Cracking Tutorial for Dictionary for Windows 4.2
Defeating a common serial scheme

 
 


Target Program: Dictionary for Windows 4.2
Description: Dictionary is a small and handy program to translate a words. You can add new words to the dictionary.
Location: http://members.xoom.com/LapotSoft
Protection: Name/Company/Serial
Tools needed: - SoftICE 3.24
Ob duh: Do I really have to remind you all that by BUYING and NOT stealing the software you use will ensure that these software houses will continue to produce even *better* software for us to use and more importantly, to continue offering even more challenges to breaking their often weak protection systems.
BTW, It's illegal to use cracked Software!

 
If you're looking for cracks or serial numbers from these pages then your wasting your time, try to search elsewhere on the Web under Warez, Cracks, etc.
Info: Brand and product names are trademarks or registered trademarks of their respective holders.
Level: (X)Beginner ( )Intermediate ( )Advanced ( )Expert

Someone had real problems cracking this program and as the file size of the program was OK, I decided to have a quick look at it. I didn't think getting the serial number should be a big problem. Coding a KeyGEN for this should also be no problem. This *isn't* a KeyGEN tutorial, since I'm very VERY BUSY at the moment.

Well, first of all we need to enter some fake registration details. The program was soo good and filled my WINDOWS REGISTRATION information in automatically. Now we only have to fill in a Product Number. The product number already filled in looks like WDx.x-xxxxx-xxxxx. So the author gave us the information how the good code must look like. Well I also noticed the information Product Number is valid for any future versions of this program!

Well the version is 4.2 so I assumed the Product Number should be WD4.2-xxxxx-xxxxx ... and as you can find out on your own this is true. If it isn't 4.2, then you're just registered for a LIMITED TIME and the NAG at startup still pops up. However the good code is still the same - you just have to replace the number and version (x.x) with 4.2!

I enterd WD4.2-12345-67890 as fake registration code and set a BPX to HMEMCPY. Then I pressed OK. SoftICE popped up. Since there were 3 input fields, I skipped the first two pop ups. Then I pressed F12 until I reached the following code snippet:

 
  :0040797E    LEA     EDX,[EBP-10]
  :00407981    MOV     EAX,0045E40C
  :00407986    CALL    00450B94
  :0040798B    DEC     DWORD PTR [ESI+1C]
  :0040798E    LEA     EAX,[EBP-10]
  :00407991    MOV     EDX,00000002
  :00407996    CALL    00450B64
  :0040799B    CALL    00407608
  :004079A0    TEST    EAX,EAX                        ; is serial ok?
  :004079A2    JNZ     00407AE0                       ; if not => JMP

A scheme like this is very common. Some CALLs and then a JZ/JNZ instruction. To find the good serial you normally just have to trace into the CALL before the JZ/JNZ instruction - and that was it. And in this program that's also the case. Tracing in the CALL, you'll get the following code snippet:

  :00407608    PUSH    EBX
               ...
  :00407618    CALL    00450CE8                      ; get length of serial
  :0040761D    CMP     EAX,06                        ; serial 6 chars long
  :00407620    JLE     00407665
               ...
  :0040666A    CALL    00450CE8                      ; get length of name
  :0040766F    CMP     EAX,02                        ; name 2 chars long
  :00407672    JLE     004076B2
               ...
  :004076BC    MOVSX   EAX,BYTE PTR [ESI]            ; move char[counter] in EAX
               ...
  :004076CB    MOVSX   EDX,BYTE PTR [ESI]            ; move char[counter] in EDX
  :004076CE    PUSH    EDX
  :004076CF    CALL    004499C4                      ; convert to lower case
  :004076D4    POP     ECX
  :004076D5    MOVZX   ECX,DI
  :004076D8    IMUL    ECX,[004551D4]                ; DI * 15h
  :004076DF    MOVZX   EDX,DI
  :004076E2    IMUL    ECX,EDX                       ; ECX * EDX
  :004076E5    ADD     AX,CX                         ; add result to AX
  :004076E8    ADD     DI,AX                         ; add result of this loop to DI
  :004076EB    INC     EBX                           ; chars done + 1
  :004076EC    INC     ESI                           ; counter + 1
  :004076ED    PUSH    ESP
  :004076EE    CALL    00444C00
  :004076F3    POP     ECX
  :004076F4    CMP     EBX,EAX                       ; did all chars?
  :004076F6    JB      004077BC                      ; if not => JMP
  :004076F8    MOV     EAX,0045E408
  :004076FD    CALL    00450CE8                      ; get length of company
  :00407702    TEST    EAX,EAX                       ; no company enterd?
  :00407704    JZ      00407744                      ; if so => JMP
               ...
  :0040774E    MOVSX   EAX,BYTE PTR [ESI]            ; move char[counter] in EAX
               ...
  :0040775D    MOVSX   EDX,BYTE PTR [ESI]            ; move char[counter] in EDX
  :00407760    PUSH    EDX
  :00407761    CALL    004499C4
  :00407766    POP     ECX
  :00407767    MOVZX   ECX,BP
  :0040776A    IMUL    ECX,[004551D4]                ; ECX * 15h
  :00407771    MOVZX   EDX,BP
  :00407774    IMUL    ECX,EDX                       ; ECX * EDX
  :00407777    SUB     AX,CX                         ; substract result from AX
  :0040777A    ADD     BP,AX                         ; add result of this loop to BP
  :0040777D    INC     EBX                           ; chars done + 1
  :0040777E    INC     ESI                           ; counter + 1
  :0040777F    PUSH    ESP
  :00407780    CALL    00444C00
  :00407785    POP     ECX
  :00407786    CMP     EBX,EAX                       ; did all chars?
  :00407788    JB      0040784E                      ; if not => JMP
  :0040778A    MOVZX   EAX,BP                        ; get result for company in EAX (NR)
  :0040778D    MOVZX   ECX,DI                        ; get result for name in ECX    (CR)
  :00407790    PUSH    EAX
  :00407791    PUSH    ECX
  :00407792    PUSH    00455288
  :00407797    LEA     EAX,[ESP+0C]
  :0040779B    PUSH    EAX
  :0040779C    CALL    0044809C                      ; format serial: NR-CR
  :004077A1    ADD     ESP,10
  :004077A4    LEA     EAX,[ESP+40]                  ; get enterd serial
  :004077A8    MOV     EDX,ESP                       ; get real serial
  :004077AA    MOV     CL,[EAX]                      ; get part of fake serial
  :004077AC    CMP     CL,[EDX]                      ; part of serial correct?
  :004077AE    JNZ     004077C6                      ; if not => JMP
  :004077B0    TEST    CL,CL
  :004077B2    JZ      004077C6
  :004077B4    MOV     CL,[EAX+01]                   ; get part of fake serial
  :004077B7    CMP     CL,[EDX+01]                   ; part of serial correct?
  :004077BA    JNZ     004077C6                      ; if not => JMP
  :004077BC    ADD     EAX,02
  :004077BF    ADD     EDX,02
  :004077C2    TEST    CL,CL                         ; checked complete serial?
  :004077C4    JNZ     004078AA                      ; if not => JMP
  :004077C6    SETNZ   DL                            ; set flag

With the help of the comments in the code snippet you can understand the calculations for your serial. You can use this knowledge to code a KeyGEN if you have enough free time. The serial for the name PIRATED COPY and the company name CR@CKING TUTORI@L is WD4.2-16337-50000 - just for you to check your KeyGEN!

Another target has been Reverse Engineerd. Any questions (no crack requests)?

 
If you're USING Dictionary for Windows BEYOND it's FREE TRIAL PERIOD, then please BUY IT.


Copyright © 1999 by TORN@DO and The Immortal Descendants. All Rights Reserved.

s set the