HOW TO CRACK:
JPEG Optimizer v2.02, v3.06

Introduction:

JPEG Optimizer compresses your JPEGs even more than you thought they could be compressed. The only problem is that when you need to batch compress lots of files you need a registered program. That's where we come in, so first of all get the unregistered version from http://www.xat.com/ (this is v3.06).

Tools needed: WDASM

The Protection:

This involved entering a valid registration code by going to Help | Register. Registering the program enables batch compression and saving etc.

The Crack

First of all install and run the program. You see at the top of the screen 'JPEG Optimizer - Unregistered'. Now try entering a code by going to Help | Register to see what happens. You get a warning telling you that you have entered an 'Invalid Registration Code'. OK then, let's put the file into WDASM and wait a while (don't forget to save the disassembled code). Once disassembled, do a search for the text 'unregistered' (without the quotes obviously). There's only one, at line 5345. This is a reference to the text, so we want to jump over this reference or bypass it somehow, so we need to look for a JMP, JNE, JLE or some other jump that will avoid running into this reference to 'unregistered'.

:00404719 push ecx
:0040471A call 00429ED8 --------------> code check routine?
:0040471F pop ecx
:00404720 test al, al ---------------------> was code valid ?
:00404722 jne 00404910 ---------------> if valid jump to 404910
:00404728 mov word ptr [ebp+FFFFFF3C], 01A0
:00404731 xor eax, eax
:00404733 mov dword ptr [ebp+FFFFFF6C], eax
:00404739 lea edx, dword ptr [ebp+FFFFFF6C]
:0040473F inc dword ptr [ebp+FFFFFF48]
:00404745 mov edi, dword ptr [00484344]
:0040474B mov eax, edi
:0040474D call 004423A0
:00404752 lea edx, dword ptr [ebp+FFFFFF6C]
:00404758 push edx

* Possible StringData Ref from Data Obj ->" - Unregistered" --------> We don't want to get here.
|
:00404759 mov edx, 004786BF
:0040475E lea eax, dword ptr [ebp+FFFFFF68]

If you scroll up a few lines you will notice a JNE instruction at 00404722 which jumps over/bypasses the reference to the 'unregistered' text. Looking above that line there is a test being made, and above that there is a call to a subroutine at 00429ED8. I wonder what that does. Well, why don't you look at the address that is being called? OK then, here is the routine at that address. Study it carefully and you will see the whole 'valid code' test here. I'll point out the relevant parts.


:00429ED8 push ebp
:00429ED9 mov ebp, esp
:00429EDB add esp, FFFFFFF8
:00429EDE push ebx
:00429EDF mov eax, dword ptr [ebp+08]
:00429EE2 lea ebx, dword ptr [ebp-08]
:00429EE5 mov dl, byte ptr [eax]
:00429EE7 mov byte ptr [ebx], dl
:00429EE9 mov cl, byte ptr [eax+01]
:00429EEC mov byte ptr [ebx+01], cl
:00429EEF mov dl, byte ptr [eax+02]
:00429EF2 mov byte ptr [ebx+02], dl
:00429EF5 mov cl, byte ptr [eax+03]
:00429EF8 mov byte ptr [ebx+03], cl
:00429EFB mov dl, byte ptr [eax+04]
:00429EFE mov byte ptr [ebx+04], dl
:00429F01 mov al, byte ptr [eax+05]
:00429F04 mov byte ptr [ebx+05], al
:00429F07 movsx ecx, byte ptr [ebx]
:00429F0A push ecx
:00429F0B call 0046F87C -----------------------> Get the code you entered.
:00429F10 pop ecx
:00429F11 cmp eax, 00000052 ------------------> A comparison made here on 52
:00429F14 jne 00429F5D
:00429F16 movsx eax, byte ptr [ebx+01]
:00429F1A push eax
:00429F1B call 0046F87C
:00429F20 pop ecx
:00429F21 cmp eax, 00000057 ------------------> here on 57
:00429F24 jne 00429F5D
:00429F26 movsx edx, byte ptr [ebx+02]
:00429F2A cmp edx, 00000033 ----------------> here on 33
:00429F2D jne 00429F5D
:00429F2F movsx ecx, byte ptr [ebx+03]
:00429F33 cmp ecx, 00000034 -----------------> here on 34
:00429F36 jne 00429F5D
:00429F38 movsx eax, byte ptr [ebx+04]
:00429F3C cmp eax, 00000031 ----------------> here on 31
:00429F3F jne 00429F5D
:00429F41 movsx edx, byte ptr [ebx+05]
:00429F45 cmp edx, 00000038 ---------------> and finally here on 38
:00429F48 jne 00429F5D
:00429F4A mov dword ptr [00484AD4], 69FC4314
:00429F54 call 00404A1C
:00429F59 mov al, 01
:00429F5B jmp 00429F78

OK, so what do these comparisons mean? Well, if you get your ASCII table out you will see that the hex value 52 is R, 57 is W, 33 is 3, 34 is 4, 31 is 1 and 38 is 8. So could the 'valid code' be RW3418? Let's try it and find out. Go back to the Help | Register screen and type in RW3418. Hey look, you've just registered the program, well done boy. This method works for the 2 versions that I have tried, v2.02 and this version 3.06. Try to get hold of version 2.02 and find the code yourself by following the instructions outlined here: search for 'unregistered', go back a few lines, go to the subroutine that is being called and trace it from there. The code is different but the method is exactly the same.
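As an added example (not JPEG Optimizer's own code), here is the six-compare routine above re-expressed in Python next to a variant that compares a salted hash of the input instead. The point for anyone writing such a check: immediates like 52, 57, 33 are the key in plain ASCII, so the key is readable from the listing without running anything; a stored digest removes the key from the binary, although it does nothing for the branch that consumes the result. The salt and the `make_digest` helper are assumptions of this example.

```python
import hashlib
import hmac

# Constructed from the routine at 00429ED8: each cmp immediate is the ASCII
# code of one character of the expected key (R W 3 4 1 8).
EXPECTED_BYTES = [0x52, 0x57, 0x33, 0x34, 0x31, 0x38]


def weak_check(code: str) -> bool:
    """Mirrors the disassembled routine: bail out on the first mismatch."""
    if len(code) < 6:
        return False
    for i, expected in enumerate(EXPECTED_BYTES):
        if ord(code[i]) != expected:      # cmp reg, imm ; jne 00429F5D
            return False
    return True                           # mov al, 01


def key_from_immediates(immediates) -> str:
    """Why weak_check leaks: the compare immediates decode straight to the key."""
    return "".join(chr(b) for b in immediates)


# Hardened variant (assumption, not the vendor's code): the program stores only
# a salted SHA-256 digest, so the constants in the binary no longer spell the key.
SALT = b"constructed-salt"


def make_digest(key: str) -> str:
    return hashlib.sha256(SALT + key.encode()).hexdigest()


# In a shipped binary only this hex string would be present; it is computed
# here from the key so that the example is self-contained.
STORED_DIGEST = make_digest("RW3418")


def hashed_check(code: str) -> bool:
    """Compare digests in constant time instead of the raw characters."""
    return hmac.compare_digest(make_digest(code), STORED_DIGEST)
```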

That's it then, one of the simplest cracks you'll ever come across. Hope you're learning something boys!
