Cracking Tutorial for Close Popup 4.0

Target Program: Close Popup 4.0
Description: Close Popup closes the PopUp-Windows from Geocities, Tripod and other Web-Hosting-Services.
Location: CPOPUP4.ZIP (the version used in this tut) - 31 KB
Close Popup Site:
Protection: Name / Serial #
Tools needed: - SoftICE 3.24
Ob duh: Do I really have to remind you all that by BUYING and NOT stealing the software you use will ensure that these software houses will continue to produce even *better* software for us to use and more importantly, to continue offering even more challenges to breaking their often weak protection systems.
BTW, It's illegal to use cracked Software!

If you're looking for cracks or serial numbers from these pages then your wasting your time, try to search elsewhere on the Web under Warez, Cracks, etc.
Info: Brand and product names are trademarks or registered trademarks of their respective holders.
Level: (X)Beginner ( )Intermediate ( )Advanced ( )Expert

In my 19th essay I taught you how to crack a Visual Basic program by using SmartCheck. This time I'll teach you how to crack a Visual Basic program using SoftICE. I've used this technique on quite a lot of Visual Basic 5 programs - and mostly it works perfectly (there were some exceptions of course). Before we can start our Cracking Session, make sure you've the a line like "EXP=C:\WINDOWS\MSVBVM50.DLL" in your WINICE.DAT - then let's start our Cracking Session:
After you've started Close Popup and pressed the "Register"-Button, a dialog box asking for a "User Name" and "Registration Code" get's displayed. As "User Name", enter "Cracking Tutorial" - and as "Registration Code" enter "12345". Then enter SoftICE and set a BPX to HMEMCPY; leave SoftICE and press the "OK"-Button. Now SoftICE will pop up. Clear that HMEMCPY breakpoint and press F12 until you reach the code located in MSVBVM50.DLL. Now use another great feature of SoftICE - the memory search. Now let's search for the Visual Basic 5 String Compare routine, which looks like the following:

:0F00D9EA  56                  PUSH    ESI
:0F00D9EB  57                  PUSH    EDI
:0F00D9EC  8B7C2410            MOV     EDI,[ESP+10]
:0F00D9F0  8B74240C            MOV     ESI,[ESP+0C]
:0F00D9F4  8B4C2414            MOV     ECX,[ESP+14]
:0F00D9F8  33C0                XOR     EAX,EAX
:0F00D9FA  F366A7              REPZ     CMPSW
:0F00D9FD  7405                JZ      0F00DA04
:0F00D9FF  1BC0                SBB     EAX,EAX
:0F00DA01  83D8FF              SBB     EAX,-01
:0F00DA04  5F                  POP     EDI
:0F00DA05  5E                  POP     ESI
:0F00DA06  C20C00              RET     000C

We must search this part of the code if we look for the Visual Basic 5 String Compare routine. So we need to look for "56, 57, 8B, 7C, 24, 10, 8B, 74, 24, 0C, 8B, 4C, 24, 14" - but why to search for such a "long" part of the code? Well, if we don't look for that "long" part of the Code, we would find several other addresses which are not interesting for us. So you may edit your WINICE.DAT and edit the Alt-F4 key, which is nearly never used, to the following:
AF4="^S 0 L FFFFFFFF 56,57,8B,7C,24,10,8B,74,24,0C,8B,4C,24,14"
Then every time we're looking for the Visual Basic 5 string compare routine, we can just press ALT-F4 and we get the address. Then we BPX on that address. Then we can check what's compared and if our fake serial # get's compared to the right one, we can simply sniff out the real serial #.
But before we can use our "Hotkey", we must reboot, since we changed the WINICE.DAT so do this now. Then enter the same registration details as before and set a BPX to HMEMCPY. Then press the "OK"-Button. Delete that BPX HMEMCPY and press F12 until you reached the Visual Basic 5 code. Then just press "Alt-F4". SoftICE will now display something like the following:
Pattern found at 013F:0F00D9EA (0F00D9EA)
So just set a BPX to 0F00D9EA and leave SoftICE. SoftICE will now pop up at the string compare function. Just have a look at ESI and EDI (at e. g. 0F00D9E4) to check what's checked. First EDI will contain "TEX98" and ESI will contain "CRACKING TUTORIAL" - so our User Name get's compared with "TEX98" (the name of someone who has been blacklisted). We're *not* interested in that, so leave SoftICE. As SoftICE pops up "UNREGISTERED" and "Cracking Tutorial" are compared to see if we've changed that (it was the start text as the dialog box was displayed). We're also *not* interested in that, so leave SoftICE. SoftICE pops up again - and this time "12345" and "16558gVX`^c\`Ijidg^Va" are compared.
So let's try "16558gVX`^c\`Ijidg^Va" as Registration Code - and voilla - you get the "Thank you!"-dialog.
So you can Reverse Engineer a lot of Visual Basic 5 programs in less than 60 seconds:
1) enter the registration details
2) set a BPX to HMEMCPY
3) press the "OK"-Button
4) press F12 until you're in the Visual Basic 5 code
5) delete the HMEMCPY breakpoint
6) press ALT-F4
7) BPX to the address SoftICE displayed
8) sniff out the real code
BTW, your registration info is stored at
"HKEY_CURRENT_USER/Software/VB and VBA Program Settings/Take a Hike Software/Close Popup"
- so just delete the "User" and "Code" key and you can Reverse Engineer it again
Another target has been Reverse Engineerd. Any questions (no crack requests)?


If you're USING Close Up BEYOND it's FREE TRIAL PERIOD, then please BUY IT.

Copyright © 1999 by TORN@DO and The Immortal Descendants. All Rights Reserved.