Software Reverse Engineering - DocMan v2.1 - Hardcoded Registration Keys!
Copyright (c) 1998 Volatility
Document Courtesy of The Immortal Descendants - http://pages.prodigy.net/volatility

This protection is so pathetic, I shouldn't be wasting my time writing this essay. The author might as well GIVE the program away for FREE! Since this protection is so simple, I decided to show another way to crack it, so it wouldn't be a complete waste of time, even though this method is about equally simple.

---------------------------------------------------------------------------------------------
Target: DocMan v2.1 - (docman21.zip) 116,334 bytes.
Download this at: ftp://ftp.eurobretagne.fr/pub/pc/win95/sysutil/docman21.zip

Tools Needed:
WDASM - recommended (or disassembler of your choice)
SOFT-ICE (any version)
---------------------------------------------------------------------------------------------

---------------------------------------------------------------------------------------------
METHOD 1: HARDCODED REGISTRATION KEYS
---------------------------------------------------------------------------------------------

Prepare To Crack:

After running the install program, I ran DocMan and checked for a registration screen. I found it at "Help", "About DocMan". There is only one place to enter a key, and the key can only be 6 characters. I entered a dummy code (272727) to see what the error message would say. I wrote down the error message and fired up Wdasm: "Disassembler", "Open file to disassemble".

Making The Crack:

I always check the String References under "Refs", "String Data References", because more often than not you can find such strings as "Registered", "Registered To", "Registration", etc. I looked through the strings and saw "IFNRUX", "IUIOOP" and "KNJRUT". This looked rather curious to me, so I double-clicked on one of them. Would you believe it, this popped me right smack dab into the registration routine. I thought to myself "no, this can't be... the registration keys?". I tried one out... I'll be damned! They all work! Stupid, Stupid, Stupid lazy programmers. Here are the hardcoded keys:

---------------------------------------------------------------------------------------------
Valid Registration Keys
---------------------------------------------------------------------------------------------
IFNRUX
AHPUQW
IUIOOP
KNJRUT
---------------------------------------------------------------------------------------------

---------------------------------------------------------------------------------------------
METHOD 2: FISHING FOR VALID KEYS IN SOFT-ICE
---------------------------------------------------------------------------------------------

NOTE: If you don't know how to use Soft-Ice, I'd suggest getting some tutorials from the web; there are MANY good ones out there.

Prepare To Crack:

Since we disassembled the program once already, we can look at the Imports ("Functions", "Imports") in Wdasm to see what we need to breakpoint on in Soft-Ice. To save you time, the two most common imports are "GetDlgItemTextA" and "GetWindowTextA" for 32-bit programs. To save you even more time, the one we need is "GetDlgItemTextA". Run DocMan and open up the registration screen. Enter some test data, then press Ctrl+D to pop into Soft-Ice. Set a breakpoint on GetDlgItemTextA (BPX GETDLGITEMTEXTA). Press Ctrl+D to exit back to DocMan and click the "Unlock" button. Soft-Ice will pop up on the breakpoint. Press F11 once to get into the routine, and you'll land in the following code:

---------------------------------------------------------------------------------------------
0137:00402B3B CALL [USER32!GetDlgItemTextA]
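The reason Method 1 works is that the key table sits in the binary as plaintext literals, so any string-reference listing hands them over. The added example below is mine, not code from the essay or from DocMan: it contrasts that pattern with a check that stores only SHA-256 digests of the keys, then runs a simple printable-string scan (what a tool's string references amount to) over a constructed byte blob standing in for each build's data section. The key values are the four from the essay; the blob layout is a constructed stand-in, not DocMan's real layout.

```python
import hashlib
import hmac
import re

# The four keys listed in the essay. A weak build embeds them as plaintext
# literals, which is exactly what the string-reference listing revealed.
KEYS = ("IFNRUX", "AHPUQW", "IUIOOP", "KNJRUT")

# Weak pattern: the comparison table IS the key list, so every valid key is a
# readable literal in the binary.
def check_key_weak(entered: str) -> bool:
    return entered in KEYS

# Hardened pattern: store only SHA-256 digests (normally computed at build time;
# computed in-process here so the example is self-contained). The binary then
# holds no string that is itself a valid key.
KEY_DIGESTS = tuple(hashlib.sha256(k.encode()).digest() for k in KEYS)

def check_key_hashed(entered: str) -> bool:
    digest = hashlib.sha256(entered.encode()).digest()
    # compare_digest is constant-time per entry; loop over every entry rather
    # than short-circuiting so the match position is not leaked via timing.
    found = False
    for stored in KEY_DIGESTS:
        found |= hmac.compare_digest(digest, stored)
    return found

def build_blob(table) -> bytes:
    """Constructed stand-in for a data section: NUL-terminated entries."""
    return b"\x00".join(e if isinstance(e, bytes) else e.encode() for e in table) + b"\x00"

def string_refs(blob: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs of min_len or more, like a disassembler's string list."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

def leaked_keys(blob: bytes) -> list:
    """Extracted strings that are directly usable as registration keys."""
    return [s for s in string_refs(blob) if check_key_weak(s)]

if __name__ == "__main__":
    print("weak build leaks:", leaked_keys(build_blob(KEYS)))          # all four keys
    print("hashed build leaks:", leaked_keys(build_blob(KEY_DIGESTS)))  # []
```

Hashing removes the string-table shortcut only; with a six-character key space and the comparison routine still inside the binary, offline validation stays weak, which is why Method 2 in the essay works regardless.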