How to crack Teleport Pro by ?ferret



Skill Level: Newbie
Attack Plan: Serial Fishing
Target: Teleport Pro v1.29 build 1107
(Available @ www.tenmax.com\teleport\pro\download.htm)


Tools Needed: Softice, W32Dasm




OK...First things first....Fire up the proggy & go through the reg routine to see what happens.

What? You didn't get lucky and guess a correct serial? Oh well, I guess we'll have to crack it :-)

Make a note of the bad reg # message. ("We're Sorry! The registration number....")

Notice that when you click "OK", it goes back to the reg screen & your data is still in the text boxes. (A sure sign of a weak protection)

Now, this isn't always the easiest way to do this, but in this case it is very simple to trace back in W32Dasm. So, fire up W32Dasm and disassemble the pro.exe file. Search for the text from your bad reg message. You should see...


Make a note of the beginning code location. Just for grins, let's search for "Thank You". There are several....the 3rd occurrence says the proggy is now registered...hmm...I guess that's the one we want to try to get to huh?




Now back to the error reference... hmmm...referenced by a conditional jump @ 004256D7? Let's see what gets us to the error message. Click on "Goto code location". Enter 4256d7 and hit .

Bummer....nothing suspicious here, but this section is also referenced by a conditional jump, so, once again, let's see how we got here. Goto code location 425691.

Well, here we have a compare statement, BUT, the "Thank You" message is right ABOVE this section of code. So, let's check out the location of the conditional jump that got us here (logically [but not definitely] the reg check will be B4 the "Thank You" message in the code). So, goto code location 42564c.

Eureka! I do believe we've found it! Write down the code location of the line B4 the CMP statement. (i.e. 425643) (which BTW, is PROBABLY the call to the routine that calculates the serial number if you're interested in trying a keygen)

Shut down W32Dasm, load Softice (if you haven't already), fire up Teleport Pro and set a Bpx (Break Point on eXecute) on CS:425643.

NOTE: The number of the Code Segment (CS:) can be found in the register window at the top of Softice. It will usually be the same for all programs you run (but not always), but the # will differ from computer to computer.

(or, break on GetWindowTextA and step thru using F10 [F10 is used to step through the program line by line, stepping over calls, thereby keeping you in the routine that you are currently in] [F8 would step into the calls, allowing you to trace subroutines] until you get to address CS:425643.)

Try to reg the program.....Sice breaks.

If you do a ? EAX now you'll see your bogus serial in the command window.
After the serial calculation, it is accessible through a dword pointer (EBP-18).

F10 to the next line (425648)
Do a d *(EBP-18) or dd *(EBP-18) to show the contents of the address referred to by the pointer. Your bogus #?
What do you suppose it will get compared to? :-)

Do a ? EAX & write down the number shown in the command window.

BC * to clear BP's, CTRL-D out of Sice and enter the number you wrote down.......VOILA!!! You are now regged! Congratulations!
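
Seen from the vendor's side, the weak spot in this protection is that the program itself calculates the accepted serial and keeps it in memory for a plain compare against the user's input. The Python below is an added example, not part of the original tutorial and not Teleport Pro's code; it puts that pattern next to a check where the client can only verify a vendor-signed license. Assumptions: every function name, the salt, the name-derived serial and the toy unpadded RSA numbers are constructed for illustration; a real product would use a vetted signature library and full-size keys.

```python
import hashlib

# Constructed toy RSA parameters (two Mersenne primes): far too small and too
# structured for real use, chosen only so the example runs with the stdlib.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
# Private exponent. In a real deployment this exists only on the vendor's
# side and is never shipped; it is in this file only to make the demo run.
_D = pow(E, -1, (P - 1) * (Q - 1))


def _digest(name: str) -> int:
    """Hash the licensee name to an integer below N."""
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big") % N


def weak_expected_serial(name: str) -> str:
    """Hypothetical serial routine, standing in for the one the tutorial located."""
    return hashlib.sha256(b"app-salt" + name.encode()).hexdigest()[:12]


def weak_check(name: str, entered: str) -> bool:
    # Weak: the client derives the one accepted value itself, so that value
    # sits in process memory beside the user's input at the compare.
    expected = weak_expected_serial(name)
    return entered == expected


def vendor_issue_license(name: str) -> int:
    """Vendor side only: sign the licensee name with the private exponent."""
    return pow(_digest(name), _D, N)


def hardened_check(name: str, license_sig: int) -> bool:
    # Hardened: the client ships only the public key (N, E). It can verify a
    # license but holds no routine or secret that produces an accepted value.
    if not 0 < license_sig < N:
        return False
    return pow(license_sig, E, N) == _digest(name)
```

A signature check does not stop someone from patching the conditional jump itself; it only removes the accepted value from the client.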









GREETZ & THANX to all of the people who've helped me @ the Newbies Forum. (I'm too damn lazy to type all the names ;-))