MusicMatch Jukebox v2.51 - Tutorial

http://www.musicmatch.com - Webpage (6.39Mb).

After reverse engineering v2.01 of MusicMatch Jukebox some six months ago (a tutorial in which I highlighted the weakness of the protection scheme), I've decided to re-acquaint myself with this rather good MP3 player. The protection scheme hasn't changed a great deal (we've still got a serial/upgrade key), but we might expect some improvements. The first of these is apparent when you follow the traditional "purchase by phone" option: the default serial number structure has changed. Mine is 43983-751F7-14F0E-C43E0; I believe this serial number is determined by your user details. Naturally, for this tutorial I was not foolish enough to use my real name.

We proceed onwards, following the prompts and eventually reaching the insert-unlock-code stage. What we'll discover, as with many VB schemes, is that the algorithm writer was either too lazy or too stupid to do anything revolutionary: the unlock code is most probably of the form xxxxx-xxxxx-xxxxx-xxxxx, as per the serial #. Unlike the previous version, the nag box has been removed in favour of a message beep (rtcBeep, address 0067C460 in mmjb.exe).

We could elect to disassemble mmjb.exe and work our way back to the deciding jump, or set breakpoints and try to reach it manually (SmartCheck is also an option). I took the relaxed approach with W32Dasm, but there isn't any good reason why you can't bpx MultiByteToWideChar and use SoftICE to trace through the actual scheme.

:0067B7A3 MOV EDX, DWORD PTR [0069F290] <-- Code entered.
:0067B7A9 PUSH EDX <-- Push entered code.
:0067B7AA CALL 00661780 <-- Protection routine.
:0067B7AF CMP AX, FFFF <-- Check AX.
:0067B7B3 JNZ 0067C459 <-- Jump_bad.

The return value in AX depends on the value of the word ptr [EBP-30]; you'll easily see how the functions work to achieve this. In fact much of 00661780 is devoted to string moving/copying. Note that before we reached here the program called a Mid$ function to strip away the hyphens; the length is checked on both strings, 18h (with hyphens) and 14h (without). You can hack your way through the manipulations if you so please; I'm not a VB programmer, so I had to make do with the API manual.

Fatally, MusicMatch offer lifetime upgrades for their product, which means that the fundamental protection can't have changed (the license file License.mml still stores the registration details, but registry keys control the registered/not registered status). You can open the license file with a text editor; there aren't any aesthetic gains in specifying a user name, so we can easily create a generic registry license file. Finding your real code is very easy indeed: first reach the deciding check above and reverse the jump, then continue tracing to this code.

:0067B86D MOV EDX,EAX <-- Good code is in EAX/EDX.

Sadly, all you need now is your favourite pen and paper and a willingness to register this software. The patchers amongst you might like to consider an in-memory approach with a message box which displays the good code; evidently you can depend on the real code's location. My unlock code (for anyone coding a keygen) was 0198B-5F020-E34F2-180B4.
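The two weaknesses the tutorial leans on are that the program derives the valid unlock code locally (so it sits in EAX before the compare) and that the license file is plain text that anyone can edit. As an added example, not code from the original page or from MusicMatch, here is a Go sketch of a license design that removes both: the vendor signs the serial and user name with an Ed25519 private key, and the client only verifies with an embedded public key. The License type, function names, fixed seed and "constructed user" are assumptions for the example; the xxxxx-xxxxx-xxxxx-xxxxx layout and the 0x14 hyphen-free length come from the tutorial.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"strings"
)

// License is a signed record a vendor can issue instead of a bare unlock code the client recomputes (constructed; not the License.mml layout).
type License struct {
	Serial string // xxxxx-xxxxx-xxxxx-xxxxx as in the tutorial, stored hyphen-free
	Name   string
	Sig    []byte // ed25519 signature over Serial|Name
}

// NormalizeCode mirrors the tutorial's Mid$ step: strip the three hyphens and
// require the 0x14-character hex form before anything is compared or signed.
func NormalizeCode(code string) (string, bool) {
	norm := strings.ReplaceAll(strings.ToUpper(code), "-", "")
	if strings.Count(code, "-") != 3 || len(norm) != 0x14 || strings.Trim(norm, "0123456789ABCDEF") != "" {
		return "", false
	}
	return norm, true
}

// GenKeys is vendor-side; only pub ships in the client. The fixed seed is a constructed placeholder for reproducibility; a real key comes from crypto/rand.
func GenKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed([]byte("constructed-32-byte-seed-value!!"))
	return priv.Public().(ed25519.PublicKey), priv
}

// Issue runs at the vendor with the private key; ok is false for a bad serial.
func Issue(priv ed25519.PrivateKey, serial, name string) (License, bool) {
	norm, ok := NormalizeCode(serial)
	return License{norm, name, ed25519.Sign(priv, []byte(norm+"|"+name))}, ok
}

// Verify is the client-side check: no valid code is derived locally, so there is no "good code in EAX" to trace to, and a hand-edited license fails the signature.
func Verify(pub ed25519.PublicKey, lic License) bool {
	return ed25519.Verify(pub, []byte(lic.Serial+"|"+lic.Name), lic.Sig)
}

func main() {
	pub, priv := GenKeys()
	lic, _ := Issue(priv, "43983-751F7-14F0E-C43E0", "constructed user")
	fmt.Println("genuine:", Verify(pub, lic)) // true
	lic.Name = "edited by hand"
	fmt.Println("tampered:", Verify(pub, lic)) // false
}
```

Patching the JNZ in the client binary is still possible with this design; what it removes is the recoverable good code and the forgeable license file.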

You have finished reading another tutorial courtesy of CrackZ's Reverse Engineering Page.


© 1999 CrackZ. 21st January 1999.