Software Reverse Engineering - Tech Facts 95 v1.30 - Enter Any Registration
Copyright (c) 1998 Volatility
Document Courtesy of The Immortal Descendants - http://pages.prodigy.net/volatility

	Well, here's my first, of hopefully a long line of software reverse engineering
(cracking) tutorials.  This program was one of the first I cracked, because I was told
that it was VERY simple, and as you'll see, it is.

	I'll be adding essays on the basics, fundamentals, tools needed, etc., for 
reverse engineering as time permits, but I personally think the best way to learn is to
jump right in, and learn "hands on".

	This crack isn't to find a serial number, or a registration code, we'll make the
program "think" we registered it.

---------------------------------------------------------------------------------------------
Target:  Tech Facts 95 v1.30 (tekfct95.zip) - 528,974 bytes.  Download this at:

	   ftp://ftp.zdnet.nis.newscorp.com/pcpro/08_97/tekfct95.zip

Tools Needed:  	WDASM - recommended (or disassembler of your choice)
		HIEW - recommended (or hex editor of your choice)
		PMTK - recommended (or patcher of your choice)
---------------------------------------------------------------------------------------------

Prepare To Crack:

	Unzip Tech Facts 95, and run it.  Pay close attention to what kind of protections(s)
you're dealing with.  Make notes of what the "Nag" and "Registration" screens say (trust me,
you'll need this info later).  If you go to the option "Help" then "About", you'll see that 
this window lists the string "Unregistered Version".  You'll also see a "Use Reg Key" button.
  If you click it, a window will pop up with the caption "Tech Facts 95 Registration", and
three text inputs:  "First Name", "Last Name" and "Registration Key".  Go ahead and enter 
some test data, and click the "Register" button.  A message box will pop up telling you that
your registration key failed.  These little exercises are essential to determining what kind(s)
of protection(s) you're dealing with.  Now we've found some strings to search for (you wrote
them down, right?).

Starting The Crack:

	The first thing you need to do, is get a "Dead Listing" of the program, the term "Dead
Listing" comes from the fact that we want ALL the code disassembled, and on the screen.  We'll
need this to search for our strings.  To do this, run Wdasm (or your favourite disassembler),
and choose "Disassembler" then "File to Disassemble"  then choose tekfct95.exe.  Go out and
have a cigarette, or sip a cold one, because it'll take a bit.

	When Wdasm finishes, search for your strings you wrote down (use the "Refs" option to
simplify your search).  Find the string "unregistered", and double-click on it.  This
will take you to the reference in your listing.  If you don't know much about assembly 
language, I'll try to comment the code parts as best I can... I still have MUCH to learn
myself.  You may also see a few minor differences, but the code, for the most part, will be
the same as mine:

---------------------------------------------------------------------------------------------
:004805F9 803D1AF34C0000          cmp byte ptr [004CF31A], 00      <is there a zero in memory at location F31A?
:00480600 7422                    je 00480624                      <if there is, jump to 624
:00480602 B201                    mov dl, 01                       <otherwise, load 1 into the dl register
:00480604 8B83C4010000            mov eax, dword ptr [ebx+01C4]    <load the address ebx+01C4 into eax
:0048060A E84567F9FF              call 00416D54                    <call the subroutine at 16D54

* Possible StringData Ref from Code Obj ->"<Unregistered Version>"
                                  |
:0048060F BA18074800              mov edx, 00480718                <go to string "<Unregsitered Version>"
:00480614 8B83E0010000            mov eax, dword ptr [ebx+01E0]    <load the address ebx+01E0 into eax
:0048061A E80968F9FF              call 00416E28                    <call the subroutine at 16E28
:0048061F E9C7000000              jmp 004806EB                     <jump without executing the following:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00480600(C)
|
:00480624 33D2                    xor edx, edx                     <load a zero into dx
:00480626 8B83C4010000            mov eax, dword ptr [ebx+01C4]    <load the address ebx+01C4 into eax
:0048062C E82367F9FF              call 00416D54                    <call the subroutine at 16D54

* Possible StringData Ref from Code Obj ->"Licensed Version. Do Not Copy!"
                                  |
:00480631 BA38074800              mov edx, 00480738                <go to string "Licensed Version. Do Not Copy!"
:00480636 8B83E0010000            mov eax, dword ptr [ebx+01E0]    <load the address ebx+01E0 into eax
:0048063C E8E767F9FF              call 00416E28                    <call the subroutine at 16E28
---------------------------------------------------------------------------------------------

	This piece of coding basically tells us everything we need to know.  We now know that
the CMP (compare) instruction is the key to the entire protection.  We know that the code  
either loads a 1, for "Unregistered Version", or a 0 for "Licensed Version".  This is all
dependant on what memory location [004CF31A] holds.

	If you do a search for more instances of location [004CF31A], you'll find it in 
several more locations, all dealing with registration routines.  Stop when you get to the 
following piece of code:

---------------------------------------------------------------------------------------------
:0047BA54 B898BB4700              mov eax, 0047BB98                <your registration is accepted
:0047BA59 E83EBEFBFF		  call 0043789C                    <call functions we don't care about
:0047BA5E C6051AF34C0000          mov byte ptr [004CF31A], 00      <get a zero
:0047BA65 EB11                    jmp 0047BA78                     <go ahead
---------------------------------------------------------------------------------------------

	And if you search some more, you'll find the following:

---------------------------------------------------------------------------------------------
:004CBB67 E834F7FAFF              call 0047B2A0                    <finish the subroutine
:004CBB6C 84C0                    test al, al                      <and check the returned value
:004CBB6E 7509                    jnz 004CBB79                     <proceed if value is zero
:004CBB70 C6051AF34C0001          mov byte ptr [004CF31A],01       <otherwise one for "non-registered"
:004CBB77 EB07                    jmp 004CBB80                     <leave
:004CBB79 C6051AF34C0000          mov byte ptr [004CF31A], 00      <zero for "registered"
---------------------------------------------------------------------------------------------

	You can see that the location is set three different times, two times with zero 
(0047BA5E and 004CBB79), and once with 1 (004CBB70).  Since zero means the program is 
registered, and 1 means not registered, we'll only have to patch the code in one
location: 

---------------------------------------------------------------------------------------------
:004CBB70 C6051AF34C0001          mov byte ptr [004CF31A],01
---------------------------------------------------------------------------------------------

	You'll need to change this to:

:004CBB70 C6051AF34C0000          mov byte ptr [004CF31A],00

---------------------------------------------------------------------------------------------
Making the Crack:
---------------------------------------------------------------------------------------------

Make a copy of tekfct95.exe, and copy it to a different directory
Open tekfct95.exe with HIEW ( c:\whatever\hiew c:\wherever\tekfct95.exe )
Press F4 to go to hex view
Press F7 to search
Enter your search string: C6051AF34C0001
Press enter
Press F3 to edit the code
Change 01 to 00
Press F9 to update
Press F10 to quit
Rename your patched program tekfct95.bak
Move your other copy of tekfct95.exe into the same directory as tekfct95.bak

---------------------------------------------------------------------------------------------
Making a Patcher
---------------------------------------------------------------------------------------------

Make sure your patched program, and your backup are in the same directory
Make the patcher with PMTK (c:\whatever\pmtk tekfct95.exe tekfct95.bak
Save your patch as binary, asm or com file (com file for an executable)
Name your patch file (tekfct95.com for mine)
Insert a logo if you want
You're finished! You now have a patcher for tekfct95.exe


-Volatility-