April 1999
"Applet Marquee Wizard v3.5"
Win '95/'99 PROGRAM - Win Code Reversing
by Punisher
Cracking 4 Newbies
Program Details
Tools Used: Soft-Ice
Rating: Easy (X) Medium ( ) Hard ( ) Pro ( )
There is a crack, a crack in everything. That's how the light gets in. |
Applet Marquee Wizard v3.5
(Killing two birds with one stone)
Written by Punisher
Introduction
About this protection system
This program uses a hard-coded serial. It is pretty easy to crack once you isolate the protection scheme.
Registration is via the startup nag screen or the Help/Registration Information menu. You are asked to enter a Username and a Password.
THE ESSAY
We are going to use this essay to crack two programs, Applet Marquee Wizard and Applet Button Factory v4.5. Both programs were made by Silicon Joy Software and they use the same stupid protection scheme to protect, or should I say (un)protect, them.
Install Applet Marquee Wizard now referred to as AMW. Run AMW, the main window comes up and then a nag screen appears. The nag tells you that since this is an unregistered copy you can only use the applets created on a local hard drive. Click the Register button and the Registration window appears. Also appearing is the Applet preview window, close that.
Enter your name and fake password. I use Punisher and 45454545.
Enter Soft-Ice by pressing ctrl-d. We are going to set a breakpoint on hmemcpy so type bpx hmemcpy and hit enter. eg:-
>>> BPX HMEMCPY
Leave Soft-Ice by pressing ctrl-d. Now click Register and Soft-Ice breaks in kernel at the hmemcpy function. This program makes three calls to hmemcpy before going to the protection scheme, so we will bypass the first two calls. To do this type X and press enter twice. eg:-
>>> X [ENTER] <-- press it don't type.
>>> X [ENTER]
We are now at the third call to hmemcpy. We are going to trace through hmemcpy to see where our name is being copied to. Trace using the F10 key until you come to this snippet of code:
0117:9E8E shr ecx, 2
0117:9E92 repz movsd <- moves your name to a new location
0117:9E96 pop ecx
0117:9E98 and ecx, 3
0117:9E9C repz movsb
0117:9E9F xor dx, dx
At REPZ MOVSD dump the address in edi. eg:-
>>> D ES:EDI
Now trace past the REPZ MOVSB and you will see your name being copied to the address you dumped. Look at the left side of the data window and note the starting address of your name. It is in the form 253F:00000000; this address may be different on your computer, so take your own. Now we are going to do a PAGE on that address to find the real (linear) address where your name is, then set a breakpoint on that real address. This is done as follows:-
>>> PAGE 253F:00000000 <- your address not this one.
You will see:
Linear    Physical    Attributes    Type
xxxxxxxx  xxxxxxxx    P D A U       System
The address we want is the linear address, so set a breakpoint on that range for the number of characters in your name. Your selector for that segment must be 30. eg:-
>>> BPR 30:xxxxxxxx 30:xxxxxxxx + 8 rw
Now let the program run by pressing F5. Soft-Ice will break at this piece of code:
:00408DC9 repz cmpsb <- our name is compared with the real name
:00408DCB jz 00408DF1
:00408DCD mov al, [esi-01]
:00408DD0 cmp al, 61
:00408DD3 jb 00408DDD
:00408DD5 cmp al, 7A
:00408DD8 ja 00408DDD
At :00408DC9 repz cmpsb dump esi and you will see your name; now dump edi and you will see what your name is compared with. You will see two sets of alphanumeric characters. The first is compared with your name and the second is compared with your password. Write down these two sets of alphanumeric characters. Disable all breakpoints. eg:-
>>> BD *
Let the program run by pressing F5. You are now back at the main program screen.
Select the Help/Registration Information menu item and the reg screen comes up. Now enter the first alphanumeric word in the username field and the second one in the password field and click Register. A messagebox pops up telling you thanks for registering.
FINAL WORDS
You can also register this program by changing the lowercase letters in the regcodes to capital letters. Applet Button Factory v4.5 has the same protection scheme but the codes are different. You can crack it by doing exactly what you did with Applet Marquee Wizard v3.5.
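Two weaknesses in this scheme stand out from the essay: the genuine name and password sit in the binary as plaintext and are compared byte for byte at the repz cmpsb (so a memory dump at the compare exposes them), and the a..z range check after the failed compare folds case, which is why capitalised codes also register. The example below is added here and is not code from the essay or from Silicon Joy Software; the codes, salt and the case-folding behaviour it models are constructed assumptions. It places a model of the weak check next to a hardened form that stores only a salted digest and compares exactly and in constant time.

```python
import hashlib
import hmac

# Constructed placeholder codes. They stand in for the program's hard-coded
# pair and are NOT the real Applet Marquee Wizard or Applet Button Factory codes.
HARD_CODED_NAME = "abc123xyz"
HARD_CODED_PASSWORD = "zyx321cba"


def _fold_lowercase_to_upper(s: str) -> str:
    """Model of the a..z range check in the disassembly (cmp al,61 / cmp al,7A):
    any byte between 'a' and 'z' is treated as its capital form. This is an
    assumption about the mismatch path, and it explains why the codes typed
    in capitals are accepted too."""
    return "".join(chr(ord(c) - 0x20) if "a" <= c <= "z" else c for c in s)


def weak_stored_material() -> bytes:
    """What the weak scheme keeps in the binary: the secrets themselves."""
    return (HARD_CODED_NAME + "\x00" + HARD_CODED_PASSWORD).encode()


def weak_check(name: str, password: str) -> bool:
    """Model of the scheme in the essay: plaintext secrets, byte-for-byte
    compare (repz cmpsb), case folded. Dumping ESI/EDI at the compare shows
    both the user's input and the genuine codes side by side."""
    return (_fold_lowercase_to_upper(name) == _fold_lowercase_to_upper(HARD_CODED_NAME)
            and _fold_lowercase_to_upper(password) == _fold_lowercase_to_upper(HARD_CODED_PASSWORD))


# Hardened form. The salt is a constructed value; the digest is derived at
# import time from the constructed codes only so this file runs stand-alone.
# A shipping product would embed the precomputed salt and digest and never
# the plaintext pair.
SALT = b"constructed-salt-value"


def derive_digest(name: str, password: str, salt: bytes) -> bytes:
    """Salted SHA-256 over name and password; the NUL separator keeps
    ("ab","c") and ("a","bc") from colliding."""
    return hashlib.sha256(salt + name.encode() + b"\x00" + password.encode()).digest()


STORED_DIGEST = derive_digest(HARD_CODED_NAME, HARD_CODED_PASSWORD, SALT)


def hardened_stored_material() -> bytes:
    """What the hardened scheme keeps in the binary: salt and digest only."""
    return SALT + STORED_DIGEST


def hardened_check(name: str, password: str) -> bool:
    """Exact-case, constant-time comparison of digests. A memory dump at the
    compare reveals two hashes, not the genuine codes, and a capitalised
    variant of the codes no longer verifies."""
    candidate = derive_digest(name, password, SALT)
    return hmac.compare_digest(candidate, STORED_DIGEST)


if __name__ == "__main__":
    print("weak, exact case     :", weak_check("abc123xyz", "zyx321cba"))
    print("weak, capitalised    :", weak_check("ABC123XYZ", "ZYX321CBA"))
    print("hardened, exact case :", hardened_check("abc123xyz", "zyx321cba"))
    print("hardened, capitalised:", hardened_check("ABC123XYZ", "ZYX321CBA"))
    print("plaintext in hardened module:", b"zyx321cba" in hardened_stored_material())
```

Hashing removes the secret from the process image and closes the case-folding hole, but it does not change the shape of the decision: a single conditional jump after the compare is still what gates registration, and anyone with the binary can patch it. A digest comparison is the fix for leaking the codes, not a substitute for license checks that the client cannot resolve on its own.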
I would like to say thanks to +Fravia, Sandman, CrackZ, Cruehead, Iczelion and all the others out there who help by providing the knowledge to make this possible.