November 1998	"Add and Remove v2.0" (Calculating a Serial Number )	Win '95/'98 PROGRAM Win Code Reversing
	by Punisher
	Cracking 4 Newbies
	Program Details Program Name: AddRemove.exe Program Type: Add / Remove Cleaner Program Location: http://www.4developers.com Program Size: 189 kb
	Tools Used: Softice 3.2 - Debugger
Rating	Easy ( X )  Medium (   )  Hard (    )  Pro (    )	There is a crack, a crack in everything. That's how the light gets in.

 

Add / Remove v2.0

( Calculating A Serial Number )

Written by Punisher

  

Introduction

 
The author(s) of this program can be found at:  http://www.4developers.com
 
The author says:

"How many times have you tried to uninstall a program, using Control Panels’ Add/Remove programs, and found out that you just can get rid of it?

The Add/Remove 4Good utility helps you to remove these stubborn applications. It is intended for Windows users who wish to keep their system clean. Misbehaved shareware can be installed without the fear of having it stuck forever in the Add/Remove list."
 

About this protection system

 
Registration is via a nag screen at program startup, The Register button on the main window or the the nag screen at program close. You will be provided with two edit boxes and a nunmber of buttons, The one we are interested in is the Unlock button.

The fields for our registration are:-

 
User Name    :
Registration Code    :

Part of the Registration Code is hardcoded and part is calculated from your entered user Name.

While looking through Sandman's site I saw a tutorial on Add/Remove and downloded it to help me to crack the version of Add/Remove which I had, I think it was 1.??. I am not to sure what was the version. Any way I had tried a number of ways but failed. I followed the link on Sandman's site and downloaded Add/Remove only to get v2.0 and not v2.01 which Sandman used in his tutorial.

I tried to disassemble Add/Remove with Wdasm32 and failed because Wdasm32 crashed every time I tried. So I decided to use softice and trace through the code looking for a serial number echo as Master +ORC said.

Start Add/Remove v2.0. You are presented with a nasty nag screen asking you to register the program. There is a couple other buttons including a 'Register Later' button. Click on the Register button and we are presented with the main program window. Look in the title bar there you see 'UNREGISTERED VERSION' "not too good eh". Play with the program then exit. We are presented with the same nag screen asking us to register the program.

LET'S GET CRACKING (Ha, ha, ha)

Start Add/Remove again. Enter Your name in the User Name field and enter a fake Serial number in the Registration code field.

Go into Softice by pressing Ctrl-D. Set a breakpoint on GetWindowTextA. eg:-

> bpx GetWindowTextA

Leave Softice by pressing Ctrl-D. We are back in the Nag screen. Press the Unlock button and Softice breaks in at GetWindowTextA. Type x and press {ENTER} to pass the first GetWindowTextA call since we have two calls to get our User Name and Registration Code.

Softice Breaks a second time at GetWindowTextA. Press F11 to step out of the caller then press F12 to get to Addrem code.

You will be in this piece of code:- Address = :004053B6

call  004053B6
push  00408360                     ; you land here
lea   ecx, [ebp-18]
call  00405386
mov   dword ptr[ebp-04], 0000000
mov   eax, [eax]
push  eax
call  [0040A810]
mov   dword ptr[ebp-04], FFFFFFFF
add   esp, 08
cmp   eax, 01
mov   eax, [ebp-14]
sbb   [ebp-14], eax
neg   dword ptr[ebp-14]
call  00401A33
cmp   dword ptr[ebp-14], 00
jz    00401949                     ; jumps to a call at 
                                   ; 00401949 where the 
                                   ; registration code is calculated
 

Do a search for your fake Registration Code. eg:-

s 0 LFFFFFFF '15151515'

You will see your fake Regcode in the data window at the right of sotfice screen.

Hold down the alt key and press PageDown until you see the Text UNREGISTERED USER (in the data window). Just before that you will see a four digit number with a dash "-" after it. This is the first part of the registration code. Write it down. Don't forget the dash.

Trace through this code using F10 key till you come to jz 00401949. Trace this jump and you will land here:- Address = : 00401949

call  00401620            ; this call calculates the second 
test  eax, eax            ; part of the registration code
jz    004019F8            ; <- this is the bad_cracker jump
 

Trace into this call by typing t and pressing {Enter}. Now trace this call using F10 until you get to this piece of code.

mov   eax, [004835C ]
lea   ecx, [ebp-10
mov   al, [edx + eax]    ; this is the first character in the 
                         ; second part of the Reg code

After tracing pass the mov al, [edx + eax] have a look at 'al ' by typing:-

? al

Note whatever al holds, it is the first character in the second part of the reg code. It can be a number or a letter. This character is determined by the lenght of the User name by using a hard coded key with 12 characters. This string is "87ae2401my69" If the length of the user name is less than 12 the it is cycles through this key for that amount of characters and takes the the next character for the first character in the regcode. If the length of the regcodeit is 12 or more then it comes back to the beginning of the key to count the rest of spaces. The next chacracter is used as the first letter of the second part. eg: Count Dracula has 13 characters so after counting the 12 characters in the key it goes back to the first for the thirteenth one, the next character will be used that is the number 7.

So far our Reg code should look like this XXXX-x

Now trace using F10 until you come to this piece of code.

Test  byte ptr[ebp-10] 01
jnz   00401728
mov   eax, [ebp-10]
mov   al, [eax+00408360]   ; put the first letter in our name in al
cmp   al, 7F
jg    00401773
cmp   al, 20
jl    00401784
cbw
mov   cl, 02
idiv  cl
add   al, 20                ; 20 is added to the letter in al
cmp   al, 61
jge   004016FA
add   al, 06
cmp   al, 39
jle   00401704
cmp   al, 41
add   al, 08                  ; ? al and write down the letter
push eax
 

Yes you guessed right, this is the protection scheme. It takes the first character in your name and divide it by 2 then adds 20 to it. If the result is a capital letter it stores that away. If it is not a letter or a number it converts the character to a letter by adding 8 to it.

It then skips the next letter in your name and goes to the third and the same routine is carried out again. This is done until there are no more letters in the name.

After claculating the regcode the call returns and eax is test, if it is zero then you must be a bad cracker and the program jumps to the bad cracker message. If it is not zero then the program goes on to open the registry and enter your regcode and name.

I tried changing the jz 004019F8 jump to jnz. The program went on to store the registry key but the next time I tried to run the program it was still unregistered, so that's no good. nop'ing the jump also failed. This is because the progam has another check for the regcode but I didnot take time to find it since the crack I did was the cleaness.

In order to get the correct Reg Code you must trace through this routine taking a note of the al register at "add al, 08". After completing this call the first part of the regcode is joined to the second part.

The length of the recode depends on the length of the user name:-

you should end up with somthing like this: ####-xXXX

For me I got user name= Punisher, Regcode = 6582-mHWYR

Don't be a lamer and copy my code. Claculate yours.

SUMMARY:

The first part of the regcode is hard coded the second part is calculated from you name.

I will like to say thanks to +Fravia, Sandman, CrackZ, Cruehead, Iczelion and all the others out there who help by providing the knowledge to make this possible.