
 //**cracking tut by alpine**//
       //*****and******//
//**the immortal descendants**//

#4 05.1999

greetings and welcome to a new tutorial from alpine. Today we are dealing with a program called powermark. We are going to manipulate it so that you can enter every serial you want. This essay is for intermediate crackers.

we need:

softice
wdasm
hex editor of your choice

and of course our target. Download it from:
www.kaylon.com  495 kb

Let's start


When you start the program, you will come across a time trial protection. But we won't deal with it today, because it is a very easy one.
Now go to help/enter license code
and you will get a dialog box to enter name and reg. number. Enter your favourite name and serial; I used alpine and 1234565.
Press ok and you will get an error message telling you wrong serial.
Now set a breakpoint on hmemcpy and press ok. Now you will be back in softice. We know there were two fields to enter our strings, therefore we have to press f5 again to be sure all our information is copied to memory. Now press f12 till you are back in the main exe file. Now trace with f10 till you reach the following code:

:0041298A 8BCB                    mov ecx, ebx
:0041298C 56                      push esi
:0041298D E810B80100              call 0042E1A2
:00412992 8BCF                    mov ecx, edi
:00412994 E866C60100              call 0042EFFF
:00412999 8BCE                    mov ecx, esi
:0041299B E85FC60100              call 0042EFFF <--compare serials
:004129A0 8B5608                  mov edx, dword ptr [esi+08]
:004129A3 8B4F08                  mov ecx, dword ptr [edi+08]
:004129A6 E878FFFEFF              call 00402923 <--- our messagebox
:004129AB 85C0                    test eax, eax
:004129AD 7409                    je 004129B8

Now trace into the call at 0041299B and then press f10 till you reach:

:00402935 E8D2BC0200              call 0042E60C
:0040293A 3D6965C632              cmp eax, 32C66569
:0040293F 7478                    je 004029B9
:00402941 3D74788689              cmp eax, 89867874
:00402946 744C                    je 00402994
:00402948 3D01DC1498              cmp eax, 9814DC01
:0040294D 740C                    je 0040295B
:0040294F 3DBF61A7D9              cmp eax, D9A761BF
:00402954 7463                    je 004029B9
:00402956 E98B000000              jmp 004029E6

What happens here?
At 00402935 our serial is compared to the real one by using a loop, and then a number is written to our eax register. This number can be:
32c66569 = wrong serial
89867874 = not the right format
9814dc01 = right, registered
d9a761bf = something else

I know that 9814dc01 is the number for a right serial, because after the cond. jump at 0040294D there is a push (push 0040130) and I did a
d 0040130 and I saw in the data window a registered message.
So what we want to do is that the program doesn't jump at 0040293F and
00402946, but it should jump at 0040294D.
I patched it like this:


 original:
:0040293A 3D6965C632              cmp eax, 32C66569
:0040293F 7478                    je 004029B9

 changed to:
             mov eax, 9814dc01
             nop
             nop

You see, instead of jumping to the badboy it puts the number for the right serial into eax.
Ok, you did it? Then start your program and register it to whatever you want, and the program will say ok! After registering you will find your name in the about box.
But we are not finished yet.
Quit the program and rerun it, and you will see it is still unregistered.
My thought was: maybe the program checks the 9814dc01 number once again at the beginning, and it did:
I searched for 9814dc01 and found the following code:

:00403EF3 E814A70200              call 0042E60C
:00403EF8 3D6965C632              cmp eax, 32C66569
:00403EFD 7437                    je 00403F36
:00403EFF 3D74788689              cmp eax, 89867874
:00403F04 7430                    je 00403F36
:00403F06 3D01DC1498              cmp eax, 9814DC01
:00403F0B 7409                    je 00403F16
:00403F0D 3DBF61A7D9              cmp eax, D9A761BF
:00403F12 7422                    je 00403F36
:00403F14 EB73                    jmp 00403F89


You see, it is the same as above, but the addresses are different.
We will do the same as above:
change cmp eax, 32c66569 into mov eax, 9814dc01 and
nop out the cond. jump at 00403EFD.
Run your program, and it will say it is registered to test drive.
Go to help/enter license code and put your favourite name and serial into the box. Now quit the program and after starting it again it will say that it is registered to your name.
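Both listings show the same pattern: the verify routine returns a magic status in eax and a single cmp/je pair decides what happens next, which is why seven bytes per site are enough. As an added C model from the defender's side (not powermark's code and not alpine's), here is that weak gate beside a version that also checks a digest of the dispatch bytes taken from the listing; the FNV-1a digest, the 0xCC tampering bytes and all function names are constructed for this demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Status codes the tutorial identifies in eax after "call 0042E60C". */
#define ST_WRONG_SERIAL 0x32C66569u
#define ST_BAD_FORMAT   0x89867874u
#define ST_REGISTERED   0x9814DC01u
#define ST_OTHER        0xD9A761BFu

/* Bytes of the cmp/je chain at 0040293A..00402956, copied from the listing.
 * A real implementation would read this region from memory at run time. */
static const uint8_t DISPATCH_ORIG[] = {
    0x3D,0x69,0x65,0xC6,0x32, 0x74,0x78,   /* cmp eax,32C66569 ; je */
    0x3D,0x74,0x78,0x86,0x89, 0x74,0x4C,   /* cmp eax,89867874 ; je */
    0x3D,0x01,0xDC,0x14,0x98, 0x74,0x0C,   /* cmp eax,9814DC01 ; je */
    0x3D,0xBF,0x61,0xA7,0xD9, 0x74,0x63,   /* cmp eax,D9A761BF ; je */
    0xE9,0x8B,0x00,0x00,0x00               /* jmp 004029E6          */
};
#define DISPATCH_LEN sizeof(DISPATCH_ORIG)

/* 32-bit FNV-1a. Each step is a bijection of the state, so equal-length
 * inputs that differ in a single byte can never share a digest. */
uint32_t fnv1a32(const uint8_t *p, size_t n) {
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}
/* Weak gate, as in the listing: one cmp/je pair decides, so rewriting those
 * seven bytes reports "registered" whatever serial was typed. */
int weak_gate(uint32_t status) {
    return status == ST_REGISTERED;
}
/* Hardened gate: same status test, plus a digest of the dispatch bytes that
 * must match a reference fixed at build time. The tutorial found two sites
 * (00402935 and 00403EF3); each needs its own digest. This raises the cost
 * of a hex-editor patch, it does not remove it: the comparison is code too. */
int hardened_gate(uint32_t status, const uint8_t *dispatch, size_t n,
                  uint32_t reference_digest) {
    if (status != ST_REGISTERED) return 0;
    return fnv1a32(dispatch, n) == reference_digest;
}
/* Reference digest of the unmodified region (computed here for the demo). */
uint32_t reference_digest_of_listing(void) {
    return fnv1a32(DISPATCH_ORIG, DISPATCH_LEN);
}
/* Constructed tampering: overwrite `len` bytes at `off` in a copy with 0xCC,
 * then ask the hardened gate; returns 0 when the change is detected. */
int registered_after_tamper(size_t off, size_t len) {
    uint8_t copy[DISPATCH_LEN];
    memcpy(copy, DISPATCH_ORIG, DISPATCH_LEN);
    memset(copy + off, 0xCC, len);
    return hardened_gate(ST_REGISTERED, copy, DISPATCH_LEN, reference_digest_of_listing());
}
```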


That's all...
alpine
alpine@gmx.at

thanks to the immortal descendants
