//**cracking tut by alpine**// //*****and******// //**the immortal descendants**//

#4 05.1999

Greetings and welcome to a new tutorial from alpine. Today we are dealing with a program called powermark. We are going to manipulate it so that you can enter any serial you want. This essay is for intermediate crackers.

We need:
- SoftICE
- W32Dasm
- a hex editor of your choice
- and of course our target. Download it from: www.kaylon.com (495 kb)

Let's start

When you start the program you will come across a time-trial protection. We won't deal with it today, because it is a very easy one. Now go to Help/Enter License Code and you will get a dialog box to enter name and reg. number. Enter your favourite name and serial; I used alpine and 1234565. Press OK and you will get an error message telling you the serial is wrong.

Now set a breakpoint on hmemcpy (bpx hmemcpy) and press OK again. You will be back in SoftICE. There were two fields to enter our strings, so press F5 once more to be sure both strings have been copied into memory. Now press F12 until you are back in the main exe file, then trace with F10 until you reach the following code:

:0041298A 8BCB mov ecx, ebx
:0041298C 56 push esi
:0041298D E810B80100 call 0042E1A2
:00412992 8BCF mov ecx, edi
:00412994 E866C60100 call 0042EFFF
:00412999 8BCE mov ecx, esi
:0041299B E85FC60100 call 0042EFFF <-- same call on both strings (edi, then esi)
:004129A0 8B5608 mov edx, dword ptr [esi+08]
:004129A3 8B4F08 mov ecx, dword ptr [edi+08]
:004129A6 E878FFFEFF call 00402923 <--- serial check and our message box
:004129AB 85C0 test eax, eax
:004129AD 7409 je 004129B8

Now trace into (F8) the call at 004129A6, i.e. the function that starts at 00402923. Check the addresses: the code we want, at 00402935, lies 0x12 bytes past that function's entry, so this is the call to step into, not the one at 0041299B. Then press F10 until you reach:

:00402935 E8D2BC0200 call 0042E60C
:0040293A 3D6965C632 cmp eax, 32C66569
:0040293F 7478 je 004029B9
:00402941 3D74788689 cmp eax, 89867874
:00402946 744C je 00402994
:00402948 3D01DC1498 cmp eax, 9814DC01
:0040294D 740C je 0040295B
:0040294F 3DBF61A7D9 cmp eax, D9A761BF
:00402954 7463 je 004029B9
:00402956 E98B000000 jmp 004029E6

What happens here?
At 00402935 our serial is compared to the real one (the call to 0042E60C does the work in a loop), and a result code is returned in eax. This number can be:

32c66569 = wrong serial
89867874 = not the right format
9814dc01 = right, registered
d9a761bf = something else

I know that 9814dc01 is the number for a right serial because after the conditional jump at 0040294D there is a push (push 0040130), and when I did d 0040130 I saw a "registered" message in the data window.

So what we want is that the program does not jump at 0040293F and 00402946, but does jump at 0040294D. I patched it like this:

original:
:0040293A 3D6965C632 cmp eax, 32C66569
:0040293F 7478 je 004029B9

changed to:
:0040293A B801DC1498 mov eax, 9814DC01
:0040293F 90 nop
:00402940 90 nop

You see, instead of jumping to the bad boy it puts the number for the right serial into eax. The replacement is exactly seven bytes, the same as the cmp (5 bytes) plus the je (2 bytes) it overwrites, so nothing after it shifts. The addresses above are memory addresses, not file offsets, so in your hex editor search for the bytes 3D 69 65 C6 32 74 78 and overwrite them with B8 01 DC 14 98 90 90; make sure that seven-byte sequence occurs only once in the file before you change it. The two checks that follow stay in place: eax no longer equals 89867874, so 00402946 falls through, and the cmp at 00402948 now always matches, so 0040294D jumps to the good-boy code at 0040295B.

OK, did you do it? Then start the program and register it with whatever you want, and the program will say OK! After registering you will find your name in the about box.

But we are not finished yet. Quit the program and rerun it, and you will see it is still unregistered. My thought was: maybe the program checks the 9814dc01 number once again at startup, and it does. I searched for 9814dc01 and found the following code:

:00403EF3 E814A70200 call 0042E60C
:00403EF8 3D6965C632 cmp eax, 32C66569
:00403EFD 7437 je 00403F36
:00403EFF 3D74788689 cmp eax, 89867874
:00403F04 7430 je 00403F36
:00403F06 3D01DC1498 cmp eax, 9814DC01
:00403F0B 7409 je 00403F16
:00403F0D 3DBF61A7D9 cmp eax, D9A761BF
:00403F12 7422 je 00403F36
:00403F14 EB73 jmp 00403F89

You see, it is the same as above, but the addresses are different. We do the same as above: change cmp eax, 32c66569 into mov eax, 9814dc01 and nop out the conditional jump at 00403EFD. In the hex editor that is the sequence 3D 69 65 C6 32 74 37 (note the different je displacement, which is what tells the two sites apart) replaced with B8 01 DC 14 98 90 90. Run your program and it will say it is registered to test drive. Go to Help/Enter License Code and put your favourite name and serial into the box. Now quit the program, and after starting it again it will say that it is registered to your name.

That's all...
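As an added worked example (this is not part of alpine's tutorial, and it does not touch the real powermark binary), the Python below does the hex-editor step programmatically and checks the reasoning above. It encodes the cmp/je pair and its seven-byte replacement from the constants in the listing, refuses to patch unless the byte pattern is unique in the image, and walks the four-way compare chain to show which address each site ends up at before and after the patch. The image it patches is a constructed byte string rebuilt from the hex column of the two listings with filler around it; the file offsets in it, the function names, and the filler are assumptions for the example only.

```python
import struct

# Values taken from the tutorial's W32Dasm listing.
REG_OK = 0x9814DC01          # result code the program treats as "registered"
BAD_SERIAL = 0x32C66569      # result code for a wrong serial

OP_CMP_EAX_IMM32 = 0x3D
OP_MOV_EAX_IMM32 = 0xB8
OP_JE_REL8 = 0x74
OP_NOP = 0x90


def cmp_eax(imm):
    """Encode `cmp eax, imm32` (opcode 3D, little-endian immediate)."""
    return bytes([OP_CMP_EAX_IMM32]) + struct.pack("<I", imm)


def je(disp):
    """Encode `je rel8`."""
    return bytes([OP_JE_REL8, disp & 0xFF])


def mov_eax_nop_nop(imm):
    """`mov eax, imm32; nop; nop`: 7 bytes, the same length as cmp+je."""
    return bytes([OP_MOV_EAX_IMM32]) + struct.pack("<I", imm) + bytes([OP_NOP, OP_NOP])


def find_all(data, pattern):
    """All offsets of `pattern` in `data`, overlapping matches included."""
    hits, start = [], 0
    while (i := data.find(pattern, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def patch_cmp_je(data, imm, je_disp, target):
    """Replace the unique `cmp eax,imm / je +je_disp` pair with `mov eax,target; nop; nop`.
    Refuses to patch unless the pattern occurs exactly once, so a pattern that also
    matches elsewhere in the file cannot silently corrupt unrelated code."""
    pattern = cmp_eax(imm) + je(je_disp)
    hits = find_all(data, pattern)
    if len(hits) != 1:
        raise ValueError(f"pattern {pattern.hex()} found {len(hits)} times at {hits}")
    repl = mov_eax_nop_nop(target)
    assert len(repl) == len(pattern)            # never change code size in place
    off = hits[0]
    return data[:off] + repl + data[off + len(repl):], off


def first_taken_jump(code, base, eax):
    """Walk a compare chain mapped at `base` with the given eax and return the address
    of the first jump taken. Only the opcodes present in the listing are decoded."""
    ip, zf = 0, False
    while ip < len(code):
        op = code[ip]
        if op == 0xE8:                          # call rel32: assume it returned with `eax`
            ip += 5
        elif op == OP_MOV_EAX_IMM32:            # mov eax, imm32
            eax = struct.unpack_from("<I", code, ip + 1)[0]
            ip += 5
        elif op == OP_CMP_EAX_IMM32:            # cmp eax, imm32 sets ZF
            zf = eax == struct.unpack_from("<I", code, ip + 1)[0]
            ip += 5
        elif op == OP_JE_REL8:                  # je rel8, relative to the next instruction
            disp = struct.unpack_from("<b", code, ip + 1)[0]
            ip += 2
            if zf:
                return base + ip + disp
        elif op == OP_NOP:
            ip += 1
        elif op == 0xEB:                        # jmp rel8
            return base + ip + 2 + struct.unpack_from("<b", code, ip + 1)[0]
        elif op == 0xE9:                        # jmp rel32
            return base + ip + 5 + struct.unpack_from("<i", code, ip + 1)[0]
        else:
            raise ValueError(f"unhandled opcode {op:#04x} at {base + ip:#010x}")
    raise ValueError("no jump taken before end of code")


# Constructed stand-in for the two code sites in the listing (00402935 and 00403EF3),
# byte for byte from the hex column; the filler and offsets are made up for the example.
SITE1 = (b"\xE8\xD2\xBC\x02\x00"
         + cmp_eax(0x32C66569) + je(0x78) + cmp_eax(0x89867874) + je(0x4C)
         + cmp_eax(0x9814DC01) + je(0x0C) + cmp_eax(0xD9A761BF) + je(0x63)
         + b"\xE9\x8B\x00\x00\x00")
SITE2 = (b"\xE8\x14\xA7\x02\x00"
         + cmp_eax(0x32C66569) + je(0x37) + cmp_eax(0x89867874) + je(0x30)
         + cmp_eax(0x9814DC01) + je(0x09) + cmp_eax(0xD9A761BF) + je(0x22)
         + b"\xEB\x73")
PAD = b"\x00" * 16
SAMPLE_IMAGE = PAD + SITE1 + PAD + SITE2 + PAD
SITE1_OFF, SITE2_OFF = len(PAD), len(PAD) + len(SITE1) + len(PAD)


def patch_powermark(data):
    """Apply both patches from the tutorial; returns (patched image, patch offsets)."""
    data, off1 = patch_cmp_je(data, BAD_SERIAL, 0x78, REG_OK)   # Enter License Code check
    data, off2 = patch_cmp_je(data, BAD_SERIAL, 0x37, REG_OK)   # start-up re-check
    return data, (off1, off2)


def branch_taken(image, site_off, base, eax):
    """Address the compare chain at `site_off` (mapped at `base`) ends up at for this eax."""
    return first_taken_jump(image[site_off:], base, eax)


if __name__ == "__main__":
    patched, offs = patch_powermark(SAMPLE_IMAGE)
    for off in offs:
        print(f"file offset {off:#06x}: {SAMPLE_IMAGE[off:off + 7].hex()} -> {patched[off:off + 7].hex()}")
    print(f"wrong serial, unpatched: {branch_taken(SAMPLE_IMAGE, SITE1_OFF, 0x00402935, BAD_SERIAL):#010x}")
    print(f"wrong serial, patched:   {branch_taken(patched, SITE1_OFF, 0x00402935, BAD_SERIAL):#010x}")
```

The je displacement is part of the search pattern on purpose: the bare five-byte `cmp eax, 32C66569` occurs at both sites, so a patcher keyed on it alone would refuse to run (or, without the uniqueness check, hit the wrong one first). The chain walker is the same check you do by hand in SoftICE: with eax forced to 9814dc01 the second compare falls through and the third je is taken, and the unpatched chain lands on the bad-boy address for the wrong-serial code.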
alpine
alpine@gmx.at

thanks to the immortal descendants
4D