HOW TO CRACK BY ESTADO+PORCINO 
 
CHAPTER V. COLOR CRACK 
- How to Crack Multimedia Builder 3.0- 
 
November 1998
 
Index 
INTRODUCTION 

FIRST LOOK 

FIRST APPROACH 

ZEN CRACK  

CRACK IN COLORS 

CONCLUSION 

 
INTRODUCTION 

Target: Multimedia Builder 3.0 
Site: www.mediachance.com 
Tool: Our beloved Sice (SoftICE) and Zen cracking.

Today is a day of Heineken, coffee from Kenya, Moskovskaya, Guinness, Mahou and women.

Well, we are back again with a new trick up our sleeve, "Crack in Color", which we will apply to our target, the excellent Multimedia Builder: a program for creating applications that combine sound, images and video. Don't miss the CD player that comes with the examples.

 
FIRST LOOK  
This programmer has really worked on it. He has closed most of the front doors to crackers, so we need to open others, like the "Crack in Color". Let's look at some of the author's talents:

- A serial number exists, which is entered through "Help\About\Register".

- When we enter a false serial number, no window appears showing an error.
So we have to discard the classic "bpx messageboxexa".

- The important strings are encrypted, so we cannot look for them with
"Search and Replace", which rules out a five-minute crack.

 
FIRST APPROACH  
Having rejected the typical attacks, we are going to enter through the classic door, following the trail of the false serial.

We enter a garbage number "12121212", jump to Sice and type 's 30:00 l ffffffff "12121212"'.
On each hit XX:xx we apply 'bpr XX:xx XX:xx+8 rw'. Once finished, we push the OK button and BOOM, we land in Sice. With F12 we arrive at the "GetWindowTextA" routine.
We skip the details of this path because they are very boring.

In the end we managed to isolate a routine that returns 0 if we are registered and 1 if we are not. We can fake it so that we appear registered. And in fact "we got it": our name appears in the registration window. But there is a surprise. If we run Project/Run, "unregistered..." appears. How is this possible?

But we ARE registered. Worse still, if we fight our way through the registration algorithm and generate a valid serial number, things do not improve. What is happening here?

ZEN CRACK 
If we have passed the registration algorithm satisfactorily, why aren't we registered??
Let's think: the only way of not being registered is that we fail some check. We know that we have passed one, so there must be another check elsewhere in the code.

This programmer has thought a little. HE SEPARATED the serial checks.
And what is even more interesting, each check analyzes different things. Thus, passing one check completely does not guarantee that the rest pass.

We know that there are at least two checks (one that we passed and another that we did not).
There must be a link between the checks: a variable that holds the serial we have entered. But there are many variants here: the first check may encrypt the serial for the second check, or modify the flag so that the second check is always false...

The question is: how do I locate the second check??
The only clue is the horrible yellow banner "..unregistered..". We could analyze all the variables that the first algorithm modifies, but that is too expensive. We must look for another way.
The only way we know that we have not passed the checks is the yellow banner.
That is the way we must attack.

The message is encrypted, so we reject that way.
The banner looks like a Label in the style of Java or Delphi, so it is not a window in its own right.
Where must we attack?

CRACK IN COLORS  
Let's think: what draws the most attention in the banner? Its yellow color.
This color must be assigned somehow. In fact the yellow seems to be the background color of the banner.
If we disassemble our target we'll see it uses the SetBkColor function.
Therefore we must locate something like "SetBkColor(Yellow)".
But how exactly is the yellow color expressed??

Normally colors are formed from a combination of the so-called "basic colors".
The usual basic colors are RGB: Red, Green and Blue. Our problem is how to express the banner's yellow in terms of RGB. Luckily our yellow is a simple combination. We can use the color list of any program to verify it. In my case I used Visual Cafe 2.5 (cracked, of course).
Entering Red=255, Green=255, Blue=0 we obtain the same yellow as the banner.

If the color had been more complex, we would capture the screen with the banner and open it in a graphics editor such as Photoshop. We select a yellow pixel from the banner and read its components in terms of Red, Green and Blue.

So we must locate something like "SetBkColor(255 255 0)". We need to know whether SetBkColor takes more parameters. Looking at the API we find:

COLORREF SetBkColor(HDC hdc,    // handle of device context  
                    COLORREF crColor    // background color value
                    );  
The COLORREF value is a 32-bit value used to specify an RGB color. 
When specifying an explicit RGB color, the COLORREF value has the following hexadecimal form: 
0x00bbggrr  
Our color is an integer and it goes as the second parameter. Since the number is stored the other way around, we must look for SetBkColor(hdc, 0000ffff). Let us dust off the Sice manuals, from which we get...

bpx setbkcolor if (*(esp+8)==0000ffff)

Let us explain a small thing that has appeared. "bpx setbkcolor" means stop when the SetBkColor routine is executed; "(*(esp+8)==0000ffff)" means only when the content at ESP+8 is 0000ffff. Remember that the parameters to functions are passed on the stack (ESP = stack pointer register):

Specifically it is ESP+8 because two dwords of 4 bytes each have been pushed on top of it:

Before the call:  ESP = base
After the call:   ESP   = return address (4-byte dword)
                  ESP+4 = HDC parameter (4-byte dword)
                  ESP+8 = second parameter (the color)
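The COLORREF packing and the ESP+8 argument position described above, as an added example (my code, not the author's and not from MediaChance or <windows.h>): a portable C re-implementation of the RGB() packing plus a simulated stdcall stack frame, showing why the breakpoint condition compares the dword 0000ffff while a byte dump at esp+8 reads FF FF 00 00. The return address and HDC values are constructed placeholders.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* COLORREF has the documented form 0x00bbggrr: red in the low byte. */
typedef uint32_t colorref_t;

/* Same packing as the Win32 RGB() macro (reimplemented so it runs anywhere). */
static colorref_t make_colorref(uint8_t r, uint8_t g, uint8_t b) {
    return (colorref_t)r | ((colorref_t)g << 8) | ((colorref_t)b << 16);
}

/* Store a 32-bit value little-endian, as an x86 PUSH does. */
static void put_le32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The 12 bytes starting at ESP on entry to SetBkColor(hdc, crColor):
 * [esp] return address, [esp+4] hdc, [esp+8] crColor. Arguments are
 * pushed right to left, so hdc is pushed last and sits nearest the return
 * address; the CALL then pushes the return address on top. */
static void build_stdcall_frame(uint8_t stack[12], uint32_t ret_addr,
                                uint32_t hdc, colorref_t cr) {
    put_le32(stack + 0, ret_addr);
    put_le32(stack + 4, hdc);
    put_le32(stack + 8, cr);
}

/* What a "bpx ... if (*(esp+8)==...)" condition compares: the dword at esp+8. */
static colorref_t second_arg(const uint8_t stack[12]) {
    return get_le32(stack + 8);
}

/* The same bytes the way a byte dump ("d esp+8") shows them, in memory order. */
static void dump_second_arg(const uint8_t stack[12], char out[12]) {
    snprintf(out, 12, "%02X %02X %02X %02X",
             stack[8], stack[9], stack[10], stack[11]);
}

int main(void) {
    uint8_t stack[12];
    char dump[12];
    /* constructed placeholder return address and HDC; yellow = RGB(255,255,0) */
    build_stdcall_frame(stack, 0x00460A00u, 0x01010203u, make_colorref(255, 255, 0));
    dump_second_arg(stack, dump);
    printf("crColor dword = %08X, bytes at esp+8 = %s\n", second_arg(stack), dump);
    return 0;
}
```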
Applying our bpx and pressing "Project/Run", BOOM, we land in Sice. To see whether we are really at the correct SetBkColor, we look at the color with "d esp+8" and change it from "FFFF00" to "FFFFFF".
We get a pretty white background color. So we have the correct call. We press F12 twice and then we see:

:460a15 cmp [ ESI+378], 43ca 

If the values are not equal we see the error message. Therefore this is the flag that controls everything. Now it is enough to see who initializes it. But this is work everybody knows how to do, so I leave it as an exercise.

Notice how the classic 1/0 flag is not used; instead an awkward value, 0x43CA. Another symptom that the author has read about cracks.

 
CONCLUSION  
We have learned a new technique: "Crack Color". It can be applied when the "unregistered" message is not a window but a string within a window.
We must find out the color that is applied to the message and set in Sice:

bpx RoutineName if (*(esp+8)==00BBGGRR)

Remember that the values for Blue (BB), Green (GG) and Red (RR) are in hex.

When we land in Sice we change the color to see if we are in the correct window. If so, look for a jump that avoids the message.

This technique is always applicable, but it is recommended when there are few colors in the window and the message stands out from the rest (quite a common situation).

A possible generalization of this technique applies to the color of the text (foreground color), the font (SetFont) and the style (italic...). Remember to make use of a good Win32 API reference.

Let us not forget the rather original protection scheme (SEPARATION OF CHECKS) that the author implemented. Really interesting.

Notes for the readers.  
1. - Messages of the type "Make me a crack for...", "Tell me how to crack...", "Tell me where I can find..." are automatically ignored. The goal of these inept articles is to teach how to crack, not to teach how to beg.

2. - I will only answer theoretical questions about cracks, giving some tips that make the work easier.

3. - Please write articles about the programs you have cracked.
What good is what you learn if you don't share it? It rots in your head, word.

4. - I haven't answered some interesting mails. My apologies.

5. - If my articles were useful to you, please send me an e-mail saying so. Thanks.

Mr_PinK & WKT (Whiskey Kon Tekila)  

We wait for your opinions, suggestions and essays in estadoporcino@hotmail.com 
Shortly we will analyze much more interesting protections. 

Remember, drink from the source and look for +ORC on the net.


This is my first translation and it really sucks!! Sorry.
I hope you could understand something. If not..... LEARN SOME SPANISH.
Mr_WhiTe

No, it does not suck...... retouched by: nIabI