iOpus Password Recovery XP

By +Jonathan

6-13-2002

 

*Price: $30

*Protection: Serial Number

 

   This software needs only an “Active Key”, so SoftICE would be the natural tool (bpx GetWindowTextA, or s 30:0 l ffffffff “12345678”, would indeed work fine), but let’s practice the dead-listing method this time (W32Dasm 8.93).

 

  First of all, type “12345678” as the activation key and press [Click to activate]. A message box pops up telling us the code is wrong (press No).

Let’s analyse the code:

Searching the dead listing for “sorry” soon lands us in the protection scheme. ^_^

 

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040185F(C)
|
:00401915 E856030000       call 00401C70
:0040191A 50               push eax
:0040191B 51               push ecx
:0040191C 8BCC             mov ecx, esp
:0040191E 89642420         mov dword ptr [esp+20], esp

* Possible StringData Ref from Data Obj ->"Sorry, wrong activation code entered! "
                                        ->"Please note that the activation "
                                        ->"is case sensitive, e. g. "Hello" "
                                        ->"is not the same as "HELLO". "
                                  |
:00401922 682C714300       push 0043712C
:00401927 E859040200       call 00421D85
:0040192C 51               push ecx
:0040192D C744243002000000 mov [esp+30], 00000002
:00401935 8BCC             mov ecx, esp
:00401937 89642420         mov dword ptr [esp+20], esp

OK, let’s use the back-trace method: search for 0040185F, the jump that brought us here (see the reference data at the top of the listing).

 

:0040184C E8FF050200       call 00421E50
:00401851 E8DA640000       call 00407D30                 *protection scheme*
:00401856 84C0             test al, al                   *compare the flag*
:00401858 6A44             push 00000044
:0040185A B954D44300       mov ecx, 0043D454
:0040185F 0F84B0000000     je 00401915                   *here*
:00401865 E806040000       call 00401C70
:0040186A 50               push eax
:0040186B 51               push ecx
:0040186C 8BCC             mov ecx, esp
:0040186E 8964241C         mov dword ptr [esp+1C], esp

* Possible StringData Ref from Data Obj ->"The software is now activated. "
                                        ->"Thank you for using iOpus Software."
                                  |
:00401872 688C724300       push 0043728C
:00401877 E809050200       call 00421D85
:0040187C 51               push ecx
:0040187D C744243000000000 mov [esp+30], 00000000
:00401885 8BCC             mov ecx, esp
:00401887 89642424         mov dword ptr [esp+24], esp

Please DO NOT simply change the jump at 0040185F: it doesn’t work (actually it works only sometimes), because this time the registered and unregistered paths share the same CALL (call 00421D85)!!!!!

Since something must set AL before the test al, al can compare it, we should work on the nearest CALL above it (call 00407D30 at 00401851). Set a breakpoint on it and press F7 to step into the call. I only show you the “red track” at the end of the call:

Yes!!! It is very obvious now: it doesn’t move 01 into al!!!!

Therefore let’s quickly crack this one:

Search: 5B 75 04 B0 01 59 C3

Modify: ===74============
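The weakness exposed above is a single conditional jump guarding a one-byte boolean in al. As an added example (not from this page and not iOpus’s code), here is the kind of build-time digest self-check a developer could embed to notice that the bytes of that check have been altered; the image bytes are constructed around the seven-byte tail the text lists, and CHECK_OFFSET, patch_byte and the NOP/INT3 padding are assumptions for the demonstration.

```python
import hashlib

# Constructed sample, not bytes read from the real program: the seven-byte tail of the
# activation check as the page lists it (pop ebx; jne +4; mov al,1; pop ecx; ret).
CHECK_TAIL = bytes.fromhex("5B7504B00159C3")
CHECK_OFFSET = 16  # assumed position of the tail inside the constructed image below

# The only two opcodes this tiny decoder needs to name: short je / jne.
SHORT_JCC = {0x74: "je", 0x75: "jne"}

def describe_branch(code: bytes, offset: int) -> str:
    """Name the short conditional jump at `offset`, or 'other' if it is not one."""
    return SHORT_JCC.get(code[offset], "other")

def build_sample_image(tail: bytes) -> bytes:
    """Constructed 'image': NOP padding, the check tail, then INT3 filler."""
    return b"\x90" * CHECK_OFFSET + tail + b"\xCC" * 8

def region_digest(image: bytes, offset: int, length: int) -> str:
    """SHA-256 of one code region; the build-time value is what gets embedded."""
    return hashlib.sha256(image[offset:offset + length]).hexdigest()

def patch_byte(image: bytes, offset: int, value: int) -> bytes:
    """Return a copy of the image with one byte replaced (simulates tampering)."""
    edited = bytearray(image)
    edited[offset] = value
    return bytes(edited)

ORIGINAL_IMAGE = build_sample_image(CHECK_TAIL)
BUILD_DIGEST = region_digest(ORIGINAL_IMAGE, CHECK_OFFSET, len(CHECK_TAIL))

def tamper_detected(image: bytes) -> bool:
    """Runtime self-check: True if the guarded region no longer matches the build digest."""
    return region_digest(image, CHECK_OFFSET, len(CHECK_TAIL)) != BUILD_DIGEST

if __name__ == "__main__":
    # The one-byte change the text describes, applied to the constructed image only.
    tampered = patch_byte(ORIGINAL_IMAGE, CHECK_OFFSET + 1, 0x74)
    print("original:", describe_branch(ORIGINAL_IMAGE, CHECK_OFFSET + 1), tamper_detected(ORIGINAL_IMAGE))
    print("tampered:", describe_branch(tampered, CHECK_OFFSET + 1), tamper_detected(tampered))
```

A digest check is itself just more code, so it raises the cost of tampering rather than removing the risk; the more durable fix is not funnelling the whole decision through one boolean returned in al.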

Want more essays or have any questions?

Please e-mail +Jonathan, and I will reply to EVERY letter:

aikawa-nanase7511@juno.com