Cracking "CheckPOP Standard v 1.53"

Date         : July 7, 1999
Author       : +ViPeR+ [E]bola [V]irus [C]rew
Program Name : CheckPOP Standard v 1.53
Location     : http://www.n-systems.com/download.html
Method       : ECHO <>

-------------------------------------------------------------------------------

Let's get down to business right away. You all know the drill. After entering your registration code, go into Soft-Ice, set a breakpoint by typing 'bpx hmemcpy' and leave Soft-Ice. Press 'OK' and you will be back in Soft-Ice. F11 one time and F12 9 times, then F10 until you reach 0040B3CC (i.e. just after the call to GetDlgItemInt; hey, we set the breakpoint using hmemcpy). F10 a few more times until the line at 0040B3D7 is highlighted.

* Reference To: USER32.GetDlgItemInt, Ord:00F4h
|
:0040B3C6 FF1504354200     Call dword ptr [00423504]
:0040B3CC 50               push eax
:0040B3CD B9300C4200       mov ecx, 00420C30
:0040B3D2 E893BBFFFF       call 00406F6A
:0040B3D7 E823010000       call 0040B4FF           ; <-- PLEASE WAIT HERE
:0040B3DC 83F801           cmp eax, 00000001
:0040B3DF 7521             jne 0040B402
:0040B3E1 6A40             push 00000040

Some explanation here: after the call at 0040B3D7, if eax does not equal 1, you are a bad cracker. Otherwise, the program is registered. You can see this by checking the code right after it (I list it below). I don't like to patch programs. I want to find the correct registration code. So, let's move on. Let's trace inside the call at 0040B3D7 (are you still waiting?). F8 into the call at 0040B3D7.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
If eax=1, you are registered.

* Possible StringData Ref from Data Obj ->"CheckPOP"
|
:0040B3E3 6818C94100       push 0041C918

* Possible StringData Ref from Data Obj ->"Software registered. Thank you "
                                        ->"for registering!"
|
:0040B3E8 68A0D14100       push 0041D1A0
:0040B3ED 56               push esi
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Let's hit the HOT spot ^_~
---------------------------

Ok, now we are inside. F10 until you reach 0040B5A7.

:0040B4FF B8D69F4100       mov eax, 00419FD6
:0040B504 E8A7300000       call 0040E5B0
:0040B509 B820120000       mov eax, 00001220
:0040B50E E82D440000       call 0040F940
:0040B513 56               push esi
:0040B514 6A06             push 00000006
:0040B516 6A0C             push 0000000C
:0040B518 8D8DDCFEFFFF     lea ecx, dword ptr [ebp+FFFFFEDC]
:0040B51E 33F6             xor esi, esi
:0040B520 E8A20C0000       call 0040C1C7
:0040B525 2175FC           and dword ptr [ebp-04], esi
:0040B528 6A10             push 00000010
:0040B52A 8D8DDCFEFFFF     lea ecx, dword ptr [ebp+FFFFFEDC]
:0040B530 E8AB0C0000       call 0040C1E0
:0040B535 83F801           cmp eax, 00000001
:0040B538 0F8584000000     jne 0040B5C2
:0040B53E 8065E400         and byte ptr [ebp-1C], 00
:0040B542 B9300C4200       mov ecx, 00420C30
:0040B547 E828B7FFFF       call 00406C74
:0040B54C 50               push eax
:0040B54D 8D45E4           lea eax, dword ptr [ebp-1C]

* Possible StringData Ref from Data Obj ->"%u"
|
:0040B550 68E0C34100       push 0041C3E0
:0040B555 50               push eax
:0040B556 E8C5340000       call 0040EA20
:0040B55B 83C40C           add esp, 0000000C
:0040B55E 8D8DDCFEFFFF     lea ecx, dword ptr [ebp+FFFFFEDC]
:0040B564 E82F0E0000       call 0040C398
:0040B569 50               push eax
:0040B56A 8D85D8FDFFFF     lea eax, dword ptr [ebp+FFFFFDD8]
:0040B570 50               push eax
:0040B571 E8FA2A0000       call 0040E070
:0040B576 59               pop ecx
:0040B577 59               pop ecx
:0040B578 8D8DD4EDFFFF     lea ecx, dword ptr [ebp+FFFFEDD4]
:0040B57E E8A066FFFF       call 00401C23
:0040B583 8D85D8FDFFFF     lea eax, dword ptr [ebp+FFFFFDD8]
:0040B589 8D8DD4EDFFFF     lea ecx, dword ptr [ebp+FFFFEDD4]
:0040B58F 50               push eax
:0040B590 6A0C             push 0000000C
:0040B592 C645FC01         mov [ebp-04], 01
:0040B596 E8BE68FFFF       call 00401E59
:0040B59B 8D45E4           lea eax, dword ptr [ebp-1C]
:0040B59E 8D8DD4EDFFFF     lea ecx, dword ptr [ebp+FFFFEDD4]
:0040B5A4 50               push eax
:0040B5A5 6A03             push 00000003
:0040B5A7 E85869FFFF       call 00401F04           ; <--- WAIT HERE, PLEASE.
:0040B5AC 83F801           cmp eax, 00000001
:0040B5AF 7502             jne 0040B5B3

You see a lot of function calls in the above code listing. But the only one we are interested in is the one at 0040B5A7. (Do you know why? Yes, smart kid.) Note that its result is compared against 1, exactly like the outer check at 0040B3DC. Ok, trace in with F8 on the line at 0040B5A7.

:00401F04 FF742404         push [esp+04]
:00401F08 E8F8FEFFFF       call 00401E05
:00401F0D 50               push eax
:00401F0E FF74240C         push [esp+0C]
:00401F12 E879CC0000       call 0040EB90           ; <--- STOP HERE, PLEASE.
:00401F17 F7D8             neg eax
:00401F19 59               pop ecx
:00401F1A 1BC0             sbb eax, eax
:00401F1C 59               pop ecx
:00401F1D 40               inc eax
:00401F1E C20800           ret 0008

Do you see that 'neg eax' instruction? Well, I have a bad feeling seeing it (neg / sbb / inc turns a zero return from the call into 1 and anything else into 0, i.e. "the two strings are equal"), so F8 into the call at 00401F12, which brings us to 0040EB90.

* Referenced by a CALL at Addresses:
|:00401F12 , :00403288 , :0040329F , :00405458 , :0040792B
|:00407EDE , :00408D8D , :00409197 , :004091DC , :004092FB
|:004094E5 , :0040AF37 , :0040C5EC , :0040CD5F
|
:0040EB90 8B542404         mov edx, dword ptr [esp+04]
:0040EB94 8B4C2408         mov ecx, dword ptr [esp+08]
:0040EB98 F7C203000000     test edx, 00000003
:0040EB9E 753C             jne 0040EBDC
:
:

WOW, a lot of code lives here. Anyway, type 'd edx' and you will see your fake registration code, and type 'd ecx' and you will see the correct registration code. In my case, it shows '268184' in the data window. Get out of Soft-Ice, enter 268184 and you are registered.

Final Note:

IMPORTANT: This program uses the so-called Installation Serial Number (ISN) to generate the correct registration code. In my case, my ISN is '0-2832-803-3577-1-116'. If yours is not the same as mine, you'd better not use 268184 as the registration code. It won't work, I guess. But anyway, follow the tutorial to find your own code (or better yet, write a key generator for me. Thanks).

Ob Duh

Do I really have to remind you all that by buying and NOT stealing the software you use, you will ensure that these software houses will continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges to breaking their often weak protection systems.

+ViPeR+ [E]bola [V]irus [C]rew
July 7, 1999
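The weakness this tutorial exploits is the compare at 00401F12: the program formats its own expected code with "%u", hands both plain-text strings to a strcmp-style routine, and the neg / sbb / inc idiom turns the result into 1 or 0. As an added example (not code from CheckPOP or from this tutorial's author), here is that pattern in C beside a form that only ever holds a digest of the expected code and compares in constant time; FNV-1a is a stand-in so the block is self-contained, a real product would use a cryptographic hash, and protecting the derivation from the ISN itself is a separate problem this does not address.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Weak form, as in the listing: the expected code is formatted with "%u",
 * compared to the user's string with strcmp, and the result mapped to 1/0
 * (the 'neg eax; sbb eax, eax; inc eax' idiom). The expected code sits in
 * memory as plain text right next to the input during the compare. */
static int check_weak(const char *input, unsigned expected_value)
{
    char expected[16];
    snprintf(expected, sizeof expected, "%u", expected_value);
    return strcmp(input, expected) == 0;
}

/* FNV-1a 64-bit: a stand-in so the example is self-contained; a real
 * product would use a cryptographic hash here. */
static uint64_t fnv1a64(const char *s)
{
    uint64_t h = 1469598103934665603ULL;
    for (; *s; ++s) {
        h ^= (unsigned char)*s;
        h *= 1099511628211ULL;
    }
    return h;
}

/* Constant-time digest equality: no early exit on the first differing bit. */
static int ct_equal64(uint64_t a, uint64_t b)
{
    uint64_t d = a ^ b;
    d |= d >> 32; d |= d >> 16; d |= d >> 8;
    d |= d >> 4;  d |= d >> 2;  d |= d >> 1;
    return (int)(1 ^ (d & 1));
}

/* Hardened form: only a digest of the expected code is held, so nothing
 * plain-text is exposed at the compare. The derivation from the ISN still
 * needs its own protection; this fixes the compare step only. */
static int check_hardened(const char *input, uint64_t expected_digest)
{
    return ct_equal64(fnv1a64(input), expected_digest);
}

int main(void)
{
    uint64_t digest = fnv1a64("268184");   /* 268184: code reported in the tutorial */
    printf("%d %d\n", check_weak("268184", 268184), check_hardened("268184", digest));
    return 0;
}
```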