by : OCHE SATRIANI
Before you start cracking, it is important to know which programming language the
program was written in, because that decides which cracking tools you will need.
If the program is written in Visual Basic you will want SmartCheck. In this case the
program is written in Borland C++ by Patrik Nilsson. The code has plenty of bugs
and the protection is weak. In fact you can use this program more than 50 times
without cracking it at all, because the trial counter is kept in the registry:
just delete the key in RegEdit.
OK, let's start ....
(Before you start, disassemble SITEBUI~1.EXE with W32DASM.)
Go to the registration dialog and enter the name 'OCHE SATRIANI ' and the
code '12345678901234567890'.
Click the OK button and you get an error message saying: 'I'm sorry but you wrote the wrong serial number!'
You could try to find this with W32DASM alone, but if you go to String Data References
and search for the error message, you get a lot of matches and it is not obvious which one is the live check.
Don't get confused; SoftICE will sort this out.
Remember that there is a beep when you enter a wrong code, so set a breakpoint on it:
BPX MESSAGEBEEP
With the breakpoint set, press the OK button in the registration dialog and
you land in SoftICE right at MessageBeep. Press F11 to return to the caller and write down the offset:
Call 004E3D7E -----> CALL MESSAGEBEEP
:0040AE77 6A00 push 00000000 -----> after you press F11 you'll be here
Write this offset down (0040AE77).
Now W32DASM makes the rest simple:
go to that address by pressing SHIFT+F12 (Goto Code Location) and entering the offset
(in my case 0040AE77).
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040AD55(C)
:0040AE70 6A00 push 00000000
* Reference To: USER32.MESSAGEBEEP, Ord:0000h
:0040AE72 E8078F0D00 Call 004E3D7E
:0040AE77 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"I'm sorry but you wrote the wrong "
Very interesting ...
This bad-message block is reached by a conditional jump from 0040AD55, so go to that code location!
:0040AD4D E832390600 call 0046E684 --------------> remember this offset
:0040AD52 59 pop ecx
:0040AD53 84C9 test cl, cl
:0040AD55 0F8415010000 je 0040AE70 ----------> the bad jump: taken when CL == 0, i.e. wrong serial
What happens inside the call 0046E684?
:0046E684 55 push ebp
:0046E685 8BEC mov ebp, esp
:0046E687 51 push ecx
:0046E688 53 push ebx
:0046E689 56 push esi
:0046E68A 8BF2 mov esi, edx
:0046E68C 8945FC mov dword ptr [ebp-04], eax
:0046E68F 837DFC00 cmp dword ptr [ebp-04], 00000000
:0046E693 7419 je 0046E6AE
:0046E695 8B45FC mov eax, dword ptr [ebp-04] ---------->>>>>> the interesting part is here
After you trace over mov eax, dword ptr [ebp-04], EAX holds the first argument again, and it leads to the real serial number.
Type D EAX in SoftICE. In my case the first four bytes are 5C 9C 9A 00: a pointer stored little-endian (low byte first), so the address is 009A9C5C.
Now dump that address: type D 009A9C5C.
There you see your dummy code and the real one .....................................
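The two things the trace above relies on, reading a little-endian pointer out of a SoftICE dump and a compare routine that hands back its verdict in CL with the real serial sitting in clear text next to the one you typed, are modelled here as an added example. This is not the program's own code and not the author's: the compare structure, the sample serial 'ABCD-EFGH' and the hashed variant at the end are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Read the first dword from a SoftICE-style byte dump such as "5C 9C 9A 00"
 * and rebuild it as a little-endian value: the low byte is stored first,
 * so these four bytes are the pointer 0x009A9C5C.
 * Returns 0 when fewer than four valid hex bytes are present. */
uint32_t le32_from_dump(const char *dump)
{
    uint32_t value = 0;
    const char *p = dump;
    for (int i = 0; i < 4; i++) {
        char *end;
        unsigned long byte = strtoul(p, &end, 16);   /* skips the blanks between bytes */
        if (end == p || byte > 0xFF)
            return 0;                                /* malformed or truncated dump line */
        value |= (uint32_t)byte << (8 * i);
        p = end;
    }
    return value;
}

/* Model of the compare routine called at 0040AD4D (assumed structure, not the
 * program's own code): both serials live in memory in clear text and a plain
 * string compare decides. The result goes back in CL, which is why the caller
 * does "test cl, cl / je bad". Anyone breaking inside and dumping the second
 * argument reads the real serial straight out of memory. */
char check_serial_plaintext(const char *entered, const char *real)
{
    return (char)(strcmp(entered, real) == 0);
}

/* The caller as seen at 0040AD52..0040AD55: CL == 0 takes the jump to
 * 0040AE70 (MessageBeep plus the "wrong serial number" box). */
int registration_accepted(const char *entered, const char *real)
{
    char cl = check_serial_plaintext(entered, real);
    if (!cl)
        return 0;   /* je 0040AE70: beep + error message */
    return 1;
}

/* Hardened variant (assumption, not in the original program): keep only a
 * 32-bit FNV-1a hash of the valid serial, so a dump of the compare's
 * arguments shows a digest instead of the serial itself. */
uint32_t fnv1a32(const char *s)
{
    uint32_t h = 0x811C9DC5u;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 0x01000193u;
    }
    return h;
}

char check_serial_hashed(const char *entered, uint32_t real_hash)
{
    return (char)(fnv1a32(entered) == real_hash);
}

int main(void)
{
    /* Constructed inputs: the dump from the text and an assumed real serial. */
    const char *dump  = "5C 9C 9A 00";
    const char *real  = "ABCD-EFGH";
    const char *dummy = "12345678901234567890";

    printf("D EAX shows %s -> pointer %08X\n", dump, le32_from_dump(dump));
    printf("plaintext check, dummy code: %d\n", registration_accepted(dummy, real));
    printf("plaintext check, real code : %d\n", registration_accepted(real, real));
    printf("hashed check, dummy code   : %d\n",
           check_serial_hashed(dummy, fnv1a32(real)));
    return 0;
}
```

The hashed form only removes the clear-text key from memory; a short serial is still brute-forceable against a 32-bit hash, and the single branch at 0040AD55 remains the point where the verdict is taken, which is a separate weakness from the one this tutorial fishes out.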
[READER]: How can I make SoftICE break on this call 0046E684?
[OCHE]: Easy. Do you remember the offset? In my case 0040AD4D.
Type BPX 0040AD4D, then press F8 to step into the call.
[READER]: It doesn't work??????????
[OCHE]: Try BPX MESSAGEBEEP first and then BPX 0040AD4D. If it still doesn't work,
try again and again, because it needs time to load in SoftICE.
Trust me, it will work!
Or, for another easy way, try Turbo Debugger!
OE'97 ITS 4397100xxx