Cracking Tutorial #80:
DLSUPERCBT 2.1c 10/28/02
[cracked bY:] sLeEpY¿[FWA/NWA/FTPR8Z] iN 12/2002
[difficulty:] beginner
[where:] http://www.dlsuperc.com
[tOOLz:] W32dasm 8.93 & Hiew
KANAL23 Tutorial
Introduction
So today my ISP decided not to let me connect because they have a problem, as usual, so I dug through some old programs and, being lazy today, I found a new copy of DLSuperCBT, a great, great binary file compare program coded in Delphi. Since my old copy was simple to crack and the tutorial sucked (#3, gimme a break), I might as well kill some time cracking this gem.
The Essay
Well, apparently this guy will not change his protection scheme. I've even emailed him about packing the program at least, and also told him I would code him a protection routine, but I think he is still mad at me as he won't reply to my emails anymore.
Since we cracked the first one a while back, let's remember that it was a keyfile, and yes, it still is. Actually it looks about the same to me. So let's make the backup copies and disassemble it in W32Dasm.
Click the "Strn Ref" button and look for ".lic", as it is our license file extension. Double-click it and you should land around here:
* Possible StringData Ref from Code Obj ->"DLSupCBT"       <- license file name
:004784AA 6860894700     push 00478960
* Possible StringData Ref from Code Obj ->".lic"           <- license file extension
:004784AF 686C8D4700     push 00478D6C
:004784B4 8D856CFCFFFF   lea eax, dword ptr [ebp+FFFFFC6C]
:004784BA BA04000000     mov edx, 00000004
:004784BF E810BBF8FF     call 00403FD4               <- joins the 4 pushed strings into the full path of the license file
:004784C4 8B856CFCFFFF   mov eax, dword ptr [ebp+FFFFFC6C]
:004784CA E86504F9FF     call 00408934               <- does that file exist? (al = 0 if not)
:004784CF 84C0           test al, al
:004784D1 0F8451010000   je 00478628                 <- jump to FAIL: 30-day eval if DLSupCBT.lic is not found
:004784D7 B201           mov dl, 01
:004784D9 A17CEE4000     mov eax, dword ptr [0040EE7C]
:004784DE E8F9AAF8FF     call 00402FDC               <- creates a helper object, kept in [ebp-14]
:004784E3 8945EC         mov dword ptr [ebp-14], eax
:004784E6 8B45FC         mov eax, dword ptr [ebp-04]
:004784E9 FFB0A4040000   push dword ptr [eax+000004A4]
:004784EF 6854894700     push 00478954
* Possible StringData Ref from Code Obj ->"DLSupCBT"       <- license file name again
:004784F4 6860894700     push 00478960
* Possible StringData Ref from Code Obj ->".lic"           <- extension
:004784F9 686C8D4700     push 00478D6C
:004784FE 8D8568FCFFFF   lea eax, dword ptr [ebp+FFFFFC68]
:00478504 BA04000000     mov edx, 00000004
:00478509 E8C6BAF8FF     call 00403FD4               <- the same path, built a second time
:0047850E 8B8D68FCFFFF   mov ecx, dword ptr [ebp+FFFFFC68]
:00478514 B201           mov dl, 01
* Possible StringData Ref from Code Obj ->"@.E"            <- not a string: W32Dasm misreading the class pointer loaded next
:00478516 A178274500     mov eax, dword ptr [00452778]
:0047851B E800A3FDFF     call 00452820               <- opens the license file (path in ecx) as an object, kept in [ebp-10]
:00478520 8945F0         mov dword ptr [ebp-10], eax
:00478523 8B4DEC         mov ecx, dword ptr [ebp-14]
* Possible StringData Ref from Code Obj ->"DLSupCBT"
:00478526 BA60894700     mov edx, 00478960
:0047852B 8B45F0         mov eax, dword ptr [ebp-10]
:0047852E 8B18           mov ebx, dword ptr [eax]
:00478530 FF5340         call [ebx+40]               <- helper object (ecx) + section name (edx): looks like the section being read into the helper
:00478533 8B45E4         mov eax, dword ptr [ebp-1C]
:00478536 50             push eax
:00478537 8D8564FCFFFF   lea eax, dword ptr [ebp+FFFFFC64]
:0047853D 50             push eax
* Possible StringData Ref from Code Obj ->"PgmId"          <- key inside our license file
:0047853E B97C8D4700     mov ecx, 00478D7C
* Possible StringData Ref from Code Obj ->"DLSupCBT"       <- section name
:00478543 BA60894700     mov edx, 00478960
:00478548 8B45F0         mov eax, dword ptr [ebp-10]
:0047854B 8B18           mov ebx, dword ptr [eax]
:0047854D FF13           call dword ptr [ebx]        <- read "PgmId" from section "DLSupCBT" (section, key, default), result goes to [ebp-1C]
:0047854F 8B9564FCFFFF   mov edx, dword ptr [ebp+FFFFFC64]
:00478555 8D45E4         lea eax, dword ptr [ebp-1C]
:00478558 E8CFB7F8FF     call 00403D2C
:0047855D 33C0           xor eax, eax
:0047855F 55             push ebp
:00478560 681E864700     push 0047861E
:00478565 64FF30         push dword ptr fs:[eax]
:00478568 648920         mov dword ptr fs:[eax], esp <- Delphi try/finally frame, not part of the check
:0047856B 8B45EC         mov eax, dword ptr [ebp-14]
:0047856E 8B10           mov edx, dword ptr [eax]
:00478570 FF5214         call [edx+14]
:00478573 83F802         cmp eax, 00000002
:00478576 0F8598000000   jne 00478614                <- jump to FAIL unless the helper object reports exactly 2 (reads as an entry count: two keys expected). This is NOT the program-ID compare, that comes next
:0047857C 8D8560FCFFFF   lea eax, dword ptr [ebp+FFFFFC60]
:00478582 BAA0134800     mov edx, 004813A0
:00478587 B907000000     mov ecx, 00000007
:0047858C E833B9F8FF     call 00403EC4               <- builds a 7-byte string from the constant at 004813A0 (W32Dasm shows no string ref for it)
:00478591 8B9560FCFFFF   mov edx, dword ptr [ebp+FFFFFC60]
:00478597 8B45E4         mov eax, dword ptr [ebp-1C]
:0047859A E885BAF8FF     call 00404024               <- string compare: PgmId from the file vs. that 7-byte constant
:0047859F 7573           jne 00478614                <- jump to FAIL if the program ID is wrong
:004785A1 8B45E8         mov eax, dword ptr [ebp-18]
:004785A4 50             push eax
:004785A5 8D855CFCFFFF   lea eax, dword ptr [ebp+FFFFFC5C]
:004785AB 50             push eax
* Possible StringData Ref from Code Obj ->"UserId"         <- key inside our license file
:004785AC B98C8D4700     mov ecx, 00478D8C
* Possible StringData Ref from Code Obj ->"DLSupCBT"       <- section name
:004785B1 BA60894700     mov edx, 00478960
:004785B6 8B45F0         mov eax, dword ptr [ebp-10]
:004785B9 8B18           mov ebx, dword ptr [eax]
:004785BB FF13           call dword ptr [ebx]        <- read "UserId" from section "DLSupCBT", result goes to [ebp-18]
:004785BD 8B955CFCFFFF   mov edx, dword ptr [ebp+FFFFFC5C]
:004785C3 8D45E8         lea eax, dword ptr [ebp-18]
:004785C6 E861B7F8FF     call 00403D2C
:004785CB 8B45FC         mov eax, dword ptr [ebp-04]
:004785CE 8B80E0020000   mov eax, dword ptr [eax+000002E0]
:004785D4 8B55E8         mov edx, dword ptr [ebp-18]
:004785D7 E83C61FBFF     call 0042E718               <- the UserId string becomes the displayed registered owner
:004785DC 8B45FC         mov eax, dword ptr [ebp-04]
:004785DF 80B8EE06000000 cmp byte ptr [eax+000006EE], 00
:004785E6 750F           jne 004785F7
:004785E8 8D45E0         lea eax, dword ptr [ebp-20]
* Possible StringData Ref from Code Obj ->"(Registered) DLSuperCBT Resynchronizing "
                                        ->"Byte Compare Program "      <- all right!
:004785EB BA9C8D4700     mov edx, 00478D9C
:004785F0 E837B7F8FF     call 00403D2C
:004785F5 EB0D           jmp 00478604

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00478576(C), :0047859F(C)                           <- two of the bad jumps land here; the good path eventually gets here too
|
:00478614 33C0           xor eax, eax
:00478616 5A             pop edx
:00478617 59             pop ecx
:00478618 59             pop ecx
:00478619 648910         mov dword ptr fs:[eax], edx
:0047861C EB0A           jmp 00478628                <- jump to below

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004784D1(C), :0047861C(U)                           <- from the first bad jump (no keyfile) and from the block above
|
:00478628 8B45FC         mov eax, dword ptr [ebp-04]
:0047862B 80B8AF06000000 cmp byte ptr [eax+000006AF], 00
:00478632 0F8487000000   je 004786BF                 <- taken if all went well. You can force this jump and ignore everything above, but you won't be registered; it only removes the nag
:00478638 A1902F5A00     mov eax, dword ptr [005A2F90]
:0047863D 8B80E0020000   mov eax, dword ptr [eax+000002E0]
* Possible StringData Ref from Code Obj ->"DLSuperCBT 30 Day Trial Version"     <- bad
So the license file will probably look like the old one, but note the exact key names the program reads: PgmId and UserId (the old tutorial spelled them PrgID and UserID), under the name DLSupCBT. The three names are handed to the reads at 0047854D and 004785BB as section, key and default value, which is the Delphi TIniFile.ReadString calling pattern, so a plain INI section is the most likely layout (this is inferred from the listing, not something the author documents):

[DLSupCBT]
PgmId=
UserId=

If that is not picked up, fall back to the old tutorial's bare layout: a DLSupCBT line followed by the UserId= and PgmId= lines.

One more thing worth knowing before you patch: the value PgmId is checked against is a 7-byte constant loaded from 004813A0 (mov edx, 004813A0 / mov ecx, 7 at 00478582) and string-compared at 0047859A. W32Dasm shows no string reference for it because it is not a zero-terminated string, so if you want a keyfile that passes without patching, read those 7 bytes in Hiew and put them after PgmId=. Whether that alone also satisfies the count check at 00478576 is not settled by this listing; the patch below sidesteps both checks.
OK, to make this cracked we just need to change the following three jumps. Each one is replaced by exactly as many NOPs as it had bytes (6 for the two near jumps, 2 for the short jne) so nothing after it shifts. The file offsets are VA minus 400C00 for this build; check in Hiew that the original bytes really are at those offsets before overwriting, because another build of the program will have them somewhere else.

Change this:
:004784D1 0F8451010000 je 00478628       (offset 778d1)
To this:
:004784D1 909090909090 nop x6

Change this:
:00478576 0F8598000000 jne 00478614      (offset 77976)
To this:
:00478576 909090909090 nop x6

Change this:
:0047859F 7573 jne 00478614              (offset 7799f)
To this:
:0047859F 9090 nop x2
OK, program cracked. Now just make a license file, put your name under UserId and leave PgmId blank. Since it no longer takes the bad jumps, it will store your UserId as the registered owner. This doesn't have to be done, but it makes it more authentic; if you don't do it, it will just be registered to nobody.
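Here is an added example, not code from the tutorial or from DLSuperCBT's author, that applies the three byte patches above from a script instead of typing them into Hiew. It takes the VAs and original bytes from the listing, assumes an unpacked PE32 image with ImageBase 400000, reads the VA-to-file-offset mapping from the PE section table instead of hard-coding the 400C00 difference, and refuses to write unless the original jump bytes are really there. The fake target it builds for itself is constructed for the demonstration only; its single section reproduces the offset relation the tutorial's (VA, offset) pairs imply, so running it against that fake confirms the offsets 778d1, 77976 and 7799f.

```python
"""Script the three byte patches from this tutorial instead of typing them in Hiew.
Added example; not code from the tutorial or from DLSuperCBT's author. Patch VAs and
original bytes come from the listing above. Assumed: an unpacked PE32 image with
ImageBase 0x400000 (as the tutorial's VA/offset pairs imply)."""
import struct

# (virtual address, bytes the listing shows there). Each jump becomes the same
# number of NOPs, so everything after it keeps its address.
PATCHES = [
    (0x004784D1, bytes.fromhex("0F8451010000")),  # je  00478628: no .lic -> trial
    (0x00478576, bytes.fromhex("0F8598000000")),  # jne 00478614: helper-object check
    (0x0047859F, bytes.fromhex("7573")),          # jne 00478614: PgmId compare
]


def _pe_header(data):
    """Offset of the PE signature; raises if this is not a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return pe


def image_base(data):
    """ImageBase from the PE32 optional header (the target is 32-bit)."""
    pe = _pe_header(data)
    if struct.unpack_from("<H", data, pe + 24)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    return struct.unpack_from("<I", data, pe + 24 + 28)[0]


def pe_sections(data):
    """List of (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)."""
    pe = _pe_header(data)
    count = struct.unpack_from("<H", data, pe + 6)[0]
    table = pe + 24 + struct.unpack_from("<H", data, pe + 20)[0]
    out = []
    for i in range(count):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, table + 40 * i + 8)
        out.append((vaddr, vsize, rptr, rsize))
    return out


def va_to_offset(data, va):
    """Map a VA to a file offset through the section table (no fixed delta)."""
    rva = va - image_base(data)
    for vaddr, vsize, rptr, rsize in pe_sections(data):
        if vaddr <= rva < vaddr + max(vsize, rsize):
            if rva - vaddr >= rsize:
                raise ValueError("VA %#x is not backed by file data" % va)
            return rptr + (rva - vaddr)
    raise ValueError("VA %#x is outside every section" % va)


def apply_patches(data, patches=PATCHES):
    """NOP out each jump after verifying the original bytes are really there.
    Returns (patched_bytes, [file offsets written]); a mismatch raises instead."""
    out = bytearray(data)
    offsets = []
    for va, expected in patches:
        off = va_to_offset(out, va)
        found = bytes(out[off:off + len(expected)])
        if found != expected:
            raise ValueError("VA %#x (offset %#x): expected %s, found %s"
                             % (va, off, expected.hex(), found.hex()))
        out[off:off + len(expected)] = b"\x90" * len(expected)
        offsets.append(off)
    return bytes(out), offsets


def build_fake_target():
    """Constructed stand-in for DLSUPERCBT.EXE, NOT the real file: a PE32 with one
    CODE section mapped so that offset == VA - 0x400C00 (the relation the
    tutorial's three VA/offset pairs imply), with the original jumps in place."""
    img = bytearray(0x80000)
    img[0:2] = b"MZ"
    pe = 0x80
    struct.pack_into("<I", img, 0x3C, pe)
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HH", img, pe + 4, 0x14C, 1)        # i386, one section
    struct.pack_into("<H", img, pe + 20, 0xE0)            # PE32 optional header size
    struct.pack_into("<H", img, pe + 24, 0x10B)           # PE32 magic
    struct.pack_into("<I", img, pe + 24 + 28, 0x400000)   # ImageBase
    sec = pe + 24 + 0xE0
    img[sec:sec + 8] = b"CODE\0\0\0\0"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", img, sec + 8, 0x7F000, 0x1000, 0x7F000, 0x400)
    for va, original in PATCHES:
        off = va - 0x400C00
        img[off:off + len(original)] = original
    return bytes(img)


if __name__ == "__main__":
    import sys
    # python patch_dlsupercbt.py DLSUPERCBT.EXE DLSUPERCBT.patched.EXE  (assumed names)
    with open(sys.argv[1], "rb") as f:
        patched, where = apply_patches(f.read())
    with open(sys.argv[2], "wb") as f:
        f.write(patched)
    print("patched at file offsets:", ", ".join("%#x" % o for o in where))
```

Run it against your backup copy, never the only copy. If it raises on the first patch, you have a different build of the program; go back to W32Dasm and find the new addresses rather than forcing the write, since NOPs at the wrong offset will corrupt whatever instruction happens to live there.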
Final thoughts
One day, when I have time, I will make a more detailed explanation of how his coding system works. Other than that, grab this great program from: http://www.dlsuperc.com
To set up what you like
against what you dislike -- this is the disease of the mind.
- Seng-T'San.
Laterz!
Greetings
Groups:
FWA, NWA, FTPiRatEz! HAR! BEASTFXP!, KANAL23
Individuals:
MiNioN, GreycZ & his cuppy, KlutCh, KiNgEr, MidNight, Edogg, Neoman, movax4c00int21, Acid_Cool_178, and all those tuts I read from everyone who writes them.
CopyLeft:
sLeEpY¿
[all rights reversed]
Boredom causes crackers and babies.
Visit http://zor.org/sleepy &
http://www.bright.net/~testsubject001
Mail sleepy@linuxwaves.com
This document is copyrighted by Kanal23 and its members. Please mail the author of this document for complaints and those things.
Kanal23 is signing out for now.