How To Register Deep Pockets 1.0
--------------------------------
A password tutorial by Mister Legend

introduction:

HI everybody. this is my *very first* cracking tutorial, please respect that :)
That's it for the introduction. Now on to the real stuff: let's twist!

target: Deep Pockets 1.0 (rocketdownload.com/prgs/deepp.exe)
tools:  W32DASM (I used 8.9 for the job)

part 1: Examine the target

Run deepp.exe. In the title bar you will see that unpleasant message saying
"EVALUATION COPY". It won't keep you from playing the game, but just the idea
of using UNREGISTERED shareware gets on yer nerves, doesn't it? Let's register
it! Go to Help|Register and you will see a *Good Old Register Dialog* that
lets you enter Name and Registration code. Type in some crap and hit [ENTER].
=boom= "Invalid serial number". Keep that message in mind...

part 2: Find the code

Load deepp.exe in W32DASM (File|Open File...). Remember what happened when we
tried to register: Deep Pockets presented you a MessageBox saying "Invalid
serial number". Let's go and find it! Go to Refs|String Data Refs. Double
click on the string "Invalid serial number", then close the Reference window.
You'll see the following code:

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004016C0(C), :004016CF(C), :004016E4(C)
|
:00401758 6A30                 push 00000030

* Possible StringData Ref from Data Obj ->"Deep Pockets"
|
:0040175A 687C004100           push 0041007C

* Possible StringData Ref from Data Obj ->"Invalid serial number"
|
:0040175F 68CC004100           push 004100CC
:00401764 56                   push esi

* Reference To: USER32.MessageBoxA, Ord:0188h
|
:00401765 FF156C544100         Call dword ptr [0041546C]
:0040176B EB04                 jmp 00401771

That's our MessageBox: we have found it! OK, let's see... three conditional
jumps lead here, from the addresses 004016C0, 004016CF and 004016E4. Looks
like three successive BAD jumps. Scroll up to address 004016C0; this is what
you should see:

:004016B5 8B3D5C534100         mov edi, dword ptr [0041535C]   <- get imported function's address
:004016BB 50                   push eax                           (won't be OUR call)
:004016BC FFD7                 call edi                        <- call import function 1st time
:004016BE 85C0                 test eax, eax
:004016C0 0F8492000000         je 00401758                     <- bad jump nr.1
:004016C6 8D442408             lea eax, dword ptr [esp+08]
:004016CA 50                   push eax
:004016CB FFD7                 call edi                        <- call import function 2nd time
:004016CD 85C0                 test eax, eax
:004016CF 0F8483000000         je 00401758                     <- bad jump nr.2
:004016D5 8D442408             lea eax, dword ptr [esp+08]
:004016D9 50                   push eax
:004016DA E871FDFFFF           call 00401450                   <- then this must do the comparing stuff
:004016DF 83C404               add esp, 00000004
:004016E2 85C0                 test eax, eax
:004016E4 7472                 je 00401758                     <- bad jump nr.3: wrong serial!
:004016E6 8D442408             lea eax, dword ptr [esp+08]
:004016EA 8D4C2418             lea ecx, dword ptr [esp+18]
:004016EE 50                   push eax
:004016EF 51                   push ecx
:004016F0 E84BFEFFFF           call 00401540                   <- edit deepp.ini file (useless in this
:004016F5 83C408               add esp, 00000008                  case, though interesting: don't go
:004016F8 85C0                 test eax, eax                      there before you've finished)
:004016FA 7447                 je 00401743                     <- some registration error jump
:004016FC 6A40                 push 00000040                   <- this is where we should get when no
                                                                  bad jumps are executed
* Possible StringData Ref from Data Obj ->"Deep Pockets"
|
:004016FE 687C004100           push 0041007C

* Possible StringData Ref from Data Obj ->"Successfull registration, thank "
                                        ->"you!"                <- looks nice!
|
:00401703 68FC004100           push 004100FC
:00401708 56                   push esi

* Reference To: USER32.MessageBoxA, Ord:0188h
|
:00401709 FF156C544100         Call dword ptr [0041546C]

part 3: "Decypher" the password

Look at the comments I added for you in part 2: now you should know what to do
next: go to 00401450! You will see this:

:00401450 83EC18               sub esp, 00000018
:00401453 8D442400             lea eax, dword ptr [esp]
:00401457 56                   push esi
:00401458 57                   push edi
:00401459 50                   push eax
.....

Looks a bit puzzling, doesn't it? IGNORE it, just scroll down a few lines until
you see a lot of cmp's and jne's. An eight-byte range, starting with [esi] and
ending with [esi+07], will be read from memory and compared with what -let me
tell you- it should be: the real code! I will call them byte 0 to byte 8 (byte
8 being the terminating zero). Follow me (use the ASCII character table at the
bottom):

:004014B5 8A06                 mov al, byte ptr [esi]          <- get byte 0
:004014B7 3C30                 cmp al, 30                      <- byte 0 = 30h = "0"
:004014B9 7573                 jne 0040152E
:004014BB 0FBED0               movsx edx, al                   <- al should be 30h -> edx = 30h
:004014BE 0FBE4E01             movsx ecx, byte ptr [esi+01]    <- get byte 1 in ecx
:004014C2 8BFA                 mov edi, edx                    <- edi = 30h
:004014C4 2BF9                 sub edi, ecx                    <- 30h minus byte 1 = -4h,
:004014C6 83FFFC               cmp edi, FFFFFFFC               <- FFFFFFFC = -4, so byte 1 = 34h = "4"
:004014C9 7563                 jne 0040152E
:004014CB 8B7C241C             mov edi, dword ptr [esp+1C]     <
:004014CF 81E7FFFFFF7F         and edi, 7FFFFFFF               <
:004014D5 0B7C2418             or edi, dword ptr [esp+18]      < IGNORE
:004014D9 7453                 je 0040152E                     <
:004014DB 384602               cmp byte ptr [esi+02], al       <- byte 2 = al = 30h = "0"
:004014DE 754E                 jne 0040152E
:004014E0 0FBE7E03             movsx edi, byte ptr [esi+03]    <- get byte 3 in edi
:004014E4 8BC1                 mov eax, ecx                    <- eax = byte 1 = 34h
:004014E6 2BC7                 sub eax, edi                    <- 34h minus byte 3 = -5h,
:004014E8 83F8FB               cmp eax, FFFFFFFB               <- FFFFFFFB = -5, so byte 3 = 39h = "9"
:004014EB 7541                 jne 0040152E
:004014ED 807E0457             cmp byte ptr [esi+04], 57       <- byte 4 = 57h = "W"
:004014F1 753B                 jne 0040152E
:004014F3 807E0547             cmp byte ptr [esi+05], 47       <- byte 5 = 47h = "G"
:004014F7 7535                 jne 0040152E
:004014F9 8B44240C             mov eax, dword ptr [esp+0C]     <
:004014FD 25FFFFFF7F           and eax, 7FFFFFFF               <
:00401502 0B442408             or eax, dword ptr [esp+08]      < IGNORE
:00401506 7426                 je 0040152E                     <
:00401508 0FBE4606             movsx eax, byte ptr [esi+06]    <- get byte 6 in eax
:0040150C 2BF8                 sub edi, eax                    <- 39h (byte 3) minus byte 6
:0040150E 2BF9                 sub edi, ecx                    <- minus 34h (byte 1)
:00401510 03FA                 add edi, edx                    <- plus 30h (byte 0)
:00401512 83FF03               cmp edi, 00000003               <- = 3h, so byte 6 = 32h = "2"
:00401515 7517                 jne 0040152E
:00401517 807E0750             cmp byte ptr [esi+07], 50       <- byte 7 = 50h = "P"
:0040151B 7511                 jne 0040152E
:0040151D 807E0800             cmp byte ptr [esi+08], 00       <- byte 8 must be 00h (end of string)
:00401521 750B                 jne 0040152E

* Possible Reference to Menu: MenuID_0001
|
:00401523 B801000000           mov eax, 00000001               <- eax is tested at :004016E2
:00401528 5F                   pop edi
:00401529 5E                   pop esi
:0040152A 83C418               add esp, 00000018
:0040152D C3                   ret

OK, let's put together byte 0 to byte 7 (byte 8 = 00h, meaning "nothing") and
get the magic key:

    0 4 0 9 W G 2 P

WOW! we did it! Now let's see if this works...

part 4: Register! (the kick ;)

Run deepp.exe, go to Help|Register, with good feelings this time. Enter the
key..... =boom= "Successfull registration, thank you!"
Congratulations: you have just cracked Deep Pockets!

Greetingz to all the crackers at c4n
Special thanx go out to: elmopio, for the nice little target (heh)

Mister Legend/iNSiDE - '98
(contact me at #cracking4newbies or #iNSiDE)

ASCII CODES
Graphic Characters

20(32)        30(48) 0    40(64) @    50(80) P      60(96)  ` *   70(112) p
21(33) !      31(49) 1    41(65) A    51(81) Q      61(97)  a     71(113) q
22(34) "      32(50) 2    42(66) B    52(82) R      62(98)  b     72(114) r
23(35) #      33(51) 3    43(67) C    53(83) S      63(99)  c     73(115) s
24(36) $      34(52) 4    44(68) D    54(84) T      64(100) d     74(116) t
25(37) %      35(53) 5    45(69) E    55(85) U      65(101) e     75(117) u
26(38) &      36(54) 6    46(70) F    56(86) V      66(102) f     76(118) v
27(39) '      37(55) 7    47(71) G    57(87) W      67(103) g     77(119) w
28(40) (      38(56) 8    48(72) H    58(88) X      68(104) h     78(120) x
29(41) )      39(57) 9    49(73) I    59(89) Y      69(105) i     79(121) y
2A(42) *      3A(58) :    4A(74) J    5A(90) Z      6A(106) j     7A(122) z
2B(43) +      3B(59) ;    4B(75) K    5B(91) [      6B(107) k     7B(123) { *
2C(44) ,      3C(60) <    4C(76) L    5C(92) \ *    6C(108) l     7C(124) | *
2D(45) -      3D(61) =    4D(77) M    5D(93) ]      6D(109) m     7D(125) } *
2E(46) .      3E(62) >    4E(78) N    5E(94) ^ *    6E(110) n     7E(126) ~ *
2F(47) /      3F(63) ?    4F(79) O    5F(95) _      6F(111) o     7F(127) DEL (delete)
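To make the listing in part 3 easier to follow, here is the check routine at 00401450 rewritten as a Python model. This is an added example, not code from Deep Pockets or its author: it mirrors the compares and the sign-extended subtractions from the listing, skips the two IGNORE blocks as the tutorial does, and reports which jne would fire for a given input. It assumes the buffer at [esi] is the NUL-terminated text from the register dialog, so bytes after the first 0 read as 0. The model shows why a check built like this keeps no secret: every jne pins exactly one byte, so the constants in the binary spell out the key.

```python
# Model of the serial check at 00401450 in Deep Pockets 1.0, reconstructed from
# the W32DASM listing in part 3. Added example, not the program's own code.
# Assumption: [esi] holds the NUL-terminated dialog text, so bytes past the
# first 0 read as 0 (the routine itself reads [esi] .. [esi+08] unconditionally).

JNE_TARGET = 0x0040152E   # every failing test jumps here; the routine then returns eax = 0


def _sx(byte: int) -> int:
    """movsx: sign-extend one byte to a 32-bit signed value."""
    return byte - 0x100 if byte >= 0x80 else byte


def first_failing_jne(serial: bytes):
    """Return the address of the first 'jne 0040152E' that would be taken for
    this input, or None when every test passes (mov eax, 1 at 00401523)."""
    s = serial.split(b"\0", 1)[0].ljust(9, b"\0")       # C-string view, 9 bytes read
    al = s[0]                                           # :004014B5 mov al, [esi]
    if al != 0x30:                 return 0x004014B9    # cmp al, 30            "0"
    edx = _sx(al)                                       # :004014BB movsx edx, al
    ecx = _sx(s[1])                                     # :004014BE movsx ecx, [esi+01]
    if edx - ecx != -4:            return 0x004014C9    # cmp edi, FFFFFFFC     "4"
    if s[2] != al:                 return 0x004014DE    # cmp [esi+02], al      "0"
    edi = _sx(s[3])                                     # :004014E0 movsx edi, [esi+03]
    if ecx - edi != -5:            return 0x004014EB    # cmp eax, FFFFFFFB     "9"
    if s[4] != 0x57:               return 0x004014F1    # cmp [esi+04], 57      "W"
    if s[5] != 0x47:               return 0x004014F7    # cmp [esi+05], 47      "G"
    eax = _sx(s[6])                                     # :00401508 movsx eax, [esi+06]
    if edi - eax - ecx + edx != 3: return 0x00401515    # cmp edi, 00000003     "2"
    if s[7] != 0x50:               return 0x0040151B    # cmp [esi+07], 50      "P"
    if s[8] != 0x00:               return 0x00401521    # cmp [esi+08], 00      terminator
    return None


def check_serial(serial: bytes) -> bool:
    """What the caller at 004016E2 sees: eax != 0 only when no jne fires."""
    return first_failing_jne(serial) is None


if __name__ == "__main__":
    for cand in (b"0409WG2P", b"0409WG3P", b"0409WG2PX", b"crap"):
        addr = first_failing_jne(cand)
        print(cand, check_serial(cand), None if addr is None else f"jne at {addr:08X}")
```

Feeding it a wrong candidate prints the address of the jne that rejects it, which is the same jump you would land on when stepping the real routine in a debugger.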