/------------------------------HellSpawn 2K1-----------------------\
| Author:     KahnAbyss                                            |
| Target:     LmSoft Presenter                                     |
|             v 4.0.0.5                                            |
| Tools:      W32Dasm 8.93                                         |
|             Hiew 6.05                                            |
|             SoftIce 3.25                                         |
| Crack Type: Pt2a: Patch                                          |
|             Pt2b: Serial                                         |
| Level:      Pt2a: Novice                                         |
|             Pt2b: Advanced                                       |
\------------------------------------------------------------------/

This software can be found at www.lmsoft.com

Ok here we go on my 2nd tutorial. I hope you're gonna understand it since it has a lot of fuckin' checks, but I guess it's gonna be ok :)

---------------------------------> INTRODUCTION <---------------------------------------------

Part 2a: The fastest way to crack a software is to bypass its protection, and it can be a good way to see where the operations are done to get the right serial, since you don't have to patch it but just change a flag to see how the program is gonna react.

----------------------------------------------------------------------------------------------------------------

Part 2a: Patch to bypass Serial Verification of LmSoft Presenter
==================================================

Step 1: Run Presenter and click Register then Ok. You're gonna have an error message about it not being able to match the Serial with the Key. Ok...

Step 2: Make a copy of LMPres40.exe to Ori.exe. Disassemble it with W32Dasm. Click on the Strn Ref button and search for your error message. Double click on it and press PgUp until you are here:

Step 3:

    :00410751 E8A3BAFFFF    call 0040C1F9          <--- call that generates the Key that matches the Serial#
    :00410756 83C40C        add esp, 0000000C
    :00410759 48            dec eax

Step 4: Go on the line 410751 and click on Call to enter the procedure. You should land here:

    :0040C1F9 55            push ebp
    :0040C1FA 8BEC          mov ebp, esp
    :0040C1FC 83C4F0        add esp, FFFFFFF0
    :0040C1FF 53            push ebx
    :0040C200 8B5D0C        mov ebx, dword ptr [ebp+0C]
    :0040C203 8D45F0        lea eax, dword ptr [ebp-10]
    :0040C206 50            push eax
    :0040C207 53            push ebx
    :0040C208 E87A54FFFF    call 00401687
    :0040C20D 8D55F0        lea edx, dword ptr [ebp-10]
    :0040C210 52            push edx
    :0040C211 FF7510        push [ebp+10]
    :0040C214 E8A7400300    call 004402C0
    :0040C219 83C408        add esp, 00000008
    :0040C21C 85C0          test eax, eax          <--- Test the Serial
    :0040C21E 7407          je 0040C227            <--- If not equal jump to error
    :0040C220 B801000000    mov eax, 00000001
    :0040C225 EB1D          jmp 0040C244

Step 5: Get the offset of the line 40C21E, that is B81E. Open the file LMPres40.exe with Hiew. Press F4 to switch to Decode Mode. Press F5 then type the offset. Press F3 to edit then change 74 (je) for 75 (jne). Press F9 to update the change then F10 to exit.

Step 6: Execute the newly patched file and click Register/Ok... Surprise, it works!!! :)

This way of cracking works fine, but in part 2b we're gonna see another method that doesn't patch the program; we'll use the well known debugger SoftIce of Numega and W32Dasm. The advantage of the 2nd way is that when the software has an update you don't have to recrack it again, since updates often work on the executable.... anyway, knowledge is power.

Part 2b: Get a valid Serial#/Key of LmSoft Presenter
=========================================

Step 1: Enter any number for Serial #/Key. I used Serial 0053-1212-69, Key 1212-3434-69. You get an error about Not a valid Serial Format.

Step 2: Make a backup of LMPres40.EXE. Disassemble it with W32Dasm. Click on the Strn Ref button and search for your error message.

Step 3: You should land here:

    :004103EE E8179E0300    Call 0044A20A
    :004103F3 83C40C        add esp, 0000000C
    * Possible Reference to String Resource ID=00409: "Le format du numéro de série est invalide. Assurez-vous que "

Step 4: Press PgUp until you get these lines:

    :004103CA 8B877C050000  mov eax, dword ptr [edi+0000057C]
    :004103D0 3B8540FBFFFF  cmp eax, dword ptr [ebp+FFFFFB40]   <--- it's where we're gonna break in
    :004103D6 0F83AD010000  jnb 00410589                        <--- jump not below if it's the wrong format
    * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
    :004103BA(C), :004103C8(C)

Step 5: Enter SoftIce by using Ctrl-D and set a breakpoint on GetWindowTextA (Bpx GetWindowTextA). Switch back to LMSoft Presenter (F5) and click Ok. Hmmm nothing happens, geez. Go back to WinIce, use bc* and set a new breakpoint on hmemcpy (Bpx hmemcpy). Press F11 to get back to the caller, then press F10 until you are in LMSoft.exe. Now clear the breakpoints and add a breakpoint on the address 4103D0 (Bpx 4103D0). Press F5 to get out of SoftIce.

Step 6: Up right of SoftIce you see SS 0087DCD0 = 032A90F5?? Well, let's see what is hidden in 32A90F5 (? 32A90F5). WHOA, our false code! Now you see it makes a comparison before a jump, so what is in EAX? (? EAX) hmmm something that could look like a valid Serial# (0053005000), so let's try it: disable the breakpoint (BD*) and press F5, now in Serial# enter the found serial. Is this working? Nah, tha bitch needs a good Key, so let's find it.

Step 7: Search for the new error message in W32Dasm, then press PgUp until you see these lines:

    :00410751 E8A3BAFFFF    call 0040C1F9          <--- call that generates the Key that matches the Serial#
    :00410756 83C40C        add esp, 0000000C      <--- Gonna break in here
    :00410759 48            dec eax
    :0041075A 740E          je 0041076A
    :0041075C 83E802        sub eax, 00000002
    :0041075F 0F84B2010000  je 00410917
    :00410765 E9C5010000    jmp 0041092F
    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    :0041075A(C)

Step 8: Now that you have the Serial#, you're just missing the Key that matches it, so put a breakpoint on 410756 (bpx 410756). Now what has changed.... let's have a look at EDX (d EDX). What do you see in the data window? A code that could look like a valid key; for me it was 3946-8351-16, so let's try it... it WORKS!!! tha fuckin' bitch is now regged.

Step 9: Use the software and remember the Serial# and the Key, which are 0053-0050-00 and 3946-8351-16 :)