June 99
Find the user code for
MPEGPlayer 3.31
Win '95 Program
Win Code Reversing
 
 
by ViPeR 
 
 
Code Reversing For Beginners 
 
 
 
Program Details
Program Name: MPEGPlayer 3.31
Program Type: MPEG Player
Program Location: Here 
Program Size: 2.01 MB
 
   
Tools Used:
Softice V3.2 - Debugger
 
Rating
Easy ( X )  Medium (  )  Hard (    )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
 
  
 
MPEGPlayer 3.31
'Fish for the user code for MPEGPlayer 3.31'
Written by ViPeR
 
 
Introduction
 
MPEGPlayer is a 32-bit utility for playing MPEG, VCD and other movie files. Formats supported include .mpg, .vcd, .dat, .avi, .mov, .fli, and .flc. MPEGPlayer can extract still .mpg and .pic images from .vcd or .mpg video files, and cut your favorite part of the movie to disk when playing. You can extract the system stream or video and audio stream only.
 
About this protection system
 
The program automatically generates the user ID. You need to enter a user name and a user code in order to become registered.
For this example, I use:
User name : evc_viper
User code : 54545454.
 
The Essay 
     

  Start the program, right-click the main menu folder, select configuration, then click the registration tab. Here, the User ID is generated by the program. Enter your favorite user name and type the user code 54545454. OK, press Ctrl-D to invoke Soft-Ice and set a breakpoint with 'bpx getdlgitemtexta'. Press Ctrl-D again to leave Soft-Ice and click the register button.

Now you are back in Soft-Ice. Press x once (or twice? well, I forgot), then F11 to return to the caller, and you will land at 0041297C, just after the call (the memory address may vary on your machine).


:0041297A FFD6                    call esi      ; call GetDlgItemTextA
:0041297C 6888A34700              push 0047A388 ; we land here. 
                                                ; type 'd 47A388' to see your code
:00412981 68A8934500              push 004593A8 ; your name
:00412986 E8154A0000              call 004173A0 ; call we need to trace inside
:0041298B 83C408                  add esp, 00000008
:0041298E 85C0                    test eax, eax
:00412990 0F8486000000            je 00412A1C
:

After pressing F8 to step into call 004173A0, just press F10 (like a hundred times) until you land at 0041748F.
:
:
* Possible StringData Ref from Data Obj ->"%8.8x-%8.8x"
                                  |
:0041748A 68C0864300              push 004386C0
:0041748F 51                      push ecx

Type 'd ecx' first, then press F10 to step over the following call, and you will see your user code in the data window.

* Reference To: USER32.wsprintfA, Ord:0264h
                                  |
:00417490 FF1508554800            Call dword ptr [00485508]
:
In my case, it shows d7779bcc-fe771eb1. The rest of the code just compares your fake registration key with the real key.

Note: You must exit the program and run it again. Then you will see that the registration tab is gone and you are registered. ^__^
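
The weakness found above, as an added defensive example (not code from MPEGPlayer or from this essay): a check that formats the valid code and then compares it leaves that code in a buffer, while a verify-only check ships just a public key. The key derivation, the FNV-1a digest and the toy RSA parameters N, E and D are constructed assumptions; a real product would use a vetted signature library and keep D out of the shipped binary.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy RSA parameters constructed for this example: N = 65521 * 65537. */
#define N 4294049777ULL
#define E 17ULL          /* public exponent, shipped in the program */
#define D 2020667633ULL  /* private exponent, vendor's issuing tool only */

/* FNV-1a over the user name, reduced mod N (stand-in for a real hash). */
static uint64_t digest(const char *name) {
    uint32_t h = 2166136261u;
    for (; *name; name++) { h ^= (unsigned char)*name; h *= 16777619u; }
    return h % N;
}

/* Square-and-multiply; operands stay below 2^32 so products fit in 64 bits. */
static uint64_t modpow(uint64_t b, uint64_t e, uint64_t m) {
    uint64_t r = 1;
    for (b %= m; e; e >>= 1) {
        if (e & 1) r = r * b % m;
        b = b * b % m;
    }
    return r;
}

/* Weak pattern: build the valid code as text, then compare. `expected`
   plays the role of the buffer inspected in the debugger. */
static int weak_check(const char *name, const char *entered, char expected[18]) {
    uint32_t a = (uint32_t)digest(name), b = a ^ 0x5A5A5A5Au; /* hypothetical derivation */
    snprintf(expected, 18, "%8.8x-%8.8x", a, b);
    return strcmp(entered, expected) == 0;
}

/* Vendor side only: sign the digest with the private exponent. */
static uint64_t vendor_issue(const char *name) { return modpow(digest(name), D, N); }

/* Shipped check: needs only N and E, so the valid code is never computed here. */
static int verify_code(const char *name, uint64_t code) {
    return code < N && modpow(code, E, N) == digest(name);
}

int main(void) {
    char buf[18];
    int ok = weak_check("evc_viper", "54545454", buf);
    printf("weak: accepted=%d, valid code left in buffer: %s\n", ok, buf);
    printf("verify-only: accepted=%d\n", verify_code("evc_viper", vendor_issue("evc_viper")));
    return 0;
}
```

With the verify-only form, the comparison branch itself is still a single point that can be patched, so the check is usually repeated or tied to functionality rather than to one jump.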
Ob Duh 
 
 
Do I really have to remind you all that buying and NOT stealing the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue to offer even more challenges to breaking their often weak protection systems?
 
If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warze, Cracks etc.
   

 

Essay by: ViPeR
Page Created: 21 June 1999