January 1999
"Datemind 1.2"
Serial catching
Win Code Reversing
by Skyfox 
Code Reversing For Beginners 
Program Details
Program Name: datemind.zip
Program Type: Event Manager
Program Location: Here 
Program Size: 112K 
Tools Used:
 Softice V3.2 - Win'95 Debugger
W32Dasm V8.93 - Disassembler
Winice.Dat - Softice settings I used
Easy ( X )  Medium ( )  Hard ( )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
Datemind 1.2
Serial catching
Written by SkyFox
DateMind warns you of important events each time you boot up Windows by popping up a message box with the date of the event, the number of days until the event and a message you specify. If you have more than one event you want to be warned of during the same time frame, multiple message boxes pop up sequentially. DateMind launches automatically when your computer starts up, and closes when you confirm the message, so it doesn't use any unnecessary resources.
About this protection system
Upon running you will find the first "important" date already set for you: the day on which Datemind will expire, which is 2 months after you first run the proggy. It can be registered via a user/serial combination.
The Essay 
First off, let's fire up Datemind and go to the Help/About Datemind menu item. Datemind pops up with "Unregistered Copy" and an option to register Datemind, so hit yes to register. Now enter some fake details into the registration box and hit ok, I used:

Name: Pirate
Number: 123987

After hitting enter, *UNLESS* you are psychic or something, you will get a messagebox saying "registration failed, check name and number"... What to do now? Let's fire up W32Dasm and load datemind.exe into it. Once it has disassembled, click on Refs/String Data References and search for, you guessed it, the error message. Now double-click on it and W32Dasm will jump to this section of code:
:00410959 E8216C0000       Call 0041757F     <-Get the entered code
:0041095E 68E8174200       push 004217E8     <-Pushes serial on the stack
:00410963 E828200000       call 00412990     <-Calculates the length of
:00410968 59               pop ecx           <-the entered serial
:00410969 83F807           cmp eax, 00000007 <-Compares the length with 7
:0041096C 7428             je 00410996       <-Jumps if the length is exactly 7
:0041096E 6A00             push 00000000     <-otherwise executes the
                                             <-"Bad Cracker Code"

:00410970 68C4024200       push 004202C4 <-"Registration Failure"

* Possible StringData Ref from Data Obj ->"Registration Failed, check Name
                                        ->"and Number"  <-- We land here!!

:00410975 6899024200       push 00420299  <-- Push rego failed onto stack
:0041097A FF3588174200     push dword ptr [00421788]
:00410980 E8DC6B0000       Call USER32.MessageBoxA <-Display the messagebox

Well, as you can probably gather from my commented code :) if you do not enter exactly 7 characters for your serial, you won't even reach the first compare, so make sure it is seven characters. I changed my serial to: 1239876

Now double click on the error message again in W32dasm and you should land at this section of code:

* Referenced by a  (C)onditional Jump at Address: |:004109D0(C)
:00410A06 6A00             push 00000000
:00410A08 687F034200       push 0042037F ->"Registration Failure"

* Possible StringData Ref from Data Obj ->"Registration Failed, check Name
                                        ->"and Number" <-- We land here!!

:00410A0D 6854034200      push 00420354  <-- Push Rego failed onto stack
:00410A12 FF3588174200    push dword ptr [00421788]
:00410A18 E8446B0000      Call USER32.MessageBoxA <-Display the messagebox

If you look closely at the code segment, you'll see that it is reached by a (C)onditional jump at address 004109D0; note this location down.

Once again double-click on the error message and you will land at this third and final piece of code that displays our bad messagebox:

* Referenced by a (C)onditional Jump at Address: 004109B2(C)

:00410A2B 6A00             push 00000000

:00410A2D 68BF034200       push 004203BF ->"Registration Failure"

* Possible StringData Ref from Data Obj ->"Registration Failed, check Name
                                        ->"and Number"  <-- We land here!!

:00410A32 6894034200       push 00420394  <-Push rego failed onto the stack
:00410A37 FF3588174200     push dword ptr [00421788]
:00410A3D E81F6B0000       Call USER32.MessageBoxA <-Display the messagebox

If you look closely at this third code segment, once again it is referenced by a (C)onditional jump, at address 004109B2, not far from the second call to the bad messagebox. Note this location down also.

Okay, so both bits of code do the same thing: basically each pushes the bad rego message onto the stack and displays our "bad cracker" messagebox. Now, obviously, if we do not want this bit of code to be executed, what we must do is find a way to jump over it somehow. So let's now go and take a look at the two code addresses you should have copied down before. It looks a little like this:

* Referenced by a (C)onditional Jump at Address: :0041096C(C)
:00410996 A09A174200       mov al, byte ptr [0042179A]
:0041099B 50               push eax
:0041099C E882110000       call 00411B23
:004109A1 59               pop ecx
:004109A2 8BD8             mov ebx, eax
:004109A4 A0EA174200       mov al, byte ptr [004217EA]
:004109A9 50               push eax
:004109AA E874110000       call 00411B23
:004109AF 59               pop ecx
:004109B0 3BD8             cmp ebx, eax
:004109B2 7577             jne 00410A2B  <-- First jump to bad messagebox
:004109B4 A09C174200       mov al, byte ptr [0042179C]
:004109B9 50               push eax
:004109BA E864110000       call 00411B23
:004109BF 59               pop ecx
:004109C0 8BD8             mov ebx, eax
:004109C2 A0EC174200       mov al, byte ptr [004217EC]
:004109C7 50               push eax
:004109C8 E856110000       call 00411B23
:004109CD 59               pop ecx
:004109CE 3BD8             cmp ebx, eax
:004109D0 7534             jne 00410A06  <-- Second jump to bad messagebox
:004109D2 6A24             push 00000024
:004109D4 680A034200       push 0042030A ->"Registration Success"

From this segment of code you should gather that the jumps at 004109B2 and 004109D0 both go to the bad code, i.e. the bad messagebox code above, and in doing so both jump over the good piece of code, the "Registration Success" segment.

What can we gather from all of this? Well basically, it's a classic protection, namely:

Compare two registers
Jump to bad guy/good guy

If we look at the first jump we see it compares ebx with eax, and then the jne (jump if not equal) will jump to the bad messagebox if they are not equal. The second jump is the same: it compares ebx with eax and then jumps to the second bad messagebox if they are not the same.

You may think, hmm, why set two compares if you are comparing the same serial twice, the answer lies ahead, read on..

Now go into help/about datemind, click yes and then enter all your details, but don't hit ok yet.

Hit CTRL + D to enter softice and type "bpx getdlgitemtexta"

Now exit Softice with F5, and hit the ok button, *BOOM* we are in Softice again. Don't forget we entered two pieces of info and the program needs both to process the registration, so hit F5 so Softice reads in your serial. Now type "bd 0" to disable the breakpoint and press F12 to get to the program's code. When you get there, don't bother single-stepping through any code as we already know where the compare(s) will take place, so go ahead and place a bpx on the first compare... Need help? OK, type "bpx 004109B0" to set a breakpoint on the first compare.

Press F5 to exit Softice, *BOOM* we are back in Softice, right at the first compare instruction. Disable the breakpoint with "bd 1" and enter "d ebx", nothing interesting here, so enter "? ebx" and you should get a number, mine was 7. Now it compares this with eax, so enter "? eax" and you should see the third number of your serial, in my case it was 3. So we now know that the third character of your serial should be a 7, so change your serial to reflect this, I used 1279876.

This is where the second compare comes into action, so enter your newly acquired serial and then enter Softice and enable the breakpoint on getdlgitemtexta. To do this type "be 0", hit F5 to exit Softice and hit the ok button *BOOM* we are back in Softice. Disable the breakpoint with "bd 0", now you want to set a breakpoint on the second compare, so type "bpx 004109CE". Exit Softice with F5, *BOOM* we are right back in Softice, and staring us in the face is the second compare, so once again enter "? ebx" and you should see a number, mine was a 9. Go ahead and enter "? eax" and you will see the 5th number of your serial, mine was 8.

Well, it should be straightforward what to do from here: enter Softice and clear all the breakpoints with "bc *" and then enter your reg info, in my case it was:

Name: Pirate
Serial: xx7x9xx

Where x is anything you want :)  Congratulations if this was your first crack, if not, i hope you learnt something from it...
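The essay shows why this check falls so easily: only 2 of the 7 serial characters are ever tested, each one is compared on its own with a conditional jump straight after it, and at each compare the expected value sits in a register where a debugger reads it off. The C below is an added example, not code from the essay or from Datemind, contrasting that structure with a hardened check. The weak version copies only the shape the essay recovered (length 7, a compare at position 3 against '7' and at position 5 against '9'); how Datemind actually derives those two values from the name is not shown on the page, so nothing here claims to be its algorithm. The hardened version derives a tag from the whole name with a keyed function and compares the entire tag with no early exit; HARDENED_SECRET and the FNV-1a mixing are constructed stand-ins so the example runs offline, not a recommended key scheme.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* --- Weak pattern, as the essay found it in Datemind ---
 * Length must be 7, then individual serial bytes are compared one at a time,
 * each followed by a jump to the failure path. The expected values ('7' at
 * position 3, '9' at position 5) are the ones the essay recovered; the
 * derivation from the name is not on the page, so this is structure only. */
typedef struct { int pos; char value; } check_t;
static const check_t WEAK_CHECKS[] = { { 2, '7' }, { 4, '9' } };  /* 0-based positions */

/* Returns 1 on success. compares_done (optional) receives how many byte
 * compares ran before returning: each one is a point where a debugger sees
 * the expected byte in a register, exactly as the essay used "? ebx". */
int weak_check(const char *serial, int *compares_done)
{
    int done = 0, ok = 0;
    if (strlen(serial) == 7) {
        ok = 1;
        for (size_t i = 0; i < sizeof WEAK_CHECKS / sizeof WEAK_CHECKS[0]; i++) {
            done++;
            if (serial[WEAK_CHECKS[i].pos] != WEAK_CHECKS[i].value) { ok = 0; break; }
        }
    }
    if (compares_done) *compares_done = done;
    return ok;
}

int count_weak_compares(const char *serial)
{
    int n;
    weak_check(serial, &n);
    return n;
}

/* --- Hardened pattern ---
 * Derive a 7-digit tag from the whole name with a keyed function, then compare
 * the entire tag against the entered serial with no early exit, so no single
 * instruction reveals one expected character and all 7 characters are bound.
 * Constructed placeholders: a shipped product would use HMAC-SHA256 or, better,
 * a signature verified with a public key, since a secret inside the client
 * can always be recovered from the binary. */
static const char HARDENED_SECRET[] = "constructed-example-secret";

void derive_tag(const char *name, char out[8])
{
    uint64_t h = 14695981039346656037ULL;            /* FNV-1a 64-bit offset basis */
    const char *p;
    for (p = HARDENED_SECRET; *p; p++) { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    for (p = name; *p; p++)            { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    for (int i = 0; i < 7; i++) { out[i] = (char)('0' + h % 10); h /= 10; }
    out[7] = '\0';
}

/* Constant-time equality: touches all n bytes whether or not they differ. */
int constant_time_equal(const char *a, const char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

int hardened_check(const char *name, const char *serial)
{
    char expected[8];
    if (strlen(serial) != 7) return 0;   /* the length is not secret, so checking it early leaks nothing */
    derive_tag(name, expected);
    return constant_time_equal(expected, serial, 7);
}

/* 1 if the derived tag is accepted and a tag with one changed digit is rejected. */
int hardened_self_test(const char *name)
{
    char tag[8];
    derive_tag(name, tag);
    int accepted = hardened_check(name, tag);
    tag[2] = (tag[2] == '7') ? '8' : '7';
    return accepted && !hardened_check(name, tag);
}

int main(void)
{
    /* Constructed inputs following the essay's sequence of attempts. */
    const char *tries[] = { "123987", "1239876", "1279876", "1279976" };
    for (size_t i = 0; i < 4; i++) {
        int n, ok = weak_check(tries[i], &n);
        printf("weak     %-8s -> %s after %d compare(s)\n", tries[i], ok ? "accepted" : "rejected", n);
    }
    char tag[8];
    derive_tag("Pirate", tag);
    printf("hardened tag for Pirate: %s, accepted=%d; xx7x9xx accepted=%d\n",
           tag, hardened_check("Pirate", tag), hardened_check("Pirate", "xx7x9xx"));
    return 0;
}
```

The count of compares before rejection is the point: with the weak shape, each failed attempt tells the person at the debugger one more expected character, and every serial matching the two tested positions is accepted. With the whole-tag comparison there is no intermediate register value worth reading and no partial match that passes, though a client-side secret still only raises the bar until the binary is patched, which is why real schemes verify a signature instead.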
The Crack
None  required.
Final Notes 
BTW: Don't use this name and number, go ahead and crack it yourself for a personalised copy :)  Also, if you want you can re-register by deleting datereg.inf from the program directory, go ahead and practice without the tutorial :)

Greets and Thanks to: The Sandman :) , Warezpup , Hojo, Bubblegun , DeionXxX , Flu[X]
                      Sortof , all the gang at ECG and anyone else i forgot!!

Ob Duh 
Do I really have to remind you all that by buying and NOT stealing the software you use, you will ensure that these software houses are encouraged to produce even *better* software for us to use and enjoy?

Ripping off software through serials and cracks is for lamers..
If you're looking for cracks or serial numbers from these pages then you're wasting your time, try searching elsewhere on the Web under Warez, Cracks etc.


Essay by: SkyFox
Page Created: 30th January 1999