"You will need your own Language Compilers, Assemblers and Linkers to use this application."
This program is a 30-day trial, with a nag screen shown each time you run it.
It saves its settings in the Registry under these entries:
HKCU\Software\Software By Design\Programmer's IDE for Windows 95/NT\Registration\Code
HKCU\Software\Software By Design\Programmer's IDE For Windows 95\Registration\Organization
HKCU\Software\Software By Design\Programmer's IDE For Windows 95/NT\Registration\User
To open the 'Registration Screen', select the 'Help' menu, then choose the 'Registration' sub-menu option.
You will be asked to enter:
User Name:
Organization: (optional)
Registration:
Let's have a closer look at this protection routine.
1. When you've done this, fire up SoftICE by pressing CTRL-D.
2. Type: bpx getdlgitemtexta, then x to leave SoftICE.
3. Click on the 'OK' button.
4. SoftICE now breaks at the beginning of the first system call to GetDlgItemTextA. There are three like this: one each for the User, the Organization and the Code.
5. Press x two times, then press F11.
We are now in the program's own code, right after the three input calls. Here is the code:
:0040F951 FFD5              call ebp
:0040F953 8D442410          lea eax, dword ptr [esp+10]   ; <-- we are here
:0040F957 50                push eax                      ; fake s/n (ascii)
:0040F958 E8F3930000        call 00418D50                 ; convert fake s/n to hex
:0040F95D 83C404            add esp, 00000004
:0040F960 8BE8              mov ebp, eax                  ; ebp = hex fake s/n
:0040F962 56                push esi
:0040F963 E8F8780000        call 00417260                 ; generates basic code !
:0040F968 83C404            add esp, 00000004
:0040F96B 3D92A71901        cmp eax, 0119A792             ; author check (1)!
:0040F970 7518              jne 0040F98A
--------- snip snip --------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F970(C)
|
:0040F98A 3D3CCE5F0D        cmp eax, 0D5FCE3C             ; author check (2)!
:0040F98F 750C              jne 0040F99D
--------- snip snip --------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F98F(C)
|
:0040F99D 53                push ebx
:0040F99E 56                push esi
:0040F99F E8EC730000        call 00416D90                 ; <-- we want to get here
:0040F9A4 83C408            add esp, 00000008
:0040F9A7 3BC5              cmp eax, ebp                  ; real = fake ?
:0040F9A9 741E              je 0040F9C9                   ; if yes, jump
:0040F9AB 68CFEA0000        push 0000EACF                 ; else, show wrong key message
OK, we want to get to the routine that generates the real code, so press F10 14 times until you land on this location:
:0040F99F E8EC730000        call 00416D90                 ; <-- we want to get here
When you are on this location, press F8 once (or type t, enter) and we are now in this code:
:00416D90 8B442404          mov eax, dword ptr [esp+04]   ; eax = our name
:00416D94 56                push esi                      ; esi = our name
:00416D95 8B35705D4200      mov esi, dword ptr [00425D70] ; esi = hard coded
:00416D9B 50                push eax                      ; eax = our name
:00416D9C 81CE78030000      or esi, 00000378
:00416DA2 E8B9040000        call 00417260                 ; generate code for name
:00416DA7 83C404            add esp, 00000004
:00416DAA 03F0              add esi, eax                  ; esi = hard coded + code of name
:00416DAC 8B44240C          mov eax, dword ptr [esp+0C]   ; eax = organization
:00416DB0 50                push eax
:00416DB1 E8AA040000        call 00417260                 ; generate code for organization
:00416DB6 83C404            add esp, 00000004
:00416DB9 03C6              add eax, esi                  ; eax = code of organization + esi
:00416DBB 5E                pop esi
:00416DBC C3                ret
Note: when I say "hard coded" (hd), I mean that when the program runs, a lot of addresses in memory are set with values; these values can be numbers, letters or any other characters, and each of them has its own hex value. One way to use these hard-coded hex values is to combine them with the hex values of the characters of the real code, for example by multiplying or dividing. If you follow the next lines, you'll see how the author uses them.
The code above shows how this routine saves the name and goes to generate the code for it, then saves the org and goes to generate the code for it (optional). After the first call to 00417260, the hex code for the name is in register EAX, and it is added to register ESI, which holds the basic hex code moved into it at location 00416D95. After the second call to 00417260, the hex code for the org is in register EAX, and register ESI is added to EAX to hold the full hex reg-code. The ret takes us back to where this routine was called from, to check the *real* code against the one we entered. Now we're ready to look at how it gets generated.
When you are on location 00416DA2 (call 00417260), press F8 to trace into this routine:
(Remember that this routine is used both for the name and for the organization you entered.)
:00417260 53                push ebx                      ; ebx=organization
:00417261 56                push esi                      ; esi=basic code from 00416D95
:00417262 8B74240C          mov esi, dword ptr [esp+0C]   ; address of name
:00417266 57                push edi
:00417267 55                push ebp
:00417268 33FF              xor edi, edi
:0041726A 56                push esi
:0041726B FF15F8B44300      call dword ptr [0043B4F8]     ; check name length
:00417271 85F6              test esi, esi
:00417273 7432              je 004172A7
:00417275 85C0              test eax, eax                 ; eax=0 ? no name/organization?
:00417277 742E              je 004172A7                   ; then jump
:00417279 B900000000        mov ecx, 00000000
:0041727E 7E27              jle 004172A7
(Here is the main loop that calculates each letter of the name/organization)
:00417280 0FBE9C08B89B4200  movsx ebx, byte ptr [eax+ecx+00429BB8] ; ebx=hd
:00417288 0FBE2C0E          movsx ebp, byte ptr [esi+ecx] ; ebp=char of name
:0041728C 8D5101            lea edx, dword ptr [ecx+01]   ; edx=loop count
:0041728F 0FAFDD            imul ebx, ebp                 ; ebx = hd * char
:00417292 0FBE89F09B4200    movsx ecx, byte ptr [ecx+00429BF0] ; ecx=hd
:00417299 0FAFD9            imul ebx, ecx                 ; ebx = ebx * hd
:0041729C 0FAFDA            imul ebx, edx                 ; ebx = ebx * edx
:0041729F 03FB              add edi, ebx                  ; edi = sum of chars code
:004172A1 8BCA              mov ecx, edx                  ; ecx = saves loop count
:004172A3 3BC2              cmp eax, edx                  ; end of string to calculate ?
:004172A5 7FD9              jg 00417280                   ; if not, jump to begin of loop
:004172A7 8BC7              mov eax, edi                  ; eax holds the code at "ret"
You can now go back to location :00416DA7 to see how the registers get manipulated, and how the program goes on to generate the code for the org, if one was entered.
REMEMBER, I'm doing my cracks as a hobby and a challenge, so please, if you like this utility and want to keep using it, support the author and pay for it.
My thanks and gratitude go to:
The Sandman, for all that he is doing for us newbies.
Rhayader, for helping me with Reverse Code Engineering and for useful tips.