If anyone's got some time I need some help with this program.

Program - A-book v.2.2.1
Company - Duality Software
Download site - h*tp://www.dualitysoft.com/abook/index.html
Install File - abk221.exe
Size - 1.1 Mb

It's pretty basic cracking but I need somebody else to help get me out of my mental block. The program takes a Name and Reg Code. It also requires a key file called abook.key which they send along with a valid Reg Code. It places the Name and RegCode in the registry at:

HKEY_USERS\.Default\Software\PIM+\A-book\Settings\UserName
HKEY_USERS\.Default\Software\PIM+\A-book\Settings\RegCode

Quiller said "The RegCode appears to be in the format:
WIN-xxxxxxxxxx-xxxxxxxxxxxxxxx with x's being letters (small and capital) and numbers."

I believe this is true. In fact for some strange reason there are 7 UserNames and RegCodes in the exe - see CS:0046A1F8. Don't know what that's all about but I used one of them.

Quiller went on to say "It can be patched in one location by moving a 1 into the memory flag that is used. In that case, the proggie is registered and it does not even look at the file abook.key..."

I just can't find any way that this is so. I can't find any flag test that bypasses checking the key file - especially when you first start the program.

Here's what I did:
[#1]I made a bogus abook.key with the numbers 6666111155552222 and saved it to the same folder as abook.exe.
[#2]I ran the proggie and chose to register it.
[#3]I used a Name and RegCode from the disassembly:
Name: Mark Riddle
RegCode: WIN-e805dR7dhA-t7jFfydjf5j3guS

That got me past the "incorrect user name" and "incorrect code" message boxes. Then I started tracing by loading it with symbol loader and trapping the registry queries. To make a long story short, the code starting at 401355 thru 40143B gets the UserName and RegCode registry info when first starting the program. That gets passed into a call at 40143D (Call 401CC0). The first Call in that function (Call 469DCO) reads abook.key into memory. If there was any error in reading the file or the UserName and RegCode were wrong it returns an error code and the calling function posts the particular message in a message box. Otherwise it gets to 469F05 which calls 4AE8A0. This is the function that tests the key file data that was previously read into memory. The actual algorithm is the code between 4AE8AE and 4AE910. I started to reverse this but I keep thinking about what Quiller said about there being a memory flag check that could bypass all this. Anyway, it appears that this Test Key function should return a valid address - maybe the memory location of the key. It definitely should NOT return 0.

Well - that's as far as I got. If anyone could give me some insights on this I'd appreciate it. I'm probably making an easy crack into a nightmare :-)

zitterb

I guess that I should have a been a little clearer, "the proggie is registered and it does not even look at the file abook.key..." The program does look at the abook.key file, it just does not care what the result is (when patched).

You are in the ball park, you found the important call at 401CDA (CALL 469DC0). If you look a few lines below that you can see eax moved into a memory location. If eax (which is the return value from the above fuction)is 1, the program says that you are a good boy. You will need to go through typing in a username and regcode, but it will now accept anything and store it in the registry.

I'm not sure keyfile is the correct term for abook.key. I believe that file gets written automatically if a good username and regcode is provided, but I haven't checked. You might look into that. The reason I think that is that CALL 469DC0 is called from 2 locations. Anyway keep rolling, you're making headway.

quiller

What a dummy I am!!! In Sice I BP'd at 401CF0 and calculated that EAX should be 1 in order for ECX to be 1 for the required jump to "Registration Completed". I changed EAX to 1 and got the right message box but completly overlooked 401CE7 stuffing that Good Guy 1 to memory. So I changed EAX after a Bad value was put in memory, then got sidetracked on making the Call 469DC0 return 1. Jeeze!


I can't believe I missed that obvious mov at 401CE7 :-O




As for the getting called from two locations, I assumed one was when the program was run each time, the other was at initial registration. Not sure now. Maybe today I'll have time to play a bit more while at "work" :-)

The key file is puzzling. It's contents aren't really checked (in the Call 4AE8A0) against the UserName or RegCode. It's merely checked for self consistancy via the algorithm from 4AE8E1 thru 4AE910. Plus, it is called from 25 different locations??? That's an interesting little manipulation in that Call. Want to drive yourself crazy try reversing it.

One more thing. Why do you suppose there are those 7 UserNames and RegCodes in the exe itself? Seems weird they'd put those strings in there.

Thanx for your help!

zitterbe

probably if you used astalavista and searched for cracks/serials for this target i'll bet you'll find some familiar names

could be a list of 'bad boy's who released their serials ? If you played with CommView anytime you can see a similar thing... a list of bad boys

+SplAj

zitterbe,
U can use:

Patch 1:
U need RegCode and UserName in registry, but don't need .key file.
at 4013FA u have jz 401499
Change to: mov dword ptr [0052A1EC],1 ; it is a good boy flag
jmp 40161D ; start the normal proggi
This1 skips a lot of stuff and the proggi will start faster....

or Patch 2:
U need RegCode and UserName in registry, and .key file.
at 46A0FF u have mov eax, 20
change to: mov eax,1
then u can register with any UserName and RegCode
This1 don't skips the checks and proggi is slower..

bNaza

I already patched it but thanx.

I changed the CMP to a MOV EAX,1 and NOP'd the JA.

Cya,
zitterbe