Target: JPEG Optimizer 4.00
T00lz: SICE, W32Dasm
Level: 1
Protection: Serial

Background:

As a member of CrEaM I thought I should take part in this cracking project, so this tute is my contribution to the first project. The project also suits me great coz it's directed at newbies, and I'm one. These are our goals as assigned by SHeeP140:

1. Find me the email address of JPEG Optimizer.
2. Tell me how many characters in a valid serial number for JPEG Optimizer.
2a. Explain how you answered question 2.
3. (BONUS) Get me a valid serial number for JPEG Optimizer.

Let's go then.

1. Find me the email address of JPEG Optimizer

Err.. since I didn't talk to SHeeP140 before this tute/crack I'm not sure if he means the e-mail provided in the "About" info or something else. But since I didn't come up with any additional e-mail addresses I'll use the one from the About box:

E-Mail: jpinfo@xat.com

I dunno if this is the right email but I'll go with this for now.

2. Tell me how many characters (there are) in a valid serial number for JPEG Optimizer
2a. Explain how you answered question 2

Heh, looks like Sheep missed some words from the sentence ;)

Fill in the reg box with some dummy info and you get "Incorrect registration.." (unless you're fucking lucky!! :)). We search for this string in W32Dasm but get no hits. So let's use Soft-Ice and place a breakpoint on hmemcpy:

BPX HMEMCPY

SICE breaks three times (press F5 3x, followed by F12 4x or so, until you see this):

:00429563 8D45EC      lea eax, dword ptr [ebp-14]        <-- you should be here
:00429566 E863320200  call 0044C7CE
:0042956B 83F808      cmp eax, 00000008                  <-- compare eax (length of your serial) with 8
:0042956E 751B        jne 0042958B                       <-- jump if not 8
:00429570 837DF800    cmp dword ptr [ebp-08], 00000000
:00429574 7405        je 0042957B
:00429576 8B55F8      mov edx, dword ptr [ebp-08]
:00429579 EB05        jmp 00429580

The program compares the length of your serial to 8, so that means the serial has to be 8 characters long. Sections 2 & 2a completed.

3. (BONUS) Get me a valid serial number for JPEG Optimizer

The last and the most "difficult" part. Finding the right serial can be tough, but luckily this program only relies on one serial (no company names or user names etc.), so we can assume the correct serial is hardcoded.

BPX 00429563 (do this if you don't want to press F5 and F12 so many times)

You'll break on the code above (I used 22446688 for my serial btw!!!):

:00429563 8D45EC      lea eax, dword ptr [ebp-14]        <-- you should be here
:00429566 E863320200  call 0044C7CE                      <-- get the length of your serial
:0042956B 83F808      cmp eax, 00000008                  <-- compare eax (the length) with 8
:0042956E 751B        jne 0042958B                       <-- jump if not 8
:00429570 837DF800    cmp dword ptr [ebp-08], 00000000   <-- confirmation
:00429574 7405        je 0042957B
:00429576 8B55F8      mov edx, dword ptr [ebp-08]
:00429579 EB05        jmp 00429580
:00429580 52          push edx                           <-- pointer to your serial in edx (you'll see it 3 times in the buffer)
:00429581 E88E0B0000  call 0042A114                      <-- call to the serial check
:00429586 59          pop ecx                            <-- balance the stack (discard the pushed arg)
:00429587 84C0        test al, al                        <-- test the result (1 for passed, 0 for failed)
:00429589 7504        jne 0042958F                       <-- al != 0 means the serial passed, so this jumps to the registered path

So the main interest is in call 0042A114; let's examine it more closely (lots of code but easy to understand):

:0042A114 55          push ebp
:0042A115 8BEC        mov ebp, esp
:0042A117 83C4F4      add esp, FFFFFFF4
:0042A11A 53          push ebx
:0042A11B 8B4508      mov eax, dword ptr [ebp+08]        <-- pointer to your serial into eax
:0042A11E 8D5DF4      lea ebx, dword ptr [ebp-0C]        <-- ebx = local buffer the serial gets copied into
:0042A121 8A10        mov dl, byte ptr [eax]             <-- move the first char of the serial to dl (2)
:0042A123 8813        mov byte ptr [ebx], dl             <-- store it in [ebx]
:0042A125 8A4801      mov cl, byte ptr [eax+01]          <-- proceed with the second (2)
:0042A128 884B01      mov byte ptr [ebx+01], cl
:0042A12B 8A5002      mov dl, byte ptr [eax+02]          <-- and the third (4)
:0042A12E 885302      mov byte ptr [ebx+02], dl
:0042A131 8A4803      mov cl, byte ptr [eax+03]          <-- fourth (4)
:0042A134 884B03      mov byte ptr [ebx+03], cl
:0042A137 8A5004      mov dl, byte ptr [eax+04]          <-- fifth (6)
:0042A13A 885304      mov byte ptr [ebx+04], dl
:0042A13D 8A4805      mov cl, byte ptr [eax+05]          <-- sixth (6)
:0042A140 884B05      mov byte ptr [ebx+05], cl
:0042A143 8A5006      mov dl, byte ptr [eax+06]          <-- seventh (8)
:0042A146 885306      mov byte ptr [ebx+06], dl
:0042A149 8A4807      mov cl, byte ptr [eax+07]          <-- eighth (8)
:0042A14C 884B07      mov byte ptr [ebx+07], cl
:0042A14F 8A4008      mov al, byte ptr [eax+08]          <-- ninth byte: any more chars? (0, the terminator)
:0042A152 884308      mov byte ptr [ebx+08], al
:0042A155 C6430900    mov [ebx+09], 00
:0042A159 0FBE03      movsx eax, byte ptr [ebx]          <-- the first char
:0042A15C 50          push eax                           <-- push it on the stack
:0042A15D E8228C0400  call 00472D84
:0042A162 59          pop ecx                            <-- balance the stack
:0042A163 83F84A      cmp eax, 0000004A                  <-- compare 2 (32h) to J (4Ah)
:0042A166 7559        jne 0042A1C1                       <-- jump if they don't match, beggar off cracka
:0042A168 0FBE5301    movsx edx, byte ptr [ebx+01]       <-- continue with the next char
:0042A16C 52          push edx                           <-- push it on the stack
:0042A16D E8128C0400  call 00472D84
:0042A172 59          pop ecx
:0042A173 83F853      cmp eax, 00000053                  <-- compare 2 to S (53h)
:0042A176 7549        jne 0042A1C1                       <-- if they don't match, go away
:0042A178 0FBE4B02    movsx ecx, byte ptr [ebx+02]       <-- go on with the next char
:0042A17C 83F924      cmp ecx, 00000024                  <-- compare to $ (24h)
:0042A17F 7540        jne 0042A1C1                       <-- go away
:0042A181 0FBE4303    movsx eax, byte ptr [ebx+03]
:0042A185 83F832      cmp eax, 00000032                  <-- compare to 2 (32h)
:0042A188 7537        jne 0042A1C1                       <-- etc...
:0042A18A 0FBE5304    movsx edx, byte ptr [ebx+04]
:0042A18E 83FA38      cmp edx, 00000038                  <-- 8
:0042A191 752E        jne 0042A1C1
:0042A193 0FBE4B05    movsx ecx, byte ptr [ebx+05]
:0042A197 83F939      cmp ecx, 00000039                  <-- 9
:0042A19A 7525        jne 0042A1C1
:0042A19C 0FBE4306    movsx eax, byte ptr [ebx+06]
:0042A1A0 83F832      cmp eax, 00000032                  <-- 2
:0042A1A3 751C        jne 0042A1C1
:0042A1A5 0FBE5307    movsx edx, byte ptr [ebx+07]
:0042A1A9 83FA31      cmp edx, 00000031                  <-- 1
:0042A1AC 7513        jne 0042A1C1
:0042A1AE C70554A448001443FC69  mov dword ptr [0048A454], 69FC4314
:0042A1B8 E8CFA7FDFF  call 0040498C                      <-- I didn't trace it so I dunno what it does
:0042A1BD B001        mov al, 01                         <-- move the "registered" flag to al
:0042A1BF EB1B        jmp 0042A1DC                       <-- exit from the routine

You should be able to find your serial based on the code above..

Final notes:

Indeed a very good practice for newbies and myself (coz I'm a newbie goddammit!!). I must express my gratitude to SHeeP140 for this excellent app he picked for us. Thx mate :) It suits a project like this awesomely. The registration routine was fairly easy to understand and shouldn't be any problem for anyone to follow. In fact (like I said) you could've done this crack with just W32Dasm (hardcoded serial..) by just finding the right place... though that could've proved fairly hard without SICE :) But we're done with this one now.. let's see what Project 2 brings along..

-C_DKnight

Greetings: AB4DS, r!SC, Dead-Mike, NrOC, Warezpup, Hutch, [yAtEs], [E_BLiss], [LaZaRuS], Doufas, SeKt0r, nchanta, Icecream, |Xmen|, LordOfLA, F0dder, Predator, aCiDHaC, ACiD BuRN, X-Calibre, DnNuke, noos, nu, Thesmurf, defiler, Sinn0r, ^tCM^, Norika, cTT, Weazel, MisterE, Dawai, RevX, Maybird, BlackB, FireWorx, SheeP140, extasy_, KaOsAuS, _zoltan, Torn@do, ByteBurn, Miscreant, croc, Br4t, [ViKiNg], N|Te and the rest of you guys & gals I forgot.

Should you have any comments or just some bla bla you can reach me at:
1. c_dknight@iobox.com
2. IRC, efnet -> #cracking4newbies
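What the registration routine in this tute actually enforces, modelled in Python as an added example (it is not code from the tute or from JPEG Optimizer; the serial "EXAMPLE1", the digest derivation and every function name are constructed assumptions): a length gate followed by one immediate compare per character, placed beside a variant that embeds only a digest of the serial and compares in constant time. The third function checks whether the plaintext serial can be read straight out of a function's compiled constants, which is the Python stand-in for reading the cmp immediates off the disassembly above.

```python
import hashlib
import hmac

# Constructed placeholder for this example; it is NOT the program's serial.
EXAMPLE_SERIAL = "EXAMPLE1"


def check_serial_hardcoded(serial: str) -> bool:
    """Same shape as the routine in the tute: reject on length first, then
    compare one character at a time against a literal and bail at the first
    mismatch.  The literal sits in the function's own constants, exactly like
    the cmp immediates sit in the binary, so a disassembler hands it over."""
    expected = "EXAMPLE1"          # constructed; stands in for the cmp immediates
    if len(serial) != 8:           # cmp eax, 8 / jne
        return False
    for i in range(8):             # one cmp/jne pair per character
        if serial[i] != expected[i]:
            return False
    return True                    # mov al, 1


# In a shipped build only these digest bytes would be compiled in.  They are
# derived at import time here so the example runs offline without a
# pre-computed constant (assumption made for the example).
_SERIAL_DIGEST = hashlib.sha256(EXAMPLE_SERIAL.encode()).hexdigest()


def check_serial_hashed(serial: str) -> bool:
    """Hardened variant: the binary carries a SHA-256 digest, not the serial.
    Someone reading the constants learns the digest, not the 8 characters,
    and compare_digest avoids leaking the position of the first mismatch
    through timing.  The branch on the result is of course still there; a
    digest only removes the 'read it out of the disassembly' shortcut."""
    candidate = hashlib.sha256(serial.encode()).hexdigest()
    return hmac.compare_digest(candidate, _SERIAL_DIGEST)


def plaintext_in_code(func, secret: str) -> bool:
    """Does `secret` appear verbatim among the constants the function compiles
    to, or in the module globals it references?  Python analogue of scanning
    the immediates and data references of the routine in the disassembly."""
    code = func.__code__
    values = list(code.co_consts)
    values += [func.__globals__.get(name) for name in code.co_names]
    return any(isinstance(v, str) and secret in v for v in values)


if __name__ == "__main__":
    for fn in (check_serial_hardcoded, check_serial_hashed):
        print(fn.__name__,
              "accepts:", fn(EXAMPLE_SERIAL),
              "rejects wrong length:", fn("EXAMPLE"),
              "serial visible in code:", plaintext_in_code(fn, EXAMPLE_SERIAL))
```

The weak checker fails the same way the tute's routine does: every byte of the secret is a literal in the code, and the length test runs before anything else, so the structure alone tells you the key is 8 characters. The hashed checker keeps the branch (and so the patchable `test al, al` / `jne` equivalent) but gives a static reader only a digest to look at, which is why real licence schemes go a step further and verify signed licence data rather than a stored value.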