			
			How To Register Deep Pockets 1.0
			--------------------------------	
				A password tutorial
					by
				
				  Mister Legend


introduction:

	Hi everybody. This is my *very first* cracking tutorial, please respect that :)
	That's it for the introduction. Now on to the real stuff: let's twist!

target: Deep Pockets 1.0 (rocketdownload.com/prgs/deepp.exe)
tools:
	W32DASM (I used 8.9 for the job)

part 1: Examine the target

	Run deepp.exe. In the title bar you will see that unpleasant message saying
	"EVALUATION COPY". It won't keep you from playing the game, but the mere idea of
	using UNREGISTERED shareware gets on your nerves, doesn't it? Let's register it!

	Go to Help|Register and you will see a *Good Old Register Dialog* that lets you
	enter a Name and a Registration code. Type in some crap and hit [ENTER]. =boom=
	"Invalid serial number". Keep that message in mind...

part 2: Find the code

	Load deepp.exe in W32DASM (File|Open File...).
	Remember what happened when we tried to register: Deep Pockets presented you with a
	MessageBox saying "Invalid serial number". Let's go and find it!
	Go to Refs|String Data Refs. Double-click on the string "Invalid serial number".
	Then close the Reference window. You'll see the following code:

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004016C0(C), :004016CF(C), :004016E4(C)
|
:00401758 6A30                    push 00000030

* Possible StringData Ref from Data Obj ->"Deep Pockets"
                                  |
:0040175A 687C004100              push 0041007C

* Possible StringData Ref from Data Obj ->"Invalid serial number"
                                  |
:0040175F 68CC004100              push 004100CC
:00401764 56                      push esi

* Reference To: USER32.MessageBoxA, Ord:0188h
                                  |
:00401765 FF156C544100            Call dword ptr [0041546C]
:0040176B EB04                    jmp 00401771

	
	That's our MessageBox: we have found it!
	OK, let's see... the "Referenced by" banner above it says this MessageBox is reached
	by conditional jumps from three addresses:

	004016C0, 004016CF, and 004016E4

 	Looks like three successive BAD jumps. Scroll up to address 004016C0;
	this is what you should see:



:004016B5 8B3D5C534100    mov edi, dword ptr [0041535C] <- load an imported function's address into edi;
:004016BB 50              push eax			   it's called twice below, and neither call is the serial check
:004016BC FFD7            call edi			<- call imported function, 1st time
:004016BE 85C0            test eax, eax				   
:004016C0 0F8492000000    je 00401758			<- bad jump nr.1
:004016C6 8D442408        lea eax, dword ptr [esp+08]			
:004016CA 50              push eax
:004016CB FFD7            call edi			<- call imported function, 2nd time
:004016CD 85C0            test eax, eax				   
:004016CF 0F8483000000    je 00401758			<- bad jump nr.2
:004016D5 8D442408        lea eax, dword ptr [esp+08]
:004016D9 50              push eax
:004016DA E871FDFFFF      call 00401450			<- so this must be the routine that does
:004016DF 83C404          add esp, 00000004		   the comparing
:004016E2 85C0            test eax, eax
:004016E4 7472            je 00401758			<- bad jump nr.3: wrong serial!
:004016E6 8D442408        lea eax, dword ptr [esp+08]
:004016EA 8D4C2418        lea ecx, dword ptr [esp+18]
:004016EE 50              push eax
:004016EF 51              push ecx
:004016F0 E84BFEFFFF      call 00401540			<- writes deepp.ini (not needed for the crack,
:004016F5 83C408          add esp, 00000008		   though interesting: don't go there before
:004016F8 85C0            test eax, eax			   you've finished)
:004016FA 7447            je 00401743			<- some registration-error jump
:004016FC 6A40            push 00000040				    
									    
* Possible StringData Ref from Data Obj ->"Deep Pockets" <- this is where we end up when none of
                          |			            the bad jumps is taken
:004016FE 687C004100      push 0041007C							  

* Possible StringData Ref from Data Obj ->"Successfull registration, thank "	<- looks nice!
                                        ->"you!"
                          |
:00401703 68FC004100      push 004100FC
:00401708 56              push esi

* Reference To: USER32.MessageBoxA, Ord:0188h				
                          |					   
:00401709 FF156C544100    Call dword ptr [0041546C]
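W32DASM got those "Referenced by" addresses by walking the code and noting every jump or call whose target is the address at hand, and every push of an immediate equal to a string's address. As an added example (not part of the original tutorial, and not how W32DASM itself is implemented), here is that bookkeeping redone in C over the instruction bytes listed above. Instruction boundaries and bytes are copied from the listing; only the opcode forms that occur there are decoded.

```c
/* Added example, not part of the original tutorial: recompute the
 * "Referenced by ... Jump at Addresses" cross-references from the
 * instruction bytes W32DASM listed above.  Instruction boundaries and
 * bytes are copied from the listing; only the opcode forms that occur
 * there are decoded (push imm32, jmp/je rel8, je rel32, call rel32). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct insn { uint32_t addr; const char *hex; };

/* The two code ranges shown in part 2, exactly as listed. */
static const struct insn listing[] = {
    {0x004016B5, "8B3D5C534100"}, {0x004016BB, "50"},           {0x004016BC, "FFD7"},
    {0x004016BE, "85C0"},         {0x004016C0, "0F8492000000"}, {0x004016C6, "8D442408"},
    {0x004016CA, "50"},           {0x004016CB, "FFD7"},         {0x004016CD, "85C0"},
    {0x004016CF, "0F8483000000"}, {0x004016D5, "8D442408"},     {0x004016D9, "50"},
    {0x004016DA, "E871FDFFFF"},   {0x004016DF, "83C404"},       {0x004016E2, "85C0"},
    {0x004016E4, "7472"},         {0x004016E6, "8D442408"},     {0x004016EA, "8D4C2418"},
    {0x004016EE, "50"},           {0x004016EF, "51"},           {0x004016F0, "E84BFEFFFF"},
    {0x004016F5, "83C408"},       {0x004016F8, "85C0"},         {0x004016FA, "7447"},
    {0x004016FC, "6A40"},         {0x004016FE, "687C004100"},   {0x00401703, "68FC004100"},
    {0x00401708, "56"},           {0x00401709, "FF156C544100"},
    {0x00401758, "6A30"},         {0x0040175A, "687C004100"},   {0x0040175F, "68CC004100"},
    {0x00401764, "56"},           {0x00401765, "FF156C544100"}, {0x0040176B, "EB04"},
};
#define NINSN (sizeof listing / sizeof listing[0])

enum ref_kind { REF_NONE, REF_BRANCH, REF_IMM };

static size_t hex_to_bytes(const char *hex, uint8_t *out) {
    size_t n = strlen(hex) / 2;
    for (size_t i = 0; i < n; i++) {
        unsigned v = 0;
        sscanf(hex + 2 * i, "%2x", &v);
        out[i] = (uint8_t)v;
    }
    return n;
}

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* What does one instruction point at?  Relative branches are measured from
 * the address of the *next* instruction, which is why "je 00401758" at
 * 004016C0 is encoded 0F84 92000000: 004016C6 + 92h = 00401758. */
static enum ref_kind insn_ref(const struct insn *in, uint32_t *ref) {
    uint8_t b[16] = {0};
    size_t len = hex_to_bytes(in->hex, b);
    uint32_t next = in->addr + (uint32_t)len;
    if (b[0] == 0x68 && len == 5) {                      /* push imm32   */
        *ref = le32(b + 1);         return REF_IMM;
    }
    if ((b[0] == 0x74 || b[0] == 0xEB) && len == 2) {    /* je/jmp rel8  */
        *ref = next + (int8_t)b[1]; return REF_BRANCH;   /* sign-extended disp */
    }
    if (b[0] == 0x0F && b[1] == 0x84 && len == 6) {      /* je rel32     */
        *ref = next + le32(b + 2);  return REF_BRANCH;   /* wraps mod 2^32 = signed add */
    }
    if (b[0] == 0xE8 && len == 5) {                      /* call rel32   */
        *ref = next + le32(b + 1);  return REF_BRANCH;
    }
    return REF_NONE;
}

/* Addresses of all instructions of kind `want` that reference `target`,
 * in listing order: this is what the "Referenced by" banner prints. */
static size_t xrefs_to(uint32_t target, enum ref_kind want, uint32_t *out, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i < NINSN && n < max; i++) {
        uint32_t ref = 0;
        if (insn_ref(&listing[i], &ref) == want && ref == target)
            out[n++] = listing[i].addr;
    }
    return n;
}

int main(void) {
    uint32_t refs[8];
    size_t n = xrefs_to(0x00401758, REF_BRANCH, refs, 8);
    printf("* Referenced by a Jump at Addresses:\n|");
    for (size_t i = 0; i < n; i++) printf("%s:%08X", i ? ", " : "", refs[i]);
    printf("\n* pushes of \"Invalid serial number\" (004100CC): %zu\n",
           xrefs_to(0x004100CC, REF_IMM, refs, 8));
    return 0;
}
```

The same arithmetic lets you check a listing by hand: the short je at 004016E4 is 74 72, the next instruction is at 004016E6, and 004016E6 + 72h = 00401758, so all three bad jumps really do land on the "Invalid serial number" box. The two calls decode the same way (004016DF - 28Fh = 00401450, 004016F5 - 1B5h = 00401540).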
 
	
part 3: "Decipher" the password

	Look at the comments I added for you in part 2: now you know what to do next:
	go to 00401450!
	You will see this:


:00401450 83EC18                  sub esp, 00000018		
:00401453 8D442400                lea eax, dword ptr [esp]
:00401457 56                      push esi
:00401458 57                      push edi
:00401459 50                      push eax
.....

Looks a bit puzzling, doesn't it? IGNORE it, just scroll down a few lines until you see
a lot of cmp's and jne's. The routine reads eight bytes of your serial, from [esi] to
[esi+07] (plus the terminating zero at [esi+08]), and compares each with what -let me
tell you- it should be: the real code! Note the pattern: some bytes are compared with a
constant directly, others only through their difference from an earlier byte, so you
have to work them out in order. I will call them byte 0 to byte 8; follow me
(use the ASCII table at the bottom):

:004014B5 8A06                    mov al, byte ptr [esi]	<- get byte 0
:004014B7 3C30                    cmp al, 30			   byte 0 = 30h ="0"
:004014B9 7573                    jne 0040152E
:004014BB 0FBED0                  movsx edx, al			<- al should be 30h -> edx = 30h
:004014BE 0FBE4E01                movsx ecx, byte ptr [esi+01]	<- get byte 1 in ecx
:004014C2 8BFA                    mov edi, edx			<- edi = 30h
:004014C4 2BF9                    sub edi, ecx			<- 30h minus byte 1
:004014C6 83FFFC                  cmp edi, FFFFFFFC		<- must be -4, so byte 1 = 34h = "4"
:004014C9 7563                    jne 0040152E
:004014CB 8B7C241C                mov edi, dword ptr [esp+1C]	<
:004014CF 81E7FFFFFF7F            and edi, 7FFFFFFF		<  tests that the 8-byte value at [esp+18]
:004014D5 0B7C2418                or edi, dword ptr [esp+18]	<  is nonzero (sign bit masked); no serial
:004014D9 7453                    je 0040152E			<  bytes involved: IGNORE
:004014DB 384602                  cmp byte ptr [esi+02], al	<- byte 2 = al = 30h = "0" 
:004014DE 754E                    jne 0040152E
:004014E0 0FBE7E03                movsx edi, byte ptr [esi+03]  <- get byte 3 in edi
:004014E4 8BC1                    mov eax, ecx			<- eax=byte 1 = 34h
:004014E6 2BC7                    sub eax, edi			<- 34h minus byte 3
:004014E8 83F8FB                  cmp eax, FFFFFFFB		<- must be -5, so byte 3 = 39h = "9"
:004014EB 7541                    jne 0040152E
:004014ED 807E0457                cmp byte ptr [esi+04], 57	<- byte 4 = 57h = "W"
:004014F1 753B                    jne 0040152E
:004014F3 807E0547                cmp byte ptr [esi+05], 47	<- byte 5 = 47h = "G"
:004014F7 7535                    jne 0040152E
:004014F9 8B44240C                mov eax, dword ptr [esp+0C]	<
:004014FD 25FFFFFF7F              and eax, 7FFFFFFF		<  same test on the 8-byte value at
:00401502 0B442408                or eax, dword ptr [esp+08]	<  [esp+08]; again no serial bytes
:00401506 7426                    je 0040152E			<  involved: IGNORE
:00401508 0FBE4606                movsx eax, byte ptr [esi+06]  <- get byte 6 in eax
:0040150C 2BF8                    sub edi, eax			<- 39h (byte 3) minus byte 6
:0040150E 2BF9                    sub edi, ecx			<- minus 34h (byte 1)
:00401510 03FA                    add edi, edx			<- plus 30h (byte 0)
:00401512 83FF03                  cmp edi, 00000003		<- must be 3, so byte 6 = 32h = "2"
:00401515 7517                    jne 0040152E
:00401517 807E0750                cmp byte ptr [esi+07], 50	<- byte 7 = 50h = "P"
:0040151B 7511                    jne 0040152E
:0040151D 807E0800                cmp byte ptr [esi+08], 00	<- byte 8 must be 00h (end of string: exactly 8 chars)
:00401521 750B                    jne 0040152E

* Possible Reference to Menu: MenuID_0001 		<- W32DASM guessing about the immediate 1; ignore
                                  |
:00401523 B801000000              mov eax, 00000001		<- return 1 = good serial; eax is tested at :004016E2
:00401528 5F                      pop edi
:00401529 5E                      pop esi
:0040152A 83C418                  add esp, 00000018
:0040152D C3                      ret

	OK, let's put bytes 0 to 7 together (byte 8 = 00h is just the string terminator) and get the
	magic key:
	0 4 0 9 W G 2 P   ->  0409WG2P  (uppercase, no spaces)
	WOW! We did it! Now let's see if this works...
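As an added example (not code from Deep Pockets or from the original tutorial), here is the check at 00401450 rewritten in C, one `if` per cmp/jne, followed by a solver that derives the key from the same constraints. The two `and 7FFFFFFF / or / je` blocks marked IGNORE above are left out, since they do not touch the serial bytes. Because every relational check pins exactly one new byte given the earlier ones, the solver also shows why there is only one valid key.

```c
/* Added example, not part of the original tutorial: the serial check at
 * 00401450 re-expressed in C, plus a solver for the constraints it encodes.
 * Addresses in the comments refer to the W32DASM listing above. */
#include <stdio.h>
#include <string.h>

/* Mirror of the cmp/jne chain. `s` is the NUL-terminated text typed into the
 * registration dialog (esi in the listing). Returns 1 for a good serial and
 * 0 otherwise, like eax at 00401523 / 0040152E. The listing sign-extends the
 * bytes (movsx) before subtracting, hence signed char arithmetic here.
 * Every constant and every difference is non-zero-incompatible, so a NUL
 * fails the check it meets and nothing past the terminator is ever read. */
static int check_serial(const char *s) {
    const signed char *b = (const signed char *)s;
    if (b[0] != 0x30) return 0;                    /* 004014B7: byte 0 == '0'             */
    int edx = b[0];                                /* 004014BB: movsx edx, al             */
    int ecx = b[1];                                /* 004014BE: movsx ecx, [esi+1]        */
    if (edx - ecx != -4) return 0;                 /* 004014C6: byte0 - byte1 == -4       */
    if (b[2] != b[0]) return 0;                    /* 004014DB: byte 2 == byte 0          */
    int edi = b[3];                                /* 004014E0: movsx edi, [esi+3]        */
    if (ecx - edi != -5) return 0;                 /* 004014E8: byte1 - byte3 == -5       */
    if (b[4] != 0x57) return 0;                    /* 004014ED: 'W'                       */
    if (b[5] != 0x47) return 0;                    /* 004014F3: 'G'                       */
    int eax = b[6];                                /* 00401508: movsx eax, [esi+6]        */
    if (edi - eax - ecx + edx != 3) return 0;      /* 00401512: byte3-byte6-byte1+byte0 == 3 */
    if (b[7] != 0x50) return 0;                    /* 00401517: 'P'                       */
    if (b[8] != 0x00) return 0;                    /* 0040151D: exactly eight characters  */
    return 1;                                      /* 00401523: mov eax, 1                */
}

/* Solve the constraints forwards. Bytes 0, 4, 5, 7 are fixed constants,
 * byte 2 copies byte 0, and each difference check determines one byte from
 * the ones before it, so the key is unique. Writes 8 chars plus NUL. */
static void solve_serial(char out[9]) {
    out[0] = 0x30;                                      /* '0'                       */
    out[1] = (char)(out[0] + 4);                        /* byte0 - byte1 == -4       */
    out[2] = out[0];                                    /* byte2 == byte0            */
    out[3] = (char)(out[1] + 5);                        /* byte1 - byte3 == -5       */
    out[4] = 0x57;                                      /* 'W'                       */
    out[5] = 0x47;                                      /* 'G'                       */
    out[6] = (char)(out[3] - out[1] + out[0] - 3);      /* byte3-byte6-byte1+byte0 == 3 */
    out[7] = 0x50;                                      /* 'P'                       */
    out[8] = 0;
}

int main(void) {
    char key[9];
    solve_serial(key);
    printf("derived key: %s  -> check_serial = %d\n", key, check_serial(key));
    printf("lowercase p: %d, too long: %d, empty: %d\n",
           check_serial("0409WG2p"), check_serial("0409WG2PX"), check_serial(""));
    return 0;
}
```

The 2BF9 / 83FFFC pair is why byte 1 cannot be read straight off a constant: the check is on its difference to byte 0. The movsx also means a byte of 80h or above would be treated as negative in those subtractions, which the signed char cast reproduces; with this key every byte is plain ASCII, so it never matters here.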
	
part 4: Register! (the kick ;)

	Run deepp.exe.
	Go to Help|Register, with good feelings this time.
	Enter the key..... =boom= "Successfull registration, thank you!"

	Congratulations: you have just cracked Deep Pockets!
	
	Greetingz to all the crackers at c4n
	Special thanx go out to: elmopio, for the nice little target (heh)


	Mister Legend/iNSiDE - '98				
	(contact me at #cracking4newbies or #iNSiDE)

                                

				ASCII CODES


Graphic Characters

     20(32)        30(48)  0     40(64)  @     50(80)  P     60(96)   ` *   70(112)  p
     21(33)  !     31(49)  1     41(65)  A     51(81)  Q     61(97)   a     71(113)  q
     22(34)  "     32(50)  2     42(66)  B     52(82)  R     62(98)   b     72(114)  r
     23(35)  #     33(51)  3     43(67)  C     53(83)  S     63(99)   c     73(115)  s
     24(36)  $     34(52)  4     44(68)  D     54(84)  T     64(100)  d     74(116)  t
     25(37)  %     35(53)  5     45(69)  E     55(85)  U     65(101)  e     75(117)  u
     26(38)  &     36(54)  6     46(70)  F     56(86)  V     66(102)  f     76(118)  v
     27(39)  '     37(55)  7     47(71)  G     57(87)  W     67(103)  g     77(119)  w
     28(40)  (     38(56)  8     48(72)  H     58(88)  X     68(104)  h     78(120)  x
     29(41)  )     39(57)  9     49(73)  I     59(89)  Y     69(105)  i     79(121)  y
     2A(42)  *     3A(58)  :     4A(74)  J     5A(90)  Z     6A(106)  j     7A(122)  z
     2B(43)  +     3B(59)  ;     4B(75)  K     5B(91)  [     6B(107)  k     7B(123)  { *
     2C(44)  ,     3C(60)  <     4C(76)  L     5C(92)  \ *   6C(108)  l     7C(124)  | *
     2D(45)  -     3D(61)  =     4D(77)  M     5D(93)  ]     6D(109)  m     7D(125)  } *
     2E(46)  .     3E(62)  >     4E(78)  N     5E(94)  ^ *   6E(110)  n     7E(126)  ~ *
     2F(47)  /     3F(63)  ?     4F(79)  O     5F(95)  _     6F(111)  o     7F(127)  DEL   delete