the bottom of the page and start reading "the art of dissassembly." If you do understand more than you have shown, then you still need to make your question more clear than "I don't know how they do that."

Regards.

By the way the url of the "art of disassembly" is hxxp://aod.anticrack.de

@jandebug

Read your email and think bigger.
Not patch generate :-)

Hello

I have the some problem. My Safeserial 2.3.9 protected programm is written at VB6. I have read votan`s manuel, but it doesn`t works.

I used softice with icedump (i am a Softice newbie:-( and there aren`t the area of idata and aspack.

My questions how can i find the Oep or has someboy a solution for this problem.

Regards Taz

Hi Mueller5321,

Nice to see you are alive again
I have keygened all S@feserial protected Im@geCr@ft C compiler
and some other goodies...
Once again, thanks for your help
Kind regards

Fuji

As mueller5321 said;
"Think Bigger"

SafeSerial is a lame protection so aspack is protects it. This is lame :P

I can imagine mueller5321's mail (to jandebug)
So easiest method for keygening safeserial is hooking its own key calculation procedure.

I can give a tip. Key is generated in Cod*serv.ocx So if you able to find the routine you can call it outside
note:

1- Fix stack.
2- Analyze well that what is WideString
3- Find the arguments to pass the routine
bla bla

And use an unpacker for aspack this can be easier if you don't know manual unpacking.

regards

@Taz,
i am still looking for some "nice" safeserial protected targets to verify my knowledge. What is your target ?

@ Fuji
Yes the year after the Y2K was a nice year for professionals :-)
Can you send me a target list?


@RVAzero
Why make so much work. Use their own tools, which they delivery to you without any further costs. All you need is a little bit zen and 4 bytes of information entered on the right point of code. It allways a good idea to select the own useful values instead of to let the random do his work ;-)
Aspack is really lame.

@All the wotan tutorial readers.
There is a bug in his tutortial. The license typ information he selected is not the best choice :-) Take a better look to the dead code than wotan. Maybe there should be a updated version somewhere in the web :-)

[mueller5321]
I wrote letters above for coding keygens. Not more.



Yes using SafeSerial tools is right way
Its simple to calc good keys from [uncrackable (author of safeserial said this)] random numbers bla bla


I think i cant told very well. my english not good :/
This examples can be good for all.


[-------SafeSerial OCX Keys and License Types-----]

[License Types]

ENTERPRISE EDITION 83h="131"
PROFESSIONAL EDITION 82h="130"
STANDART EDITION <82="-129"

[Application Keys]

Num1 Num2 Num3 Num4
SAMPLE = 066 077 088 099 >"066077088099"
SAFESERIAL = 188 193 240 217 >"188193240217"



[-------ImageCraft Keys and License Types-----]

[License Types]

PROFESSIONAL 07D1h="2001"
SPECIAL EDITION 0BB9h="3001"
STANDART EDITION XXXXh="1001" or Any other number but "1001" is good

[Application Keys]

Num1 Num2 Num3 Num4
ICCTINY = 183 010 237 249 >"183010237249"
ICC430 = 111 028 062 027 >"111028062027"
ICCAVR = 069 115 184 041 >"069115184041"
ICC08 = 152 147 037 043 >"152147037043"
ICC11 = 058 143 102 180 >"058143102180"
ICC12 = 008 180 198 019 >"008180198019"
ICC16 = 230 207 169 176 >"230207169176"



[GenerateUnlockCode Procedure Arguments]
Push RegisterUser [0/1]
Push offset CustomerID ['XX XX XX XX XX XX']
Push offset MaxExecutions ['0'-'255']
Push offset DaysAllowed ['0'-'255']
Push offset LicenseType ['0'-'9999']
Push offset Counter ['0'-'255']
Push offset ApplicationKey ['XXXXXXXXXXXX']
Push offset lpUnlockCode DWORD
Push offset lpConfirmationID DWORD
mov cl,UninstallApplication [0/1]
mov dl,ResetExecution [0/1]
mov al,ResetInstallDate [0/1]

call GenerateUnlockCode

Return:
lpUnlockCode=Offset of UnlockCode String
lpConfirmationID=Offset of ConfirmationID String



And yes Votan's tutorial is buggy.
i told this him. He is my friend.


Regards.