Reverse Code Engineering - CheckMail 32 v1.65
Patch To Enter Any Registration
Author: Volatility

Please Read The Disclaimer Before Continuing. 

Target  CheckMail 32 v1.65 - (chkml32.zip) - 263,533 bytes 
Location  http://datastod.simplenet.com/CheckMail32/chkml32.zip 
Protection(s)  User Name/Serial Number 
Tools Needed  Wdasm - Recommended 
HIEW - Or Hex Editor Of Your Choice 
Level  (X) Beginner ( ) Intermediate ( ) Advanced ( ) Expert 

Prepare To Crack: 

Run the program (chkml32.exe) and click "yes" on all the message boxes to get to the program. Once there, click "Ok", and on the next screen click on "Close". To get to the registration screen, right click on the icon in your taskbar, and choose "Registration info". Enter some test data, and click ok. You'll get the error message "You have entered an invalid registration number!  

Fire up Wdasm, and disassemble the program - "Disassembler", "Open file to disassemble", then choose "chkml32.exe". Once the program is disassembled, open the SDR (String Data References) window ("Refs", "Sring Data References) to search for our error string. When you find it, double-click on it, and you'll land here: 
  
* Possible StringData Ref from Code Obj ->"You have entered an invalid registration "
                                                                  ->"number!"
                                                     |
:0043A1A4 B820A34300              mov eax, 0043A320
:0043A1A9 E89E46FFFF              call 0042E84C
:0043A1AE 33DB                    xor ebx, ebx

Right above this code, you'll see the following jump: 
  
:0043A1A2 740C                    je 0043A1B0

Making The Crack:  

If you follow the jump, you'll see it lands at a compare, followed by another jump. Let's patch this line to see what happens. Highlight the line and get the offset from below. Should be 000395A2h (395A2). 

1. If you haven't already, create a copy of the program in a different directory. 
2. Open the program with HIEW ( c:\whatever\hiew c:\whatever\chkml32.ex ). 
3. Press F4 to get to hex view. 
4. Press F5 to search. 
5. Enter your search string: 395A2. 
6. Press F2 to get to code view. 
7. Press F3 to edit. 
8. Press F2 to enter the information. 
9. Change "je" to "jne". 
10. Press F9 to save. 
11. Press F10 to exit. 

Now let's run the program and see what happens. It says we're registered, but we know it's just tricking us. Close the program and restart it, and you'll get the error "Your registration code is invalid....". Click "Ok" twice, and the program will close on it's own. Let's search for this new error message. Open the SDR window again, and you'll find the string way at the bottom. Double-click on it, and you'll land here: 
  
* Possible StringData Ref from Code Obj ->"Your registration code is invalid. "
                                           ->"If you haven't received a new "
                                           ->"one already, please contact CheckMail "
                                           ->"support (checkmail@bigfoot.com)."
                                                      |
:0044B798 B870BA4400                       mov eax, 0044BA70

Right above this code is another jump at the following line: 
  
:0044B796 746B                    je 0044B803

Let's patch this line and see what happens. Highlight the line and get the offset from below. Should be 0004AB96h (4AB96). 

1. Open the program with HIEW ( c:\whatever\hiew c:\whatever\chkml32.ex ). 
2. Press F4 to get to hex view. 
3. Press F5 to search. 
4. Enter your search string: 4AB96. 
5. Press F2 to get to code view. 
6. Press F3 to edit. 
7. Press F2 to enter the information. 
8. Change "je" to "jne". 
9. Press F9 to save. 
10. Press F10 to exit. 

Now let's run the program to see what happens. No error message, that's good... but where's the program? It's still shutting itself down. Let's follow the jump from the line we just patched. You should be at the following line: 
  
:0044B803 8D45FC                  lea eax, dword ptr [ebp-04]

Scroll down a little further, and you'll see the following jump (getting sick of 'em yet?): 
  
:0044B836 740C                    je 0044B844

Look just a few lines below, and you'll see an XOR and a MOV. Could this be the final jump we need to patch? Let's find out. Highlight the line and get the offset from the window below. Should be 0004AC36h (4AC36). 

1. Open the program with HIEW ( c:\whatever\hiew c:\whatever\chkml32.exe ). 
2. Press F4 to get to hex view. 
3. Press F5 to search. 
4. Enter your search string: 4AC36. 
5. Press F2 to get to code view. 
6. Press F3 to edit. 
7. Press F2 to enter the information. 
8. Change "je" to "jne". 
9. Press F9 to save. 
10. Press F10 to exit. 

Let's run the program again. Hmm... looks good so far. Right click on the icon in your taskbar. If you didn't notice the bold "Order Now!" before, it's gone now. Excellent! Just for good measure, let's go to "Registration Info" and click ok. Registered! Job done. 

*** Disclaimer ***

This Essay Is For Knowledge Purposes Only. Neither We, Our ISP, Nor Any Persons Mentioned Shall Be Held Liable For Any Damages Improper Usage May Cause To Your Machine. 

If You Successfully Crack A Program, You Must Delete It Immediately. If You Want To Keep The Program, Please BUY It! Support Shareware, This Is Our Learning Tool! 

It Is Illegal To Continue To Use Cracked/Patched Software.

Copyright © 1998 Volatility And The Immortal Descendants. All Rights Reserved.