Promax - Tutorial: Registration of Irfan View

Program:      Irfan View v2.90
Description:  Picture viewer
Author:       (c) Skiljan Irfan
Size:         781,824 bytes (I_View32.exe)
Used tool(s): W32Dasm 8.9 (W32DSM89)

1. First we must find out which kind of protection the program uses. Start "Irfan View" and open the menu "Über" (About); it already contains an option "Registrierung" (Registration). Click on "Registrierung" and a window opens where name and serial can be entered. So "Irfan View" uses a serial number as protection!
   To get a lead on the serial, enter arbitrary data into the registration dialog, e.g.
     Name:   Promax
     Serial: 112233445566
   and take careful note of the error message that appears; we will search for it in the listing.

2. Leave the program and load W32DASM89.

3. Disassemble I_View32.EXE (save the disassembly, to be on the safe side) and run the program under the debugger via [Debug/Load Process].

4. Search for the error message "Ungültige Registrierung" (Invalid registration) via [Refs/String Data References]; a double click on an entry jumps to the corresponding line of the listing. That string has too many references, so we look for "Registrierung erfolgreich !" (Registration successful!) instead.
This string is referenced only once, at 0043711F :)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004370B9(C)
|
* Reference To: KERNEL32.WritePrivateProfileStringA, Ord:027Fh
|
:004370E7 8B358C264C00    mov esi, dword ptr [004C268C]
:004370ED 8D8C2438060000  lea ecx, dword ptr [esp+00000638]
* Possible StringData Ref from Data Obj ->"I_VIEW32.INI"     ; keep in mind
|
:004370F4 68F0DB4900      push 0049DBF0
:004370F9 51              push ecx
* Possible StringData Ref from Data Obj ->"Name"
|
:004370FA 68E8DB4900      push 0049DBE8
* Possible StringData Ref from Data Obj ->"Registration"
|
:004370FF 68D8DB4900      push 0049DBD8
:00437104 FFD6            call esi                      ; WritePrivateProfileString("Registration", "Name", name, "I_VIEW32.INI")
:00437106 8D942438070000  lea edx, dword ptr [esp+00000738]
* Possible StringData Ref from Data Obj ->"I_VIEW32.INI"
|
:0043710D 68F0DB4900      push 0049DBF0
:00437112 52              push edx
* Possible StringData Ref from Data Obj ->"Code"
|
:00437113 68D0DB4900      push 0049DBD0
* Possible StringData Ref from Data Obj ->"Registration"
|
:00437118 68D8DB4900      push 0049DBD8
:0043711D FFD6            call esi                      ; WritePrivateProfileString("Registration", "Code", serial, "I_VIEW32.INI")
* Possible StringData Ref from Data Obj ->"Registrierung erfolgreich !"
|
:0043711F A1C0084A00      mov eax, dword ptr [004A08C0]
:00437124 8B0D305A4B00    mov ecx, dword ptr [004B5A30]
:0043712A 6A40            push 00000040                 ; MB_ICONINFORMATION
:0043712C 68606B4B00      push 004B6B60
:00437131 50              push eax
:00437132 51              push ecx
* Reference To: USER32.MessageBoxA, Ord:0195h
|
:00437133 FF152C284C00    Call dword ptr [004C282C]
:00437139 33C0            xor eax, eax
:0043713B 5F              pop edi
:0043713C 5E              pop esi
:0043713D 5D              pop ebp
:0043713E 5B              pop ebx
:0043713F 81C434090000    add esp, 00000934
:00437145 C21000          ret 0010

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00437029(C), :00437041(C)
|
* Possible StringData Ref from Data Obj ->"Falscher Name !"    ; "Wrong name!"
|
:00437148 8B15B4084A00    mov edx, dword ptr [004A08B4]
:0043714E A1305A4B00      mov eax, dword ptr [004B5A30]
:00437153 6830200000      push 00002030                 ; MB_ICONEXCLAMATION | MB_TASKMODAL
:00437158 68606B4B00      push 004B6B60
:0043715D 52              push edx
:0043715E 50              push eax
* Reference To: USER32.MessageBoxA, Ord:0195h
|
:0043715F FF152C284C00    Call dword ptr [004C282C]
:00437165 33C0            xor eax, eax
:00437167 5F              pop edi
:00437168 5E              pop esi
:00437169 5D              pop ebp
:0043716A 5B              pop ebx
:0043716B 81C434090000    add esp, 00000934
:00437171 C21000          ret 0010

We can see that the registration data is stored in an INI file: section "Registration", keys "Name" and "Code" in I_VIEW32.INI.

5. Now we must find the jump to the successful-registration message. Choose the menu [Goto] and the option [Goto Code Location] and enter the address 004370B9.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00437088(C)
|
:0043709F 8D842438070000  lea eax, dword ptr [esp+00000738]
:004370A6 8D8C2438060000  lea ecx, dword ptr [esp+00000638]
:004370AD 50              push eax                      ; our (wrong) serial
:004370AE 51              push ecx                      ; our name
:004370AF E8DC2FFEFF      call 0041A090                 ; calculate the good serial and compare it with ours
:004370B4 83C408          add esp, 00000008
:004370B7 85C0            test eax, eax
:004370B9 752C            jne 004370E7                  ; eax != 0: jump to the "Registrierung erfolgreich !" message
* Possible StringData Ref from Data Obj ->"Ung"
|
:004370BB 8B15BC084A00    mov edx, dword ptr [004A08BC]
:004370C1 A1305A4B00      mov eax, dword ptr [004B5A30]
:004370C6 6830200000      push 00002030                 ; MB_ICONEXCLAMATION | MB_TASKMODAL
:004370CB 68606B4B00      push 004B6B60
:004370D0 52              push edx
:004370D1 50              push eax
* Reference To: USER32.MessageBoxA, Ord:0195h
|
:004370D2 FF152C284C00    Call dword ptr [004C282C]
:004370D8 33C0            xor eax, eax
:004370DA 5F              pop edi
:004370DB 5E              pop esi
:004370DC 5D              pop ebp
:004370DD 5B              pop ebx
:004370DE 81C434090000    add esp, 00000934
:004370E4 C21000          ret 0010

The string reference below the jump is displayed only as "Ung": it is the "Ungültige Registrierung" message, which W32Dasm cuts off at the umlaut. Now we set a breakpoint at address 004370AF. Nothing useful shows up there: the routine at 0041A090 receives our name and serial and hands back only a flag in eax. So we step into the calculation.
* Referenced by a CALL at Addresses:
|:0041ABDC   , :00436FCB   , :004370AF
|
:0041A090 8B442408        mov eax, dword ptr [esp+08]   ; our serial (string)
:0041A094 83EC14          sub esp, 00000014
:0041A097 53              push ebx
:0041A098 55              push ebp
:0041A099 56              push esi
:0041A09A 57              push edi
:0041A09B 50              push eax
:0041A09C 33DB            xor ebx, ebx
:0041A09E E89D770600      call 00481840                 ; atol(serial)
:0041A0A3 8B74242C        mov esi, dword ptr [esp+2C]   ; esi = our name
:0041A0A7 8BE8            mov ebp, eax                  ; ebp = numeric value of our serial
:0041A0A9 8BFE            mov edi, esi
:0041A0AB 83C9FF          or ecx, FFFFFFFF
:0041A0AE 33C0            xor eax, eax
:0041A0B0 83C404          add esp, 00000004
:0041A0B3 33D2            xor edx, edx
:0041A0B5 F2              repnz
:0041A0B6 AE              scasb                         ; strlen(name)
:0041A0B7 F7D1            not ecx
:0041A0B9 49              dec ecx
:0041A0BA 85C9            test ecx, ecx
:0041A0BC 7E17            jle 0041A0D5                  ; empty name: sum stays 0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041A0D3(C)
|
:0041A0BE 0FBE0C32        movsx ecx, byte ptr [edx+esi] ; loop over the name: ebx += (signed char) name[edx]
:0041A0C2 03D9            add ebx, ecx
:0041A0C4 8BFE            mov edi, esi
:0041A0C6 83C9FF          or ecx, FFFFFFFF
:0041A0C9 33C0            xor eax, eax
:0041A0CB 42              inc edx
:0041A0CC F2              repnz
:0041A0CD AE              scasb
:0041A0CE F7D1            not ecx
:0041A0D0 49              dec ecx
:0041A0D1 3BD1            cmp edx, ecx
:0041A0D3 7CE9            jl 0041A0BE

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041A0BC(C)
|
:0041A0D5 B804010000      mov eax, 00000104
:0041A0DA 6A0A            push 0000000A                 ; radix 10
:0041A0DC 2BC3            sub eax, ebx
:0041A0DE 99              cdq
:0041A0DF 33C2            xor eax, edx
:0041A0E1 2BC2            sub eax, edx                  ; eax = |0x104 - sum|
:0041A0E3 054C010000      add eax, 0000014C             ; eax += 0x14C
:0041A0E8 8BD0            mov edx, eax
:0041A0EA C1E203          shl edx, 03
:0041A0ED 2BD0            sub edx, eax                  ; edx = 7*eax
:0041A0EF 8D0C90          lea ecx, dword ptr [eax+4*edx] ; ecx = 29*eax
:0041A0F2 8D542414        lea edx, dword ptr [esp+14]   ; buffer for the digits
:0041A0F6 52              push edx
:0041A0F7 8D3448          lea esi, dword ptr [eax+2*ecx] ; esi = 59*eax
:0041A0FA C1E603          shl esi, 03                   ; esi = 472*eax
:0041A0FD 56              push esi
:0041A0FE E89D360700      call 0048D7A0                 ; itoa(esi, buf, 10); buf is [esp+10] from here on
:0041A103 83C40C          add esp, 0000000C
:0041A106 81FE3F420F00    cmp esi, 000F423F             ; 999999
:0041A10C 0F87ED000000    ja 0041A1FF                   ; seven or more digits: second branch
:0041A112 8A4C2414        mov cl, byte ptr [esp+14]     ; six-digit branch: b0..b5 are the ASCII digits in buf
:0041A116 8A442415        mov al, byte ptr [esp+15]
:0041A11A 8A542413        mov dl, byte ptr [esp+13]
:0041A11E 884C2416        mov byte ptr [esp+16], cl     ; buf[6] = b4
:0041A122 8A4C2411        mov cl, byte ptr [esp+11]
:0041A126 88442418        mov byte ptr [esp+18], al     ; buf[8] = b5
:0041A12A 8A442412        mov al, byte ptr [esp+12]
:0041A12E 88542415        mov byte ptr [esp+15], dl     ; buf[5] = b3
:0041A132 884C2412        mov byte ptr [esp+12], cl     ; buf[2] = b1
:0041A136 8B4C2414        mov ecx, dword ptr [esp+14]
:0041A13A 81E1FF000000    and ecx, 000000FF             ; ecx = b4
:0041A140 88442413        mov byte ptr [esp+13], al     ; buf[3] = b2
:0041A144 8BC1            mov eax, ecx
:0041A146 C1E005          shl eax, 05
:0041A149 2BC1            sub eax, ecx                  ; eax = 31*b4
:0041A14B 8B4C2418        mov ecx, dword ptr [esp+18]
:0041A14F 81E1FF000000    and ecx, 000000FF             ; ecx = b5
:0041A155 8D1440          lea edx, dword ptr [eax+2*eax] ; edx = 93*b4
:0041A158 8D0489          lea eax, dword ptr [ecx+4*ecx]
:0041A15B C1E003          shl eax, 03
:0041A15E 2BC1            sub eax, ecx                  ; eax = 39*b5
:0041A160 2BC2            sub eax, edx
:0041A162 99              cdq
:0041A163 8BC8            mov ecx, eax
:0041A165 33CA            xor ecx, edx
:0041A167 2BCA            sub ecx, edx                  ; ecx = |39*b5 - 93*b4|
:0041A169 8D0489          lea eax, dword ptr [ecx+4*ecx]
:0041A16C C1E003          shl eax, 03
:0041A16F 2BC1            sub eax, ecx                  ; eax = 39*ecx
:0041A171 B909000000      mov ecx, 00000009
:0041A176 99              cdq
:0041A177 F7F9            idiv ecx
:0041A179 83C230          add edx, 00000030
:0041A17C 88542417        mov byte ptr [esp+17], dl     ; buf[7] = '0' + (39*|39*b5 - 93*b4|) % 9
:0041A180 8B442415        mov eax, dword ptr [esp+15]
:0041A184 25FF000000      and eax, 000000FF             ; eax = b3
:0041A189 8D14C0          lea edx, dword ptr [eax+8*eax]
:0041A18C 8D0C90          lea ecx, dword ptr [eax+4*edx] ; ecx = 37*b3
:0041A18F 8B442413        mov eax, dword ptr [esp+13]
:0041A193 25FF000000      and eax, 000000FF             ; eax = b2
:0041A198 8D1440          lea edx, dword ptr [eax+2*eax]
:0041A19B C1E204          shl edx, 04
:0041A19E 2BD0            sub edx, eax                  ; edx = 47*b2
:0041A1A0 8D044A          lea eax, dword ptr [edx+2*ecx] ; eax = 47*b2 + 74*b3
:0041A1A3 99              cdq
:0041A1A4 33C2            xor eax, edx
:0041A1A6 2BC2            sub eax, edx
:0041A1A8 8D0CC0          lea ecx, dword ptr [eax+8*eax]
:0041A1AB 8D0488          lea eax, dword ptr [eax+4*ecx] ; eax = 37*eax
:0041A1AE B909000000      mov ecx, 00000009
:0041A1B3 D1E0            shl eax, 1                    ; eax = 74*(47*b2 + 74*b3)
:0041A1B5 99              cdq
:0041A1B6 F7F9            idiv ecx
:0041A1B8 83C230          add edx, 00000030
:0041A1BB 88542414        mov byte ptr [esp+14], dl     ; buf[4] = '0' + (74*(47*b2 + 74*b3)) % 9
:0041A1BF 8B4C2411        mov ecx, dword ptr [esp+11]
:0041A1C3 81E1FF000000    and ecx, 000000FF             ; ecx = b1
:0041A1C9 8BC1            mov eax, ecx
:0041A1CB C1E003          shl eax, 03
:0041A1CE 2BC1            sub eax, ecx                  ; eax = 7*b1
:0041A1D0 8B4C2410        mov ecx, dword ptr [esp+10]
:0041A1D4 81E1FF000000    and ecx, 000000FF             ; ecx = b0
:0041A1DA 8D1480          lea edx, dword ptr [eax+4*eax] ; edx = 35*b1
:0041A1DD 8D0449          lea eax, dword ptr [ecx+2*ecx]
:0041A1E0 8D04C0          lea eax, dword ptr [eax+8*eax]
:0041A1E3 D1E0            shl eax, 1
:0041A1E5 2BC1            sub eax, ecx                  ; eax = 53*b0
:0041A1E7 2BC2            sub eax, edx
:0041A1E9 99              cdq
:0041A1EA 8BC8            mov ecx, eax
:0041A1EC 33CA            xor ecx, edx
:0041A1EE 2BCA            sub ecx, edx                  ; ecx = |53*b0 - 35*b1|
:0041A1F0 8D0449          lea eax, dword ptr [ecx+2*ecx]
:0041A1F3 8D04C0          lea eax, dword ptr [eax+8*eax]
:0041A1F6 D1E0            shl eax, 1
:0041A1F8 2BC1            sub eax, ecx                  ; eax = 53*ecx, goes into buf[1] at 0041A2FC
:0041A1FA E9ED000000      jmp 0041A2EC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041A10C(C)
|
:0041A1FF 8A442415        mov al, byte ptr [esp+15]     ; seven-digit branch: b0..b6 in buf, b3 is never used
:0041A203 8A542416        mov dl, byte ptr [esp+16]
:0041A207 8A4C2414        mov cl, byte ptr [esp+14]
:0041A20B 88442416        mov byte ptr [esp+16], al     ; buf[6] = b5
:0041A20F 8A442411        mov al, byte ptr [esp+11]
:0041A213 88542418        mov byte ptr [esp+18], dl     ; buf[8] = b6
:0041A217 8A542412        mov dl, byte ptr [esp+12]
:0041A21B 88442412        mov byte ptr [esp+12], al     ; buf[2] = b1
:0041A21F 8B442416        mov eax, dword ptr [esp+16]
:0041A223 884C2415        mov byte ptr [esp+15], cl     ; buf[5] = b4
:0041A227 25FF000000      and eax, 000000FF             ; eax = b5
:0041A22C 88542413        mov byte ptr [esp+13], dl     ; buf[3] = b2
:0041A230 8BC8            mov ecx, eax
:0041A232 C1E106          shl ecx, 06
:0041A235 2BC8            sub ecx, eax                  ; ecx = 63*b5
:0041A237 8B442418        mov eax, dword ptr [esp+18]
:0041A23B 25FF000000      and eax, 000000FF             ; eax = b6
:0041A240 8D04C0          lea eax, dword ptr [eax+8*eax]
:0041A243 C1E002          shl eax, 02                   ; eax = 36*b6
:0041A246 2BC1            sub eax, ecx
:0041A248 B909000000      mov ecx, 00000009
:0041A24D 99              cdq
:0041A24E 33C2            xor eax, edx
:0041A250 2BC2            sub eax, edx                  ; eax = |36*b6 - 63*b5|
:0041A252 8D04C0          lea eax, dword ptr [eax+8*eax]
:0041A255 C1E002          shl eax, 02                   ; eax = 36*eax
:0041A258 99              cdq
:0041A259 F7F9            idiv ecx
:0041A25B 83C230          add edx, 00000030
:0041A25E 88542417        mov byte ptr [esp+17], dl     ; buf[7] = '0' + (36*|36*b6 - 63*b5|) % 9, always '0'
:0041A262 8B442414        mov eax, dword ptr [esp+14]
:0041A266 25FF000000      and eax, 000000FF             ; eax = b4
:0041A26B 83C020          add eax, 00000020             ; eax = b4 + 32
:0041A26E 8BD0            mov edx, eax
:0041A270 C1E203          shl edx, 03
:0041A273 2BD0            sub edx, eax
:0041A275 8D0490          lea eax, dword ptr [eax+4*edx]
:0041A278 8D0C40          lea ecx, dword ptr [eax+2*eax] ; ecx = 87*(b4 + 32)
:0041A27B 8B442413        mov eax, dword ptr [esp+13]
:0041A27F 25FF000000      and eax, 000000FF             ; eax = b2
:0041A284 8D1480          lea edx, dword ptr [eax+4*eax]
:0041A287 C1E203          shl edx, 03
:0041A28A 2BD0            sub edx, eax                  ; edx = 39*b2
:0041A28C 8D0451          lea eax, dword ptr [ecx+2*edx] ; eax = 87*(b4 + 32) + 78*b2
:0041A28F 99              cdq
:0041A290 33C2            xor eax, edx
:0041A292 2BC2            sub eax, edx
:0041A294 8BC8            mov ecx, eax
:0041A296 C1E103          shl ecx, 03
:0041A299 2BC8            sub ecx, eax
:0041A29B 8D0488          lea eax, dword ptr [eax+4*ecx]
:0041A29E B909000000      mov ecx, 00000009
:0041A2A3 8D0440          lea eax, dword ptr [eax+2*eax] ; eax = 87*eax
:0041A2A6 99              cdq
:0041A2A7 F7F9            idiv ecx
:0041A2A9 80C230          add dl, 30
:0041A2AC 88542414        mov byte ptr [esp+14], dl     ; buf[4] = '0' + (87*(87*(b4 + 32) + 78*b2)) % 9
:0041A2B0 8B4C2411        mov ecx, dword ptr [esp+11]
:0041A2B4 81E1FF000000    and ecx, 000000FF             ; ecx = b1
:0041A2BA 8BC1            mov eax, ecx
:0041A2BC C1E004          shl eax, 04
:0041A2BF 03C1            add eax, ecx
:0041A2C1 8D1480          lea edx, dword ptr [eax+4*eax] ; edx = 85*b1
:0041A2C4 8B442410        mov eax, dword ptr [esp+10]
:0041A2C8 25FF000000      and eax, 000000FF             ; eax = b0
:0041A2CD 8BC8            mov ecx, eax
:0041A2CF C1E103          shl ecx, 03
:0041A2D2 2BC8            sub ecx, eax
:0041A2D4 8D0488          lea eax, dword ptr [eax+4*ecx]
:0041A2D7 D1E0            shl eax, 1                    ; eax = 58*b0
:0041A2D9 2BC2            sub eax, edx
:0041A2DB 99              cdq
:0041A2DC 33C2            xor eax, edx
:0041A2DE 2BC2            sub eax, edx                  ; eax = |58*b0 - 85*b1|
:0041A2E0 8BD0            mov edx, eax
:0041A2E2 C1E203          shl edx, 03
:0041A2E5 2BD0            sub edx, eax
:0041A2E7 8D0490          lea eax, dword ptr [eax+4*edx]
:0041A2EA D1E0            shl eax, 1                    ; eax = 58*eax, goes into buf[1]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041A1FA(U)
|
:0041A2EC 99              cdq
:0041A2ED B909000000      mov ecx, 00000009
:0041A2F2 C644241900      mov [esp+19], 00              ; terminate the nine-character string
:0041A2F7 F7F9            idiv ecx
:0041A2F9 83C230          add edx, 00000030
:0041A2FC 88542411        mov byte ptr [esp+11], dl     ; buf[1] = '0' + eax % 9
:0041A300 8D542410        lea edx, dword ptr [esp+10]
:0041A304 52              push edx
:0041A305 E836750600      call 00481840                 ; atol(buf): the good serial as a number
:0041A30A 83C404          add esp, 00000004
:0041A30D 33C9            xor ecx, ecx
:0041A30F 3BE8            cmp ebp, eax                  ; our serial against the good one: here we set a breakpoint
:0041A311 5F              pop edi
:0041A312 5E              pop esi
:0041A313 0F94C1          sete cl
:0041A316 5D              pop ebp
:0041A317 8BC1            mov eax, ecx                  ; return 1 if equal, otherwise 0
:0041A319 5B              pop ebx
:0041A31A 83C414          add esp, 00000014
:0041A31D C3              ret

This is the end of the calculation.

6. At address 0041A30F we set our first breakpoint with [F2]. Then we switch to "Irfan View" and enter our name and a dummy code, e.g.
     Name:          Promax
     Register Code: 112233445566

7. After entering the data, W32Dasm breaks at our breakpoint. Now we can look at the registers eax and ebp:
     ebp : 21A278BE (h) -> our wrong serial as a number. 112233445566 does not fit into 32 bits, so atol() wrapped it to 564295870 (d).
     eax : 1211FA6A (h) = 303168106 (d) -> the good serial, computed from our name. The digit string itself is at [esp+10].
   Let's test it. We disable all breakpoints (do not erase them!) and enter the number. It works!

8. Now we can register "Irfan View" with the serial we have found. As a result we get the message "Registrierung erfolgreich !", e.g.
     Name : Promax         Serial : 303168106
     Name : Dark Heaven    Serial : 541440008

9. Note: after the successful registration, "Irfan View" writes our data into the file "I_View32.ini" in the "Windows" directory!

I hope you have fun with cracking!

Promax [DOOM]
02.02.1999
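The routine at 0041A090 can be followed all the way through, so here is a keygen and a check re-implemented from the listing above. This is an added example, not code from the tutorial or from IrfanView; the function names (name_checksum, base_number, good_serial, atol32, check) are ours. It assumes the dialog hands the routine a single-byte ANSI string (modelled as Latin-1, which only matters for names with non-ASCII characters). The six-digit branch is confirmed by both sample serials on the page; the seven-digit branch (taken for very long names, checksum of roughly 2047 or more) is transcribed from the listing but no serial on the page exercises it.

```python
"""Keygen and serial check for the IrfanView 2.90 routine at 0041A090,
rebuilt from the W32Dasm listing (added example; names are ours)."""


def name_checksum(name: str) -> int:
    """Loop at 0041A0BE: ebx = sum of the name's bytes as signed chars (movsx).
    Assumption: the name arrives as a single-byte ANSI string, modelled as Latin-1."""
    return sum(b - 256 if b >= 0x80 else b for b in name.encode("latin-1"))


def base_number(name: str) -> int:
    """0041A0D5..0041A0FA: esi = 472 * (|0x104 - checksum| + 0x14C), then itoa(esi, buf, 10).
    The smallest possible value is 472 * 0x14C = 156704, so the buffer always has 6+ digits."""
    return 472 * (abs(0x104 - name_checksum(name)) + 0x14C)


def good_serial(name: str) -> str:
    """Rebuild the nine-character string that atol() reads at [esp+10] before the cmp at 0041A30F.
    b[i] are the ASCII codes of the itoa() digits, exactly as the listing masks them with 'and ..., 0FF'."""
    value = base_number(name)
    b = list(str(value).encode("ascii"))
    out = [0] * 9
    if value <= 0xF423F:  # <= 999999: six-digit branch at 0041A112 (verified with both sample serials)
        out[0] = b[0]
        out[1] = 0x30 + (53 * abs(53 * b[0] - 35 * b[1])) % 9
        out[2] = b[1]
        out[3] = b[2]
        out[4] = 0x30 + (74 * (47 * b[2] + 74 * b[3])) % 9
        out[5] = b[3]
        out[6] = b[4]
        out[7] = 0x30 + (39 * abs(39 * b[5] - 93 * b[4])) % 9
        out[8] = b[5]
    else:  # ja 0041A1FF: seven-digit branch, transcribed from the listing, not verified against a known serial.
        # Digit b[3] is overwritten before it is ever read, so it does not influence the result.
        out[0] = b[0]
        out[1] = 0x30 + (58 * abs(58 * b[0] - 85 * b[1])) % 9
        out[2] = b[1]
        out[3] = b[2]
        out[4] = 0x30 + (87 * (87 * (b[4] + 0x20) + 78 * b[2])) % 9
        out[5] = b[4]
        out[6] = b[5]
        out[7] = 0x30 + (36 * abs(36 * b[6] - 63 * b[5])) % 9  # 36*x is a multiple of 9: always '0'
        out[8] = b[6]
    return bytes(out).decode("ascii")


def atol32(s: str) -> int:
    """Model of the runtime's atol() as the tutorial observed it: digits are accumulated without an
    overflow check and the result is a 32-bit long, so "112233445566" shows up in ebp as 0x21A278BE."""
    s = s.lstrip()
    sign = 1
    if s and s[0] in "+-":
        sign = -1 if s[0] == "-" else 1
        s = s[1:]
    n = 0
    for ch in s:
        if not "0" <= ch <= "9":
            break
        n = n * 10 + ord(ch) - 0x30
    return (sign * n) & 0xFFFFFFFF


def check(name: str, serial: str) -> bool:
    """cmp ebp, eax / sete cl at 0041A30F: the entered serial must equal atol() of the rebuilt string."""
    return atol32(serial) == atol32(good_serial(name))


if __name__ == "__main__":
    for n in ("Promax", "Dark Heaven"):
        print(f"{n:12s} -> {good_serial(n)}  (itoa buffer: {base_number(n)})")
    print(hex(atol32("112233445566")), "is ebp at the breakpoint for the dummy serial")
```

Because the comparison is done on atol() results rather than on the strings, any entered number that is congruent to the good serial modulo 2^32 also passes under this model; that wrap is exactly why the twelve-digit dummy appeared in ebp as 21A278BE.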