                    How to crack Lockdown2000 v7.0.0.1?
                    ***********************************
                              by M.o.D. [f2f]

tools used:   - PEditor 1.5  (protools.exit.de or come.to/f2f :)
              - SoftIce 4.05 (protools.exit.de)
              - Hiew    6.x  (protools.exit.de)
              - Filemon 4.28 (www.sysinternals.com)

download:     - www.lockdown2000.com

Hi there!

Ok, install Lockdown and start it. We see an Unlock button and a time limit ( 10 days ).
We want to patch Lockdown so that it runs without a valid unlock code.
Close Lockdown, open Filemon and use the filter so that only Lockdown's file accesses are shown.
Start our target and look at the file accesses. You should notice that Lockdown opens
"LD2KReg.ini" to look for the valid code. We will use this to set a nice breakpoint in
SoftIce, but first we have to unpack Lockdown (packed with PKLiTE).
I think you can use Progdump, but I did it myself.

Unpacking:
~~~~~~~~~~
We start PEditor, browse to Lockdown2000.exe and click on break'n'enter. Open SoftIce and set
a breakpoint on int3 (bpint 3). Now we click on run and enter the command which we can read
in the box. Now it's time to trace to the Depacker's Exit Point (DEP). At this point the
program has been unpacked, the unpack code jumps to the Original Entry Point (OEP) and the program runs!
We see the following code:
005F6000 6880605F00  push 005F6080
005F6005 68D04A6800  push 00684AD0
005F600A 6800000000  push 00000000
005F600F E8BCEA0800  call 00684AD0 -> unpacks the program in memory
005F6014 E9D30EEEFF  jmp 004D6EEC  -> jump to the OEP :)

When we have broken into SI and entered the command from the box, we trace to line 5F6014 (press F5).
Now we have to scribble down the Relative Virtual Address ( RVA ) of the OEP.
The jump goes to 4D6EEC, so we know the Virtual Address (4D6EEC) of the OEP;
subtract the Imagebase ( 4D6EEC-400000 ) and now we have the RVA of the OEP : D6EEC.
We should still be at line 5F6014. Now we have to enter in SI:
a       - [Enter]
jmp eip - [Enter] - [ESC]

Ok, we assembled an endless loop. This is important to get a virgin data section.
Now it's time to dump this process. We leave SI by pressing F5. We click on tasks in PEditor,
dump Lockdown2000 and terminate the process after dumping. Load the dumped exe into PEditor and
change the Entry Point to our new value (D6EEC). Click on apply changes, close PEditor and start
the dumped file. If we did nothing wrong the file should run without any problems.

Cracking the filecheck:
~~~~~~~~~~~~~~~~~~~~~~~
Yeah, we already know a good breakpoint for SI. So, fire up SI and enter the
following breakpoint: bpx CreateFileA do "d esp->4". Now, every time SI breaks, we see
in the data window which file Lockdown wants to open/create.
Now start our dumped file and look carefully at the data window.
Oh, what's this! Lockdown didn't open "LD2KReg.ini", but maybe you noticed that
Lockdown opened "c:\Windows\Ableda.ini". I don't really know what this file is for,
but if you start our dumped file again and look at the data window when we break again
at the CreateFile of "Ableda.ini", then you can see your registration code for Lockdown.
Ok, it's time to patch!
We will break again at the CreateFile of "Ableda.ini". Now we press F12 8 times to go to
the call which called this code.
We see this:

004C3146 E8B516FEFF  call 004A4800 -> call to the CreateFile
004C314B 48          dec eax
004C314C 7D27        jge 004C3175
004C314E A14C9E4D00  mov eax, dword ptr [004D9E4C]
004C3153 8B00        mov eax, dword ptr [eax]
004C3155 E82AC5F8FF  call 0044F684 -> calls the box telling us we're unregistered :(

Set a breakpoint at the call to the CreateFile ( doubleclick on this line in SI).
You should be at line 004C314B. We see that the "jge 004C3175" jumps over the ugly
window. So press F10 to go to line 004C314C and type in SI "r fl o". We should jump now.
Press F5 to continue...but Lockdown is still unregistered :( .
Ok, Lockdown already knows at this line that we're unregistered users. Start Lockdown again.
We break at the call. Now scroll up to see what happens above this call.
We see this:

004C3132 687D4F4C00   push 004C4F7D
004C3137 64FF30       push dword ptr fs:[eax]
004C313A 648920       mov dword ptr fs:[eax], esp
004C313D E8321CFEFF   call 004A4D74 -> calculates our regcode and checks it
004C3142 84C0         test al, al   -> test if good/bad user
004C3144 7546         jne 004C318C  -> !!break here!! :)

After we have broken at line 004C3144 we see that the jump takes us over the CreateFile call
and the ugly window. So type in SI at line 004C3144 "r fl z" and we jump. Press F5 in SI to
continue and...yeah, Lockdown runs without nasty limits :D !!
The last part follows now. Close Lockdown, start it again and we break at line 004C3144. Set a
breakpoint at the call at line 004C313D ( doubleclick on this line ). Start Lockdown
again and after we have broken press F8 to go into the call. The program checks if the call returns
1 in AL, which means good user ( test al, al ). So we will make this call always return 1 in AL.
This is important, because this routine is called several times from different locations, but
we will always return good user ( al=1 ), so Lockdown believes we're good :).
Scribble down the address of the line we are at the moment; it should be the first in the call
( 4A4D74 ). Start PEditor and load the dumped file. Click on 'FLC' and enter our value ( 4A4D74 )
as the Virtual Address. Write down the offset, close PEditor and load the dumped file in
Hiew. Change your view to 'Decode', press F5 and enter our offset. Press F3 and enter:
B001   - [mov al,1]
C3     - [ret]

Save the changes and start Lockdown. Yeah!!! It runs without nasty limits!!
Now you can rebuild the ImportTable with PEditor - READY!
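Both address conversions used above, VA minus Imagebase to get the OEP's RVA and PEditor's FLC step from a Virtual Address to a file offset, are one lookup in the PE section table. The script below is an added example (not from this tutorial, PEditor or Lockdown); it parses a constructed PE32 header with an assumed two-section layout, so the offsets it computes are for that sample, not the real dumped file.

```python
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
SECTION_FMT = "<8sIIIIIIHHI"

def parse_pe32(data):
    """Return (ImageBase, [(name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew -> PE header
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]   # SizeOfOptionalHeader
    opt = pe + 24                                           # optional header follows COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:     # PE32 magic only (no PE32+ here)
        raise ValueError("only PE32 images handled here")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsec):                                   # section table sits right after the optional header
        f = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append((f[0].rstrip(b"\0").decode(), f[2], f[1], f[4], f[3]))
    return image_base, sections

def va_to_offset(data, va):
    """VA -> (RVA, file offset): RVA = VA - ImageBase, then find the section containing the RVA."""
    image_base, sections = parse_pe32(data)
    rva = va - image_base
    for name, vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            if rva - vaddr >= raw_size:                     # address exists in memory but has no file bytes
                raise ValueError(f"RVA {rva:X} is in {name}'s zero-filled slack, not in the file")
            return rva, raw_ptr + (rva - vaddr)
    raise ValueError(f"RVA {rva:X} lies outside every section")

def build_sample_pe():
    """Constructed PE32 header with two sections (assumed layout, not the real Lockdown file)."""
    image_base = 0x400000
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                 # e_lfanew: PE header at 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    hdr += opt
    hdr += struct.pack(SECTION_FMT, b".text", 0x100000, 0x1000, 0x100000, 0x400, 0, 0, 0, 0, 0x60000020)
    hdr += struct.pack(SECTION_FMT, b".data", 0x20000, 0x101000, 0x1000, 0x100400, 0, 0, 0, 0, 0xC0000040)
    return bytes(hdr)
```

Calling `va_to_offset(build_sample_pe(), 0x4D6EEC)` gives the RVA D6EEC from the text and the file offset inside the sample's .text section; a VA that falls in a section's virtual slack raises instead of returning a bogus offset.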

Ok, that's it.

For comments or questions mail me : MoD_f2f@gmx.net

cu
M.o.D.

ps: english isn't my mother tongue :) !
