http://www.webcom.com/vulcan - Webpage.
http://www.wco.com/~micuan/Targets/vnotes21.zip - (270k).
This is a another recommended tutorial for people looking to make their very first steps with reverse engineering. I am always on the look out for small applications such as this, which are useful to help people get started. This version of Vulcan Notes is also in excess of 2 years old and therefore the publishing of this tutorial is highly unlikely to damage the author financially. Vulcan Notes uses a user name / serial # protection, this tutorial will show you how to find a valid serial # using SoftICE, when you have learnt more about ASM / reversing and key generators you can attempt to understand the mechanism.
The first thing to do is locate the registration option accessible from the Register menu. When the input box shown below appears you should enter your own 'handle' and a fake registration code of your own choice.
The next thing we'll do his set some breakpoints, a lot of new reversers often ask "how do you know which breakpoint to use?", the answer is usually a matter of trial and error. Push Ctrl+D to enter SoftICE, type bpx Hmemcpy on the command line (press enter). Now return to Windows using Ctrl+D. As soon as you press the OK button on the registration window SoftICE will fire. On the first trigger press F11. As we have 2 dialog items to retrieve you should press Ctrl+D and F11 once again.
If you've managed this correctly you'll be inside SoftICE looking at the module User. The code should look like this below, the code segment part however (17C7) most probably will be different.
17C7:0B45 PUSH WORD PTR [DI] <-- you'll be here. 17C7:0B47 CALL KERNEL!LOCALUNLOCK 17C7:0B4C MOV AX,SI 17C7:0B4E POP SIThe objective now is to allow the code to continue until we reach the application code (vnotes95.exe) in this instance. The quick way to achieve this is by using the F12 (P RET) key which executes until it reaches a RET instruction, stopping immediately afterwards but first we need to disable our breakpoint by typing bd *. When you have reverse engineered many programs you'll get a feel for the number of F12's to press, most applications require between 6 & 12. With Vulcan Notes you'll need 6 to reach the application but a further 5 to find anything interesting (11 in total).
The reason why you need 5 extra F12's is fairly obvious, the next RET instructions on each of these breaks is never more than 5 lines away, code such as POP EDI, POP ESI is not interesting. This is the section that is interesting (once again note that the code segment (0137) may not be the same on your machine).
0137:00464FFE MOV EAX,[EBP-10] <-- 'd eax' shows serial # entered. 0137:00465001 LEA EDX,[EBP-14] 0137:00465004 CALL 00405A70 0137:00465009 MOV EAX,[EBP-14] <-- 'd eax' once again shows serial # entered. 0137:0046500C PUSH EAX <-- push the entered serial # on the stack. 0137:0046500D LEA EDX,[EBP-10] 0137:00465010 MOV EAX,[EBP-04] 0137:00465013 MOV EAX,[EAX+000001B8] 0137:00465019 CALL 00414F00 0137:0046501E MOV EAX,[EBP-10] <-- 'd eax' shows the user name. 0137:00465021 LEA EDX,[EBP-18] 0137:00465024 CALL 00464DF0 <-- this is the calculation routine. 0137:00465029 MOV EDX,[EBP-18] <-- F10 to this point. 0137:0046502C POP EAX <-- The code you entered retrieved from the stack. 0137:0046502D CALL 004036DC <-- This call will compare the codes. 0137:00465032 JNZ 00465208 <-- Check.Now use your F10 key to single-step through the code line by line until the highlight bar reaches 0046502C.
If you now type d edx you'll be able to read the good code from the data window. This is the simplest crack you will ever do, it is known as the "snatch" technique, you obviously have gained no knowledge of how the program generated this code, you know only the result for your own handle, now try some other shareware from your archives.
[CrackZ / 747814678818532]
In your own time, try using the F8 key to trace instead of F10, this means that when you step over a call instruction you will enter the call as opposed to executing it. The algorithm requires fairly good knowledge of ASM and FPU instructions so don't be disappointed if you don't understand it. Work out how the program tracks your newly acquired registered status (RegMon may be of assistance).
Back to Main Index, New Reversers.
xxxxxxx:10005713x 8D8C24D8000000xx LEAxxxx ECX,[ESP+000000D8]
xxxxxxx If you dump (d ecx) this: LEA....ECX, you will find the unlockingcode.
Step12. Go to the line:
xxxxxxxType: d 100030F40 => 1234567890, this is our fake serial!
Step13. Ok, we have found the serial...BUT WE WHANT TO FIND THE PUSH....RIGHT!!
xxxxxxxType: d ecx => This is the valid Unlockingcode!
Step17. Now type: bc * (to delete all breakpoints).
Step18. Press 'Ctrl' and 'D' to leave softice and try your
xxxxxxx unlocking code. Wow!!!!!!.......You have just cracked Norton AntiVirus
The information in this essay is for educational purpose only!
You are only allow tocrack, reverse engineer, modify code and debugg programs that you legaly bought andthen for personal use only!!
To ignore this warning is a criminell act and can result in lawful actions!
So please note!
I take noresponebility for how you use the information in this essay, i take NO responebilityfor what might happen to you or your computer! You use this information on your own risk!!
What i mean is: Please buy the software!