-----------------------------------------------
How to find a serial in JPEG Optimizer 4.00
-----------------------------------------------

Cracker: stealthFIGHTER
Target:  JPEG Optimizer 4.0
Tools:   W32DASM, Brain
Where:   http://www.xat.com

Sorry for my English, it's not my mother language.

-------
Step 1:
-------

Run JPEG Opt., go to About, Registration, and enter any serial. Some bullshit pops up in a nag.

-------
Step 2:
-------

Run W32DASM and disassemble jpegopt.exe. Open the SDR (String Data References) window, click the nag string (Nag16) and double-click on it. If you double-click on it more times you will find the next 3 strings. So go to the last string (double-click on it 8 times) and you should be here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404782(U)
|
:004047A5 66C78568FFFFFF6401      mov word ptr [ebp+FFFFFF68], 0164

* Possible StringData Ref from Data Obj ->"Nag16"
|
:004047AE BA45C64700              mov edx, 0047C645
:004047B3 8D4580                  lea eax, dword ptr [ebp-80]
:004047B6 E8597B0400              call 0044C314
:004047BB FF8574FFFFFF            inc dword ptr [ebp+FFFFFF74]
:004047C1 8B10                    mov edx, dword ptr [eax]
:004047C3 8B8D50FFFFFF            mov ecx, dword ptr [ebp+FFFFFF50]
:004047C9 41                      inc ecx
:004047CA 8B8554FFFFFF            mov eax, dword ptr [ebp+FFFFFF54]
:004047D0 8B8008030000            mov eax, dword ptr [eax+00000308]
:004047D6 E889A50500              call 0045ED64
:004047DB FF8D74FFFFFF            dec dword ptr [ebp+FFFFFF74]
:004047E1 8D4580                  lea eax, dword ptr [ebp-80]
:004047E4 BA02000000              mov edx, 00000002
:004047E9 E8867D0400              call 0044C574
:004047EE 837DF400                cmp dword ptr [ebp-0C], 00000000
:004047F2 7405                    je 004047F9
:004047F4 8B4DF4                  mov ecx, dword ptr [ebp-0C]
:004047F7 EB05                    jmp 004047FE

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004047F2(C)
|
:004047F9 B94BC64700              mov ecx, 0047C64B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004047F7(U)
|
:004047FE 51                      push ecx
:004047FF E810590200              call 0042A114          <------------ here is the call
:00404804 59                      pop ecx
:00404805 84C0                    test al, al            <------------ compare
:00404807 7533                    jne 0040483C           <------------ bad boy
:00404809 6A00                    push 00000000
:0040480B E884270700              call 00476F94
:00404810 59                      pop ecx
:00404811 8BF0                    mov esi, eax
:00404813 8BC6                    mov eax, esi
:00404815 2B854CFFFFFF            sub eax, dword ptr [ebp+FFFFFF4C]
:0040481B B980510100              mov ecx, 00015180
:00404820 99                      cdq
:00404821 F7F9                    idiv ecx
:00404823 83F81E                  cmp eax, 0000001E
:00404826 7E14                    jle 0040483C
:00404828 898544FFFFFF            mov dword ptr [ebp+FFFFFF44], eax
:0040482E C60530A4480001          mov byte ptr [0048A430], 01
:00404835 C68548FFFFFF00          mov byte ptr [ebp+FFFFFF48], 00

-------
Step 3:
-------

Look at this line and execute it:

:004047FF E810590200              call 0042A114          <------ our call

You should be here:

* Referenced by a CALL at Addresses:
|:004047FF   , :00429581
|
:0042A114 55                      push ebp
:0042A115 8BEC                    mov ebp, esp
:0042A117 83C4F4                  add esp, FFFFFFF4
:0042A11A 53                      push ebx
:0042A11B 8B4508                  mov eax, dword ptr [ebp+08]
:0042A11E 8D5DF4                  lea ebx, dword ptr [ebp-0C]
:0042A121 8A10                    mov dl, byte ptr [eax]
:0042A123 8813                    mov byte ptr [ebx], dl
:0042A125 8A4801                  mov cl, byte ptr [eax+01]
:0042A128 884B01                  mov byte ptr [ebx+01], cl
:0042A12B 8A5002                  mov dl, byte ptr [eax+02]
:0042A12E 885302                  mov byte ptr [ebx+02], dl
:0042A131 8A4803                  mov cl, byte ptr [eax+03]
:0042A134 884B03                  mov byte ptr [ebx+03], cl
:0042A137 8A5004                  mov dl, byte ptr [eax+04]
:0042A13A 885304                  mov byte ptr [ebx+04], dl
:0042A13D 8A4805                  mov cl, byte ptr [eax+05]
:0042A140 884B05                  mov byte ptr [ebx+05], cl
:0042A143 8A5006                  mov dl, byte ptr [eax+06]
:0042A146 885306                  mov byte ptr [ebx+06], dl
:0042A149 8A4807                  mov cl, byte ptr [eax+07]
:0042A14C 884B07                  mov byte ptr [ebx+07], cl
:0042A14F 8A4008                  mov al, byte ptr [eax+08]
:0042A152 884308                  mov byte ptr [ebx+08], al
:0042A155 C6430900                mov [ebx+09], 00
:0042A159 0FBE03                  movsx eax, byte ptr [ebx]
:0042A15C 50                      push eax
:0042A15D E8228C0400              call 00472D84
:0042A162 59                      pop ecx
:0042A163 83F84A                  cmp eax, 0000004A      <--- first cmp
:0042A166 7559                    jne 0042A1C1
:0042A168 0FBE5301                movsx edx, byte ptr [ebx+01]
:0042A16C 52                      push edx
:0042A16D E8128C0400              call 00472D84
:0042A172 59                      pop ecx
:0042A173 83F853                  cmp eax, 00000053      <--- second cmp
:0042A176 7549                    jne 0042A1C1
:0042A178 0FBE4B02                movsx ecx, byte ptr [ebx+02]
:0042A17C 83F924                  cmp ecx, 00000024      <--- third cmp
:0042A17F 7540                    jne 0042A1C1
:0042A181 0FBE4303                movsx eax, byte ptr [ebx+03]
:0042A185 83F832                  cmp eax, 00000032      <--- fourth cmp
:0042A188 7537                    jne 0042A1C1
:0042A18A 0FBE5304                movsx edx, byte ptr [ebx+04]
:0042A18E 83FA38                  cmp edx, 00000038      <--- fifth cmp
:0042A191 752E                    jne 0042A1C1
:0042A193 0FBE4B05                movsx ecx, byte ptr [ebx+05]
:0042A197 83F939                  cmp ecx, 00000039      <--- sixth cmp
:0042A19A 7525                    jne 0042A1C1
:0042A19C 0FBE4306                movsx eax, byte ptr [ebx+06]
:0042A1A0 83F832                  cmp eax, 00000032      <--- seventh cmp
:0042A1A3 751C                    jne 0042A1C1
:0042A1A5 0FBE5307                movsx edx, byte ptr [ebx+07]
:0042A1A9 83FA31                  cmp edx, 00000031      <--- last cmp
:0042A1AC 7513                    jne 0042A1C1
:0042A1AE C70554A448001443FC69    mov dword ptr [0048A454], 69FC4314
:0042A1B8 E8CFA7FDFF              call 0040498C
:0042A1BD B001                    mov al, 01
:0042A1BF EB1B                    jmp 0042A1DC

-------
Step 4:
-------

If you look at these compares, you will see something interesting:

cmp eax, 0000004A      <--- first character of the serial:   J
cmp eax, 00000053      <--- second character of the serial:  S
cmp ecx, 00000024      <--- third character of the serial:   $
cmp eax, 00000032      <--- fourth character of the serial:  2
cmp edx, 00000038      <--- fifth character of the serial:   8
cmp ecx, 00000039      <--- sixth character of the serial:   9
cmp eax, 00000032      <--- seventh character of the serial: 2
cmp edx, 00000031      <--- last character of the serial:    1

Run JPEG Opt., go to Help, Register, and enter JS$28921

*** we are registered ***

---------------------------------------
If I made a mistake, please e-mail me at: stealthfighter@another.com
---------------------------------------
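The routine in Step 3 validates the serial by copying nine bytes of the entry into a stack buffer and comparing eight of them, one position at a time, against literal constants, which is exactly why the serial can be read straight out of the cmp immediates. The Python below is an added example, not the author's or the product's code: it puts that pattern next to the design a defender would want, where the binary carries only a salted digest of the serial and the comparison is done in constant time. The serial "AB$12345", the salt and the iteration count are constructed placeholders; treating the call made before the first two compares as a case-fold is an assumption about the listing, not something the page states. The example also shows a consequence the listing implies but the text does not spell out: since only eight bytes are ever compared, anything typed after them is ignored by the hardcoded check, while the digest check covers the whole string.

```python
"""Hardcoded per-character serial check (the pattern in the listing) next to a
digest-based check. Added example; all values below are constructed."""
import hashlib
import hmac

# Constructed placeholder serial for this example, NOT the product's serial.
PLAIN_SERIAL = "AB$12345"


def check_serial_hardcoded(entered: str) -> bool:
    """Mirrors the shape of the routine at 0042A114: copy the first nine bytes
    into a fixed buffer, then compare eight positions against literal constants.
    Every one of those constants ends up as a cmp immediate in the binary."""
    buf = entered[:9]                       # nine bytes copied, like [ebx+00..08]
    if len(buf) < len(PLAIN_SERIAL):
        return False
    for pos, expected in enumerate(PLAIN_SERIAL):
        ch = buf[pos]
        if pos < 2:
            # Assumption: the call before the first two compares folds case.
            ch = ch.upper()
        if ch != expected:                  # one cmp / jne per position
            return False
    return True                             # mov al, 01


# Constructed salt; a real build would use a per-product random value.
SERIAL_SALT = b"example-salt-not-real"
PBKDF2_ITERATIONS = 200_000


def serial_digest(serial: str) -> bytes:
    """Salted, iterated digest of a serial string."""
    return hashlib.pbkdf2_hmac("sha256", serial.encode("utf-8"),
                               SERIAL_SALT, PBKDF2_ITERATIONS)


# Computed at import only so this example is self-contained. A shipped binary
# would embed this digest and never contain PLAIN_SERIAL itself.
STORED_DIGEST = serial_digest(PLAIN_SERIAL)


def check_serial_digest(entered: str) -> bool:
    """Hardened form: hash the whole entry and compare digests in constant time.
    Disassembling this leaves only the digest and salt, not the serial."""
    return hmac.compare_digest(serial_digest(entered), STORED_DIGEST)


if __name__ == "__main__":
    for candidate in ("AB$12345", "ab$12345", "AB$12345xyz", "AB$12346"):
        print(f"{candidate!r:16} hardcoded={check_serial_hardcoded(candidate)!s:5} "
              f"digest={check_serial_digest(candidate)}")
```

The digest version is not about making the serial impossible to bypass (the caller's test al, al / jne is still a single branch), but it removes the key material from the binary, which is the weakness this tutorial exploits.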