Software Reverse Engineering - Date Reminder v1.0 - Hardcoded Serial Numbers
Copyright (c) 1998 Volatility
Document Courtesy of The Immortal Descendants - http://pages.prodigy.net/volatility

Another pathetic protection scheme. You have to have a few brain cells to get the proper sequence of codes, but you don't have to be an Einstein.

---------------------------------------------------------------------------------------------
Target: Date Reminder v1.0 - (dater.zip) 104,115 bytes.
Download this at: http://members.aol.com/wildcat727/datereminder/dater.zip

Tools Needed: WDASM - recommended (or disassembler of your choice)
---------------------------------------------------------------------------------------------

Prepare To Crack:

Unzip and run the program (editor.exe). You'll notice when you run it for the first time, two files will be created - "Regdata.dar" and "Remind.dar" - obviously configuration files, and Regdata.dar looks pretty obvious. We have a good idea that our registration information will be stored here.

Now you'll see the string "Unregistered" and a register button up in the right hand corner. Click on the button. Ok... we need five numbers. Enter anything in, and click ok to get the error message. It's usually helpful to write this down. Let's disassemble to see what we've got.

Disassemble with Wdasm - "Disassembler", "Open file to disassemble" then choose "editor.exe". Open up the SDR (String Data Reference) window ("Refs", "String Data References") so you can search for your error message, or any other string of interest.

The first thing you'll notice is LOTS of 2 and 4-digit numbers. Do you have a pretty good idea of what these are? Towards the end of the numbers, you'll see a longer string - "56432132156632". Hmm.. let's check that out.

Double click on the string, close the SDR window, and you'll land here:

---------------------------------------------------------------------------------------------
* Possible StringData Ref from Data Obj ->"56432132156632"
                                  |
:00402BB3 68D4B24000              push 0040B2D4
:00402BB8 8D4D88                  lea ecx, dword ptr [ebp-78]
---------------------------------------------------------------------------------------------

Scroll up a bit further, and you'll see the following:

---------------------------------------------------------------------------------------------
* Possible StringData Ref from Data Obj ->"Registration code entered correctly. "
                                        ->" Thanks for registering!"
                                  |
:00402B81 6888B24000              push 0040B288
:00402B86 8B4D80                  mov ecx, dword ptr [ebp-80]

* Reference To: MFC40.Ordinal:0E83, Ord:0E83h
                                  |
:00402B89 E8D6520000              Call 00407E64
:00402B8E C7458400000000          mov [ebp-7C], 00000000
:00402B95 6A01                    push 00000001
:00402B97 A10CD54000              mov eax, dword ptr [0040D50C]
:00402B9C 8B00                    mov eax, dword ptr [eax]
:00402B9E 50                      push eax
:00402B9F 6A02                    push 00000002

* Possible StringData Ref from Data Obj ->"REGDATA.DAR"
                                  |
:00402BA1 68C8B24000              push 0040B2C8
:00402BA6 8D4D88                  lea ecx, dword ptr [ebp-78]
---------------------------------------------------------------------------------------------

There's the message we get when we enter the correct codes, and there's that configuration file "Regdata.dar" which we're sure holds our registration information. We now know that the string "56432132156632" is written to this file when we enter the correct codes. I edited "Regdata.dar", and put this string into it. Doesn't work, so we must need more data.

Scroll up further until you see the following:

---------------------------------------------------------------------------------------------
* Possible StringData Ref from Data Obj ->"4444"
                                  |
:00402B5D 6880B24000              push 0040B280
:00402B62 8D45E4                  lea eax, dword ptr [ebp-1C]
:00402B65 50                      push eax
:00402B66 E8D5020000              call 00402E40
:00402B6B 85C0                    test eax, eax
:00402B6D 0F84F2000000            je 00402C65
---------------------------------------------------------------------------------------------

This is the end of a LONG list of routines exactly like it. Scroll ALL the way up to the beginning of these routines, which is here:

---------------------------------------------------------------------------------------------
* Possible StringData Ref from Data Obj ->"7632"
                                  |
:00402795 6820B14000              push 0040B120
:0040279A 8D45E0                  lea eax, dword ptr [ebp-20]
:0040279D 50                      push eax
:0040279E E89D060000              call 00402E40
:004027A3 85C0                    test eax, eax
:004027A5 0F85B0000000            jne 0040285B
---------------------------------------------------------------------------------------------

Let's write this number down, and follow the jump, which lands at 0040285B, which is another number - "1234". Follow the jump here again, and you'll get another number. If you keep following the jumps, you'll end up with five numbers. Exactly the amount we need for the registration screen.

Enter the five numbers you wrote down, and voila! Registered! There are other sequences you can use... I just started with the first number.

-Volatility-
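
Added example, not part of the original tutorial or the program's code: the String Data References step works because every accepted code is stored in the binary as a plaintext literal. The Python sketch below is a release-time audit a developer could run over their own build to flag such tables; the function names, thresholds and sample bytes are constructed for illustration.

```python
import re

# Constructed stand-in for a data section: NUL-terminated literals shaped like
# the ones listed in the tutorial. Layout and padding are assumptions.
SAMPLE_RDATA = (
    b"\x00\x10\x8b\xff" b"Unregistered\x00"
    b"7632\x00\x00\x00\x00" b"1234\x00\x00\x00\x00" b"4444\x00\x00\x00\x00"
    b"56432132156632\x00\x00" b"REGDATA.DAR\x00"
    b"\x90\x90\xcc" b"Version 1.0\x00"
)

def extract_strings(data, min_len=2):
    """Yield (offset, text) for each printable-ASCII run of min_len+ bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    for m in re.finditer(pattern, data):
        yield m.start(), m.group().decode("ascii")

def numeric_clusters(data, max_gap=16, min_run=3):
    """Return runs of digit-only literals stored within max_gap bytes of each
    other. min_run or more in a row suggests a table of hardcoded codes."""
    clusters, run = [], []
    for off, text in extract_strings(data):
        # Distance from the end of the previous digit literal to this one.
        near = bool(run) and off - (run[-1][0] + len(run[-1][1])) <= max_gap
        if text.isdigit() and (near or not run):
            run.append((off, text))
            continue
        # Run ended: keep it if long enough, then start over.
        if len(run) >= min_run:
            clusters.append(run)
        run = [(off, text)] if text.isdigit() else []
    if len(run) >= min_run:
        clusters.append(run)
    return clusters

def audit(data):
    """Return one finding line per cluster, for use as a build gate."""
    return [
        "offset 0x%x: %d adjacent numeric literals (%s)"
        % (c[0][0], len(c), ", ".join(t for _, t in c))
        for c in numeric_clusters(data)
    ]

if __name__ == "__main__":
    for line in audit(SAMPLE_RDATA):
        print(line)
```

A finding here means the accepted codes are readable by anyone who opens the file in a disassembler, so validation should not depend on comparison values shipped in the client.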