Software Reverse Engineering - DocMan v2.1 - Hardcoded Registration Keys!
Copyright (c) 1998 Volatility
Document Courtesy of The Immortal Descendants - http://pages.prodigy.net/volatility

	This protection is so pathetic, I shouldn't be wasting my time writing this essay.
The author might as well GIVE the program away for FREE!

	Since this protection is so simple, I decided to show another way to crack it, so
it wouldn't be a complete waste of time, even though this method is about equally simple.

---------------------------------------------------------------------------------------------
Target:  DocMan v2.1 - (docman21.zip) 116,334 bytes.  Download this at:

	  ftp://ftp.eurobretagne.fr/pub/pc/win95/sysutil/docman21.zip

Tools Needed:  	WDASM - recommended (or disassembler of your choice)
                SOFT-ICE (any version)
---------------------------------------------------------------------------------------------

---------------------------------------------------------------------------------------------
METHOD 1: HARDCODED REGISTRATION KEYS
---------------------------------------------------------------------------------------------

Prepare To Crack:

	After running the install program, I ran DocMan, and checked for a registration
screen.  I found it at "Help", "About DocMan".  Only one place to enter a key, and the key
can only be 6 characters.  I entered a dummy code (272727) to see what the error message would
say.  I wrote down the error message, and fired up WDASM: "Disassembler", "Open file to
disassemble".

Making The Crack:

	I always check the String References under "Refs", "String Data References", 
because more often than not, you can find such strings as "Registered", "Registered To",
"Registration", etc.  I looked through the strings, and saw "IFNRUX", "IUIOOP" and "KNJRUT".
This looked rather curious to me, so I double-clicked on one of them.  Would you believe it,
this popped me right smack dab into the registration routine.  I thought to myself "no, this
can't be... the registration keys?".  I tried one out... I'll be damned!  They all work!

	Stupid, Stupid, Stupid lazy programmers.  Here are the hardcoded keys:

---------------------------------------------------------------------------------------------
Valid Registration Keys
---------------------------------------------------------------------------------------------
IFNRUX
AHPUQW
IUIOOP
KNJRUT

---------------------------------------------------------------------------------------------
METHOD 2:  FISHING FOR VALID KEYS IN SOFT-ICE
---------------------------------------------------------------------------------------------

	NOTE: If you don't know how to use Soft-Ice, I'd suggest getting some tutorials
	from the web, there are MANY good ones out there.

Prepare To Crack:

	Since we disassembled the program once already, we can look at the Imports ("Functions",
"Imports") in WDASM to see what we need to breakpoint on in Soft-Ice.  To save you time, the
two most common imports are "GetDlgItemTextA" and "GetWindowTextA" for 32 bit programs.  To
save you even more time, the one we need is "GetDlgItemTextA".

	Run DocMan, and open up the registration screen.  Enter some test data, then press
Ctrl+D to pop into Soft-Ice.  Set a breakpoint on GetDlgItemTextA (BPX GETDLGITEMTEXTA).
Press Ctrl+D to exit back to DocMan and click the "Unlock" button.  Soft-Ice will pop up on the
breakpoint.  Press F11 once to get into the routine, and you'll land in the following code:

---------------------------------------------------------------------------------------------
0137:00402B3B  CALL     [USER32!GetDlgItemTextA]   <import we broke in on
0137:00402B41  MOV      EAX,0040EDB0               <
0137:00402B46  PUSH     EAX                        <various functions to put the correct
0137:00402B47  CALL     004067CC                   <key and our key in memory
0137:00402B4C  ADD      ESP,04                     <
0137:00402B4F  TEST     EAX,EAX                    <compare our key with the correct one
0137:00402B51  JNZ      00402B68                   <jump to registered if not zero
0137:00402B53  PUSH     0040B61B                   <hmm....what is this? :)
0137:00402B58  PUSH     64
0137:00402B5A  PUSH     EBX
0137:00402B5B  CALL     00402133
---------------------------------------------------------------------------------------------

	The PUSH location I commented above looks interesting to us, so let's step through
the code by pressing F10 until we get to that line.  Display it by typing d 40B61B ... and
what do we see in the registers window?  A code!

	You'll see three more routines just like the one above if you step through the code
using F10.  At each PUSH location, display it like above, and you'll find more codes.
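Both methods above come down to the same design mistake: the accepted keys are stored in the executable as plain text and compared byte-for-byte with the user's input, so they show up in a string-reference list (Method 1) and get pulled into memory at the comparison (Method 2). The following added example, not DocMan's code and not from the essay's author, models that weak scheme next to a hardened one that embeds only a salted SHA-256 digest of each key, and runs the same kind of string scan a disassembler does over both images. All keys, the salt and the fake image header are constructed stand-in values.

```python
import hashlib
import hmac
import re

# Constructed stand-in values for the demo; none of these are DocMan's.
HEADER = b"MZ\x90\x00" + bytes(range(1, 32))    # fake image header, no long printable runs
DEMO_KEYS = ["ABCDEF", "GHIJKL"]                # made-up six-character keys
LICENSE_SALT = b"demo-license-salt"             # hypothetical per-product salt
DIGEST_LEN = hashlib.sha256().digest_size       # 32 bytes per stored digest
MIN_STRING_LEN = 6                              # DocMan keys are six characters


def build_weak_image(keys):
    """Weak scheme from the essay: accepted keys sit in the image as plain
    NUL-terminated strings, so any string listing exposes them."""
    return HEADER + b"".join(k.encode("ascii") + b"\x00" for k in keys)


def key_digest(key):
    """Salted SHA-256 of a key; what the hardened image stores instead of the key."""
    return hashlib.sha256(LICENSE_SALT + key.encode("ascii")).digest()


def build_hashed_image(keys):
    """Hardened variant: only the digest of each accepted key is embedded."""
    return HEADER + b"".join(key_digest(k) for k in keys)


def printable_strings(image, min_len=MIN_STRING_LEN):
    """What a disassembler's string-reference list (or `strings`) shows:
    runs of printable ASCII at least min_len characters long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, image)]


def leaked_keys(image, keys):
    """Release-time audit: which accepted keys appear verbatim in the image?"""
    strings = printable_strings(image)
    return [k for k in keys if any(k in s for s in strings)]


def check_key_weak(image, entered):
    """Mirrors the observed flow: fetch each stored key string and compare it
    with the user's input character by character."""
    stored = [s for s in image[len(HEADER):].split(b"\x00") if s]
    return entered.encode("ascii") in stored


def check_key_hashed(image, entered):
    """Hash the entered key and compare it against each stored digest with a
    constant-time comparison; the plaintext key never exists in the binary."""
    body = image[len(HEADER):]
    wanted = key_digest(entered)
    digests = [body[i:i + DIGEST_LEN] for i in range(0, len(body), DIGEST_LEN)]
    return any(hmac.compare_digest(wanted, d) for d in digests)


if __name__ == "__main__":
    weak, hashed = build_weak_image(DEMO_KEYS), build_hashed_image(DEMO_KEYS)
    print("weak image leaks:  ", leaked_keys(weak, DEMO_KEYS))       # ['ABCDEF', 'GHIJKL']
    print("hashed image leaks:", leaked_keys(hashed, DEMO_KEYS))     # []
    print("hashed check ok:   ", check_key_hashed(hashed, "ABCDEF"))  # True
```

Two caveats on the hardened variant: a six-character key drawn from a small alphabet is a tiny key space, so a digest alone is not a strong secret and a longer key or a signed license blob is the real fix; and hashing only removes the key text from the string table and from memory at check time, while the accept/reject decision is still a single branch in the binary, so it closes the specific mistake this essay describes rather than the whole class.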

-Volatility-

