Cracking "SuperJPG v 3.2"

Date         : August 1, 1999
Author       : +ViPeR+ [E]bola [V]irus [C]rew
Program Name : SuperJPG v 3.2
Location     : http://www.midnightblue.com/
Method       : HEX COMPARE
-------------------------------------------------------------------------------

Click 'File', then 'Register', then 'Enter Registration Code'. You need to
enter a registered name and a passcode. I entered the following:

  Name     : evc_viper
  Passcode : 545454-54545454

Press 'Ctrl-D' to open Soft-Ice and set a breakpoint by typing
'bpx getwindowtexta', then 'Ctrl-D' out of Soft-Ice. Click the 'Enter' button
and you are back in Soft-Ice. Type 'x' and press Enter once; when the
breakpoint fires again, press 'F11' once to return to the caller. Then press
'F10' hundreds of times (sometimes in the middle of this 'F10' action you need
'F12' to get out of kernel32) until you reach 00424BFA.

:
:00424BFA 8D85CCFEFFFF            lea eax, dword ptr [ebp+FFFFFECC]
:00424C00 8D8D30FFFFFF            lea ecx, dword ptr [ebp+FFFFFF30]
:00424C06 50                      push eax
:00424C07 E8B9980600              call 0048E4C5
:00424C0C C645FC04                mov [ebp-04], 04
:00424C10 8D8D30FFFFFF            lea ecx, dword ptr [ebp+FFFFFF30]
:00424C16 E8F49E0600              call 0048EB0F
:00424C1B 8B85D0FEFFFF            mov eax, dword ptr [ebp+FFFFFED0]   ; <--
:00424C21 8B8DCCFEFFFF            mov ecx, dword ptr [ebp+FFFFFECC]   ; <--

Note here (at 00424C1B and 00424C21) that EAX points to the first part of the
passcode we entered and ECX points to the name. Type 'd eax' and 'd ecx' to see
them in the data window.

:00424C27 50                      push eax                ; push eax onto the stack
:00424C28 51                      push ecx                ; push ecx onto the stack
:00424C29 E8C2F9FFFF              call 004245F0           ; <-- generate the second
                                                          ;     part of the passcode
:00424C2E 83C408                  add esp, 00000008
:00424C31 8B8DC8FEFFFF            mov ecx, dword ptr [ebp+FFFFFEC8]
:00424C37 3BC1                    cmp eax, ecx

EAX contains the real second part of the passcode, ECX contains the fake one we
typed. Both are shown in hex. In our case EAX=00EEB568 (type '? eax' to see it
in decimal: the real second part is '15644008') and ECX=03404C2E (type '? ecx'
to see 54545454, the second part of the fake passcode we entered). So the
second half is compared as a number, and the decimal form of EAX is what has
to be typed into the dialog.

:00424C39 0F85BE000000            jne 00424CFD
:00424C3F 8B85D0FEFFFF            mov eax, dword ptr [ebp+FFFFFED0]
:00424C45 50                      push eax
:00424C46 E8E51C0500              call 00476930
:00424C4B 83C404                  add esp, 00000004
:00424C4E 3D06120F00              cmp eax, 000F1206
:00424C53 0F84A4000000            je 00424CFD
:
:

00424CFD is the failure path: the jne at 00424C39 takes it when the computed
second part does not match, and the je at 00424C53 takes it when the value
that call 00476930 derives from the first part equals 000F1206 (987654
decimal), so that first part is refused as well.

Hence, enter the following info to register this program:

  Name     : evc_viper
  Passcode : 545454-15644008

Below I list the call that generates the second part of the real passcode. If
you would like to write a key generator, study it. In short: the name is
copied to a stack buffer with 'a'..'z' converted to upper case, every byte
except 20h (space) and 2Eh ('.') is mixed into a running 24-bit value that
starts at 07D2284D, the first part of the passcode is then run through the
same mixing (skipping only 20h), and the result is OR'ed with 00A00000.

>>>>> CALL 004245F0 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

:004245F0 8B542404                mov edx, dword ptr [esp+04]      ; name
:004245F4 81EC00010000            sub esp, 00000100                ; 100h-byte buffer
:004245FA B84D28D207              mov eax, 07D2284D                ; initial value
:004245FF 90                      nop
:00424600 8D4C2400                lea ecx, dword ptr [esp]
:00424604 53                      push ebx
:00424605 56                      push esi
:00424606 8A1A                    mov bl, byte ptr [edx]
:00424608 84DB                    test bl, bl
:0042460A 7419                    je 00424625
:0042460C 8A1A                    mov bl, byte ptr [edx]
:0042460E 80FB61                  cmp bl, 61                       ; 'a'
:00424611 7C08                    jl 0042461B
:00424613 80FB7A                  cmp bl, 7A                       ; 'z'
:00424616 7F03                    jg 0042461B
:00424618 80EB20                  sub bl, 20                       ; to upper case
:0042461B 8819                    mov byte ptr [ecx], bl
:0042461D 42                      inc edx
:0042461E 41                      inc ecx
:0042461F 8A1A                    mov bl, byte ptr [edx]
:00424621 84DB                    test bl, bl
:00424623 75E7                    jne 0042460C
:00424625 8D742408                lea esi, dword ptr [esp+08]      ; buffer
:00424629 C60100                  mov byte ptr [ecx], 00
:0042462C 8A4C2408                mov cl, byte ptr [esp+08]
:00424630 84C9                    test cl, cl
:00424632 744E                    je 00424682
:00424634 8A0E                    mov cl, byte ptr [esi]
:00424636 80F920                  cmp cl, 20                       ; skip space
:00424639 743F                    je 0042467A
:0042463B 80F92E                  cmp cl, 2E                       ; skip '.'
:0042463E 743A                    je 0042467A
:00424640 0FBED1                  movsx edx, cl
:00424643 8BCA                    mov ecx, edx
:00424645 8D1CD2                  lea ebx, dword ptr [edx+8*edx]   ; 9*c
:00424648 8D1459                  lea edx, dword ptr [ecx+2*ebx]   ; 19*c
:0042464B C1E207                  shl edx, 07
:0042464E 03D1                    add edx, ecx                     ; 2433*c
:00424650 8D1C92                  lea ebx, dword ptr [edx+4*edx]
:00424653 8D14D9                  lea edx, dword ptr [ecx+8*ebx]   ; 97321*c
:00424656 8BC8                    mov ecx, eax
:00424658 C1E105                  shl ecx, 05
:0042465B 03D1                    add edx, ecx                     ; + (eax << 5)
:0042465D 8BC8                    mov ecx, eax
:0042465F C1F807                  sar eax, 07
:00424662 81E100F80700            and ecx, 0007F800
:00424668 C1E90B                  shr ecx, 0B                      ; bits 11..18 of eax
:0042466B C1E010                  shl eax, 10                      ; (eax >> 7) << 16
:0042466E 33D1                    xor edx, ecx
:00424670 33D0                    xor edx, eax
:00424672 81E2FFFFFF00            and edx, 00FFFFFF                ; keep 24 bits
:00424678 8BC2                    mov eax, edx
:0042467A 8A4E01                  mov cl, byte ptr [esi+01]
:0042467D 46                      inc esi
:0042467E 84C9                    test cl, cl
:00424680 75B2                    jne 00424634
:00424682 8B942410010000          mov edx, dword ptr [esp+00000110] ; first part of passcode
:00424689 8D4C2408                lea ecx, dword ptr [esp+08]
:0042468D 803A00                  cmp byte ptr [edx], 00
:00424690 7419                    je 004246AB
:00424692 8A1A                    mov bl, byte ptr [edx]
:00424694 80FB61                  cmp bl, 61
:00424697 7C08                    jl 004246A1
:00424699 80FB7A                  cmp bl, 7A
:0042469C 7F03                    jg 004246A1
:0042469E 80EB20                  sub bl, 20
:004246A1 8819                    mov byte ptr [ecx], bl
:004246A3 42                      inc edx
:004246A4 41                      inc ecx
:004246A5 8A1A                    mov bl, byte ptr [edx]
:004246A7 84DB                    test bl, bl
:004246A9 75E7                    jne 00424692
:004246AB 8D742408                lea esi, dword ptr [esp+08]
:004246AF C60100                  mov byte ptr [ecx], 00
:004246B2 8A4C2408                mov cl, byte ptr [esp+08]
:004246B6 84C9                    test cl, cl
:004246B8 7449                    je 00424703
:004246BA 8A0E                    mov cl, byte ptr [esi]
:004246BC 80F920                  cmp cl, 20                       ; skip space only
:004246BF 743A                    je 004246FB
:004246C1 0FBED1                  movsx edx, cl
:004246C4 8BCA                    mov ecx, edx
:004246C6 8D1CD2                  lea ebx, dword ptr [edx+8*edx]
:004246C9 8D1459                  lea edx, dword ptr [ecx+2*ebx]
:004246CC C1E207                  shl edx, 07
:004246CF 03D1                    add edx, ecx
:004246D1 8D1C92                  lea ebx, dword ptr [edx+4*edx]
:004246D4 8D14D9                  lea edx, dword ptr [ecx+8*ebx]
:004246D7 8BC8                    mov ecx, eax
:004246D9 C1E105                  shl ecx, 05
:004246DC 03D1                    add edx, ecx
:004246DE 8BC8                    mov ecx, eax
:004246E0 C1F807                  sar eax, 07
:004246E3 81E100F80700            and ecx, 0007F800
:004246E9 C1E90B                  shr ecx, 0B
:004246EC C1E010                  shl eax, 10
:004246EF 33D1                    xor edx, ecx
:004246F1 33D0                    xor edx, eax
:004246F3 81E2FFFFFF00            and edx, 00FFFFFF
:004246F9 8BC2                    mov eax, edx
:004246FB 8A4E01                  mov cl, byte ptr [esi+01]
:004246FE 46                      inc esi
:004246FF 84C9                    test cl, cl
:00424701 75B7                    jne 004246BA
:00424703 0D0000A000              or eax, 00A00000                 ; final result
:00424708 5E                      pop esi
:00424709 5B                      pop ebx
:0042470A 81C400010000            add esp, 00000100
:00424710 C3                      ret

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Final Note: none.

Ob Duh
Do I really have to remind you all that by buying and NOT stealing the software
you use, you will ensure that these software houses continue to produce even
*better* software for us to use and, more importantly, continue offering even
more challenges in breaking their often weak protection systems.

+ViPeR+ [E]bola [V]irus [C]rew
August 1, 1999
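The following key generator is an added example and is not code from the tutorial or from SuperJPG's author: it re-implements call 004245F0 from the listing above in Python, round for round (the 97321 multiplier is the lea/shl/add chain collapsed into one constant; the 24-bit mask, the bit 11..18 and bit 7..14 extractions and the final or 00A00000 are taken directly from the routine). The function names are mine, and the guard against a first half of 987654 assumes that call 00476930, which the tutorial does not show, is a decimal string-to-integer conversion.

```python
"""Key generator for SuperJPG v3.2, reconstructed from call 004245F0.

Added example, not the tutorial author's code; function names are mine.
The routine receives (name, first_half) and returns the 24-bit value that
00424C37 compares against the second half of the passcode the user typed.
"""

INITIAL_STATE = 0x07D2284D     # mov eax, 07D2284D
MASK24 = 0x00FFFFFF            # and edx, 00FFFFFF at the end of every round
CHAR_MULTIPLIER = 97321        # lea/shl/add chain: (((19*c) << 7) + c) * 5 * 8 + c
RESULT_OR = 0x00A00000         # or eax, 00A00000 before ret
BLACKLISTED_FIRST_HALF = 0x000F1206   # cmp eax, 000F1206 / je 00424CFD (fail)


def _upper_ascii(data: bytes) -> bytes:
    """cmp bl,61 / jl ; cmp bl,7A / jg ; sub bl,20.

    The compares are signed, so only 'a'..'z' (0x61..0x7A) are changed;
    bytes >= 0x80 read as negative and are copied unchanged."""
    return bytes(b - 0x20 if 0x61 <= b <= 0x7A else b for b in data)


def _mix(state: int, data: bytes, skip: bytes) -> int:
    """One pass of the per-character loop (00424634.. or 004246BA..)."""
    for b in _upper_ascii(data):
        if b in skip:                        # cmp cl,20 (/ cmp cl,2E) ; je
            continue
        c = b - 0x100 if b & 0x80 else b     # movsx edx, cl (sign-extended)
        t = CHAR_MULTIPLIER * c + (state << 5)
        u = (state & 0x0007F800) >> 11       # and ecx,0007F800 ; shr ecx,0B
        v = (state >> 7) << 16               # sar eax,07 ; shl eax,10
        state = (t ^ u ^ v) & MASK24         # xor, xor, and edx,00FFFFFF
    return state


def superjpg_second_half(name: str, first_half: str) -> int:
    """Numeric second half of the passcode for (name, first_half)."""
    # Name pass: uppercase copy, then every byte except 20h and 2Eh is mixed in.
    state = _mix(INITIAL_STATE, name.encode("latin-1"), b" .")
    # First-half pass: same mixing, but only 20h is skipped.
    state = _mix(state, first_half.encode("latin-1"), b" ")
    return state | RESULT_OR


def superjpg_passcode(name: str, first_half: str = "545454") -> str:
    """Full passcode as typed into the dialog: '<first>-<second>'.

    Assumption (mine): call 00476930 converts the first half from decimal,
    so a first half of 987654 (000F1206) would hit the je at 00424C53 and
    be refused by the target; refuse it here as well."""
    if first_half.isdigit() and int(first_half) == BLACKLISTED_FIRST_HALF:
        raise ValueError("first half 987654 is rejected by the target")
    return f"{first_half}-{superjpg_second_half(name, first_half)}"


if __name__ == "__main__":
    # The tutorial's own input: name evc_viper, first half 545454.
    print(superjpg_passcode("evc_viper", "545454"))   # prints 545454-15644008
```

superjpg_passcode("evc_viper") gives 545454-15644008, the value the tutorial found in EAX. Because the name is uppercased and 20h/2Eh bytes are skipped before mixing, 'evc_viper', 'EVC_VIPER' and 'e.v.c_viper' all get the same second half, and the or 00A00000 together with the 24-bit mask means that, once at least one character has been mixed in, the second half is always a decimal number between 10485760 and 16777215; the dialog's decimal input (54545454, shown as 03404C2E in the tutorial) is compared against exactly that number. One more thing visible in the listing: both copy loops write the NUL-terminated input into the 100h-byte stack buffer with no bound check. The tutorial does not show whether the dialog limits the edit-control length, so that is an observation about the routine, not a demonstrated overflow.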