Win Code Reversing |
Program Details
Program Name: CLine97.exe
Program Type: 3D Graphic Program
Program Location: HERE
Program Size: 25 K
Softice V3.2 - Debugger

There is a crack, a crack in everything. That's how the light gets in.

CLine97 Cracking
Written by KLee8084

CLine97 is a useful utility that allows you to use the DOS command line from Windows 95.
This program requires a registration number that is calculated from the user name.
When you first start Cline97.exe a screen pops up with registration information and allows you to either run the unregistered version, or to register the program. We want to register it, of course.
Click on REGISTER.
In the Name textbox, put in your name. I put in KLee8084. Notice that the program automatically capitalizes all of the letters that you enter. In the Number textbox, put in a fake registration number. I put in 76543.
Now we want to set a breakpoint in Softice.
Press CTRL-D to go into Softice. Once there, type BPX GetDlgItemTextA (I first used GetWindowTextA, but that was not the function that was called).
Type X to get out of SoftIce and back to the program. Ready? Click on OK.
Back in SoftIce, notice that we are at the start of USER32!GetDlgItemTextA. Press F11 to step out of the function.
Here is what we have:
:00402558 CALL [USER32!GetDlgItemTextA]
:0040255E PUSH 00
:00402560 MOV EDI, 00410B30              <- the name that you entered
:00402565 PUSH 00
:00402567 PUSH 000003FC
:0040256C PUSH ESI
:0040256D CALL [USER32!GetDlgItemInt]    <- get the reg # that you entered
:00402573 MOV ECX, FFFFFFFF              <- Set up for getting the length of user name
*NOTE: if you look at the value of EAX, you'll see that it already holds the length of the name that you entered.
:00402578 MOV [0040A554], EAX
If you scroll down, you'll see the routine that calculates the registration number based on the name that you entered.
:00402584 MOVSX EAX, BYTE PTR [00410B30]        <- first letter of name you entered
:0040258B IMUL ECX, EAX
:0040258E SHL ECX, 0A
:00402591 ADD ECX, 002F8CC
:00402597 MOV [0040A550], ECX                   <- Real registration number
:0040259D CMP [0040A554], ECX
:004025A3 JZ 004025D6                           <- Same? Then jump to good code.
:004025A5 CMP DWORD PTR [0040A554], 0361DECA    <- Well!!! A MASTER REG NUMBER
:004025AF JZ 004025D6                           <- Same? Then jump to good code.
:004025B1 PUSH 30                               <- Start of REGISTRATION ERROR routine.
Press F10 until you reach :0040259D.
If you type ? ECX in Softice, you'll see the hex, decimal, and ASCII values of ECX. The decimal value is the registration number.
If you type ? 0361DECA in Softice (from the CMP instruction in :004025A5), you'll see that the decimal value is 56745674. This is the Master Registration Number. No matter what name you put in, 56745674 will register the program.
Program cracked.
There is no crack, per se. We have found, though, that if we put in 56745674 in the Number textbox, we can put in any name that we choose and the program will become registered.
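From the developer's side, the listing shows two design weaknesses: the valid number is computed inside the client, where it can be read from ECX, and a name-independent constant sits in a CMP. The Python sketch below is an added example, not code from CLine97 or from this essay's author; it models that pattern beside a check that only verifies a vendor signature. The names derive_placeholder, issue_license and verify_license and the toy RSA key are assumptions made for the illustration.

```python
import hashlib

# --- Weak pattern, modelled on the listing above ---------------------------
MASTER = 0x0361DECA  # constant from the CMP at :004025A5 (decimal 56745674)

def derive_placeholder(name: str) -> int:
    """Hypothetical stand-in for the name-based routine; NOT CLine97's algorithm."""
    return int.from_bytes(hashlib.sha256(name.encode()).digest()[:4], "big")

def weak_check(name: str, number: int) -> bool:
    expected = derive_placeholder(name)   # the valid number now sits in client memory
    return number == expected or number == MASTER   # constant ignores the name

# --- Hardened pattern: the client only verifies a vendor signature ---------
# Toy RSA key from two Mersenne primes, constructed for this example and far
# too weak for real use; a product would use a vetted library and key size.
P, Q, E = 2**107 - 1, 2**127 - 1, 65537
N = P * Q                                  # public modulus, ships in the client
_D = pow(E, -1, (P - 1) * (Q - 1))         # private exponent, stays with the vendor

def _digest(name: str) -> int:
    data = name.upper().encode()           # the dialog upper-cases the name
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def issue_license(name: str) -> int:
    """Vendor side: sign the upper-cased name with the private exponent."""
    return pow(_digest(name), _D, N)

def verify_license(name: str, licence: int) -> bool:
    """Client side: uses only N and E and never computes a valid licence."""
    return 0 <= licence < N and pow(licence, E, N) == _digest(name)

if __name__ == "__main__":
    print(weak_check("ANY NAME", MASTER))             # True for every name
    lic = issue_license("KLEE8084")
    print(verify_license("KLEE8084", lic))            # True
    print(verify_license("SOMEONE ELSE", lic))        # False: bound to the name
    print(verify_license("SOMEONE ELSE", MASTER))     # False: no universal value
```

With the signature check, the client holds no comparison value that would be accepted if read out, and a licence issued for one name does not verify for another.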
CLine97 is a small program that had me scratching my head for a time, trying to reverse the calculations, until I thought to look at the decimal values of EAX and ECX. *grin*
My thanks and gratitude go to:
Fravia+ for providing possibly the greatest source of Reverse Engineering knowledge on the Web.
+ORC for showing me the light at the end of the tunnel.
Do I really have to remind you all that buying and NOT stealing the software you use will ensure that these software houses will continue to produce even *better* software for us to use and, more importantly, to continue offering even more challenges to breaking their often weak protection systems?
If you're looking for cracks or serial numbers from these pages then you're wasting your time, try searching elsewhere on the Web under Warez, Cracks etc.
Essay by: KLee8084
Page Created: 8th August 1998