how 2 crack

ClipMate v5.0

by seneca of stoicForce

newbie-information

there are actually two tutorials on Clipmate 5.0 by stoicForce - the one you're reading now targets on complete newbies. i'll put a lot of useful background-information in here, the cracking of Clipmate is just a kind of - uhm - side-effect. ;)
the second tutorial was written by Ignatz and shows you the 'slightly advandced techniques' of creating a key-generator for the prog.

if you've ever cracked some serial-protection all by yourself you're completely wrong in here (go read ignatz's tut instead). if not, it'd be a good idea to read this tut first to familiarize yourself with the target and move on to the second tut afterwards.


foreword

hi guys and girls, believe it or not, i'm writing my 2nd tutorial... a few days have passed since i wrote my first one, and you know what? i learned a lot meanwhile. i'm telling you this because i guess starting to crack can be - uhm - kinda depressive sometimes. if you don't think so, just skip the next paragraph. ;)

yep, i have to admit that i was quite happy when i cracked Xara3D (my first crack ever - see tutorial 1) coz i thought "allright, it's easy, what the heck is the fuss all about?"
man, was i wrong. i started to download one shareware-piece after the other and failed to crack 'em. failed badly. i soon decided to do what i've should done all the time. i decided to learn. and to read... to read great tutorials, just like this one ;).
so if you think you're stuck in cracking something, don't give up, just forget it for a while and read some more tutorials and then try it again and be successful.
ok, enough with the babbling already, let's get to work.

i'll try to put things as clearly as i can for you and i'll try to explain what we're doing instead of just telling you which byte to patch, allright? here we go...


brain and tools, once again

we will need a few things to complete this crack:

WDasm32 by URSoftware THE Disassembler. try to get version 8.9 or above
Hiew by SEN 'Hacker's View' - get this one from our site's tools-section
Clipmate version 5.0 the software we'd like to - uhm - evaluate a little bit longer...
a glas of barcadi and some cigarettes this is essential! (really)


it's ok if you have absolutely no idea what WDasm32 is and what Hiew does, i'll explain this later.
just be sure you download and install these tools - don't read on before you haven't.


get going...

now start up Clipmate and - doh! - the first thing those guys from thornsoft give us is nothing else than a dumb first-time-nag-screen. read the text on the nag carefully: it says that you may enter a registration key to turn Clipmate into a fully functional, licensed program. aha. looks like everything depends on this key, right?

now click on Enter Registration Key, 'cause we'll try our luck. a new page pops up. allright, they want us to enter our name and the mentionned key which are some kind of magically linked to each other. every name has a corresponding number and vice versa. that's how they proof if we actually bought the key or if we're just trying to enter bogus data. to be even more exact - the registration process works as follows: you give thornsoft some money and your name, and they give you the key corresponding to your name for it. if the program can validate the key you entered, it'll unlock itself and stops displaying the nags etc.

now let's put it all together: how can thornsoft give you a key the program won't reject? easy: they push your name through some crazy functions and get a unique key in return. if you give your name to Clipmate it pushes it through exactly the same crazy functions and secretly compares the generated key to the one you enter. if they match, you're in, if not then ... well, guess. ;)

pretty simple so far, huh?

allright, you didn't close the registration-dialog, did you? now click on Validate Key because we want to find out who Clipmate tells us that our key was wrong. There is a problem with the 2nd or 3rd digit. aha. that's strange. that's not really what we expected.
ok, they didn't accept NO key as a valid one, that's allright, but nevertheless, the message the give us is kinda strange. anyway, try to enter any bogus data now and click on Validate Key again. now look at this: This Is An Invalid Name/Number Combination. that's more like it.
write down the two messages you got and light another cigarette before you continue. ;)

we're going to set up a strategy now. it's alway good to disassemble the target-program and to look around a bit in its source, but unfortunatelly we can't always do this. i said it in my 1st tut and i'm saying it again: we can't disassemble programs written in Visual Basic (this does by no way mean that vb's are uncrackable, we just have to do it another way).
for those of you who don't know what disassembling means: it's turning a .exe (or .dll or whatever) back to the corresponding Assembler-Instructions. and for those of you who don't know what Assembler (ASM) is: it's is a very low-levelled programming language.
sure, the programmers of Clipmate didn't write their code in ASM but in some higher-levelled language, namely VC++. the point is that we just can convert the compiled program back to ASM.

some of you might think "how the hell can this idiot say Clipmate was written in VC++? it could as well be written in VB and he just said we can't disassemble VB's. how does he know?" good question. i don't care if the program was written in C, C++, Visual C++ or Delphi, as long as it's NOT VB. and there are ways to find that out. easy ways... ;)

VB is not a real programming language because most of the code executed by these programs is not stored in the .EXEs themselfes, but in certain .DLLs (Dynamic Link Libraries). these special Libraries are called "Visual Basic Runtimes" and they have to be imported prior to possible usage.
VB5 uses msvbvm50.dll, VB6 uses msvbvm60.dll, blah blah blah.
we just have to look if a program imports any of these DLLs and we can say if it was written in VB. now open up the windows explorer, goto Clipmate's directory and right-click on ClipMt50.exe, then select "Quickview". a new window pops up, showing us some information 'bout the file. scroll down a bit until you reach a section labelled Import Table. Every DLL imported by the program is listed in here. you'll find kernel32.dll, user32.dll and some other stuff, but actually none of the VB-runtimes. that's good because it means that we can disassemble.

by the way: i know that Clipmate is written in VC++ because i pushed it through a File-Analyzer. i won't go any deeper into this now, read my 1st tutorial if you're interested. (lazy me!)


taking it apart

you may close every opened window now (you'll have to cancel ClipMate's registration process to enter the prog and to close it).
first of all, backup ClipMT50.exe (always make a backup copy in case soething goes wrong. shit happens, believe me ;). launch W32DAsm and select Disassembler | Select File to Disassemble from the menu. Choose ClipMT50.exe and wait for W32Dasm to finish the disassemling process (this might take a minute or so).
we're in. the strange-lokking garbage you're seeing now is the pure asm-code of Clipmate. now choose Disassembler | Save... from the menu to write the code to a text file, which is, by the way, 22 MB big (!).
allright, we now have to find the part of the code which processes our name and the key we entered. doh! 22 mb of asm-code and we're searching for a few specific lines. how can we ever find those?

remember the two messages you should've written down earlier? they sure appear somewhere near the protection scheme... now we have to know that static texts as these messages are nor really stored in the code everywhere they're used. they are kept in the data block of the file and are only referenced everytime they're needed. choose Refs | String Data references from the menu to see a complete listing of all these strings. now search for the string "There is a problem with the 2nd or 3rd digit" and once found, double-click on it. WDAsm beams your right to the code-location where this string is referenced the first time. cool. now double-click on the string again and see if we're beamed to some other location (which would be the next one the string is used). no? allright, this means that the string is only used once in the whole prog. we're getting somewhere...
look at WDAsm's main window: you should see something like this:

* Possible StringData Ref from Code Obj ->"There is a problem with the 2nd "
                                        ->"or 3rd digit."
                                  |
:004D8D68 B8F88F4D00              mov eax, 004D8FF8       <-- [1] you landed here
:004D8D6D E82A12F8FF              call 00459F9C
:004D8D72 E941020000              jmp 004D8FB8



aha. in the first line, [1], our string (or better: some adress containing it, namely 004D8FF8) is MOVed to a register called eax, then a procedure located at 00459F9C is called. it's very likely that this procedure creates and shows the dialogbox saying "There is a problem with ...". then the code JuMPs to 004D8FB8. this seems to be the place where no more actions are taken, where control is passed back to the program as if nothing had happened. now let's see if we're right: go to this location (004D8FB8) by placing your cursor over the line with the JuMP and pressing the right-cursor-key. zap, you're there. if you scroll up a little bit, you'll see this:

* Possible StringData Ref from Code Obj ->"This Is An Invalid Name/Number "
                                        ->"Combination"
                                  |
:004D8FAE B850924D00              mov eax, 004D9250       <-- [2] very interesting
:004D8FB3 E8E40FF8FF              call 00459F9C           <-- [3] NOT a JuMP !

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004D8D72(U), :004D8DB5(U), :004D8DF8(U), :004D8FA1(U)   <-- [4] even more interesting
|
:004D8FB8 33C0                    xor eax, eax            <-- [1] you landed here
:004D8FBA 5A                      pop edx
:004D8FBB 59                      pop ecx
:004D8FBC 59                      pop ecx
:004D8FBD 648910                  mov dword ptr fs:[eax], edx
:004D8FC0 68E38F4D00              push 004D8FE3



look at location 004D8FAE [2]. they MOVe the "This is An..."-string to eax and then they call the same procedure [3] as they did before (the one that shows us a dialogbox).
and now comes somehing very interesting: the next line of code [4] is exactly the one we JuMPed to from the piece of code we saw before (the one where they showed us the "digit"-message ;). now look at the note WDAsm gives us for this line:

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004D8D72(U), :004D8DB5(U), :004D8DF8(U), :004D8FA1(U)



it says that this line is (U)ncoditionally jumped to from 4 other locations.
aha. now what does this mean? looks like there were 5 different ways the porgram goes after checking the registration-key. 4 of them are very likely to tell us we did something wrong, but one of them will actually unlock the software for us.
doh! how the heck do i know this? it's easy, think a little bit:

we found the place in code where control seems to be passed back to the program. it's jumped to from 4 locations (we preassume these to be the calls of dialoboxes) plus one location directly before it (this one doesn't need to jump) makes 5 locations in sum.
what else did we find out? we already know what happens around the first of the 4 jumps and we know what happens directly before the "back-to-program"-code, thus we know 2 of the 5 possibilities. if you take a deeper look at WDAsm's note shown above you'll notice that the rest of the jumps (the 3 we didn't inspect so far) are located between the 2 locations we already know. this renders things quite easy for us...

now go back to the There was a problem with...-message at 004D8D68 and scroll down until you reach This Is An Invalid Name/Number Combination again and look at the code (especially the JuMPs!). you don't have to understand the code, just look at it, that's enough ;). you'll see some interesting string references:

[1 ]  "There is a problem with the 2nd or 3rd digit",  ...jumps to 004D8FB8
[2 ]  "Sorry, that is an old number form Clipmate 4",  ...jumps to 004D8FB8
[3 ]  "Sorry, that is an old number form Clipmate 3",  ...jumps to 004D8FB8

[4a]  "Software/Thornsoft/Clipmate5"
[4b]  "Name"
[4c]  "Registration"
[4d]  "RegistrationNumber"
[4e]  "Registration"
[4f]  "Please Re-Start Clipmate To Restore Full
       Functionallity",                                ...jumps to 004D8F7F (!)

[5 ]  "This Is An Invalid Name/Number Combination",    ...continues at 004D8FB8



damn!
we (or I, respectively) have done it all wrong! why? look at the strings 4a to 4f. they're doing something in the registry! first (4a), they open up the key "Software/Thornsoft/Clipmate5".
then (4b & 4c) they push "Name" and "Registration" and call some procedure (look at the code). this means they read or write a value named "Name" in a key named "Registration". aha. they do the same with "RegistrationNumber" and "Registration" (4d & 4e). afterwards (4f), we're asked to restartd the program to enable it's functionality.

ok. now let's think. what does this all mean?
Clipmate test our name and number and if they are ok, it writes 'em to the registry. aha. it does NOT unlock itself at this point, it unlocks when restarted - that's the important stuff.
now try to put the things we found out together and you should finally make up the follwoing simple conclusions:

1. we were completely wrong until now. ;)
2. that's ok, we're newbies.
3. when started, Clipmate checks if some name and number are in the registry and, if yes, read 'em and checks 'em. if they're ok, we're registered, else we're not.
4. we have to go and find this part of code and crack it!

fine. open up the string-references window in WDAsm again and search for an item labelled "RegistrationNumber". double-click it. you'll be beamed to the 1st a reference to the string and that's the place we just saw - the place where they write into the registry. that's not what we're searching for, so double-click again. you're beamed to code-location 004D982C. bingo! (note: if you'd double-click again, you'd go back to whare you came from, so there are only two references to this string - this means that we're at the right place!)

now look at the code and scroll down a bit. you'll see that the Name is read as well as the number and if you scroll down a little more you'll encounter 5 jumps:
the first four jumps are conditionally jumps (4 jne's (Jump if Not Equal), the last one is unconditional. also note that the first four jumps go to the same location in code.

let's think again: 4 conditional jumps go to location X, the last one goes to Y. i bet my arse that the first four jumps are taken if our number is wrong (remember, we had 4 possible error-messages). if our number is ok, none of 'em will jump, that's why the fifth, last jump will do: it's an unconditional one...

we know what do to know: we have to make sure that none of the first four jumps is taken - but how?


cracking it - at last

allright, we're going to alter clipmt50.exe now. we need to know the offset where to change something so move your cursor in WDAsm over the first of the 5 jumps. that should be at address 004D991D. look at WDAsm's statusbar, it says we're at offset D8D1D. write down that number.
open clipmt50.exe in Hiew, a Dos-Hex-Editor with a very special ability...
you'll have to do this in dos-mode, type "hiew <path_to_clipmate>\clipmt50.exe").

you should see the file in hex-mode now. press F4 and choose "decode" as the new display-mode and voilá: you see nothing else than Clipmt50.exe's asm-code! cool.
Now we have to go to the offset we noted first, so press F5, enter "D8D1D" and press enter. you're transported to the correct offset. look at the code, do you recognize it? it's just the one we saw in WDasm.

now, here they are, the "5 jumps of interest"... hehe. we said we had to kill the first four of 'em, right? now that is what we're going to do! we "nop" 'em out. what? "nop" stands for "No OPeration" and is a special asm-instruction that does absolutley nothing. it's hexadecimal equivalent is 90 - that's one byte. you can see that each jump takes 2 bytes, so we'll have to overwrite these two bytes per jump with "9090" to kill it. easy.

press F3 to get in edit mode and place your cursor over the line with the first "jne" and enter "9090". do the same with the next 3 "jne"'s. press F9 to update the file, i.e. to write the changes. you should see something like this now:

 000D8D1D: 90                           nop                    <-- 1st nop's
 000D8D1E: 90                           nop
 000D8D1F: 8D8553FFFFFF                 lea       eax,[ebp][0FFFFFF53]
 000D8D25: E8BEFBF2FF                   call      0000088E8   -------- (1)
 000D8D2A: 83F80D                       cmp       eax,00D
 000D8D2D: 90                           nop                    <-- 2nd nop's
 000D8D2E: 90                           nop
 000D8D2F: 8A4703                       mov       al,[edi][00003]
 000D8D32: 3A8556FFFFFF                 cmp       al,[ebp][0FFFFFF56]
 000D8D38: 90                           nop                    <-- 3rd nop's
 000D8D39: 90                           nop
 000D8D3A: 8A470C                       mov       al,[edi][0000C]
 000D8D3D: 3A855FFFFFFF                 cmp       al,[ebp][0FFFFFF5F]
 000D8D43: 90                           nop                    <-- 4th nop's
 000D8D44: 90                           nop
 000D8D45: A17C0D5000                   mov       eax,[000500D7C]
 000D8D4A: C70001000000                 mov       d,[eax],000000001
 000D8D50: EB09                         jmps      0000D8D5B    <-- hehehe... ;)
 000D8D52: A17C0D5000                   mov       eax,[000500D7C]
 000D8D57: 33D2                         xor       edx,edx
 000D8D59: 8910                         mov       [eax],edx
 000D8D5B: A17C0D5000                   mov       eax,[000500D7C]
 000D8D60: 833800                       cmp       d,[eax],000



Clipmate will actually recognize you as unregistered but it can't do anything against it because it will always take the last, fifth jump now which starts the program unlocked - in short: it's cracked!

try it. start clipmate and open the about box. it says: "registered to: A" cool, it's really regged! but who the hell is "A"? let's try this:
start regedit and open the key "Software/Thornsoft/Clipmate5/Registration". we know Clipmate searches for 2 entries in here: "Name" and "RegistrationNumber". allright, let's create a name: right-click at the white space under the item labelled "First time" and choose "New | String". use "Name" as it's name. double-click on the newly created item and enter whatever name you want.

exit Clipmate, restart it and look at the About-Box again; it's your name at last - cool

we're done!
success!

shake your hand and tap yourself on the shoulder.


last words

allright folks, thanx alot for reading! i'd really appreciate any comment on this tutorial. c'mon guys & girls, it took quite a lot of time to bring this to you, whereas writing a mail with your opinion about it isn't that damn hard, is it? here's the email-adress: dr.seneca@gmx.net.
feedback, guys & girls, feedback!

oh, i almost forgot this very important stuff:

the coders at Thornsoft had a lot of work making Clipmate and they absolutely have my respect for this. it's not ok to get their shareware, crack it and then use it any longer than you are allowed to.
if you like the program then get your ass moving and buy it! allright? thanks.

keep on learning,

                           seneca