Cracking "Drag and View v 4.5"

Date         : July 31, 1999
Author       : +ViPeR+ [E]bola [V]irus [C]rew
Program Name : Drag and View v 4.5
Location     : http://www.canyonsw.com/
Method       : COMPARE value based on the <>

-------------------------------------------------------------------------------

First, the registration screen will show up when you exit this program.
Enter the following code in the text field:

    11110000000000

Note: the length of the key should be 14 = E(hex).

'Ctrl-D' into Soft-Ice and set a breakpoint with 'bpx getdlgitemtexta'.
'Ctrl-D' to get out of Soft-Ice, click 'Ok' and you are back in Soft-Ice.
'F11' and 'F10' until you are at 00402B2F. You will find the standard TEST,
JUMP statements just below the function call. Hence, we need to trace into
the 'call 00402B70'.

:00402B1E FF1570BD4400   Call dword ptr [0044BD70]
:00402B24 FF352C5B4400   push dword ptr [00445B2C]
:00402B2A 8D45EC         lea eax, dword ptr [ebp-14]
:00402B2D 50             push eax
:00402B2E 56             push esi
:00402B2F E83C000000     call 00402B70                 <-- 'F8' into this call
:00402B34 83C40C         add esp, 0000000C
:00402B37 85C0           test eax, eax                 <-- standard TEST, JUMP
:00402B39 7417           je 00402B52
:00402B3B 6A40           push 00000040
:

After 'F8', we are at 00402B70. 'F10' until you reach 00402B8F.

:00402B70 55             push ebp
:00402B71 8BEC           mov ebp, esp
:00402B73 56             push esi
:00402B74 57             push edi
:00402B75 8B7D0C         mov edi, dword ptr [ebp+0C]
:00402B78 57             push edi
:00402B79 FF1508BA4400   Call dword ptr [0044BA08]
:00402B7F 83F80E         cmp eax, 0000000E             ; <-- compare length
:00402B82 7550           jne 00402BD4                  ; <-- jump if not equal
:00402B84 57             push edi
:00402B85 33F6           xor esi, esi
:00402B87 FF1564BD4400   Call dword ptr [0044BD64]
:00402B8D 33C9           xor ecx, ecx

The following block of code calculates a value based on your input key, and
the result is stored in ESI.
:00402B8F 8A0439         mov al, byte ptr [ecx+edi]       <-----+
:00402B92 3C41           cmp al, 41                             |
:00402B94 0FBEC0         movsx eax, al                          |
:00402B97 7C06           jl 00402B9F                            |
:00402B99 8D7406BF       lea esi, dword ptr [esi+eax-41]        | loops
:00402B9D EB04           jmp 00402BA3                           | through
:00402B9F 8D7406D0       lea esi, dword ptr [esi+eax-30]        | fake code
:00402BA3 83FE09         cmp esi, 00000009                      |
:00402BA6 7E03           jle 00402BAB                           |
:00402BA8 83EE09         sub esi, 00000009                      |
:00402BAB 41             inc ecx                                |
:00402BAC 83F90E         cmp ecx, 0000000E                      |
:00402BAF 7CDE           jl 00402B8F                       <----+
:00402BB1 83FE04         cmp esi, 00000004

If esi == 4, the program will execute the following 'call 00402C64'.

:00402BB4 750F           jne 00402BC5
:00402BB6 FF7510         push [ebp+10]
:00402BB9 FF7508         push [ebp+08]
:00402BBC E8A3000000     call 00402C64

The following is the code listing at 00402C64. From here, you can see that if
esi = 4, a message box shows up saying "You have 30 more days to evaluate the
program". If you close the program and restart it, it still asks you to
register when you exit.

>>>> CALL 00402C64 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

* Referenced by a CALL at Address:
|:00402BBC
|
:00402C64 837C240801     cmp dword ptr [esp+08], 00000001
:00402C69 7507           jne 00402C72
:00402C6B 68E0114400     push 004411E0
:00402C70 EB05           jmp 00402C77
:00402C72 6890114400     push 00441190
:00402C77 FF742408       push [esp+08]
:00402C7B E823000000     call 00402CA3
:00402C80 59             pop ecx
:00402C81 85C0           test eax, eax
:00402C83 59             pop ecx
:00402C84 741A           je 00402CA0
:00402C86 6A40           push 00000040
:00402C88 68D4134400     push 004413D4

* Possible StringData Ref from Data Obj ->"You have 30 more days to evaluate "
                                        ->"the program"

:00402C8D 68A4134400     push 004413A4
:00402C92 FF742410       push [esp+10]
:00402C96 FF1574BD4400   Call dword ptr [0044BD74]
:00402C9C 6A01           push 00000001
:00402C9E 58             pop eax
:00402C9F C3             ret

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

What if esi is not equal to 4? If esi does not equal 4, we jump to 00402BC5.
:00402BC5 8B4510         mov eax, dword ptr [ebp+10]   ; eax=5
:00402BC8 3BF0           cmp esi, eax
:00402BCA 7508           jne 00402BD4
:00402BCC 48             dec eax                       ; <-- notice this.
:00402BCD 7425           je 00402BF4
:00402BCF 83E804         sub eax, 00000004             ; <-- notice this.
:00402BD2 7419           je 00402BED                   ; jump if zero flag is set,
                                                       ; and this is the case when
                                                       ; eax = 0
:
:
:00402BED 6890114400     push 00441190
:00402BF2 EB05           jmp 00402BF9
:00402BF4 68E0114400     push 004411E0
:00402BF9 E808000000     call 00402C06
:00402BFE 59             pop ecx
:00402BFF 6A01           push 00000001                 <--
:00402C01 58             pop eax                       <-- this is what we want, eax = 1
:00402C02 5F             pop edi
:00402C03 5E             pop esi
:00402C04 5D             pop ebp
:00402C05 C3             ret

From the above, you can see that in order to register this program, the value
in ESI should be 5. So, what would be the easy way to make ESI have the value 5
based on the input we enter?

Answer: 11111000000000

Enter the above number and you are registered. When you exit the program, it
won't ask you to register again.

Final Note: I believe you can come up with thousands of ways to make ESI = 5.

Ob Duh

Do I really have to remind you all that buying and NOT stealing the software
you use will ensure that these software houses will continue to produce even
*better* software for us to use and, more importantly, to continue offering
even more challenges to breaking their often weak protection systems.

+ViPeR+ [E]bola [V]irus [C]rew
July 31, 1999
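To make the loop at 00402B8F..00402BB1 and the two compares that follow it easy to reason about without a debugger, here is a re-implementation of that check as added analysis code (not from the tutorial above and not the vendor's code). It assumes the characters reach the loop exactly as typed, since the tutorial does not identify the API called on the string at 00402B87; the reachable-value function goes beyond the tutorial's two keys to measure how few distinct outcomes the check can produce.

```python
from typing import Optional, Set

KEY_LENGTH = 0x0E   # cmp eax, 0000000E at 00402B7F
EXPECTED = 5        # value the listing shows in [ebp+10] at 00402BC5


def _step(esi: int, ch: str) -> int:
    """One iteration of the loop at 00402B8F..00402BAB for a single character."""
    code = ord(ch)
    # cmp al,41h / jl: anything below 'A' takes the -30h path, 'A' and above -41h
    esi += code - 0x30 if code < 0x41 else code - 0x41
    # cmp esi,9 / jle / sub esi,9: a single subtraction, not a true modulo
    return esi - 9 if esi > 9 else esi


def check_value(key: str) -> Optional[int]:
    """Return the value the loop leaves in ESI, or None if the length test fails."""
    if len(key) != KEY_LENGTH:
        return None                 # jne 00402BD4: straight to the failure path
    esi = 0                         # xor esi, esi
    for ch in key:                  # ecx counts 0..13 (cmp ecx, 0Eh / jl)
        esi = _step(esi, ch)
    return esi


def outcome(key: str) -> str:
    """Map ESI onto the three outcomes the tutorial walks through."""
    v = check_value(key)
    if v == 4:
        return "30-more-days"       # call 00402C64: evaluation extended, not registered
    if v == EXPECTED:
        return "registered"         # dec eax / sub eax,4 / je 00402BED: eax ends up 1
    return "rejected"               # wrong length or any other ESI value


def reachable_values(alphabet: str = "0123456789") -> Set[int]:
    """Every ESI value the loop can produce for keys drawn from `alphabet`.

    Computed by exploring the loop's state set step by step instead of
    enumerating all 10**14 keys. The tiny result is the design flaw: 14
    characters are folded into one small integer that is then compared with
    a constant, so a large share of all inputs land in the accepted class.
    """
    states = {0}
    for _ in range(KEY_LENGTH):
        states = {_step(s, ch) for s in states for ch in alphabet}
    return states
```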