#7 21.06.1999

by alpine
and the immortal descendants


target: submit wolf
url: http://tucows.fiber.net/adnload/dlswolf.html
tools used: softice
level: intermediate

the essay
 
This program shows another, not very hard to crack, protection scheme. We're gonna fish the serial, because it is the easiest way to crack this program. Although it isn't that hard to crack, you can learn a lot about how serials can be built.
First I placed a breakpoint on the MessageBox which told me I had entered a wrong serial.
I'm not gonna mention how I came to the following code snippet (I used a BMSG breakpoint on WM_DESTROY, but you can also break when your data is read: hmemcpy, and you should find your way till here):
 
 
:004177B6 E845840100        call 0042FC00       <-- our real serial is compared to our serial in this call
:004177BB 83C410            add esp, 00000010
:004177BE 85C0              test eax, eax
:004177C0 0F8596000000      jne 0041785C        <-- jump if the serial is right
:004177C6 8D442408          lea eax, dword ptr [esp+08]
:004177CA 8D8C2488000000    lea ecx, dword ptr [esp+00000088]
:004177D1 50                push eax
:004177D2 51                push ecx
:004177D3 E808860100        call 0042FDE0       <-- this call checks if the serial is wrong, or if it belongs to an older version
:004177D8 83C408            add esp, 00000008
:004177DB 85C0              test eax, eax
:004177DD 7433              je 00417812
 
So we have to trace into the call at 004177B6, where the two serials are compared and the real one is generated.
You will find yourself here (sometimes I cut unimportant lines out):
 
 
:0042FC06 8B7C2444                  mov edi, dword ptr [esp+44]       <-- our fake serial is moved to edi
:0042FC0A 85FF                      test edi, edi                     <-- test the length of our serial
:0042FC0C 0F84BA010000              je 0042FDCC                       <-- if length = 0 then jump to bad boy
:0042FC12 8B6C2440                  mov ebp, dword ptr [esp+40]       <-- our name is moved to ebp
:0042FC16 85ED                      test ebp, ebp                     <-- the same as above
:0042FC18 0F84AE010000              je 0042FDCC
:0042FC1E 8A07                      mov al, byte ptr [edi]            <-- the first char of our serial is moved to al
:0042FC20 3C50                      cmp al, 50                        <-- first char is compared to P
:0042FC22 0F859A010000              jne 0042FDC2                      <-- if they don't match, jump to bad boy
:0042FC28 807F0134                  cmp byte ptr [edi+01], 34         <-- the second char of our fake serial is compared to 4
:0042FC2C 750C                      jne 0042FC3A                      <-- jump to bad boy if they don't match
:0042FC2E C7053C1B440000000000      mov dword ptr [00441B3C], 00000000
:0042FC38 EB1C                      jmp 0042FC56
 
As you can see, the first two characters of our (entered) serial are compared to two ASCII codes (50 and 34 = P and 4).
So overwrite the first two chars of your serial. I changed mine from 1234565 into P434565. After you have traced over these code snippets all over again, you should bypass these first comparisons. After you jumped to 0042FC56, trace further on till you get to the following call:
 
 
:0042FC59 E8B2300000        call 00432D10
:0042FC5E 83C408            add esp, 00000008
:0042FC61 85C0              test eax, eax
:0042FC63 0F8463010000      je 0042FDCC         <-- not a good idea to jump
 

There is no need to trace into this call, because I will tell you what it does: it is similar to the comparisons where the first char is compared to P, but the difference is that the program uses a loop to reach the third char. When it reaches the third char, it compares it to the - (= 2D in hex) char. So we have to change our serial once more, from P434565 into P4-1234565. So you should also bypass this compare routine, and we should still be on the winning way.
Tracing further on till:
 
:0042FCA3 C60700            mov byte ptr [edi], 00
 
 
Brief explanation: mov byte ptr [edi], 00 only deletes our -. Before this instruction our P and our 4 have also been deleted. So our serial looks like 1234565 now. Trace on, it is a long way baby.
 
 
:0042FD6C E85B300000        call 00432DCC                   <-- reads the chars after the -
:0042FD71 83C410            add esp, 00000010
:0042FD74 8D7701            lea esi, dword ptr [edi+01]     <-- our chars: 1234565
:0042FD77 8D442428          lea eax, dword ptr [esp+28]     <-- the real chars after the -
:0042FD7B 8A10              mov dl, byte ptr [eax]
:0042FD7D 8ACA              mov cl, dl
:0042FD7F 3A16              cmp dl, byte ptr [esi]

That is the final compare. The call reads the chars (1234565) and generates the real serial based on our name. Type d esi at 0042FD74 and you should get the serial you entered, and at the next line type d eax and you should get the real chars. Now your serial should look like P4-*****, where the ***** are the numbers you get after typing d esi.

That's it......
alpine
alpine@gmx.at

BTW, I hope that I get some response from you.