How to crack JPEG Optimizer 3.01
Hello my newbie friends, here I am with tut No 5, I think. We have an easy target, JPEG Optimizer, which you can find at http://www.xat.com; it is shareware.
Run the program, go to About->Register and enter a code of more than 5 digits (I used the old classic 123456), press Ctrl+D for SoftIce to pop up and set a bpx hmemcpy. Press Ctrl+D again to get out and press the OK button. SoftIce will pop up; press F12 12 times until you reach the following code:
:00428BDD 66C746100800 mov [esi+10], 0008
:00428BE3 66C746102C00 mov [esi+10], 002C
:00428BE9 33C9 xor ecx, ecx
:00428BEB 894DF4 mov dword ptr [ebp-0C], ecx
:00428BEE 8D55F4 lea edx, dword ptr [ebp-0C]
:00428BF1 FF461C inc [esi+1C]
:00428BF4 8B83C8010000 mov eax, dword ptr [ebx+000001C8]
:00428BFA E8D98A0100 call 004416D8
:00428BFF 8D45F4 lea eax, dword ptr [ebp-0C]
:00428C02 E823FA0100 call 0044862A
:00428C07 83F806 cmp eax, 00000006 <= Compares the length of our code with 6
:00428C0A 751B jne 00428C27 <= If not 6, then jump to bad code
:00428C0C 837DF800 cmp dword ptr [ebp-08], 00000000
:00428C10 7405 je 00428C17
:00428C12 8B55F8 mov edx, dword ptr [ebp-08]
:00428C15 EB05 jmp 00428C1C
:00428C17 BAFFDF4700 mov edx, 0047DFFF
:00428C1C 52 push edx
:00428C1D E8A60C0000 call 004298C8 <= The procedure which checks the validity of our serial. Stop here
:00428C22 59 pop ecx
:00428C23 84C0 test al, al
:00428C25 7504 jne 00428C2B <= If wrong code, then jump to bad code
:00428C27 33C0 xor eax, eax
:00428C29 EB05 jmp 00428C30
So, you stopped at 00428C1D. Press F8 to step into, then F10 until you see
:0042994E E84D1F0000 call 0042B8A0 <= Checks the validity of our code. Stop again here
:00429953 59 pop ecx
:00429954 84C0 test al, al
:00429956 7404 je 0042995C <= Jump if bad
:00429958 B001 mov al, 01 <= That's good!
:0042995A EB0C jmp 00429968
Stop again at 0042994E and trace into with F8 until you see
:0042B8CF 0FBE0B movsx ecx, byte ptr [ebx]
:0042B8D2 83F93A cmp ecx, 0000003A
:0042B8D5 7548 jne 0042B91F <= Offset 2AED5
:0042B8D7 0FBE4301 movsx eax, byte ptr [ebx+01]
:0042B8DB 83F83D cmp eax, 0000003D
:0042B8DE 753F jne 0042B91F <= Offset 2AEDE
:0042B8E0 0FBE5302 movsx edx, byte ptr [ebx+02]
:0042B8E4 83FA55 cmp edx, 00000055
:0042B8E7 7536 jne 0042B91F <= Offset 2AEE7
:0042B8E9 0FBE4B03 movsx ecx, byte ptr [ebx+03]
:0042B8ED 83F959 cmp ecx, 00000059
:0042B8F0 752D jne 0042B91F <= Offset 2AEF0
:0042B8F2 0FBE4304 movsx eax, byte ptr [ebx+04]
:0042B8F6 83F859 cmp eax, 00000059
:0042B8F9 7524 jne 0042B91F <= Offset 2AEF9
:0042B8FB 0FBE5305 movsx edx, byte ptr [ebx+05]
:0042B8FF 83FA5F cmp edx, 0000005F
:0042B902 751B jne 0042B91F <= Offset 2AF02
:0042B904 C705584348001443FC69 mov dword ptr [00484358], 69FC4314
:0042B90E C605C442480001 mov byte ptr [004842C4], 01
:0042B915 E86688FDFF call 00404180
:0042B91A B001 mov al, 01 <= We want the program to execute this line.
:0042B91C 5B pop ebx
:0042B91D 5D pop ebp
:0042B91E C3 ret
OK, now we are almost done. Open the jpegopt.exe file with HIEW and switch to decode/asm mode. Press F5 and enter 2AED5. If the offsets are different on your computer, disassemble a copy of the exe in W32Dasm, look for the same code and write down the first offset. In Hiew, change the 75xx to 9090 for every jne 0042B91F and press F9 to save the changes. Press <ESC> to exit, run the program and ... Registered.
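From the other side of the table, the patch above leaves a recognisable footprint: a short conditional jump whose two bytes have become 90 90. The following added example (not part of the tutorial) diffs a known-good image of the check routine against a suspect copy and reports every such NOP-ed branch; the bytes, the file-offset/VA relation (2AED5 <-> 0042B8D5) and the tampered sample are all constructed from the listing above.

```python
# Added example, not from the tutorial: a tamper check that diffs a known-good
# image of the serial-check routine against a suspect copy and reports every
# short conditional jump (Jcc rel8) that has been overwritten with NOPs.
# Bytes and offsets are constructed from the listing; the tutorial's pairing
# of file offset 2AED5 with VA 0042B8D5 gives the offset-to-VA delta.

VA_DELTA = 0x0042B8D5 - 0x2AED5              # VA = file offset + VA_DELTA
ROUTINE_FILE_OFFSET = 0x0042B8CF - VA_DELTA  # file offset of the routine start

# Known-good bytes of the routine at 0042B8CF..0042B91E, copied from the listing.
CLEAN = bytes.fromhex(
    "0FBE0B" "83F93A" "7548"
    "0FBE4301" "83F83D" "753F"
    "0FBE5302" "83FA55" "7536"
    "0FBE4B03" "83F959" "752D"
    "0FBE4304" "83F859" "7524"
    "0FBE5305" "83FA5F" "751B"
    "C705584348001443FC69" "C605C442480001" "E86688FDFF" "B001" "5B" "5D" "C3"
)

# Constructed sample of a tampered copy: the six jne at the offsets the tutorial
# lists have been overwritten with 90 90.
TAMPERED = bytearray(CLEAN)
for _off in (0x2AED5, 0x2AEDE, 0x2AEE7, 0x2AEF0, 0x2AEF9, 0x2AF02):
    _i = _off - ROUTINE_FILE_OFFSET
    TAMPERED[_i:_i + 2] = b"\x90\x90"

JCC_SHORT = range(0x70, 0x80)         # Jcc rel8 opcodes; 0x74 = je, 0x75 = jne
MNEMONIC = {0x74: "je", 0x75: "jne"}
NOP = 0x90

def find_nopped_branches(clean, suspect, base_offset, va_delta):
    """Return (file_offset, va, mnemonic, original_target_va) for every short
    conditional jump in `clean` whose two bytes are NOPs in `suspect`.
    Byte-level heuristic, not a disassembler: a hit needs both the clean
    opcode to be a Jcc and the suspect bytes to be 90 90 at the same place."""
    if len(clean) != len(suspect):
        raise ValueError("images differ in length; not an in-place patch")
    hits = []
    for i in range(len(clean) - 1):
        op, rel = clean[i], clean[i + 1]
        if op in JCC_SHORT and suspect[i] == NOP and suspect[i + 1] == NOP:
            va = base_offset + i + va_delta
            rel = rel - 0x100 if rel >= 0x80 else rel   # rel8 is signed
            hits.append((base_offset + i, va, MNEMONIC.get(op, "jcc"), va + 2 + rel))
    return hits

if __name__ == "__main__":
    for off, va, mn, tgt in find_nopped_branches(CLEAN, bytes(TAMPERED), ROUTINE_FILE_OFFSET, VA_DELTA):
        print(f"file {off:06X} (VA {va:08X}): {mn} {tgt:08X} replaced by NOP NOP")
```

Run against the tampered sample it reports six jne sites at 2AED5 through 2AF02, all of which originally branched to 0042B91F; run against the clean image it reports nothing.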
Thanks for reading this tut.
For any questions you can reach me on EF-Net #cracking and #cracking4newbies, or on GR-NET in #cracking (that's mine, hehe) with the nick iNFRA.
My e-mail is dmitspan@usa.net
Goodbye my friends.
Written by: Mitsaras Nuker®