Target Program: JPEG Optimizer 3.07
Protection: Registration code that is hard-coded
Cure: Registration code
URL: http://www.xat.com/
Program Size: 385 KB
Tools Used: - W32Dasm 8.93
            - SoftICE 4.01 (Optional)
Description: JPEG Optimizer is designed to create the smallest possible JPEG image files. Savings of up to 50 % in file size are possible, which can considerably decrease Web page download times and save disc space.
Compiled By: Borland C++
Registration Fee: $29
Hi again! I hope you will enjoy my second TuT and that it helps you learn more!
This cracking tutorial is for beginners; I'll show you here how to find a serial using W32Dasm.
¶¦¬| Register The Program
`¯¯¯'¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯'¯¯¯¯´
Install the program.
Live Approach:
Run it! In the main window caption we see the #1 magic word "UNREGISTERED". Now go to Help/Register and put in a fake registration code. I entered 11223344. DO NOT PRESS ANYTHING YET. Press CTRL-D and type bpx GetDlgItemTextA to break when that function is called, then CTRL-D again (or F5) to return to JO. Click on "Register" and we get the message "Icorrect registration code". Hmmm! Nothing happened, so CTRL-D again; this time type bpx GetWindowTextA. F5, click on "Register!". Nothing happened this time either, so it seems the program doesn't use those API calls. Hmmmm.
Let's think a little. If we break on HMemCpy it is going to take a lot of time to crack, about 19 presses of F12 and several F10 hits, so type BC* in SoftICE to clear all breakpoints, then X.
Dead Listing Approach:
So let's change our approach to dead listing. Launch W32Dasm, disassemble the program, and search for the message "Icorrect registration code". We don't find it :( so do another search for all the strings linked to registration, and we find " - Unregistered" with one reference. Double-click on it:
* Possible StringData Ref from Data Obj ->" - Unregistered" <--- We land here.
|
:00404759 BABF864700 mov edx, 004786BF
:0040475E 8D8568FFFFFF lea eax, dword ptr [ebp+FFFFFF68]
:00404764 E8DB460400 call 00448E44
:00404769 FF8548FFFFFF inc dword ptr [ebp+FFFFFF48]
:0040476F 33C0 xor eax, eax
:00404771 898564FFFFFF mov dword ptr [ebp+FFFFFF64], eax
:00404777 8D9568FFFFFF lea edx, dword ptr [ebp+FFFFFF68]
:0040477D FF8548FFFFFF inc dword ptr [ebp+FFFFFF48]
:00404783 8D8D64FFFFFF lea ecx, dword ptr [ebp+FFFFFF64]
:00404789 58 pop eax
:0040478A E86C490400 call 004490FB
As always, we must look before that Ref for CCJ (Call+Compare+Jump), so scroll up a little bit to understand what is done before, and...
* Referenced by a (U)nconditional or (C)onditional Jump at Address: <-- we are here
|:00404712(U)
|
:00404719 51 push ecx
:0040471A E8C5570200 call 00429EE4 C <-- Call
:0040471F 59 pop ecx
:00404720 84C0 test al, al C <-- Test
:00404722 0F85E8010000 jne 00404910 J <-- Jump if not equal
:00404728 66C7853CFFFFFFA001 mov word ptr [ebp+FFFFFF3C], 01A0
:00404731 33C0 xor eax, eax
:00404733 89856CFFFFFF mov dword ptr [ebp+FFFFFF6C], eax
:00404739 8D956CFFFFFF lea edx, dword ptr [ebp+FFFFFF6C]
:0040473F FF8548FFFFFF inc dword ptr [ebp+FFFFFF48]
:00404745 8B3D98434800 mov edi, dword ptr [00484398]
:0040474B 8BC7 mov eax, edi
:0040474D E85ADC0300 call 004423AC
:00404752 8D956CFFFFFF lea edx, dword ptr [ebp+FFFFFF6C]
:00404758 52 push edx
As crackers, we draw the conclusion that the call at 40471A is the one we're after. Let's verify that by executing it:
* Referenced by a CALL at Addresses:
|:0040471A , :00429355 <-- This procedure is called twice
|
:00429EE4 55 push ebp <-- We land here
:00429EE5 8BEC mov ebp, esp
:00429EE7 83C4F8 add esp, FFFFFFF8
:00429EEA 53 push ebx
:00429EEB 8B4508 mov eax, dword ptr [ebp+08] <-- Put serial in EAX
:00429EEE 8D5DF8 lea ebx, dword ptr [ebp-08] <-- Prepare the place for duplication
:00429EF1 8A10 mov dl, byte ptr [eax] --\
:00429EF3 8813 mov byte ptr [ebx], dl \
:00429EF5 8A4801 mov cl, byte ptr [eax+01] \
:00429EF8 884B01 mov byte ptr [ebx+01], cl \
:00429EFB 8A5002 mov dl, byte ptr [eax+02] \
:00429EFE 885302 mov byte ptr [ebx+02], dl \ Duplicates our
:00429F01 8A4803 mov cl, byte ptr [eax+03] / serial into EBX
:00429F04 884B03 mov byte ptr [ebx+03], cl /
:00429F07 8A5004 mov dl, byte ptr [eax+04] /
:00429F0A 885304 mov byte ptr [ebx+04], dl /
:00429F0D 8A4005 mov al, byte ptr [eax+05] /
:00429F10 884305 mov byte ptr [ebx+05], al --/
:00429F13 0FBE0B movsx ecx, byte ptr [ebx] <-- Put our 1st char in ECX
:00429F16 51 push ecx <-- Save our 1st char
:00429F17 E86C590400 call 0046F888 <-- Upcase our 1st char (seems to be a letter)
:00429F1C 59 pop ecx <-- Restore our 1st letter
:00429F1D 83F841 cmp eax, 00000041 (1) <-- Compare it with the 1st letter of the real serial
:00429F20 7547 jne 00429F69 <-- If not equal then jump to Unregistered
:00429F22 0FBE4301 movsx eax, byte ptr [ebx+01] <-- Put our 2nd char in EAX
:00429F26 50 push eax <-- Save our 2nd char
:00429F27 E85C590400 call 0046F888 <-- Upcase our 2nd char (seems to be a letter)
:00429F2C 59 pop ecx <-- Restore our 2nd letter
:00429F2D 83F859 cmp eax, 00000059 (2) <-- Compare it with the 2nd letter of the real serial
:00429F30 7537 jne 00429F69 <-- If not equal then jump to Unregistered
:00429F32 0FBE5302 movsx edx, byte ptr [ebx+02] <-- Put our 3rd char in EDX
:00429F36 83FA38 cmp edx, 00000038 (3) <-- Compare it with the 3rd char of the real serial (seems to be a number)
:00429F39 752E jne 00429F69 <-- If not equal then jump to Unregistered
:00429F3B 0FBE4B03 movsx ecx, byte ptr [ebx+03] <-- Put our 4th char in ECX
:00429F3F 83F931 cmp ecx, 00000031 (4) <-- Compare it with the 4th char of the real serial (seems to be a number)
:00429F42 7525 jne 00429F69 <-- If not equal then jump to Unregistered
:00429F44 0FBE4304 movsx eax, byte ptr [ebx+04] <-- Put our 5th char in EAX
:00429F48 83F832 cmp eax, 00000032 (5) <-- Compare it with the 5th char of the real serial (seems to be a number)
:00429F4B 751C jne 00429F69 <-- If not equal then jump to Unregistered
:00429F4D 0FBE5305 movsx edx, byte ptr [ebx+05] <-- Put our 6th char in EDX
:00429F51 83FA34 cmp edx, 00000034 (6) <-- Compare it with the 6th char of the real serial (seems to be a number)
:00429F54 7513 jne 00429F69 <-- If not equal then jump to Unregistered
:00429F56 C705284B48001443FC69 mov dword ptr [00484B28], 69FC4314
:00429F60 E8B7AAFDFF call 00404A1C
:00429F65 B001 mov al, 01
:00429F67 EB1B jmp 00429F84
Kewl! So:
1st: the serial must be six chars.
2nd: the 1st and 2nd chars must be letters, and the others numbers. So here it is:
      (1) (2) (3) (4) (5) (6)
Hex    41  59  38  31  32  34
Char    A   Y   8   1   2   4
Looks like there is one universal serial. If we enter it and go to About, it says the #2 magic word "REGISTERED".
I'll let you do a keygen! OK! And if you do so, please send it to me! For the final touch, here is a freeware called Ascii Table; it can help you a lot, download it.
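To make the weakness concrete, here is the check from the listing written out in C, beside a variant that stores only a digest of the accepted code. This is an added example, not code from JPEG Optimizer; the function names and the choice of FNV-1a as the digest are my own assumptions.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Copy up to six bytes into a zero-filled buffer and upper-case the first two,
   as the routine at 00429EE4 does (it copies six bytes with no length check
   and calls 0046F888 on the first two; stopping at the NUL avoids an over-read). */
static void normalize(const char *in, char out[6])
{
    size_t i;
    memset(out, 0, 6);
    for (i = 0; i < 6 && in[i] != '\0'; i++)
        out[i] = in[i];
    out[0] = (char)toupper((unsigned char)out[0]);
    out[1] = (char)toupper((unsigned char)out[1]);
}

/* The check as the listing does it: each position is compared with an immediate
   (41 59 38 31 32 34) and any mismatch takes the jne to 00429F69. Because the
   accepted code sits in the code as literals, dead listing reads it straight off. */
int check_serial_hardcoded(const char *serial)
{
    static const char expected[6] = { 'A', 'Y', '8', '1', '2', '4' };
    char b[6];
    normalize(serial, b);
    return memcmp(b, expected, 6) == 0;
}

/* 64-bit FNV-1a over the six normalized bytes (assumed choice of digest). */
uint64_t fnv1a64(const char b[6])
{
    uint64_t h = 1469598103934665603ULL;
    int i;
    for (i = 0; i < 6; i++) {
        h ^= (unsigned char)b[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Hardened form: only a digest of the accepted code is stored, so the routine no
   longer spells the code out. Caveats: the final branch can still be patched just
   like the jne chain above, and a two-letter/four-digit space (a few million
   candidates) is cheap to brute-force against a digest, so per-user codes
   verified with a public key are the real fix, not a hash of one constant. */
int check_serial_digest(const char *serial, uint64_t stored_digest)
{
    char b[6];
    normalize(serial, b);
    return (fnv1a64(b) ^ stored_digest) == 0;
}
```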
¶¦¬| Ending:
`¯¯¯¯¯¯¯¯¯¯¯´
Well, that's that. I hope you could follow it all. For any comments, or if there's anything that I didn't explain too well, don't hesitate to mail me at: tBS@iquebec.com.
Greetingz to:
tKC, Northpole, Styx2000, WaVeR`, DyNoBrEmO, Ivanopulo, rEd, schUmU, DaVinci, Nitallica, LagPRO, Socko, Fli7e, DnNuke, TDVFR, MonoMeow.