Tutorial #2

tARGET pROGRAM:                   JPEG Optimizer 3.07

pROTECTION:                           Registration Code that is hard-coded

cure:                                        Registration Code

uRL:                                         http://www.xat.com/

pROGRAM sIZE :                       385 KB

tOOLS uSED:                            - W32Dasm 8.93

- SoftICE 4.01 (Optional)

dESCRIPTION:                          JPEG Optimizer is designed to create the smallest possible JPEG image files; savings of up to 50% in file size are possible,

which can considerably decrease web page download times and save disk space.

cOMPILED bY:                          Borland C++

rEGISTRATION fEE:                   $29

Hi again! I hope you will enjoy my second TuT and that it helps you learn more!

This cracking tutorial is for beginners. I'll show you how to find a serial using W32Dasm.


¶¦¬| Register The Program


Install the program.


Live Approach:

Run it! In the main window caption we see the #1 magic word, "UNREGISTERED". Now go to Help/Register and enter a fake registration code; I entered 11223344. DO NOT PRESS ANYTHING YET. Press CTRL-D to pop up SoftICE and type bpx GetDlgItemTextA to break when that function is called, then CTRL-D again (or F5) to return to JO. Click "Register!" and we get the message "Incorrect registration code", but SoftICE never popped up: nothing happened. So CTRL-D again, and this time type bpx GetWindowTextA. F5, click "Register!", and again nothing happens. It seems the program doesn't fetch the text through either of those API calls (you can confirm that later from the Imports list in W32Dasm). We could break on hmemcpy instead, but walking out of it takes a lot of time, about 19 presses of F12 and several F10 hits, so type bc * in SoftICE to clear all breakpoints, then x to leave.


Dead Listing Approach:

So let's switch to the dead listing approach. Launch W32Dasm, disassemble the program, and search the string data references for the message "Incorrect registration code". We don't find it :( so search instead for any string related to registration, and we find...

 " - Unregistered", with one reference. Double-click on it:


* Possible StringData Ref from Data Obj ->" - Unregistered"       <---  We land here.


:00404759 BABF864700          mov edx, 004786BF

:0040475E 8D8568FFFFFF        lea eax, dword ptr [ebp+FFFFFF68]

:00404764 E8DB460400          call 00448E44

:00404769 FF8548FFFFFF        inc dword ptr [ebp+FFFFFF48]

:0040476F 33C0                xor eax, eax

:00404771 898564FFFFFF        mov dword ptr [ebp+FFFFFF64], eax

:00404777 8D9568FFFFFF        lea edx, dword ptr [ebp+FFFFFF68]

:0040477D FF8548FFFFFF        inc dword ptr [ebp+FFFFFF48]

:00404783 8D8D64FFFFFF        lea ecx, dword ptr [ebp+FFFFFF64]

:00404789 58                  pop eax

:0040478A E86C490400          call 004490FB


 As always, we look just before that reference for the CCJ pattern (Call + Compare + Jump), so scroll up a little to understand what is done before it, and...



* Referenced by a (U)nconditional or (C)onditional Jump at Address:<-- we are here



:00404719 51                      push ecx

:0040471A E8C5570200              call 00429EE4       C  <-- Call

:0040471F 59                      pop ecx

:00404720 84C0                    test al, al         C  <-- Test: AL is the result returned by the call

:00404722 0F85E8010000            jne 00404910        J  <-- Jump if AL != 0 (registered); falling through leads to " - Unregistered"

:00404728 66C7853CFFFFFFA001      mov word ptr [ebp+FFFFFF3C], 01A0

:00404731 33C0                    xor eax, eax

:00404733 89856CFFFFFF            mov dword ptr [ebp+FFFFFF6C], eax

:00404739 8D956CFFFFFF            lea edx, dword ptr [ebp+FFFFFF6C]

:0040473F FF8548FFFFFF            inc dword ptr [ebp+FFFFFF48]

:00404745 8B3D98434800            mov edi, dword ptr [00484398]

:0040474B 8BC7                    mov eax, edi

:0040474D E85ADC0300              call 004423AC

:00404752 8D956CFFFFFF            lea edx, dword ptr [ebp+FFFFFF6C]

:00404758 52                      push edx


As crackers, we conclude that the call at 0040471A is the one we're after. Let's verify that by following the call:



* Referenced by a CALL at Addresses:

|:0040471A , :00429355     <-- This procedure is called twice


:00429EE4 55                      push ebp                        <-- We land here

:00429EE5 8BEC                    mov ebp, esp

:00429EE7 83C4F8                  add esp, FFFFFFF8               <-- Reserve 8 bytes of locals (room for the 6-byte copy)

:00429EEA 53                      push ebx

:00429EEB 8B4508                  mov eax, dword ptr [ebp+08]     <-- Pointer to our serial (the argument pushed at 00404719) into EAX

:00429EEE 8D5DF8                  lea ebx, dword ptr [ebp-08]     <-- EBX = the local buffer the serial is copied into

:00429EF1 8A10                    mov dl, byte ptr [eax]    --\

:00429EF3 8813                    mov byte ptr [ebx], dl      \

:00429EF5 8A4801                  mov cl, byte ptr [eax+01]    \

:00429EF8 884B01                  mov byte ptr [ebx+01], cl     \

:00429EFB 8A5002                  mov dl, byte ptr [eax+02]      \

:00429EFE 885302                  mov byte ptr [ebx+02], dl       \  Duplicates our

:00429F01 8A4803                  mov cl, byte ptr [eax+03]       /  serial into EBX

:00429F04 884B03                  mov byte ptr [ebx+03], cl      /

:00429F07 8A5004                  mov dl, byte ptr [eax+04]     /

:00429F0A 885304                  mov byte ptr [ebx+04], dl    /

:00429F0D 8A4005                  mov al, byte ptr [eax+05]   /

:00429F10 884305                  mov byte ptr [ebx+05], al --/

:00429F13 0FBE0B                  movsx ecx, byte ptr [ebx]       <-- Put our 1st char in ECX

:00429F16 51                      push ecx                        <-- Save our 1st char

:00429F17 E86C590400              call 0046F888                   <-- Upcase our 1st char (so it's expected to be a letter)

:00429F1C 59                      pop ecx                         <-- Restore our 1st Letter

:00429F1D 83F841                  cmp eax, 00000041          (1)  <-- Compare it with the 1st letter of the real serial

:00429F20 7547                    jne 00429F69                    <-- If not equal then jump to Unregistered

:00429F22 0FBE4301                movsx eax, byte ptr [ebx+01]    <-- Put our 2nd char in EAX

:00429F26 50                      push eax                        <-- Save our 2nd char

:00429F27 E85C590400              call 0046F888                   <-- Upcase our 2nd char (so it's expected to be a letter)

:00429F2C 59                      pop ecx                         <-- Restore our 2nd Letter

:00429F2D 83F859                  cmp eax, 00000059          (2)  <-- Compare it with the 2nd letter of the real serial

:00429F30 7537                    jne 00429F69                    <-- If not equal then jump to Unregistered

:00429F32 0FBE5302                movsx edx, byte ptr [ebx+02]    <-- Put our 3rd char in EDX

:00429F36 83FA38                  cmp edx, 00000038          (3)  <-- Compare it with the 3rd char of the real serial (no upcasing, so it looks like a digit)

:00429F39 752E                    jne 00429F69                    <-- If not equal then jump to Unregistered

:00429F3B 0FBE4B03                movsx ecx, byte ptr [ebx+03]    <-- Put our 4th char in ECX

:00429F3F 83F931                  cmp ecx, 00000031          (4)  <-- Compare it with the 4th char of the real serial (looks like a digit)

:00429F42 7525                    jne 00429F69                    <-- If not equal then jump to Unregistered

:00429F44 0FBE4304                movsx eax, byte ptr [ebx+04]    <-- Put our 5th char in EAX

:00429F48 83F832                  cmp eax, 00000032          (5)  <-- Compare it with the 5th char of the real serial (looks like a digit)

:00429F4B 751C                    jne 00429F69                    <-- If not equal then jump to Unregistered

:00429F4D 0FBE5305                movsx edx, byte ptr [ebx+05]    <-- Put our 6th char in EDX

:00429F51 83FA34                  cmp edx, 00000034          (6)  <-- Compare it with the 6th char of the real serial (looks like a digit)

:00429F54 7513                    jne 00429F69                    <-- If not equal then jump to Unregistered

:00429F56 C705284B48001443FC69    mov dword ptr [00484B28], 69FC4314   <-- All six matched: store a marker value in a global

:00429F60 E8B7AAFDFF              call 00404A1C

:00429F65 B001                    mov al, 01                           <-- Return AL = 1 (registered); this is what "test al, al" at 00404720 checks

:00429F67 EB1B                    jmp 00429F84                         <-- Skip the failure path at 00429F69 and return


Kewl! So:

1st : the check looks at exactly six characters of the serial.

2nd : the 1st and 2nd characters are letters (compared after upcasing, so their case doesn't matter), and the other four are digits. So here it is:


         (1)   (2)   (3)   (4)   (5)   (6)

Hex      41    59    38    31    32    34

ASCII    A     Y     8     1     2     4


It looks like there is one universal serial. Enter it and go to About: it says the #2 magic word, "REGISTERED". I'll leave the keygen to you, and if you write one, please send it to me :). For the final touch, here is a freeware called Ascii Table that can help you a lot. Download it.
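To make the logic of the routine at 00429EE4 concrete, here is an added C example. It is my code, not code from JPEG Optimizer or from this tutorial. It does two things: it reimplements the check exactly as the listing reads (copy six bytes, upcase the first two, compare byte by byte against the immediates), and it recovers the serial from the raw opcode bytes by scanning for "83 /7 ib" (cmp r32, imm8) followed by "75 rel8" (jne short), which is the pattern the six compares above share. The byte array is transcribed from the hex column of the listing between 00429F13 and 00429F54; the reading of 0046F888 as an upcase routine is the tutorial's; and the rejection of inputs shorter than six bytes is my assumption, since the original copies six bytes regardless.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reimplementation of the routine at 00429EE4 as the listing reads:
 * six bytes of the input are copied to a local buffer ([ebp-08]),
 * the first two are upcased (call 0046F888, read as toupper in the
 * tutorial), and every byte is compared against an immediate.
 * Returns 1 (AL = 1) when all six match, 0 otherwise. */
int check_serial(const char *input)
{
    static const char expect[6] = { 'A', 'Y', '8', '1', '2', '4' };
    char buf[6];

    /* Assumption for this example: the original copies six bytes
     * unconditionally; reading past the terminator is undefined in C,
     * so a short input is rejected here instead. */
    if (strlen(input) < 6)
        return 0;
    memcpy(buf, input, 6);

    for (int i = 0; i < 6; i++) {
        int c = (unsigned char)buf[i];
        if (i < 2)                    /* only chars 1 and 2 go through the upcase call */
            c = toupper(c);
        if (c != expect[i])           /* cmp reg, imm8 ; jne 00429F69 */
            return 0;
    }
    return 1;                         /* mov al, 01 */
}

/* Constructed input: the hex column of the listing, 00429F13..00429F54. */
static const uint8_t CHECK_BYTES[] = {
    0x0F,0xBE,0x0B, 0x51, 0xE8,0x6C,0x59,0x04,0x00, 0x59, 0x83,0xF8,0x41, 0x75,0x47,
    0x0F,0xBE,0x43,0x01, 0x50, 0xE8,0x5C,0x59,0x04,0x00, 0x59, 0x83,0xF8,0x59, 0x75,0x37,
    0x0F,0xBE,0x53,0x02, 0x83,0xFA,0x38, 0x75,0x2E,
    0x0F,0xBE,0x4B,0x03, 0x83,0xF9,0x31, 0x75,0x25,
    0x0F,0xBE,0x43,0x04, 0x83,0xF8,0x32, 0x75,0x1C,
    0x0F,0xBE,0x53,0x05, 0x83,0xFA,0x34, 0x75,0x13,
};

/* Scan for "83 F8..FF ib" (cmp r32, imm8: opcode 83, ModRM with mod=11
 * and reg=/7) immediately followed by "75 rel8" (jne short), and collect
 * the imm8 bytes in order. This is a byte-pattern heuristic, not a
 * disassembler: it works here because every compare in the routine has
 * that exact shape. Returns the number of immediates found. */
size_t extract_cmp_jne_imm8(const uint8_t *code, size_t len, char *out, size_t outsz)
{
    size_t n = 0;
    for (size_t i = 0; i + 4 < len; i++) {
        if (code[i] == 0x83 && code[i + 1] >= 0xF8 && code[i + 3] == 0x75) {
            if (n + 1 < outsz)
                out[n] = (char)code[i + 2];
            n++;
            i += 4;                   /* step over imm8 and the jne rel8 */
        }
    }
    if (outsz)
        out[n < outsz ? n : outsz - 1] = '\0';
    return n;
}

/* Convenience wrapper: the serial recovered from CHECK_BYTES. */
const char *recovered_serial(void)
{
    static char out[16];
    extract_cmp_jne_imm8(CHECK_BYTES, sizeof CHECK_BYTES, out, sizeof out);
    return out;
}

int main(void)
{
    const char *tries[] = { "11223344", "AY8124", "ay8124", "AY8124-trailing-junk", "AY812" };
    printf("serial pulled from the compare immediates: %s\n", recovered_serial());
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("%-22s -> %s\n", tries[i], check_serial(tries[i]) ? "REGISTERED" : "Incorrect");
    return 0;
}
```

Two consequences of the listing are easy to miss when reading it by hand and show up immediately when you run this: the first two characters are accepted in either case, so "ay8124" passes as well as "AY8124", and nothing after the sixth byte is ever looked at, so "AY8124" followed by anything at all passes too.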


¶¦¬| Ending:


Well, that's that. I hope you could follow it all. For any comments, or if there's anything I didn't explain well, don't hesitate to mail me at: tBS@iquebec.com.




Greetingz to:

tKC , Northpole , Styx2000 , WaVeR`, DyNoBrEmO , Ivanopulo , rEd , schUmU , DaVinci , Nitallica , LagPRO , Socko , Fli7e , DnNuke, TDVFR ,