February 23, 1999

YOUR FIRST CRACK
(A tutorial for beginners)

By: Phantom_Stranger

Target: ZoomPlus.exe (www.download.com) or (member.tripod.com/~Abject_Darkness/zoomps13.zip)

Tools: W32DSM89.exe, Hedit.exe (or any decent hex editor), and a base converter (if needed)

I downloaded this program from www.download.com (I've found it to be ripe with the fruits of shareware). I chose this program for no other reason than that it was small (60K). Being lazy today, I didn't want thousands of pages of assembly code to wade through.

After I unzipped ZoomPlus, I ran the executable. Right away it asks for the registration key, or you can click on Evaluate to, of course, evaluate the program. I entered a bogus key and clicked on Register. An error box with "Invalid registration number." popped up. Now I had a definite string value to look for.

I then ran W32DSM89.exe and disassembled ZoomPlus.exe. I clicked on the Strn Ref button, located the "Invalid registration number." string and double-clicked on it. That took me to this code segment:

    *Possible Reference to String Resource ID=32795: "Invalid registration number."
    :0040428D 681B800000        push 0000801B

I worked my way up the code to see what jumps referenced this code segment. About ten lines up, I found the reference:

    *Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
    |:00404243(C), :0040425F(C), :00404266(C)

I moved up to these addresses and found:

    *Reference To:USER32.GetWindowTextA, Ord:015Eh
    :0040423B FF159C924000      Call dword ptr [0040929C]
    :00404241 85C0              test eax, eax                   ;tests if the text field is empty
    :00404243 7431              je 00404276                     ;if so, jump to error
    :00404245 8D450C            lea eax, dword ptr [ebp+0C]
    :00404248 6A0A              push 0000000A
    :0040424A 50                push eax
    :0040424B 8D85E0FEFFFF      lea eax, dword ptr [ebp+FFFFFEE0]
    :00404251 50                push eax
    :00404252 E83C120000        call 00405493
    :00404257 83C40C            add esp, 0000000C
    :0040425A 3DA0F69500        cmp eax, 0095F6A0               ;compares your key to lowest possible key minus one
    :0040425F 7E15              jle 00404276                    ;if lower than or equal to, jump to error
    :00404261 3DE00F9700        cmp eax, 00970FE0               ;compares your key to highest possible key plus one
    :00404266 7D0E              jge 00404276                    ;if greater than or equal to, jump to error
    :00404268 A34CBB4000        mov dword ptr [0040BB4C], eax
    :0040426D 56                push esi

So, I fired up my trusty base converter and entered for hex - 0095F6A0. This gave me a decimal value of 9828000. Then I entered 00970FE0. This gave me a decimal value of 9900000. After scribbling down these values, I exited W32DSM89 and started ZoomPlus. Now I know that any number lower than or equal to 9828000 and any number above or equal to 9900000 will give me an error. So, I entered 9828001 for my registration number and it worked! ZoomPlus.exe is now registered with no patching.

Now, anyone may download ZoomPlus from www.download.com somewhere under the utilities section and follow this tutorial for further insight into cracking (especially beginners). But, trust me, there's no greater feeling than cracking your first program without the help of any tutorial.

Well, hopefully, this will be useful to someone out there, or at least it can be a laugh to more experienced crackers when they see how easy it was to pop this program's cherry. Either way, it really doesn't make any difference to me.

Peace out.
Phantom_Stranger
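For developers reading the listing above from the defending side, the following added example (not part of the original tutorial, and not ZoomPlus code) models the range check next to a key that is bound to one licensee. The function names and the sample secret are hypothetical, and the call at 00405493 is assumed to parse the field as a base-10 integer.

```python
import hashlib
import hmac

# Constants copied from the two cmp instructions in the listing above.
LOW_EXCLUSIVE = 0x0095F6A0   # 9828000
HIGH_EXCLUSIVE = 0x00970FE0  # 9900000


def range_check(key_text: str) -> bool:
    """Model of the listing's logic: accept when LOW < key < HIGH.

    Assumption: the call at 00405493 parses the field as a base-10 integer.
    """
    if not (key_text.isascii() and key_text.isdigit()):
        return False
    return LOW_EXCLUSIVE < int(key_text) < HIGH_EXCLUSIVE


def accepted_key_count() -> int:
    """Number of distinct values the range check accepts for every user."""
    return HIGH_EXCLUSIVE - LOW_EXCLUSIVE - 1


def issue_license(secret: bytes, licensee: str) -> str:
    """Vendor side: derive a key from the licensee name with HMAC-SHA256."""
    mac = hmac.new(secret, licensee.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


def verify_license(secret: bytes, licensee: str, key_text: str) -> bool:
    """Recompute the MAC and compare in constant time."""
    expected = issue_license(secret, licensee).encode("ascii")
    supplied = key_text.strip().lower().encode("utf-8")
    return hmac.compare_digest(expected, supplied)


# Constructed sample secret; it must live on the vendor's activation server.
# Embedded in the client it is as readable as the two constants above, so an
# offline check should verify a public-key signature instead.
SAMPLE_SECRET = b"constructed-sample-secret"

if __name__ == "__main__":
    print(range_check("9828001"), accepted_key_count())
    key = issue_license(SAMPLE_SECRET, "alice@example.com")
    print(verify_license(SAMPLE_SECRET, "alice@example.com", key))
    print(verify_license(SAMPLE_SECRET, "bob@example.com", key))
```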