How to crack JPEG Optimizer 3.01

Hello my newbie friends, here I am with tut No 5, I think. We have an easy target, JPEG Optimizer, which you can find at http://www.xat.com and is shareware.

Run the program, go to About->Register and enter a code of more than 5 characters (I put the old classic 123456), press Ctrl+D for SoftIce to pop up and set a bpx hmemcpy. Press Ctrl+D again to get out and press the OK button. SoftIce will pop up and you should press F12 12 times till you reach the following code:

:00428BDD 66C746100800          mov [esi+10], 0008
:00428BE3 66C746102C00          mov [esi+10], 002C
:00428BE9 33C9                  xor ecx, ecx
:00428BEB 894DF4                mov dword ptr [ebp-0C], ecx
:00428BEE 8D55F4                lea edx, dword ptr [ebp-0C]
:00428BF1 FF461C                inc [esi+1C]
:00428BF4 8B83C8010000          mov eax, dword ptr [ebx+000001C8]
:00428BFA E8D98A0100            call 004416D8
:00428BFF 8D45F4                lea eax, dword ptr [ebp-0C]
:00428C02 E823FA0100            call 0044862A
:00428C07 83F806                cmp eax, 00000006          <= Compares the length of our code with 6
:00428C0A 751B                  jne 00428C27               <= If not 6, then jump to bad code

:00428C0C 837DF800              cmp dword ptr [ebp-08], 00000000
:00428C10 7405                  je 00428C17
:00428C12 8B55F8                mov edx, dword ptr [ebp-08]
:00428C15 EB05                  jmp 00428C1C
:00428C17 BAFFDF4700            mov edx, 0047DFFF
:00428C1C 52                    push edx
:00428C1D E8A60C0000            call 004298C8              <= The procedure which checks the validity of our serial. Stop here
:00428C22 59                    pop ecx
:00428C23 84C0                  test al, al
:00428C25 7504                  jne 00428C2B               <= If wrong code, then jump to bad code
:00428C27 33C0                  xor eax, eax
:00428C29 EB05                  jmp 00428C30

So, you stopped at 00428C1D. Press F8 to step into the call and then F10 to step over until you see

:0042994E E84D1F0000            call 0042B8A0              <= Checks the validity of our code. Stop again here
:00429953 59                    pop ecx
:00429954 84C0                  test al, al
:00429956 7404                  je 0042995C                <= Jump if bad
:00429958 B001                  mov al, 01                 <= That's good!
:0042995A EB0C                  jmp 00429968

You stopped again at 0042994E. Trace into the call with F8 till you see

:0042B8CF 0FBE0B                movsx ecx, byte ptr [ebx]
:0042B8D2 83F93A                cmp ecx, 0000003A
:0042B8D5 7548                  jne 0042B91F               <= Offset 2AED5
:0042B8D7 0FBE4301              movsx eax, byte ptr [ebx+01]
:0042B8DB 83F83D                cmp eax, 0000003D
:0042B8DE 753F                  jne 0042B91F               <= Offset 2AEDE
:0042B8E0 0FBE5302              movsx edx, byte ptr [ebx+02]
:0042B8E4 83FA55                cmp edx, 00000055
:0042B8E7 7536                  jne 0042B91F               <= Offset 2AEE7
:0042B8E9 0FBE4B03              movsx ecx, byte ptr [ebx+03]
:0042B8ED 83F959                cmp ecx, 00000059
:0042B8F0 752D                  jne 0042B91F               <= Offset 2AEF0
:0042B8F2 0FBE4304              movsx eax, byte ptr [ebx+04]
:0042B8F6 83F859                cmp eax, 00000059
:0042B8F9 7524                  jne 0042B91F               <= Offset 2AEF9
:0042B8FB 0FBE5305              movsx edx, byte ptr [ebx+05]
:0042B8FF 83FA5F                cmp edx, 0000005F
:0042B902 751B                  jne 0042B91F               <= Offset 2AF02
:0042B904 C705584348001443FC69  mov dword ptr [00484358], 69FC4314
:0042B90E C605C442480001        mov byte ptr [004842C4], 01
:0042B915 E86688FDFF            call 00404180
:0042B91A B001                  mov al, 01                 <= We want the program to execute this line.
:0042B91C 5B                    pop ebx
:0042B91D 5D                    pop ebp
:0042B91E C3                    ret

OK, now we are almost done. Open the jpegopt.exe file with HIEW and go into decode/asm mode. Press F5 and enter 2AED5. If the offsets are different on your computer, then disassemble a copy of the exe file in W32Dasm, look for the same code and write down the first offset. In Hiew, change the 75xx to 9090 for every jne 0042B91F and press F9 to save the changes. Press <ESC> to exit, run the program and ...Registered.

Thanks for reading this tut.

For any questions you can reach me on EF-Net in #cracking and #cracking4newbies, or on GR-NET in #cracking (that's mine, hehe) with the nick iNFRA.

My e-mail is dmitspan@usa.net

Goodbye my friends.

Written by: Mitsaras Nuker®