<HTML>
<HEAD>
   <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
   <META NAME="GENERATOR" CONTENT="Mozilla/4.04 [en] (Win95; I) [Netscape]">
   <META NAME="Author" CONTENT="NiXe">
   <META NAME="Classification" CONTENT="Reverse Code Engineering">
   <META NAME="Description" CONTENT="Step by step guide to cracking Password Tracker Deluxe 3.56">
   <META NAME="KeyWords" CONTENT="How to crack Password Tracker Deluxe 3.56">
   <TITLE>Password Tracker Deluxe 3.56</TITLE>
<STYLE> <!-- A:HOVER {font-weight:bold;color:#3399FF} --> </STYLE>
</HEAD>
<BODY TEXT="#E0E0E0" BGCOLOR="#000000" LINK="#D0D0FF" VLINK="#FFD0D0" leftmargin="30">
&nbsp;
<CENTER><TABLE BORDER CELLSPACING=0 WIDTH="100%" bordercolor="#AAAAAA" >
<TR BGCOLOR="#102030">
<TD WIDTH="15%">
<CENTER><B><FONT COLOR="#0B7FC1">January 1999</FONT></B></CENTER>
</TD>

<TD WIDTH="70%" HEIGHT="60">
<CENTER><FONT COLOR="#0B7FC1"><FONT SIZE=+2>"Password Tracker Deluxe 3.56"</FONT></FONT></CENTER>

<CENTER>'Patching'&nbsp;</CENTER>
</TD>

<TD WIDTH="15%">
<CENTER><B><FONT COLOR="#0B7FC1">W32 PROGRAM</FONT></B> Code Reversing</CENTER>
</TD>
</TR>

<TR BGCOLOR="#000000">
<TD WIDTH="15%"></TD>

<TD WIDTH="15%" HEIGHT="55" BGCOLOR="#102030">
<CENTER>by&nbsp;&nbsp; <FONT SIZE=+3><FONT COLOR="#F2F2FF">N</FONT> <FONT COLOR="#E4E4FF">i</FONT>
<FONT COLOR="#D7D7FF">X</FONT> <FONT COLOR="#C9C9FF">e</FONT>&nbsp;</FONT></CENTER>
</TD>

<TD WIDTH="15%"></TD>
</TR>

<TR ALIGN=CENTER BGCOLOR="#000000">
<TD WIDTH="15%"></TD>

<TD HEIGHT="40" BGCOLOR="#102030">Code Reversing For Beginners&nbsp;</TD>

<TD WIDTH="15%"></TD>
</TR>

<TR BGCOLOR="#000000">
<TD WIDTH="15%"></TD>

<TD ALIGN=CENTER BGCOLOR="#102030">

<P><B>Program Details</B>
<BR><B>Program Name:</B> ptrack.zip
<BR><B>Program Type:</B> Utility
<BR><B>Program Location:</B> <A HREF="http://www.bigfoot.com/~ptd">Here</A>
<BR><B>Program Size: </B>1.03 Mb</TD>

<TD WIDTH="15%"></TD>
</TR>

<TR BGCOLOR="#000000">
<TD WIDTH="15%"></TD>

<TD BGCOLOR="#102030">
<CENTER></CENTER>

<CENTER><B>Tools Used:</B></CENTER>

<CENTER>Softice - Win'95 Debugger</CENTER>

<CENTER>W32Dasm - Win'95 Disassembler</CENTER>
&nbsp;</TD>

<TD WIDTH="15%"></TD>
</TR>

<TR BGCOLOR="#102030">
<TD ALIGN=CENTER><B><FONT COLOR="#0B7FC1">Rating</FONT></B>&nbsp;</TD>

<TD ALIGN=CENTER><B><FONT COLOR="#0B7FC1"><FONT SIZE=-1>Easy ( X )&nbsp;
Medium ( )&nbsp; Hard ( )&nbsp; Pro ( )</FONT></FONT></B>&nbsp;</TD>

<TD>
<CENTER></CENTER>

<CENTER><B><FONT COLOR="#0B7FC1"><FONT SIZE=-1>Solving the puzzle</FONT></FONT></B></CENTER>
&nbsp;</TD>
</TR>
</TABLE></CENTER>

<CENTER>&nbsp;</CENTER>

<CENTER></CENTER>
<!-- ----------------------------------------------------------------------- -->
<TABLE BORDER CELLSPACING=0 CELLPADDING=2 WIDTH="100%" BGCOLOR="#102030" bordercolor="#AAAAAA" >
<TR>
<TD WIDTH="100%">
<CENTER><FONT COLOR="#0B7FC1"><FONT SIZE=+2>Introduction</FONT></FONT></CENTER>
</TD>
</TR>
</TABLE>
&nbsp;

<P><FONT FACE="Arial,Helvetica">We all know that using separate user names
and passwords is smart computing. It is also smart to change your passwords
frequently. Remembering all those user names and passwords, especially
if you change them as often as you should, can be a real hassle. That was
before Password Tracker Deluxe.</FONT>

<P><FONT FACE="Arial,Helvetica">Password Tracker Deluxe solves the problem
of trying to remember multiple user names and passwords for different programs.
All you need to do is enter the information into Password Tracker Deluxe's
database, assign the program window where you want the information to go,
and you're done. The next time you need to enter user name and password
information, just click on the Password Tracker Deluxe icon in the Windows
95/98/NT 4.0 System Tray, pick the correct "P-Track" and the data is automatically
inserted into the program. And with the wizards in Password Tracker Deluxe,
using Password Tracker Deluxe has never been easier.</FONT>

<P><FONT FACE="Arial,Helvetica">Password Tracker Deluxe does more than
just track your passwords: it can also launch a program or URL, and it can
send your commonly typed text to programs.</FONT>
<BR>&nbsp;
<TABLE BORDER CELLSPACING=0 CELLPADDING=2 WIDTH="100%" BGCOLOR="#102030" bordercolor="#AAAAAA" >
<TR>
<TD WIDTH="100%">
<CENTER><FONT COLOR="#0B7FC1"><FONT SIZE=+2>About this protection system</FONT></FONT></CENTER>
</TD>
</TR>
</TABLE>
&nbsp;

<P><FONT FACE="Arial,Helvetica">This shareware becomes registered once
you enter a name and a matching registration number.</FONT>

<P><FONT FACE="Arial,Helvetica">The following entries are created in the
Windows registry:</FONT>
<PRE><FONT FACE="Arial,Helvetica">[HKEY_CURRENT_USER\Software\CLR\Password Tracker\Install]
"MainDirectory"="C:\\Program Files\\Password Tracker Deluxe"
"RegistrationNameDeluxe"="My name" (not encrypted)
"RegistrationNumberDeluxe"="My serial number" (not encrypted)</FONT></PRE>
<FONT FACE="Arial,Helvetica">Note: Use Regmon to find out what is written
to/read from the Windows Registry.</FONT>
<BR>&nbsp;
<TABLE BORDER CELLSPACING=0 CELLPADDING=2 WIDTH="100%" BGCOLOR="#102030" bordercolor="#AAAAAA" >
<TR>
<TD WIDTH="100%">
<CENTER><FONT COLOR="#0B7FC1"><FONT SIZE=+2>The Essay</FONT></FONT></CENTER>
</TD>
</TR>
</TABLE>
&nbsp;

<P><FONT FACE="Arial,Helvetica">Run Password Tracker a couple of
times and enter something in the registration screen.</FONT>
<BR><FONT FACE="Arial,Helvetica">Notice the 'Invalid registration number.'
message! Write it down.</FONT>

<P><FONT FACE="Arial,Helvetica">Create a dead listing in W32Dasm and find
the 'Invalid..' message you wrote down. Now we must analyse the
code before the string reference to see if we can avoid the bad-guy message.</FONT>
<BR><FONT FACE="Arial,Helvetica">The routine containing the reference to 'Invalid..'
has a 'call 0041FC20' followed by a 'cmp eax,1' just a few lines up. A
call followed by a compare/test on eax should ring a bell! Many programs
use a serial validation function that returns eax=0 if the registration code
was invalid and eax=1 if it was correct. Maybe this program does the same?</FONT>

<P><FONT FACE="Arial,Helvetica">Here is the interesting code:</FONT>
<PRE><FONT FACE="Arial,Helvetica"><FONT COLOR="#0B7FC1">:0041F66A 8B542404                mov edx, dword ptr [esp+04]
:0041F66E 8B442408                mov eax, dword ptr [esp+08]
:0041F672 52                      push edx
:0041F673 50                      push eax
:0041F674 E8A7050000              call 0041FC20         </FONT>; an interesting call - serial validation?
<FONT COLOR="#0B7FC1">:0041F679 83C408                  add esp, 00000008
:0041F67C 83F801                  cmp eax, 00000001     </FONT>; compare eax and 1
<FONT COLOR="#0B7FC1">:0041F67F 7509                    jne 0041F68A          </FONT>; if not equal jump to 'Invalid reg...'
<FONT COLOR="#0B7FC1">ADD EAX,2  - 0502000000
:0041F681 8BCE                    mov ecx, esi
:0041F683 E8B17C0100              call 00437339
:0041F688 EB21                    jmp 0041F6AB
* Referenced by a (U)nconditional or (C)onditional Jump at Address: 0041F67F(C)
:0041F68A 6A00                    push 00000000
:0041F68C 6A30                    push 00000030
* Possible StringData Ref from Data Obj ->"Invalid registration number." </FONT>; our string!
<FONT COLOR="#0B7FC1">.
.
.
* Referenced by a CALL at Addresses: 0041F674, 0041FB8F </FONT>; this function is called from 2 locations<FONT COLOR="#0B7FC1">
:0041FC20 6AFF                    push FFFFFFFF         </FONT>; start of validate name/serial routine
<FONT COLOR="#0B7FC1">:0041FC22 6808954500              push 00459508
:0041FC27 64A100000000            mov eax, dword ptr fs:[00000000]
:0041FC2D 50                      push eax
:0041FC2E 64892500000000          mov dword ptr fs:[00000000], esp
:0041FC35 83EC14                  sub esp, 00000014
:0041FC38 8B442424                mov eax, dword ptr [esp+24]
:0041FC3C 56                      push esi
:0041FC3D 50                      push eax
:0041FC3E 8D4C2408                lea ecx, dword ptr [esp+08]
:0041FC42 E8E9FAFFFF              call 0041F730         </FONT>; calculations on name
<FONT COLOR="#0B7FC1">:0041FC47 8B54242C                mov edx, dword ptr [esp+2C]
:0041FC4B 51                      push ecx
:0041FC4C 8BCC                    mov ecx, esp
:0041FC4E 8964242C                mov dword ptr [esp+2C], esp
:0041FC52 52                      push edx
:0041FC53 C744242800000000        mov [esp+28], 00000000
:0041FC5B E856B60100              call 0043B2B6         </FONT>; ?
<FONT COLOR="#0B7FC1">:0041FC60 8D4C2408                lea ecx, dword ptr [esp+08]
:0041FC64 E827FCFFFF              call 0041F890         </FONT>; serial
<FONT COLOR="#0B7FC1">:0041FC69 8D4C2404                lea ecx, dword ptr [esp+04]
:0041FC6D 8BF0                    mov esi, eax
:0041FC6F C7442420FFFFFFFF        mov [esp+20], FFFFFFFF
:0041FC77 E8C4FBFFFF              call 0041F840         </FONT>; if this returns with esi&lt;>1 we get the 'Invalid reg..' message
<FONT COLOR="#0B7FC1">:0041FC7C 8B4C2418                mov ecx, dword ptr [esp+18]
:0041FC80 8BC6                    mov eax, esi          </FONT>; move return code to eax
<FONT COLOR="#0B7FC1">:0041FC82 64890D00000000          mov dword ptr fs:[00000000], ecx
:0041FC89 5E                      pop esi
:0041FC8A 83C420                  add esp, 00000020
:0041FC8D C3                      ret</FONT></FONT></PRE>
&nbsp;

<P><FONT FACE="Arial,Helvetica">Hey, let's fire up SoftIce and follow
the call to 0041FC20. Yes, there are a lot of calculations on memory addresses,
our name and our serial in here. This IS the validate-serial function. Let's crack
it...</FONT>

<P><FONT FACE="Arial,Helvetica">I tried to figure out the real serial...
and failed.</FONT>

<P><FONT FACE="Arial,Helvetica">I tried to find the real serial... and
failed.</FONT>

<P><FONT FACE="Arial,Helvetica">I tried to patch the 'is valid serial'
routine (0041FC20) but that is pretty tricky because we have a lot of pointers
being manipulated here and there is <I>no place</I> to insert the extra
assembler statement needed. I tried but then some of the registers were
affected... which resulted in all kinds of strange page faults and a lot
of reboots. So I failed here too.</FONT>

<P><FONT FACE="Arial,Helvetica">Then I patched the call to 0041F840 so
it always returned 1. Nope, this routine is called from several locations
and if it always returns 1 you will get an error when closing the application.
Failure again :-(</FONT>

<P><FONT FACE="Arial,Helvetica">After some debugging and taking notes I
found that the call to 0041FC20 returned with eax = FFFFFFFF if the reg no
was not valid and eax = 1 if it was valid. There must be somewhere we can
make our patch? Hm, there are two references to 0041FC20: from a CALL at
addresses 0041F674 and 0041FB8F. After the call both routines have this
code:</FONT>
<PRE><FONT FACE="Arial,Helvetica"><FONT COLOR="#0B7FC1">:0041F674 E8A7050000              call 0041FC20         </FONT>; validate name/serial
<FONT COLOR="#0B7FC1">:0041F679 83C408                  add esp, 00000008     </FONT>; adjust stack pointer
<FONT COLOR="#0B7FC1">:0041F67C 83F801                  cmp eax, 00000001     </FONT>; compare eax (FFFFFFFF) and 1
<FONT COLOR="#0B7FC1">:0041F67F 7509                    jne XXXXXX            </FONT>; if not equal we are not registered
<FONT COLOR="#0B7FC1">:0041F681 8BCE                    mov XXXXXX</FONT></FONT></PRE>


<P><FONT FACE="Arial,Helvetica">Here we actually have 5 bytes we can use
(cmp eax, 00000001 and jne XXXXXX). "mov eax,1" takes up exactly 5 bytes :-)</FONT>
<BR><FONT FACE="Arial,Helvetica">Now we are back on track. We can patch
the two calling routines so they think the call to 0041FC20 returned eax=1.</FONT>
<BR><FONT FACE="Arial,Helvetica">The following patch removes the compare
and the conditional jump, so execution always falls through into the registered
branch. It does not change any register values other than eax. Make your patch
as small as possible:</FONT>
<PRE><FONT FACE="Arial,Helvetica">Before the fix:
<FONT COLOR="#0B7FC1">:0041F674 E8A7050000              call 0041FC20
:0041F679 83C408                  add esp, 00000008
:0041F67C 83F801                  cmp eax, 00000001     </FONT>; compare eax and 1
<FONT COLOR="#0B7FC1">:0041F67F 7509                    jne 0041F68A          </FONT>; if not equal jump to 'Invalid reg...'
<FONT COLOR="#0B7FC1">.
.
.
:0041FB8F E88C000000              call 0041FC20
:0041FB94 83C408                  add esp, 00000008
:0041FB97 83F801                  cmp eax, 00000001     </FONT>; compare eax and 1
<FONT COLOR="#0B7FC1">:0041FB9A 7514                    jne 0041FBB0          </FONT>; if not equal jump to 'Invalid reg...'


After the fix:
<FONT COLOR="#0B7FC1">:0041F674 E8A7050000              call 0041FC20
:0041F679 83C408                  add esp, 00000008
</FONT><FONT COLOR="#C17F7F">:0041F67C B801000000              mov eax, 00000001     </FONT>; eax always 1 and no jump
<FONT COLOR="#0B7FC1">.
.
.
:0041FB8F E88C000000              call 0041FC20
:0041FB94 83C408                  add esp, 00000008
</FONT><FONT COLOR="#C17F7F">:0041FB97 B801000000              mov eax, 00000001     </FONT>; eax always 1 and no jump</FONT></PRE>
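<P><FONT FACE="Arial,Helvetica">Added example (not NiXe's code and not part of Password Tracker Deluxe): the Python below treats the W32Dasm listing above as data. It checks that the hex-byte column is consistent with the instruction addresses, decodes the relative call/jmp/jne targets that W32Dasm resolved for us, and, from a defender's angle, reports which original instructions a same-length byte change overlaps, which is what an integrity check over this code region would have to flag. Every address and byte sequence is copied from the listing on this page.</FONT>

```python
"""
Added example: not NiXe's code and not part of Password Tracker Deluxe.
It treats the W32Dasm listing quoted above as data: checks that the hex-byte
column is consistent with the instruction addresses, decodes the relative
call/jmp/jne targets W32Dasm resolved, and reports which original
instructions a same-length byte change overlaps. All addresses and bytes
are copied from the listing on this page.
"""

# (address, hex bytes, mnemonic) for the first call site, as listed by W32Dasm.
LISTING = [
    (0x0041F66A, "8B542404", "mov edx, dword ptr [esp+04]"),
    (0x0041F66E, "8B442408", "mov eax, dword ptr [esp+08]"),
    (0x0041F672, "52", "push edx"),
    (0x0041F673, "50", "push eax"),
    (0x0041F674, "E8A7050000", "call 0041FC20"),
    (0x0041F679, "83C408", "add esp, 00000008"),
    (0x0041F67C, "83F801", "cmp eax, 00000001"),
    (0x0041F67F, "7509", "jne 0041F68A"),
    (0x0041F681, "8BCE", "mov ecx, esi"),
    (0x0041F683, "E8B17C0100", "call 00437339"),
    (0x0041F688, "EB21", "jmp 0041F6AB"),
]


def check_contiguous(listing):
    """Every instruction must start exactly where the previous one ends."""
    return all(a1 + len(h1) // 2 == a2
               for (a1, h1, _), (a2, _, _) in zip(listing, listing[1:]))


def branch_target(addr, hexbytes):
    """Decode E8 rel32 (call), EB rel8 (jmp) or 75 rel8 (jne) to its target."""
    code = bytes.fromhex(hexbytes)
    if code[0] == 0xE8:
        rel = int.from_bytes(code[1:5], "little", signed=True)
    elif code[0] in (0xEB, 0x75):
        rel = int.from_bytes(code[1:2], "little", signed=True)
    else:
        raise ValueError("not a relative branch: " + hexbytes)
    # x86 relative branches are measured from the end of the instruction.
    return addr + len(code) + rel


def code_bytes(listing):
    """Concatenate the listing's hex column into the raw code bytes."""
    return b"".join(bytes.fromhex(h) for _, h, _ in listing)


def tampered_instructions(listing, candidate):
    """Mnemonics of the listed instructions touched by bytes that differ."""
    original = code_bytes(listing)
    base = listing[0][0]
    changed = {base + i for i, (x, y) in enumerate(zip(original, candidate))
               if x != y}
    return [mn for addr, h, mn in listing
            if changed & set(range(addr, addr + len(h) // 2))]


def patched_variant(listing):
    """The 'After the fix' bytes shown in the essay: B801000000 over cmp+jne."""
    buf = bytearray(code_bytes(listing))
    off = 0x0041F67C - listing[0][0]
    buf[off:off + 5] = bytes.fromhex("B801000000")
    return bytes(buf)
```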


<P><FONT FACE="Arial,Helvetica">Finally we are registered - even after
restarting the application.</FONT>

<P><FONT FACE="Arial,Helvetica">All name/serial combinations are now accepted :-)</FONT>
<BR>&nbsp;
<TABLE BORDER CELLSPACING=0 CELLPADDING=2 WIDTH="100%" BGCOLOR="#102030" bordercolor="#AAAAAA" >
<TR>
<TD WIDTH="100%">
<CENTER><FONT COLOR="#0B7FC1"><FONT SIZE=+2>Final Notes</FONT></FONT></CENTER>
</TD>
</TR>
</TABLE>
&nbsp;

<P><FONT FACE="Arial,Helvetica">This protection system fooled me a bit.
Usually it's best to patch the 'check valid serial' routine but in this
case I found that the easiest crack was to patch the two calling routines...</FONT>

<P><FONT FACE="Arial,Helvetica">Nice protection system but it all depends
on the two compares. Just a little more protection and I would not have
solved this puzzle and would have found something easier to play with.</FONT>
<BR>&nbsp;
<TABLE BORDER CELLSPACING=0 CELLPADDING=2 WIDTH="100%" BGCOLOR="#102030" bordercolor="#AAAAAA" >
<TR>
<TD WIDTH="100%">
<CENTER><FONT COLOR="#0B7FC1"><FONT SIZE=+2>Ob Duh</FONT></FONT></CENTER>
</TD>
</TR>
</TABLE>
&nbsp;

<P><FONT FACE="Arial,Helvetica">I won't even bother explaining to you that
you should BUY this target program if you intend to use it for a longer
period than the allowed one.</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR>
<HR SIZE=3 WIDTH="100%">
<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>

<CENTER><TABLE BORDER=2 >
<TR>
<TD><FONT FACE="Arial,Helvetica">&nbsp;<B><A HREF="students.html">Return</A>&nbsp;</B></FONT></TD>
</TR>
</TABLE></CENTER>

<CENTER><B><FONT FACE="Arial,Helvetica"><FONT SIZE=+1>&nbsp;</FONT></FONT></B></CENTER>

<HR SIZE=3 WIDTH="100%">
</BODY>
</HTML>
