<HTML>
<HEAD>
   <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
   <META NAME="GENERATOR" CONTENT="Mozilla/4.04 [en] (Win95; I) [Netscape]">
   <META NAME="Author" CONTENT="YuGung">
   <META NAME="Classification" CONTENT="Reverse Code Engineering">
   <META NAME="Description" CONTENT="Step by step guide to cracking MoneyKey v 0.2.0 demo">
   <META NAME="KeyWords" CONTENT="How to crack MoneyKey v 0.2.0 demo">
   <TITLE>MoneyKey v 0.2.0 demo</TITLE>
</HEAD>
<BODY TEXT="#001010" BGCOLOR="#C0C0C0" LINK="#FF0000" VLINK="#000099" ALINK="#FFFF00">
&nbsp;
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR BGCOLOR="#FFFFFF">
<TD WIDTH="15%">
<CENTER><B><FONT FACE="Arial,Helvetica">Sept 1998</FONT></B></CENTER>
</TD>

<TD WIDTH="100%">
<CENTER><FONT FACE="Arial,Helvetica"><FONT SIZE=+2>"MoneyKey v 0.2.0 demo"</FONT></FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica">Recover M$ Money file protection password</FONT></CENTER>
</TD>

<TD WIDTH="30%">
<CENTER><B><FONT FACE="Arial,Helvetica">Win '95 PROGRAM</FONT></B></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><FONT COLOR="#808080">Win Code Reversing</FONT></FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><FONT COLOR="#808080">&nbsp;</FONT></FONT></CENTER>
</TD>
</TR>

<TR BGCOLOR="#FFFF99">
<TD WIDTH="15%">
<CENTER><FONT FACE="Arial,Helvetica"><FONT COLOR="#890000">&nbsp;</FONT></FONT></CENTER>
</TD>

<TD>
<CENTER><FONT FACE="Arial,Helvetica">by <FONT SIZE=+3>YuGung&nbsp;</FONT></FONT></CENTER>
</TD>

<TD VALIGN=CENTER WIDTH="30%"><FONT FACE="Arial,Helvetica">&nbsp;</FONT></TD>
</TR>

<TR BGCOLOR="#999900">
<TD WIDTH="15%">
<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>
</TD>

<TD>
<CENTER><FONT FACE="Arial,Helvetica">Code Reversing For Beginners&nbsp;</FONT></CENTER>
</TD>

<TD WIDTH="30%">
<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>
</TD>
</TR>

<TR BGCOLOR="#C0C0C0">
<TD WIDTH="15%"></TD>

<TD ALIGN=LEFT>
<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>

<CENTER><B><FONT FACE="Arial,Helvetica">Program Details</FONT></B></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><B>Program Name:</B> moneykey_demo.zip</FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><B>Program Type:</B> password recovery</FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><B>Program Location:</B> <A HREF="http://www.lostpassword.com">Here</A>&nbsp;</FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><B>Program Size: </B>750K&nbsp;</FONT></CENTER>
<FONT FACE="Arial,Helvetica">&nbsp;</FONT></TD>

<TD WIDTH="30%"></TD>
</TR>

<TR BGCOLOR="#C0C0C0">
<TD WIDTH="15%"></TD>

<TD><FONT FACE="Arial,Helvetica"><B>&nbsp;</B>&nbsp;</FONT>&nbsp;
<CENTER><B><FONT FACE="Arial,Helvetica">Tools Used:</FONT></B></CENTER>

<CENTER><FONT FACE="Arial,Helvetica">&nbsp;Softice V3.2 - Win'95 Debugger</FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica">W32Dasm V8.9 - Win'95 Disassembler</FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>
</TD>

<TD WIDTH="30%"></TD>
</TR>

<TR>
<TD VALIGN=CENTER BGCOLOR="#C6E7C6">
<CENTER><B><FONT FACE="Arial,Helvetica"><FONT COLOR="#0000FF">Rating</FONT></FONT></B></CENTER>
</TD>

<TD VALIGN=CENTER BGCOLOR="#C6E7C6">
<CENTER><B><FONT FACE="Arial,Helvetica"><FONT SIZE=-1><FONT COLOR="#0000FF">Easy
( X&nbsp; )&nbsp; Medium (&nbsp;&nbsp; )&nbsp; Hard (&nbsp;&nbsp;&nbsp;
)&nbsp; Pro (&nbsp;&nbsp;&nbsp; )</FONT>&nbsp;</FONT></FONT></B></CENTER>
</TD>

<TD WIDTH="30%" BGCOLOR="#999900"><B><FONT FACE="Arial,Helvetica"><FONT SIZE=-1>There
is a crack, a crack in everything. That's how the light gets in.</FONT></FONT></B></TD>
</TR>
</TABLE>

<CENTER><FONT FACE="Arial,Helvetica"><FONT SIZE=-1>&nbsp;</FONT></FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT>&nbsp;
<HR></CENTER>

<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><FONT SIZE=+2>MoneyKey v 0.2.0 demo</FONT></FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><FONT COLOR="#0B7FC1">Written by YuGung</FONT></FONT></CENTER>
<FONT FACE="Arial Black">&nbsp;</FONT>
<BR>&nbsp;
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT COLOR="#0000FF"><FONT SIZE=+2>Introduction</FONT></FONT></CENTER>
</TD>
</TR>
</TABLE>
<I><FONT FACE="Arial,Helvetica"><FONT SIZE=-1>&nbsp;</FONT></FONT></I>
<BR><I><FONT FACE="Arial,Helvetica"><FONT SIZE=-1>"This is a demo version
that will recover only first two letters of the password. Please visit
http://www.lostpassword.com for updated demo versions and details on purchasing
full version."</FONT></FONT></I>
<BR>&nbsp;
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT COLOR="#3333FF"><FONT SIZE=+2>About this protection system</FONT></FONT></CENTER>
</TD>
</TR>
</TABLE>
<FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">Easy, easy, very easy (stupid ?) protection.</FONT>

<P><FONT FACE="Arial,Helvetica">It's a demo with no registration code, but
when you drag your money file onto the program window the output is the recovered
password with just the first two letters readable.</FONT>
<BR>&nbsp;
<BR>&nbsp;
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT SIZE=+2><FONT COLOR="#0000FF">The Essay</FONT>&nbsp;</FONT></CENTER>
</TD>
</TR>
</TABLE>
<FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">First I begin with my
usual (tried and tested) working method: log the install, open FILEMON and
REGMON, then run the target.</FONT></FONT>

<P><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">No problems on install,
but during the first run MoneyKey searches for a c:\window\moneykey.ini;
I'm sure that this is a registration file, but I have no clue what
could be inside.</FONT></FONT>

<P><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">I try to create a
fake moneykey.ini with different "serial", "registration code" etc. lines:
obviously this method doesn't work.</FONT></FONT>

<P><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">Then I start using
some Zen (thanks +Orc); when I drag a money file the output password is:</FONT></FONT>
<BR><B><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000"><FONT SIZE=-1>Recovering
password for the file:</FONT></FONT></FONT></B>
<BR><B><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000"><FONT SIZE=-1>C:\WINDOWS\Desktop\1997.mny</FONT></FONT></FONT></B>
<BR><B><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000"><FONT SIZE=-1>The
password is: 'TO*****' (no quotes)</FONT></FONT></FONT></B>

<P><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">Now I don't think
that the programmers are clever enough to decrypt just the first two letters of
a password; I think that they just use "*" to cover the other characters.</FONT></FONT>

<P><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">2Ah is the ASCII code
for "*", so we must search the disassembled code for something like: mov
xyz, 2a (where xyz could be eax, ebx, ecx or a memory pointer).</FONT></FONT>

<P><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">With W32Dasm, or in
the text file it generates, search for ", 2a" and you land directly on:</FONT></FONT>
<BR>&nbsp;
<BR><FONT FACE="Courier New,Courier"><FONT COLOR="#000000"><FONT SIZE=-1>*
Referenced by a (U)nconditional or (C)onditional Jump at Address:</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT COLOR="#000000"><FONT SIZE=-1>|:0040135E(C)</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT COLOR="#000000"><FONT SIZE=-1>|</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1><FONT COLOR="#000000">:00401357
C6002A&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov byte ptr [eax], 2A ; </FONT><B><FONT COLOR="#993366">this puts "*" (= ASCII
2A) over the decrypted password</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT COLOR="#000000"><FONT SIZE=-1>:0040135A
40&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
inc eax</FONT></FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT COLOR="#000000"><FONT SIZE=-1>*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT COLOR="#000000"><FONT SIZE=-1>|:0040134E(C),
:00401355(U)</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT COLOR="#000000"><FONT SIZE=-1>|</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT COLOR="#000000"><FONT SIZE=-1>:0040135B
803800&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
cmp byte ptr [eax], 00</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT COLOR="#000000"><FONT SIZE=-1>:0040135E
75F7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
jne 00401357</FONT></FONT></FONT>
<BR>&nbsp;
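<P><FONT FACE="Arial,Helvetica">The loop above expressed in C, next to a demo limit that never materializes the hidden characters. This is an added example, not code from MoneyKey or from the essay's author: the function names, the XOR "recovery" step and the sample bytes are constructed stand-ins, and the two visible letters are assumed to be skipped by a pointer offset.</FONT>

```c
#include <stdio.h>
#include <string.h>

#define DEMO_VISIBLE 2   /* the demo shows the first two letters */
#define TOY_KEY 0x5A     /* constructed stand-in, not MoneyKey's real algorithm */

/* Constructed sample: "TOYTEST" XORed with TOY_KEY. */
const unsigned char SAMPLE_ENC[7] = {0x0E, 0x15, 0x03, 0x0E, 0x1F, 0x09, 0x0E};

static char toy_decode(unsigned char c) { return (char)(c ^ TOY_KEY); }
static size_t visible_len(size_t n) { return n < DEMO_VISIBLE ? n : DEMO_VISIBLE; }

/* Pattern in the listing: recover everything, then mask in place.
 * snapshot receives the buffer as it stands just before the mask loop,
 * which is what a debugger or memory dump sees at that point.
 * Returns how many plaintext bytes were resident in memory. */
size_t demo_mask_after(const unsigned char *enc, size_t n, char *out, char *snapshot)
{
    size_t i;
    char *p;
    for (i = 0; i < n; i++)
        out[i] = toy_decode(enc[i]);
    out[n] = '\0';
    memcpy(snapshot, out, n + 1);
    p = out + visible_len(n);
    while (*p != '\0')       /* cmp byte ptr [eax], 00 / jne */
        *p++ = '*';          /* mov byte ptr [eax], 2A / inc eax */
    return n;
}

/* Hardened shape: the demo path never decodes past DEMO_VISIBLE. */
size_t demo_prefix_only(const unsigned char *enc, size_t n, char *out)
{
    size_t i, vis = visible_len(n);
    for (i = 0; i < vis; i++)
        out[i] = toy_decode(enc[i]);
    memset(out + vis, '*', n - vis);
    out[n] = '\0';
    return vis;
}

int main(void)
{
    char out[8], snap[8];
    size_t held = demo_mask_after(SAMPLE_ENC, 7, out, snap);
    printf("mask-after:  shown %s, %u plaintext bytes held\n", out, (unsigned)held);
    held = demo_prefix_only(SAMPLE_ENC, 7, out);
    printf("prefix-only: shown %s, %u plaintext bytes held\n", out, (unsigned)held);
    return 0;
}
```

<P><FONT FACE="Arial,Helvetica">Both functions display the same string; only the first ever holds the full password. The prefix-only form is meaningful only if the demo build also leaves out the code that recovers the remaining characters.</FONT>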

<P><FONT FACE="Arial,Helvetica">Just to confirm our suspicion, run the program...</FONT>

<P><FONT FACE="Arial,Helvetica"><B><FONT COLOR="#993366">1.</FONT></B>
Fire up Softice by pressing <B>CTRL-D</B>.</FONT>

<P><FONT FACE="Arial,Helvetica"><B><FONT COLOR="#993366">2.</FONT></B>
Type: <B>bpx hmemcpy </B>then<B> x</B> to leave Softice</FONT>

<P><FONT FACE="Arial,Helvetica"><B><FONT COLOR="#993366">3.</FONT></B>
Drag your money file into the target window</FONT>

<P><FONT FACE="Arial,Helvetica"><B><FONT COLOR="#993366">4.</FONT></B>
Softice breaks at the beginning of <B>Hmemcpy</B></FONT>

<P><FONT FACE="Arial,Helvetica"><B><FONT COLOR="#993366">5.</FONT></B>
Press 'F12' 7-8 times until you reach the MoneyKey code.</FONT>

<P><FONT FACE="Arial,Helvetica"><B><FONT COLOR="#993366">6.</FONT></B>
Now type: <B>bc * </B>to clear the previous breakpoint and <B>bpx 401357,
</B>then<B> x</B> to leave Softice</FONT>

<P><FONT FACE="Arial,Helvetica"><B><FONT COLOR="#993366">7.</FONT></B>
Drag your money file into the target window again.</FONT>

<P><FONT FACE="Arial,Helvetica"><B><FONT COLOR="#993366">8.</FONT></B>
Softice breaks at&nbsp; </FONT><FONT FACE="Courier New,Courier"><FONT COLOR="#000000"><FONT SIZE=-1>:00401357
C6002A mov byte ptr [eax], 2A</FONT></FONT></FONT>

<P><FONT FACE="Arial,Helvetica"><B><FONT COLOR="#993366">9.</FONT></B>
Type <B>d eax </B>and look at the memory window: YES it's your complete
decrypted password !!!</FONT>

<P><FONT FACE="Arial,Helvetica">That's all; now we know where and how to patch
this stupid protection.</FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">&nbsp;</FONT></FONT>
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT SIZE=+2><FONT COLOR="#0000FF">The Patches</FONT>&nbsp;</FONT></CENTER>
</TD>
</TR>
</TABLE>
<FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica">I use the simplest (but not elegant,
as +Orc says) method to patch this one: just NOP the instructions at</FONT>

<P><FONT FACE="Courier New,Courier"><FONT COLOR="#000000"><FONT SIZE=-1>00401357
C6002A&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov byte ptr [eax], 2A</FONT></FONT></FONT>

<P><FONT FACE="Arial,Helvetica">and at&nbsp; (the protection routine is
repeated twice, I think for money97/money98 files)</FONT>

<P><FONT FACE="Courier New,Courier"><FONT COLOR="#000000"><FONT SIZE=-1>:00401A8A
C6002A&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov byte ptr [eax], 2A</FONT></FONT></FONT>

<P><FONT FACE="Arial,Helvetica">substituting&nbsp; C6 00 2A with&nbsp;
90 90 90</FONT>
<BR>&nbsp;
<CENTER><B><FONT FACE="Arial,Helvetica"><FONT COLOR="#3333FF">If you intend
on using this program beyond its evaluation period then please BUY IT!</FONT></FONT></B></CENTER>

<CENTER><B><FONT FACE="Arial,Helvetica"><FONT COLOR="#3333FF">&nbsp;</FONT></FONT></B></CENTER>

<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT SIZE=+2><FONT COLOR="#0000FF">Final Notes</FONT>&nbsp;</FONT></CENTER>
</TD>
</TR>
</TABLE>
<FONT FACE="Arial,Helvetica"><FONT COLOR="#333333">&nbsp;&nbsp;&nbsp;&nbsp;</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica">Two notes about this one:</FONT>

<P><FONT FACE="Arial,Helvetica">First, to the programmers: use your minds
not just for password decryption routines, but also to give us less obvious
protections.</FONT>

<P><FONT FACE="Arial,Helvetica">Second, to the micro$oft users: don't use
any password protection from bill "big brother" gates; they are really
weak protections.</FONT>

<P>My thanks and gratitude go to:
<BR>&nbsp;
<BR><FONT FACE="Arial,Helvetica">Fravia+ for providing possibly the greatest
source of Reverse Engineering</FONT>
<BR><FONT FACE="Arial,Helvetica">knowledge on the Web.</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">+ORC for showing me the light at the end
of the tunnel.</FONT>
<BR>&nbsp;
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT COLOR="#0000FF"><FONT SIZE=+2>Ob Duh</FONT></FONT>&nbsp;</CENTER>
</TD>
</TR>
</TABLE>
<I><FONT FACE="Arial,Helvetica">&nbsp;</FONT></I>
<BR><I><FONT FACE="Arial,Helvetica">Do I really have to remind you all
that buying and NOT stealing the software you use will encourage these
software houses to produce even *better* software for
us to use and enjoy?</FONT></I>

<P><I><FONT FACE="Arial,Helvetica">Ripping off software through serials
and cracks is for lamers..</FONT></I>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><I><FONT FACE="Arial,Helvetica">If you're looking for cracks or serial
numbers from these pages then you're wasting your time, try searching elsewhere
on the Web under Warez, Cracks etc.</FONT></I>
<BR>&nbsp;
<BR>
<HR SIZE=3 WIDTH="100%">
<CENTER>&nbsp;</CENTER>
<FONT FACE="Arial,Helvetica"><FONT SIZE=-2>Essay by:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<A HREF="mailto:yugung@my-dejavu.com">YuGung</A></FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT SIZE=-2>Page Created: 8th September
1998</FONT></FONT>

</BODY>
</HTML>
