Well, I thought nobody would need a tutorial for that program, but one newbie asked for one (perhaps he hasn't even "tried" to crack it), because he got lost in the program (??). So here it is:
Step 1

Well, let's run the target and see what we can find out. A nag screen appears saying "SimulBrowse 1.5 is shareware ...". This looks like a standard message box, so press OK. Go to the Help menu and choose Register. Now a dialog titled "Validation" asks for our User Name and Registration Number. Enter "Cracking Tutorial" and "999999999" and press OK. You get "Your registration user name and password could not be validated". Press OK and exit the application. The nag screen pops up once again and then the application exits. So we know enough to take our disassembler and have a look at the program in
Step 2
Now choose String Reference and look for interesting strings. I found the following interesting:

" - UNREGISTERED VERSION"
"SimulBrowse 1.5 is shareware. "
"Software\SeaglassSoftware\SimulBrowse"
"Software\SeaglassSoftware\SimulBrowse\"
"Software\SeaglassSoftware\SimulBrowse\CurrentV"
"Thank you for registering SimulBrowse."
"Validation"
"Your registration user name and "
Step 3
We want to go to the Validation function, so double-click on "Validation". You'll get this:

* Possible StringData Ref from Code Obj ->"User"
|
:00457B17   mov ecx, 00457B6C
|
* Possible StringData Ref from Code Obj ->"Validation"

We want to be where this location was called from, so scroll up a few lines until you find

* Referenced by a CALL at Address:
|:00457DE1
So let's go to 457DE1. You'll get

:00457D56   call 0042F470
:00457D5B   mov eax, dword ptr [ebp-0C]
:00457D5E   cmp dword ptr [eax+00000150], 00000001
:00457D65   jne 00457DF3                          ; jump out of the function
...
...
...
:00457DB8   call 0045767C
:00457DBD   cmp dword ptr [ebp-08], 00000000      ; have we entered something?
:00457DC1   je 00457DE8                           ; if not, jump to the invalid code message
:00457DC3   mov eax, dword ptr [ebp-08]           ; the right serial # is now held in EAX
:00457DC6   mov edx, dword ptr [ebp-04]
:00457DC9   mov edx, dword ptr [edx+3C]           ; our serial # is now held in EDX
:00457DCC   call 00403CF8                         ; compare the right serial # with what we entered
:00457DD1   jne 00457DE8                          ; if they're not equal, jump to the invalid code message
:00457DD3   mov edx, dword ptr [ebp-04]
:00457DD6   mov eax, dword ptr [ebp-04]
:00457DD9   call 00457A94
:00457DDE   mov eax, dword ptr [ebp-04]
:00457DE1   call 00457AE4                         ; we land here
:00457DE6   jmp 00457DF3                          ; jump out of the function
Have you noticed those jumps to 457DF3 and 457DE8? 457DF3 simply jumps out of the function; 457DE8 jumps to the invalid code message.
Step 4

We can see the serial # we entered if we do a D EDX just before that CALL 00403CF8 ... and guess what's in EAX. Or we can trace through that call. So our registration code for "Cracking Tutorial" is "574368372017". BTW, it's not important whether you write a capital letter or not.
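The weakness the listing exposes is a design one: the program derives the one correct serial for the entered name itself, so at 00457DCC the right value sits in EAX beside the typed value in EDX, and both the value and the derivation ship with the product. The following is an added example, not SimulBrowse's code or anything from the tutorial's author; the function names (weakSerial, validateWeak, issueSerial, validateSigned) are my own, and weakSerial is a constructed stand-in derivation that only reproduces the shape of the check, not SimulBrowse's algorithm (it does not produce "574368372017"). Beside it is the scheme a vendor would use instead: the serial is an Ed25519 signature over the name, issued with a private key that never leaves the vendor, while the client holds only the public key and so never materialises a "right serial" at all. Note what this does and does not buy: nobody can mint serials for other names without the vendor's key, but the client's decision still ends in a conditional branch exactly like the jne at 00457DD1, so it protects the serial, not the check itself.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base32"
	"fmt"
	"strings"
)

// weakSerial is a constructed stand-in (FNV-1a over the upper-cased name, printed
// as twelve digits). It has the same SHAPE as the check in the listing, where the
// client derives the single valid serial, but it is NOT SimulBrowse's algorithm.
func weakSerial(name string) string {
	var h uint64 = 14695981039346656037 // FNV-1a 64-bit offset basis
	for _, c := range strings.ToUpper(name) {
		h ^= uint64(c)
		h *= 1099511628211 // FNV-1a 64-bit prime (wraps mod 2^64)
	}
	return fmt.Sprintf("%012d", h%1000000000000)
}

// validateWeak mirrors the listing: the expected serial is materialised (EAX there),
// the entered one sits beside it (EDX), and a plain comparison decides.
func validateWeak(name, entered string) bool {
	expected := weakSerial(name)
	return expected == entered
}

// Base32 without padding: A-Z and 2-7 only, so the serial can be typed into a dialog
// and case can be folded before decoding.
var serialEnc = base32.StdEncoding.WithPadding(base32.NoPadding)

// issueSerial runs at the vendor only. The serial is an Ed25519 signature over the
// normalised name; nothing in the client can produce one.
func issueSerial(priv ed25519.PrivateKey, name string) string {
	sig := ed25519.Sign(priv, []byte(strings.ToUpper(name)))
	return serialEnc.EncodeToString(sig)
}

// validateSigned is the part that would ship in the client. It holds only the public
// key, derives nothing, and can only answer whether the typed value verifies for the
// name. Case is folded on both inputs, matching the note in Step 4.
func validateSigned(pub ed25519.PublicKey, name, entered string) bool {
	sig, err := serialEnc.DecodeString(strings.ToUpper(entered))
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false // malformed input is rejected before Verify is reached
	}
	return ed25519.Verify(pub, []byte(strings.ToUpper(name)), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // vendor keypair, generated here for the demo
	if err != nil {
		panic(err)
	}
	name := "Cracking Tutorial"
	fmt.Println("weak scheme accepts its own derived serial:", validateWeak(name, weakSerial(name)))
	serial := issueSerial(priv, name)
	fmt.Println("signed serial:", serial)
	fmt.Println("client verifies it:", validateSigned(pub, name, serial))
	fmt.Println("same serial for another name:", validateSigned(pub, "Someone Else", serial))
}
```

Running it prints true for the weak scheme's self-check, the 103-character signed serial, true for the client verification, and false when the same serial is presented with a different name. The point to take from the two functions side by side is where the secret lives: in validateWeak the derivation and the answer are both inside the binary being inspected, whereas in validateSigned the only thing in the binary is a public key.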
This tutorial was written by TORN@DO. I hope you enjoyed reading it as much as I enjoyed writing it; I'm always trying to improve my writing skills.

I'd like to greet the following people (in no specific order):

+ORC, Fravia, nIabI, JosephCo, Razzia, MisterE, Krazy_N, Vizion, YOSHi, Qapla, Odin, everyone in #Cracking and in #Cracking4Newbies ... and everyone else I forgot.