Password Protected LockUp v2.6
My program got cracked ... and i wonder why ?
by FaT[BiT] \ TNT!
Cracking For Beginners
 
Program Info
Program Name : LockUp.exe
Program Type : Sec. Util
Program Location : http://www.softfolder.com
Program Size : 627 KB
 
ToolZ :
Win32Dasm v8.93
SoftIce v4.05


All these toolz can be found at http://w3.to/protools
Easy ( X ) Medium (  ) Hard (  ) Pro (  )


Cracked and Written by : FaT[BiT] \ TNT!
Tutorial No. : 23


Dedication

-- Azmo -- [XasX] -- Sir dReAM -- Astaga --

Introduction & Protection

iNTROdUCTION :

hi there and welcome to another tutorial ...
U know sometimes u like to go back to the old stuff in ur life and remember how it used to be , i think it is kool , this is what i felt today when i cracked this program , this is probably the first time i have used win32dasm after 3 months of not using it .. and after i cracked this program i felt that i should write a tutorial about this prog to show u that no matter how good u r in cracking sometimes u return to ur early beginnings ....

pROTEcTION :

o.k this prog needs a registration code to register it, so let's find this code ...

The Essay

o.k install the prog. and before u continue the setup it will run ...( damn !! that is fast !!)... as u can see it needs a registration code to register , so let's enter our dummy code , in my case i wrote this :

Registration Code : 1234567890

now press the o.k button and our error message will appear ... saying "Sorry , blah blah blah ", o.k now let's copy the exe file to the win32dasm dir and dasm it , and look for our error message ... when u find it click on it then scroll up and u will see this code :


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004766AA(C) <-- We go to this code

:00476723 6A10                    push 00000010

* Possible StringData Ref from Code Obj ->"Error"

:00476725 B99C674700              mov ecx, 0047679C

* Possible StringData Ref from Code Obj ->"Sorry, this registration code "
                                        ->"is invalid."

:0047672A BAA4674700              mov edx, 004767A4
:0047672F A110B14700              mov eax, dword ptr [0047B110]
:00476734 8B00                    mov eax, dword ptr [eax]


o.k we now go to this address 004766AA , click on search/find text and enter the address , after win32dasm finds the address scroll up and u will see this code :


:004766A1 33C0                    xor eax, eax
:004766A3 E858FEFFFF              call 00476500 <-- our check procedure
:004766A8 84C0                    test al, al <-- the call returned its result in al
:004766AA 7477                    je 00476723 <-- jump to the error message if al = 0 (check failed)


o.k kool !! i think we took everything we need from win32dasm , it is now time to change to softice to set a breakpoint on 004766A3 and see what is going on inside the call ...
so run the program and enter any registration code you like , but before you click on the o.k button set a breakpoint like this one :

bpx hmemcpy

now press F5 and then press the o.k button , softice will break so press the F11 button then press the F12 button 11 times , then clear all the breakpoints and set a breakpoint like this one :

bpx 004766A3

then press the F5 button to exit softice ... but softice will break again , now you are at the call , press F8 to get inside the call , once you are in trace with the F10 button until you reach this code :


:004765D5 E86AD8F8FF              call 00403E44 <-- gets the length of our code and puts it in eax
:004765DA 83F80C                  cmp eax, 0000000C <-- check the length with 0Ch = 12
:004765DD 7C43                    jl 00476622 <-- if less than 12 then err.
:004765DF 8B07                    mov eax, dword ptr [edi] <-- eax has our code
:004765E1 803839                  cmp byte ptr [eax], 39 <-- check if 1st char. is 39h = "9"
:004765E4 753C                    jne 00476622 <-- if not then err.
:004765E6 8B07                    mov eax, dword ptr [edi]
:004765E8 80780131                cmp byte ptr [eax+01], 31 <-- check if 2nd char. is 31h = "1"
:004765EC 7534                    jne 00476622 <-- if not then err.
:004765EE 8B07                    mov eax, dword ptr [edi]
:004765F0 80780230                cmp byte ptr [eax+02], 30 <-- check if 3rd char. is 30h = "0"
:004765F4 752C                    jne 00476622 <-- if not then err.
:004765F6 8B07                    mov eax, dword ptr [edi]
:004765F8 80780332                cmp byte ptr [eax+03], 32 <-- check if 4th char. is 32h = "2"
:004765FC 7524                    jne 00476622 <-- if not then err.
:004765FE 8B07                    mov eax, dword ptr [edi]
:00476600 80780437                cmp byte ptr [eax+04], 37 <-- check if 5th char. is 37h = "7"
:00476604 751C                    jne 00476622 <-- if not then err.
:00476606 8B07                    mov eax, dword ptr [edi]
:00476608 80780950                cmp byte ptr [eax+09], 50 <-- check if 10th char. is 50h = "P"
:0047660C 7514                    jne 00476622 <-- if not then err.
:0047660E 8B07                    mov eax, dword ptr [edi]
:00476610 80780A50                cmp byte ptr [eax+0A], 50 <-- check if 11th char. is 50h = "P"
:00476614 750C                    jne 00476622 <-- if not then err.
:00476616 8B07                    mov eax, dword ptr [edi]
:00476618 80780B4C                cmp byte ptr [eax+0B], 4C <-- check if 12th char. is 4Ch = "L"
:0047661C 7504                    jne 00476622 <-- if not then err.
:0047661E B301                    mov bl, 01
:00476620 EB07                    jmp 00476629


o.k !!! here is all the AzM in English !!

first it gets the length of our registration code and makes sure that it is not less than 12 , then it takes the first char and sees if it is "9" , then checks the 2nd and sees if it is "1" , then the 3rd and sees if it is "0" , then the 4th and sees if it is "2" , then the 5th and checks if it is "7" , then it goes to the 10th, 11th and 12th and checks if they are "PPL" respectively ... and of course what you put in the places of the other chars is up to u .... so here it is again

Our Valid Registration Code must be in this form :

9    1    0    2    7    X    X    X    X    P    P    L    X

now the last thing to do is to use ur imagination to fill anything in the X's to have a valid Registration code or you can leave it like this , so let's try it and ...

Password Protected LockUp is Registered
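
Added example, not part of the original tutorial and not the vendor's source: the check routine from the listing above rendered in C, plus a small audit helper that changes one byte at a time in an accepted input and reports which positions the validator never verifies. The function names and the helper are ours (hypothetical); the constants are the ones in the listing and the sample input is the form shown above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* C rendering of the listing at 004765D5..00476620.
 * The function name is ours; the constants come from the listing. */
int lockup_check(const char *code)
{
    if (strlen(code) < 12)                 /* cmp eax, 0000000C / jl */
        return 0;
    if (memcmp(code, "91027", 5) != 0)     /* offsets 00..04         */
        return 0;
    if (memcmp(code + 9, "PPL", 3) != 0)   /* offsets 09..0B         */
        return 0;
    return 1;                              /* mov bl, 01             */
}

/* Audit helper (hypothetical, for testing a validator you own):
 * change one byte at a time in an accepted input; every position whose
 * change is still accepted is input the check never verifies.
 * Bit i of *mask marks ignored position i. Returns the count, or -1. */
int ignored_positions(int (*check)(const char *), const char *accepted,
                      unsigned long *mask)
{
    char buf[33];
    size_t n = strlen(accepted);
    int count = 0;

    if (n == 0 || n >= sizeof buf || !check(accepted))
        return -1;
    *mask = 0;
    for (size_t i = 0; i < n; i++) {
        memcpy(buf, accepted, n + 1);
        buf[i] ^= 0x01;                    /* e.g. 'X' -> 'Y', '9' -> '8' */
        if (check(buf)) {
            *mask |= 1UL << i;
            count++;
        }
    }
    return count;
}

int main(void)
{
    unsigned long mask = 0;
    int n = ignored_positions(lockup_check, "91027XXXXPPLX", &mask);
    printf("%d unverified positions, mask 0x%lx\n", n, mask);
    return 0;
}
```

Five of the thirteen bytes are never verified and the other eight are compared against constants stored in the executable, so the check holds no secret and is not tied to any user. A licence check that survives this kind of reading verifies a signature over user-specific data, with only the public key shipped in the binary.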

Final WordZ

i hope u have enjoyed this tut as much as i did writing it
in the end i would like to greet the following ppl !!
FaT[BiT]_FaTz0 greetz the following :

tKC ... (for showing me the light !! )
LW2000 ... ( Thanx alot i now use my brain )
[XasX] ... (a very good founder and a very good friend also!)
AzmO ... (yes!! man we are different !! )
Sir dReAm ... (where the FUCK! r ya ? )
ASTAGA ... (i don't mind if u comment this tutorial)
BoneZ ... (thanx alot for the support !!)
BillGameZ, VaibLitzeR, MezUz , and ShaQ ... (good luck to u all !! )

and to all TNT!CRACK!TEAM! members ... (keep up the good work !!)

any comments mail me : fatzbit@linuxmail.org

See ya in another tut !!! Soon !!!

--= EOF =--