.---.        .---.                                                                 .----------.
 |    \      /    |    .-.                                                          |          |
 |  |\ \    / /|  |    | |    .--------.   .-----------.  .---------.  .-------.    |  .-------'
 |  | \ \  / / |  |    `-'    | .------'   `----. .----'  | .-------'  | ,---. |    |  | 
 |  |  \ \/ /  |  |    .-.    | |               | |       | |          | |   | |    |  `----.
 |  |   \__/   |  |    | |    \ \               | |       | `----.     | `---' |    |  ,----'
 |  |          |  |    | |     \ `-----.        | |       | ,----'     |  .---'     |  |
 |  |          |  |    | |      `----. |        | |       | |          | , \        |  |
 |  |          |  |    | |           | |        | |       | |          | |\ \       |  |
 |  |          |  |    | |           | |        | |       | |          | | \ \      |  '-------.
 |  |          |  |    | |    .------' |        | |       | '------.   | |  \ \     |          |
 `--'          `--'    `-'    `--------'        `-'       `--------'   `-'   `-'    `----------'


                                  .----------------------. 
                      .-----------|   Proudly Presents   |-----------.
       .--------------+----------------------------------------------+--------------.
       |                            A cracking tutor for:                           |
       |                              Sticky Notes V1.5                             |
       `----------------------------------------------------------------------------'


This is a VERY EASY target, you should be able to crack it on your own, even if you are a newbie.
The tutor will be rather short, 'cause one could hardly speak of protection.
I'll show you how to get the right serial number and how to patch the program.


Target: Sticky Notes V1.5  (195 kB zipped)
Where to get the stuff: http://www.city-europeonline.com/cyberhome/frankschroeder/frameset.htm

Programs I have used:

- SoftIce V3.2
- Sticky Notes V1.5

.-----------------------------------------------------------------------------------------------.
`-----------------------------------------------------------------------------------------------'

Getting started:

First thing to do when you want to crack with softice (when dealing with s/n):

To place a breakpoint on an API, type: BPX "API"
Place a breakpoint on the following APIs:
getwindowtexta     <= 32 bit
getwindowtext      <= 16 bit
getdlgitemtexta    <= 32 bit
getdlgitemtext     <= 16 bit

the "a" on the end means that the API is 32 bit.

Fire Sticky Notes, and enter "123454" as your serial number.
When you press the OK button, you'll be kicked back into SoftIce. Press F11 or type P RET.

You will end up here:

:00424C31 50                      push eax
:00424C32 56                      push esi
:00424C33 FF1548D94300            Call [USER32!GetWindowTextA]
:00424C39 6AFF                    push FF                        <= you are here
:00424C3B 8B4D10                  mov ecx, [ebp+10]


OK, let's search for our code, we do this by typing:

s 0 l ffffffff "123454"      or
s ds:0 l ffffffff "123454"

Press "s" to continue to search.

These memory addresses contained my string:
"6906b8"  and    "812c52d2"

You are likely to find other addresses, just continue my tutor using your addresses instead.

Now we place a breakpoint on these addresses, we do this by typing:
BPM 6906b8
BPM 812c52d2

Continue running the program by pressing CONTROL D

BLAM, again we get kicked back into softice.

The code should look like this:

:00409AEC F2AE                    repnz scasb        \
:00409AEE F7D1                    not ecx            | Get the length of the entered s/n (123454)
:00409AF0 49                      dec ecx            /
:00409AF1 B801000000              mov eax, 00000001     <= ??
:00409AF6 83F90C                    cmp ecx, 0000000C     <= is the entered s/n 12 characters long?
:00409AF9 7402                    je 00409AFD           <= if so jump to 409AFD
:00409AFB 33C0                    xor eax, eax          <= if not, ???
:00409AFD 5F                      pop edi               \
:00409AFE C20400                  ret 0004              /  Continue program

Hmm, the program checks if the s/n is 12 characters long. Let's disable all our breakpoints and
enter a 12 character long serial number.

To disable all your breakpoints type:

BD *

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!                                                                                             !!
!!  When you have entered the s/n the programs says "Sticky Notes is now registered"           !!
!!  HUH, could this really be? Does Sticky Notes accept EVERY 12 char long s/n?                !!
!!                                                                                             !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

The answer is YES, who could ever think that such "protection" exists?
I'll give you a full explanation of the protection scheme:

:00409AEC F2AE                    repnz scasb        \
:00409AEE F7D1                    not ecx            | Get the length of the entered s/n (123454)
:00409AF0 49                      dec ecx            /
:00409AF1 B801000000              mov eax, 00000001     <= set registered flag
:00409AF6 83F90C                    cmp ecx, 0000000C     <= is the entered s/n 12 characters long?
:00409AF9 7402                    je 00409AFD           <= if so jump to 409AFD
:00409AFB 33C0                    xor eax, eax          <= if not, clear registered flag
:00409AFD 5F                      pop edi               \
:00409AFE C20400                  ret 0004              /  Continue program
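
To make the routine above concrete, here is a C model of it (an added example, not code from
Sticky Notes): it emulates the repnz scasb / not ecx / dec ecx length idiom with 32-bit register
arithmetic and then applies the flag logic. It assumes, since the listing does not show the
preamble, that the compiler preloaded ecx with 0xFFFFFFFF, al with 0 and edi with the address of
the entered serial.

```c
#include <stdint.h>

/* Emulation of the length idiom at 00409AEC-00409AF0.
 * Assumption (not shown in the listing): ecx = 0xFFFFFFFF, al = 0, edi = serial. */
uint32_t scasb_strlen(const char *edi)
{
    uint32_t ecx = 0xFFFFFFFFu;          /* "maximum" byte count */
    const uint8_t al = 0;                /* we scan for the terminating NUL */
    /* repnz scasb: compare al with [edi], advance edi, decrement ecx,
       repeat while ecx != 0 and the bytes differ.  The NUL terminator is
       consumed too, so ecx ends at 0xFFFFFFFF - (len + 1). */
    for (;;) {
        uint8_t b = (uint8_t)*edi++;
        ecx--;
        if (ecx == 0 || b == al)
            break;
    }
    ecx = ~ecx;                          /* not ecx -> len + 1 */
    ecx -= 1;                            /* dec ecx -> len     */
    return ecx;
}

/* The check at 00409AF1-00409AFE: eax is the registered flag returned to the caller. */
uint32_t sticky_notes_check(const char *serial)
{
    uint32_t ecx = scasb_strlen(serial); /* length of the entered s/n */
    uint32_t eax = 1;                    /* mov eax, 1 : assume registered */
    if (ecx != 0x0C)                     /* cmp ecx, 0C / je 00409AFD */
        eax = 0;                         /* xor eax, eax : clear registered flag */
    return eax;                          /* ret 0004 */
}
```

Any 12-byte string, whatever its contents, makes the function return 1, which is exactly the
weakness the tutor describes.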

You could write a patch to let the program accept every s/n, there are several ways to do this:

1st method:  change

:00409AF9 7402                    je 00409AFD 
to
:00409AF9 7502                    jne 00409AFD 
Now the program will always register itself.


2nd method: change

:00409AFB 33C0                    xor eax, eax          <= clear registered flag 
to 
:00409AFB 90                      nop
:00409AFC 90                      nop

Now the register flag will always be set.


Of course you could also write a keygen, which produces a random 12 char s/n to show all your
friends how great you are. But better not let them see the source. ;))


.-----------------------------------------------------------------------------------------------.
`-----------------------------------------------------------------------------------------------'


Well, I hope you learned SOMETHING from this tutor.

If you have any comments, questions, or whatever, mail me at MisterE@freemail.nl

OR

look for me at EFNET => #cracking4newbies or #cracking


.-----------------------------------------------------------------------------------------------.
`-----------------------------------------------------------------------------------------------'