<HTML>
<HEAD>
   <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
   <META NAME="GENERATOR" CONTENT="Mozilla/4.04 [en] (Win95; I) [Netscape]">
   <META NAME="Author" CONTENT="The Sandman">
   <META NAME="Classification" CONTENT="Reverse Code Engineering">
   <META NAME="Description" CONTENT="Step by step guide to cracking ClipHound v1.0a">
   <META NAME="KeyWords" CONTENT="How to crack ClipHound V1.0a">
   <TITLE>ClipHound V1.0a</TITLE>
</HEAD>
<BODY TEXT="#001010" BGCOLOR="#C0C0C0" LINK="#FF0000" VLINK="#000099" ALINK="#FFFF00">
&nbsp;
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR BGCOLOR="#FFFFFF">
<TD WIDTH="15%">
<CENTER><B><FONT FACE="Arial,Helvetica">May 1998</FONT></B></CENTER>
</TD>

<TD WIDTH="100%">
<CENTER><FONT FACE="Arial,Helvetica"><FONT SIZE=+2>"ClipHound V1.0a"</FONT></FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica">( 'Nop'ing '&nbsp; )</FONT></CENTER>
</TD>

<TD WIDTH="30%">
<CENTER><B><FONT FACE="Arial,Helvetica">Win '95 PROGRAM</FONT></B></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><FONT COLOR="#808080">Win Code Reversing</FONT></FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><FONT COLOR="#808080">&nbsp;</FONT></FONT></CENTER>
</TD>
</TR>

<TR BGCOLOR="#FFFF99">
<TD WIDTH="15%">
<CENTER><FONT FACE="Arial,Helvetica"><FONT COLOR="#890000">&nbsp;</FONT></FONT></CENTER>
</TD>

<TD>
<CENTER><FONT FACE="Arial,Helvetica">by <FONT SIZE=+3>The Sandman&nbsp;</FONT></FONT></CENTER>
</TD>

<TD VALIGN=CENTER WIDTH="30%"><FONT FACE="Arial,Helvetica">&nbsp;</FONT></TD>
</TR>

<TR BGCOLOR="#999900">
<TD WIDTH="15%">
<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>
</TD>

<TD>
<CENTER><FONT FACE="Arial,Helvetica">Code Reversing For Beginners&nbsp;</FONT></CENTER>
</TD>

<TD WIDTH="30%">
<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>
</TD>
</TR>

<TR BGCOLOR="#C0C0C0">
<TD WIDTH="15%"></TD>

<TD ALIGN=LEFT>
<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>

<CENTER><B><FONT FACE="Arial,Helvetica">Program Details</FONT></B></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><B>Program Name:</B> cliphound.exe</FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><B>Program Type:</B> Clipboard Utility</FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><B>Program Location:</B> <A HREF="http://tucows.cableinet.net/adnload/dlchound.html">Here</A>
or <A HREF="http://ftpsearch.ntnu.no/cgi-bin/search?query=cliphound.exe&doit=Search&type=Case+insensitive+substring+search&doexact=on&hits=50&matches=&hitsprmatch=&limdom=&limpath=&f1=Count&f2=Mode&f3=Size&f4=Date&f5=Host&f6=Path&header=none&sort=none&trlen=20">Here</A></FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><B>Program Size: </B>192K&nbsp;</FONT></CENTER>
<FONT FACE="Arial,Helvetica">&nbsp;</FONT></TD>

<TD WIDTH="30%"></TD>
</TR>

<TR BGCOLOR="#C0C0C0">
<TD WIDTH="15%"></TD>

<TD><FONT FACE="Arial,Helvetica"><B>&nbsp;</B>&nbsp;</FONT>&nbsp;
<CENTER><B><FONT FACE="Arial,Helvetica">Tools Used:</FONT></B></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><A HREF="http://www.fortunecity.com/bally/waterford/18/w32dsm89.zip">W32Dasm
V8.9 - Disassembler</A></FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica">&nbsp;Hex Workshop32 or any other
Hex Editor</FONT></CENTER>
</TD>

<TD WIDTH="30%"></TD>
</TR>

<TR>
<TD VALIGN=CENTER BGCOLOR="#C6E7C6">
<CENTER><B><FONT FACE="Arial,Helvetica"><FONT COLOR="#0000FF">Rating</FONT></FONT></B></CENTER>
</TD>

<TD VALIGN=CENTER BGCOLOR="#C6E7C6">
<CENTER><B><FONT FACE="Arial,Helvetica"><FONT SIZE=-1><FONT COLOR="#0000FF">Easy
( X )&nbsp; Medium (&nbsp;&nbsp; )&nbsp; Hard (&nbsp;&nbsp;&nbsp; )&nbsp;
Pro (&nbsp;&nbsp;&nbsp; )</FONT>&nbsp;</FONT></FONT></B></CENTER>
</TD>

<TD WIDTH="30%" BGCOLOR="#999900"><B><FONT FACE="Arial,Helvetica"><FONT SIZE=-1>There
is a crack, a crack in everything. That's how the light gets in.</FONT></FONT></B></TD>
</TR>
</TABLE>

<CENTER><FONT FACE="Arial,Helvetica"><FONT SIZE=-1>&nbsp;</FONT></FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT>&nbsp;
<HR></CENTER>

<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><FONT SIZE=+2>ClipHound V1.0a</FONT></FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><FONT SIZE=+2>( '</FONT><FONT SIZE=+1>Going
through the front door'</FONT><B>&nbsp;</B><FONT SIZE=+2> )</FONT></FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><FONT COLOR="#0B7FC1">Written by The
Sandman</FONT></FONT></CENTER>
<FONT FACE="Arial Black">&nbsp;</FONT>
<BR>&nbsp;
<BR>&nbsp;
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT COLOR="#0000FF"><FONT SIZE=+2>Introduction</FONT></FONT></CENTER>
</TD>
</TR>
</TABLE>
&nbsp;
<BR><FONT FACE="Arial,Helvetica">The <A HREF="http://www.nexi.com/albinofrog">author</A>
says about ClipHound:</FONT>

<P><FONT FACE="Arial,Helvetica"><FONT SIZE=-1>"When ClipHound is running,
it will monitor the Windows 95 clipboard.&nbsp; Whenever you cut or copy
some text, ClipHound will take a look at it and determine if it should
take action.&nbsp; Usually, this means ClipHound will make a private copy
of the text you put on the clipboard in its own list.&nbsp; However, if
you have PasteBack enabled,
ClipHound will check the text you placed in the clipboard against the names
of items already in ClipHound. If a match is found, the full contents of
the item matched is placed in the clipboard, overwriting the name.&nbsp;
You can then paste this back into your application."</FONT></FONT>
<BR>&nbsp;
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT COLOR="#3333FF"><FONT SIZE=+2>About this protection system</FONT></FONT></CENTER>
</TD>
</TR>
</TABLE>
<FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">This program is registered by selecting
the '<B>About</B>' button, then the '<B>Register</B>' button and finally
the '<B>Enter Code</B>' button.&nbsp;</FONT>
<BR>&nbsp;
<BR><B><FONT FACE="Arial,Helvetica">Name:</FONT></B>
<BR><B><FONT FACE="Arial,Helvetica">&nbsp;Code:</FONT></B>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT SIZE=+2><FONT COLOR="#0000FF">The Essay</FONT>&nbsp;</FONT></CENTER>
</TD>
</TR>
</TABLE>
<FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">&nbsp; As with most
program's that require a serial number to be entered into it we have a
number of choices to how best to *crack* this program.. We could for instance,
trace through the actual protection code and find out how where the serial
number lies in memory then use that knowledge to register the program with,
or we could simply patch the code so that it automatically registers itself
with whatever name we choose first time round.&nbsp; Since I was unable
to locate the location in memory where the registration key is stored I
have decided to use the patch method on this babe, which means I don't
have to worry about any registration serial numbers because the program
will accept any I give it.</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">&nbsp;</FONT></FONT>
<BR>Run the program several times; let's get a 'feel' for the way the program
works, and make notes as you go.&nbsp; This should by now be automatic to
you and I shouldn't have to tell you this.&nbsp; As you already know, the
program makes many decisions as it loads, one of which is whether or not
to show Cliphound - Unregistered Shareware at the top of its screen or
whether to show something else.&nbsp; Since I'm not going to crack this
program using its serial number routines, I'm going to short circuit this
whole area by mimicking what happens when the program is registered properly.
<BR>&nbsp;
<BR>Right, make a 'Dead Listing' of this program using W32Dasm so we can
see where we're going and what code we will have to change or nop out.&nbsp;
When you've done this, search for the text "Unregistered Shareware".&nbsp;
When you've found this string reference, check again to see if there are
any more references to this string; better safe than sorry.
<BR>&nbsp;
<BR>OK, there's only one reference, good, that makes our job a bit easier..
<BR>&nbsp;
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004021E3 C645FC03&nbsp;&nbsp;&nbsp;&nbsp;
mov [ebp-04], 03</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004021E7 66813ED007&nbsp;&nbsp;
cmp word ptr [esi], 07D0 ;<B><FONT COLOR="#993366">The program here is</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<B><FONT COLOR="#993366">checking to see if these</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<B><FONT COLOR="#993366">two bytes [07D0] are stored</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<B><FONT COLOR="#993366">at the memory location</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<B><FONT COLOR="#993366">pointed to by esi.</FONT></B></FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004021EC 7505&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
jne 004021F3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<B><FONT COLOR="#993366">If any bytes are found</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<B><FONT COLOR="#993366">other than [07D0] then</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<B><FONT COLOR="#993366">the program is unregistered</FONT></B></FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004021EE 8B45EC&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov eax, dword ptr [ebp-14]</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004021F1 EB17&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
jmp 0040220A</FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>* Possible StringData
Ref from Data Obj ->"Unregistered Shareware"</FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004021F3 6814914200&nbsp;&nbsp;
push 00429114&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<B><FONT COLOR="#993366">Program comes here IF</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<B><FONT COLOR="#993366">it has NOT been registered</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004021F8 8D4DD8&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
lea ecx, dword ptr [ebp-28]</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004021FB E8C72F0100&nbsp;&nbsp;
call 004151C7</FONT></FONT>
<BR>&nbsp;

<P>Looking at the above code, we *could* just nop (90h) out that jne 004021F3
instruction completely and yes, the program would run as though it had
been registered, but that is not the whole story here.&nbsp; Look at what
W32Dasm is telling us.

<P>It is telling us that the program checks whether the two bytes [07D0]
exist at the memory location pointed to by the esi register,
and if whatever is currently stored at [esi] is <U>NOT EQUAL</U> to [07D0]
(i.e. not the same) then the program knows that it has not been registered.
<BR>&nbsp;
<BR>In order to see the importance of this, we must now use W32Dasm to
search the rest of the program's code and see whether it performs
the same check for these two magic bytes [07D0] anywhere else. If it does,
then we can assume that these checks represent the differences in the way the
program works between being a Shareware program and being a fully registered
program.

<P>While still in W32Dasm, <B>search for the bytes</B>: <B><FONT COLOR="#993366">6681</FONT></B>.
These two bytes make up just a part of the <FONT FACE="Arial,Helvetica">cmp
word ptr [esi], 07D0</FONT> instruction, so the search will find variations of this
same instruction as well.&nbsp; Right, we should see that there are <U><FONT COLOR="#000099">four</FONT></U>
other locations within this program that check to see if the program is
registered or not. Can you see what I'm trying to say here?&nbsp; If we
simply NOP (90h) out the jne 004021F3 instruction at memory location <FONT FACE="Arial,Helvetica">:004021EC
then we WON'T be placing the magic [07D0] bytes in the computer's memory,
and it is those bytes that tell the rest of the program that it has been registered.
Nop'ing the jne instruction fools this one check into accepting our fake serial number,
but the other four checks will still not find the magic bytes. If you are to understand *cracking* then you really
must understand this statement.</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">OK, then what must we do? Well, we MUST
make sure that the bytes [07D0] get placed at the memory location pointed to by esi BEFORE
we can proceed to the 'Good Guy' routines, so why not change the <B><FONT COLOR="#993366">cmp
word ptr [esi], 07D0 </FONT></B><FONT COLOR="#000000">instruction and turn
it into </FONT><B><FONT COLOR="#993366">mov word ptr [esi], 07D0</FONT></B></FONT>,
which we CAN do easily. Next, since our two magic bytes [07D0] have now
been placed correctly into memory, we can now get rid of that jne 004021F3
instruction: there is no longer a comparison instruction being executed,
so we can nop it out knowing that it is no longer needed.

<P>Here's what our new routine looks like:-

<P><B><U>BEFORE:</U></B>
<BR>&nbsp;
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004021E3 C645FC03&nbsp;&nbsp;&nbsp;&nbsp;
mov [ebp-04], 03</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004021E7 66813ED007&nbsp;&nbsp;
cmp word ptr [esi], 07D0</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004021EC 7505&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
jne 004021F3</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004021EE 8B45EC&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov eax, dword ptr [ebp-14]</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004021F1 EB17&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
jmp 0040220A</FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>* Possible StringData
Ref from Data Obj ->"Unregistered Shareware"</FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004021F3 6814914200&nbsp;&nbsp;
push 00429114</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004021F8 8D4DD8&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
lea ecx, dword ptr [ebp-28]</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004021FB E8C72F0100&nbsp;&nbsp;
call 004151C7</FONT></FONT>

<P><B><U>AFTER:</U></B>
<BR>&nbsp;
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004021E3 C645FC03&nbsp;&nbsp;&nbsp;&nbsp;
mov [ebp-04], 03</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT COLOR="#CC0000"><FONT SIZE=-1>:004021E7
66C706D007&nbsp;&nbsp; mov word ptr [esi], 07D0</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT COLOR="#CC0000"><FONT SIZE=-1>:004021EC
90&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; nop</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT COLOR="#CC0000"><FONT SIZE=-1>:004021ED
90&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; nop</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004021EE 8B45EC&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov eax, dword ptr [ebp-14]</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004021F1 EB17&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
jmp 0040220A</FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>* Possible StringData
Ref from Data Obj ->"Unregistered Shareware"</FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004021F3 6814914200&nbsp;&nbsp;
push 00429114</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004021F8 8D4DD8&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
lea ecx, dword ptr [ebp-28]</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004021FB E8C72F0100&nbsp;&nbsp;
call 004151C7</FONT></FONT>

<P>See, we've changed a cmp instruction into a mov instruction then nop'd
out a redundant jne instruction and now we have a fully registered ClipHound
program!
<BR>&nbsp;
<BR>Job Done.
<BR>&nbsp;
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT SIZE=+2><FONT COLOR="#0000FF">The 'Crack'</FONT>&nbsp;</FONT></CENTER>
</TD>
</TR>
</TABLE>
<FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">Load up cliphound.exe into your favorite
hex editor then:-</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Courier New,Courier"><B><U>SEARCH</U></B> FOR THE FOLLOWING
BYTES: 66813ED0077505</FONT>
<BR><FONT FACE="Courier New,Courier">THEN <B><U>REPLACE</U></B> HIGHLIGHTED
BYTES: <FONT COLOR="#CC0000">66C706D0079090</FONT></FONT>
<BR>&nbsp;
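<P>Seen from the vendor's side, the change above is easy to detect when a known-good copy of the same build is available. The following is an added example, not part of the original essay: it audits a suspect image at every cmp word ptr [reg], imm16 / short conditional jump site found in the known-good image. The function names are hypothetical, and the three byte buffers are constructed from the bytes in the BEFORE and AFTER listings.</P>

```python
# Added example, not from the essay: tamper audit of a suspect image against a
# known-good image of the same build. Function names are hypothetical.
NOP = 0x90

def check_sites(good: bytes) -> list:
    """Offsets of `66 81 /7 iw` (cmp word ptr [reg], imm16) in the known-good
    image that are immediately followed by a short conditional jump (70..7F)."""
    sites = []
    pos = good.find(b"\x66\x81")
    while pos != -1 and pos + 7 <= len(good):
        modrm = good[pos + 2]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        # mod=0 and rm not 4 (SIB) or 5 (disp32) is a plain [reg] operand, so
        # the compare is exactly 5 bytes and the jump opcode sits at +5.
        if mod == 0 and reg == 7 and rm not in (4, 5) and 0x70 <= good[pos + 5] <= 0x7F:
            sites.append(pos)
        pos = good.find(b"\x66\x81", pos + 1)
    return sites

def audit(good: bytes, suspect: bytes) -> list:
    """Return (offset, good_hex, suspect_hex, notes) for every modified site."""
    if len(good) != len(suspect):
        raise ValueError("images differ in size; compare copies of the same build")
    findings = []
    for off in check_sites(good):
        g, s = good[off:off + 7], suspect[off:off + 7]
        if g == s:
            continue
        notes = []
        # 66 C7 /0 iw is mov word ptr [reg], imm16. With mod=0 and reg=0 the
        # ModRM byte equals the register number; same register and same
        # immediate as the original compare means the test became a store.
        if s[:2] == b"\x66\xC7" and s[2] == (g[2] & 7) and s[3:5] == g[3:5]:
            notes.append("compare rewritten as store")
        if s[5] == NOP and s[6] == NOP:
            notes.append("conditional jump replaced by NOPs")
        findings.append((off, g.hex(), s.hex(), notes or ["site modified"]))
    return findings

# Constructed buffers holding the bytes of the BEFORE and AFTER listings
# (004021E3..004021F2); a real audit would read both files from disk.
GOOD = bytes.fromhex("C645FC03" "66813ED0077505" "8B45EC" "EB17")
PATCHED = bytes.fromhex("C645FC03" "66C706D0079090" "8B45EC" "EB17")
# Constructed variant in which only the jne was replaced.
JNE_ONLY = bytes.fromhex("C645FC03" "66813ED0079090" "8B45EC" "EB17")

if __name__ == "__main__":
    for name, image in (("good", GOOD), ("patched", PATCHED), ("jne-only", JNE_ONLY)):
        for off, before, after, notes in audit(GOOD, image):
            print(f"{name}: +{off:#x} {before} -> {after}: {', '.join(notes)}")
```

<P>An unmodified copy produces no findings; any finding at a check site means the copy no longer matches the shipped build.</P>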
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT SIZE=+2><FONT COLOR="#0000FF">Final Notes</FONT>&nbsp;</FONT></CENTER>
</TD>
</TR>
</TABLE>
<FONT FACE="Arial,Helvetica"><FONT COLOR="#333333">&nbsp;</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica">This was an interesting exercise in *cracking*,
changing a compare into a move then nop'ing a redundant jne instruction
so that the program then believes it has been registered.&nbsp; Because
we bothered to check the magic 07D0 bytes, we found that just nop'ing
the jne instruction was not enough on its own to properly *crack* this
program. A little investigation on our part can save a great deal of time
looking for the reason why the program produces unexpected results after
being *cracked*.</FONT>
<BR>&nbsp;
<BR>My thanks and gratitude go to:-
<BR>&nbsp;
<BR><FONT FACE="Arial,Helvetica">Fravia+ for providing possibly the greatest
source of Reverse Engineering</FONT>
<BR><FONT FACE="Arial,Helvetica">knowledge on the Web.</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">+ORC for showing me the light at the end
of the tunnel.</FONT>
<BR>&nbsp;
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT COLOR="#0000FF"><FONT SIZE=+2>Ob Duh</FONT></FONT>&nbsp;</CENTER>
</TD>
</TR>
</TABLE>
<I><FONT FACE="Arial,Helvetica">&nbsp;</FONT></I>
<BR><I><FONT FACE="Arial,Helvetica">Do I really have to remind you all
that buying and NOT stealing the software you use will ensure that these
software houses will continue to produce even *better* software for
us to use and, more importantly, continue offering even more challenges
to breaking their often weak protection systems?</FONT></I>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><I><FONT FACE="Arial,Helvetica">If you're looking for cracks or serial
numbers from these pages then you're wasting your time; try searching elsewhere
on the Web under Warez, Cracks etc.</FONT></I>
<BR>&nbsp;
<BR>
<HR SIZE=3 WIDTH="100%">
<BR><FONT FACE="Arial,Helvetica"><FONT SIZE=-2>Essay by:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<A HREF="mailto:The Sandman<greenway@proweb.co.uk>">The Sandman</A></FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT SIZE=-2>Page Created: 14th June
1998</FONT></FONT>

</BODY>
</HTML>
