Crack: Crystal Reports Pro
Type of protection: Serial
Tools: SoftICE (the best JIT debugger I've ever seen)
       W32Dasm (Windows disassembler)
       Quick View (Windows utility)
       HVIEW.EXE (use version 4.41!)
Author: --{[CRK]}--

-+< Intro:

This crack was done to help a desperate programmer, an old friend. He was developing a VB program that used .OCX and .DLL files, but he couldn't do it with Crystal Reports because his copy was unregistered! I had been away for a while, and it had been a long time since I last saw a protection scheme like this one, where the registration check is done by an external file. Enough said, let's work.

-+< Hands on:

As soon as you start the program it asks for registration. When registration fails it shows a message box ("Invalid Serial number"). The Win32 API used for dialog boxes is MessageBoxA, so set a breakpoint in SoftICE: BPX MessageBoxA, type any fake number in the code field (it must be a number) and click 'Done'. SoftICE pops up now. Press F11 to return from the API call and you will be back in Windows; click OK and you are back in SI, just after the MessageBox call:

    ...
    00FE1172 FF152C250001   CALL [USER32!MessageBoxA]
    00FE1178 B801000000     MOV EAX, 00000001        <- you land here (after F11)
    ...

Notice that you would expect to read something like "CRW32!.TEXT ..." in the SI status line; instead you see C2SUPPRT.DLL. What happened is that the program is executing a function exported by C2SUPPRT.DLL, in other words the checking routine is not in the program but in an external DLL! Disable the breakpoints (BD *) in SI and go to the program's directory to look for this file. Open it in Quick View and look at the export table; the following functions should be listed: Status, Support, Order, VerifyReg, etc. ... Oops! *VERIFYREG* does it ...? Yes, of course ;-) Now we must find out how it works, and for this task we use W32Dasm.
Disassemble C2SUPPRT.DLL and open 'StrRef' (String References); a window lists some of the phrases, messages and words used by this DLL:

    [String References window]:
    ...
    String Resource ID=17012: "Please enter your name and phone number."
    String Resource ID=17024: "The Serial number is invalid"                  <- this is the message we got!
    String Resource ID=17025: "Your registration information has been updated"
    String Resource ID=17026: "Your software has been successfully registered"
    String Resource ID=17027: "Please select or enter a Country"
    ...

Click on the string we found before to get the related offset (memory address); note that there is only one reference, which makes our work easier. The address must be 00D0D854. Scroll up until you find the reference User32.GetDlgItemTextA, a Windows API used to read a text field. Note the sequence: the code is typed, an API is called to read the text we typed, and just below we get an error message. This means the checking routine is somewhere in this block; let's analyze it (the listing below was taken from HVIEW, so it looks a little confusing ...):

    :00D0D839 FF154C25D200   call [00D2254C]         <- GetDlgItemTextA (read what you typed)
    :00D0D83F 807C241000     cmp b,[esp][00010],00   <- did you type anything?
    :00D0D844 7429           je 0000CC6F             <- if it's empty then jump
    :00D0D846 8D442410       lea eax,[esp][00010]    <- address of the buffer holding our code goes into EAX
    :00D0D84A 50             push eax                <- pass it as the argument
    :00D0D84B E810140000     call 0000E060           <- call the checking routine
    :00D0D850 85C0           test eax,eax            <- test the value returned in EAX
    :00D0D852 751B           jne 0000CC6F            <- non-zero jumps past the error; if EAX = 0 we are unregistered users
    :00D0D854 6880420000     push 00004280           <- "The Serial Number is invalid" (4280h = 17024, the resource ID above)
    :00D0D855 E8823AFFFF     call 000006E0           <- call that stupid MessageBox

The call at 00D0D84B is what verifies whether we are registered. The code inside it does not matter to the rest of the DLL, and we want it to always return a non-zero value in EAX so that we get registered status!
In order to be happy people we can modify this function! Go into this call: put your pointer (line selection) on the line D0D84B and click 'CALL' to follow it. We land here:

    :00D0EC60 83EC1C   sub esp,1C   <- beginning
    :00D0EC63 56       push esi
    :00D0EC64 57       push edi
    ...

Let's overwrite these lines so the function always returns a non-zero value in EAX. Run HVIEW and open C2SUPPRT.DLL (make a backup first ...), switch to 32-bit mode (F4) and to the assembly view (F2). The address 00D0EC60 corresponds to file offset 0000E060; GOTO (F5) offset E060 and press ENTER. Now we are at the same place W32Dasm was. Replace the original code with this one (using the EDIT command (F3) in HVIEW):

    0000E060: 33C0     xor eax,eax   <- clear EAX (EAX = 0)
    0000E062: 48       dec eax       <- EAX = -1, thus non-zero
    0000E063: C20400   retn 0004     <- return (the bytes 8A06 that follow are untouched leftovers of the original code)
    ^Offsets  ^Hex     ^Asm code

Notice we've overwritten the start of the function and cut it short: we reuse the function's own 'retn 0004' (it takes the one argument pushed by the caller) and skip the entire checking code, returning what we need in EAX. If you want to modify the code using hex bytes (recommended) use F3; if you want to assemble it manually, press F3 then F2 and edit. Press F9 to save the edited code and F10 to exit the program. Copy the patched DLL into the Crystal Reports (CRW32.EXE) directory and start it. Whoa! It still asks for registration! But this time fill in whatever you want and make up a fake code, because the program will now accept anything as a registration code! Look at the About box ;-) All your information is stored in the file called 'crw.crr' and you can change it anytime you want.

Cracked!

website: www.thereverser.cjb.net , E+Mail: infinitecrk@yahoo.com.
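Two observations in this tutorial matter to anyone shipping or auditing a program protected this way: the registration decision lives in an exported function of a separately shipped DLL, and that function can be reduced to a three-instruction constant-return stub. The following Python example is added here; it is not part of the original tutorial and not C2SUPPRT.DLL's code. It does the Quick View step programmatically, parsing the export table of a PE32 image, and then flags any export whose entry point looks like such a stub, which is a cheap integrity check a build-verification script or a loader can run. The DLL image it parses is constructed in memory: the export names Order, Status and VerifyReg are borrowed from the page, while the layout, section name, code bytes and the stub patterns are assumptions made for illustration.

```python
"""Added example, not from the original tutorial: parse the export table of a
PE32 DLL (what Quick View showed) and flag exports whose entry point is a
constant-return stub such as the page's 'xor eax,eax / dec eax / retn'.
The image parsed here is CONSTRUCTED in memory; it is not C2SUPPRT.DLL."""
import struct

def _headers(image):
    """Validate the MZ/PE headers; return (optional header offset, section table)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe = struct.unpack_from("<I", image, 0x3C)[0]            # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", image, pe + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]   # SizeOfOptionalHeader
    opt = pe + 24
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:     # Magic: PE32 only
        raise ValueError("only 32-bit PE32 images are handled here")
    # Per section header: (VirtualAddress, SizeOfRawData, PointerToRawData) start at +12
    sections = [struct.unpack_from("<III", image, opt + opt_size + i * 40 + 12)
                for i in range(nsec)]
    return opt, sections

def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset through the section table."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError("RVA %#x is outside every section" % rva)

def parse_exports(image):
    """Return {export name: function RVA} for the named exports of a PE32 image."""
    opt, sections = _headers(image)
    exp_rva, exp_size = struct.unpack_from("<II", image, opt + 96)   # DataDirectory[0]
    if exp_rva == 0 or exp_size == 0:
        return {}
    d = _rva_to_offset(exp_rva, sections)
    n_names, funcs_rva, names_rva, ords_rva = struct.unpack_from("<IIII", image, d + 24)
    exports = {}
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", image, _rva_to_offset(names_rva, sections) + 4 * i)[0]
        ordinal = struct.unpack_from("<H", image, _rva_to_offset(ords_rva, sections) + 2 * i)[0]
        func_rva = struct.unpack_from("<I", image, _rva_to_offset(funcs_rva, sections) + 4 * ordinal)[0]
        off = _rva_to_offset(name_rva, sections)
        exports[image[off:image.index(b"\0", off)].decode("ascii")] = func_rva
    return exports

def is_constant_return_stub(code):
    """Heuristic: entry bytes are 'xor eax,eax; dec eax; ret[n]' or 'mov eax,imm32; ret[n]'."""
    ret = (b"\xc2", b"\xc3")                                  # retn imm16 / retn
    return (code[:3] == b"\x33\xc0\x48" and code[3:4] in ret) or \
           (code[:1] == b"\xb8" and code[5:6] in ret)

def flag_stubbed_exports(image):
    """Names of exports whose first bytes look like a constant-return stub."""
    _, sections = _headers(image)
    return sorted(name for name, rva in parse_exports(image).items()
                  if is_constant_return_stub(image[_rva_to_offset(rva, sections):][:8]))

def build_sample_dll(patched):
    """Construct a tiny PE32 DLL with three named exports (sample data, not a real file).
    With patched=True, VerifyReg's entry is replaced by the page's 3-instruction stub."""
    names = ["Order", "Status", "VerifyReg"]                  # kept sorted, as a real loader expects
    sec_va, sec_raw = 0x1000, 0x200
    code = bytearray()
    for n in names:                                           # 16 bytes of code per export
        body = b"\x33\xc0\x48\xc2\x04\x00" if (patched and n == "VerifyReg") \
            else b"\x83\xec\x1c\x56\x57"                      # sub esp,1C; push esi; push edi
        code += body.ljust(16, b"\xcc")
    exp_off = len(code)
    funcs_off, names_off = exp_off + 40, exp_off + 40 + 4 * len(names)
    ords_off = names_off + 4 * len(names)
    str_off = ords_off + 2 * len(names)
    strings, str_rvas = bytearray(), []
    for n in names:
        str_rvas.append(sec_va + str_off + len(strings))
        strings += n.encode("ascii") + b"\0"
    # IMAGE_EXPORT_DIRECTORY followed by the address, name and ordinal tables
    section = code + struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, len(names), len(names),
                                 sec_va + funcs_off, sec_va + names_off, sec_va + ords_off)
    section += b"".join(struct.pack("<I", sec_va + 16 * i) for i in range(len(names)))
    section += b"".join(struct.pack("<I", r) for r in str_rvas)
    section += b"".join(struct.pack("<H", i) for i in range(len(names)))
    section += strings
    hdr = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40))   # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, sec_va + exp_off, len(section) - exp_off)
    hdr += opt + b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(section), sec_va, sec_raw, sec_raw, 0, 0, 0, 0, 0x60000020)
    return bytes(hdr.ljust(sec_raw, b"\0") + bytes(section).ljust(sec_raw, b"\0"))

if __name__ == "__main__":
    for patched in (False, True):
        img = build_sample_dll(patched)
        print("patched=%s exports=%s stubs=%s" % (patched, sorted(parse_exports(img)),
                                                  flag_stubbed_exports(img)))
```

A function that legitimately begins with xor eax,eax / dec eax / retn is flagged too, so treat a hit as a prompt for review rather than proof of tampering; pinning a hash of the whole DLL and checking it before the program trusts any exported verdict is the stronger control, and a check whose entire result is one boolean in EAX remains a single point of failure whatever the loader does.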