Vanor - Tutorial: Registration of JPEG Wizard v1.11

Program:     JPEG Wizard v1.11
Description: JPEG Image Manipulation Tool
Author:      (c)1998-1999 Pegasus Imaging Corporation
Size:        2.485.248 Bytes (Jwizard.exe)
Used Tools:
- W32DSM89

1. First, we must find out what kind of protection this program uses. To do this, we start "JPEG Wizard" and open the "Help" menu, where an option "Registration" can already be seen. We click on "Registration" and a window opens where we can enter a Name and a Serial. So "JPEG Wizard" uses a serial number as protection! To get a clue about our serial, enter any data in the registration dialog, e.g.

   Name:   DOOM 1999
   Serial: 112233445566778899

   Be sure to note the error message that appears!

2. Leave the program and load W32DASM89.

3. Now disassemble Jwizard.EXE (to be on the safe side, save the code) and run the program via the debugger [Debug/Load Process].

4. Look for the error message "Invalid Registration Information!" via [Refs/String Data References]. Double-clicking shows the corresponding lines in the listing. We find the reference at the address :004BAEAF.

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   :004BACFC(C)

   :004BAE9D 6A00                    push 00000000

   * Reference To: user32.MessageBeep, Ord:0000h
                                     |
   :004BAE9F E824C3F4FF              Call 004071C8
   :004BAEA4 6A00                    push 00000000
   :004BAEA6 668B0D98AF4B00          mov cx, word ptr [004BAF98]
   :004BAEAD B202                    mov dl, 02

   * Possible StringData Ref from Code Obj ->"Invalid Registration Information!"
                                     |
   :004BAEAF B8F0AF4B00              mov eax, 004BAFF0
   :004BAEB4 E8BB66F8FF              call 00441574

   SNIP

   Yeah! Now we scroll upwards and look at where the error message is called from, or where it is bypassed. That's at 004BACFC. So we search upwards for 004BACFC. Now we are in the following area:

   SNIP

   :004BACF1 8B55F4                  mov edx, dword ptr [ebp-0C]
   :004BACF4 8B45F8                  mov eax, dword ptr [ebp-08]
   :004BACF7 E81893F4FF              call 00404014            ; Check routine for serial number
   :004BACFC 0F859B010000            jne 004BAE9D             ; Call ErrorMessage - Wrong Serial
   :004BAD02 C605CCD0520001          mov byte ptr [0052D0CC], 01
   :004BAD09 BAF4FFFFFF              mov edx, FFFFFFF4
   :004BAD0E 8B8324020000            mov eax, dword ptr [ebx+00000224]
   :004BAD14 E8F77DF6FF              call 00422B10

   SNIP

   To see if our assumption is right, we go on to point 5.

5. We put a breakpoint in front of the corresponding line and start "JPEG Wizard". As Name we take "DOOM 1999" and as Serial "112233445566778899". Now we click on [Register Now]. Wow!!! The program stops. We take a look at the contents of the addresses held in the registers [eax] and [edx], which are filled with data addressed via the register [ebp].

   Contents of edx : 11223344556677889900 -> Our Wrong Serial
   Contents of eax : 129521882            -> Right Serial ?

6. To test whether JPEG Wizard can be registered with the serial we have found, we deactivate all breakpoints and run the program once again. Now we enter the following data:

   Name:   DOOM 1999
   Serial: 129521882

   Yes, we are a "registered user" of JPEG Wizard.

7. Note: After the successful registration, JPEG Wizard writes our data into the registry. The data can be found under the following key:

   HKEY_CURRENT_USER/Software/PegasusImaging/Apps/The JPEG Wizard/

I hope you have fun with cracking!

Vanor [DOOM]
13.04.1999
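
The compare at 004BACF7 only works because the client holds the expected serial in memory next to the entered one, which is why it shows up in a register at the breakpoint. As an added example (not from the original tutorial and not Pegasus Imaging's code), the Python sketch below contrasts that compare-against-expected design with a licence check that only verifies a signature with a public key, so the client never computes a valid value itself. The derivation function, all names and the textbook-RSA key are constructed assumptions; the key is a toy and not secure.

```python
import hashlib

# Constructed toy RSA key built from two Mersenne primes. Far too weak for
# real use; a real product would use a vetted signature scheme and library.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                      # public half: shipped in the client
D = pow(E, -1, (P - 1) * (Q - 1))        # private half: stays with the vendor


def _digest(name: str) -> int:
    """Hash the licensee name to an integer smaller than N."""
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big") % N


def weak_expected_serial(name: str) -> str:
    """Hypothetical derivation: the client itself can compute the valid serial."""
    return str(_digest(name) % 10**9)


def weak_check(name: str, serial: str) -> bool:
    # The expected value exists in client memory beside the user's input,
    # which is the situation observed in eax/edx at the compare.
    return weak_expected_serial(name) == serial


def issue_license(name: str) -> str:
    """Vendor side only: sign the name digest with the private exponent."""
    return format(pow(_digest(name), D, N), "x")


def verify_license(name: str, license_hex: str) -> bool:
    """Client side: needs only (N, E) and never derives a valid licence."""
    try:
        sig = int(license_hex, 16)
    except ValueError:
        return False
    if not 0 < sig < N:
        return False
    return pow(sig, E, N) == _digest(name)
```
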