November 1998

"SaveCash 3.1"

(Fishing the Zen way)

Win '95/'98 PROGRAM

Win Code Reversing

 

 

by Punisher 

 

 

Cracking 4 Newbies 

 

 

Program Details

Program Name: SaveCash.exe

Program Type: Online Cost Calculator

Program Location: http://www.Rocketdownload.com/

Program Size: 694kb 

 

Tools Used:

Soft-Ice -- Debugger

 

Rating

Easy ( X )  Medium (   )  Hard (    )  Pro (    ) 

There is a crack, a crack in everything. That's how the light gets in.

 


SaveCash 3.1

(Zen Fishing a Serial Number)

Written by Punisher

  

Introduction

 
The author(s) of this program can be found at:  http://www.tande.com/xor
 
The author says:

" Welcome to SaveCash 3. This program will help you to control the expenses with telephonic calls using the modem. Monitorial it any made connection, either for a ISP, BBS or any connection between 2 computers. "

 

About this protection system

 

Registration is via the About dialog box at start, or by selecting it from the icon in the system tray. You will be presented with two edit boxes for registration. They are:

Register Name :

Key :

This protection scheme uses Name to calculate the key.

Install SaveCash 3.1, then run it. The program will start with an About dialog box nag screen telling the usual crap about registering. On the nag screen you will see four buttons; click the Register button and the registration screen will pop up. This screen contains two fields, one for Name and one for Key. Enter your name and a fake key. OK! Is that done?

Enter Softice using Ctrl-D. Set a breakpoint on hmemcpy, e.g.:

>> BPX HMEMCPY

GetDlgItemTextA, Windowtext, etc. don't work here.

Leave Softice using Ctrl-D. You will be at the registration dialog box again; click the OK button.

Softice breaks at hmemcpy. Type x and press Enter. Softice will break again in hmemcpy. This is because there are two pieces of information to be copied, the Name and the fake key.

Press F11 to get back to the caller. You will land in USER.

Press F12 six times to get to the SaveCash code. Now single-step through the SaveCash code using F10 until you get to this piece of code.

:0045F063 MOV  EDX, [EBP-08]
:0045F066 POP  EAX
:0045F067 CALL 00403C50       ; step into this call
:0045F06C JNZ  0045F168       ; bad_cracker jump

Yes, I know what you are thinking: change the JNZ at 0045F06C to JZ. Nah, that won't work. The program will tell you it is registered if you change the jump, but when you run the program another time it will remain unregistered. We will do a clean crack, no patching allowed. Ha, Ha, Ha. Just having some fun. As the old saying goes, "all cracking and no fun makes Jack a dull boy".

OK Back to business.

The Call before the jump compares the real key with our fake key and sets the zero flag according to the result of the compare. The jump uses this flag to determine whether to register the program or not.

Step into the call at :0045F067 by typing T and pressing Enter, and you will land in the piece of code that compares the real key with our fake key. This is it:

:00403C4D LEA  EAX, [EAX+00]
:00403C50 PUSH EBX            ; You land here
:00403C51 PUSH ESI
:00403C52 PUSH EDI
:00403C53 MOV  ESI, EAX       ; Real key loaded in ESI
:00403C55 MOV  EDI, EDX       ; Fake key loaded in EDI
:00403C57 CMP  EAX, EDX       ; Real key is compared with the
                              ; fake key and the zero flag is set
                              ; if the key matches
:00403C59 JZ   00403CEE

Step through this piece of code using F10 till you get past MOV ESI, EAX. This is where the real key is loaded in ESI for the compare instruction. To tell you the truth, I don't know why the programmer put the real key and the fake key in ESI and EDI. He did not use them in the compare instruction. Who is he trying to fool?

Dump ESI to get the real key for your name:

>> D ESI

You will see the real key for your name in the data window. Write it down, clear all breakpoints and press x to run the program.

Now change the fake key to the one you wrote down and click OK. A dialog box will pop up telling you thanks for registering.

When the correct Key is entered the program will store that information in SaveCash.ini in the windows directory under the heading:

[Registro]
UserName=Yourname
Chave=Yourkey
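
Added example, not part of the original tutorial or of SaveCash's code: the walkthrough above works because the program builds the valid key for the entered name in its own memory before comparing. The Python below contrasts that pattern with a check that only verifies a vendor signature, so the shipped program never holds a valid key. The key derivation, all function names and the demo-size RSA key are assumptions constructed for illustration.

```python
import hashlib

# Weak pattern: the program derives the valid key itself, so the key
# exists in process memory at the moment of comparison.
def weak_expected_key(name: str) -> str:
    # Hypothetical derivation; SaveCash's real algorithm is not on the page.
    return hashlib.sha256(b"demo-salt" + name.encode()).hexdigest()[:12].upper()

def weak_check(name: str, key: str) -> bool:
    return weak_expected_key(name) == key

# Hardened pattern: the client ships only a public key and verifies a
# signature over the name; it cannot compute a valid key for any name.
# Demo-size textbook RSA built from two known Mersenne primes, constructed
# for this example. Real code should use a vetted library (e.g. Ed25519).
# The primes are vendor secrets; they appear here only so the file runs alone.
_P, _Q = 2**127 - 1, 2**89 - 1
N, E = _P * _Q, 65537            # public key: the only key material shipped

def _digest(name: str) -> int:
    return int.from_bytes(hashlib.sha256(name.encode("utf-8")).digest(), "big") % N

def vendor_issue_key(name: str) -> str:
    """Runs on the vendor's machine only; the private exponent stays there."""
    d = pow(E, -1, (_P - 1) * (_Q - 1))
    return format(pow(_digest(name), d, N), "x")

def client_verify(name: str, key: str) -> bool:
    """Runs in the shipped program; uses N and E only."""
    try:
        sig = int(key, 16)
    except ValueError:
        return False              # not hex: reject without raising
    if not 0 < sig < N:
        return False              # out-of-range values are never valid
    return pow(sig, E, N) == _digest(name)

if __name__ == "__main__":
    issued = vendor_issue_key("Registered User")
    print(client_verify("Registered User", issued))
    print(client_verify("Somebody Else", issued))
```

With this design the stored name and key pair can be re-verified at every start, and nothing the check computes is a valid key for a different name.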


You should buy this program if you intend to use it longer than the evaluation period.

I would like to say thanks to +Fravia, Sandman, CrackZ, Cruehead, Iczelion and all the others out there who help by providing the knowledge to make this possible.
