Cracking "CTris 2000"

Date         : July 4, 1999
Author       : +ViPeR+ [E]bola [V]irus [C]rew
Program Name : CTris 2000
Location     : http://www.antonypr.pair.com/index.html
Method       : HEX COMPARE <>
-------------------------------------------------------------------------------

+ViPeR+ from [E]bola [V]irus [C]rew again. This time I am going to show you how to crack the fun game CTris 2000. It is very similar to the Tetris we played a long, long time ago.

As usual, locate the place to enter the registration code. Here I enter

    Name : evc_viper
    Code : 54545454      (hey, I always use 54545454 as my registration code)

Fire up Soft-Ice and set a breakpoint by typing 'bpx hmemcpy'. Press 'x Enter' to exit Soft-Ice. Click the 'Ok' button and you will be thrown back into Soft-Ice. Press 'x Enter' one time, then F11 one time, then F12 6 (or 7) times and then F10 22 times to get back to the caller. (If you break on 'hmemcpy' you always need a sequence like this: the breakpoint fires deep inside Windows, and F12 returns you one call level at a time until you are back in the program's own code.)

Ok, now you are at 00451A1F. This is the dead listing of the place:

:00451A1F 8B45F4          mov eax, dword ptr [ebp-0C]       ; <-- we land here
:00451A22 E8AD4FFBFF      call 004069D4
:00451A27 8BD8            mov ebx, eax
:00451A29 33C0            xor eax, eax
:00451A2B 5A              pop edx
:00451A2C 59              pop ecx
:00451A2D 59              pop ecx
:00451A2E 648910          mov dword ptr fs:[eax], edx
:00451A31 EB18            jmp 00451A4B
:00451A33 E9E816FBFF      jmp 00403120
:00451A38 0100            add dword ptr [eax], eax
:00451A3A 0000            add byte ptr [eax], al
:00451A3C 086140          or byte ptr [ecx+40], ah
:00451A3F 00441A45        add byte ptr [edx+ebx+45], al
:00451A43 0033            add byte ptr [ebx], dh
:00451A45 DBE8            fucomi st(0), st(0)
:00451A47 B518            mov ch, 18
:00451A49 FB              sti
:00451A4A FF8B55F88B45    dec dword ptr [ebx+458BF855]
:00451A50 FC              cld
:00451A51 E816FCFFFF      call 0045166C
:00451A56 3BD8            cmp ebx, eax

Press F10 one time, so you are at 00451A22. Type 'd eax' now and you will see your fake reg. code in the data window: [ebp-0C] holds a pointer to the string you typed, and the call at 00451A22 turns that string into a number (after it returns, EBX gets the result). Ok, F10 until you jump to 00451A4B.
Important Note here: even though the dead listing shows you 'jmp 00451A4B' at :00451A31, you actually cannot find the location 00451A4B anywhere in the dead listing. If you use Soft-Ice, you will see something weird happen when you F10 over

:00451A31 EB18            jmp 00451A4B

The thing is: the line :00451A4B shows up, and Soft-Ice displays the following two lines before the call at :00451A51:

:00451A4B 8B55F8          mov edx, dword ptr [ebp-08]
:00451A4E 8B45FC          mov eax, dword ptr [ebp-04]
:00451A51 E816FCFFFF      call 0045166C
:00451A56 3BD8            cmp ebx, eax

After I F10 those two lines, they are gone!!! At first I had no idea what was going on (maybe it was too late and I was sleepy....). Here is what actually happens: the dead listing is out of sync. The bytes right after the 'jmp 00403120' at :00451A33 are not code but a small table the compiler puts inline (01 00 00 00, 08 61 40 00, 44 1A 45 00: a count, a pointer, and the address 00451A44). This is the usual try/except layout: the 'mov dword ptr fs:[eax], edx' with eax = 0 unhooks the exception handler after the conversion succeeded, and if the conversion at :00451A22 fails (you typed letters instead of digits) execution lands on 00451A44, where the bytes 33 DB are 'xor ebx, ebx', i.e. your code becomes 0. The disassembler does not know any of this and keeps decoding the table as instructions, so everything from :00451A38 to :00451A4A is garbage, and the real instructions are hiding inside that 'dec dword ptr [ebx+458BF855]' line: 8B 55 F8 at 00451A4B is 'mov edx, [ebp-08]' and 8B 45 FC at 00451A4E is 'mov eax, [ebp-04]'. Soft-Ice shows them correctly while EIP sits on them because it disassembles from the current instruction; as soon as the code window redraws from an earlier address it goes out of sync exactly like the dead listing, and the two lines "vanish". Lesson: when a listing turns into nonsense right after a jmp, trust the bytes and the debugger, not the mnemonics.

Anyway, F10 the call at :00451A51 and here comes a cmp instruction. What is in EAX? What is in EBX? In EBX I see 'EBX=03404C2E', which is my 54545454 in hex. To verify this, type '? ebx' and you will see the following line:

03404C2E 0054545454 "@#$%^&**&%%........"

Well, compare your fake registration code with what? Yes, compare it with the correct registration code, in the same form. You got it, smart kid. The call at :00451A51 computes it (its arguments are [ebp-04] in EAX and [ebp-08] in EDX, presumably the name you typed) and returns it in EAX. Hence, in order to see the correct registration code, do '? eax'. In my case it says 39714213 (my eax is EAX=025DFDA5). Get out of Soft-Ice, enter it, and prepare to see the "Thank you for registering" greeting screen. Not hard at all, right?

My point for this tutorial is: there are a lot of protection schemes out there. One of them is to convert your registration code into a number and compare it with the correct one. (The program does not really "convert to hex"; it turns the decimal string you typed into a 32-bit integer, and hex is simply how Soft-Ice shows registers. That is why 54545454 looks like 03404C2E and 025DFDA5 reads back as 39714213.) CTris 2000 is one of the programs that uses this scheme. So one good thing to keep in mind is: remember what the hex value of your registration code is. I always use 54545454 as my registration code, so when I see 03404C2E show up in one of the registers (in most cases EAX or EBX), I know what I am looking at.

Final Note: one thing you should learn from this tutorial: always use the same fake registration code and remember its hex value. In some cases it will come in handy to crack the program.
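Here is a little helper that does the "remember your hex value" trick for you. It is added to this edition of the tutorial; it is not something +ViPeR+ wrote and has nothing to do with CTris 2000 itself. It assumes a Soft-Ice style register line ('EAX=025DFDA5 EBX=03404C2E ...') and a 'cmp reg, reg' line copied from the code window; the SAMPLE_DUMP below is constructed from the two values in the tutorial, the other registers are filler. It goes a bit beyond the page: it also handles serials above 2^31, where a signed conversion would need the negative form.

```python
import re

# The fake serial +ViPeR+ always types; the only default the helpers rely on.
FAKE_CODE = "54545454"

# 'EAX=025DFDA5'-style pairs in a Soft-Ice register line.
REG_RE = re.compile(r"\b(E[ABCD]X|E[SD]I|E[BS]P|EIP)=([0-9A-F]{8})\b", re.I)

# 'cmp ebx, eax', with or without the ':address bytes' prefix of a listing.
CMP_RE = re.compile(r"^\s*(?::[0-9A-F]{8}\s+)?(?:[0-9A-F]+\s+)?cmp\s+(\w+)\s*,\s*(\w+)", re.I)

# Constructed sample: EAX and EBX are the values from the tutorial, the rest is filler.
SAMPLE_DUMP = ("EAX=025DFDA5 EBX=03404C2E ECX=0012F5A4 EDX=00000000 "
               "ESI=00000000 EDI=0045166C EBP=0012F5A8 ESP=0012F598 EIP=00451A56")


def hex_marker(serial: str) -> str:
    """Decimal serial -> the 8-digit hex Soft-Ice shows when a register holds it.
    Masked to 32 bits because that is all a register can hold."""
    return f"{int(serial, 10) & 0xFFFFFFFF:08X}"


def parse_registers(dump: str) -> dict:
    """'EAX=025DFDA5 EBX=03404C2E ...' -> {'EAX': 0x025DFDA5, 'EBX': 0x03404C2E, ...}."""
    return {name.upper(): int(value, 16) for name, value in REG_RE.findall(dump)}


def registers_holding(regs: dict, serial: str) -> list:
    """Names of the registers whose value is the 32-bit integer form of the serial you typed."""
    marker = int(serial, 10) & 0xFFFFFFFF
    return sorted(name for name, value in regs.items() if value == marker)


def as_serial(value: int) -> str:
    """32-bit register value -> the decimal string a StrToInt-style conversion parses to it.
    With bit 31 set a signed conversion needs the negative form, so both are given."""
    unsigned = str(value & 0xFFFFFFFF)
    if value & 0x80000000:
        return f"{unsigned} (or {value - 0x100000000} if the conversion is signed)"
    return unsigned


def solve_cmp(cmp_line: str, regs: dict, serial: str = FAKE_CODE):
    """Given the decisive 'cmp reg, reg' and the registers at that moment, return the
    serial the program wanted, or None if neither operand holds the one you typed."""
    m = CMP_RE.match(cmp_line)
    if not m:
        raise ValueError(f"not a 'cmp reg, reg' line: {cmp_line!r}")
    a, b = (op.upper() for op in m.groups())
    mine = registers_holding(regs, serial)
    for fake, real in ((a, b), (b, a)):
        if fake in mine and real in regs and real not in mine:
            return as_serial(regs[real])
    return None


if __name__ == "__main__":
    regs = parse_registers(SAMPLE_DUMP)
    print("my fake code in hex :", hex_marker(FAKE_CODE))
    print("held by             :", registers_holding(regs, FAKE_CODE))
    print("real serial         :", solve_cmp(":00451A56 3BD8 cmp ebx, eax", regs))
```

Paste the register line Soft-Ice shows at the cmp into SAMPLE_DUMP (or feed it to parse_registers) and the script tells you which operand is yours and what to type for the other one; if neither operand is your marker, the compare is not the one you are looking for and you keep tracing.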
Ob Duh

Do I really have to remind you all that by buying and NOT stealing the software you use, you will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue to offer even more challenges in breaking their often weak protection systems?

+ViPeR+
[E]bola [V]irus [C]rew
July 4, 1999

(On the same web site there is another program called 'B-Jigsaw'. It is also a fun game to play. Try it and see if it uses the same protection as this one.)