Help Please with rtsoftware keygen protection
Bill Stickers
March 19th, 2001, 18:14
I am a newbie and have followed a few tuts with some success.
However, I am now stumped trying to crack my first app. It is APrintDirect by bpsoftware.com, but it features a seemingly complicated keygen protection by rtsoftware.com.
Has anyone come across this before and could maybe give me a pointer or two?
TIA
Bill
+SplAj
March 20th, 2001, 04:43
hey I can help you }>
click on the 'go to:' bar below and select
'The Newbies Forum'
and finally press 'Go'
5p14j
Bill Stickers
March 20th, 2001, 10:01
SplAj
Your reply was most unwelcome; I was asking for help, not sarcasm.
goatass
March 21st, 2001, 00:31
Hey Bill, I'm sure +SplAj didn't mean to be a dick; he just wanted to point out that, as you said you are a newbie, there is a newbies forum that newbie questions (such as this one) should be posted in. He was just trying to keep the posts in their correct forum.
As for your program, how far did you get in figuring out the protection? Can you post some code that you think might be generating or verifying the serial number, or whatever, so we could look at it and try to help?
goatass
Bill Stickers
March 21st, 2001, 17:36
Thanks for some courtesy, goatass.
I haven't the time just now to put down the approaches that I made and where I got to, but I will in the next couple of days.
Thanks again
Bill
quiller
March 24th, 2001, 21:12
I took a look at the program APrintDir and it actually has pretty good protection, considering it is kind of a simpleton program. I was able to crack it in about 20 mins by changing one byte (74->EB), but the user key/reg key seems to use TripleDES encryption. It uses a base key of 43HG4R and a product key of APRINTDIR99, and from there on I got lost. I would love to have someone do a tut on the serial gen for this program, but for now it is over my capabilities. I believe it has both the encryption and decryption algorithms in the program, so I have not given up yet, but it will be tough going.
splaj
March 25th, 2001, 06:01
Bill, time's up, show us your work......... if you can :'(
Quiller, DON'T give this NEWBIE? (more like a crack request to me) any more clues until he posts some relevant dis.
SplAj
tsehp
March 25th, 2001, 07:38
Quote:
Bill Stickers (03-21-2001 14:36):
Thanks for some courtesy, goatass.
I haven't the time just now to put down the approaches that I made and where I got to, but I will in the next couple of days.
Thanks again
Bill
Ok Bill, let's start from the beginning, and forget all the messages before...
As goatass said, you first have to do some personal work and locate the code where you think the key is calculated; paste the code here and we'll see if we can help you.
regards,
+Tsehp
Bill Stickers
March 25th, 2001, 16:38
Well ok fellas,
I have managed to find a bit of time now to put down some of the things I had tried; others which I had scribbled on a piece of paper don't make a lot of sense now!
My first approach was in w32dsm to search for any recognisable strings such as "register", but there were none.
I then looked for "getwindowtexta" and found references to it, but when I ran the app in debug this api appeared after the nagbox and register screen came up.
I traced through from the program entry point and found the following code, which I thought might have been the test:
:00450C3F E8AC66FBFF Call 004072F0
:00450C44 85C0 test eax, eax
:00450C46 7475 je 00450CBD
:00450C48 B301 mov bl, 01
:00450C4A 837F0412 cmp dword ptr [edi+04], 00000012
:00450C4E 7466 je 00450CB6
:00450C50 C6042400 mov byte ptr [esp], 00
:00450C54 6683BEC200000000 cmp word ptr [esi+000000C2], 0000
:00450C5C 7410 je 00450C6E
:00450C5E 8BCC mov ecx, esp
:00450C60 8BD7 mov edx, edi
:00450C62 8B86C4000000 mov eax, dword ptr [esi+000000C4]
:00450C68 FF96C0000000 call dword ptr [esi+000000C0]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00450C5C(C)
|
:00450C6E 8BD7 mov edx, edi
:00450C70 8BC6 mov eax, esi
:00450C72 E819FFFFFF call 00450B90
:00450C77 84C0 test al, al
:00450C79 7542 jne 00450CBD
:00450C7B 803C2400 cmp byte ptr [esp], 00
:00450C7F 753C jne 00450CBD
:00450C81 8BD7 mov edx, edi
:00450C83 8BC6 mov eax, esi
:00450C85 E8FEFDFFFF call 00450A88
:00450C8A 84C0 test al, al
:00450C8C 752F jne 00450CBD
:00450C8E 8BD7 mov edx, edi
:00450C90 8BC6 mov eax, esi
:00450C92 E841FEFFFF call 00450AD8
:00450C97 84C0 test al, al
:00450C99 7522 jne 00450CBD
:00450C9B 8BD7 mov edx, edi
:00450C9D 8BC6 mov eax, esi
:00450C9F E8C0FDFFFF call 00450A64
:00450CA4 84C0 test al, al
:00450CA6 7515 jne 00450CBD
:00450CA8 57 push edi
I noted the offsets and, in hexworkshop, I changed the jumps, but then the prog just crashed.
I then tried a few things with softice, but without much luck.
To give you an idea of the things I tried with softice: I set bpx on "getwindowtexta" and tried to trace the calls, but I got lost.
I then thought I was getting somewhere using hwnd aprintdir and bmsg on wm_buttonup and button, but it got so that I couldn't see the wood for the trees.
I am not trying to leech a crack, as the verbose splAj might think, but I am beginning to wonder if I am getting too old for these challenges, and maybe should just stick to Fortran and HPRMB (really showing my age).
If after this anyone feels inclined to help then I would be grateful, but as quiller pointed out it is a pretty tame program anyway and no huge loss. It would have been useful, but it was the challenge, and I would really like to refine my approach.
TIA
Bill
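As an added example (not code from any poster in this thread), here is a small Python script that parses W32Dasm listing lines of the form shown above and recomputes the targets of the short jumps and relative calls from the raw opcode bytes, so you can confirm that the addresses in a listing are self-consistent. The sample lines are copied from the listing posted above; the opcode table only covers the forms that appear there (je/jne/jmp rel8 and call rel32), which is an assumption of this example.

```python
import re
import struct

# Constructed sample: a subset of the W32Dasm lines posted above.
LISTING = """\
:00450C3F E8AC66FBFF Call 004072F0
:00450C44 85C0 test eax, eax
:00450C46 7475 je 00450CBD
:00450C72 E819FFFFFF call 00450B90
:00450C77 84C0 test al, al
:00450C79 7542 jne 00450CBD
:0048E8C6 EB1A jmp 0048E8E2
"""

# ":<addr> <hex bytes> <mnemonic> [operands]"
LINE_RE = re.compile(r"^:([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+(\w+)(?:\s+(.*))?$")

# Opcodes whose operand is a signed displacement from the end of the instruction.
REL8 = {0x74: "je", 0x75: "jne", 0xEB: "jmp"}   # 1-byte displacement
REL32 = {0xE8: "call"}                          # 4-byte displacement

def parse_line(line):
    """Split one listing line into (address, opcode bytes, mnemonic, operands)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    addr, hexbytes, mnemonic, operands = m.groups()
    return int(addr, 16), bytes.fromhex(hexbytes), mnemonic.lower(), (operands or "").strip()

def branch_target(addr, code):
    """Target of a rel8/rel32 branch or call at addr, or None if not a known branch."""
    op = code[0]
    if op in REL8 and len(code) == 2:
        disp = struct.unpack("<b", code[1:2])[0]
    elif op in REL32 and len(code) == 5:
        disp = struct.unpack("<i", code[1:5])[0]
    else:
        return None
    # Displacement is relative to the address of the *next* instruction.
    return (addr + len(code) + disp) & 0xFFFFFFFF

def check_listing(text):
    """Map each branching line's address to (listed target, recomputed target, match)."""
    results = {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        addr, code, mnemonic, operands = parsed
        target = branch_target(addr, code)
        if target is None:
            continue   # not a branch/call we decode (e.g. test al, al)
        listed = int(operands, 16)
        results[addr] = (listed, target, listed == target)
    return results
```

Running `check_listing(LISTING)` reports every branch in the sample as consistent; a mismatch would indicate a mis-copied line or a listing produced from a differently based image.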
quiller
March 25th, 2001, 23:22
Bill,
It looks like you will need to read a few more tutorials because there are quite a few references in W32Dsm that you missed such as:
"This is an UNREGISTERED version."
"The evaluation period has expired."
"Thank you for registering!" (one of our favorites)
"Wrong registration key" (another favorite)
"The evaluation period expires"
If you double click on "Thank you for registering!" (in W32Dasm) it will take you to the following lines:
===================================================
:0048E884 E8AB46FFFF call 00482F34 <- You might want to check
:0048E889 84C0 test al, al this function.
:0048E88B 743B je 0048E8C8 <- jmp if bad boy cracker
:0048E88D 8BC6 mov eax, esi <- Otherwise, welcome
:0048E88F E8E846FFFF call 00482F7C to the promised land
:0048E894 84C0 test al, al
:0048E896 7407 je 0048E89F
:0048E898 8BC6 mov eax, esi
:0048E89A E80547FFFF call 00482FA4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048E896(C)
|
:0048E89F 8BC6 mov eax, esi
:0048E8A1 E80A47FFFF call 00482FB0
:0048E8A6 84C0 test al, al
:0048E8A8 7407 je 0048E8B1
:0048E8AA 8BC6 mov eax, esi
:0048E8AC E82747FFFF call 00482FD8
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048E8A8(C)
|
:0048E8B1 6A00 push 00000000
:0048E8B3 668B0D14E94800 mov cx, word ptr [0048E914]
:0048E8BA B202 mov dl, 02
* Possible StringData Ref from Code Obj ->"Thank You for registering!"
|
:0048E8BC B820E94800 mov eax, 0048E920 <- You land here
:0048E8C1 E8BE9CFCFF call 00458584
:0048E8C6 EB1A jmp 0048E8E2
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048E88B(C)
|
:0048E8C8 6A00 push 00000000
:0048E8CA 668B0D14E94800 mov cx, word ptr [0048E914]
:0048E8D1 33D2 xor edx, edx
* Possible StringData Ref from Code Obj ->"Wrong registration key!"
|
:0048E8D3 B844E94800 mov eax, 0048E944
=======================================
This is an example of the classic scenario.
Call Bad_Ass_Protection_Function
Return Result (Good or Bad)
Jmp if BAD
If you want to get a thrill, you can NOP (90) the je (at 0048E88B) or in SI do a "r fl z" and view the "Thank you ..." You will NOT really be registered, though. This program is deceptive and I would not recommend it to a newbie. However, this information should get you started and, if you are persistent, who knows. Good luck.
SplAj
March 26th, 2001, 04:15
Hey Bill,
Well done, nice try. As quiller says, this is a tuffy. Look around and see that ONLY cracks are available, NOT serials, for this version. So if you make it you are one hell of a reverser... WELCOME to the RCE
Try to reverse the Winzip algo. This is a nice trainer, and then move on to making keygens............... There are a few 'templates' available from r!sc and rudeboy.
Also DL the 'ripper-studio' from TMG. This util helps you 'cut+paste' the algo from dis. to ASM >}
SplAj
PS Tsehp, thanks for moving this thread to its rightful home.
Bill_S
March 27th, 2001, 08:08
Quote:
quiller (03-25-2001 20:22):
Bill,
It looks like you will need to read a few more tutorials because there are quite a few references in W32Dsm that you missed such as:
"This is an UNREGISTERED version."
"The evaluation period has expired."
"Thank you for registering!" (one of our favorites)
"Wrong registration key" (another favorite)
"The evaluation period expires"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Quiller,
Thanks for the lead.
But I would like you to know that I really ain't that much of a dummy (at least I hope not). I think I would have picked up the references to
"This is an UNREGISTERED version.", etc. if they had appeared in w32dsm, but they did not show up at all. In fact, neither did the
* Possible StringData Ref pointers, as I show in the code below, taken from the same section you posted.
===================================================================
:0048E884 E8AB46FFFF call 00482F34
:0048E889 84C0 test al, al
:0048E88B 743B je 0048E8C8
:0048E88D 8BC6 mov eax, esi
:0048E88F E8E846FFFF call 00482F7C
:0048E894 84C0 test al, al
:0048E896 7407 je 0048E89F
:0048E898 8BC6 mov eax, esi
:0048E89A E80547FFFF call 00482FA4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048E896(C)
|
:0048E89F 8BC6 mov eax, esi
:0048E8A1 E80A47FFFF call 00482FB0
:0048E8A6 84C0 test al, al
:0048E8A8 7407 je 0048E8B1
:0048E8AA 8BC6 mov eax, esi
:0048E8AC E82747FFFF call 00482FD8
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048E8A8(C)
|
:0048E8B1 6A00 push 00000000
:0048E8B3 668B0D14E94800 mov cx, word ptr [0048E914]
:0048E8BA B202 mov dl, 02
:0048E8BC B820E94800 mov eax, 0048E920
:0048E8C1 E8BE9CFCFF call 00458584
:0048E8C6 EB1A jmp 0048E8E2
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048E88B(C)
|
:0048E8C8 6A00 push 00000000
:0048E8CA 668B0D14E94800 mov cx, word ptr [0048E914]
:0048E8D1 33D2 xor edx, edx
:0048E8D3 B844E94800 mov eax, 0048E944
====================================================================
W32Dasm gave only the following list of String Data
==================================================================
String Resource ID=42500: "The %s file does not exist"
String Resource ID=42501: "The %s directory does not exist"
String Resource ID=65519: "Invalid variant type conversion"
String Resource ID=65535: "Range check error"
" "
"%.*d0x@"
"("
"(y@"
"0"
"91)!"
"Error"
"H:H"
"l"
"Runtime error at 00000000"
"x"
"Y"
==================================================================
So am I missing something along the way? Because I don't get the same disassembler output as you.
BTW, I'm using W32Dasm v8.93
Thanks & Regards
Bill
Kayaker
March 27th, 2001, 16:52
Hi Bill,
I checked out the lack of string refs in WDasm and found that too, but only when using the ORIGINAL version of WDasm 8.93. I normally use one that's patched to allow VB string refs to be seen. Apparently it has an effect with this Delphi app as well.
The VB patch is available at the tools sites. I'm not sure exactly what it does, I've never bothered looking, but I compared my 2 versions and the difference is here:
Original WDasm:
:0041756A 8D8598F4FFFF lea eax, dword ptr [ebp+FFFFF498]
VB String ref patched WDasm:
:0041756A 8D8528F6FFFF lea eax, dword ptr [ebp+FFFFF628]
So try changing bytes 16B6C and 16B6D in a hex editor from
98F4
to
28F6
and see if this brings up the string refs. BTW, you'll probably want to try using the Delphi disassembler DeDe with this app as well.
Regards,
Kayaker
quiller
March 27th, 2001, 20:54
Bill_S,
I was not implying that you were a dummy, only that you appeared inexperienced by missing some obvious things. I used W32Dasm v8.9 to disassemble the proggie (w/o the VB patch that Kayaker was talking about).
quiller