April 1999

"Applet Marquee Wizard v3.5"
(Killing two birds with one stone)

Win '95/'98 PROGRAM

Win Code Reversing


by Punisher 


Cracking 4 Newbies 


Program Details
Program Name: Marquee35.zip
Program Type: Marquee Wizard for HTML
Program Location: http://www.coffeecup.com/java/marquee/mirrors1.html
Program Size: 1.15 MB 

   Tools Used:
Soft-Ice -- Debugger

Rating

Easy (X )  Medium (  )  Hard (    )  Pro (    ) 

There is a crack, a crack in everything. That's how the light gets in.

 


Applet Marquee Wizard v3.5

(Killing two birds with one stone)

Written by Punisher

  

Introduction

 
The author(s) of this program can be found at:
http://www.coffeecup.com
 
The author says:
"Welcome to the Applet Marquee Wizard!
The Applet Marquee Wizard offers a fast, simple way to create fascinating Java applets without needing to know any Java code. With the Marquee Wizard, you can enhance your web pages by adding customized Java Marquees.


What does the Marquee Wizard do?
The Marquee Wizard's main purpose is to display images in succession with various visual transitions, effects and web links. You can use them as banner ads at your site or display news and other information."

About this protection system

 

This program checks the user name and password you type against a pair of values hard-coded in the executable. It is pretty easy to crack once you isolate the protection scheme, because the real codes are sitting in memory at the address the comparison routine reads them from.

Registration is via the startup nag screen or the Help/Registration Information menu item. You are asked to enter

Username:

Password:

THE ESSAY

We are going to use this essay to crack two programs, Applet Marquee Wizard and Applet Button Factory v4.5. Both programs were made by Silicon Joy Software, and both use the same stupid protection scheme to protect, or should I say (un)protect, them.

Install Applet Marquee Wizard, from now on referred to as AMW. Run AMW: the main window comes up and then a nag screen appears. The nag tells you that since this is an unregistered copy you can only use the applets you create on a local hard drive. Click the Register button and the Registration window appears. The Applet preview window also appears; close that.

Enter your name and fake password. I use Punisher and 45454545.

Enter Soft-Ice by pressing Ctrl-D. We are going to set a breakpoint on hmemcpy, the 16-bit KERNEL copy routine that Win '9x ends up calling whenever a program reads the text out of an edit box, so type bpx hmemcpy and hit Enter. eg:-

>>> BPX HMEMCPY

Leave Soft-Ice by pressing Ctrl-D. Now click Register and Soft-Ice breaks in KERNEL at the hmemcpy function. This program makes three calls to hmemcpy before going to the protection scheme, so we will skip the first two calls. To do this type X and press Enter twice. eg:-

>>> X [ENTER] <-- press it don't type.

>>> X [ENTER]

We are now at the third call to hmemcpy. We are going to trace through hmemcpy to see where our name is being copied to. Trace using the F10 key until you come to this snippet of code:

0117:9E8E     shr   ecx, 2
0117:9E92 repz movsd <- moves your name to a new location
0117:9E96 pop ecx
0117:9E98 and ecx, 3
0117:9E9C repz movsb
0117:9E9F xor dx, dx

At REPZ MOVSD dump the address in EDI, which is the destination of the copy. eg:-

>>> D ES:EDI

Now trace past the REPZ MOVSB and you will see your name being copied to the address you dumped. Now look at the left side of the data window and note the starting address of your name. It is in the form 253F:00000000; this address will probably be different on your computer, so take your own. That is a selector:offset address, so we use the PAGE command on it to find the linear address where your name really is, and then set a breakpoint on that linear address. This is done by doing the following:-

>>> PAGE 253F:00000000 <- your address not this one.

You will see:

Linear    Physical    Attributes    Type
xxxxxxxx  xxxxxxxx    P D A U       System

The address we want is the linear address, so set a range breakpoint on it covering the number of characters in your name (8 for Punisher). The selector for that range must be 30, the flat selector whose base is 0, so that 30:xxxxxxxx points straight at the linear address. eg:-

>>> BPR 30:xxxxxxxx 30:xxxxxxxx + 8 rw

Now let the program run by pressing F5. Softice will break at this piece of code.

:00408DC9     repz   cmpsb         <- our name is compared with the real name
:00408DCB jz 00408DF1
:00408DCD mov al, [esi-01]
:00408DD0 cmp al, 61
:00408DD3 jb 00408DDD
:00408DD5 cmp al, 7A
:00408DD8 ja 00408DDD

At :00408DC9 repz cmpsb, dump ESI and you will see your name; now dump EDI and you will see what your name is compared with. You will see two sets of alphanumeric characters. The first is compared with your name and the second is compared with your password. Write down these two sets of alphanumeric characters, then disable all breakpoints. eg:-

>>> BD *

Let the program run by pressing F5. You are now back at the main program screen.

Select the Help/Registration Information menu item and the reg screen comes up. Now enter the first alphanumeric word in the Username field and the second one in the Password field and click Register. A message box pops up telling you thanks for registering.

FINAL WORDS

You can also register this program by changing the lowercase letters in the reg codes to capital letters: the code right after repz cmpsb above checks whether a mismatched character lies between 61h ('a') and 7Ah ('z'), which is what a case-insensitive comparison looks like. Applet Button Factory v4.5 has the same protection scheme but the codes are different. You can crack it by doing exactly what you did with Applet Marquee Wizard v3.5.
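The check the program performs at :00408DC9, and the reason the capital-letters trick works, modelled in C as an added example. This is not code from the essay or from the program: the REAL_NAME and REAL_PASSWORD values are made-up placeholders, since the essay never prints the actual codes, and treating a-z and A-Z as equal on both sides of the comparison is an assumption drawn from the cmp al,61 / cmp al,7A range check and from the observation that the capitalised codes also register.

```c
/* Added example: a C model of the hard-coded user name / password check.
 * Not the program's own code. The two "real" codes are placeholders
 * (assumption); the essay does not print the actual values. */
#include <stdio.h>
#include <string.h>

/* Placeholder codes standing in for the two alphanumeric strings that
 * EDI points at when the breakpoint fires (made up for this example). */
static const char REAL_NAME[]     = "abcd1234";
static const char REAL_PASSWORD[] = "wxyz9876";

/* Fold a-z to A-Z. Mirrors the 61h..7Ah range test in the disassembly:
 * only characters in that range are touched, digits pass through. */
static unsigned char fold_upper(unsigned char c)
{
    if (c >= 0x61 && c <= 0x7A)
        return (unsigned char)(c - 0x20);
    return c;
}

/* Model of the repz cmpsb loop: walk both strings byte by byte.
 * A byte-for-byte match keeps the loop going (the jz to the success path
 * is taken when the whole string matches). On a mismatch the program looks
 * at the byte it just compared; here a mismatch is forgiven if the two
 * bytes are the same letter in different case (assumption, see lead-in). */
static int code_matches(const char *entered, const char *real)
{
    size_t n = strlen(real);
    if (strlen(entered) != n)           /* length check is a modelling choice */
        return 0;
    for (size_t i = 0; i < n; i++) {
        if (entered[i] == real[i])      /* repz cmpsb: equal, continue */
            continue;
        if (fold_upper((unsigned char)entered[i]) !=
            fold_upper((unsigned char)real[i]))
            return 0;                   /* mismatch that case folding cannot fix */
    }
    return 1;
}

/* Whole registration check: both fields must match their hard-coded value. */
int is_registered(const char *name, const char *password)
{
    return code_matches(name, REAL_NAME) && code_matches(password, REAL_PASSWORD);
}

int main(void)
{
    /* fake codes from the essay: rejected */
    printf("Punisher/45454545 -> %d\n", is_registered("Punisher", "45454545"));
    /* the codes as stored: accepted */
    printf("abcd1234/wxyz9876 -> %d\n", is_registered("abcd1234", "wxyz9876"));
    /* the same codes with the lowercase letters capitalised: still accepted */
    printf("ABCD1234/WXYZ9876 -> %d\n", is_registered("ABCD1234", "WXYZ9876"));
    return 0;
}
```

Because the comparison is against fixed strings, there is nothing to compute: whatever EDI points at when repz cmpsb runs is the registration code, which is why dumping that address is the whole crack.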


I would like to say thanks to +Fravia, Sandman, CrackZ, Cruehead, Iczelion and all the others out there who help by providing the knowledge to make this possible.


You should buy this program if you intend to use it longer than the evaluation period.
