Cracking Tutorial for JPEG Optimizer 1.31

Cracking Tutorial for JPEG Optimizer 1.31

Target Program:	JPEG Optimizer 1.31
Description:	JPEG Optimizer is designed to create the smallest possible JPEG image files. Savings of up to 50% in file size are possible which can considerably increase Web Page download times or save on disc space.
Location:	http://www.xat.com If you prefer a FTP-Search, look for JPGOPT13.EXE (990271 Bytes).
Protection:	Registration Code
Tools needed:	- SoftICE 3.24
Ob duh:	Do I really have to remind you all that by BUYING and NOT stealing the software you use will ensure that these software houses will continue to produce even better software for us to use and more importantly, to continue offering even more challenges to breaking their often weak protection systems. BTW, It's illegal to use cracked Software! If you're looking for cracks or serial numbers from these pages then your wasting your time, try to search elsewhere on the Web under Warez, Cracks, etc.
Info:	Brand and product names are trademarks or registered trademarks of their respective holders.
Level:	(X)Beginner ( )Intermediate ( )Advanced ( )Expert

Choose "Register", which you find in the Help menu. Then a dialog box asking for a Registration Code get's displayed. So enter "1234567890" as Registration Code and enter SoftICE (CTRL-D). Then set a BPX to HMEMCPY and exit SoftICE (CTRL-D). Now press the "OK"-Button. Now SoftICE will pop up. Press F12 (about 12 times) until you see the following code snippet:

:004277FA E82D2A0100 CALL 0043A22C ... ... ... :00427829 83F806 CMP EAX,06 :0042782C 7511 JNZ 0042783F ... ... ... :00427836 E85DCBFDFF CALL 00404398 :0042783B 84C0 TEST AL,AL :0042783D 7504 JNZ 00427843 :0042783F 33D2 XOR EDX,EDX :00427841 EB05 JMP 00427848 :00427843 BA01000000 MOV EDX,00000001 :00427848 52 PUSH EDX :00427849 FF4E1C DEC DWORD PTR [ESI+1C] :0042784C 8D45F8 LEA EAX,[EBP-08] :0042784F BA02000000 MOV EDX,00000002 :00427854 E843940100 CALL 00440C9C ... ... ... :00427917 EB16 JMP 0042792F ... ... ... :0042792A E8016A0300 CALL 0045E330

At 427829, EAX get's compared with 6. If you do a "? EAX", at this line, you'll find out, that the result is 10 - which is the length of our enterd Registration Code ("1234567890"). So press CTRL-D and reenter the Registration Code. This time use "123456".
Now at 42782C, you won't jump, since EAX, which contains the lenght of our Registration Code, is 6 now. If you trace forward through the code, you'll come accross 42783B. Here AL is checked. Well, if you have a look at 427843, EDX will be assigned the value 1, which means Registration Code is valid. So if AL is 0, you won't jump to 427843 and this means Registration Code is invalid.
Since this is the decision if we've enterd a valid Registration Code or not, we must trace the CALL before that "TEST AL,AL". So when the "CALL 00404398" is highlighted in SoftICE, press F8 to enter that CALL. Now you'll be confrontated with the following code snippet:

:00404398 55 PUSH EBP ... ... ... :004043E0 83F84A CMP EAX,4A :004043E3 0F85A6000000 JNZ 0040448F ... ... ... :00404410 83F84F CMP EAX,4F :00404413 8D45F8 LEA EAX,[EBP-08] :00404416 0F94C2 SETZ DL :00404419 83E201 AND EDX,01 :0040441C 52 PUSH EDX :0040441D BA02000000 MOV EDX,00000002 :00404422 FF4DF0 DEC DWORD PTR [EBP-10] :00404425 E872C80300 CALL 00440C9C :0040442A 59 POP ECX :0040442B 85C9 TEST ECX,ECX :0040442D 7460 JZ 0040448F ... ... ... :00404442 83FA31 CMP EDX,31 :00404445 7548 JNZ 0040448F ... ... ... :0040445A 83F836 CMP EAX,36 :0040445D 7530 JNZ 0040448F ... ... ... :00404472 83F833 CMP EAX,33 :00404475 7518 JNZ 0040448F ... ... ... :0040448A 83F838 CMP EAX,38 :0040448D 7404 JZ 00404493 :0040448F 33D2 XOR EDX,EDX :00404491 EB05 JMP 00404498 :00404493 BA01000000 MOV EDX,00000001 :00404498 52 PUSH EDX :00404499 FF4DF0 DEC DWORD PTR [EBP-10] :0040449C 8D45FC LEA EAX,[EBP-04] :0040449F BA02000000 MOV EDX,00000002 :004044A4 E8F3C70300 CALL 00440C9C :004044A9 59 POP ECX :004044AA 84C9 TEST CL,CL :004044AC 7435 JZ 004044E3 ... ... ... :004044CE C60588A9470001 MOV BYTE PTR [0047A988],01 :004044D5 B001 MOV AL,01 :004044D7 8B55D4 MOV EDX,[EBP-2C] :004044DA 64891500000000 MOV FS:[00000000],EDX :004044E1 EB13 JMP 004044F6 :004044E3 C60588A9470000 MOV BYTE PTR [0047A988],00 :004044EA 33C0 XOR EAX,EAX :004044EC 8B55D4 MOV EDX,[EBP-2C] :004044EF 64891500000000 MOV FS:[00000000],EDX :004044F6 5F POP EDI :004044F7 5E POP ESI :004044F8 5B POP EBX :004044F9 8BE5 MOV ESP,EBP :004044FB 5D POP EBP :004044FC C3 RET

At 4043E0, EAX and 4A get compared. If you do a "? EAX" and "? 4A", you'll find out that "1" and "J" get compared. Since they aren't equal, the JNZ will be executed and you'll jump to 40448F. Then AL won't be 1 and the "Valid Registration-Code-Check" at 42783B will be failed.
At 404410, EAX and 4F get compared. If you check the values of them, you'll find out that "2" and "O" get compared. Since they aren't equal, the JE will be executed and you'll jump to 40448F. Then AL won't be 1 and the "Valid Registration-Code-Check" at 42783B will be failed.
At 404442, EAX and 31 get compared. If you do a "? EAX" and "? 31", you'll find out that "3" and "1" get compared. Since they aren't equal, the JNZ will be executed and you'll jump to 40448F. Then AL won't be 1 and the "Valid Registration-Code-Check" at 42783B will be failed.
Just do the same until you reach 40448A. Here EAX and 38 get compared. If you do a "? EAX" and "? 38", you'll find out that "8" and "6" get compared. Since they aren't equal, the JZ instruction at 40448D won't be executed. The JMP 404498 will be executed. Then AL won't be 1 and the "Valid Registration-Code-Check" at 42783B will be failed.
So the valid Registration Code for JPEG Optimizer 1.31 is: 4A 4F 31 36 33 38, which is "JO1638".

Another target has been Reverse Engineered. Do you have any questions?

If you're USING JPEG Optimizer BEYOND it's FREE TRIAL PERIOD, then please BUY IT.