Reverse Code Engineering - PrimaSoft Dialer v1.4
Finding Correct Serial Numbers
Author: Volatility

Please Read The Disclaimer Before Continuing. 


Target  PrimaSoft Dialer v1.4 - (32pspd.zip) - 440,935 bytes 
(This Method Will Work For MOST Software At www.primasoft.com) 
Location  http://www.primasoft.com/demo/32pspd.zip 
Protection(s)  User Name/Serial Number/30-Day Time Limit 
Tools Needed  Soft-Ice (Any Version) 
Level  (X) Beginner ( ) Intermediate ( ) Advanced ( ) Expert 


Prepare To Crack: 

My entire motive for cracking this program, is that PrimaSoft puts out some goofy ass software that literally annoys the piss outta me! This program is about the most normal one of the bunch! 

Anyway... run the program, and you'll see a nag screen, telling you that you have 30 days to evaluate the product. When the program comes up, you'll see there is no place to enter your registration information. Hmm... a hidden registration? Click on the "Exit" button, and there's our answer, another nag screen, but this one with the option to enter registration. 

Go to the registration screen and enter some test data. For this program, let's try the HMEMCPY function. Press Cntrl+D to enter Soft-Ice, and set a breakpoint on HMEMCPY (BPX HMEMCPY). 

Making The Crack: 

Press Cntrl+D again to exit out of Soft-Ice, and click on the "Ok" button. Soft-Ice breaks. Press F11 to get into the code. You'll see down on the line above the command window the string "USER(0A). This isn't where we want to be, so step through the code using F10 until you see the string "PSDIAL!CODE" on the line. You should now be here: 
 
0137:004172C8  CALL     USER32!CallWindowProcA
0137:004172CD  MOV      [ESI+0C],EAX
0137:004172D0  JMP      004172DB
0137:004172D2  MOV      EDX,ESI
0137:004172D4  MOV      EAX,EBX
0137:004172D6  CALL     004172DB
 ==> 004172DB  POP      EBP
0137:004172DC  POP      EDI
0137:004172DD  POP      ESI
0137:004172DE  POP      EBX
0137:004172DF  RET

If you step through this routine, looking for a compare and a jump, you can find the place where the user name you entered is stored. This isn't where we want to be either. We want to be in the routine where our serial number is stored. So... step ALL the way through the code again using F10 until you see the string 'PSDIAL!CODE" on the line again. 

Now we're in the serial number routine. Slowly step through the code using F10, until we get to the compare and jump. You should be here: 
 
0137:00480C4D  CALL     004151E4
0137:00480C52  MOV      EAX,[EBP-08]                    :user name you entered
0137:00480C55  POP      EDX                             :serial number you entered
0137:00480C56  CALL     00437484                        :call the function to compare serial numbers
0137:00480C5B  TEST     AL,AL                           :compare serial numbers
0137:00480C5D  JZ       00480C94                        :jump to unregistered if 0 (0=bad flag)
0137:00480C5F  MOV      BYTE PTR [EBX+000001C4],01      :otherwise, get a 1 for registered (1=good flag)
0137:00480C66  LEA      EDX,[EBP-04]
0137:00480C69  MOV      EAX,[EBX+000001C0]
0137:00480C6F  CALL     004151E4
0137:00480C74  MOV      EAX,[EBP-04]

From my comments above, you should be able to find your correct serial number. If not, you need to press F10 until the line "0137:00480C5B TEST AL,AL" is highligted. Then, since your serial number is stored in EDX, display it by typing: d EDX. (you'll need to press ALT+Up Arrow keys a couple times to see your serial). 

My serial number was 674482699-214 (Cracked By Volatility [ID] for my user name). Don't be a lamer, use your own serial number. 

If time permits, I'll add more to this essay, showing you how to crack by getting a dead-listing and patching with a hex editor.  


*** Disclaimer ***
This Essay Is For Knowledge Purposes Only. Neither We, Our ISP, Nor Any Persons Mentioned Shall Be Held Liable For Any Damages Improper Usage May Cause To Your Machine. 
 
If You Successfully Crack A Program, You Must Delete It Immediately. If You Want To Keep The Program, Please BUY It! Support Shareware, This Is Our Learning Tool! 
 
It Is Illegal To Continue To Use Cracked/Patched Software.

Copyright © 1998 Volatility And The Immortal Descendants. All Rights Reserved.
  why do programmers bother creating long and or complicated serial numbers for their programs when it's usually so easy to simply sniff out the *real* serial code just by following a few lines of code.

Since I cracked this program without using a Dead Listing I won't tell you to go and create one using W32Dasm but if you really want to learn more about this program it might be a good idea to create one all the same..
 
First things first..
 
Run up the program then select the 'File' menu then the 'Register..' option.
 
You should now be in a simple looking Registration Screen.
 
Fill in your Name/Handle and a fake serial number.
 
I used:

The Sandman
999999999

Before clicking on the 'Ok' button press 'Ctrl-D' to activate Softice then type: bpx messageboxa.  Now press  'x' to leave Softice.

Now you can click on the 'OK' button.
 
Softice now breaks at the start of the messageboxa system function.

Press the 'F11' key once and click on the 'OK' button to the message saying your serial code was invalid.  Softice should break here..
 
:00423815 68A7E04400              push 0044E0A7 ;Messagebox Title
:0042381A 6842DF4400              push 0044DF42 ;"You've entered invalid.."
:0042381F 53                      push ebx
:00423820 E848550100              Call USER32.MessageBoxA
:00423825 E979010000              jmp 004239A3 ;We return here
 
What I normally do here is to scroll the Softice Assembly window until I come across the first occurrence of the following assembler instructions which are nearly always very close by:-

Call  XXXXXXXX
cmp Register,Register (or test Register,Register)
Conditional Jump

The first set of these instructions I came across I discounted because it was to do with creating a messagebox:-
 

:004237EB 686CDE4400            push 0044DE6C ;"Thank you for registering"
:004237F0 53                    push ebx
:004237F1 E877550100            Call USER32.MessageBoxA
:004237F6 85F6                  test esi, esi
:004237F8 7430                  je 0042382A
 
OK, no problem, I now scrolled up a few more lines and Bingo!, I found another classic set of my favorite set of instructions here:-
 
:004237CF E80C960000            call 0042CDE0 ;Compare serials
                                              ;eax=ffffffff if fail
                                              ;eax=1 if correct
:004237D4 83C408                add esp, 00000008
:004237D7 85C0                  test eax, eax ;serial correct?
:004237D9 7502                  jne 004237DD ;No? then jump

If you have a dead listing close by for this program then you'll see how close all these instructions are to our original Softice breakpoint on messageboxa.
 
At this point I cleared all of Softice's previous breakpoints by typing: bc *
then I type: bpx 004237cf then x to leave Softice.
 
Now re-run the registration process again and once again Softice breaks but this time on our newly created breakpoint at: 004237cf
 
Press the 'F10' key once, yep that's right don't trace into this call, just step over it. Now it's interesting to monitor the state of the pc's registers after you've just skipped over a call because this can reveal quite a lot about what the call has just been doing.
 
So now type: D ecx and you'll see in Softice's code window the *real* serial number you need to use to register this babe!.

If you type D edx then you'll see your *fake* serial.

Now re-run this program but now use the *real* serial number you've just sniffed out.
 
Job Done.
 
The Crack
     
None required.
 

If you intend on using this program beyond it's evaluation period then please BUY IT!
 
Final Notes 
    
Surly this program is not THAT easy to *crack*!, well yes it was, so it's doesn't really matter if the programmer used a 100 digit serial number to register this program with, we can always sniff it out with relative ease.

My thanks and gratitude goes to:-
 
Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
 
+ORC for showing me the light at the end of the tunnel.
 
Ob Duh 
 
Do I really have to remind you all that by buying and NOT stealing the software you use will ensure that these software houses will be encouraged to producing even *better* software for us to use and enjoy.

Ripping off software through serials and cracks is for lamers..
 
If your looking for cracks or serial numbers from these pages then your wasting your time, try searching elsewhere on the Web under Warze, Cracks etc.
 


 
 
 Next   Return to Essay Index   Previous 
 

Essay by:          The Sandman
Page Created: 14th August 1998
, dword ptr [ecx+01]     ;