Cracking "Second Copy 97 v 5.31 (build96)"

Date            : June 27, 1999
Author          : +ViPeR+
Program Name    : Second Copy 97 ver 5.31 (build 96)
Location        : http://www.centered.com
Cracking method : ECHO

-------------------------------------------------------------------------------

Your first job is to find the place to enter the registration key. (Try it, it is not hard at all.) Ok, you found it; enter whatever info you like. I enter the following:

  Name     : evc_viper
  Reg. Key : 123456789ABCDE

Fire up Soft-Ice and set a breakpoint with 'bpx hmemcpy'. Type 'x' and press Enter to leave Soft-Ice; when it breaks on hmemcpy, type 'x' Enter once more and stop at the second break. (If you type 'x' again you still come back to Soft-Ice, but you won't see the code below.) Then press F11 once, F12 six times and F10 22 times, and you will land at 00461DC5:

:
:00461DC0 E863A5FCFF    call 0042C328
:00461DC5 8B45F4        mov eax, dword ptr [ebp-0C]   ; we land here
:00461DC8 5A            pop edx
:00461DC9 E8D2F3FFFF    call 004611A0
:

Press F8 to step into the call at 00461DC9. Then press F10 until you reach:

:
:004611C8 E86F2AFAFF    call 00403C3C
:

The above call calculates the length of your fake reg. key, which is then compared with E (hex):

:004611CD 83F80E        cmp eax, 0000000E
:004611D0 0F8599000000  jne 0046126F

That is why your reg. key must be exactly E (hex) = 14 (dec) characters long; any other length jumps straight to the failure path at 0046126F. Ok, let's keep moving down and see what is going on.

:004611D6 8D45F8        lea eax, dword ptr [ebp-08]
:004611D9 50            push eax
:004611DA B904000000    mov ecx, 00000004
:004611DF BA01000000    mov edx, 00000001
:004611E4 8BC3          mov eax, ebx
:004611E6 E8552CFAFF    call 00403E40

The above call fetches the first 4 characters of your reg. key. The register usage (source string in eax, start position in edx, count in ecx, pointer to the result pushed on the stack) looks like Delphi's Copy(S, Index, Count), which counts positions from 1. In our case the result is '1234'. If you want to know where they are, notice that at 004611D6 there is 'lea eax, dword ptr [ebp-08]'; when you trace to this line, do a 'd eax' and you will see the following pattern in your data window:

00 00 00 00 ** ** ** ** ...

After the above call (at 004611E6) those zeros are replaced by an address, and that is where your first 4 characters are stored.

<< Note: the same trick is used in the following paragraphs. >>

Keep going:

:004611EB 8D45F4        lea eax, dword ptr [ebp-0C]
:004611EE 50            push eax
:004611EF B909000000    mov ecx, 00000009
:004611F4 BA06000000    mov edx, 00000006
:004611F9 8BC3          mov eax, ebx
:004611FB E8402CFAFF    call 00403E40

The above call takes 9 characters of your fake registration key starting at position 6, i.e. the last 9 characters, and stores them at some memory address. In our case that is '6789ABCDE'. Notice that the 5th character of the key is never looked at.

:00461200 8D45FC        lea eax, dword ptr [ebp-04]
:00461203 8BCE          mov ecx, esi
:00461205 8B55F8        mov edx, dword ptr [ebp-08]
:00461208 E87B2AFAFF    call 00403C88

The above call glues the first 4 characters and your name together and stores the result in memory (use the above trick to see where). In our case it is '1234evc_viper'.

:0046120D 8D55F0        lea edx, dword ptr [ebp-10]

Type 'd edx' and you will see 00 00 00 00 ** ** ** ** ... in your data window.

:00461210 8B45FC        mov eax, dword ptr [ebp-04]
:00461213 E898010000    call 004613B0

This call is the real key generator: it takes '1234evc_viper' in eax and writes a pointer to its result at [ebp-10]. After the call those zeros have been replaced by a memory address; in my case it is 54 62 C3 00 ** ** ** ** .... Type 'd c36254' and I see 'CAFC-D202' in my data window. Ok, keep going.

:00461218 8B55F0        mov edx, dword ptr [ebp-10]
:0046121B 8B45F4        mov eax, dword ptr [ebp-0C]

If you 'd edx' you will see 'CAFC-D202', and if you 'd eax' it shows '6789ABCDE'. Ha, you see what we are getting at: the program has just computed the value it expects in the last 9 characters of the key, and the next call compares the two strings. The rest of the code is not really interesting.

:0046121E E8292BFAFF    call 00403D4C
:00461223 7546          jne 0046126B
:

So our correct registration key is the first 4 characters we typed, the (unchecked) 5th character, and the 9 characters the program echoed back:

  '12345CAFC-D202'

Type 'x' to leave Soft-Ice and re-enter:

  Name     : evc_viper
  Reg. key : 12345CAFC-D202

You are registered. (By the way, you are registered for a 4093 user license. What a cool way to beat the program.)

+ViPeR+
[E]bola [V]irus [C]rew
June 27, 1999
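As an added example (not code from this tutorial, nor from Second Copy 97), here is a Python model of the check traced above, written to show why an ECHO crack works: every operand of the final compare is derived from what the user typed plus the name, so the program hands you the answer. The length test, the two Copy() extractions (position 1 count 4, position 6 count 9), the concatenation with the name and the final string compare are exactly the steps in the trace. The real routine at 004613B0 is unknown, so the function stand_in_hash() below is my own placeholder that merely produces values of the same shape ('XXXX-XXXX', 9 characters); do not read it as the program's algorithm. The generalization to a keygen (make_key) is mine too.

```python
"""Model of the Second Copy 97 serial check as traced above.

ASSUMPTION: the real routine at 004613B0 is not known; stand_in_hash()
is a placeholder of my own that returns a 9-character 'XXXX-XXXX' string
(the shape seen in the data window, e.g. 'CAFC-D202') so the model can
run.  Everything else mirrors the trace: length 0x0E, Copy(key, 1, 4),
Copy(key, 6, 9), name concatenation and a plain string compare.
"""

KEY_LEN = 0x0E  # 004611CD: cmp eax, 0000000E


def stand_in_hash(s: str) -> str:
    """Placeholder for call 004613B0 (NOT the real algorithm).

    A djb2-style 32-bit mix of the input, rendered as 8 hex digits with
    a dash in the middle, only so the output has the observed shape.
    """
    acc = 0x1505
    for byte in s.encode("latin-1"):
        acc = (acc * 33 + byte) & 0xFFFFFFFF
    hexstr = f"{acc:08X}"
    return f"{hexstr[:4]}-{hexstr[4:]}"


def copy_delphi(s: str, index: int, count: int) -> str:
    """Copy(S, Index, Count) with a 1-based Index, as the two calls to
    00403E40 use it (eax=S, edx=Index, ecx=Count)."""
    return s[index - 1: index - 1 + count]


def check_key(name: str, key: str, hash_fn=stand_in_hash) -> bool:
    """Mirror of the routine at 004611A0."""
    if len(key) != KEY_LEN:            # 004611CD/004611D0: wrong length -> fail
        return False
    head = copy_delphi(key, 1, 4)      # 004611E6: first 4 characters
    tail = copy_delphi(key, 6, 9)      # 004611FB: characters 6..14 (5th skipped)
    expected = hash_fn(head + name)    # 00461208 concat, 00461213 hash
    return expected == tail            # 0046121E compare, 00461223 jne -> fail


def make_key(name: str, head: str = "1234", filler: str = "5",
             hash_fn=stand_in_hash) -> str:
    """Keygen built from the same steps: echo the program's own answer
    back into positions 6..14.  Any 4-character head and any single
    filler character work, because neither is checked on its own."""
    if len(head) != 4 or len(filler) != 1:
        raise ValueError("head must be 4 chars, filler 1 char")
    return head + filler + hash_fn(head + name)


if __name__ == "__main__":
    user = "evc_viper"
    serial = make_key(user)
    print(f"{user} -> {serial} -> valid={check_key(user, serial)}")
```

With the real hash plugged in as hash_fn, check_key() would accept '12345CAFC-D202' for 'evc_viper' and make_key() would be a working keygen; with the placeholder it only demonstrates the structure, including that a 13-character key fails before any hashing and that the 5th character is free.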