Tutorial Cracking : Any Speed v1.3
Target : Any Speed v1.3
Tool : SoftIce v4.05, Hex Workshop v4.10
Another fairly interesting crack, this, because many newer crackers will have experienced the challenge that this application presents. As you know, my first step in cracking most applications is to take out the disassembler, so don't wait on my account: you'll easily locate our nag at 0046A771 and also some other interesting references concerning Reg_Key & Reg_Name. But there's a problem: just above 0046A771 we'll see this code:
0046A768 7418 JE 004687A2 <-- Jumps Invalid Code Msg.
You reckon that just changing this so it always jumps, say 7418 to EB18, might do the trick. I didn't try it, but I strongly suspect it won't. Now look a little further up the tree, at the caller referenced by the call at 00403DE1, have a look there and you'll see how many functions call this function; it's not going to be easy.
So, let's try the SoftIce approach. You launch the program and up comes the nag, you select Registration Key and it's our old friends, the 2 dialog boxes. You enter some details, toddle over to SoftIce and try GetWindowTextA and GetDlgItemTextA in the hope they work.....and no break. Well, Hmemcpy must do it, you think, but alas no, the program doesn't break on this either, and now if you are a newer cracker you are stuck.
Well, let's try another really great SoftIce feature and cracking approach: the Window Handle, or bmsg, approach.
Enter your details in the 2 boxes and Ctrl+D into SoftIce, then type the following:
>hwnd <-- Displays window handles.
Now scroll the list using the space bar, look at the windows scrolling by, and note this one:
Window-Handle hQueue SZ QOwner Class-Name Window-Proc
04C4(1) 2A1F 32 ANYSPEED TRegistrationDlg 147F:00000B38
Now this looks like the handle of our registration box. Note that the handle will be different each time you do this, so let's bmsg on this handle and the Windows message gettext using the following command in SoftIce:
>bmsg 04C4 wm_gettext (note that wm_command is also good for this situation).
Now, Ctrl+D out of SoftIce and click OK. You'll probably be returned somewhere in Kernel.alloc, but now let's search for the string we entered:
>s 0 l ffffffff '12121212'
I find my string at 00A43078 (and at a load of 8xxxxxxx & Cxxxxxxx locations), but let's dump the memory around the 00A43078 location. At 00A43038 I find an 8-figure string which looks remarkably like a serial #, so let's enter it and see. You know that it works already, and as a side-note, the information gets stored in the registry.
Registration Name: CRACKING TUTORIAL Registration Code: CF9A3A00