Introduction:
Let's talk about Image Optimizer first of all. This small utility from xat.com will shrink your images (jpeg, gif, bmp, etc.) even smaller than you could imagine. However, to enable all the features and stop the program from timing out we need to register it.
Tools needed: WDASM & a hex editor. (No need for Soft-Ice with this one!)
The Crack:
OK, this program has a 30 day time trial limit on it and needs registering. Let's load this sucker into wdasm and take a peek at it, shall we?
OK, since we know that it needs to be registered with a code, we should nearly always expect a 'Thank you' or a message referring to 'registering' or 'registered'.
So, try searching for the text 'registering' - you find nothing. Try searching for 'registered' on the other hand and you will find a very interesting string on line 1492:
----------------------------------------------------------------------------------
:0040142A A1C8244C00 mov eax, dword ptr [004C24C8]
:0040142F 33FF xor edi, edi
:00401431 3DC35A42A3 cmp eax, A3425AC3
:00401436 89BC24A8000000 mov dword ptr [esp+000000A8], edi
:0040143D 0F8409010000 je 0040154C -----------> See where this jumps to.
:00401443 3DF35E43AB cmp eax, AB435EF3
:00401448 7463 je 004014AD
:0040144A 3D6DE15404 cmp eax, 0454E16D
:0040144F 0F854A010000 jne 0040159F ----------> We need to get past this address.
:00401455 8D4C2410 lea ecx, dword ptr [esp+10]
* Possible Reference to String Resource ID=41470:
"This is the full registered version of Image Optimizer."
|
:00401459 68FEA10000 push 0000A1FE
:0040145E 51 push ecx
:0040145F E8901C0700 call 004730F4
----------------------------------------------------------------------------------
:0040154C 8D4C2410 lea ecx, dword ptr [esp+10] ----> Previous check jumps here.
* Possible Reference to String Resource ID=41474:
"This is an evaluation version of Image Optimizer."
|
:00401550 6802A20000 push 0000A202
:00401555 51 push ecx
:00401556 E8991B0700 call 004730F4
:0040155B 8B542418 mov edx, dword ptr [esp+18]
:0040155F 83C408 add esp, 00000008
:00401562 8D8ED4000000 lea ecx, dword ptr [esi+000000D4]
----------------------------------------------------------------------------------
So, you see what is happening now? At 401431 a test is made for the value A3425AC3 in register eax. If it is present, the program jumps to display the message about the software being an evaluation version. If the value is not present, the program checks for another value, 454E16D, and if this one IS present the 'registered version' message is displayed.
Now what then? Well, go back to the top of your disassembled code and try searching for the value '454E16D'. We need to find a place in the code where the value is being MOVed into place rather than being CoMPared. Keep searching and you will find the instruction on line 48808; this is the only line where a MOVe is being made on the value:
:0041BE1F 3BC3 cmp eax, ebx
:0041BE21 750F jne 0041BE32
:0041BE23 C705C8244C006DE15404 mov dword ptr [004C24C8], 0454E16D
:0041BE2D E986000000 jmp 0041BEB8
All we need to do now is to force the program to get to this address, and we do that by placing two NOPs at the line above. This will ignore the check on the previous line and drop the program through to the correct line.
So fire up your hex editor, go to offset 1BE21 (hexadecimal) and enter the code 9090; this is the instruction nop, nop. Two are necessary in order to fill the place of 750F. Now run the program again, go to Help > About and you will see that it is now fully registered.
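As an added check (example code written for this page, not part of the original tutorial), the script below re-derives the jump targets that WDASM printed in the two listings above from the raw opcode bytes, so you can confirm where each je/jne/jmp really lands and why the jne at 0041BE21 occupies exactly two bytes. It handles only the rel8/rel32 branch forms that appear on this page; the addresses and byte strings are copied from the listings.

```python
"""Decode the relative branch targets shown in the WDASM listings above.

x86 relative branches are encoded as a signed displacement from the address
of the NEXT instruction, which is why the target must be recomputed rather
than read straight off the bytes.
"""
from dataclasses import dataclass


@dataclass
class Branch:
    address: int   # address of the branch instruction itself
    mnemonic: str  # jmp / je / jne
    target: int    # absolute destination derived from the displacement
    length: int    # encoded instruction length in bytes


def _rel(tail: bytes, width: int) -> int:
    """Read a little-endian signed displacement of `width` bytes."""
    return int.from_bytes(tail[:width], "little", signed=True)


def decode_branch(address: int, hexbytes: str) -> Branch:
    """Decode one jmp/je/jne (rel8 or rel32); reject anything else."""
    b = bytes.fromhex(hexbytes)
    if b[0] == 0xEB:                                  # jmp rel8
        name, disp, n = "jmp", _rel(b[1:], 1), 2
    elif b[0] == 0xE9:                                # jmp rel32
        name, disp, n = "jmp", _rel(b[1:], 4), 5
    elif b[0] in (0x74, 0x75):                        # je/jne rel8
        name, disp, n = ("je" if b[0] == 0x74 else "jne"), _rel(b[1:], 1), 2
    elif b[0] == 0x0F and len(b) > 1 and b[1] in (0x84, 0x85):  # je/jne rel32
        name, disp, n = ("je" if b[1] == 0x84 else "jne"), _rel(b[2:], 4), 6
    else:
        raise ValueError(f"not a relative jmp/je/jne: {hexbytes}")
    if len(b) != n:
        raise ValueError(f"expected {n} bytes for {name}, got {len(b)}")
    return Branch(address, name, (address + n + disp) & 0xFFFFFFFF, n)


# Branches exactly as they appear in the listings (address, raw bytes).
LISTING = [
    (0x0040143D, "0F8409010000"),  # je  -> evaluation-version message
    (0x00401448, "7463"),          # je  004014AD
    (0x0040144F, "0F854A010000"),  # jne 0040159F, the check to get past
    (0x0041BE21, "750F"),          # jne guarding the mov of 0454E16D
    (0x0041BE2D, "E986000000"),    # jmp 0041BEB8
]


def decode_listing(entries=LISTING) -> dict:
    """Map each listed branch address to its decoded Branch."""
    return {addr: decode_branch(addr, hb) for addr, hb in entries}


if __name__ == "__main__":
    for br in decode_listing().values():
        print(f":{br.address:08X} {br.mnemonic:<4} {br.target:08X}  ({br.length} bytes)")
```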
You can also download Webspeed Optimizer from the same site and crack it using exactly the same method. The offset is different of course, but the same rules apply. Just in case you're wondering... try looking around the address 40E241 and patching 9090 at offset E241.
Another two bite the dust............