MixMeister Pro by grotesmurf

Making a crack

Level: Easy

Tools:
W32Dasm
Hiew

My package of MixMeister had no serial included.  I had downloaded 16MB for nothing!  Luckily I found a way to patch it, so it doesn't prompt for a serial every time!

1) Watching the program in action

- It shows a dialog box to enter a registration key.
- When we enter something, it tells us that it was unable to validate our key and it exits.

2) Taking a closer look

Fire up W32Dasm and disassemble the file 'MixMeister.exe'.  Find the dialog box that asks us to enter the key (search for 'product registration').  It's DialogID_00EB.  Now click the 'DLG ref' button and select DialogID_00EB.

CODE SNIPPET 1

...
* Referenced by a CALL at Address:  
|:0041D60A                                 <= the function to display the dialog is called here
|

:0046EE30 6AFF push FFFFFFFF
:0046EE32 688E664C00 push 004C668E
:0046EE37 64A100000000 mov eax, dword ptr fs:[00000000]
:0046EE3D 50 push eax
:0046EE3E 64892500000000 mov dword ptr fs:[00000000], esp
:0046EE45 51 push ecx
:0046EE46 8B442414 mov eax, dword ptr [esp+14]
:0046EE4A 56 push esi
:0046EE4B 57 push edi
:0046EE4C 8BF1 mov esi, ecx
:0046EE4E 50 push eax

* Possible Reference to Dialog: DialogID_00EB         <= you land here
|
:0046EE4F 68EB000000 push 000000EB
:0046EE54 89742410 mov dword ptr [esp+10], esi
:0046EE58 E86E1B0300 call 004A09CB
...

You can see it's called from address 0041D60A.  Double-click with the right mouse button to go to the caller address.

CODE SNIPPET 2

...
* Possible StringData Ref from Data Obj ->"Settings"
|
:0041D5D7 6820914F00 push 004F9120
:0041D5DC 50 push eax
:0041D5DD B930F14F00 mov ecx, 004FF130
:0041D5E2 E821A50900 call 004B7B08
:0041D5E7 8B4C2414 mov ecx, dword ptr [esp+14]
:0041D5EB 89AC244C010000 mov dword ptr [esp+0000014C], ebp
:0041D5F2 51 push ecx
:0041D5F3 E8C8E7FFFF call 0041BDC0        <== same suspicious call as at address 0041D62D
                                          ; check if it has to display the serial dialog box

:0041D5F8 8BF8 mov edi, eax
:0041D5FA 83C404 add esp, 00000004
:0041D5FD 3BFD cmp edi, ebp
:0041D5FF 0F85E2000000 jne 0041D6E7        ; if not equal , jump away
:0041D605 55 push ebp
:0041D606 8D4C2470 lea ecx, dword ptr [esp+70]
:0041D60A E821180500 call 0046EE30                        <== you land here
:0041D60F 8D4C246C lea ecx, dword ptr [esp+6C]
:0041D613 C684244C01000001 mov byte ptr [esp+0000014C], 01
:0041D61B E860340800 call 004A0A80
:0041D620 83F801 cmp eax, 00000001
:0041D623 7575 jne 0041D69A
:0041D625 8B9424C8000000 mov edx, dword ptr [esp+000000C8]
:0041D62C 52 push edx
:0041D62D E88EE7FFFF call 0041BDC0        <== suspicious call
                                          ; check if it has to display the error message

:0041D632 83C404 add esp, 00000004
:0041D635 85C0 test eax, eax                ; check eax
:0041D637 7423 je 0041D65C                  ; if eax was not 1 then jump to (THERE) to display the error message (see below)
:0041D639 8B8424C8000000 mov eax, dword ptr [esp+000000C8]
:0041D640 B930F14F00 mov ecx, 004FF130
:0041D645 50 push eax

* Possible StringData Ref from Data Obj ->"Registration Key"
|
:0041D646 682C914F00 push 004F912C

* Possible StringData Ref from Data Obj ->"Settings"
|
:0041D64B 6820914F00 push 004F9120
:0041D650 E8D7E10800 call 004AB82C
:0041D655 BF01000000 mov edi, 00000001
:0041D65A EB3E jmp 0041D69A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:            (THERE)
|:0041D637(C)
|
:0041D65C 8B0D20AF4F00 mov ecx, dword ptr [004FAF20]
:0041D662 894C2410 mov dword ptr [esp+10], ecx

* Possible Reference to String Resource ID=57679: "MixMeister was unable to validate your key. Please ensure th"
|
:0041D666 684FE10000 push 0000E14F
:0041D66B 8D4C2414 lea ecx, dword ptr [esp+14]
:0041D66F C684245001000002 mov byte ptr [esp+00000150], 02
...

If you look around you'll find the error message too.  It's at address 0041D65C (we're lucky, we don't have to search a second time :o).  It will be displayed if eax is not 1 after calling 0041BDC0.  Most likely that is the serial check routine.  We find the proof at address 0041D5F3, because the same call is made there to decide whether the serial dialog box has to be displayed or not.  We can begin patching right now.

3) Patching

I'm gonna use the same method I patched Virtual Turntables with, so I'm not going to give the full explanation.  What we're doing is patching the check routine so it always returns 1 in eax.

THE PATCH

:0041BDC0 mov eax, 1    ; move 1 into the eax register
:0041BDC5 ret           ; return to the caller (= exit the function)

Open Hiew, switch to decode mode (F4, F3), goto '.0041BDC0' and add (F3,F2) the instructions 'mov eax,1' and 'ret'.  Update the file (F9) and exit Hiew.
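Seen from the other side, a program (or an analyst) can spot exactly this kind of patch: a check routine whose first bytes have become 'mov eax, imm32 ; ret', or whose bytes no longer match a known-good digest.  This is an added example, not code from the tutorial or from MixMeister; the "original" bytes of 0041BDC0 are a constructed placeholder, since the page does not show them.

```python
import hashlib
import struct

# Constructed sample: 16 bytes standing in for the start of the check routine
# at 0041BDC0.  ORIGINAL is a placeholder prologue (the real bytes are not on
# the page); PATCHED is the same region after 'mov eax,1 ; ret' was written.
BASE_VA = 0x0041BDC0
ORIGINAL = bytes.fromhex("55 8B EC 83 EC 10 56 57 8B 75 08 85 F6 74 20 8B")
PATCHED = bytes.fromhex("B8 01 00 00 00 C3 56 57 8B 75 08 85 F6 74 20 8B")


def constant_return_stub(code: bytes, va: int, base: int = BASE_VA):
    """Return the immediate if the function at `va` begins with
    'mov eax, imm32 ; ret' (opcode B8 xx xx xx xx C3), otherwise None."""
    off = va - base
    if off < 0 or off + 6 > len(code):
        return None
    if code[off] == 0xB8 and code[off + 5] == 0xC3:
        return struct.unpack_from("<I", code, off + 1)[0]
    return None


def region_digest(code: bytes, va: int, length: int, base: int = BASE_VA) -> str:
    """SHA-256 of `length` bytes of code starting at virtual address `va`."""
    off = va - base
    return hashlib.sha256(code[off:off + length]).hexdigest()


def verify_check_routine(code: bytes, expected_digest: str,
                         va: int = BASE_VA, length: int = 16):
    """Tamper check over the check routine: report a constant-return stub
    and/or a digest mismatch.  An empty list means the region is intact."""
    findings = []
    imm = constant_return_stub(code, va)
    if imm is not None:
        findings.append(f"{va:08X}: constant-return stub (eax={imm})")
    if region_digest(code, va, length) != expected_digest:
        findings.append(f"{va:08X}: digest mismatch")
    return findings


if __name__ == "__main__":
    good = region_digest(ORIGINAL, BASE_VA, 16)
    print("original:", verify_check_routine(ORIGINAL, good) or "intact")
    print("patched: ", verify_check_routine(PATCHED, good))
```

The digest comparison catches any byte change in the region; the stub pattern additionally names the specific 'always return 1' shape this tutorial produces.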

4) Testing

Run MixMeister and you'll see it no longer asks for a serial.  Job done.
(note: When you now go to the about box you'll find a registration key there!  I tried it, but unfortunately it doesn't work.  I reported that bug to the MixMeister team but I didn't get a reply... ;o)

Thanks to Krobar and his website where I learned how to do all this stuff...

Watch out for new tut's from me and others at 'tHe Krobar Collection'!

©2002 grotesmurf
email: grotesmurf@skynet.be
homepage: grotesmurf.cjb.net
