Cracking "CDValet v 3.31"

Date         : July 13, 1999
Author       : +ViPeR+ [E]bola [V]irus [C]rew
Program Name : CDValet v 3.31
Location     : http://www.ghlsoftware.com/
Method       : Use the registration code to generate the user name and do the compare.

-------------------------------------------------------------------------------

In order to save some paragraphs, I suggest you enter the following info in the
registration window.

Name : evc_viper
Code : dbdbd-dbdbd-dbdbd-dbdbd

Set 'bpx getdlgitemtexta' in Soft-Ice. 'x' one time, 'F11' one time and you
will land at 00411063.

:00411063 B220                    mov dl, 20                              ; <-- 20 is the hex code for space
:00411065 3854240C                cmp byte ptr [esp+0C], dl
:00411069 0F8EF1000000            jle 00411160
:0041106F 8D7C240C                lea edi, dword ptr [esp+0C]
:00411073 83C9FF                  or ecx, FFFFFFFF
:00411076 33C0                    xor eax, eax
:00411078 F2                      repnz
:00411079 AE                      scasb
:0041107A F7D1                    not ecx
:0041107C 49                      dec ecx
:0041107D 38540C0B                cmp byte ptr [esp+ecx+0B], dl
:00411081 0F8ED9000000            jle 00411160
:00411087 3894240C010000          cmp byte ptr [esp+0000010C], dl
:0041108E 0F8ECC000000            jle 00411160
:00411094 8DBC240C010000          lea edi, dword ptr [esp+0000010C]
:0041109B 83C9FF                  or ecx, FFFFFFFF
:0041109E 33C0                    xor eax, eax
:004110A0 F2                      repnz
:004110A1 AE                      scasb
:004110A2 F7D1                    not ecx
:004110A4 49                      dec ecx
:004110A5 38940C0B010000          cmp byte ptr [esp+ecx+0000010B], dl
:004110AC 0F8EAE000000            jle 00411160
:004110B2 8D84240C010000          lea eax, dword ptr [esp+0000010C]
:004110B9 8D4C240C                lea ecx, dword ptr [esp+0C]
:004110BD 50                      push eax                                ; <-- fake reg. code
:004110BE 51                      push ecx                                ; <-- user name
:004110BF E8CC000000              call 00411190                           ; <-- need to trace in
:004110C4 83C408                  add esp, 00000008
:004110C7 A3E4AF4200              mov dword ptr [0042AFE4], eax
:004110CC 85C0                    test eax, eax
:004110CE 747F                    je 0041114F                             ; <-- if eax==0, display the
                                                                          ;     bad cracker messagebox.

Basically, the code above just checks whether the name or the registration code
contains a space and deletes it if so.
If you 'F10' the call at 004110BF, you will see the bad cracker message box coz
EAX=00000000. So, let's trace inside 'call 00411190'.

:00411190 81EC18010000            sub esp, 00000118
:00411196 83C9FF                  or ecx, FFFFFFFF
:00411199 33C0                    xor eax, eax
:0041119B 8D542418                lea edx, dword ptr [esp+18]
:0041119F 56                      push esi
:004111A0 57                      push edi
:004111A1 8BBC2424010000          mov edi, dword ptr [esp+00000124]       ; <-- name
:004111A8 F2                      repnz
:004111A9 AE                      scasb
:004111AA F7D1                    not ecx
:004111AC 2BF9                    sub edi, ecx
:004111AE 8BC1                    mov eax, ecx
:004111B0 8BF7                    mov esi, edi
:004111B2 8BFA                    mov edi, edx
:004111B4 C1E902                  shr ecx, 02
:004111B7 F3                      repz
:004111B8 A5                      movsd
:004111B9 8BC8                    mov ecx, eax
:004111BB 33C0                    xor eax, eax
:004111BD 83E103                  and ecx, 00000003
:004111C0 F3                      repz
:004111C1 A4                      movsb
:004111C2 8D7C2420                lea edi, dword ptr [esp+20]             ; <-- name
:004111C6 83C9FF                  or ecx, FFFFFFFF
:004111C9 F2                      repnz
:004111CA AE                      scasb
:004111CB F7D1                    not ecx
:004111CD 49                      dec ecx                                 ; <-- ECX=length of name
:004111CE 33F6                    xor esi, esi
:004111D0 8BF9                    mov edi, ecx
:004111D2 85FF                    test edi, edi
:004111D4 7E17                    jle 004111ED

Keep 'F10'. The following block of code upper-cases your name.

:004111D6 0FBE4C3420              movsx ecx, byte ptr [esp+esi+20]
:004111DB 51                      push ecx
:004111DC E87F3F0000              call 00415160
:004111E1 83C404                  add esp, 00000004
:004111E4 88443420                mov byte ptr [esp+esi+20], al
:004111E8 46                      inc esi
:004111E9 3BF7                    cmp esi, edi
:004111EB 7CE9                    jl 004111D6

Now, your name is upper-cased. Keep going (F10).

:004111ED 8B842428010000          mov eax, dword ptr [esp+00000128]
:004111F4 8D542408                lea edx, dword ptr [esp+08]
:004111F8 52                      push edx                                ; <-- EDX points to some memory
                                                                          ;     address. Type 'd edx'
                                                                          ;     RIGHT NOW
:004111F9 50                      push eax                                ; <-- EAX points to your fake
                                                                          ;     registration code.

Stop right here. Did you type 'd edx' as I said? If not, repeat all the above
steps from the beginning. Let me repeat it again: type 'd edx' right now. You
won't see anything meaningful in your data window at this moment. 'F10' the
following line.
:004111FA E861040000              call 00411660

Now, the (kind of) registration code SHOWS UP in the data window. BUT, don't
feel too happy right now. Why??? you might ask. Well, do you remember that your
name has been UPPER-CASED? Sure, ViPeR. So what??? Ok, let me tell you
something about the protection scheme of this program.

->> THIS PROGRAM USES THE REGISTRATION CODE YOU ENTERED TO GENERATE THE USER
    NAME.

Hey, this is the first time that I see a protection scheme like that. I'll
say: Cool, dude. Wait a minute, ViPeR. You still haven't told us why we can
not use the generated name and enter it to register!!! Read on, kid. 'F10'
still.

:004111FF 83C408                  add esp, 00000008
:00411202 85C0                    test eax, eax                           ; EAX=00000001, so we jump
                                                                          ; to 41120F
:00411204 7509                    jne 0041120F
:00411206 5F                      pop edi
:00411207 5E                      pop esi
:00411208 81C418010000            add esp, 00000118
:0041120E C3                      ret

We are here now.

:0041120F 8D7C2408                lea edi, dword ptr [esp+08]             ; EDI points to the (kind of)
                                                                          ; real reg. code
:00411213 83C9FF                  or ecx, FFFFFFFF
:00411216 33C0                    xor eax, eax
:00411218 8D742420                lea esi, dword ptr [esp+20]             ; ESI points to the name you
                                                                          ; entered, upper-cased.
:0041121C F2                      repnz
:0041121D AE                      scasb
:0041121E F7D1                    not ecx
:00411220 49                      dec ecx
:00411221 8D7C2408                lea edi, dword ptr [esp+08]
:00411225 33D2                    xor edx, edx
:00411227 F3                      repz                                    ; <-- compare the upper-cased name
                                                                          ;     with the generated name.
:00411228 A6                      cmpsb
:00411229 8BC2                    mov eax, edx
:0041122B 5F                      pop edi
:0041122C 0F94C0                  sete al                                 ; set AL=01 if they are the same
:0041122F 5E                      pop esi
:00411230 81C418010000            add esp, 00000118
:00411236 C3                      ret

Ok, it's time to think. By using dbdbd-dbdbd-dbdbd-dbdbd as the registration
code, it generates 'AGSKcAGSKcAGSKcAGS' as the name and compares it with
'EVC_VIPER'. COMPARE IT WITH 'EVC_VIPER'???
But the generated name contains a lower-case letter, so even if you enter
'AGSKcAGSKcAGSKcAGS' as the name, this name will eventually be converted to
'AGSKCAGSKCAGSKCAGS' and compared with 'AGSKcAGSKcAGSKcAGS', coz
'AGSKcAGSKcAGSKcAGS' is generated from the registration code and you have no
way to modify it. You got what I am saying? Good.

So, in order to register this program, we need to obtain an ALL upper-cased
name. How? I played around a little bit and used the following as the
registration code: 'dbdbD-bdBDB-bdbdb-bdbdb' and got 'AGEAAELEK' as the name.
After I entered them, the 'Successful Registration' messagebox showed up.

What a cool way to protect a program, I'll say.

Final Note: none.

Ob Duh

Do I really have to remind you all that by buying and NOT stealing the
software you use, you will ensure that these software houses will continue to
produce even *better* software for us to use and, more importantly, to
continue offering even more challenges to breaking their often weak protection
systems.

+ViPeR+ [E]bola [V]irus [C]rew
July 13, 1999
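The check traced above (the toupper loop at 004111D6 and the repz cmpsb at 00411227), emulated in C as an added example that is not part of the original tutorial. The generator at 00411660 is not shown in the trace, so the generated string is passed in as a parameter; the sample values are the ones the trace reports.

```c
/* Added example: C emulation of the visible part of routine 00411190.
 * The real generator (call 00411660) is not on the page, so its output
 * is supplied by the caller. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 004111D6..004111EB: each byte of the name is passed through
 * call 00415160 (toupper) and written back in place. */
static void uppercase_name(char *name)
{
    size_t len = strlen(name);          /* repnz scasb / not ecx / dec ecx */
    for (size_t i = 0; i < len; i++)    /* inc esi; cmp esi, edi; jl */
        name[i] = (char)toupper((unsigned char)name[i]);
}

/* 0041120F..0041122C: ECX = strlen(generated), repz cmpsb compares that many
 * bytes of the upper-cased name against it, sete al turns the final ZF into
 * the return value. A NUL in the name mismatches a non-NUL generated byte,
 * so the loop stops there without reading past the name. */
static int repz_cmpsb_equal(const char *name, const char *generated)
{
    size_t ecx = strlen(generated);     /* count comes from the generated side */
    for (size_t i = 0; i < ecx; i++)
        if (name[i] != generated[i])    /* ZF=0 -> AL=0 */
            return 0;
    return 1;                           /* ZF=1 after the last cmpsb -> AL=1 */
}

/* 1 means the 'Successful Registration' box, 0 the bad cracker box. */
int check_registration(const char *entered_name, const char *generated)
{
    char name[0x100];                   /* the routine's own stack copy */
    strncpy(name, entered_name, sizeof name - 1);
    name[sizeof name - 1] = '\0';
    uppercase_name(name);
    return repz_cmpsb_equal(name, generated);
}

int main(void)
{
    /* Values observed in the trace: dbdbd-dbdbd-dbdbd-dbdbd generates
     * 'AGSKcAGSKcAGSKcAGS'; dbdbD-bdBDB-bdbdb-bdbdb generates 'AGEAAELEK'. */
    printf("%d\n", check_registration("evc_viper", "AGSKcAGSKcAGSKcAGS"));          /* 0 */
    printf("%d\n", check_registration("AGSKcAGSKcAGSKcAGS", "AGSKcAGSKcAGSKcAGS")); /* 0: 'c' is upper-cased away */
    printf("%d\n", check_registration("AGEAAELEK", "AGEAAELEK"));                   /* 1 */
    return 0;
}
```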