HOW TO CRACK:
Bookmark Converter v2.7

Introduction

Bookmark Converter is a shareware program for converting bookmarks from Netscape to IE and vice versa. Get it from

http://www.abc.se/~m9761/bm_conv

Tools needed: SoftICE & WDASM

The Protection:

This involves entering your name and a valid registration code. Registering the program enables the command line interface for converting bookmarks. Very handy for companies with lots of users.

The Crack:

Try entering your name and any number to see what happens. You get a warning telling you to enter the number correctly. OK, load up WDASM and open bm_conv.exe in it. Normally, when you have entered a correct registration code, you would get a 'Thank you for registering....' message, so let's search for the words 'thank you', and you will find the following reference to it:

* Possible StringData Ref from Code Obj ->"Thank you for registering Bookmark "
                                        ->"Converter!"
:0043E1F8 B8E4E24300     mov eax, 0043E2E4
:0043E1FD E8326CFFFF     call 00434E34 ----------> Show dialog box
:0043E202 EB15           jmp 0043E219 

To see where this routine is being called from, scroll up the screen (page up twice) until you see:

:0043DF85 33C0          xor eax, eax
:0043DF87 5A            pop edx
:0043DF88 59            pop ecx
:0043DF89 59            pop ecx
:0043DF8A 648910        mov dword ptr fs:[eax], edx
:0043DF8D 68AFDF4300    push 0043DFAF         ----------> Our information 
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043DFAD(U)
|
:0043DF92 8D45D4        lea eax, dword ptr [ebp-2C]  ---> Our information 
:0043DF95 E86E59FCFF    call 00403908 ------------------> Calculate real reg code
:0043DF9A 8D45F4        lea eax, dword ptr [ebp-0C] ----> Address of real reg code
:0043DF9D BA03000000    mov edx, 00000003
:0043DFA2 E88559FCFF    call 0040392C
:0043DFA7 C3            ret

This looks like an interesting call, so let's run bm_conv.exe and try to register it again. Enter your name and a fake code, try 44444444444 for example. You can only enter 10 digits, so we know that the registration code must consist of 10 digits. DO NOT click on register yet. Instead, press CTRL-D to bring up SoftICE. Set a breakpoint at the above-mentioned address: type bpx 43DF92, which will stop the program when it gets to this point. Now type x then press return to go back to the program. Now click on register and you will be looking at the breakpoint you have just set in SoftICE at address 43DF92. We want to know what value is at EAX, so press F10 once to advance one instruction and the EAX register will change. OK, now type d eax followed by return. This will show you the data at EAX. You will see your fake code and above it you will see a series of letters and numbers.

Hmm, what could they be? If you count them you will see that there are 10 of them. That's the length of the registration code! Well, would you believe it? WRITE DOWN THIS 10 DIGIT NUMBER NOW. Now press x and return to go back to the program. You have entered a bad number. Now try again, entering the same name as before and then the code number you wrote down, then try to register it. You will be taken back to the breakpoint again, so just press x and return to exit back to the program. Look, we've got a 'Thank you for registering...' message now. You've just cracked Bookmark Converter 2.7. This code should work for all versions 2.x although I haven't tried it yet... perhaps you could try it and see what happens.

That's it... hope you learned something.
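The protection falls because the program computes the valid code for the entered name and holds it in memory next to the user's input. As an added example (not code from this page or from Bookmark Converter), the sketch below puts that pattern beside a check that only verifies a vendor-issued signature; the 10-digit scheme, all function names and the toy RSA parameters are assumptions.

```python
import hashlib

# Constructed demo parameters (assumptions): two Mersenne primes form a toy
# RSA modulus, far too small for real use. A product would use a vetted
# signature library with full-size keys and proper padding.
# P and Q appear here only so the demo can issue a key; a client ships N and E.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q


def digest(name: str) -> int:
    """Hash the licensee name to an integer below N."""
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big") % N


# Weak pattern: the client derives the valid code itself.
def weak_expected_code(name: str) -> str:
    """Hypothetical 10-digit scheme; the program's real algorithm is not on the page."""
    return f"{digest(name) % 10**10:010d}"


def weak_check(name: str, entered: str) -> bool:
    expected = weak_expected_code(name)  # the valid code now sits in process memory
    return entered == expected


# Vendor side only: the private exponent never ships with the client.
def vendor_issue(name: str) -> int:
    d = pow(E, -1, (P - 1) * (Q - 1))
    return pow(digest(name), d, N)


# Hardened client: holds only (N, E) and can only test what the user typed.
def hardened_check(name: str, entered: int) -> bool:
    return 0 < entered < N and pow(entered, E, N) == digest(name)
```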