    
        ____                     __       __           
       /  _/_ _  __ _  ___  ____/ /____ _/ /            
      _/ //  ' \/  ' \/ _ \/ __/ __/ _ `/ /              
     /___/_/_/_/_/_/_/\___/_/  \__/\_,_/_/               
       ____                          __          __      
      / __ \___ ___ _______ ___  ___/ /__ ____  / /____  
     / /_/ / -_|_-</ __/ -_) _ \/ _  / _ `/ _ \/ __(_-<  
    /_____/\__/___/\__/\__/_//_/\_,_/\_,_/_//_/\__/___/  
                                                         
          Web: http://www.ImmortalDescendants.org        
          EFnet: #ImmortalDescendants                    
          Author: WhizKiD                                
          Date:  05/11/00  (mm/dd/yy)                    
          Topic: Serial Fishing/Patching                 
          Level: Beginner                                
                                                         
      
       
       

Welcome to my cracking tutorial.
In this one I will teach you how to crack Teleport Pro 1.29.
The protection here is Name/Serial; Patch.

It can be found on:
N/A

The tools used here are:
SoftICE 3.24 or higher
W32Dasm
Hacker's View (HIEW)
PC FileCompare32 (only for the final diff listing)

The Essay:

TeleportPro is a program that helps you download full sites, just
by entering its URL.

After cracking TeleportPro a long time ago by finding the correct
serial number for my name, I noticed that after some uses the app
locks itself and doesn't let you in, claiming to have been
'altered' by a virus. After I ran a virus check and found that there
were no viruses running on my computer, I realized the reason is
that whenever TeleportPro is used to download a site, it checks
with its server whether the user is a registered user.

Another interesting thing I found is that whenever you change
the original filename (pro.exe) to something else, the app
will not load at all.

In this essay I will quickly review how to defeat the name/serial
protection (I have bumped into great essays on how to do this
by Parker/CiA and by UmE/ID), and then show you how to patch it.

Let's Rock:


FIRST METHOD - SERIAL FISHING
------------------------------
First Part
----------

Load up the program and go to the Help > Register menu.
Enter your name (in my case: WhizKiD) and a fake serial
number (12341234). There's no need to enter a company name,
because the registration routine doesn't check it.

Press Ctrl+D to enter SoftICE. In SoftICE we should set a
breakpoint on GetWindowTextA. Do it by typing
'bpx GetWindowTextA' (without the quotes) in SoftICE.

Go back to the program and click OK.
SoftICE breaks; now press F11 5 times.

Trace by pressing F10 until you get to this line:

015F:00425761   CMP  [EBP-14], EAX

Type '? EAX' and you get a number.
Clear all breakpoints by typing 'BC *'.
Go back to the program, enter the number, and the app is registered.

I'm sorry for not explaining how the serial is generated and why I did
all that, but you can refer to another tutorial on the Immortal Descendants
website (www.immortaldescendants.org), where you will find an essay on
that subject.


Second Part
-----------

If you continue using the program, you will eventually
get a nag saying:

'This program has been altered, possibly by a virus; program execution will stop now.'

Now we should crack it using the dead-listing method.

Open up W32Dasm and load the file pro.exe into it.
After the disassembly is done, go to the StrnRef button
and look for that message there. After you find it, double-click
on it and you should be here:

* Possible StringData Ref from Data Obj ->"This program has been altered, "
                                        ->"possibly by a virus; program execution "
                                        ->"will stop now."
                                  |
:0040B996 68F4D64700              push 0047D6F4
:0040B99B E8CE060400              call 0044C06E
:0040B9A0 6A03                    push 00000003
:0040B9A2 E8E91D0200              call 0042D790
:0040B9A7 59                      pop ecx



Scroll up a bit, until you get to this point in the code:



:0040B987 3BFB                    cmp edi, ebx
:0040B989 741D                    je 0040B9A8  --> a jump to 0040B9A8

* Possible StringData Ref from Data Obj ->"2"
                                  |
:0040B98B A1E4D64700              mov eax, dword ptr [0047D6E4]
:0040B990 3B30                    cmp esi, dword ptr [eax]
:0040B992 7414                    je 0040B9A8 --> another jump to 0040B9A8
:0040B994 53                      push ebx
:0040B995 53                      push ebx


You see that there are 2 conditional jumps to 0040B9A8.
Press Shift+F12 and enter 0040B9A8.
Now you are here:

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040B989(C), :0040B992(C)
|
:0040B9A8 834DFCFF                or dword ptr [ebp-04], FFFFFFFF
:0040B9AC 395DE4                  cmp dword ptr [ebp-1C], ebx
:0040B9AF 7409                    je 0040B9BA
:0040B9B1 FF75E4                  push [ebp-1C]
:0040B9B4 E85C960300              call 00445015
:0040B9B9 59                      pop ecx

Hey! That's just below the code of that darn nag!
I guess those jumps need to be changed, so that the nag
is skipped at startup!

Check out the file offsets of those jumps:
1) AD89h
2) AD92h


First make a copy of pro.exe and call it pro1.exe.
Open up Hacker's View (HIEW) and load pro1.exe into it.

Press F4 and choose the decode mode, so you see the asm code.
Press F5 and type the first offset: AD89.
Press F3 and change the 741D into EB1D.
Press F9 to update the file.

Now the second offset:

Press F5 and type the second offset: AD92.
Press F3 and change the 7414 into EB14.
Press F9 to update the file.

What I did here was changing the conditional jump (74)
into an UNconditional jump (EB). That way the app
doesn't need any condition to skip the nag; it just
skips it anyway :)
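To see why the one-byte opcode change above keeps the same destination, and to cross-check the address/offset pairs the essay quotes, here is an added example (my code, not part of WhizKiD's essay or of Teleport Pro). It decodes the two-byte short-jump encodings from the listing and maps their virtual addresses to file offsets. The constant VA_TO_FILE_DELTA is an assumption derived from the pairs the essay gives (0040B989 <-> AD89h and the others); for a real PE you would read it from the section table instead.

```python
# Added example (not from the essay): decode x86 short jumps and map
# virtual addresses to file offsets so the essay's offset table can be checked.
from typing import List, NamedTuple, Tuple

# Short (rel8) conditional jumps use opcodes 0x70-0x7F followed by one signed
# displacement byte; 0xEB is the short unconditional jmp with the same rel8 form.
SHORT_JCC = {
    0x72: "jb", 0x73: "jae", 0x74: "je", 0x75: "jne",
    0x76: "jbe", 0x77: "ja", 0x7C: "jl", 0x7D: "jge", 0x7E: "jle", 0x7F: "jg",
}
SHORT_JMP = 0xEB

# ASSUMPTION: VA minus raw file offset for pro.exe's code section, derived from
# the essay's pairs (0x0040B989 <-> 0xAD89). A real tool reads the PE section
# table (VirtualAddress - PointerToRawData, plus ImageBase) instead.
VA_TO_FILE_DELTA = 0x400C00


class ShortJump(NamedTuple):
    va: int
    mnemonic: str
    target: int
    file_offset: int


def va_to_file_offset(va: int) -> int:
    """Map a virtual address in the code section to its raw file offset."""
    return va - VA_TO_FILE_DELTA


def decode_short_jump(va: int, code: bytes) -> ShortJump:
    """Decode a two-byte short jump located at virtual address `va`.

    The target is the next instruction (va + 2) plus the signed rel8
    displacement. It does not depend on the opcode byte, which is why
    rewriting 0x74/0x75 as 0xEB changes the condition but not the destination.
    """
    if len(code) < 2:
        raise ValueError("a short jump is two bytes")
    opcode, rel8 = code[0], code[1]
    if opcode == SHORT_JMP:
        mnemonic = "jmp"
    elif opcode in SHORT_JCC:
        mnemonic = SHORT_JCC[opcode]
    else:
        raise ValueError(f"not a short jump opcode: {opcode:#04x}")
    disp = rel8 - 0x100 if rel8 >= 0x80 else rel8   # sign-extend rel8
    return ShortJump(va, mnemonic, va + 2 + disp, va_to_file_offset(va))


# Constructed from the listings in the essay: (va, bytes, target, file offset).
ESSAY_JUMPS: List[Tuple[int, str, int, int]] = [
    (0x0040B989, "741D", 0x0040B9A8, 0xAD89),
    (0x0040B992, "7414", 0x0040B9A8, 0xAD92),
    (0x0040B91D, "742F", 0x0040B94E, 0xAD1D),
    (0x0040B938, "7414", 0x0040B94E, 0xAD38),
    (0x00425765, "753A", 0x004257A1, 0x24B65),
    (0x00419486, "7267", 0x004194EF, 0x18886),
]


def check_listing(entries: List[Tuple[int, str, int, int]]) -> List[Tuple[int, ShortJump]]:
    """Return the entries whose decoded target or file offset disagrees with
    what the listing claims; an empty list means the listing is consistent."""
    bad = []
    for va, hexbytes, target, offset in entries:
        decoded = decode_short_jump(va, bytes.fromhex(hexbytes))
        if decoded.target != target or decoded.file_offset != offset:
            bad.append((va, decoded))
    return bad


if __name__ == "__main__":
    for va, hexbytes, _, _ in ESSAY_JUMPS:
        j = decode_short_jump(va, bytes.fromhex(hexbytes))
        print(f"{j.va:08X} {hexbytes}  {j.mnemonic} {j.target:08X}  file offset {j.file_offset:X}h")
    print("listing consistent:", check_listing(ESSAY_JUMPS) == [])
```

Every address/offset pair in the essay satisfies the same delta, which is a quick sanity check a reader can apply before trusting any offset table of this kind. The same decoder also shows the defender's lesson behind the technique: when a check's only enforcement point is a single rel8 branch, the whole check collapses to one byte.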

I guess we are done now. Open up pro1.exe to check that the nag has
disappeared, but wait, OH NO!!!! We get another fucking NAG!!!!
This time it says:

'This program's name has been changed; please rename the program to its original name'

Oh sure, we can rename it and then it will work,
but then again, we are reversers, aren't we?

We should now do the same as we did with the first nag.
Find it in the StrnRef, and here's the code:

:0040B8EB B870064600              mov eax, 00460670
:0040B8F0 E83B020200              call 0042BB30
:0040B8F5 83EC10                  sub esp, 00000010
:0040B8F8 53                      push ebx
:0040B8F9 56                      push esi
:0040B8FA 33DB                    xor ebx, ebx
:0040B8FC 57                      push edi
:0040B8FD 53                      push ebx
:0040B8FE 6A20                    push 00000020
:0040B900 53                      push ebx
:0040B901 8D4DE4                  lea ecx, dword ptr [ebp-1C]
:0040B904 E8AC65FFFF              call 00401EB5
:0040B909 FF35446B4800            push dword ptr [00486B44]
:0040B90F 8D4DE4                  lea ecx, dword ptr [ebp-1C]
:0040B912 895DFC                  mov dword ptr [ebp-04], ebx
:0040B915 E8AF000000              call 0040B9C9
:0040B91A 395D08                  cmp dword ptr [ebp+08], ebx
:0040B91D 742F                    je 0040B94E                    --> Jump 1 to 0040B94E
:0040B91F FF7508                  push [ebp+08]
:0040B922 FF35446B4800            push dword ptr [00486B44]
:0040B928 E8A1F4FFFF              call 0040ADCE
:0040B92D 59                      pop ecx
:0040B92E 50                      push eax
:0040B92F E80C990200              call 00435240
:0040B934 59                      pop ecx
:0040B935 85C0                    test eax, eax
:0040B937 59                      pop ecx
:0040B938 7414                    je 0040B94E                    --> Jump 2 to 0040B94E
:0040B93A 53                      push ebx
:0040B93B 53                      push ebx

* Possible StringData Ref from Data Obj ->"This program's name has been changed; "
                                        ->"please rename the program to its "
                                        ->"original name."
                                  |
:0040B93C 684CD74700              push 0047D74C
:0040B941 E828070400              call 0044C06E
:0040B946 6A02                    push 00000002
:0040B948 E8431E0200              call 0042D790
:0040B94D 59                      pop ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040B91D(C), :0040B938(C)
|

* Possible StringData Ref from Data Obj ->"2"
                                  |
:0040B94E A1E4D64700              mov eax, dword ptr [0047D6E4]        --> Location 0040B94E, the target of those 2 jumps


Note the offsets of the 2 jumps:

1) AD1Dh
2) AD38h

Do the same as we did in HIEW for the first nag:

1) change 742F to EB2F
2) change 7414 to EB14

And there is no more nag!!



SECOND METHOD - PATCHING TO ACCEPT ANY SERIAL
---------------------------------------------

Open pro.exe and go to the Help > Register menu.
Enter your name and a fake serial. You'll get a message saying that it is wrong.
Now look for it in the StrnRef in W32Dasm.
After you have found it, you are here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004257EB(C)
|
:00425823 8D4DF0                  lea ecx, dword ptr [ebp-10]
:00425826 E863F10100              call 0044498E

* Possible Reference to String Resource ID=07033: "We're sorry!  The registration number you entered appears to"
                                  |
:0042582B 68791B0000              push 00001B79

Hmm, this message is referenced by a jump at 004257EB.
Press Shift+F12 and enter that address.

You are here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004257AA(C)
|
:004257E2 57                      push edi
:004257E3 E80D090000              call 004260F5
:004257E8 85C0                    test eax, eax
:004257EA 59                      pop ecx
:004257EB 7536                    jne 00425823
:004257ED 8D4DF0                  lea ecx, dword ptr [ebp-10]
:004257F0 E899F10100              call 0044498E

* Possible Reference to String Resource ID=07032: "You haven't entered a valid username.  Your username must be"

Referenced by ANOTHER jump??
Well, do the same as in the last step with the address 004257AA.

That jump is referenced by yet another one at the address 00425765.
Go to that address, and this is the code location:

:00425765 753A                    jne 004257A1                   ---> The Jump
:00425767 8D4DF0                  lea ecx, dword ptr [ebp-10]
:0042576A E81FF20100              call 0044498E

* Possible Reference to String Resource ID=07030: "Thank you!  Your copy of Teleport Pro is now registered.  Al"
                                  |
:0042576F 68761B0000              push 00001B76

Hmm, this is the good-serial message. Let's change that jump so that
we can enter any name and registration number into the app.

The offset is 24B65. Change 753A to 743A.
Go back to the program, enter any reg key, and you'll get the good-serial message.

Open & close TeleportPro a few more times, until you get the nag saying you are
halfway through the evaluation period. Find that message in the SDR (StrnRef):

:00412905 7535                    jne 0041293C
:00412907 8D4D0C                  lea ecx, dword ptr [ebp+0C]
:0041290A E87F200300              call 0044498E

* Possible Reference to String Resource ID=07151: "Hello again!  You're halfway through the free evaluation per"

Hmm, a jump.
Its offset is 11D05. Change 7535 to EB35.
You will never get this nag again.

Open & close Teleport Pro a few more times, until you get the message saying
that this is the last session before the last session.
Find it in W32Dasm:

:0041293F 7531                    jne 00412972
:00412941 8D4D0C                  lea ecx, dword ptr [ebp+0C]
:00412944 E845200300              call 0044498E

* Possible Reference to String Resource ID=07152: "Hello again!  After this session, you will have only one mor"

Hmm, another jump. The offset is 11D3F. Change 7531 to EB31.

Now open Teleport Pro again, and you get another nag telling you this is your
last session. Do I have to tell you what to do now? :)

:00412975 7572                    jne 004129E9
:00412977 8D4D0C                  lea ecx, dword ptr [ebp+0C]
:0041297A E80F200300              call 0044498E

* Possible Reference to String Resource ID=07153: "Hello again!  This session marks the end the free evaluation"

The offset of that jump is 11D75. Change it from 7572 to EB72.

Is that the end of those pesky nags?
Let's see. Open TeleportPro, and you will get the message that the evaluation
period is over. Find that nag in W32Dasm:

:0041CC6C 743D                    je 0041CCAB
:0041CC6E 8D4DEC                  lea ecx, dword ptr [ebp-14]
:0041CC71 E8187D0200              call 0044498E

* Possible Reference to String Resource ID=07073: "Sorry!  The free evaluation period for Teleport Pro is limit"

Again! The same nag pattern!
The offset of the jump is 1C06C. Change 743D to EB3D.
But there are 2 locations with the same message. Go to the second location:

:00412893 7434                    je 004128C9
:00412895 8D4D0C                  lea ecx, dword ptr [ebp+0C]
:00412898 E8F1200300              call 0044498E

* Possible Reference to String Resource ID=07073: "Sorry!  The free evaluation period for Teleport Pro is limit"

Amazing how shareware authors can be so pathetic!
The offset of that jump is 11C93. Change 7434 to EB34.

Hmm, looks like we are done!
Just one more little thing. Open the app and click the Help > About menu.
WTF?? It says there that the time trial has expired!
Hmm, it did expire, but I still don't want that shitty message written there.
So, look for it in W32Dasm, and you are here:

:00415A7E 7435                    je 00415AB5
:00415A80 8D4DF0                  lea ecx, dword ptr [ebp-10]
:00415A83 E806EF0200              call 0044498E

* Possible Reference to String Resource ID=07100: "The free evaluation period for Teleport Pro has expired."

The offset is 14E7E. Change 7435 to EB35.
Open the app again and see what happens:
instead of saying we are registered, it says UNREGISTERED!!!

Just below that last location was the "UNREGISTERED" string.
Actually, by changing the jump at the last string, we changed it
so it jumps straight to the unregistered message. Return to that location
and you should see this:

:00415ABB 7435                    je 00415AF2
:00415ABD 8D4DF0                  lea ecx, dword ptr [ebp-10]
:00415AC0 E8C9EE0200              call 0044498E

* Possible Reference to String Resource ID=07101: "This copy of Teleport Pro is UNREGISTERED."

The offset is 14EBB. Change 7435 to EB35.
Looks like we are done with this crack, but wait, there's more.
One more shitty thing in this app is that it can retrieve only up to 500
files per download session.
Here's a part of the readme file:

   1.  The program, and your license to use it, expire after you have used it
       40 times.
   2.  Until you register it, Teleport Pro will only retrieve up to 500 files
       per project.

Looks like we have cracked the first part. Let's see if we can crack the second.
Load the file into W32Dasm and look for the string that says:

:004194AD E8DCB40200              call 0044498E

* Possible Reference to String Resource ID=07047: "Sorry!  Until registered, Teleport Pro cannot retrieve more "
                                  |
:004194B2 68871B0000              push 00001B87

Scroll up until you see:

:0041946E 747F                    je 004194EF                            ---> Jump 1
:00419470 80BF9E0F000000          cmp byte ptr [edi+00000F9E], 00
:00419477 8D879E0F0000            lea eax, dword ptr [edi+00000F9E]
:0041947D 7570                    jne 004194EF                           ---> Jump 2
:0041947F 817F58F4010000          cmp dword ptr [edi+58], 000001F4
:00419486 7267                    jb 004194EF                            ---> Jump 3
:00419488 6A00                    push 00000000

Hmm, 3 jumps heading to the same address (note the 000001F4 = 500 compared just before the third one). Let's change them.

jump 1: offset 1886E, change 747F to EB7F
jump 2: offset 1887D, change 7570 to EB70
jump 3: offset 18886, change 7267 to EB67

Now we are done!!!
Let's look at the file compare results and see how many offsets were patched:

FileSize:    C7800h

MsgBox Nags:
-------------
DD       AD1Dh
DB         74h
DB         EBh
DD       AD38h
DB         74h
DB         EBh
DD       AD89h
DB         74h
DB         EBh
DD       AD92h
DB         74h
DB         EBh

Time Trial and window nags:
----------------------------
DD      11C93h
DB         74h
DB         EBh
DD      11D05h
DB         75h
DB         EBh
DD      11D3Fh
DB         75h
DB         EBh
DD      11D75h
DB         75h
DB         EBh
DD      14E7Eh
DB         74h
DB         EBh
DD      14EBBh
DB         74h
DB         EBh

File Download limit:
--------------------
DD      1886Eh
DB         74h
DB         EBh
DD      1887Dh
DB         75h
DB         EBh
DD      18886h
DB         72h
DB         EBh
DD      1C06Ch
DB         74h
DB         EBh

Patch to enter any serial:
--------------------------
DD      24B65h
DB         75h
DB         74h

File Compare Results by the PC FileCompare32 by Plushmm & The+Q
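The file compare listing above is also exactly what an integrity check on the defender's side produces, so here is an added example (my code, not the essay's and not FileCompare32) that compares a pristine binary with a suspect copy, prints each changed byte in the same DD/DB layout, and flags changes that look like a rewritten branch: a short conditional-jump opcode (70h-7Fh) replaced by jmp (EBh), as in every nag patch above, or a condition inverted (74h<->75h), as in the serial patch. The two buffers are constructed sample data seeded with the essay's offsets and bytes; the offsets are not read from any real pro.exe.

```python
# Added example (not from the essay): byte-level tamper report between an
# original file image and a suspect copy, with a branch-rewrite heuristic.
from typing import List, NamedTuple, Optional, Tuple

JCC_OPCODES = range(0x70, 0x80)   # short conditional jumps (je, jne, jb, ...)
JMP_SHORT = 0xEB                  # short unconditional jmp


class ByteChange(NamedTuple):
    offset: int
    old: int
    new: int
    note: Optional[str]


def classify(old: int, new: int) -> Optional[str]:
    """Heuristic label for a single changed byte; None if nothing stands out."""
    if old in JCC_OPCODES and new == JMP_SHORT:
        return "conditional jump forced unconditional"
    # Jcc opcodes come in complementary pairs differing only in bit 0
    # (74h je / 75h jne, 72h jb / 73h jae, ...), so XOR 1 means inverted.
    if old in JCC_OPCODES and new in JCC_OPCODES and (old ^ new) == 1:
        return "conditional jump inverted"
    return None


def compare_files(original: bytes, suspect: bytes) -> List[ByteChange]:
    """Return every differing byte, in file order, with its heuristic note."""
    if len(original) != len(suspect):
        raise ValueError("sizes differ; an in-place patch keeps the file size")
    return [ByteChange(i, o, n, classify(o, n))
            for i, (o, n) in enumerate(zip(original, suspect)) if o != n]


def format_report(changes: List[ByteChange], size: int) -> str:
    """Render changes in the FileCompare32-style DD/DB layout used above."""
    lines = [f"FileSize: {size:X}h", ""]
    for c in changes:
        lines.append(f"DD{c.offset:>11X}h")
        lines.append(f"DB{c.old:>11X}h")
        lines.append(f"DB{c.new:>11X}h")
        if c.note:
            lines.append(f"   ; {c.note}")
    return "\n".join(lines)


def build_sample() -> Tuple[bytes, bytes]:
    """CONSTRUCTED sample: a zero-filled image with three of the essay's
    branch encodings at their quoted offsets, and a suspect copy carrying the
    essay's edits plus one unrelated data change at 0x100."""
    original = bytearray(0x25000)
    original[0xAD89:0xAD8B] = bytes.fromhex("741D")    # je  0040B9A8
    original[0xAD92:0xAD94] = bytes.fromhex("7414")    # je  0040B9A8
    original[0x24B65:0x24B67] = bytes.fromhex("753A")  # jne 004257A1
    original[0x100] = 0x41                              # plain data byte
    suspect = bytearray(original)
    suspect[0xAD89] = 0xEB                              # 74 -> EB
    suspect[0xAD92] = 0xEB                              # 74 -> EB
    suspect[0x24B65] = 0x74                             # 75 -> 74
    suspect[0x100] = 0x42                               # data edit, no branch
    return bytes(original), bytes(suspect)


ORIGINAL, SUSPECT = build_sample()

if __name__ == "__main__":
    print(format_report(compare_files(ORIGINAL, SUSPECT), len(ORIGINAL)))
```

The notes are only a heuristic: a changed byte that happens to have a value in 70h-7Fh may be data rather than an opcode, so a hit is a lead to confirm in the disassembly (the W32Dasm context the essay shows), not proof by itself. What the report does show reliably is the shape of this whole essay, a cluster of one-byte edits at branch sites, which is the signature a publisher's integrity check or an analyst comparing a shipped binary against a sample should be looking for.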


In order to unregister the program, open Regedit and go to:
HKEY_CURRENT_USER\Software\Tennyson Maxwell\Teleport Pro\User
and remove the "Registration" string.


Last Words:
-----------
This was one hell of an essay to write; actually, it was my longest :)
My goal here was to teach you that if you patch a program, you should
always check whether your crack is successful in all the ways.
I hope you enjoyed reading this essay, and hope you learned something.
Email me for comments, suggestions etc.: halokshoorim@hotmail.com :)

I would really like to thank amante4 of the Immortal Descendants
for uploading those 600 files, so I could test whether the
crack was successful :)
amante: THANKS!

-WhizKiD


This file is courtesy of the Immortal Descendants 2000 (c)