The Crack:
Disassemble the .SCR file and look at the string references near the top,
in the About dialog box and the string table.
There are references to 'Deluxe registration' codes etc.
Look at the following lines in particular:
:0040D47D 833D5020420003 cmp dword ptr [00422050], 00000003
:0040D484 751B jne 0040D4A1
* Possible StringData Ref from Data Obj ->"DELUXE registration OK"
:0040D486 681C064200 push 0042061C
:0040D48B 6892000000 push 00000092
:0040D490 8B5508 mov edx, dword ptr [ebp+08]
:0040D493 52 push edx
and the next segment:
:0040D5E4 833D5020420003 cmp dword ptr [00422050], 00000003
:0040D5EB 7545 jne 0040D632
* Possible StringData Ref from Data Obj ->"DELUXE registration OK"
:0040D5ED 6870064200 push 00420670
:0040D5F2 6892000000 push 00000092
:0040D5F7 8B5508 mov edx, dword ptr [ebp+08]
:0040D5FA 52 push edx
* Reference To: USER32.SetDlgItemTextA, Ord:022Ch
:0040D5FB FF15C4B14100 Call dword ptr [0041B1C4]
:0040D601 C605C9FD410001 mov byte ptr [0041FDC9], 01
:0040D608 C605CAFD410001 mov byte ptr [0041FDCA], 01
:0040D60F C605CBFD410001 mov byte ptr [0041FDCB], 01
:0040D616 C605CCFD410001 mov byte ptr [0041FDCC], 01
:0040D61D C605CDFD410001 mov byte ptr [0041FDCD], 01
:0040D624 C605CEFD410001 mov byte ptr [0041FDCE], 01
:0040D62B 33C0 xor eax, eax
:0040D62D E994000000 jmp 0040D6C6
Something very interesting appears here: in particular, 2 references
to cmp dword ptr [00422050], 00000003.
There are also 6 references to bytes in memory being set to 1. Could
these be the flags for the fish, with 0=inactive, 1=active?
First of all we want to set a breakpoint on the memory address 422050.
Do this by loading fish.scr into SoftICE and
typing 'bpm 422050' followed by Enter, then run the program by pressing F5.
The program will halt execution after a short while and you will be
placed back into SoftICE here:
:004042FB E8A0D40000 call 004117A0
:00404300 83C408 add esp, 00000008
:00404303 C7055020420000000000 mov dword ptr [00422050], 00000000 --> needs to be 3
So for our first crack we can place the value 3 into the line above
rather than 0.
Open up the fish.scr into your hex-editor and
change the value at offset 4309h to 03 instead of 00.
Now search for other occurrences of 422050
in W32Dasm and you will find a very useful one here, because looking further
down the code all 7 fish are made active and the value 3 is placed into
the 'Deluxe registration code' flag.
:00404491 833D5020420000 cmp dword ptr [00422050], 00000000 ---> 3 = registered 0 = unregistered
:00404498 740E je 004044A8
:0040449A C605C9FD410001 mov byte ptr [0041FDC9], 01
:004044A1 C605CAFD410001 mov byte ptr [0041FDCA], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address: :00404498(C)
:004044A8 6A03 push 00000003
:004044AA E861F3FFFF call 00403810
:004044AF 83C404 add esp, 00000004
:004044B2 85C0 test eax, eax
:004044B4 7434 je 004044EA
:004044B6 C7055020420003000000 mov dword ptr [00422050], 00000003 --> 3=registered
:004044C0 C605C9FD410001 mov byte ptr [0041FDC9], 01
:004044C7 C605CAFD410001 mov byte ptr [0041FDCA], 01
:004044CE C605CBFD410001 mov byte ptr [0041FDCB], 01
:004044D5 C605CCFD410001 mov byte ptr [0041FDCC], 01
:004044DC C605CDFD410001 mov byte ptr [0041FDCD], 01
:004044E3 C605CEFD410001 mov byte ptr [0041FDCE], 01
So we need to force the program to 4044B6
by simply increasing the
value of EAX after the test at 4044B2. We could also NOP out the test,
but this way is neater.
Enter the value 4090 at offset 44B2h for our second crack.
That's it - very straight forward.
And another one bites the dust....
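As an added example, not part of the original tutorial: a Python integrity check, written from the vendor's or a file-integrity monitor's side, that reports whether a copy of fish.scr carries either of the two byte edits described above. The offsets 4309h and 44B2h, the original bytes and the replacement bytes are taken from the listing; the sample image is constructed so the script runs without the real file, and it assumes, as the tutorial does, that the file offsets map directly onto the code addresses.

```python
import struct

# Each patch site: original bytes from the listing, the bytes the tutorial
# writes over them, and what the edit does to the instruction.
SITES = {
    0x4309: (b"\x00", b"\x03", "imm32 of 'mov dword ptr [00422050], 0' set to 3"),
    0x44B2: (b"\x85\xc0", b"\x40\x90", "'test eax, eax' replaced by 'inc eax ; nop'"),
}


def decode_mov_mem_imm32(image: bytes, offset: int):
    """Decode 'C7 05 disp32 imm32' (mov dword ptr [disp32], imm32) at offset.

    Returns (target_address, immediate), or None if the opcode does not match.
    Both fields are little-endian, so 50 20 42 00 reads back as 0x00422050.
    """
    if image[offset:offset + 2] != b"\xc7\x05":
        return None
    disp, imm = struct.unpack_from("<II", image, offset + 2)
    return disp, imm


def classify_sites(image: bytes) -> dict:
    """Map each known site offset to 'original', 'patched' or 'unknown'."""
    result = {}
    for off, (orig, patched, _what) in SITES.items():
        actual = image[off:off + len(orig)]
        if actual == orig:
            result[off] = "original"
        elif actual == patched:
            result[off] = "patched"
        else:
            result[off] = "unknown"
    return result


def build_sample_image(flag_patched: bool, test_patched: bool) -> bytes:
    """Constructed stand-in for fish.scr: zero-filled, with only the two
    instruction sequences from the listing placed at their file offsets."""
    buf = bytearray(0x5000)
    mov = b"\xc7\x05\x50\x20\x42\x00" + struct.pack("<I", 3 if flag_patched else 0)
    buf[0x4303:0x4303 + len(mov)] = mov          # immediate lands at 0x4309
    buf[0x44B2:0x44B4] = b"\x40\x90" if test_patched else b"\x85\xc0"
    return bytes(buf)


if __name__ == "__main__":
    for flags in ((False, False), (True, True)):
        img = build_sample_image(*flags)
        print(decode_mov_mem_imm32(img, 0x4303), classify_sites(img))
```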