TORN@DO's Cracking Tutorial for
SimulBrowse 1.5


Before we start, please read the Disclaimer section of this essay!

Date: 26/07/1998
Target Program: SimulBrowse 1.5
Protection: Registration Code
Rating: Easy - if you had read "Cracker's Notes"
Solution: Serial #
Cracked by: TORN@DO
Tools needed: - SoftICE 3.2 (Win 95)
              - W32DASM 8.9
              - Hex Editor (I like Hacker's View)
Level: (x) Beginner     ( ) Intermediate     ( ) Expert

Well, I thought nobody would need a tutorial for that program - but one Newbie asked for one (perhaps he hasn't even "tried" to crack it), because he got lost in the program (??). So here it is:

Step 1
Well, let's run the target and see what we can find out. A NAG-Screen appears saying "SimulBrowse 1.5 is shareware ...". This looks like a standard message box. So now press OK. Go to the Help menu and choose Register. Now a dialog "Validation" asks for our User Name and Registration Number. So enter "Cracking Tutorial" and "999999999". Press OK. Now you get "Your registration user name and password could not be validated". So press OK and exit the application. The NAG-Screen pops up once again and then the application exits. So we know enough to take our disassembler and have a look at the program in

Step 2
Now choose String Reference and look for interesting strings. I found these interesting:
"SimulBrowse 1.5 is shareware. "
"Thank you for registering SimulBrowse."
"Your registration user name and "

Step 3
We want to go to the Validation-Function, so double click on "Validation". You'll get this:

* Possible StringData Ref from Code Obj ->"User"
:00457B17 mov ecx, 00457B6C
* Possible StringData Ref from Code Obj ->"Validation"

We want to be where this location was called from, so scroll up a few lines until you find

* Referenced by a CALL at Address:

So let's go to 457DE1. You'll get

:00457D56 call 0042F470  
:00457D5B mov eax, dword ptr [ebp-0C]  
:00457D5E cmp dword ptr [eax+00000150], 00000001  
:00457D65 jne 00457DF3 ; jump out of the function
... ... ...
:00457DB8 call 0045767C  
:00457DBD cmp dword ptr [ebp-08], 00000000 ; have we entered something? 
:00457DC1 je 00457DE8 ; if not, jump to invalid code message
:00457DC3 mov eax, dword ptr [ebp-08] ; the right serial # is now held in EAX
:00457DC6 mov edx, dword ptr [ebp-04]  
:00457DC9 mov edx, dword ptr [edx+3C] ; our serial # is now held in EDX
:00457DCC call 00403CF8 ; compare the right serial # with what we entered
:00457DD1 jne 00457DE8 ; if they're not equal, jump to invalid code message
:00457DD3 mov edx, dword ptr [ebp-04]  
:00457DD6 mov eax, dword ptr [ebp-04]  
:00457DD9 call 00457A94  
:00457DDE mov eax, dword ptr [ebp-04]  
:00457DE1 call 00457AE4 ; we land here
:00457DE6 jmp 00457DF3 ; jump out of the function

Have you noticed those jumps to 457DF3 and 457DE8? 457DF3 simply jumps out of the function. 457DE8 jumps to the invalid code message.

Step 4
We can see the serial # we entered by typing D EDX just before that CALL 00403CF8 ... and guess what's in EAX. Or we can trace through that call. So our registration code for "Cracking Tutorial" is "574368372017". BTW, it doesn't matter whether you use capital letters or not.

Disclaimer: This essay is for educational purposes only. Any use, misuse or illegal activity is the sole responsibility of the reader! I take no responsibility for the use of this information!

This tutorial was written by TORN@DO. I hope you enjoyed reading it as much as I enjoyed writing it - I'm always trying to improve my writing skills.
I'd like to greet the following people (no specific order):
+ORC, Fravia, nIabI, JosephCo, Razzia, MisterE, Krazy_N, Vizion, YOSHi, Qapla, Odin
everyone in #Cracking and in #Cracking4Newbies ... and everyone else I forgot.
sp;                                           ;eax=ffffffff if fail
                                              ;eax=1 if correct
:004237D4 83C408                add esp, 00000008
:004237D7 85C0                  test eax, eax ;serial correct?
:004237D9 7502                  jne 004237DD ;No? then jump

If you have a dead listing close by for this program then you'll see how close all these instructions are to our original Softice breakpoint on MessageBoxA.
At this point I cleared all of Softice's previous breakpoints by typing: bc *
then I typed: bpx 004237cf and then x to leave Softice.
Now re-run the registration process, and once again Softice breaks, but this time on our newly created breakpoint at 004237cf.
Press the 'F10' key once; yep, that's right, don't trace into this call, just step over it. Now it's interesting to monitor the state of the PC's registers after you've just skipped over a call, because this can reveal quite a lot about what the call has just been doing.
So now type: D ecx and you'll see in Softice's code window the *real* serial number you need to use to register this babe!

If you type D edx then you'll see your *fake* serial.

Now re-run this program but now use the *real* serial number you've just sniffed out.
Job Done.
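Both listings above (TORN@DO's compare at 00457DCC and The Sandman's D ecx after the call) work for the same reason: the program computes the correct serial in memory and compares it with the one entered, so the valid code can be read at the compare. As an added example, not from either essay, here is the design that removes that weakness: the registration code is an Ed25519 signature over the user name, the product ships only the public key, and the check never materialises a valid code. The function names and the name normalisation are assumptions for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base32"
	"fmt"
	"strings"
)

// base32 without padding keeps the code typeable (A-Z, 2-7 only).
var codeEnc = base32.StdEncoding.WithPadding(base32.NoPadding)

// canonicalName normalises the user name identically on issuer and client.
// The essay notes the program ignores letter case; this does the same.
func canonicalName(name string) string {
	return strings.ToUpper(strings.TrimSpace(name))
}

// IssueCode runs only at the vendor, who holds the private key. The code is
// a signature over the name, so nothing in the shipped binary can derive it.
func IssueCode(priv ed25519.PrivateKey, name string) string {
	sig := ed25519.Sign(priv, []byte(canonicalName(name)))
	return codeEnc.EncodeToString(sig)
}

// ValidateCode is the check that ships in the product. It holds only the
// public key: there is no "right serial" in EAX to dump at the compare,
// and no string compare whose outcome can be flipped with one byte.
func ValidateCode(pub ed25519.PublicKey, name, code string) bool {
	sig, err := codeEnc.DecodeString(strings.ToUpper(strings.TrimSpace(code)))
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false // malformed code, e.g. "999999999"
	}
	return ed25519.Verify(pub, []byte(canonicalName(name)), sig)
}

func main() {
	// Constructed key pair for the demo; a real vendor keeps priv offline.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	code := IssueCode(priv, "Cracking Tutorial")
	fmt.Println(ValidateCode(pub, "cracking tutorial", code)) // true
	fmt.Println(ValidateCode(pub, "Cracking Tutorial", "999999999")) // false
	fmt.Println(ValidateCode(pub, "Someone Else", code)) // false
}
```

Patching the jne in ValidateCode's caller still works, of course; the point is that memory sniffing at the compare no longer yields a reusable code.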
The Crack
None required.

If you intend on using this program beyond its evaluation period then please BUY IT!
Final Notes
Surely this program is not THAT easy to *crack*! Well, yes it was, so it doesn't really matter if the programmer used a 100-digit serial number to register this program with; we can always sniff it out with relative ease.

My thanks and gratitude goes to:-
Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
+ORC for showing me the light at the end of the tunnel.
Ob Duh
Do I really have to remind you all that by buying and NOT stealing the software you use, you will ensure that these software houses are encouraged to produce even *better* software for us to use and enjoy.

Ripping off software through serials and cracks is for lamers.
If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.


Essay by:          The Sandman
Page Created: 14th August 1998