
View Full Version : Reversing games


chronos
November 25th, 2002, 06:34
Hi there,

I read a lot of tutorials on reversing windows programs with tips on breaking SI at the registration process using BPX GetWindowTextA, GetDlgItemTextA, GetDlgItemInt, etc. But I discovered that SI does not break with the above APIs (for example, the registration for the game called Bejeweled from Pop Cap at h**p://www.popcap.com/installer_download.php?url=WinBejeweled_setup.exe.
Does anyone know how I can break straight after the password prompt in this case, or any good tutorials that show how to do it? Thanks for the help.

Solomon
November 25th, 2002, 07:05
Delphi/BCB progs never call GetWindowTextA etc. to get the string from the editbox. You can find out why by reading the VCL source code (it's written in Object Pascal).

I often use "BPX DestroyWindow" after the "Incorrect key" dialog pops up and press the OK button, then trace back to find the regcode validation routine.

There is another way to find the routine. Just use RegMon/FileMon to find where the registration info is stored, put a fake key there, then BPX RegQueryValueExA/CreateFileA/_lopen.

Also don't forget the dead-listing way. You may find clues by string references there.

good luck.

FoolFox
November 25th, 2002, 08:17
Hello,

If any usual way didn't work for you, I think it's worth
then spending time analysing the dead listing, using any
string related to the password prompt (window titles,
labels, messagebox messages, etc...), try to locate them
inside the listing and from them you can see :

- where it was called from..
- where it could go...

from there, mostly depend on what you look at...

Regards
FoolFox

hobgoblin
November 25th, 2002, 09:29
Hi there,
I cracked this one a while ago. Try to use W32dasm or IDA (if you prefer this one), and do as the rest of the guys suggest. You will see that you get all the clues you need to reverse it. If I remember this correctly, you only have to change a couple of bytes to make it registered. When you dead-list it, you will also get clues enough to find out how to make Sice break at the correct place.
Good luck,
hobgoblin

disavowed
November 25th, 2002, 13:15
also, DeDe is extremely useful for reversing delphi apps

chronos
November 26th, 2002, 06:38
Hi people, thanks for all the replies.

Solomon, thanks for the tips. It looks like the program doesn't use windows to prompt for the password or to show the bad guy message. It does write the registration details into the registry at the end of the program, but I can't get sice to break on memory access for the details (weird... I wonder how it stores the details there in the first place). Anyway, I learnt something from your suggestions.

FoolFox and hobgoblin, yep, I think I would have to do it the hard way. By saying dead-listing, do you mean using disassemblers to get the whole program listing in ASM? The problem with this program is that it doesn't flow properly. It looks like after it draws the screen for the registration details, it doesn't call any routines to get the input. It simply goes on and on repainting the surface (loops). Geez, being a newbie sure isn't easy :P. Anyway, my thanks for your tips.

Solomon
November 26th, 2002, 08:08
hi,

The reg code is stored here:
HKEY_LOCAL_MACHINE\SOFTWARE\PopCap\ZoneBejeweled\RegName
HKEY_LOCAL_MACHINE\SOFTWARE\PopCap\ZoneBejeweled\RegCode

so, search for "RegCode" in the disassembled text; we are lucky to find 2 occurrences. The first is for RegSetValueExA, the 2nd is for RegQueryValueExA. I prefer the latter as a breakpoint. Put a BPX there. After the regcode is read from the registry, set a BPM on your fake code. You can refer to the MSDN documentation about the parameters of RegQueryValueExA. Write down the buffer addr passed to this API; your fake code will be stored there.

If it moves your code to another buffer, put a BPM/BPR on the new buffer too.

Code:

* Possible StringData Ref from Data Obj ->"RegCode"
|
:0043365F 68D4DB4A00 push 004ADBD4
:00433664 8B8DFCFEFFFF mov ecx, dword ptr [ebp+FFFFFEFC]
:0043366A 51 push ecx

* Reference To: ADVAPI32.RegQueryValueExA, Ord:017Bh
|
:0043366B FF1510304A00 Call dword ptr [004A3010]
:00433671 85C0 test eax, eax
:00433673 0F855F030000 jne 004339D8

FoolFox
November 26th, 2002, 08:32
Hello,

Yeah chronos, studying the dead-listing means taking it
with a disassembler, and searching for interesting strings.

Currently, if you fix the PE header (hint: check the section
flag in the .text header), you'll find this with W32Dasm,
inside the string reference table :


"CLICK HERE TO REGISTER NOW!"
"Click here to register online"
"http://www.popcap.com"
"http://www.popcap.com/register.php?theGame=bej"
"http://www.popcap.com/win32updatecheck.php?pro"
"popcinfo.dat"
"ReferId"
"RegCode"
"REGISTER BEJEWELED"
"REGISTER NOW TO REMOVE THIS DELAY!"
"Register Now"
"Register online to remove the "
"Register"
"Registered Name"
"registration information below."
"Registration Invalid"
"RegName"
"THANKS FOR REGISTERING!"
"The registration number you entered "
"UNREGISTERED VERSION - YOU HAVE "
"UNREGISTERED VERSION"
"Up to Date"
"Update Check"
"Update Count = %d"
"Updates"
"Version "
"Version: "
"When you have registered, enter "
"You must register online now to "


From there, there are various ways to find what you want
to get....

Regards
FoolFox

P.S. : You should at first change those h**p://www.popcap.com,
just in case
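The post above mentions that W32Dasm only produced a usable string-reference table once the section flags in the .text header were fixed. The script below is an added example (not code from the thread or from PopCap) that parses PE section headers and reports a code section whose characteristics do not match its role, which is the usual first sign of a deliberately damaged header. It builds a minimal constructed PE image in memory so it runs offline; the layout constants (section names, RVAs, flag values) are standard PE definitions, the sample image itself is an assumption made for the demonstration.

```python
import struct

# Standard IMAGE_SCN_* characteristics bits from the PE specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsec, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    # AddressOfEntryPoint sits at offset 16 of the optional header for both PE32 and PE32+.
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sec_off = opt + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, sec_off + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vsize": vsize, "va": va, "rawsize": rawsize,
            "rawptr": rawptr, "chars": chars,
        })
    return entry, sections


def audit_section_flags(data: bytes):
    """Flag sections whose characteristics contradict the entry point or each other."""
    entry, sections = parse_sections(data)
    findings = []
    for s in sections:
        span = max(s["vsize"], s["rawsize"])
        holds_entry = s["va"] <= entry < s["va"] + span
        is_code = bool(s["chars"] & IMAGE_SCN_CNT_CODE)
        is_exec = bool(s["chars"] & IMAGE_SCN_MEM_EXECUTE)
        if holds_entry and not (is_code and is_exec):
            findings.append("%s: entry point 0x%X lies here but section lacks CODE/EXECUTE "
                            "(characteristics 0x%08X); disassemblers may skip it"
                            % (s["name"], entry, s["chars"]))
        elif is_exec and not is_code:
            findings.append("%s: executable but not marked as code (0x%08X)"
                            % (s["name"], s["chars"]))
    return findings


def build_sample_pe(text_flags: int) -> bytes:
    """Constructed minimal PE32 image: DOS stub, COFF header, optional header, two sections."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)  # i386, 2 sections, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                   # AddressOfEntryPoint -> .text
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, text_flags)
    secs += struct.pack("<8sIIIIIIHHI", b".data", 0x1000, 0x2000, 0x200, 0x600, 0, 0, 0, 0,
                        IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    healthy = build_sample_pe(IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    tampered = build_sample_pe(IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
    print("healthy :", audit_section_flags(healthy) or "no findings")
    print("tampered:", audit_section_flags(tampered))
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `audit_section_flags`; a finding on the section that holds the entry point is the same symptom the post describes, and the fix is simply to restore the CODE and EXECUTE bits before disassembling.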

chronos
November 27th, 2002, 10:29
Hi Solomon, I tried tracking the RegQueryValueExA routine and noted down the buffer address and set a BPM on it to break whenever it is accessed (and I thought, Ah Ha! Gotcha now). But, when it broke next, its offset address was 77F82BC1 ! (which is way out of range) Do you know how I can find that code?

FoolFox, I tried using the Text Ref to find the bad guy message and I managed to patch a location to show the "Thanks for registering" message:

.text:00412C4F test eax, eax
.text:00412C51 jnz short loc_412C5D <- patch to jmp
.text:00412C53 mov ecx, [ebp+var_50]
.text:00412C56 call sub_4116F0
.text:00412C5B jmp short loc_412CCC

The problem is the game stays unregged after the message.

Thanks for all the help and suggestions... Please inform me if anyone managed to reverse engineer the registration process before. I would really love to find out (this is the hardest program for me so far).

FoolFox
November 27th, 2002, 10:51
Hello,

Well, it looks like you patched one location, while there are probably
other locations to patch that have still to be found.....

will try to have a closer look...

Regards
FoolFox

chronos
November 27th, 2002, 10:55
Wow FoolFox, that was a quick reply. Hope you'll be able to find the other location. Thanks!

Solomon
November 27th, 2002, 11:18
Did you BPM the buffer AFTER the api call? If you BPM it BEFORE the api call, it will break when kernel dll fills the buffer, just as you got.


Quote:
Originally posted by chronos
Hi Solomon, I tried tracking the RegQueryValueExA routine and noted down the buffer address and set a BPM on it to break whenever it is accessed (and I thought, Ah Ha! Gotcha now). But, when it broke next, its offset address was 77F82BC1 ! (which is way out of range) Do you know how I can find that code?

FoolFox
November 27th, 2002, 11:39
Hello,

Well, fast but not really helpful, he...

I'm currently looking at it, wondering which version you're working
on? I'm on :

BEJEWELED
for Windows
version 1.5
October 29, 2001 (stated in the readme; I have taken it from
their website)


currently, the addresses do not match. I've got the jump you
patched, I think here :

00417AEE |. 8A91 F0000000 MOV DL,BYTE PTR DS:[ECX+F0]
00417AF4 |. 85D2 TEST EDX,EDX
00417AF6 |. 75 67 JNZ SHORT WinBej.00417B5F ; jump to THANKS FOR REGISTERING


Is that the one you've patched? Then I'm afraid you are not
going in the right direction... you are currently patching a jump
to show a THANKS FOR REGISTERING message; whether you
are registered or not, it will show the message. But as you've said, you are
still unregistered because the program knows that you are
unregistered. Just making it show the message won't
get you registered, especially if it checks at several places.

This call is at the end of a long function, starting at :

00417A3B |> 8B95 48FEFFFF MOV EDX,DWORD PTR SS:[EBP-1B8]

Setting a BP on 00417A3B, run the proggy

The program breaks. Running it step by step shows that it is tagged
as UNREGISTERED even before having a single window displayed. If you want to register it, you have to make it
believe at the start that you are registered.

For your message, if you land on some address like 77F82BC1 then
most probably you are inside a system DLL, not the proggy, so
at this point you have to trace back to the location of the call, or
run it till a RET to get back to your prog.

Currently I'm looking in the RegCode direction.... will let you
know if I get the illumination about it...

Regards
FoolFox

FoolFox
November 28th, 2002, 14:44
Hello,

I didn't really have the time to look at it but found this
tutorial on one popcap game... you should have a look
at it :

http://anticrack.p15106404.pureserver.info/modules.php?op=modload&name=News&file=article&sid=1757&mode=&order=0&thold=0


Regards
FoolFox

Nigma
November 28th, 2002, 21:53
I am familiar with your problem on BPX after the
reg info is entered. I just started a thread called
"Serial fishing but no trivial"; it discusses the same problem.
I can give you a hint. Well, in some games, at the window
which contains the reg button there is a button which links
you to the game site; the API which opens the browser
is ShellExecuteA, so after disassembling the file look for this
function (it is not used much, so you'll find one or two)
and begin the trace in the code lines above (put bpx until you
manage to break before the reg Form is shown), then you will
land at the reg core !

Give it a try, I managed to find the reg core in Big Money
(this is a PopCap game) and I cracked it very easily
(2 minutes work) !

Good luck !

chronos
December 2nd, 2002, 11:02
Hi guys, sorry for the late reply. Thanks for all your help. After reading all your ideas and tips, I finally managed to find the reg routine and was able to patch it to be regged.

For those who are interested, this is the code that I changed:

00420C00 mov al, [ebp-0E0h]

to

00420C00 mov al, 1
00420C02 nop
00420C03 nop
00420C04 nop
00420C05 nop

The program will then think that it's regged and work like a regged version completely. Thanks again for the tremendous help.