Run the program again and lets see what other things the unregistered version has that is annoying. Like the Nag on startup and the Nag on shutdown.
Nag at startup:
Register Now
Dear User
blah blah blah blah blah
Register Name:| |
Register Code: | |
[OK] [Cancel]
Try to select more than 5 tracks on the main screen or 3 files on the conversions screen, or try to select the box that lets you select all boxes and we get another annoying bug:
Please Register
Dear User
BLAH BLAH BLAH BLAH BLAH
[I SEE]
Lastly try to register the program and for some reason my code didn't get taken, maybe yours will, if that's the case then you cracked it! Good Job! Anyway I get this nag:
Register Info
The register info is not correct,
Please register later.
[OK]
I tried registering it later but it keeps telling me the same thing. Oh well.
Disassemble the CDMP3Terminator.W32 backup file and lets check the Strn Refs and look for useful or interesting doorways into cracking this program.
W32dasm interesting strings:
"Register Info"
"Register Now"
"RegisterCode"
"RegisterName"
"You have registered successfully,"
Hmm, nothing about our nags though, so browse the beginning of the program disassembly for clues, this works a lot for nags and what do we find:
Name: DialogID_0085, # of Controls=013, Caption:"Register Now", ClassName:""
001 - ControlID:FFFF, Control Class:"STATIC" Control Text:""
002 - ControlID:FFFF, Control Class:"STATIC" Control Text:"Dear User"
003 - ControlID:FFFF, Control Class:"STATIC" Control Text:"
If you have not yet paid the CD MP3 Terminator registration fee, you c"
004 - ControlID:FFFF, Control Class:"STATIC" Control Text:"You can visit the "
005 - ControlID:0408, Control Class:"STATIC" Control Text:"CD MP3 Terminator HOMEPAGE"
006 - ControlID:FFFF, Control Class:"STATIC" Control Text:"for more information and "
007 - ControlID:0409, Control Class:"STATIC" Control Text:"BUY NOW !"
008 - ControlID:FFFF, Control Class:"STATIC" Control Text:"Register Name:"
009 - ControlID:040B, Control Class:"EDIT" Control Text:""
010 - ControlID:FFFF, Control Class:"STATIC" Control Text:"Register Code:"
011 - ControlID:040C, Control Class:"EDIT" Control Text:""
012 - ControlID:0001, Control Class:"BUTTON" Control Text:"OK"
013 - ControlID:0002, Control Class:"BUTTON" Control Text:"Register Later"
Ok, well the top one is our first nag for startup and shutdown of the program and the bottom one looks a lot like the nag you get when you try to many songs to rip.
Name: DialogID_0086, # of Controls=007, Caption:"Please Register", ClassName:""
001 - ControlID:0001, Control Class:"BUTTON" Control Text:"I SEE"
002 - ControlID:FFFF, Control Class:"STATIC" Control Text:"Dear User"
003 - ControlID:FFFF, Control Class:"STATIC" Control Text:"You can visit the "
004 - ControlID:0408, Control Class:"STATIC" Control Text:"CD MP3 Terminator HOMEPAGE"
005 - ControlID:FFFF, Control Class:"STATIC" Control Text:"for more information and "
006 - ControlID:0409, Control Class:"STATIC" Control Text:"BUY NOW !"
007 - ControlID:FFFF, Control Class:"STATIC" Control Text:""
Well now we know our 2 nags are DialogID_0085 & DialogID_0086, lets
go look for those in the DLG REF's. Click the button and here is the stuff we need!
Dialog: DialogID_0085 <-startup/shutdown nag
Dialog: DialogID_0085, CONTROL_ID:0408, "CD MP3 Terminator HOMEPAGE"
Dialog: DialogID_0085, CONTROL_ID:040B, ""
Dialog: DialogID_0085, CONTROL_ID:040C, ""
Dialog: DialogID_0086 <-select too many songs nag
First let's double click on the DialogID_0085 and we see it only shows in one place, so obviously the same nag is called twice.
* Referenced by a CALL at Address:
|:00416FC1 <-double right click on this and lets check it out
|
:00427980 6AFF push FFFFFFFF
:lines of code
:004279A1 50 push eax
* Possible Reference to Dialog: DialogID_0085
:004279A2 6885000000 push 00000085
:004279A7 89742418 mov dword ptr [esp+18], esi
* Referenced by a CALL at Addresses:
|:004162F6 , :0041CC7C , :0041CCDD <-ok, looks like these are the calls
|
:lines of code
:00416FBD 8D4C2404 lea ecx, dword ptr [esp+04]
:00416FC1 E8BA090100 call 00427980
Ok lets trace into the 1st one and we see this:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004162E0(C)
|
:004162E9 8BCE mov ecx, esi
:004162EB E8E0080000 call 00416BD0
:004162F0 85C0 test eax, eax
:004162F2 756B jne 0041635F <-jump over the startup nag screen
:004162F4 8BCE mov ecx, esi
:004162F6 E8A50C0000 call 00416FA0 <-call to eventual nag screen
Ok so we know what to do here:
Change this:
:004162F2 756B jne 0041635F
To this:
:004162F2 EB6B jmp 0041635F
Ok so now let's trace into the second location the code is called from:
:0041CC63 E8F2190500 Call 0046E65A
:0041CC68 8B4804 mov ecx, dword ptr [eax+04]
:0041CC6B E8609FFFFF call 00416BD0
:0041CC70 85C0 test eax, eax
:0041CC72 7551 jne 0041CCC5 <-jump over the shutdown nag screen
* Reference To: MFC42.Ordinal:0490, Ord:0490h
:0041CC74 E8E1190500 Call 0046E65A
:0041CC79 8B4804 mov ecx, dword ptr [eax+04]
:0041CC7C E81FA3FFFF call 00416FA0 <-call to eventual nag screen
Once again here we are:
Change this:
:0041CC72 7551 jne 0041CCC5
To this:
:0041CC72 EB51 jmp 0041CCC5
Run the program, no nag at startup, close the program, no nag at shutdown. Ok well those are out of the way. Don't worry about that 3rd call location, I don't think its used, at least not for the nags.
Next we have the nag that pops up when you select 5 or more songs on the main screen, also this nag will show if you select 3 or more songs in the conversion screen. This nag also shows if you check the box that selects all songs or tracks on the main screen or the conversion screen. So a total of 4 places where this nag gets called from. Well from above we learned that the nag's name is DialogID_0086 so open the DLG Ref's and double click it and you will land here and only here:
* Referenced by a CALL at Addresses:
|:0041CA44 , :0041CBBF , :00436E3C , :00437944 <-hmm 4 places right =)
|
:lines of code
* Possible Reference to Dialog: DialogID_0086 <-our nag
:00427D1E 6886000000 push 00000086
Well let's start with the first one, goto code location 41CA44 and let's see what we can see:
:0041CA06 E8C5A1FFFF call 00416BD0 <-call to check if registered
:0041CA0B 85C0 test eax, eax <-are we registered?
:0041CA0D 0F859C000000 jne 0041CAAF <-jump if we are
:0041CA13 8B8424D8040000 mov eax, dword ptr [esp+000004D8]
:0041CA1A 8B0DC02E4900 mov ecx, dword ptr [00492EC0]
:0041CA20 3BC1 cmp eax, ecx <-compare selected boxes with 6
:0041CA22 0F8287000000 jb 0041CAAF <-jump if 5 boxes or less are checked
:0041CA28 8B8C24DC040000 mov ecx, dword ptr [esp+000004DC]
:0041CA2F 6A00 push 00000000
:0041CA31 51 push ecx
:0041CA32 50 push eax
:0041CA33 8D8EEC1A0000 lea ecx, dword ptr [esi+00001AEC]
:0041CA39 E822350200 call 0043FF60
:0041CA3E 6A00 push 00000000
:0041CA40 8D4C2408 lea ecx, dword ptr [esp+08]
:0041CA44 E8B7B20000 call 00427D00 <-call nag and don't allow more boxes
Well the easiest way is to Change this:
:0041CA0D 0F859C000000 jne 0041CAAF
To this:
:0041CA0D E99D000000 jmp 0041CAAF
:0041CA12 90 NopX1
Now run the program and you see we can select single boxes past 5 on the main screen.
One down, three to go!
Next area is the second call at 41CBBF, let's look at the code:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041CB98(C) <-jumped from here, let's check it out
|
:0041CBB9 6A00 push 00000000
:0041CBBB 8D4C240C lea ecx, dword ptr [esp+0C]
:0041CBBF E83CB10000 call 00427D00 <-call nag
:0041CB75 E856A0FFFF call 00416BD0 <-check if we are registered
:0041CB7A 85C0 test eax, eax <-are we?
:0041CB7C 0F85A6000000 jne 0041CC28 <-jump if we are
:0041CB82 85F6 test esi, esi
:0041CB84 0F859E000000 jne 0041CC28 <-this one will work too
:0041CB8A 8B35C02E4900 mov esi, dword ptr [00492EC0]
:0041CB90 8B87441C0000 mov eax, dword ptr [edi+00001C44]
:0041CB96 3BF0 cmp esi, eax
:0041CB98 7D1F jge 0041CBB9 <-jump to nag area if we select more than 3 songs in the converter area.
Well once again lets make the jump that sees us a registered, take you pick of the two, i just used this one.
Change this:
:0041CB84 0F859E000000 jne 0041CC28
To this:
:0041CB84 E99D000000 jne 0041CC28
:0041CB89 90 NopX1
Now lets runs the program and try to select more than three songs in the mp3/wav conversion screen. Hey it works, two down.
Third call is next, at location 436E3C.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00436E33(C) <-jumped from here, let's check it out
|
:00436E12 6A00 push 00000000
:00436E14 6A00 push 00000000
:00436E16 56 push esi
:00436E17 8BCD mov ecx, ebp
:00436E3C E8BF0EFFFF call 00427D00 <-call nag if we select the "select all" box on the converter screen.
:00436DCD E888780300 Call 0046E65A
:00436DD2 8B4804 mov ecx, dword ptr [eax+04]
:00436DD5 E8F6FDFDFF call 00416BD0 <-the "are we registered" call
:00436DDA 85C0 test eax, eax
:00436DDC 0F85C4000000 jne 00436EA6 <-we are! then jump
:00436DE2 85F6 test esi, esi
:00436DE4 0F85BC000000 jne 00436EA6 <-good jump also
:00436DEA 8B35545D4900 mov esi, dword ptr [00495D54]
:00436DF0 53 push ebx
* Reference To: USER32.SendMessageA, Ord:0214h
:lines of code
:00436E0C 8DAFD0000000 lea ebp, dword ptr [edi+000000D0]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00436E33(C)
|
:lines of code
:00436E19 E842910000 call 0043FF60 <-User32SendMessage in this call
:lines of code
:00436E31 3BF0 cmp esi, eax
:00436E33 7CDD jl 00436E12 <-jump to nag
OK, so it's easy to say even though we had to trace back a little further this time that we need to Change this:
:00436DE4 0F85BC000000 jne 00436EA6
To this:
:00436DE4 E9BD000000 jmp 00436EA6
:00436DE9 90 NopX1
Ok make that change and run the program again, try to put a check in the select all box under the converter. Success, No naggy nag nag.
Now last one, so we can select all the songs in the main screen by putting a check in the checkbox. Start at the 4th place on the call list, here: 437944
:004378FE E8576D0300 Call 0046E65A
:00437903 8B4804 mov ecx, dword ptr [eax+04]
:00437906 E8C5F2FDFF call 00416BD0 <-check if we are registered
:0043790B 85C0 test eax, eax <-are we?
:0043790D 0F859C000000 jne 004379AF <-jump if we are!
:00437913 8B8424D8040000 mov eax, dword ptr [esp+000004D8]
:0043791A 8B0D545D4900 mov ecx, dword ptr [00495D54]
:00437920 3BC1 cmp eax, ecx
:00437922 0F8287000000 jb 004379AF <-this might work too
:00437928 8B8C24DC040000 mov ecx, dword ptr [esp+000004DC]
:0043792F 6A00 push 00000000
:00437931 51 push ecx
:00437932 50 push eax
:00437933 8D8ED0000000 lea ecx, dword ptr [esi+000000D0]
:00437939 E822860000 call 0043FF60
:0043793E 6A00 push 00000000
:00437940 8D4C2408 lea ecx, dword ptr [esp+08]
:00437944 E8B703FFFF call 00427D00
So we just need to do the following!
Change this:
:0043790D 0F859C000000 jne 004379AF
To this:
:0043790D E99D000000 jmp 004379AF
:00437912 90 NopX1
The smarter way if we had softice would be to go into the registered call and make it return the value we want it to. Patching will work today though.
This part is pointless since we patched the program to do what we want but here you can
register any code, just nop it out. Registration wont stay but who cares. (This can be traced with the w32dasm Strn Ref "You have registered successfully,"
Change this:
:0041CCF5 740E je 0041CD05
To this:
:0041CCF5 9090 NopX2
Now i did notice an error in the program, when you right click at the top the about menu is screwy, looks like this:
101, "¹ØÓÚCD MP3 Terminator (&A)..."
Well lets open up resource hacker and fix it as well as a few other things.
Goto String Table, you will see this:
-String Table
-7
-1033
Click on 1033 and edit the above to this:
101, "About CD MP3 Terminator (&A)..."
Ok that's fixed, now let's change some stuff that is annoying:
Goto here:
-Dialog
-100
-2052
This as you can tell is the about screen, I just made mine like so:
{
CONTROL 128, -1, STATIC, SS_ICON | WS_CHILD | WS_VISIBLE, 7, 7, 20, 20 CONTROL "CD MP3 Terminator 1.05", -1, STATIC, SS_LEFT | SS_NOPREFIX | WS_CHILD | WS_VISIBLE | WS_GROUP, 36, 7, 135, 8 CONTROL "Copyright (C) 2002 TianShaoSoft.com Cracked bY: sLeEpY¿[KaNaL23]", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 36, 23, 150, 21 CONTROL "OK", 1, BUTTON, BS_DEFPUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_GROUP | WS_TABSTOP, 92, 51, 52, 20
}