Name     : Free2Fax
Version  : 1.00.03
Editor   : Answers 2000
Target   : free2fax.exe
Tools    : W32Dasm 8.93
           Hacker's View 6.01
           Hex Workshop 2.54 or other hex calculator
           Brain
Cracker  : LW2000
Tutorial : No.3

http://www.wildcomputer.com/free2fax/

---
DISCLAIMER
For educational purposes only!
I hold no responsibility for the misuse of this material!
---

Well, this is my third tutorial *ever*. Please excuse my poor English, it's not my mother language....

1. Load free2fax when you are NOT connected to the internet. *BOOM*

"free2fax needs to download the advertising data (adverts are placed on the top of faxes sent using the unregistered version of free2fax) from the Internet before it can be used."

Hey, what's this, we should download advertising? Nope! Press No! *BOOM*

"free2fax is now exiting. When you are ready to download the advertising data please re-start freefax"

Exit free2fax and copy free2fax.exe to backup.exe.

2. mhmm, let's try to crack this bitch of a program. Load W32Dasm with free2fax.exe, click the SDR button, and search for "free2fax needs to download the ". Close the SDR window. You get this:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00418164(U)
|
:0041816B 85C0                    test eax, eax
:0041816D 0F84D40D0000            je 00418F47         <-- Here is the check whether it was already downloaded!
:00418173 6A00                    push 00000000
:00418175 6A24                    push 00000024

* Possible StringData Ref from Data Obj ->"free2fax needs to download the "
                                        ->"advertising data (adverts are "
                                        ->"placed on the top of faxes sent "
                                        ->"using the unregistered version "
                                        ->"of free2fax) from the Internet "
                                        ->"before it can be used."

3. Ok, let's change this. Place the bar at :0041816D 0F84D40D0000 je 00418F47. In the status bar you get the offset 1756Dh. The h is for hex, forget it, our offset is 1756D. Quit W32Dasm and load hiew with free2fax.exe. Press Enter twice to go to decode mode. Press F5 to go to code location 1756D. Press F3 to edit the file and change the 84 to 85; this turns je into jne. Press F9 to update and F10 to quit.

4. Start free2fax again. Mhmm, some message boxes, ignore them, go to options, register. Enter your registration password, ok, let's try LW2000. Mhmm, letters don't work, we get 2000, ok, let's try 2000 out. Press ok. We see a new message box with "Invalid Registration Password". OK, let's exit free2fax and load W32Dasm with free2fax.exe.

5. Click the SDR button and search for "Invalid Registration Password". We find this string three times. Let's look at the first:

:00417CBE 8378F809                cmp dword ptr [eax-08], 00000009
:00417CC2 7430                    je 00417CF4         <- let's go there and take a look
:00417CC4 8B442420                mov eax, dword ptr [esp+20]
:00417CC8 85C0                    test eax, eax
:00417CCA 740E                    je 00417CDA
:00417CCC 6A00                    push 00000000
:00417CCE 6A30                    push 00000030

* Possible StringData Ref from Data Obj ->"Invalid Registration Password"

6. Go to the code location 00417CF4.

:00417CF4 50                      push eax
:00417CF5 E816640000              call 0041E110
:00417CFA 8BF0                    mov esi, eax
:00417CFC 83C404                  add esp, 00000004
:00417CFF 81FED323FD26            cmp esi, 26FD23D3   <<-- mhhm, very interesting...
:00417D05 0F8429010000            je 00417E34         <- good boy
:00417D0B 81FECB4EFD26            cmp esi, 26FD4ECB   <<-- mhhm, very interesting...
:00417D11 0F841D010000            je 00417E34         <- good boy
:00417D17 81FEC379FD26            cmp esi, 26FD79C3   <<-- mhhm, very interesting...
:00417D1D 0F8411010000            je 00417E34         <- good boy
:00417D23 85F6                    test esi, esi
:00417D25 7F30                    jg 00417D57         <- bad boy
:00417D27 8B442420                mov eax, dword ptr [esp+20]
:00417D2B 85C0                    test eax, eax
:00417D2D 740E                    je 00417D3D
:00417D2F 6A00                    push 00000000
:00417D31 6A30                    push 00000030

* Possible StringData Ref from Data Obj ->"Invalid Registration Password"   <- The second string

7.

:00417CFA 8BF0                    mov esi, eax
:00417CFC 83C404                  add esp, 00000004
:00417CFF 81FED323FD26            cmp esi, 26FD23D3   <<-- mhhm, very interesting...
:00417D05 0F8429010000            je 00417E34         <- good boy

Ok, what does this mean? The program copies eax into esi (the source index register). It adds 4 to the stack pointer and then it compares our code with the correct code!!! 26FD23D3 is the hex value for the serial. Let's convert it to decimal, remembering that we found out the program accepts only numbers as a serial. Ok, start Hex Workshop. Click on Tools, Calculator. Insert our hex value and click on decimal. We get 654123987. Our correct serial.

8. Load up free2fax. Go to the registration dialog. Insert 654123987 and press ok.

"Registration Accepted - Thankyou"

Congratulations! You are a registered user! You already checked it, didn't you? 26FD4ECB and 26FD79C3 are two more hex values for serial numbers.

FINISH! Easy, isn't it?

cu LW2000

Any comments? Mail me LW2000@gmx.net !!!

----
I'd like to thank tKC for his tutors! I started with tutor 1 and I still read them... they are the best!
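
The one-byte change in step 3 (0F 84 to 0F 85) is exactly what a comparison against a known-good copy of the binary will surface. The following is an added example, not part of the original tutorial: the function names are hypothetical, and the sample bytes are constructed from the step 2 listing, with the base offset 1756Bh assumed from the 1756D offset given in step 3.

```python
# Added example (not from the tutorial): compare a known-good copy of a binary
# with a suspect copy and flag changed bytes that invert an x86 conditional jump.

def inverted_jcc(orig: bytes, suspect: bytes, i: int):
    """Classify the change at index i as a flipped Jcc condition, else None.

    Heuristic on raw bytes (no disassembly), so a hit means "inspect this",
    not proof. Jcc opcode pairs (je/jne, jg/jle, ...) differ only in bit 0.
    """
    a, b = orig[i], suspect[i]
    if a ^ b != 0x01:
        return None
    if 0x80 <= a <= 0x8F and i > 0 and orig[i - 1] == suspect[i - 1] == 0x0F:
        return "near"            # 0F 8x rel32, e.g. 0F 84 = je, 0F 85 = jne
    if 0x70 <= a <= 0x7F:
        return "short"           # 7x rel8, e.g. 74 = je, 75 = jne
    return None


def diff_report(orig: bytes, suspect: bytes, base_offset: int = 0):
    """Return [(file_offset, old_byte, new_byte, jcc_kind_or_None), ...]."""
    if len(orig) != len(suspect):
        raise ValueError("size mismatch: file was rebuilt or padded, not patched in place")
    return [
        (base_offset + i, a, b, inverted_jcc(orig, suspect, i))
        for i, (a, b) in enumerate(zip(orig, suspect))
        if a != b
    ]


# Constructed sample: the bytes listed in step 2, starting at the
# "test eax, eax" two bytes before the offset 1756D given in step 3 (assumed).
BASE = 0x1756B
GOOD = bytes.fromhex("85C0" "0F84D40D0000" "6A00" "6A24")
SUSPECT = bytes.fromhex("85C0" "0F85D40D0000" "6A00" "6A24")

if __name__ == "__main__":
    for off, old, new, kind in diff_report(GOOD, SUSPECT, BASE):
        note = f"inverted {kind} conditional jump" if kind else "other change"
        print(f"offset {off:05X}h: {old:02X} -> {new:02X}  ({note})")
```

The reported offset is 1756Eh rather than 1756Dh because the 84 is the second byte of the instruction that starts at 1756D.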