December 1998 
"DeepSky99" Astronomy Program for Win'95/98  
VB PROGRAM Visual Basic Cracking   
by Eisenbeiss  
Code Reversing For Beginners  
Program Details
Program Name: Deepsky99.exe
Program Type: Win'95/98 Utility
Program Location: Here
Program Size: 32 Meg
Packed using: N/A
Tools Required: SmartCheck (NuMega)
Trivial ( X )  Easy (   )  Medium (    )  Hard (    )  Pro (    )
There is a crack, a crack in everything. That's how the light gets in.

  DeepSky99 - A Great Astronomy Utility for Win'95/98 Written by Eisenbeiss  
  Moral: IF Visual Basic THEN cracked in 5 min
What the author - Steven S. Tuma - says:

'Deepsky 99 solves an important need for amateur and professional observers. The software allows the user to plan a productive observing session and record what was observed quickly and easily. The logbook features in Deepsky make it extremely easy to transfer your observing plans to the logbook with minimal data entry. To accomplish this, users first create a customized observing list of those objects they want to observe by querying the database and then tagging those objects that appear on the screen. The custom list of objects can then be saved to disk and recalled later if required. When you are finished observing, the list you created earlier can be used to help enter your observations into the logbook.

1. 400,000 Object Database of Deepsky Objects
2. Observing Planner
3. Observer’s Logbook
4. Star Chart Creator with stars to Magnitude 15.5 (Mag. 10 in shareware version)
5. Image Processing
6. LX200 Goto Support including Deepsky’s unique Slide Show feature.
7. Support for Bob Denny’s ACP software for the LX-200 telescope'
The Essay  
DeepSky99 is a quite professional tool for the serious (amateur) astronomer, but it has one severe shortcoming: it is written in Micro$oft Visual Basic. This renders it slow to load and execute, and - perhaps more interestingly for you, dear reader - extremely easy to crack.

When the program is installed and executed for the first time, it shows a message saying it's unregistered, and a 15 s delay is imposed before operation continues. Furthermore, the unregistered version does not allow access to any object database except the NGC2000 catalogue and is limited to 30 days of use. All these 'shareware' features have been implemented by means of an ActiveX control called 'Registration Wizard', available to shareware authors at this site. At the Registration Wizard homepage, technical documentation is available that reveals the following information:

1. The registration key is calculated from the username and a so-called 'encryption key' that is either randomly generated or supplied by the user. Optionally, information about the user's system can be included into the calculation as well.

2. Shareware authors may format the registration code by supplying a regkey mask in the form of 'RWS-#####-^^^^&-^&#^&', where # is a number, ^ represents an upper case character and & stands for an upper or lower case character.

Armed with that knowledge, we now run DeepSky under SmartCheck, open the registration dialog and type in bogus information, e.g. 'Fra Diavolo' as user name (UN) and '1234567890' as unlock key. After clicking the register button, a message box informs us that we have entered invalid information. We can now stop logging with SmartCheck and examine the results.

The function call 'RegWizardPro1.ShowRegDialog' will be of interest to us, so we expand its tree by clicking on the '+' icon. Lots of string operations are performed here. Among them is the processing of our UN. We can easily see that the functions Mid$ and Asc transform the individual characters of 'Fra Diavolo' into their ASCII values, which are then concatenated to a string '701149732...'.

Reading further, we notice the occurrence of another string, 'M31 - Andromeda Galaxy', that somehow interacts with our new string '701149732...'. This apparently is the 'encryption key' specified by the author of DeepSky (see above). What kind of calculation is taking place here? The function Mid$ is used to grab a digit from the '701149732...' string, which is then transformed into its corresponding ASCII value. The first digit, '7', yields an ASCII value of 55. The first letter of 'M31 - Andromeda...', 'M', is grabbed next and yields an ASCII value of 77. Now follows a line 'Chr$(Integer: 122)'. Immediately we realize that 55 + 77 is ... 132, not 122.

Still, we suspect that the value 122 must somehow be calculated from 77 and 55, because we know the regkey is calculated from the UN and the 'encryption key'. Now, what does a Visual Basic lamer mean when he talks about encryption? Probably the most basic of the binary operations - XOR. So let's try... BINGO! 77 XOR 55 is 122. The 'Andromeda' string is XORed with our string '701149732...' according to the pattern just described. A new string 'HIPTP...' is the result. This cannot be the reg code, because it contains weird characters like '|'. Instead, it is transformed into a 'number string', just as was done with our UN 'Fra Diavolo', and that string is '727380...122'.

This is interesting, because the result of the first operation, 55 XOR 77 = 122, appears at the end of the string - the whole thing is inverted, i.e. the 'encryption key' is processed from its last character to its first. Now, with this string '727380...', how do we get our registration code? The regkey mask, 'RWS-###...', is apparently used for some string operations now. The first five Mid$ calls don't have anything to do with '727380...', so we need not deal with them. Then follows a Mid$ on position 1 of our string '727380...', followed by a Mid$ on position 6 of the mask. Although it is not immediately evident from the SmartCheck log, one can imagine that the digits are simply filled in here, so our registration code so far would be 'RWS-72738-'.

Now, according to the mask, we should produce some upper case letters. We see that digits 6 and 7 of our string '7273808...' are grabbed, inverted to yield 80 and transformed into a character ('P') by Chr. The upper case status is then assured by the function UCase.

At this point, we realize that we can actually read the regcode down as it is generated. We also know how it is generated. The 'protection' is a joke. The author of DeepSky, Steven S. Tuma, has been blatantly ripped off by the author of the 'Registration Wizard', Russell Anderson. Anyone running SmartCheck can immediately get the regcode for any username he sees fit. In our case, the key is 'RWS-72738-PT...'. 'Registration Wizard' easily qualifies for the most stupid protection award.
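The derivation traced above, as an added example in Python: this is neither the essay's Delphi source nor anything taken from the Registration Wizard control, just the steps from the SmartCheck log written out so that they reproduce the values seen there (the name string '701149732...', the XOR output 'HIPTP...', the code string '727380...122' and the key prefix 'RWS-72738-PT'). Two things are assumptions rather than observations: the fix-up table that pushes a two-digit value into a letter range is the one used by the Delphi keygen below, and the way the last mask group ('&', '#', '^', '&' after the sixth letter) is filled generalises the pattern of one digit per '#' and one inverted digit pair per letter, which the essay only shows for the first groups. Names whose ASCII string is shorter than the 22-character key are refused, because the essay says nothing about how the control treats them.

```python
# Added example: Registration Wizard key derivation as reverse-engineered in the
# essay. Not the essay's Delphi code and not the control's own code.

ENCRYPTION_KEY = "M31 - Andromeda Galaxy"   # the author's 'encryption key', seen in the log
MASK = "RWS-#####-^^^^&-^&#^&"               # regkey mask from the Registration Wizard docs


def ascii_string(name: str) -> str:
    """The Mid$/Asc loop: 'Fra Diavolo' -> '701149732...' (codes concatenated in decimal)."""
    return "".join(str(ord(c)) for c in name)


def xor_with_key(digits: str, key: str = ENCRYPTION_KEY) -> str:
    """XOR digit i of the name string with character i of the key, last position first.

    The log shows 55 ^ 77 (digit '7' against 'M', both at position 1) landing at the
    END of the result, so position 22 is processed first.  Only len(key) digits are
    used; the essay does not say what happens with shorter names, so (assumption)
    refuse them instead of reading past the end of the string.
    """
    if len(digits) < len(key):
        raise ValueError(f"name string has {len(digits)} digits, key needs {len(key)}")
    return "".join(chr(ord(digits[i]) ^ ord(key[i])) for i in reversed(range(len(key))))


def code_string(name: str) -> str:
    """'HIPTP...' -> '727380...122': the XOR output is itself turned into a decimal string."""
    return ascii_string(xor_with_key(ascii_string(name)))


def to_printable(value: int) -> int:
    """Fix-up table from the essay's Delphi keygen (assumption): map a two-digit
    value into a range that yields a letter."""
    if value < 23:
        return value + 100
    if value < 65:
        return value + 42
    if 91 <= value < 97:
        return value - 6
    return value


def format_key(codestring: str, mask: str = MASK) -> str:
    """Fill the mask from the code string.

    '#' consumes the next single digit; '^' and '&' consume the next two digits
    read inverted (digits 6,7 = '0','8' -> 80 -> 'P') and pushed through the
    fix-up table; '^' is upper-cased, '&' keeps whatever case it got.  Any other
    mask character is copied verbatim.  Applying the same walk to the last group
    is the generalisation mentioned in the lead-in.
    """
    out, pos = [], 0
    for m in mask:
        if m == "#":
            out.append(codestring[pos])
            pos += 1
        elif m in "^&":
            pair = int(codestring[pos + 1] + codestring[pos])   # inverted pair
            pos += 2
            ch = chr(to_printable(pair))
            out.append(ch.upper() if m == "^" else ch)
        else:
            out.append(m)
    return "".join(out)


def make_key(name: str) -> str:
    """User name -> registration code, the whole pipeline in one call."""
    return format_key(code_string(name))


if __name__ == "__main__":
    for user in ("Fra Diavolo", "Phrozen Crew"):
        print(f"{user!r}: name string {ascii_string(user)[:9]}..., "
              f"XOR output {xor_with_key(ascii_string(user))[:5]}..., "
              f"code string {code_string(user)[:6]}..., key {make_key(user)}")
```

Run as a script it prints 'RWS-72738-PT...' for 'Fra Diavolo', matching the trace, and 'RWS-75758-USNQg-LD8AV' for 'Phrozen Crew'. Compare that with the key posted under Ob Duh: every position agrees except the fifth letter, where the fix-up table gives 'g' and the posted key has 'q'. That position is the only one in the posted key that falls into the 23..64 band of the table (every other letter is either untouched, below 23, or in the 91..96 band), so treat the '+42' rule as unverified and the rest of the derivation as confirmed by the page's own key.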

It is worth mentioning that SmartCheck is by no means the only approach to cracking this program. A SoftICE breakpoint on 'hmemcpy' takes us into the 'Registration Wizard', where we can easily 's 0 l ffffffff 52 00 57 00 53 00 2D 00' to find the regkey mask in memory (those bytes are 'RWS-' as a Unicode string, which is how Visual Basic stores its strings). With a BPR on it, we land in a routine copying it, character by character, to another memory location. A casual inspection of the target area reveals the registration code being generated in front of our eyes.

Crack Loader  
A simple key generator can be written - here's some Delphi source:
procedure TForm1.Button1Click(Sender: TObject);
const
  { 'M31 - Andromeda Galaxy', the author's 'encryption key' }
  andromeda: array[1..22] of byte = (77, 51, 49, 32, 45, 32, 65, 110, 100,
                                     114, 111, 109, 101, 100, 97, 32,
                                     71, 97, 108, 97, 120, 121);
var
  name, namestring, codestring, serial, bstr: string;
  i: byte;
  bst: integer;

  { push a two-digit value into a range that yields a letter }
  function Fixup(v: integer): integer;
  begin
    if (v >= 0) and (v < 23) then v := v + 100;
    if (v >= 23) and (v < 65) then v := v + 42;
    if (v >= 91) and (v < 97) then v := v - 6;
    Result := v;
  end;

begin
  if Edit1.Text = '' then Edit1.Text := 'Lamer';
  name := Edit1.Text;
  namestring := '';
  codestring := '';
  serial := '';

  { the Mid$/Asc loop: 'Fra Diavolo' -> '701149732...' }
  for i := 1 to Length(name) do
    namestring := namestring + IntToStr(Ord(name[i]));

  { the XOR only ever touches 22 digits; the essay does not say what the control
    does with shorter names, so refuse them instead of reading past the string }
  if Length(namestring) < 22 then
  begin
    ShowMessage('Name too short: its ASCII string needs at least 22 digits');
    Exit;
  end;

  { XOR with the key, last position first, then back to a decimal string ('727380...122') }
  for i := 22 downto 1 do
    codestring := codestring + IntToStr(Ord(namestring[i]) xor andromeda[i]);

  { mask 'RWS-#####-^^^^&-^&#^&': the first five digits are copied as they are }
  serial := 'RWS-' + Copy(codestring, 1, 5) + '-';

  { letters come from inverted digit pairs: digits 6,7 -> '80' -> 'P' }
  for i := 3 to 6 do
  begin
    bst := Fixup(StrToInt(codestring[(2 * i) + 1] + codestring[2 * i]));
    bstr := UpperCase(Chr(bst));
    serial := serial + bstr;
  end;

  { fifth position of the group is '&': either case is allowed, so no UpperCase }
  bst := Fixup(StrToInt(codestring[15] + codestring[14]));
  serial := serial + Chr(bst) + '-';

  bst := Fixup(StrToInt(codestring[17] + codestring[16]));
  bstr := UpperCase(Chr(bst));
  serial := serial + bstr;

  { the last four positions of the mask are left to the reader; show what we have }
  ShowMessage(serial);
end;


The interested reader can write the missing part or take another approach - it should be clear how things work.
Final Notes  
 The above example demonstrates, once again, how easily VB programs can be cracked, even by the most inexperienced crackers (like me).
Ob Duh  
You may have realized that I didn't provide a full serial for you to leech. Steven S. Tuma has written DeepSky99 in his spare time from a 40 h/week job, and he surely deserves the low registration fee of $25. If you are not interested in learning how to crack, but just want to steal software, try the following combination to register DeepSky99: 'Phrozen Crew' + RWS-75758-USNQq-LD8AV. You will get what you deserve.

Ripping off software through serials and cracks is for lamers.

If you're looking for cracks or serial numbers on these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.


Essay by:          eisenbeis
Page Created: 12th December 1998